Showing papers on "Block cipher published in 2022"

Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography

Abstract: Checking the equality of two arrays is a crucial building block of the Fujisaki-Okamoto transformation, and as such it is used in several post-quantum key encapsulation mechanisms including Kyber and Saber. While this comparison operation is easy to perform in a black box setting, it is hard to efficiently protect against side-channel attacks. For instance, the hash-based method by Oder et al. is limited to first-order masking, a higher-order method by Bache et al. was shown to be flawed, and a very recent higher-order technique by Bos et al. suffers in runtime. In this paper, we first demonstrate that the hash-based approach, and likely many similar first-order techniques, succumb to a relatively simple side-channel collision attack. We can successfully recover a Kyber512 key using just 6000 traces. While this does not break the security claims, it does show the need for efficient higher-order methods. We then present a new higher-order masked comparison algorithm based on the (insecure) higher-order method of Bache et al. Our new method is 4.2x, resp. 7.5x, faster than the method of Bos et al. for a 2nd, resp. 3rd, -order masking on the ARM Cortex-M4, and unlike the method of Bache et al., the new technique takes ciphertext compression into account. We prove correctness, security, and masking security in detail and provide performance numbers for 2nd and 3rd-order implementations. Finally, we verify our the side-channel security of our implementation using the test vector leakage assessment (TVLA) methodology.

Memristor-based PUF for lightweight cryptographic randomness

Abstract: Physical unclonable functions (PUF) are cryptographic primitives employed to generate true and intrinsic randomness which is critical for cryptographic and secure applications. Thus, the PUF output (response) has properties that can be utilized in building a true random number generator (TRNG) for security applications. The most popular PUF architectures are transistor-based and they focus on exploiting the uncontrollable process variations in conventional CMOS fabrication technology. Recent development in emerging technology such as memristor-based models provides an opportunity to achieve a robust and lightweight PUF architecture. Memristor-based PUF has proven to be more resilient to attacks such as hardware reverse engineering attacks. In this paper, we design a lightweight and low-cost memristor PUF and verify it against cryptographic randomness tests achieving a unique, reliable, irreversible random sequence output. The current research demonstrates the architecture of a low-cost, high endurance Cu/HfO[Formula: see text]Si memristor-based PUF (MR-PUF) which is compatible with advanced CMOS technologies. This paper explores the 15 NIST cryptographic randomness tests that have been applied to our Cu/HfO[Formula: see text]Si MR-PUF. Moreover, security properties such as uniformity, uniqueness, and repeatability of our MR-PUF have been tested in this paper and validated. Additionally, this paper explores the applicability of our MR-PUF on block ciphers to improve the randomness achieved within the encryption process. Our MR-PUF has been used on block ciphers to construct a TRNG cipher block that successfully passed the NIST tests. Additionally, this paper investigated MR-PUF within a new authenticated key exchange and mutual authentication protocol between the head-end system (HES) and smart meters (SM)s in an advanced metering infrastructure (AMI) for smartgrids. The authenticated key exchange protocol utilized within the AMI was verified in this paper to meet the essential security when it comes to randomness by successfully passing the NIST tests without a post-processing algorithm.

The <i>c</i>-Differential Uniformity and Boomerang Uniformity of Two Classes of Permutation Polynomials

Abstract: The Difference Distribution Table (DDT) and the differential uniformity play a major role for the design of substitution boxes in block ciphers, since they indicate the function’s resistance against differential cryptanalysis. This concept was extended recently to $c$ -DDT and $c$ -differential uniformity, which have the potential of extending differential cryptanalysis. Recently, a new theoretical tool, the Boomerang Connectivity Table (BCT) and the corresponding boomerang uniformity were introduced to quantify the resistance of a block cipher against boomerang-style attacks. Here we concentrate on two classes (introduced recently) of permutation polynomials over finite fields of even characteristic. For one of these, which is an involution used to construct a 4-uniform permutation, we explicitly determine the $c$ -DDT entries and BCT entries. For the second type of function, which is a differentially 4-uniform function, we give bounds for its $c$ -differential and boomerang uniformities.

