
Differential cryptanalysis

About: Differential cryptanalysis is a research topic. Over the lifetime, 2131 publications have been published within this topic receiving 54681 citations.


Papers
Dissertation
08 Apr 2009
TL;DR: This thesis presents ciphers for which practical Gröbner basis attacks can recover the full cipher key for up to 12 rounds requiring only a minimal number of plaintext/ciphertext pairs, and demonstrates an efficient method for computing a Gröbner basis of a zero-dimensional ideal describing the key-recovery problem from a single plaintext/ciphertext pair for the full AES-128.
Abstract: This thesis is a contribution to the field of algebraic cryptanalysis. Specifically the following topics have been studied: We construct and analyze Feistel and SLN ciphers that have a sound design strategy against linear and differential cryptanalysis. The encryption process for these ciphers can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key for up to 12 rounds requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks. A paper on this subject has been published in the "Proceedings of The Cryptographers' Track at the RSA Conference 2006 (CT-RSA 2006)". We demonstrate an efficient method for computing a Gröbner basis of a zero-dimensional ideal describing the key-recovery problem from a single plaintext/ciphertext pair for the full AES-128. This Gröbner basis is relative to a degree-lexicographical order. We investigate whether the existence of this Gröbner basis has any security implications for the AES. This result has been published in the "Revised Selected Papers of the Fast Software Encryption Workshop 2006 (FSE 2006)". SMS4 is a 128-bit block cipher used in the WAPI standard for providing data confidentiality in wireless networks. For this cipher we explain how to construct an extension field embedding similar to BES, and demonstrate the fragility of the cipher design by giving variants that exhibit 2^{64} weak keys. These results have been published in the "Proceedings of Information Security and Privacy, 12th Australasian Conference (ACISP 2007)". Cryptomeria is a 64-bit block cipher with a 56-bit key used in the CPRM / CPPM standard for content protection on DVD Audio discs, Video DVD-Rs and SD cards. The design of this cipher is public; the S-Box, which is application-specific, is treated as a trade secret which needs to be licensed from the 4C Entity, Inc. We show how for Cryptomeria and similarly structured ciphers the S-Box can be recovered in a chosen-key setting by a combination of differential and algebraic methods. This attack has been practically validated against reduced-round versions of Cryptomeria. This is unpublished work. We look into Gröbner bases algorithms which use linear algebra methods. Because these algorithms are extremely memory-hungry, we have developed strategies for implementing the reduced row-echelon computation efficiently on distributed memory systems. We give an algorithm to efficiently tackle this problem in the dense case and discuss the sparse case. An extended abstract on this subject has been submitted to and accepted at "The First International Conference on Symbolic Computation and Cryptography (SCC 2008)".

12 citations

Book ChapterDOI
09 Dec 2007
TL;DR: In this article, a related-key attack on TPypy with data complexity 2^{192.3} was presented, which is lower than the previous best known attack on the cipher by a factor of 2^{88}.
Abstract: The stream cipher TPypy has been designed by Biham and Seberry in January 2007 as the strongest member of the Py-family ciphers, after weaknesses in the other members Py, Pypy, Py6 were discovered. One main contribution of the paper is the detection of related-key weaknesses in the Py-family of ciphers including the strongest member TPypy. Under related keys, we show a distinguishing attack on TPypy with data complexity 2^{192.3} which is lower than the previous best known attack on the cipher by a factor of 2^{88}. It is shown that the above attack also works on the other members TPy, Pypy and Py. A second contribution of the paper is the design and analysis of two fast ciphers RCR-64 and RCR-32 which are derived from the TPy and the TPypy respectively. The performances of the RCR-64 and the RCR-32 are 2.7 cycles/byte and 4.45 cycles/byte on Pentium III (note that the speeds of the ciphers Py, Pypy and RC4 are 2.8, 4.58 and 7.3 cycles/byte). Based on our security analysis, we conjecture that no attacks lower than brute force are possible on the RCR ciphers.

