cryptanalysis, reverse-engineering and design of symmetric
Post on 10-Nov-2021
10 Views
Preview:
TRANSCRIPT
Cryptanalysis, Reverse-Engineering and Design of
Symmetric Cryptographic Algorithms
Léo Perrin
CSC & SnT, University of Luxembourg
CryptoLUX Team ; supervised by Alex Biryukov
July 5th 2018
Introduction What is cryptography?
Cryptography? (1/3)
Alice Bob
1 / 27
Introduction What is cryptography?
Cryptography? (1/3)
Alice Bob
Charlie
1 / 27
Introduction What is cryptography?
Cryptography? (1/3)
1 / 27
Introduction What is cryptography?
Cryptography? (2/3)
Cryptography is everywhere!
2 / 27
Introduction What is cryptography?
Cryptography? (3/3)
CRYPTO
LUX
3 / 27
Introduction What is cryptography?
Cryptography? (3/3)
CRYPTO
LUX
Envelope: Confidentiality
(nobody can read it)
3 / 27
Introduction What is cryptography?
Cryptography? (3/3)
CRYPTO
LUX
Envelope: Confidentiality
(nobody can read it)
Seal: Integrity
(nobody can modify it)
3 / 27
Introduction What is cryptography?
Cryptography? (3/3)
CRYPTO
LUX
Envelope: Confidentiality
(nobody can read it)
Seal: Integrity
(nobody can modify it)
Signature: Authentication
(it was wrien by the right person)
Paul
3 / 27
Introduction What is cryptography?
Modern Cryptography
Before
Now
Data encrypted Le�ers/Digits
0,1 (bits)
Method
By hand/
Computer program
machine
Cryptographers
Linguists
Mathematicians
inventors
Computer scientists
Example
4 / 27
Introduction What is cryptography?
Modern Cryptography
Before Now
Data encrypted Le�ers/Digits 0,1 (bits)
Method
By hand/
Computer program
machine
Cryptographers
Linguists Mathematicians
inventors Computer scientists
Example
4 / 27
Introduction How do we make cryptographic algorithms?
How do we design such algorithms?
5 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community Industry
Scope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
“Cryptographic Pipeline”
Fundamental Research
time
Design Public Analysis Deployment
Publication Standardization
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithms
Unbroken algo-
rithm are even-
tually trusted
Implements al-
gorithm in ac-
tual products
6 / 27
Introduction How do we make cryptographic algorithms?
What about my thesis?
Funded by the FNR (ACRYPT Project)
7 / 27
Introduction How do we make cryptographic algorithms?
What about my thesis?
Funded by the FNR (ACRYPT Project)
7 / 27
Introduction How do we make cryptographic algorithms?
3 Di�erent Directions
Lightweight Cryptography
5 papers (FSE, ASIACRYPT, JoCEn), 2 invited talks
1 new block cipher
S-Box Reverse-Engineering
8 conference papers (CRYPTO, EUROCRYPT...), 7 invited talks
Discussions with ISO
Purposefully Hard Cryptography
1 paper (ASIACRYPT)
1 patent (+1 paper under submission)
8 / 27
Introduction How do we make cryptographic algorithms?
3 Di�erent Directions
Lightweight Cryptography
5 papers (FSE, ASIACRYPT, JoCEn), 2 invited talks
1 new block cipher
S-Box Reverse-Engineering
8 conference papers (CRYPTO, EUROCRYPT...), 7 invited talks
Discussions with ISO
Purposefully Hard Cryptography
1 paper (ASIACRYPT)
1 patent (+1 paper under submission)
8 / 27
Introduction How do we make cryptographic algorithms?
3 Di�erent Directions
Lightweight Cryptography
5 papers (FSE, ASIACRYPT, JoCEn), 2 invited talks
1 new block cipher
S-Box Reverse-Engineering
8 conference papers (CRYPTO, EUROCRYPT...), 7 invited talks
Discussions with ISO
Purposefully Hard Cryptography
1 paper (ASIACRYPT)
1 patent (+1 paper under submission)
8 / 27
Introduction How do we make cryptographic algorithms?