Towards Low-Latency Implementation of Linear Layers

Abstract: Lightweight cryptography features a small footprint and/or low computational complexity. Low-cost implementations of linear layers usually play an important role in lightweight cryptography. Although it has been shown by Boyar et al. that finding the optimal implementation of a linear layer is a Shortest Linear Program (SLP) problem and NP-hard, there exist a variety of heuristic methods to search for near-optimal solutions. This paper considers the low-latency criteria and focuses on the heuristic search of lightweight implementation for linear layers. Most of the prior approach iteratively combines the inputs (of linear layers) to reach the output, which can be regarded as the forward search. To better adapt the low-latency criteria, we propose a new framework of backward search that attempts to iteratively split every output (into an XORing of two bits) until all inputs appear. By bounding the time of splitting, the new framework can find a sub-optimal solution with a minimized depth of circuits.We apply our new search algorithm to linear layers of block ciphers and find many low-latency candidates for implementations. Notably, for AES Mixcolumns, we provide an implementation with 103 XOR gates with a depth of 3, which is among the best hardware implementations of the AES linear layer. Besides, we obtain better implementations in XOR gates for 54.3% of 4256 Maximum Distance Separable (MDS) matrices proposed by Li et al. at FSE 2019. We also achieve an involutory MDS matrix (in M4(GL(8, F2))) whose implementation uses the lowest number (i.e., 86, saving 2 from the state-of-the-art result) of XORs with the minimum depth.

Chaghri - A FHE-friendly Block Cipher

Abstract: The Recent progress in practical applications of secure computation protocols has also attracted attention to the symmetric-key primitives underlying them. Whereas traditional ciphers have evolved to be efficient with respect to certain performance metrics, advanced cryptographic protocols call for a different focus. The so called arithmetic complexity is viewed through the number and layout of non-linear operations in the circuit implemented by the protocol. Symmetric-key algorithms that are optimized with respect to this metric are said to be algebraic ciphers. Previous work targeting ZK and MPC protocols delivered great improvement in the performance of these applications both in lab and in practical use. Interestingly, despite its apparent benefits to privacy-aware cloud computing, algebraic ciphers targeting FHE did not attract similar attention. In this paper we present Chaghri, an FHE-friendly block cipher enabling efficient transciphering in BGV-like schemes. A complete Chaghri circuit can be implemented using only 16 multiplications, 48 Frobenius automorphisms and 32 rotations, all arranged in a depth-32 circuit. Our HElib implementation achieves a throughput of 0.28 seconds-per-bit which is 63% faster thanAES in the same setting.

Secure Image Encryption Using Chaotic, Hybrid Chaotic and Block Cipher Approach

Abstract: Secure image transmission is one of the most challenging problems in the age of communication technology. Millions of people use and transfer images for either personal or commercial purposes over the internet. One way of achieving secure image transmission over the network is encryption techniques that convert the original image into a non-understandable or scrambled form, called a cipher image, so that even if the attacker gets access to the cipher they would not be able to retrieve the original image. In this study, chaos-based image encryption and block cipher techniques are implemented and analyzed for image encryption. Arnold cat map in combination with a logistic map are used as native chaotic and hybrid chaotic approaches respectively whereas advanced encryption standard (AES) is used as a block cipher approach. The chaotic and AES methods are applied to encrypt images and are subjected to measures of different performance parameters such as peak signal to noise ratio (PSNR), number of pixels change rate (NPCR), unified average changing intensity (UACI), and histogram and computation time analysis to measure the strength of each algorithm. The results show that the hybrid chaotic map has better NPCR and UACI values which makes it more robust to differential attacks or chosen plain text attacks. The Arnold cat map is computationally efficient in comparison to the other two approaches. However, AES has a lower PSNR value (7.53 to 11.93) and has more variation between histograms of original and cipher images, thereby indicating that it is more resistant to statistical attacks than the other two approaches.

Superposition Meet-in-the-Middle Attacks: Updates on Fundamental Security of AES-like Hashing

Abstract: The Meet-in-the-Middle approach is one of the most powerful cryptanalysis techniques, demonstrated by its applications in preimage attacks on the full MD4, MD5, Tiger, HAVAL, and Haraka-512 v2 hash functions, and key recovery of the full block cipher KTANTAN. The success relies on the separation of a primitive into two independent chunks, where each active cell of the state is used to represent only one chunk or is otherwise considered unusable once mixed. We observe that some of such cells are linearly mixed and can be as useful as the independent ones. This leads to the introduction of superposition states and a whole suite of accompanied techniques, which we incorporate into the MILP-based search framework proposed by Bao et al. at EUROCRYPT 2021 and Dong et al. at CRYPTO 2021, and find applications on a wide range of AES-like hash functions and block ciphers.