12 citations

Posted Content
TL;DR: This paper further studies the boomerang uniformity of some non-quadratic differentially 4-uniform functions, including the Bracken-Leander cubic function and three classes of 4-uniform functions constructed by Li, Wang and Yu, obtained from modifying the inverse functions.
Abstract: The boomerang attack, introduced by Wagner in 1999, is a cryptanalysis technique against block ciphers based on differential cryptanalysis. In particular it takes into consideration two differentials, one for the upper part of the cipher and one for the lower part, and it exploits the dependency of these two differentials. At Eurocrypt'18, Cid et al. introduced a new tool, called the Boomerang Connectivity Table (BCT), that permits simplifying this analysis. Next, Boura and Canteaut introduced an important parameter for cryptographic S-boxes called boomerang uniformity, that is the maximum value in the BCT. Very recently, the boomerang uniformity of some classes of permutations (in particular quadratic functions) has been studied by Li, Qu, Sun and Li, and by Mesnager, Tang and Xiong. In this paper we further study the boomerang uniformity of some non-quadratic differentially 4-uniform functions. In particular, we consider the case of the Bracken-Leander cubic function and three classes of 4-uniform functions constructed by Li, Wang and Yu, obtained from modifying the inverse functions.

12 citations

Dissertation
28 Feb 2015
TL;DR: A general framework is suggested, which enhances current differential cryptanalytic techniques and is applied to evaluate the security of the GOST block cipher, and a new type of differential sets based on the connections of the S-boxes, named "general open sets", is introduced.
Abstract: In this thesis, we study how to enhance current cryptanalytic techniques, especially in Differential Cryptanalysis (DC) and to some degree in Algebraic Cryptanalysis (AC), by considering and solving some underlying optimization problems based on the general structure of the algorithm. In the first part, we study techniques for optimizing arbitrary algebraic computations in the general non-commutative setting with respect to several metrics [42, 44]. We apply our techniques to combinatorial circuit optimization and Matrix Multiplication (MM) problems [30, 44]. Obtaining exact bounds for such problems is very challenging. We have developed a 2-step technique, where firstly we algebraically encode the problem and then we solve the corresponding CNF-SAT problem using a SAT solver. We apply this methodology to optimize small circuits such as S-boxes with respect to a given metric and to discover new bilinear algorithms for multiplying sufficiently small matrices. We have obtained the best bit-slice implementation of the PRESENT S-box currently known [6]. Furthermore, this technique allows us to compute the Multiplicative Complexity (MC) of whole ciphers [23], a very important measure of the non-linearity of a cipher [20, 44]. Another major theme in this thesis is the study of advanced differential attacks on block ciphers. We suggest a general framework, which enhances current differential cryptanalytic techniques, and we apply it to evaluate the security of the GOST block cipher [63, 102, 107]. We introduce a new type of differential sets based on the connections between the S-boxes, named "general open sets" [50, 51], which can be seen as a refinement of Knudsen's truncated differentials [84]. Using this notion, we construct 20-round statistical distinguishers and then, based on this construction, we develop attacks against the full 32 rounds. Our attacks are in the form of depth-first key search with many technical steps subject to optimization. We validate and analyze in detail each of these steps in an attempt to provide a solid formulation for our advanced differential attacks.

12 citations


Network Information
Related Topics (5)
Cryptography: 37.3K papers, 854.5K citations, 93% related
Encryption: 98.3K papers, 1.4M citations, 90% related
Public-key cryptography: 27.2K papers, 547.7K citations, 89% related
Hash function: 31.5K papers, 538.5K citations, 88% related
Key (cryptography): 60.1K papers, 659.3K citations, 85% related
Performance Metrics
No. of papers in the topic in previous years
Year    Papers
2023    37
2022    71
2021    33
2020    53
2019    42
2018    50