Cryptanalysis of symmetric key primitives

Block ciphers and stream ciphers are essential building blocks that are used to construct computing systems which have to satisfy several security objectives. Since the security of these systems depends on the security of their parts, the analysis of these symmetric key primitives has been a goal of critical importance. In this thesis we provide cryptanalytic results for some recently proposed block and stream ciphers. First, we consider two light-weight block ciphers, TREYFER and PIFEA-M. While TREYFER was designed to be very compact in order to fit into constrained environments such as smart cards and RFIDs, PIFEA-M was designed to be very fast in order to be used for the encryption of multimedia data. We provide a related-key attack on TREYFER which recovers the secret key given around 2^11 encryptions and negligible computational effort. As for PIFEA-M, we provide evidence that it does not fulfill its design goal, which was to defend against certain implementation-dependent differential attacks possible on previous versions of the cipher. Next, we consider the NGG stream cipher, whose design is based on RC4 and aims to increase throughput by operating with 32-bit or 64-bit values instead of 8-bit values. We provide a distinguishing attack on NGG which requires just one keystream word. We also show that the first few kilobytes of the keystream may leak information about the secret key, which allows the cryptanalyst to recover the secret key in an efficient way. Finally, we consider GGHN, another RC4-like cipher that operates with 32-bit words. We assess different variants of GGHN-like algorithms with respect to weak states, in which all internal state words and output elements are even. Once GGHN is absorbed in such a weak state, the least significant bit of each plaintext word is revealed simply by looking at the ciphertext, since XOR with an even keystream word leaves bit 0 of the plaintext unchanged.
By modelling the algorithm as a Markov chain and calculating the chain's absorption time, we show that the average number of steps required by these algorithms to enter this weak state can be lower than expected at first glance, and hence caution should be exercised when estimating this number.
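The absorption-time calculation mentioned above is the standard fundamental-matrix method for absorbing Markov chains: if Q is the transient-to-transient block of the transition matrix P, the vector t of expected steps to absorption satisfies (I - Q) t = 1. The following Python is an added example written for this page, not code from the thesis; the three-state chain it uses is a constructed toy (states 0 and 1 are transient, state 2 plays the role of the all-even weak state) and is not GGHN's actual state-transition structure. It solves the system exactly with Fractions and cross-checks the result by simulation.

```python
from fractions import Fraction
import random


def _solve(a, b):
    """Solve a*x = b exactly by Gauss-Jordan elimination over Fractions."""
    n = len(a)
    m = [list(row) + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        pv = m[col][col]
        m[col] = [v / pv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def expected_absorption_steps(P, absorbing):
    """Expected number of steps to reach an absorbing state from each transient state.

    P is a row-stochastic matrix (lists of Fractions); absorbing is the set of
    absorbing state indices. Solves (I - Q) t = 1 where Q is the transient block.
    """
    n = len(P)
    for row in P:
        assert sum(row) == 1, "each row of P must sum to 1"
    transient = [s for s in range(n) if s not in absorbing]
    a = [
        [(Fraction(1) if i == j else Fraction(0)) - Fraction(P[s][u])
         for j, u in enumerate(transient)]
        for i, s in enumerate(transient)
    ]
    t = _solve(a, [Fraction(1)] * len(transient))
    return {s: t[i] for i, s in enumerate(transient)}


def simulate_absorption(P, absorbing, start, trials=20000, seed=1):
    """Monte Carlo estimate of the absorption time from `start`, as a cross-check."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        s, steps = start, 0
        while s not in absorbing:
            r, acc = rng.random(), 0.0
            for nxt, p in enumerate(P[s]):
                acc += float(p)
                if r < acc:
                    s = nxt
                    break
            steps += 1
        total += steps
    return total / trials


# Constructed toy chain (hypothetical, not GGHN's real transition structure):
# state 0 = "far from weak state", state 1 = "close", state 2 = weak state (absorbing).
TOY_CHAIN = [
    [Fraction(1, 2), Fraction(1, 2), Fraction(0)],
    [Fraction(1, 4), Fraction(1, 2), Fraction(1, 4)],
    [Fraction(0), Fraction(0), Fraction(1)],
]
ABSORBING = {2}

if __name__ == "__main__":
    exact = expected_absorption_steps(TOY_CHAIN, ABSORBING)
    for s, t in exact.items():
        print(f"from state {s}: exact {t}, simulated {simulate_absorption(TOY_CHAIN, ABSORBING, s):.2f}")
```

For the toy chain the exact answers are 8 steps from state 0 and 6 from state 1. The same routine applies unchanged to a larger chain whose states encode how many of a cipher's internal words are even; whether the resulting absorption time is above or below a naive per-step estimate depends entirely on the transition structure, which is exactly why the thesis argues for computing it rather than guessing.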