Outline
1 Introduction
2 Lightweight Cryptography
3 S-Box Reverse-Engineering
4 Conclusion
9 / 27
Lightweight Cryptography
Outline
1 Introduction
2 Lightweight Cryptography
3 S-Box Reverse-Engineering
4 Conclusion
9 / 27
Lightweight Cryptography What is it?
Internet of Things
Everything is being connected to the internet.
10 / 27
Lightweight Cryptography What is it?
Internet of Things
Everything
10 / 27
Lightweight Cryptography What is it?
Internet of Things
Everything
10 / 27
Lightweight Cryptography What is it?
Internet of Things
Everything
10 / 27
Lightweight Cryptography What is it?
Security
“In IoT, the S is for Security.”
Internet-enabled devices have security flaws.
Security is an a�erthought (at best).
Security has a cost in terms of engineering...
... and computationnal resources!
11 / 27
Lightweight Cryptography What is it?
Security
“In IoT, the S is for Security.”
Internet-enabled devices have security flaws.
Security is an a�erthought (at best).
Security has a cost in terms of engineering...
... and computationnal resources!
11 / 27
Lightweight Cryptography What is it?
Lightweight Cryptography
Lightweight cryptography uses li�le resources.
LWC is a very active research area!
12 / 27
Lightweight Cryptography What is it?
Lightweight Cryptography
Lightweight cryptography uses li�le resources.
LWC is a very active research area!
12 / 27
Lightweight Cryptography Our Contributions
Overview
Fundamental Research
Design Public Analysis Deployment
• Extensive survey of the state of the art
• Invention of a new design strategy
• Block cipher Sparx
• A�acks on Gluon
• Results on Prince
• Results on Twine
13 / 27
Lightweight Cryptography Our Contributions
Overview
Fundamental Research
Design Public Analysis Deployment
• Extensive survey of the state of the art
• Invention of a new design strategy
• Block cipher Sparx
• A�acks on Gluon
• Results on Prince
• Results on Twine
13 / 27
Lightweight Cryptography Our Contributions
Overview
Fundamental Research
Design Public Analysis Deployment
• Extensive survey of the state of the art
• Invention of a new design strategy
• Block cipher Sparx
• A�acks on Gluon
• Results on Prince
• Results on Twine
13 / 27
Lightweight Cryptography Our Contributions
Overview
Fundamental Research
Design Public Analysis Deployment
• Extensive survey of the state of the art
• Invention of a new design strategy
• Block cipher Sparx
• A�acks on Gluon
• Results on Prince
• Results on Twine
13 / 27
Lightweight Cryptography Our Contributions
Highlights
A�acks on Prince We won round 1 of the “PRINCE challenge”
The corresponding paper was selected in the top 3 papers
at FSE’15;
Sparx First ARX-based block cipher proven secure against some
a�acks.
Design strategy re-used by third parties from Waterloo
(Canada) to build sLiSCP
NIST Survey greatly appreciated (and cited) by NIST in their
ongoing standardization e�ort
I presented Sparx at a NIST workshop
14 / 27
Lightweight Cryptography Our Contributions
Highlights
A�acks on Prince We won round 1 of the “PRINCE challenge”
The corresponding paper was selected in the top 3 papers
at FSE’15;
Sparx First ARX-based block cipher proven secure against some
a�acks.
Design strategy re-used by third parties from Waterloo
(Canada) to build sLiSCP
NIST Survey greatly appreciated (and cited) by NIST in their
ongoing standardization e�ort
I presented Sparx at a NIST workshop
14 / 27
Lightweight Cryptography Our Contributions
Highlights
A�acks on Prince We won round 1 of the “PRINCE challenge”
The corresponding paper was selected in the top 3 papers
at FSE’15;
Sparx First ARX-based block cipher proven secure against some
a�acks.
