Automated Analysis and Synthesis of Block-Cipher Modes of Operation.
0
Citation
10
Reference
20
Related Paper
Abstract:
Block ciphers such as AES are deterministic, keyed functions that operate on small, fixed-size blocks. Block-cipher modes of operation define a mechanism for probabilistic encryption of arbitrary length messages using any underlying block cipher. A mode of operation can be proven secure (say, against chosen-plaintext attacks) based on the assumption that the underlying block cipher is a pseudorandom function. Such proofs are complex and error-prone, however, and must be done from scratch whenever a new mode of operation is developed. We propose an automated approach for the security analysis of block-cipher modes of operation based on a “local” analysis of the steps carried out by the mode when handling a single message block. We model these steps as a directed, acyclic graph, with nodes corresponding to instructions and edges corresponding to intermediate values. We then introduce a set of labels and constraints on the edges, and prove a meta-theorem showing that any mode for which there exists a labeling of the edges satisfying these constraints is secure (against chosen-plaintext attacks). This allows us to reduce security of a given mode to a constraint-satisfaction problem, which in turn can be handled using an SMT solver. We couple our security-analysis tool with a routine that automatically generates viable modes; together, these allow us to synthesize hundreds of secure modes.Keywords:
Plain text
Pseudorandom function family
Cite
A block cipher can be easily broken if its encryption functions can be seen as linear maps on a small vector space. Even more so, if its round functions can be seen as linear maps on a small vector space. We show that this cannot happen for the AES. More precisely, we prove that if the AES round transformations can be embedded into a linear cipher acting on a vector space, then this space is huge-dimensional and so this embedding is infeasible in practice. We present two elementary proofs.
Affine cipher
Cite
Citations (3)
Boolean satisfiability problem
Cite
Citations (0)
In this article an optimal selection of tap positions for certain LFSR-based encryption schemes is investigated from both design and cryptanalytic perspective. Two novel algorithms towards an optimal selection of tap positions are given which can be satisfactorily used to provide (sub)optimal resistance to some generic cryptanalytic techniques applicable to these schemes. It is demonstrated that certain real-life ciphers (e.g. SOBER-t32, SFINKS and Grain-128), employing some standard criteria for tap selection such as the concept of full difference set, are not fully optimized with respect to these attacks. These standard design criteria are quite insufficient and the proposed algorithms appear to be the only generic method for the purpose of (sub)optimal selection of tap positions. We also extend the framework of a generic cryptanalytic method called Generalized Filter State Guessing Attacks (GFSGA), introduced in [26] as a generalization of the FSGA method, by applying a variable sampling of the keystream bits in order to retrieve as much information about the secret state bits as possible. Two different modes that use a variable sampling of keystream blocks are presented and it is shown that in many cases these modes may outperform the standard GFSGA mode. We also demonstrate the possibility of employing GFSGA-like attacks to other design strategies such as NFSR-based ciphers (Grain family for instance) and filter generators outputting a single bit each time the cipher is clocked. In particular, when the latter scenario is considered, the idea of combining GFSGA technique and algebraic attacks appears to be a promising unified cryptanalytic method against NFSR-based stream ciphers.
Cite
Citations (0)
This paper presents a cryptanalysis of full Kravatte, an instantiation of the Farfalle construction of a pseudorandom function (PRF) with variable input and output length. This new construction, proposed by Bertoni et al., introduces an efficiently parallelizable and extremely versatile building block for the design of symmetric mechanisms, e.g. message authentication codes or stream ciphers. It relies on a set of permutations and on so-called rolling functions: it can be split into a compression layer followed by a two-step expansion layer. The key is expanded and used to mask the inputs and outputs of the construction. Kravatte instantiates Farfalle using linear rolling functions and permutations obtained by iterating the Keccak round function. We develop in this paper several attacks against this PRF, based on three different attack strategies that bypass part of the construction and target a reduced number of permutation rounds. A higher order differential distinguisher exploits the possibility to build an affine space of values in the cipher state after the compression layer. An algebraic meet-in-the-middle attack can be mounted on the second step of the expansion layer. Finally, due to the linearity of the rolling function and the low algebraic degree of the Keccak round function, a linear recurrence distinguisher can be found on intermediate states of the second step of the expansion layer. All the attacks rely on the ability to invert a small number of the final rounds of the construction. In particular, the last two rounds of the construction together with the final masking by the key can be algebraically inverted, which allows to recover the key. The complexities of the devised attacks, applied to the Kravatte specifications published on the IACR ePrint in July 2017, or the strengthened version of Kravatte recently presented at ECC 2017, are far below the security claimed.