Side-Channeling the Kalyna Key Expansion

Abstract: In 2015, the block cipher Kalyna has been approved as the new encryption standard of Ukraine. The cipher is a substitution-permutation network, whose design is based on AES, but includes several different features. Most notably, the key expansion in Kalyna is designed to resist recovering the master key from the round keys. In this paper we present a cache attack on the Kalyna key expansion algorithm. Our attack observes the cache access pattern during key expansion, and uses the obtained information together with one round key to completely recover the master key. We analyze all five parameter sets of Kalyna. Our attack significantly reduces the attack cost and is practical for the Kalyna-128/128 variant, where it is successful for over 97% of the keys and has a complexity of only $$2^{43.58}$$ . To the best of our knowledge, this is the first attack on the Kalyna key expansion algorithm. To show that the attack is feasible, we run the cache attack on the reference implementation of Kalyna-128/128, demonstrating that we can obtain the required side-channel information. We further perform the key-recovery step on our university’s high-performance compute cluster. We find the correct key within 37 hours and note that the attack requires 50K CPU hours for enumerating all key candidates. As a secondary contribution we observe that the additive key whitening used in Kalyna facilitates first round cache attacks. Specifically, we design an attack that can recover the full first round key with only seven adaptively chosen plaintexts.

Revamped Differential-Linear Cryptanalysis on Reduced Round ChaCha

Abstract: In this paper, we provide several improvements over the existing differential-linear attacks on ChaCha. ChaCha is a stream cipher which has 20 rounds. At CRYPTO 2020, Beierle et al. observed a differential in the 3.5-th round if the right pairs are chosen. They produced an improved attack using this, but showed that to achieve a right pair, we need $$2^5$$ iterations on average. In this direction, we provide a technique to find the right pairs with the help of listing. Also, we provide a strategical improvement in PNB construction, modification of complexity calculation and an alternative attack method using two input-output pairs. Using these, we improve the time complexity, reducing it to $$2^{221.95}$$ from $$2^{230.86}$$ reported by Beierle et al. for 256 bit version of ChaCha. Also, after a decade, we improve existing complexity (Shi et al. ICISC 2012) for a 6-round of 128 bit version of ChaCha by more than 11 million times and produce the first-ever attack on 6.5-round ChaCha128 with time complexity $$2^{123.04}.$$

Enhancing Differential-Neural Cryptanalysis

Abstract: In CRYPTO 2019, Gohr shows that well-trained neural networks can perform cryptanalytic distinguishing tasks superior to traditional differential distinguishers. Moreover, applying an unorthodox key guessing strategy, an 11-round key-recovery attack on a modern block cipher Speck32/64 improves upon the published state-of-the-art result. This calls into the next questions. To what extent is the advantage of machine learning (ML) over traditional methods, and whether the advantage generally exists in the cryptanalysis of modern ciphers? To answer the first question, we devised ML-based key-recovery attacks on more extended round-reduced Speck32/64. We achieved an improved 12-round and the first practical 13-round attacks. The essential for the new results is enhancing a classical component in the ML-based attacks, that is, the neutral bits. To answer the second question, we produced various neural distinguishers on round-reduced Simon32/64 and provided comparisons with their pure differential-based counterparts.

Optimized Implementation of SM4 on AVR Microcontrollers, RISC-V Processors, and ARM Processors

Abstract: At 2003, the SM4 block cipher was introduced that is a Chinese domestic cryptographic. It is mandated in the Chinese National Standard for Wireless LAN Wired Authentication and Privacy Infrastructure (WAPI), because the algorithm was developed for use in wireless sensor networks to provide safety network environment. The SM4 block cipher uses a 128-bit block size and a 32-bit round key. It consists of 32 rounds and one reverse translation R. In this paper, we present the optimized implementation of the SM4 block cipher on 8-bit AVR microcontrollers, which are widely used in wireless sensor devices; the optimized implementation of the SM4 block cipher on 32-bit RISC-V processors, which are open-source-based computer architectures, and the optimized implementation of SM4 on 64-bit ARM processors with parallel computation, which are widely used in smartphones and tablets. In the AVR microcontroller, three versions are implemented for various purposes, including speed-optimization, memory-optimization, and code size-optimization. As a result, the speed-optimization, memory-optimization, and code size-optimization versions achieved 205.2 cycles per byte, 213.3 cycles per byte, and 207.4 cycles per byte, respectively. This is faster than the reference implementation written in C language (1670.7 cycles per byte). The implementation on 32-bit RISC-V processors achieved 128.8 cycles per byte. This is faster than the reference implementation written in C language (345.7 cycles per byte). The implementation on 64-bit ARM processors achieved 8.62 cycles per byte. This is faster than the reference implementation written in C language (120.07 cycles per byte).

Security of COFB against Chosen Ciphertext Attacks

Abstract: COFB is a lightweight Authenticated Encryption with Associated Data (AEAD) mode based on block ciphers. It was proposed in CHES 2017 and is the basis for GIFT-COFB, a finalist in the NIST lightweight standardization project. It comes with provable security results that guarantee its security up to the birthday bound in the nonce-respecting model. However, the designers offer multiple versions of the analysis with different details and the implications of attacks against the scheme are not discussed deeply. In this article, we look at a group of possible forgery and privacy attacks against COFB. We show that the security for both forgery and privacy is bounded by the number of forgery attempts. We show the existence of forgery and privacy attacks with success probability qd/2n/2, given qd forgery attempts. In particular, we show an attack with 2n/2 attempts using only a single known-plaintext encryption query against COFB. While these attacks do not contradict the claims made by the designers of GIFT-COFB, they show its limitations in terms of the number of forgery attempts. They also show that, while COFB generates a 128-bit tag, it behaves in a very similar manner to an AEAD scheme with 64-bit tag. As a result of independent interest, our analysis provides a contradiction to the main theorem of Journal of Cryptology volume 33, pages 703–741 (2020), which includes an improved security proof of COFB compared to the CHES 2017 version. Finally, we discuss the term nqd/2n/2 that appears in the security proof of GIFT-COFB and CHES 2017, showing why there is a security gap between the provable results and the attacks. We emphasize that the results in this article do not threaten the security of GIFT-COFB in the scope of the NIST lightweight cryptography requirements or the claims made by the designers in the specification document of the design.

An Enhanced Key Schedule Algorithm of PRESENT-128 Block Cipher for Random and Non-Random Secret Keys

Abstract: The key schedule algorithm (KSA) is a crucial element of symmetric block ciphers with a direct security impact. Despite its undeniable significance, the KSA is still a less focused area in the design of an encryption algorithm. PRESENT is a symmetric lightweight block cipher that provides the optimal balance between security, performance, and minimal cost in IoT. However, the linear functions in KSA lead to a slow and predictable bit transition, indicating the relationship between round keys. A robust KSA should produce random and independent round keys irrespective of the secret key. Therefore, this research aims to improve the KSA PRESENT-128 block cipher with enhanced randomness, round key bit difference, and the avalanche effect. The experiments on round keys and ciphertext with random, low density and high-density secret key datasets endorse the expected improvements. Moreover, the results show that the improved KSA produces random round keys that successfully pass the NIST randomness test. The bit transition from one round key to another is increased from 20% to 40%, where a greater inclination of the avalanche effect has an increased effect with 50% bit change. On the other hand, the improved KSA PRESENT requires an additional 0.001871 s to generate round keys, as a security cost trade-off.

Explicit values of the DDT, the BCT, the FBCT, and the FBDT of the inverse, the gold, and the Bracken-Leander S-boxes

Abstract: The inverse, the Gold, and the Bracken-Leander functions are crucial for building S-boxes of block ciphers with good cryptographic properties in symmetric cryptography. These functions have been intensively studied, and various properties related to standard attacks have been investigated. Thanks to novel advances in symmetric cryptography and, more precisely, those pertaining to boomerang cryptanalysis, this article continues to follow this momentum and further examine these functions. More specifically, we revisit and bring new results about their Difference Distribution Table (DDT), their Boomerang Connectivity Table (BCT), their Feistel Boomerang Connectivity Table (FBCT), and their Feistel Boomerang Difference Table (FBDT). For each table, we give explicit values of all entries by solving specific systems of equations over the finite field $$\mathbb {F}_{2^n}$$ of cardinality $$2^n$$ and compute the cardinalities of their corresponding sets of such values. The explicit values of the entries of these tables and their cardinalities are crucial tools to test the resistance of block ciphers based on variants of the inverse, the Gold, and the Bracken-Leander functions against cryptanalytic attacks such as differential and boomerang attacks. The computation of these entries and the cardinalities in each table aimed to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.

Improved Rotational-XOR Cryptanalysis of Simon-like Block Ciphers

Abstract: Rotational-XOR (RX) cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in ARX-C ciphers, i.e., ciphers that can be described only by using modular addition, cyclic rotation, XOR, and the injection of constants. In this paper we extend RX-cryptanalysis to AND-RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyze the propagation of RX-differences through AND-RX rounds and develop a closed form formula for their expected probability. Inspired by the MILP verification model proposed by Sadeghi et al., we develop a SAT/SMT model for searching compatible RX-characteristics in Simon-like ciphers, i.e., that there are at least one right pair of messages/keys to satisfy the RK-characteristics. To the best of our knowledge, this is the first model that takes the RX-difference transitions and value transitions simultaneously into account in Simon-like ciphers. Meanwhile, we investigate how the choice of the round constants affects the resistance of Simon-like ciphers against RX-cryptanalysis. Finally, we show how to use an RXdistinguisher for a key recovery attack. Evaluating our model we find compatible RX-characteristics of up to 20, 27, and 34 rounds with respective probabilities of 2−26, 2−44, and 2−56 for versions of Simeck with block sizes of 32, 48, and 64 bits, respectively, for large classes of weak keys in the related-key model. In most cases, these are the longest published distinguishers for the respective variants of Simeck. In the case of Simon, we present compatible RX-characteristics for round-reduced versions of all ten instances. We observe that for equal block and key sizes, the RX-distinguishers cover fewer rounds in Simon than in Simeck. Concluding the paper, we present a key recovery attack on Simeck 64 reduced to 28 rounds using a 23-round RX-characteristic.

A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis

Abstract: ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool ArxPy to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works.

Differential Cryptanalysis of WARP

Abstract: WARP is an energy-efficient lightweight block cipher that is currently the smallest 128-bit block cipher in terms of hardware. It was proposed by Banik et al. in SAC 2020 as a lightweight replacement for AES-128 without changing the mode of operation. This paper proposes key-recovery attacks on WARP based on differential cryptanalysis in single and related-key settings. We searched for differential trails for up to 20 rounds of WARP, with the first 19 having optimal differential probabilities. We also found that the cipher has a strong differential effect, whereby 16 to 20-round differentials have substantially higher probabilities than their corresponding individual trails. A 23-round key-recovery attack was then realized using an 18-round differential distinguisher. Next, we formulated an automatic boomerang search using SMT that relies on the Feistel Boomerang Connectivity Table to identify valid switches. We designed the search as an add-on to the CryptoSMT tool, making it applicable to other Feistel-like ciphers such as TWINE and LBlock-s. For WARP, we found a 21-round boomerang distinguisher which was used in a 24-round rectangle attack. In the related-key setting, we describe a family of 2-round iterative differential trails, which we used in a practical related-key attack on the full 41-round WARP.

Meet-in-the-Filter and Dynamic Counting with Applications to Speck

Abstract: We propose a new cryptanalytic tool for differential cryptanalysis, called meet-in-the-filter (MiF). It is suitable for ciphers with a slow or incomplete diffusion layer such as the ones based on Addition-Rotation-XOR (ARX). The MiF technique uses a meet-in-the-middle matching to construct differential trails connecting the differential’s output and the ciphertext difference. The proposed trails are used in the key recovery procedure, reducing time complexity and allowing flexible time-data trade-offs. In addition, we show how to combine MiF with a dynamic counting technique for key recovery. We illustrate MiF in practice by reporting improved attacks on the ARX -based family of block ciphers Speck. We improve the time complexities of the best known attacks up to 15 rounds of Speck 32 and 20 rounds of Speck 64/128. Notably, our new attack on 11 rounds of Speck 32 has practical analysis and data complexities of $$2^{24.66}$$ and $$2^{26.70}$$ respectively, and was experimentally verified, recovering the master key in a matter of seconds.

