Cryptanalysis, Reverse-Engineering and Design of Symmetric ... · S-Box Reverse-Engineering Outline...

Cryptanalysis, Reverse-Engineering and Design of

Symmetric Cryptographic Algorithms

Léo Perrin

CSC & SnT, University of Luxembourg

CryptoLUX Team ; supervised by Alex Biryukov

July 5th 2018

Introduction What is cryptography?

Cryptography? (1/3)

Alice Bob

1 / 27

Cryptography? (1/3)

Alice Bob

Charlie

1 / 27

Cryptography? (1/3)

1 / 27

Cryptography? (2/3)

Cryptography is everywhere!

2 / 27

Cryptography? (3/3)

CRYPTO

3 / 27

Cryptography? (3/3)

CRYPTO

Envelope: Confidentiality

(nobody can read it)

3 / 27

Cryptography? (3/3)

CRYPTO

Seal: Integrity

(nobody can modify it)

3 / 27

Cryptography? (3/3)

CRYPTO

Seal: Integrity

(nobody can modify it)

Signature: Authentication

(it was wrien by the right person)

3 / 27

Modern Cryptography

Before

Data encrypted Le�ers/Digits

0,1 (bits)

Method

By hand/

Computer program

machine

Cryptographers

Linguists

Mathematicians

inventors

Computer scientists

Example

4 / 27

Modern Cryptography

Before Now

Data encrypted Le�ers/Digits 0,1 (bits)

Method

By hand/

Computer program

machine

Cryptographers

Linguists Mathematicians

inventors Computer scientists

Example

4 / 27

Introduction How do we make cryptographic algorithms?

How do we design such algorithms?

5 / 27

“Cryptographic Pipeline”

Fundamental Research

Design Public Analysis Deployment

Publication Standardization

Small teams Academic community IndustryScope

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

Small teams Academic community Industry

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

rithms

Unbroken algo-

rithm are even-

tually trusted

Implements al-

gorithm in ac-

tual products

6 / 27

What about my thesis?

Funded by the FNR (ACRYPT Project)

7 / 27

What about my thesis?

Funded by the FNR (ACRYPT Project)

7 / 27

3 Di�erent Directions

Lightweight Cryptography

5 papers (FSE, ASIACRYPT, JoCEn), 2 invited talks

1 new block cipher

S-Box Reverse-Engineering

8 conference papers (CRYPTO, EUROCRYPT...), 7 invited talks

Discussions with ISO

Purposefully Hard Cryptography

1 paper (ASIACRYPT)

1 patent (+1 paper under submission)

8 / 27

1 new block cipher

1 paper (ASIACRYPT)

8 / 27

1 new block cipher

1 paper (ASIACRYPT)

8 / 27

Outline

1 Introduction

2 Lightweight Cryptography

3 S-Box Reverse-Engineering

4 Conclusion

9 / 27

Outline

1 Introduction

4 Conclusion

9 / 27

Lightweight Cryptography What is it?

Internet of Things

Everything is being connected to the internet.

10 / 27

Internet of Things

Everything

10 / 27

Internet of Things

Everything

10 / 27

Internet of Things

Everything

10 / 27

Security

“In IoT, the S is for Security.”

Internet-enabled devices have security flaws.

Security is an a�erthought (at best).

Security has a cost in terms of engineering...

... and computationnal resources!

11 / 27

Security

“In IoT, the S is for Security.”

Internet-enabled devices have security flaws.

Security is an a�erthought (at best).

Security has a cost in terms of engineering...

... and computationnal resources!

11 / 27

Lightweight cryptography uses li�le resources.

LWC is a very active research area!

12 / 27

Lightweight cryptography uses li�le resources.

LWC is a very active research area!

12 / 27

Lightweight Cryptography Our Contributions

Overview

• Extensive survey of the state of the art

• Invention of a new design strategy

• Block cipher Sparx

• A�acks on Gluon

• Results on Prince

• Results on Twine

13 / 27

Overview

13 / 27

Overview

13 / 27

Overview

13 / 27

Highlights

A�acks on Prince We won round 1 of the “PRINCE challenge”

The corresponding paper was selected in the top 3 papers

at FSE’15;

Sparx First ARX-based block cipher proven secure against some

a�acks.

