Analysis of block cipher constructions against biclique and multiset attacks

Abstract

Cryptographic protocols have been a cornerstone of secure communications among armed forces and diplomatic missions since time immemorial. With easy availability and low cost of computing facilities and Internet, the domain of cryptology has not only expanded to non-government uses but also in fulfilling the common needs of individuals. Block ciphers are the basic building blocks of most of today's deployed cryptography and are one of the most widely used cryptographic primitives. They play a crucial role in providing confidentiality of data transmitted over insecure communication channels - one of the fundamental goals of cryptography. Apart from it, block ciphers are also used to build other cryptographic mechanisms such as - Hash functions and Message Authentication Codes. Hence, it is crucial to ensure construction of a secure and robust block cipher design. To achieve so, it is imperative to analyze and evaluate the resistance of block ciphers against a variety of cryptanalytic attacks.

This thesis is devoted to the security analysis of block ciphers and block cipher based hash functions against some of the current state-of-the-art cryptanalytic techniques. We specifically focus on Biclique Cryptanalysis and Multiset Attacks in this work. We propose a new extension of biclique technique - termed as Star based Bicliques and use them to solve the problem of high data complexity usually associated with this technique. Further, we also employ the above cryptanalytic methods to provide the best attacks on few standardized block ciphers. Our cryptanalytic results are as follows:

1. We study biclique based key recovery attacks and _nd improvements that lower the attack costs compared to the original attack in [39]. These attacks are applied to full round AES-128 (10-rounds), AES-192 (12-rounds) and AES-256 (14-rounds) with interesting observations and results. As part of the results, we propose star-based bicliques which allow us to launch attacks with the minimal data complexity in accordance with the unicity distance. Each attack requires just 2-3 known plaintexts with success probability 1.

2. We utilize the biclique based key recovery attacks to find second-preimages on AES based hashing modes. In our attacks, the initialization vector (IV) is a public constant that cannot be changed by the attacker. Under this setting, with message padding restrictions, the biclique trails constructed for key recovery attack in [39] cannot be utilized here. We construct new biclique trails that satisfy the above restrictions and launch second preimage attacks on all 12 PGV hashing modes based on full round AES-128.

3. We investigate the security of Generalized Feistel Networks (GFNs) in known-key scenario. We apply a variant of biclique technique – termed as sliced biclique cryptanalysis on 4-branch, Type-2 Generalized Feistel Networks (GFNs) based hash functions to generate actual collisions. We further demonstrate the best 8-round collision attack on 4-branch, Type-2 based GFNs when the round function F is instantiated with double SP layers.

4. We analyze the security of Korean Encryption Standard ARIA against meet-in-the-middle attack model. We conduct multiset based key recovery attacks on 7 and 8-round ARIA-192 and ARIA-256 with improved time, memory and data complexities compared to [168]. While the previous attacks on ARIA could only recover some round keys, our attacks show the first recovery of the complete master secret key.

5. We analyze the security of recently announced Ukrainian Encryption Standard Kalyna against meet-in-the-middle attack model. We apply multiset attacks supplemented with further related advancements in this attack technique to recover the secret key from 9-round Kalyna-128/256 and Kalyna-256/512. This improves upon the previous best attack reported in [13] in terms of number of rounds attacked by 2.

In terms of either the attack complexity or the number of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned.