Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms
Léo Perrin
CSC & SnT, University of Luxembourg
CryptoLUX Team; supervised by Alex Biryukov
July 5th 2018
Introduction What is cryptography?
Cryptography is everywhere!
Envelope: Confidentiality (nobody can read it)
Seal: Integrity (nobody can modify it)
Signature: Authentication (it was written by the right person)
Before and now:
Data encrypted: Letters/Digits (before); 0,1 (bits) (now)
Method: By hand/machine (before); Computer program (now)
Cryptographers: Linguists, inventors (before); Mathematicians, computer scientists (now)
Introduction How do we make cryptographic algorithms?
Fundamental Research
Time axis: Publication, then Standardization
Small teams: Scope statement; Algorithm specification; Design choices justifications; Security analysis
Academic community: Try and break published algorithms; Unbroken algorithms are eventually trusted
Industry: Implements algorithm in actual products
What about my thesis? Funded by the FNR (ACRYPT Project)
Lightweight Cryptography: 5 papers (FSE, ASIACRYPT, JoCEn), 2 invited talks, 1 new block cipher
S-Box Reverse-Engineering: 8 conference papers (CRYPTO, EUROCRYPT...), 7 invited talks, discussions with ISO
Purposefully Hard Cryptography: 1 paper (ASIACRYPT), 1 patent (+1 paper under submission)
1 Introduction 2 Lightweight Cryptography 3 S-Box Reverse-Engineering 4 Conclusion
Lightweight Cryptography What is it?
Everything is being connected to the internet.
“In IoT, the S is for Security.”
Internet-enabled devices have security flaws.
Security is an afterthought (at best).
Security has a cost in terms of engineering... and computational resources!
Lightweight cryptography uses little resources.
LWC is a very active research area!
Lightweight Cryptography Our Contributions
Fundamental Research
Attacks on Prince: We won round 1 of the “PRINCE challenge”. The corresponding paper was selected in the top 3 papers at FSE’15.
Sparx: First ARX-based block cipher proven secure against some attacks. Design strategy re-used by third parties from Waterloo (Canada) to build sLiSCP.
NIST: Survey greatly appreciated (and cited) by NIST in their
I presented Sparx at a NIST workshop
S-Box Reverse-Engineering What is it?
The “S-Box” of the last Russian standards
Time axis: Publication, then Standardization
Small teams, Academic community: ???
Industry: Implements algorithm in actual products
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation...
... or an advantage in cryptanalysis (backdoor).
S-Box Reverse-Engineering Our Contributions
Stribog: Type: Hash function; Publication: 2012
Kuznyechik: Type: Block cipher; Publication: 2015
Common ground:
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π.
Given an S-Box... Where do we even start?
Linear Approximations Table (LAT)
The LAT of $S : \{0,1\}^n \to \{0,1\}^n$ is a $2^n \times 2^n$ matrix such that
$$\mathrm{LAT}_S[a, b] = \sum_{x \in \{0,1\}^n} (-1)^{a \cdot x \,\oplus\, b \cdot S(x)}.$$
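As an added illustration (not code from the talk), this Python computes the LAT exactly as defined above for constructed 4-bit S-boxes, including inversion in F_{2^4}, and shows that composing with a linear permutation leaves the multiset of |LAT| values unchanged. The modulus x^4 + x + 1, the multiplier 2 and all function names are assumptions.

```python
from collections import Counter

def dot(a, b):
    """Scalar product of two bit vectors packed into integers."""
    return bin(a & b).count("1") & 1

def lat(sbox):
    """LAT[a][b] = sum over x of (-1)^(a.x XOR b.S(x)), the slide's definition."""
    size = len(sbox)
    return [[sum(1 - 2 * (dot(a, x) ^ dot(b, sbox[x])) for x in range(size))
             for b in range(size)]
            for a in range(size)]

def gf16_mul(x, y):
    """Product in F_{2^4}; the modulus x^4 + x + 1 is an assumption."""
    result = 0
    for _ in range(4):
        if y & 1:
            result ^= x
        y >>= 1
        x <<= 1
        if x & 0x10:
            x ^= 0x13
    return result

def gf16_inv(x):
    """Inversion computed as x^14, which maps 0 to 0."""
    result = 1
    for _ in range(14):
        result = gf16_mul(result, x)
    return result

def linearity(table):
    """Largest |LAT[a][b]| with b != 0; 2^n means a perfect linear relation."""
    return max(abs(row[b]) for row in table for b in range(1, len(table)))

def spectrum(table):
    """Multiset of |LAT| coefficients, unchanged by linear input/output layers."""
    return Counter(abs(v) for row in table for v in row)

# Constructed 4-bit S-boxes (not taken from any standard).
IDENTITY = list(range(16))                       # purely linear
INVERSION = [gf16_inv(x) for x in range(16)]     # inversion in F_{2^4}
# Hypothetical linear permutation: multiplication by the field element 2.
MASKED = [gf16_mul(2, INVERSION[x]) for x in range(16)]

if __name__ == "__main__":
    for name, box in (("identity", IDENTITY), ("inversion", INVERSION),
                      ("linear o inversion", MASKED)):
        t = lat(box)
        print(name, linearity(t), sorted(spectrum(t).items()))
```

Because the spectrum survives any linear layer wrapped around an S-box, it characterises the nonlinear core even when the table of values looks unrelated.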
[Figure: diagram combining the components α, I, ν0, ν1, ϕ, σ, ω and ⊙]
⊙: Multiplication in $\mathbb{F}_{2^4}$
α: Linear permutation
I: Inversion in $\mathbb{F}_{2^4}$
ν0, ν1, σ: 4 × 4 permutations
ϕ: 4 × 4 function
ω: Linear permutation
Set up a process and tools to recover hidden structures and/or design criteria for S-Boxes.
Successful applications to Streebog/Kuznyechik (FSB), Skipjack (NSA)... and a theorem!
Found new cryptographic attacks.
Hopefully, deterred publications of unjustified algorithms.
Caught the attention of the community: I gave many invited talks on this topic.
Conclusion
My co-authors and I made significant contributions to lightweight cryptography.
We pioneered the field of S-Box reverse-engineering and obtained important results in cryptography and in mathematics.
We worked on another topic (“Purposefully hard cryptography”, useful for crypto-currencies, DRM systems, spam mitigation...).
I am grateful to...
my PhD advisor Alex Biryukov,
the uni.lu for providing such a good research environment,
my colleagues and co-authors,
my friends and family,
the Amis de l’Université and their sponsors...
... and to you for listening!