Design strategy re-used by third parties from Waterloo

(Canada) to build sLiSCP

NIST Survey greatly appreciated (and cited) by NIST in their

ongoing standardization e�ort

I presented Sparx at a NIST workshop

14 / 27

Highlights

at FSE’15;

a�acks.

14 / 27

Highlights

at FSE’15;

a�acks.

14 / 27

Outline

1 Introduction

4 Conclusion

14 / 27

S-Box Reverse-Engineering What is it?

What is an S-Box?

The “S-Box” of the last Russian standards

15 / 27

Breaking the Pipeline

Implements al-

gorithm in ac-

tual products

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

Unbroken algo-

rithm are even-

tually trusted

16 / 27

Breaking the Pipeline

Implements al-

gorithm in ac-

tual products

Small teams Academic community Industry

statement

Algorithm

specification

Design

choices

justifications

Security

analysis

Try and break

published algo-

Unbroken algo-

rithm are even-

tually trusted

16 / 27

The Need for Reverse-Engineering

A malicious designer can easily hide a structure in an S-Box.

To keep an advantage in implementation...

... or an advantage in cryptanalysis (backdoor).

17 / 27

S-Box Reverse-Engineering Our Contributions

Kuznyechik/Stribog

Stribog

Type Hash function

Publication 2012

Kuznyechik

Type Block cipher

Publication 2015

Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .

18 / 27

Kuznyechik/Stribog

Stribog

Type Hash function

Publication 2012

Kuznyechik

Type Block cipher

Publication 2015

Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .

18 / 27

Given an S-Box... Where do we even start?

19 / 27

Fourier to the Rescue

Linear Approximations Table (LAT)

The LAT of S : {0, 1}n → {0, 1}n is a 2n × 2

nmatrix such that

LATS[a, b] =∑x∈Fn

(−1)a·x⊕b ·S (x ) .

��LATS[a, b]�� = 0

��LATS[c, d]�� ≥ 20

20 / 27

Fourier to the Rescue

Linear Approximations Table (LAT)

The LAT of S : {0, 1}n → {0, 1}n is a 2n × 2

nmatrix such that

LATS[a, b] =∑x∈Fn

(−1)a·x⊕b ·S (x ) .

��LATS[a, b]�� = 0

��LATS[c, d]�� ≥ 20

20 / 27

The LAT of π

21 / 27

The LAT of π (reordered columns)

22 / 27

The LAT of η ◦ π ◦ µ

23 / 27

Final Decomposition Number 1

ϕ �

ν1ν0

� Multiplication in F2

α Linear permutation

I Inversion in F2

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

24 / 27

S-Box Reverse-Engineering: Summary

Set up a process and tools to recover hidden structures and/or design

criteria for S-Boxes.

Successful applications to Streebog/Kuznyechik (FSB), Skipjack

(NSA)... and a theorem!

Found new cryptographic a�acks.

Hopefully, deterred publications of unjustified algorithms.

Caught the a�ention of the community: I gave many invited talks on

this topic.

25 / 27

this topic.

25 / 27

this topic.

25 / 27

Conclusion

Outline

1 Introduction

4 Conclusion

25 / 27

Conclusion

My co-authors and I made significant contribution to lightweight

cryptography.

We pioneered the field of S-Box reverse-engineering and obtained

important results in cryptography and in mathematics.

We worked on another topic (“Purposefully hard cryptography”, useful

for crypto-currencies, DRM systems, spam mitigation...).

26 / 27

Conclusion

cryptography.

26 / 27

Conclusion

cryptography.

26 / 27

Conclusion

cryptography.

26 / 27

Conclusion

I am grateful to...

my PhD advisor Alex Biryukov,

the uni.lu for providing such a good research environment,

my colleagues and co-authors,

my friends and family,

the Amis de l’Université and their sponsors...

... and to you for listening!

27 / 27

Conclusion

I am grateful to...

27 / 27

Conclusion

I am grateful to...

27 / 27

Conclusion

I am grateful to...

27 / 27

Cryptanalysis, Reverse-Engineering and Design of Symmetric ... · S-Box Reverse-Engineering Outline...

Documents

Transcript of Cryptanalysis, Reverse-Engineering and Design of Symmetric ... · S-Box Reverse-Engineering Outline...