Cite
Citations (6)
The paper develops a novel approach to stream cipher design: Both the state update function and the output function of the corresponding pseudorandom generators are compositions of arithmetic and bitwise logical operations, which are standard instructions of modern microprocessors. Moreover, both the state update function and the output function are being modified dynamically during the encryption. Also, these compositions could be keyed, so the only information available to an attacker is that these functions belong to some exponentially large class. The paper shows that under rather loose conditions the output sequence is uniformly distributed, achieves maximum period length and has high linear complexity and high $\ell$-error linear complexity. Ciphers of this kind are flexible: One could choose a suitable combination of instructions to obtain due performance without affecting the quality of the output sequence. Finally, some evidence is given that a key recovery problem for (reasonably designed) stream ciphers of this kind is intractable up to plausible conjectures.
Affine cipher
Sequence (biology)
Bitwise operation
Keystream
Cite
Citations (7)
MV3 is a new word based stream cipher for encrypting long streams of data. A direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word version will obviously need vast amounts of memory. This scaling issue necessitates a look for new components and principles, as well as mathematical analysis to justify their use. Our approach, like RC4's, is based on rapidly mixing random walks on directed graphs (that is, walks which reach a random state quickly, from any starting point). We begin with some well understood walks, and then introduce nonlinearity in their steps in order to improve security and show long term statistical correlations are negligible. To minimize the short term correlations, as well as to deter attacks using equations involving successive outputs, we provide a method for sequencing the outputs derived from the walk using three revolving buffers. The cipher is fast -- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor. A word based cipher needs to output more bits per step, which exposes more correlations for attacks. Moreover we seek simplicity of construction and transparent analysis. To meet these requirements, we use a larger state and claim security corresponding to only a fraction of it. Our design is for an adequately secure word-based cipher; our very preliminary estimate puts the security close to exhaustive search for keys of size < 256 bits.
RC4
Pentium
Cite
Citations (0)
Heuristics
Cite
Citations (114)
In this paper, a new stream cipher is designed as a clock-controlled one, but with a new mechanism of altering steps based on system theory in such a way that the structures used in it are resistant to conventional attacks. Our proposed algorithm (PALS) uses the main key with the length of 256 bits and a 32-bit message key. The most important criteria considered in designing the PALS are resistance to known attacks, maximum period, high linear complexity, and good statistical properties. As a result, the output keystream is very similar to the perfectly random sequences and resistant to conventional attacks such as correlation attacks, algebraic attack, divide & conquer attack, time-memory tradeoff attack and AIDA/cube attacks. The base structure of the PALS is a clock-controlled combination generator with memory and we obtained all the features according to design criteria with this structure. PALS can be used in many applications, especially in financial cryptography due to its proper security features.
Keystream
Correlation attack
Transposition cipher
Cite
Citations (0)
Power analysis
Cite
Citations (18)
A new reverse iterative block encryption scheme using layered cellular automata with T-shaped neighborhood is proposed in this paper. Specifically, based on the T-shaped neighborhood structure, we generate some two order reversible rules and then set the plaintext as the final configuration of a 4-layer CA. Considering the definition of the two order rule, we employ a random sequence as the pre-configuration of the 4-layer CA and keep it as the key with the generated rule, and then backward evolve the CA to get its initial configuration, which is set as the corresponding cipher text. Comprehensive security analysis shows that the proposed scheme is security against statistical, linear and differential cryptanalysis techniques. In addition, the timing analysis demonstrates that the proposed scheme is more efficient than AES algorithm.
Plain text
Sequence (biology)
Cite
Citations (2)