Design strategy re-used by third parties from Waterloo
(Canada) to build sLiSCP
NIST Survey greatly appreciated (and cited) by NIST in their
ongoing standardization e�ort
I presented Sparx at a NIST workshop
14 / 27
S-Box Reverse-Engineering
Outline
1 Introduction
2 Lightweight Cryptography
3 S-Box Reverse-Engineering
4 Conclusion
14 / 27
S-Box Reverse-Engineering What is it?
What is an S-Box?
The “S-Box” of the last Russian standards
15 / 27
S-Box Reverse-Engineering What is it?
Breaking the Pipeline
time
Design Public Analysis Deployment
Publication Standardization
Implements al-
gorithm in ac-
tual products
Small teams Academic community IndustryScope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithm
Unbroken algo-
rithm are even-
tually trusted
???
16 / 27
S-Box Reverse-Engineering What is it?
Breaking the Pipeline
time
Design Public Analysis Deployment
Publication Standardization
Implements al-
gorithm in ac-
tual products
Small teams Academic community Industry
Scope
statement
Algorithm
specification
Design
choices
justifications
Security
analysis
Try and break
published algo-
rithm
Unbroken algo-
rithm are even-
tually trusted
???
16 / 27
S-Box Reverse-Engineering What is it?
The Need for Reverse-Engineering
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation...
... or an advantage in cryptanalysis (backdoor).
17 / 27
S-Box Reverse-Engineering What is it?
The Need for Reverse-Engineering
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation...
... or an advantage in cryptanalysis (backdoor).
17 / 27
S-Box Reverse-Engineering What is it?
The Need for Reverse-Engineering
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation...
... or an advantage in cryptanalysis (backdoor).
17 / 27
S-Box Reverse-Engineering Our Contributions
Kuznyechik/Stribog
Stribog
Type Hash function
Publication 2012
Kuznyechik
Type Block cipher
Publication 2015
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .
18 / 27
S-Box Reverse-Engineering Our Contributions
Kuznyechik/Stribog
Stribog
Type Hash function
Publication 2012
Kuznyechik
Type Block cipher
Publication 2015
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .
18 / 27
S-Box Reverse-Engineering Our Contributions
How?
Given an S-Box... Where do we even start?
19 / 27
S-Box Reverse-Engineering Our Contributions
Fourier to the Rescue
Linear Approximations Table (LAT)
The LAT of S : {0, 1}n → {0, 1}n is a 2n × 2
nmatrix such that
LATS[a, b] =∑x∈Fn
2
(−1)a·x⊕b ·S (x ) .
ab
��LATS[a, b]�� = 0
c
d
��LATS[c, d]�� ≥ 20
20 / 27
S-Box Reverse-Engineering Our Contributions
Fourier to the Rescue
Linear Approximations Table (LAT)
The LAT of S : {0, 1}n → {0, 1}n is a 2n × 2
nmatrix such that
LATS[a, b] =∑x∈Fn
2
(−1)a·x⊕b ·S (x ) .
ab
��LATS[a, b]�� = 0
c
d
��LATS[c, d]�� ≥ 20
20 / 27
S-Box Reverse-Engineering Our Contributions
The LAT of π
21 / 27
S-Box Reverse-Engineering Our Contributions
The LAT of π (reordered columns)
22 / 27
S-Box Reverse-Engineering Our Contributions
The LAT of η ◦ π ◦ µ
23 / 27
S-Box Reverse-Engineering Our Contributions
Final Decomposition Number 1
ω
σ
ϕ �
ν1ν0
I�
α
� Multiplication in F2
4
α Linear permutation
I Inversion in F2
4
ν0,ν1,σ 4 × 4 permutations
ϕ 4 × 4 function
ω Linear permutation
24 / 27
S-Box Reverse-Engineering Our Contributions
S-Box Reverse-Engineering: Summary
Set up a process and tools to recover hidden structures and/or design
criteria for S-Boxes.