A Hard Crystal - Implementing Dilithium on Reconfigurable Hardware

Abstract: CRYSTALS-Dilithium as a lattice-based digital signature scheme has been selected as a finalist in the Post-Quantum Cryptography (PQC) standardization process of NIST. As part of this selection, a variety of software implementations have been evaluated regarding their performance and memory requirements for platforms like x86 or ARM Cortex-M4. In this work, we present a first set of Field-Programmable Gate Array (FPGA) implementations for the low-end Xilinx Artix-7 platform, evaluating the peculiarities of the scheme in hardware, reflecting all available round-3 parameter sets. As a key component in our analysis, we present results for a specifically adapted Number-Theoretic Transform (NTT) core for the Dilithium cryptosystem, optimizing this component for an optimal Look-Up Table (LUT) and Flip-Flop (FF) utilization by efficient use of special purpose Digital Signal Processors (DSPs). Presenting our results, we aim to shed further light on the performance of lattice-based cryptography in low-cost and high-throughput configurations and their respective potential use-cases in practice.

The differential fault analysis on block cipher KLEIN-96

Abstract: KLEIN is a new family of lightweight block ciphers designed for resource-constrained devices. Compared to other schemes, it also has great advantages in both software and hardware performances. In recent works, many researchers have studied its security against differential fault analysis (DFA). Note that all the works only focused on the scheme KLEIN-64, which only has 64 bits key length. In fact, the 64-bit's security is obviously not enough for the current ciphers. In this paper, we investigate the differential fault attack on the key schedule of KLEIN-96, which has 96 bits key length. More specifically, by deeply developing the inner-relationship of input-output differentials for its S-box, we reduce the complexity of exhaustive searching from the original 296 to an acceptable boundary by injecting a certain number of byte-faults. Finally, we also demonstrate the efficiency of our proposed attack by simulations, which show that our method has great advantages over other cryptanalysis on KLEIN cipher.

Side Channel Attack On Stream Ciphers: A Three-Step Approach To State/Key Recovery

Abstract: Side Channel Attack (SCA) exploits the physical information leakage (such as electromagnetic emanation) from a device that performs some cryptographic operation and poses a serious threat in the present IoT era. In the last couple of decades, there have been a large body of research works dedicated to streamlining/improving the attacks or suggesting novel countermeasures to thwart those attacks. However, a closer inspection reveals that a vast majority of published works in the context of symmetric key cryptography is dedicated to block ciphers (or similar designs). This leaves the problem for the stream ciphers wide open. There are few works here and there, but a generic and systematic framework appears to be missing from the literature. Motivating by this observation, we explore the problem of SCA on stream ciphers with extensive details. Loosely speaking, our work picks up from the recent TCHES’21 paper by Sim, Bhasin and Jap. We present a framework by extending the efficiency of their analysis, bringing it into more practical terms.In a nutshell, we develop an automated framework that works as a generic tool to perform SCA on any stream cipher or a similar structure. It combines multiple automated tools (such as, machine learning, mixed integer linear programming, satisfiability modulo theory) under one umbrella, and acts as an end-to-end solution (taking side channel traces and returning the secret key). Our framework efficiently handles noisy data and works even after the cipher reaches its pseudo-random state. We demonstrate its efficacy by taking electromagnetic traces from a 32-bit software platform and performing SCA on a high-profile stream cipher, TRIVIUM, which is also an ISO standard. We show pragmatic key recovery on TRIVIUM during its initialization and also after the cipher reaches its pseudo-random state (i.e., producing key-stream).

A New Dynamic Substitution Box for Data Security Using an Innovative Chaotic Map

Abstract: As the motivations and capabilities of threat actors continue to evolve, providing data security has become more important than ever. For this purpose, different ciphers using various techniques are being developed. Currently, chaotic maps are designed and applied in the development of these ciphers. Modern ciphers utilize a substitution box (S-Box) as a core module to provide data security. In this article, an innovative chaotic map is suggested for the design of new and dynamic S-Box. Criteria like Bijectiveness, Nonlinearity (NL), Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), Linear Approximation Probability (LP), and Differential Approximation Probability (DP) are used to critically analyze and evaluate the proposed S-Box performance against various attacks. The cryptanalytic strength of the proposed S-Box is equated with freshly designed S-Boxes for its customization in real-life security applications. The comparative analysis gratifies the true potential of the proposed S-Box for its solicitation in data security domain.