On Some Symmetric Lightweight Cryptographic Designs

Ågren, Martin LU (2012)
Abstract
This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator are investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented.



The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption.



These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext.



Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack are given. It is shown how knowledge of the state can be used to recover the key in a straightforward way.



The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this.



Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair.



Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings.
author
supervisor
opponent
  • Prof. Rijmen, Vincent, KU Leuven, ESAT/SCD (COSIC), Heverlee, Belgium.
organization
publishing date
type
Thesis
publication status
published
subject
keywords
Lightweight cryptography, integrity, authentication, symmetric cryptography, stream ciphers, block ciphers, Grain-128a, BEAN, KTANTAN, PRINTcipher, FCSR combiner, related-key attack, linear cryptanalysis, linear correlations, invariant subspace attack.
pages
212 pages
defense location
Lecture hall E:1406, E-building, Ole Römers väg 3, Lund University Faculty of Engineering
defense date
2012-11-28 13:15
ISSN
1654-790X
ISBN
978-91-7473-391-4
project
EIT_HSWC:Coding Coding, modulation, security and their implementation
language
English
LU publication?
yes
id
69a88ee7-0525-49dd-8327-fc6fe87933e3 (old id 3159339)
date added to LUP
2012-11-02 11:19:57
date last changed
2016-09-19 08:45:00
@misc{69a88ee7-0525-49dd-8327-fc6fe87933e3,
  abstract     = {This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator are investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented.

The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption.

These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext.

Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack are given. It is shown how knowledge of the state can be used to recover the key in a straightforward way.

The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this.

Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair.

Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings.},
  author       = {Ågren, Martin},
  isbn         = {978-91-7473-391-4},
  issn         = {1654-790X},
  keyword      = {Lightweight cryptography,integrity,authentication,symmetric cryptography,stream ciphers,block ciphers,Grain-128a,BEAN,KTANTAN,\textsc{PRINTcipher},FCSR combiner,related-key attack,linear cryptanalysis,linear correlations,invariant subspace attack.},
  language     = {eng},
  pages        = {212},
  title        = {On Some Symmetric Lightweight Cryptographic Designs},
  year         = {2012},
}