Successful applications to Streebog/Kuznyechik (FSB), Skipjack
(NSA)... and a theorem!
Found new cryptographic a�acks.
Hopefully, deterred publications of unjustified algorithms.
Caught the a�ention of the community: I gave many invited talks on
this topic.
25 / 27
S-Box Reverse-Engineering Our Contributions
S-Box Reverse-Engineering: Summary
Set up a process and tools to recover hidden structures and/or design
criteria for S-Boxes.
Successful applications to Streebog/Kuznyechik (FSB), Skipjack
(NSA)... and a theorem!
Found new cryptographic a�acks.
Hopefully, deterred publications of unjustified algorithms.
Caught the a�ention of the community: I gave many invited talks on
this topic.
25 / 27
S-Box Reverse-Engineering Our Contributions
S-Box Reverse-Engineering: Summary
Set up a process and tools to recover hidden structures and/or design
criteria for S-Boxes.
Successful applications to Streebog/Kuznyechik (FSB), Skipjack
(NSA)... and a theorem!
Found new cryptographic a�acks.
Hopefully, deterred publications of unjustified algorithms.
Caught the a�ention of the community: I gave many invited talks on
this topic.
25 / 27
Conclusion
Outline
1 Introduction
2 Lightweight Cryptography
3 S-Box Reverse-Engineering
4 Conclusion
25 / 27
Conclusion
Conclusion
My co-authors and I made significant contribution to lightweight
cryptography.
We pioneered the field of S-Box reverse-engineering and obtained
important results in cryptography and in mathematics.
We worked on another topic (“Purposefully hard cryptography”, useful
for crypto-currencies, DRM systems, spam mitigation...).
26 / 27
Conclusion
Conclusion
My co-authors and I made significant contribution to lightweight
cryptography.
We pioneered the field of S-Box reverse-engineering and obtained
important results in cryptography and in mathematics.
We worked on another topic (“Purposefully hard cryptography”, useful
for crypto-currencies, DRM systems, spam mitigation...).
26 / 27
Conclusion
Conclusion
My co-authors and I made significant contribution to lightweight
cryptography.
We pioneered the field of S-Box reverse-engineering and obtained
important results in cryptography and in mathematics.
We worked on another topic (“Purposefully hard cryptography”, useful
for crypto-currencies, DRM systems, spam mitigation...).
26 / 27
Conclusion
Conclusion
My co-authors and I made significant contribution to lightweight
cryptography.
We pioneered the field of S-Box reverse-engineering and obtained
important results in cryptography and in mathematics.
We worked on another topic (“Purposefully hard cryptography”, useful
for crypto-currencies, DRM systems, spam mitigation...).
26 / 27
Conclusion
I am grateful to...
my PhD advisor Alex Biryukov,
the uni.lu for providing such a good research environment,
my colleagues and co-authors,
my friends and family,
the Amis de l’Université and their sponsors...
... and to you for listening!
27 / 27
Conclusion
I am grateful to...
my PhD advisor Alex Biryukov,
the uni.lu for providing such a good research environment,
my colleagues and co-authors,
my friends and family,
the Amis de l’Université and their sponsors...
... and to you for listening!
27 / 27
Conclusion
I am grateful to...
my PhD advisor Alex Biryukov,
the uni.lu for providing such a good research environment,
my colleagues and co-authors,
my friends and family,
the Amis de l’Université and their sponsors...
... and to you for listening!
27 / 27
Conclusion
I am grateful to...
my PhD advisor Alex Biryukov,
the uni.lu for providing such a good research environment,
my colleagues and co-authors,
my friends and family,
the Amis de l’Université and their sponsors...
... and to you for listening!
27 / 27
top related