
Aalto University

School of Science

Degree Programme of Computer Science and Engineering

Vikash Kumar Jha

Cryptanalysis of Lightweight Block Ciphers

Master’s Thesis, Espoo, November 18, 2011

Supervisor: Professor Tuomas Aura, Aalto University

Instructor: Professor Alex Biryukov, University of Luxembourg


Aalto University, School of Science, Degree Programme of Computer Science and Engineering

ABSTRACT OF MASTER’S THESIS

Author: Vikash Kumar Jha

Title: Cryptanalysis of Lightweight Block Ciphers

Date: November 18, 2011 Pages: 86

Professorship: Data Communication Software Code: T-110

Supervisor: Professor Tuomas Aura, Aalto University

Instructor: Professor Alex Biryukov, University of Luxembourg

One of the ways to provide information security is cryptography. Traditionally, cryptographic operations such as encryption of data have been applied to protect the information held in centralized and powerful computing environments, so cryptography has been associated with powerful computing environments. But the miniaturization of devices and their widespread use for storing and transmitting sensitive and personal information raise important questions about the security of the transmitted or stored information. These devices have severe resource constraints compared to the needs of traditional cryptographic primitives. In the recent past, the research community has focused on designing cryptographic primitives suited to these resource-constrained devices. This area of research is termed lightweight cryptography. This thesis summarizes the design criteria of lightweight block ciphers, which are one of the various primitives of lightweight cryptography. It also presents a detailed design analysis of some recently designed block ciphers. We explain the various metrics used for the evaluation of lightweight cryptography.

One of the main questions that arises in the design of any cryptographic algorithm is its security. The major part of this thesis investigates the security of lightweight block ciphers. We investigated whether the choice of a simple round function impacts the security of the cipher. It focuses on recently designed ciphers, e.g. KLEIN, LED, and LBlock. The main contribution of this thesis is an analysis of the 8-round practical attack on KLEIN. We extend this previous work to a practical attack on 9 rounds of KLEIN. We also present properties and analysis of the structure and key schedule of other ciphers. Along with this, we give a brief introduction to the state of the art of lightweight block cipher design and various cryptanalytic techniques.

Keywords: Lightweight cryptography, Cryptanalysis, Differential Cryptanalysis, Gate Equivalents

Language: English


Acknowledgements

I am very thankful to Alex Biryukov for allowing me to work in LACS under his guidance. He has been very kind and patient with my questions, even with the questions of obvious answers. I am grateful to him for giving me useful comments and feedback, especially for teaching me how to think for attacking a cryptographic primitive. I have learned a great deal from him during the course of this thesis. He also sent me to attend the ECRYPT lightweight cryptography workshop. I met many researchers in the area of cryptography and got an opportunity to listen to them, which has been very helpful to me.

I am also grateful to Fabienne Schmitz and Isabelle Schroeder for helping me with the administrative procedures and facilitating my stay in Luxembourg. I am thankful to Satu Kahari and Soili Adolfsson for helping me with the administrative procedures for my thesis at Aalto University.

I am very thankful to my supervisor Tuomas Aura for giving me a place in the department to write this thesis. I have immensely benefited from his useful comments for improving my writing skills during the course of study and during the writing of this thesis. His useful comments have made this thesis better.

Espoo, November 18, 2011

Vikash Kumar Jha


Abbreviations and Acronyms

RFID   Radio-frequency identification devices
GE     Gate Equivalent
Kbps   kilo bits per second
µW     micro watt (unit of power, 10^−6 watt)
SPN    Substitution and permutation network
AES    Advanced Encryption Standard
SNR    Signal to noise ratio


Variables and Functions

P        Plaintexts
K        Key bits
C        Ciphertexts
E_K      Encryption for key K
D_K      Decryption for key K
E(P, K)  Encryption function
D(C, K)  Decryption function


Contents

Abbreviations and Acronyms 4
Variables and Functions 4

1 Introduction 8
1.1 Problem statement 10
1.2 Scope of thesis 10
1.3 Structure of the Thesis 11

2 Design of Lightweight Block Ciphers 13
2.1 Design principle of block ciphers 14
2.2 Lightweight block cipher design 17
2.3 Example Ciphers 19
2.3.1 PRESENT 20
2.3.2 Maximum distance separable matrix 21
2.3.3 LED 24
2.4 Conclusion 27

3 Cryptanalysis of Symmetric Ciphers 28
3.1 Mode of operation 29
3.2 Attack models 30
3.3 Cryptanalytic technique 31
3.3.1 Birthday paradox 32
3.3.2 Exhaustive Search 32
3.3.3 Dictionary attack 33
3.3.4 Distinguisher 33
3.3.5 Meet in the Middle attack 33
3.3.6 Weak class of keys 35
3.4 Differential Cryptanalysis 37
3.4.1 Truncated differential 42
3.4.2 Impossible differential 42
3.4.3 Boomerang attack 43
3.5 Linear Cryptanalysis 44
3.6 Algebraic attack 48
3.7 Side channel techniques 48
3.8 Cryptanalysis in real world 50

4 Cryptanalysis of KLEIN 52
4.1 Description of KLEIN 52
4.1.1 Encryption of KLEIN 52
4.1.2 Key Schedule of KLEIN 55
4.2 Shrinking of Cipher 57
4.3 Cyclic structure of MRS(x) 57
4.4 Properties of key schedule 58
4.5 Properties of MixNibbles and SubNibbles 59
4.6 Differential characteristics 60
4.6.1 Probability analysis 60
4.6.2 Neutral bits technique 62
4.7 Attack on 8 rounds of KLEIN 63
4.8 Attack on 9 rounds 64
4.9 Experiments 66

5 Miscellaneous 69
5.1 LBlock Cipher 69
5.1.1 Impossible differential for 14 rounds 70
5.1.2 Key Schedule of LBlock 71
5.2 Analyzing S-boxes 73

6 Conclusions 76

A Performance details of lightweight block cipher 83
A.1 Performance details 83
A.2 Linear approximation of S-box 85
A.3 Differential distribution of S-box 85


Chapter 1

Introduction

Cryptography is the study of protecting information even in the presence of an adversary. Cryptography has two important aspects, namely encryption and decryption. Encryption involves converting input information (called plaintext P) into unintelligible information (called ciphertext C). Along with the plaintext, encryption also uses a secret called the key (K), which is given as input to the encryption function (denoted by E) together with the plaintext to produce the ciphertext. The encryption process is represented mathematically by:

C = E_K(P)

where C is the ciphertext, E_K is the encryption function, P is the plaintext and K is the key. Decryption is just the reverse of encryption: it takes the ciphertext and the key to produce the plaintext. A cryptographic primitive in which a single secret key is used for both encryption and decryption is called symmetric key cryptography. The other kind is asymmetric key cryptography, where a private key is used for encryption and a public key is used for decryption. This thesis is focused on symmetric key cryptography, so whenever we talk of a cryptographic primitive, symmetric key cryptography is implied.

One of the emerging areas of cryptography in the last few years is lightweight cryptography. As the name signifies, it is a scaled-down version of traditional cryptography. It involves the design and analysis of cryptographic primitives for devices which are resource constrained. In fact, it is a combination of two fields, cryptography and hardware technology, as we will explore in later chapters. Lightweight cryptography has assumed greater significance with the evolution of a large number of small ubiquitous computing devices, e.g. radio-frequency identification devices (RFID). These ubiquitous devices are used widely nowadays and contain sensitive and personal information. In some scenarios, these devices are shared by many users, so there is a grave concern about misuse of the information. These miniature devices are resource constrained, so it is not possible for them to run traditional cryptographic algorithms, which require larger memory and greater processing power than these miniaturized devices possess. So there is a need for innovative cipher designs to suit the needs of these devices.

Many lightweight cryptographic algorithms have been proposed in the recent past. Instead of re-inventing the wheel completely, most of the building blocks have been taken from traditional cryptography, but with slight modifications. We will discuss the design of lightweight block ciphers in detail in chapter 2. Lightweight cryptography (like any other cryptographic primitives) can be divided into four categories.

1. Block ciphers: The symmetric key cipher in which a block of plaintext of fixed size is passed through an invertible function, along with a key as parameter, to give the ciphertext.

2. Stream ciphers: The symmetric key cipher in which a string of plaintext bits is xored with a stream of bits generated from a key, when it is passed through a function, to give the bit string of ciphertext.

3. Hash functions: The cryptographic primitive which takes a fixed-size block of plaintext as input to a one-way function to return a unique string of bits.

4. Message authentication codes: The cryptographic primitive in which a key and a long string of message bits are given as input to a function to give a unique shorter string of bits as output. It is also called a keyed hash function.

For this thesis work, we will be focusing only on block ciphers. While discussing the design and implementation issues, we may touch upon other primitives; in that case it will be explicitly mentioned. A block cipher involves dividing the plaintext into blocks of fixed size. These blocks, along with the key, in turn serve as input to the encryption algorithm to produce the ciphertext. A block cipher encryption algorithm consists of xoring of key bits along with permutation and substitution of bits as its main building block, called the round function. The round function is repeated several times (the number of rounds), each time with the output of the previous round serving as input to the next. In the case of lightweight block ciphers, because of the resource constraints of the device, there are some considerations for designers. Certain functionalities, e.g. permutation, are very easy to implement, whereas substitution of bits is difficult. So the idea is to keep the functionalities which are tough to implement to a minimum. Generally the number of rounds is kept higher than in traditional block ciphers to compensate for the simplicity of the round function.

Besides the constraint of resources, the designer also has to keep in mind the most important requirement, i.e. the security of the cipher. The resource constraint in any case must not jeopardize the security of the cipher. Generally a lightweight block cipher has to be wired into the device along with the key, so if the device is compromised there is no flexibility to change the cipher without changing the device, unlike in a traditional computing environment. So the security of the cipher needs to be analyzed in greater detail. The security of any cipher is judged through cryptanalysis. Cryptanalysis is the art of recovering the meaningful information from the encrypted information without knowledge of the key. Cryptanalysis of traditional block ciphers has been improving. These new results also have a profound impact on the design and security of lightweight block ciphers. We will present in greater detail the cryptanalysis of KLEIN [20] and LBlock [47] and present some interesting details about their structure in chapter 4.

1.1 Problem statement

The thesis studies the recently published lightweight block ciphers to find weaknesses in them. The goal of the thesis can be summarized into the three objectives below:

1. Study the design and implementation techniques of lightweight block ciphers.

2. Cryptanalysis of recently published lightweight block ciphers, their structure and key schedules. This also involves implementation of attacks.

3. Propose a viable solution to prevent the attack.

We intend to achieve the above objectives by using analytical and practical methods, mainly through programming.

1.2 Scope of thesis

The first part of the thesis focuses on the design principles of lightweight cryptographic primitives. It presents the state of the art for designing lightweight cryptography. It illustrates the various design strategies that have been employed to design a lightweight block cipher. Along with that, it highlights implementation issues for lightweight cryptographic primitives. We will explain the recent innovations in the design of lightweight cryptography that can be used to reduce the circuit area of the cipher. From the perspective of design and implementation issues, this thesis presents the recent work and the future direction.

The second part of the thesis explores the cryptanalysis of lightweight block ciphers. We will also present the state of the art of cryptanalysis along with the recent advancements in the field. In fact, the major part of the work involved in this thesis focused on finding weaknesses in various recently proposed ciphers. We will explore attacks using various attack models, such as known plaintext or chosen plaintext, etc. We propose an attack on a recently designed cipher, KLEIN-64 [20], reduced to 9 rounds (the cipher has a total of 12 rounds). This attack is an extension of the previous 8-round attack on KLEIN by Aumasson et al. [3]. In chapter 4 we will first explain the eight-round attack by Aumasson et al. [3] and then present an extension of this attack to nine rounds of KLEIN. The previous attack presents a 32-bit truncated differential with a probability of 2^−33.90 for seven rounds. This seven-round characteristic is used in a 1-R setting for recovering the key bits of 8-round KLEIN. We have extended the differential characteristic in a 2-R setting to extend the attack by one round. Along with the attack, we also analyze the structure of the KLEIN cipher and explain the various deterministic properties of the cipher and its key schedule. During the course of this thesis we also analyzed other block ciphers such as LED [22], LBlock [47] and Piccolo [40]. There has not been much success in breaking these ciphers, but we have been able to find certain properties in the structure of the cipher and the key schedule which could be used to attack the cipher. We are going to present our findings related to these ciphers. Besides, we studied 3 × 3 and 4 × 4 S-boxes to find an S-box permutation that has a bipartite component in its differential distribution table as well as a non-trivial linear approximation. We will explain the reasoning for finding such S-boxes in the later chapter dealing with cryptanalysis.

1.3 Structure of the Thesis

The rest of the thesis consists of 4 chapters. Chapter 2 provides a brief introduction to the design principles of lightweight block ciphers. It also touches on the implementation aspects of lightweight block ciphers. Chapter 3 presents a literature survey of various cryptanalysis methods. In chapter 4 we present the attack on 9 rounds of KLEIN. It also presents an analysis of the key schedule of LBlock. This chapter also explores 4 × 4 bit S-boxes. Chapter 5 presents future directions in the field of lightweight cryptography and concludes the thesis.


Chapter 2

Design of Lightweight Block Ciphers

In this chapter we will first present symmetric cryptography in detail, which is necessary to understand the concept of block ciphers. A symmetric encryption scheme, also called a secret key scheme, is the cryptographic primitive in which the sender and recipient of the information share a secret called the key. Apart from the key, they also share the same algorithm to encrypt and decrypt the information. A succinct and precise definition of symmetric cryptography is given by Stinson in his book as below [43].

Definition 2.1 A symmetric cryptosystem, also called a symmetric encryption scheme, is a five-tuple (𝒫, 𝒞, 𝒦, ξ, 𝒟) where 𝒫 is the finite set of plaintexts, 𝒞 is the finite set of ciphertexts and 𝒦 is the key space. For each key K ∈ 𝒦 there is an encryption function E_K ∈ ξ with inputs K and P ∈ 𝒫 such that E_K(P) = C, and a corresponding decryption function D_K ∈ 𝒟 such that D_K(C) = P.

A block cipher is a type of symmetric cipher where the data is divided into plaintexts of fixed size and each such plaintext is given as input to an encryption algorithm. The algorithm consists of a round function that is repeated N times (N being the number of rounds of the algorithm). The round function is a weak function, and it is repeated many times to make the encryption algorithm stronger. For each round, the output of the previous round acts as input. We call these intermediate inputs and outputs the internal state. From now on, we will refer to the intermediate input and output of the round function as the state. Besides, there is a separate key for each round, called the round key. These round keys are derived from a master key using a key scheduling algorithm, which is also a part of the encryption algorithm. We can represent one round operation of a block cipher as

S_i = f(S_{i−1}, K_{i−1})

where f is the round function, S_i is the output of the function, and S_{i−1} and K_{i−1} are the inputs to the function.

After the last round of operation, a whitening operation is performed. It involves an xor of a key with the output of the last round. The whitening operation conceals the output of the last round. This helps to increase security against certain attacks, e.g. dictionary attacks and meet-in-the-middle attacks [38]. A block cipher can be represented as shown below in figure 2.1.

Figure 2.1: A general representation of block cipher

2.1 Design principle of block ciphers

We have already learned about the parameters of a block cipher. In this section, we will learn design strategies for block ciphers, and we will slowly move the focus towards lightweight block ciphers. The choice of block size, key size, round function and ciphertext size depends on the machine specification, the security requirement and the purpose of the deployment.

Before we delve deeper into the technical aspects of the design, we should also take a brief look at the other aspect of security design, i.e. the purpose and cost of security. A perennial question that every designer needs to address while designing any cipher is “how much security is good security”. It is an accepted principle that we should not overdo security, as it adds to the cost. So, if a deployed security mechanism is not utilized to its full capability, then it is a waste of resources. For example, we all know that AES (Advanced Encryption Standard) [19], a standard block cipher, has already been analyzed widely for its security. Till now, it has resisted various attacks. So ideally, device vendors should have deployed AES in their devices. But the problem with AES is that it is bulky and requires a lot of resources. Apart from that, it provides more security than what the user needs. Hence the need was felt to design primitives to suit the resource constraints of small devices, while at the same time these primitives should provide adequate security to the user. These are the major reasons for the push towards lightweight cryptography.

Now coming to the technical aspects of block cipher design: after she has decided on the input parameters, the next thing a designer has to focus on is the round function. Especially for lightweight block ciphers, the round function has to be simple for implementation in hardware, as these ciphers are directly written into the device. A round function consists of a non-linear function and a linear function. The non-linear function is called the confusion layer and the linear function is called the diffusion layer. Shannon introduced the concepts of diffusion and confusion as the building blocks of the round function [39]. The purpose of both functions can be stated as follows.

Confusion: This is a complex non-linear function. By non-linear function we mean that from the difference of the inputs we should not be able to get the difference of the outputs with probability 1, and vice versa. A good confusion function should not give any information about the key by analyzing the distribution of ciphertexts and plaintexts (i.e. the encryption function). The confusion function is usually implemented by an S-box.

Diffusion: This is a linear function. By linear function we mean that from the input difference of a pair of inputs to the function we can calculate the output difference between them, and vice versa. The main purpose of the diffusion function is to neutralize the knowledge of statistical properties of the plaintext. It distributes the input over the complete domain of the output with equal distribution. The diffusion function is usually implemented by a permutation of bits.
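To make these two definitions concrete, the following Python (an added example written for this page, not code from the thesis) builds the differential distribution table and the linear approximation table of a 4 × 4 S-box and of a bit permutation. The S-box is the published PRESENT S-box, the cipher this chapter introduces first; the 4-bit wire permutation is a constructed example. The permutation sends every input difference to exactly one output difference, while the S-box spreads each difference over several outputs; the table maxima are the quantities a designer bounds when arguing resistance to differential and linear cryptanalysis.

```python
# Added example for this page (not the thesis's code): DDT and LAT of a 4x4
# S-box versus a bit permutation, i.e. the confusion/diffusion definitions
# above expressed as counts. Works for any n-bit map f given as a callable.

# Published PRESENT S-box (the cipher introduced as the chapter's first example).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def present_sbox(x):
    return PRESENT_SBOX[x]


def bit_permutation(x):
    """Constructed 4-bit wire permutation (a linear map): bit i moves to
    position (3 * i) % 4, i.e. 0->0, 1->3, 2->2, 3->1."""
    y = 0
    for i in range(4):
        if (x >> i) & 1:
            y |= 1 << ((3 * i) % 4)
    return y


def parity(v):
    """Parity of the bits of v: the value of a dot product a.x over GF(2)."""
    return bin(v).count("1") & 1


def ddt(f, n=4):
    """Differential distribution table.
    ddt[a][b] = number of inputs x with f(x) ^ f(x ^ a) == b."""
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][f(x) ^ f(x ^ a)] += 1
    return table


def lat(f, n=4):
    """Linear approximation table.
    lat[a][b] = #{x : a.x == b.f(x)} - 2^(n-1); 0 means no correlation
    between input mask a and output mask b."""
    size = 1 << n
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            agree = sum(1 for x in range(size)
                        if parity(a & x) == parity(b & f(x)))
            table[a][b] = agree - size // 2
    return table


def max_differential_probability(f, n=4):
    """Largest probability that a fixed non-zero input difference produces a
    fixed output difference (the trivial row a = 0 is skipped)."""
    size = 1 << n
    t = ddt(f, n)
    return max(t[a][b] for a in range(1, size) for b in range(size)) / size


def max_linear_bias(f, n=4):
    """Largest absolute bias |Pr[a.x = b.f(x)] - 1/2| over non-zero masks."""
    size = 1 << n
    t = lat(f, n)
    return max(abs(t[a][b]) for a in range(1, size) for b in range(1, size)) / size


def difference_is_deterministic(f, n=4):
    """True iff every input difference gives exactly one output difference,
    which is the page's definition of a linear (diffusion) function."""
    size = 1 << n
    return all(max(row) == size for row in ddt(f, n))


if __name__ == "__main__":
    for name, f in (("PRESENT S-box", present_sbox), ("bit permutation", bit_permutation)):
        print(name, "| deterministic differences:", difference_is_deterministic(f),
              "| max diff. prob.:", max_differential_probability(f),
              "| max linear bias:", max_linear_bias(f))
```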

A block cipher design can be broadly divided into two types:

Feistel networks: In a Feistel network, the input is divided into two halves of equal length, i.e. left (L_i) and right (R_i). At each round, only half of the state is subjected to the round function. After each round, the left and right halves of the state are interchanged. The round function of a Feistel network is as follows.


Figure 2.2: A representation of Feistel networks

L_i = R_{i−1}

R_i = L_{i−1} ⊕ f(R_{i−1}, K_{i−1})

A two branch Feistel network based cipher is shown above in figure 2.2.
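The two round equations above, coded up as an added example (illustrative code written for this page, not from the thesis). The round function f and the key schedule are deliberately simple toy choices, assumed here for illustration only, and the final key whitening xor described earlier in this chapter sits on top. What the code shows is the property the Feistel structure buys: decryption runs the very same network with the halves swapped and the round keys in reverse order, even though f itself is not invertible.

```python
# Added example for this page (not the thesis's code): a 32-bit Feistel
# network that implements the round equations
#     L_i = R_{i-1}
#     R_i = L_{i-1} xor f(R_{i-1}, K_{i-1})
# followed by the key whitening xor described earlier in the chapter.
# The round function and key schedule are toy assumptions, chosen so that
# f is visibly NOT invertible; the network still decrypts exactly.

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1


def toy_round_function(half, round_key):
    """Toy f on a 16-bit half (assumption, not any real cipher's f).
    The AND with a rotated copy is non-linear and lossy: half == key and
    half == key ^ 1 both reach x & rot == 0, so f has no inverse."""
    x = (half ^ round_key) & MASK16
    rot = ((x << 5) | (x >> 11)) & MASK16     # rotate left by 5
    x &= rot                                  # lossy, non-linear step
    x = (x + round_key) & MASK16              # modular add mixes the key again
    return x ^ (((x >> 3) | (x << 13)) & MASK16)


def toy_key_schedule(master_key, rounds):
    """Toy key schedule (assumption): rotate the 64-bit master key, fold it
    to 16 bits and add a round constant. Returns the list of round keys and
    one 32-bit whitening key."""
    k = master_key & MASK64
    round_keys = []
    for i in range(rounds):
        k = ((k << 13) | (k >> 51)) & MASK64
        folded = (k ^ (k >> 16) ^ (k >> 32) ^ (k >> 48)) & MASK16
        round_keys.append(folded ^ ((0x9E37 * (i + 1)) & MASK16))
    k = ((k << 13) | (k >> 51)) & MASK64
    whitening = (k ^ (k >> 32)) & MASK32
    return round_keys, whitening


def feistel_rounds(left, right, round_keys):
    """Iterate S_i = f(S_{i-1}, K_{i-1}) in Feistel form, one key per round."""
    for k in round_keys:
        left, right = right, left ^ toy_round_function(right, k)
    return left, right


def encrypt(block, master_key, rounds=16):
    round_keys, whitening = toy_key_schedule(master_key, rounds)
    left, right = (block >> 16) & MASK16, block & MASK16
    left, right = feistel_rounds(left, right, round_keys)
    # whitening: xor a key with the output of the last round
    return ((left << 16) | right) ^ whitening


def decrypt(block, master_key, rounds=16):
    """Same network as encrypt: undo the whitening, feed the halves in
    swapped, use the round keys in reverse order, swap back at the end."""
    round_keys, whitening = toy_key_schedule(master_key, rounds)
    block ^= whitening
    left, right = (block >> 16) & MASK16, block & MASK16
    right, left = feistel_rounds(right, left, round_keys[::-1])
    return (left << 16) | right


def round_function_is_injective(round_key):
    """Checks all 2^16 half values; False shows f need not be invertible."""
    seen = set(toy_round_function(h, round_key) for h in range(1 << 16))
    return len(seen) == 1 << 16


if __name__ == "__main__":
    key, pt = 0x0F1E2D3C4B5A6978, 0x01234567      # constructed sample values
    ct = encrypt(pt, key)
    print(f"pt={pt:08x} ct={ct:08x} decrypted={decrypt(ct, key):08x}")
    print("round function invertible?", round_function_is_injective(0x1234))
```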

SPN (substitution and permutation network): In this type of cipher the entire state is subjected to the confusion layer. Diffusion is achieved either by permuting the bits or by subjecting the state to a linear function, e.g. an MDS matrix. We will see these later in this chapter with an example.

Both types of cipher design are prevalent in today’s world. The same design principles have been carried over to lightweight block ciphers too. But in the case of lightweight block ciphers, a designer does not have the same level of freedom as in a traditional environment. For the block and state size the designer selects a multiple of the machine word size. For lightweight block ciphers the plaintext and state size is generally selected as 64 bits. The next focus of the designer is the round function. This is the one part of the design where she has to optimize between various design parameters.


Figure 2.3: A general representation of SPN

Why not AES: Before we go further, this question needs to be addressed to justify the need for lightweight cryptography. As said earlier, the AES design is bulky and requires an area of about 3400 gate equivalents. AES has slow performance in constrained devices as compared to powerful devices. Apart from the resource and performance constraints, there is one more consideration that necessitates lightweight ciphers. AES provides more security than what is needed in the deployment scenarios for these miniaturized devices, which results in more consumption of resources even during the passive state. Besides, security is only one of the features of the devices; it should not eclipse the main feature of the devices. So, there was a need felt for cipher designs which suit the needs and functionality of these small devices.

2.2 Lightweight block cipher design

After a brief introduction to lightweight block ciphers and the motivation behind them, we will detail the design choices of lightweight block ciphers. The first question that weighs on the mind of designers is which of the two design strategies to choose, i.e. Feistel or SPN. There are advantages and disadvantages to both strategies. The major advantage that the Feistel design offers is that decryption is almost free. But we need to add more rounds to a Feistel cipher, which reduces the throughput of the cipher. SPN has a lower number of rounds because of a slightly more complex round function. But decryption is not free in SPN, so this strategy requires more area. Certain decisions remain the same for both strategies, e.g. block size, key size, etc. Since there is a restriction on memory and data paths, a smaller block size is chosen.


Generally 64 bits is the universal choice for the block size. Since these ciphers are designed for the need of moderate security, the key sizes vary from 64 to 128 bits. The round function is kept simple so that it does not occupy much space. The general choice for the confusion layer (for both design strategies) is a 4 × 4 bit S-box. A 4 × 4 bit S-box keeps the implementation of the cipher compact as compared to a larger one, e.g. an 8 × 8 bit S-box. An S-box is implemented by a table lookup. For any n × n bit S-box we need 2^n × 2^{2n} bits of memory to store the S-box. So for a smaller S-box, the implementation is compact.

The permutation of bits is easily achieved in hardware. So, the choice for the diffusion layer is a permutation of bits (e.g. in the cipher PRESENT). The newly designed ciphers KLEIN and LED have proposed a different kind of diffusion layer. It is the same as used in AES, i.e. multiplying the state by a maximum distance separable (MDS) matrix [19]. The advantage of using these matrices is that they help the designer to prove security with tighter bounds along with good diffusion properties. We will study these matrices in detail in a later section. Besides the choice of design strategy, designers also have to focus on various parameters with respect to the hardware. There is broad agreement in the community on the metrics impacting lightweight block cipher design. The designer has to maintain an optimum balance between these objectives for the design of a lightweight block cipher. Below we list them.

• Gate count: It is a measure of area, also called gate equivalents (GE). In many hardware technologies, the unit of gate equivalent or gate count is equal to the amount of space occupied by a NAND gate. The number of gate equivalents is calculated by dividing the area occupied by the total circuit of the cipher by the area occupied by a two-input NAND gate. For a lightweight block cipher, the lower the gate equivalent, the better it is. Generally the gate equivalent for a lightweight block cipher is around 2000 ∼ 4000.

• Power: It is the amount of battery consumed during the computationof one bit of output. Its unit is watts. If we have power then we canalso calculate energy ber bit as it is equal to power consumed duringa period of time, divided by number of bits produced during this time.Similarly, we can calculate current as it is equal to power consumeddivided by the voltage of the battery or power source.

• Throughput:It signifies the speed of the cipher. It is calculated bynumber of bits of output produced in a cpu cycle. Designers aim forhigher throughput. It is measured in kbps.


To summarize, below we list the various considerations that every designer should keep in mind while designing a lightweight block cipher.

• The designer should always keep in mind that the algorithm needs to be written into the devices, so the design should use few device resources, i.e. memory, CPU cycles, circuit area, etc.

• The S-box (confusion layer) should be small, usually 4 × 4 bits, for a compact implementation. At the same time it should provide the required non-linearity to the cipher.

• The key schedule should be simple so as to occupy less area; the newly designed ciphers keep the key fixed.

• There is no option for re-keying, as the cipher is directly written into the device.

• The diffusion layer should be implemented such that it achieves an optimal balance between area and mixing of bits.

• The designer should try to achieve an optimal balance between the various parameters of the metrics defined above.

• The designer aims to increase throughput and decrease area.

• The cipher should be strong enough that an attacker cannot defeat the purpose of its deployment.

2.3 Example Ciphers

In this section, we present two lightweight block ciphers to highlight the design strategies used by their designers. The first one, PRESENT [10], was published at CHES 2007 and gives a kind of legacy perspective on the design of such ciphers. The second one, LED [22], presents an innovative way to design a lightweight block cipher using AES (Advanced Encryption Standard) as the underlying design block. These two ciphers are SPN block ciphers. We will study one Feistel cipher, LBlock [47], when we discuss cryptanalysis in chapter 5.


2.3.1 PRESENT

PRESENT was designed by Bogdanov et al. in 2007. It was one of the first designs that caught the attention of the research community, and it has been widely analyzed. PRESENT is a substitution-permutation based cipher. It has a block size and internal state of 64 bits, a key length of 80 or 128 bits, and 31 rounds. For the confusion layer PRESENT uses a 4 × 4 bit S-box, so 16 copies of the same S-box are applied separately to the 16 four-bit nibbles of the state. For the diffusion layer it relies on a permutation of bits. The S-box and the bit permutation are given below.

x     0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x)  C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

Table 2.1: S-box for PRESENT

i      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
P(i)   0 16 32 48  1 17 33 49  2 18 34 50  3 19 35 51
i     16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
P(i)   4 20 36 52  5 21 37 53  6 22 38 54  7 23 39 55
i     32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
P(i)   8 24 40 56  9 25 41 57 10 26 42 58 11 27 43 59
i     48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
P(i)  12 28 44 60 13 29 45 61 14 30 46 62 15 31 47 63

Table 2.2: Diffusion layer of PRESENT

The round function of PRESENT consists of the three steps shown in figure 2.4:

• addRoundKey: XOR the state with the 64-bit round key.

• sBoxLayer: Divide the state into 16 four-bit nibbles and substitute each nibble according to the S-box.

• pLayer: Permute the bits of the state.


Besides, PRESENT has a key schedule algorithm to derive a 64-bit key for each round. The algorithm for an 80-bit master key is given below. The steps below are repeated for each round, where round_counter is the number of the round. The XOR with the round counter is used to avoid slide attacks [9].

[k79 k78 ... k1 k0] = [k18 k17 ... k20 k19]

[k79 k78 k77 k76] = S[k79 k78 k77 k76]

[k19 k18 k17 k16] = [k19 k18 k17 k16] ⊕ round_counter

Figure 2.4: PRESENT block cipher [10]
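The S-box, pLayer and key schedule above, assembled into a complete PRESENT-80 as an added worked example (this is not code from the thesis or from the PRESENT designers; it follows the PRESENT specification, in which the round counter is five bits wide and is XORed into k19..k15, and bit 0 is the least significant bit of the state):

```python
# Added example (not from the thesis): a straightforward, unoptimised
# PRESENT-80 built from the S-box and pLayer tables of section 2.3.1.
# Bit 0 is the least significant bit of the 64-bit state, as in the PRESENT
# specification; nibble j occupies bits 4j+3..4j.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# pLayer from Table 2.2: bit i moves to position 16*i mod 63 (bit 63 is fixed).
PBOX = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
INV_PBOX = [PBOX.index(j) for j in range(64)]

MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1
ROUNDS = 31


def sbox_layer(state, table=SBOX):
    """Apply the same 4x4 S-box to each of the 16 nibbles of the state."""
    out = 0
    for j in range(16):
        out |= table[(state >> (4 * j)) & 0xF] << (4 * j)
    return out


def p_layer(state, table=PBOX):
    """Bit permutation: bit i of the input lands on bit table[i]."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << table[i]
    return out


def key_schedule(key80):
    """Derive the 32 round keys K_1..K_32 from an 80-bit master key.

    Each round key is the leftmost 64 bits of the key register. The register
    is then rotated left by 61 positions, its top nibble is passed through the
    S-box, and the 5-bit round counter is XORed into bits k19..k15 (the
    specification uses five counter bits so that rounds 1..31 stay distinct).
    """
    k = key80 & MASK80
    round_keys = []
    for counter in range(1, ROUNDS + 1):
        round_keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & MASK80              # [k79..k0] = [k18..k19]
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))  # S-box on k79..k76
        k ^= counter << 15                                 # round counter
    round_keys.append(k >> 16)                             # K_32, final whitening
    return round_keys


def encrypt(plaintext, key80):
    """31 rounds of addRoundKey, sBoxLayer, pLayer, then a final addRoundKey."""
    rk = key_schedule(key80)
    state = plaintext & MASK64
    for r in range(ROUNDS):
        state ^= rk[r]
        state = sbox_layer(state)
        state = p_layer(state)
    return state ^ rk[ROUNDS]


def decrypt(ciphertext, key80):
    """Undo the rounds in reverse order with the inverse pLayer and S-box."""
    rk = key_schedule(key80)
    state = (ciphertext & MASK64) ^ rk[ROUNDS]
    for r in reversed(range(ROUNDS)):
        state = p_layer(state, INV_PBOX)
        state = sbox_layer(state, INV_SBOX)
        state ^= rk[r]
    return state


if __name__ == "__main__":
    # Test vector from the PRESENT paper: all-zero key and all-zero plaintext.
    print(f"{encrypt(0, 0):016x}")   # prints 5579c1387b228445
```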

PRESENT is easy to implement in hardware, with 1570 gate equivalents. The choice of a bit permutation as the diffusion layer suits small devices, as it is easily realized. It has also been implemented on a 4-bit micro-controller [45]. The choice of a 4 × 4 S-box makes the hardware implementation compact, which is not so easy with an 8 × 8 bit S-box. The throughput of PRESENT is 200 Kbps on 8-bit devices. With regard to security, PRESENT has performed very well and has been widely analyzed. Till now the best practical attack reaches 15 rounds with complexity 2^35.6 [14].

2.3.2 Maximum distance separable matrix

Before we explain another example cipher, it is a good idea to explain the MDS (maximum distance separable) matrix. This matrix is used as the diffusion layer in many ciphers, e.g. AES (Advanced Encryption Standard) and Piccolo [40]. The matrix used in AES is given below.

    [2 3 1 1]
    [1 2 3 1]
    [1 1 2 3]
    [3 1 1 2]

The internal state of the cipher is multiplied by an MDS matrix to achieve diffusion in each round. The MDS concept is taken from linear coding. A linear code (a sequence of symbols) is characterized by three parameters: n, the length of the codeword (the sum of the number of input and output symbols); k, the dimension of the matrix; and d, the number of positions in which two codewords differ. It is important to clarify that in any machine one symbol occupies one byte, so the length of the codeword n is nothing but the sum of the number of input and output bytes. Similarly, d, the number of positions where two codewords differ, is the same as the total number of byte differences between two input codewords. A linear code is called MDS if d = n − k + 1. For the matrix used in AES, the codeword length n is 8 bytes because it takes an input of 4 bytes and produces an output of 4 bytes. The dimension of the matrix k is 4, so d = 8 − 4 + 1 = 5. In simple words, if we apply two inputs with a particular number of differences to an MDS matrix then we are sure to get at least a certain number of differences in the output. If we denote the total number of differing input bytes as d_in and the total number of differing output bytes as d_out, then for an MDS matrix d_in + d_out ≥ V, where V is called the branch number. For the matrix used in AES the branch number is 5. The branch number is very important as it helps the designers to give tighter bounds for the security of the cipher. It gives the number of outputs that will change if we change one byte of input in a single round.

There is another important concept, field arithmetic, which is necessary for understanding modern-day ciphers. For example, all multiplication operations in AES are performed in a finite field. In field arithmetic, when there is a finite set of elements the field is called a Galois field or finite field, denoted GF(p^n), where p is a prime number and n > 0. If we simply use GF(p) then it is called a primitive field, and if n > 1 it is called an extension field. In AES we use the finite field GF(2^8) with the primitive field GF(2). The reason for choosing the field GF(2^8) is that it is easier for byte operations. We can represent any element of the field GF(2^8) with a polynomial representation. The coefficient of the polynomial is 0 or 1 (an element of GF(2)) depending upon whether the binary representation of that element has a 0 or a 1 in that place. For example we can represent 5, i.e. (0101)_2, as x^2 + 1 in polynomial representation. Similarly all the elements of GF(2^8) can be represented by

b7·x^7 + b6·x^6 + b5·x^5 + b4·x^4 + b3·x^3 + b2·x^2 + b1·x + b0,   bi ∈ {0, 1}

The operations of addition and subtraction in the field GF(2^8) are nothing but xor, so they do not leave the field. But this is not the case with multiplication, as the degree of the polynomial can grow after multiplication. The result after multiplication should be kept in the field. For this purpose, after multiplication we need to check whether the result has left the field. If so, we need to divide it by an irreducible polynomial of the field GF(2^8) and take the remainder as the result. Irreducible polynomials are those which are divisible by none other than 1 and themselves. We choose an irreducible polynomial for reduction because every element in the field will then have a unique inverse with respect to the irreducible polynomial, which helps during decryption. The irreducible polynomial in the case of AES is x^8 + x^4 + x^3 + x + 1. The next question that arises is why we have chosen a polynomial of degree 8. It is because the maximum degree of a multiplication result in the field GF(2^8) for byte representation can be 15. But we need to keep the result within degree 7, so we have to divide by a polynomial of degree 8 (15 − 7). To represent it formally, if M denotes an MDS matrix, X the input, Y the output and m(x) the irreducible polynomial of the field, then we can write

Y = X × M mod m(x)

where the mod operation reduces the result into the field defined by the irreducible polynomial. Below we will see multiplication by the AES MDS matrix as an example to further familiarize ourselves with the concept.

Multiplication by an MDS matrix in a field: In binary arithmetic, multiplication by any power of 2, i.e. 2^k, is performed by a left shift by k bits. Using this fact we can multiply any number by any fixed number very easily. For example, in the case of multiplying 5 by 3, we can represent 3 as 2 ⊕ 1, hence we can write 5 × 3 as 5 × (2 ⊕ 1). Multiplication in any field is distributive, so we can write 5 × 3 as (5 × 2) ⊕ (5 × 1). Thus the multiplication operation is nothing but shift and xor, which are easily achieved in hardware.

5 × 3 = 5 × (0011)_2 = (5 << 1) ⊕ (5 << 0) = 15


Below we explain how to implement the MDS multiplication in a field using shift and xor operations. In AES the MDS matrix below is used. The multiplication is performed in the field defined by x^8 + x^4 + x^3 + x + 1, which is the polynomial representation of 0x11b. Suppose we have the input [x0, x1, x2, x3]^T. Then we can write

    [x0]   [2 3 1 1]
    [x1] × [1 2 3 1]
    [x2]   [1 1 2 3]
    [x3]   [3 1 1 2]

as

y0 = (2 × x0) ⊕ (3 × x1) ⊕ (1 × x2) ⊕ (1 × x3)

y1 = (1 × x0) ⊕ (2 × x1) ⊕ (3 × x2) ⊕ (1 × x3)

y2 = (1 × x0) ⊕ (1 × x1) ⊕ (2 × x2) ⊕ (3 × x3)

y3 = (3 × x0) ⊕ (1 × x1) ⊕ (1 × x2) ⊕ (2 × x3)

Multiplication by 2 can be performed by shifting by 1 bit. Multiplication by 3 can be performed as explained in the example above. If any of x0, x1, x2 and x3 has its most significant bit set then multiplying by 2 or 3 will make the result leave the field (the result will have degree 8). So, in such cases, after the shift operation we have to bring the result back into the field. This can be done by xoring the result with 0x1b, as subtraction is the same as xor in GF(2^8).

It should be clear by now that implementing the diffusion layer by multiplication with an MDS matrix can easily be done in hardware because it just involves shift and xor operations. But MDS multiplication requires a lot of circuit area for a byte-serial implementation of this function. Serial implementation means that we update one byte of output at a time. So a compact implementation of this MDS matrix is not possible. But for LED, the designers have come up with an innovative idea to implement the diffusion layer efficiently using an MDS matrix, which we describe below.

2.3.3 LED

The LED cipher was designed by Guo et al. and presented at CHES 2011 [22]. It is inspired by the design of AES (Advanced Encryption Standard). It has a block size of 64 bits arranged in a 4 × 4 matrix of 16 four-bit nibbles. It comes in four variants of key length: 64 bits (LED-64), 80 bits (LED-80), 96 bits (LED-96) and 128 bits (LED-128). LED-64 has 32 rounds and the others have 48 rounds. The round key is the same in every round. The round function is repeated 8 times in the case of LED-64 and 12 times in the other cases. This cipher has aroused the most interest because of the very strong design of its round function. Its round function consists of four iterations of:

AddConstants: Xor the fixed round constants.

SubNibbles: Substitute each element of the matrix with its value in the S-box.

ShiftRows: Rotate the elements of the i-th row left by i positions.

MixNibbles: Mix the state by multiplying it with an MDS matrix.

Figure 2.5: LED Round function [22]

LED uses the same S-box as PRESENT. It has a diffusion layer like that of AES. All operations are performed in the field GF(2^4), with irreducible polynomial x^4 + x + 1. The implementation of an AES-like diffusion is very costly (it occupies a lot of space) in small devices. However, the designers of LED have come up with an innovative way to implement the diffusion layer so that the cost is minimized. The problem with multiplication by the AES matrix is that its implementation cannot be made compact. For the AES matrix multiplication, if we want to achieve the diffusion operation for each column vector with four operations then it will require a very large circuit area, as the bytes need to be updated serially. To do away with this problem, the designers of LED came up with a matrix design that updates only the last byte of the input column vector and then rotates the last row of the matrix upwards to get the remaining result bytes. We can understand this better with an example: suppose we have an input vector X = [x0, x1, x2, x3]^T and MDS matrix A. Then the output Y = [y0, y1, y2, y3]^T can be written as A × X, where A is obtained as the fourth power of a sparse matrix that is very compact to implement in hardware. With such a matrix we can achieve the multiplication with only four operations for each column. The MDS matrix for LED is

        [1 0 0 0]^4     [4 1 2 2]
    A = [0 1 0 0]    =  [8 6 5 6]
        [0 0 1 0]       [B E A 9]
        [3 1 1 2]       [2 2 F B]

Figure 2.6: LED Block Cipher
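The shift-and-xor multiplication, the AES MixColumns step and the LED matrix power, carried out in code as an added example that serves both section 2.3.2 (multiplication by the AES MDS matrix in GF(2^8), reduction by 0x11b, branch number 5) and the LED matrix above. It is not code from the thesis or from the AES or LED designers; for the sparse matrix it uses the companion matrix as given in the LED paper, whose last row is (4, 1, 2, 2), and checks that its fourth power over GF(2^4) with x^4 + x + 1 is the matrix printed above:

```python
# Added example (not from the thesis): multiplication in GF(2^n) by shift and
# xor, AES MixColumns on one column, a check of the branch number for
# single-byte input differences, and the LED matrix A^4 computed in GF(2^4).
# Field polynomials in the page's notation: 0x11b = x^8+x^4+x^3+x+1 for AES,
# 0x13 = x^4+x+1 for LED.

AES_POLY, AES_BITS = 0x11B, 8
LED_POLY, LED_BITS = 0x13, 4

AES_MDS = [[2, 3, 1, 1],
           [1, 2, 3, 1],
           [1, 1, 2, 3],
           [3, 1, 1, 2]]

# Companion matrix as in the LED paper: only the last nibble of the column
# is a real computation, the other rows just move the input one row upwards.
LED_A = [[0, 1, 0, 0],
         [0, 0, 1, 0],
         [0, 0, 0, 1],
         [4, 1, 2, 2]]


def gf_mul(a, b, poly=AES_POLY, bits=AES_BITS):
    """Multiply a and b in GF(2^bits): for every set bit of b, xor the
    current a into the result; shift a left (times x) and reduce by the
    irreducible polynomial whenever the degree reaches `bits`."""
    result = 0
    top = 1 << bits
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1                  # multiply by x, i.e. by 2
        if a & top:
            a ^= poly            # subtraction is xor: bring a back into the field
    return result


def mat_vec(matrix, vec, poly, bits):
    """y = M * x with all products in GF(2^bits) and all sums as xor."""
    out = []
    for row in matrix:
        acc = 0
        for coef, x in zip(row, vec):
            acc ^= gf_mul(coef, x, poly, bits)
        out.append(acc)
    return out


def mat_mul(m1, m2, poly, bits):
    """Square-matrix product over GF(2^bits)."""
    cols = [[row[j] for row in m2] for j in range(len(m2))]
    # entry (i, j) is the dot product of row i of m1 with column j of m2
    return [mat_vec(cols, row, poly, bits) for row in m1]


def mix_column(column):
    """AES MixColumns on one column [x0, x1, x2, x3] of bytes."""
    return mat_vec(AES_MDS, column, AES_POLY, AES_BITS)


def min_output_weight_single_diff():
    """Smallest number of output bytes that change when exactly one input
    byte changes. With branch number 5 (d_in + d_out >= 5) this must be 4."""
    best = 4
    y_base = mix_column([0, 0, 0, 0])
    for pos in range(4):
        for delta in range(1, 256):
            x = [0, 0, 0, 0]
            x[pos] = delta
            y = mix_column(x)
            weight = sum(1 for a, b in zip(y, y_base) if a != b)
            best = min(best, weight)
    return best


def matrix_power(m, e, poly, bits):
    result = m
    for _ in range(e - 1):
        result = mat_mul(result, m, poly, bits)
    return result


def led_mds():
    """A^4 over GF(2^4) with x^4+x+1: the matrix LED's MixNibbles applies."""
    return matrix_power(LED_A, 4, LED_POLY, LED_BITS)


if __name__ == "__main__":
    print(gf_mul(5, 3))                    # 15, the page's 5 x 3 example
    for row in led_mds():
        print(" ".join(f"{v:X}" for v in row))
```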

There has been no effective attack against LED. One reason is the strong permutation obtained from the four rounds, but it is still early days. The underlying design of AES has been analyzed widely with no effective attack to date, so LED is presumed to be a very safe design.

Variants   Block Size   Key Size   Gate Count   Tput@100KHz   Tech.
LED-64     64           64         966          5.1           0.18
LED-80     64           80         1040         3.4           0.18
LED-96     64           96         1116         3.4           0.18
LED-128    64           128        1265         3.4           0.18

Table 2.3: LED performance details

The lightweight block cipher design space is mainly dominated by SPN and Feistel designs. Ciphers such as mCrypton [32] use the SPN design. DESXL [36], KASUMI [1] and CLEFIA [41] use the Feistel design. There have been designs such as KATAN and KTANTAN [18] which are very different from SPN and Feistel. The KATAN and KTANTAN [18] family of ciphers comes in block lengths of 32, 48 and 64 bits; their key size is fixed at 80 bits. Their design resembles a stream cipher more closely. One of the advantages of this design is that it occupies very little area: the gate equivalent count for the family varies from 462 to 1269. But apart from these, most of the ciphers use either SPN or Feistel as the building block.

2.4 Conclusion

Lightweight cryptography as a whole is still in its nascent stage. There are many questions that need to be researched and answered convincingly. Among all the lightweight cryptographic primitives, the lightweight block cipher seems to be the most developed. Traditionally, the research community understands block cipher primitives better than other cryptographic primitives, and lightweight block ciphers seem to have benefited from earlier work. Nevertheless, there are still open questions for the designers of lightweight block ciphers.

• What should the optimum key length be? A 64-bit key seems to be susceptible to brute force attack as computing power increases.

• How much should a designer pay for the key schedule, or should the key be the same for each round?

• What should be the focus of the design of the round function?

• How costly should a confusion layer be? Generally it is the costliest part of the design.

• How expensive should the linear layer (diffusion layer) be to compensate for the cost of the confusion layer?

• What should be the optimum balance between the strength of the round function and the number of rounds?

• Is there a need for a standard lightweight block cipher along the lines of AES?

As hardware technology shrinks these questions will come to the fore. A future direction in the design of lightweight block ciphers can be to seek the answers to the above questions.


Chapter 3

Cryptanalysis of Symmetric Ciphers

In this chapter, we describe various cryptanalysis techniques for block ciphers. Cryptanalysis is the technique of extracting useful information about the key by observing the plaintext and ciphertext. Using cryptanalysis, we try to break the secrecy provided by the cipher. There is no fixed method for cryptanalysis and perhaps there never will be. Every cipher is a different challenge to the attacker and hence demands a different insight to attack. To understand the cryptanalysis of a cipher, first we need to understand what we mean by the “secrecy” or “security” provided by the cipher. Similarly, when can we say that a particular cipher has been broken, or that the security provided by the cipher has been breached? First we will see what is meant by the “secrecy” of the cipher. Ciphers can be classified into two classes based on the claim of security provided by them: the first being “perfect secrecy”, the ideal security, and the other being “computational security”.

Perfect secrecy: A cipher achieves perfect secrecy when the ciphertext reveals no information about the plaintext. Expressed in terms of probability, knowing the ciphertext should not change the probability of a plaintext, i.e. all plaintexts should remain equi-probable. We can express this with conditional probability as follows:

Pr(P |C) = Pr(P )

Only the one-time pad cipher could achieve perfect secrecy. In this method every bit of the message is xored with a randomly generated string of bits which is the key, and the same key is never used again. Such a system is very difficult to achieve in the real world. It suffers from two problems: first, transfer of the key between the two parties is an overhead as the key size is the same as the message size. Secondly, it is very difficult to design a random bit generator that generates a string of bits that does not repeat itself indefinitely.

Computational security: The designers of a cipher evaluate it for attacks with the known techniques. If it requires 2^n amount of computation (processing) to break the cipher, then we say the cipher provides 2^n security. For the cipher to be secure in the real world this 2^n amount of computation should be infeasible for the attacker. If so, the designer claims that the cipher is computationally secure. But it is very difficult to prove a lower bound on the computational security of a cipher. To date, no designer has proved a lower bound on the security of their cipher except for the one-time pad. When designers derive the security of their cipher based on the current know-how of cryptanalysis techniques, there are certain assumptions behind it which may not hold for new attacks yet to be discovered. So it is very difficult to prove the lower bound for the computational security of the cipher. Besides processing power, computational security also takes into account the data complexity of breaking the cipher, which is a measure of how much data (plaintext-ciphertext pairs) is needed to break it.

Now coming to the other question: “when can we say that a cipher has been broken?” The answer largely depends upon the goal of the attacker. When the attacker is able to find the entire key of the cipher then the cipher is completely broken. But finding the key may not be the only target of the attacker. If a complete break of the cipher is difficult then the attacker can target the cipher to achieve a different objective, e.g. extracting the plaintext by observing the distribution of the ciphertext. The attacker may be successful in finding some bits of the plaintext or key. These scenarios are also considered a breach of the security provided by the cipher, but of lesser severity than a complete break. In a nutshell, we can say the cipher is broken when the attacker defeats the purpose of its deployment. In section 3.2, we will see the attack scenarios for ciphers.

3.1 Mode of operation

Block ciphers are used in many modes in the real world. Some of them are listed below.


Electronic codebook (ECB): In this mode, each block of plaintext is encrypted separately.

C_i = E_K(P_i)

P_i = D_K(C_i)

Cipher block chaining (CBC): In this mode, before encryption every plaintext block is first xored with the ciphertext of the previous block. The first block is xored with an initialization vector (IV). Decryption is the reverse of encryption. This mode makes the block cipher behave similarly to a stream cipher.

C_i = E_K(P_i ⊕ C_{i−1}),   C_0 = IV

P_i = D_K(C_i) ⊕ C_{i−1},   C_0 = IV

Cipher feedback (CFB): In this mode, the previous block of ciphertext is given as input to the encryption for the next block, and the resulting output is xored with the current plaintext block. Ciphertext C_0 is initialized with an initialization vector IV.

I_0 = IV,   I_i = C_{i−1},   O_i = E_K(I_i),   C_i = O_i ⊕ P_i

I_0 = IV,   I_i = C_{i−1},   O_i = E_K(I_i),   P_i = O_i ⊕ C_i

Output feedback mode (OFB): In this mode, the encryption output of the previous block (starting from the initialization vector) is fed back as the next encryption input, and each encryption output is xored with the plaintext block.

I_0 = IV,   I_i = O_{i−1},   O_i = E_K(I_i),   C_i = O_i ⊕ P_i

I_0 = IV,   I_i = O_{i−1},   O_i = E_K(I_i),   P_i = O_i ⊕ C_i

Counter mode (CTR): In this mode, a “nonce” or “counter” is encrypted and xored with the plaintext to give the ciphertext. The counter or nonce is incremented serially for the next blocks. Decryption recomputes the same encrypted counter value.

C_i = E_K(Counter_i) ⊕ P_i

P_i = E_K(Counter_i) ⊕ C_i

3.2 Attack models

One of the guiding principles of cryptography is Kerckhoffs' principle: “The method must not need to be kept secret, and having it fall into the enemy's hands should not cause problems”. This implies that apart from the key, the adversary has access to every other parameter of the algorithm. Based on this premise we can broadly divide attack models into the following types.

Ciphertext only attack: This is the most powerful attack. In this scenario, the attacker has only knowledge of the ciphertext. This type of attack is successful only on the weakest of ciphers.

Known plaintext attack: In this scenario, the attacker has knowledge of plaintexts and the corresponding ciphertexts. This is a very practical attack scenario, e.g. if an attacker is eavesdropping then he can also guess the plaintext corresponding to some ciphertexts depending upon the position or state of the communication (e.g. a letter will start with the word “Hello”, etc.).

Chosen plaintext: In this scenario, the attacker can choose plaintexts and get the ciphertexts corresponding to those chosen plaintexts.

Adaptive chosen plaintext: In this scenario, the attacker first observes a large number of ciphertexts. Based on the distribution of the ciphertexts the attacker chooses a plaintext to get the corresponding ciphertext. This kind of attack is not likely in practical scenarios.

Chosen ciphertext: In this scenario, the attacker is able to get the decrypted plaintext corresponding to his choice of ciphertext. This attack is the same as the chosen plaintext attack but in the reverse direction.

Related key: This is a relatively new attack model. Here the attacker can encrypt two plaintexts (the same plaintext, or two plaintexts with a constant difference) with two keys which have a fixed relation to each other. This attack model is very weak as there is very little chance for the attacker to get encryptions under two keys having a constant relation. For lightweight block ciphers, as the key is written to the device, this type of attack is not very probable.

3.3 Cryptanalytic technique

In this section we explain various cryptanalytic techniques. As said earlier, there are no fixed cryptanalytic methods for block ciphers. But there are some methods which can be applied to every cipher with some variation, though there is no guarantee that these methods will break the cipher. Cipher designers apply these methods to analyze the security level of the computational security. Informally, we can broadly classify these techniques as brute force techniques and non-brute force techniques. As the name suggests, brute force techniques involve a search of the entire key space. Other techniques utilize weaknesses in the structure of the cipher to find key bits.

3.3.1 Birthday paradox

This is an important concept from probability with many applications in different fields. Suppose a set contains N elements and there is a function f that maps this fixed input set of N elements to a fixed output set of the same N elements. The question is, what is the probability of a collision for two randomly selected different inputs x1 and x2, i.e. f(x1) = f(x2)? To find this, suppose we have selected Q elements randomly from the set of N elements. There will be no collision among these Q elements with probability

$$p = \left(1-\frac{1}{N}\right)\left(1-\frac{2}{N}\right)\cdots\left(1-\frac{Q-1}{N}\right) = \prod_{i=1}^{Q-1}\left(1-\frac{i}{N}\right)$$

$$\prod_{i=1}^{Q-1}\left(1-\frac{i}{N}\right) \approx \prod_{i=1}^{Q-1} e^{-i/N} = e^{-\sum_{i=1}^{Q-1} i/N} = e^{-Q(Q-1)/(2N)}$$

The probability of at least one collision is

$$p = 1 - e^{-Q(Q-1)/(2N)}$$

If we solve the above equation for a probability of 50%, we get Q ≈ 1.17√N. This implies that for N = 2^n we have to try about 2^{n/2} times to get at least one collision. The obvious result of the birthday paradox is that if we have a function that takes a 64-bit input and gives a 64-bit output, then it will take about 2^32 trials to find an input-output pair of a particular pattern with probability 1/2. This result is applied most often to hash functions, to estimate the probability of a collision.

3.3.2 Exhaustive Search

As the name signifies, this involves searching the entire key space to find the valid key. The attacker has a ciphertext C and the corresponding plaintext P. The attack can also be launched if the attacker has only the ciphertext and some prior information about the composition of the plaintext. It searches the entire key space to find the key that satisfies this plaintext and ciphertext pair, i.e. E_K(P) = C. The key size is chosen large enough (generally greater than 64 bits) to defeat present-day computing power, so that the attacker cannot find the key by an exhaustive attack.

3.3.3 Dictionary attack

When the block size of a cipher is small, the attacker can encrypt a message under all keys and store the results in a table. When this block is transmitted, the attacker can recover the key by matching the ciphertext with the one stored in the table.

3.3.4 Distinguisher

For a given input pattern, if the output pattern occurs with a probability that is substantially higher or lower than for a random output, then we say that we have a distinguisher for the cipher. The input pattern can be anything, such as an input pair difference, an input having certain bits fixed, etc. The only condition is that the corresponding output pattern should occur with probability substantially higher or lower than for a random output. This non-random behavior of the cipher for a particular input pattern can be utilized for recovering key bits.

3.3.5 Meet in the Middle attack

It was introduced by Diffie and Hellman [34]. In some ciphers, the key bits K can be divided into two sets K1 and K2 (|K| = |K1| × |K2|) such that K1 is used only in r1 (the first half of the cipher) and K2 only in r2 (the second half of the cipher), where r1 + r2 is the total number of rounds R. In such conditions we can guess the key bits of K1 in the forward direction using the plaintext P: we encrypt and store the values corresponding to all k1 ∈ K1 in a table T1. Similarly, we store the values corresponding to all k2 ∈ K2 from the backward direction using the ciphertext C in T2. If the values in T1 and T2 match for some k1 and k2 then that k1||k2 is one of the candidates. This type of attack applies to ciphers where the key can be divided into disjoint sets. For example, in a cipher C = E_K2(E_K1(P)), we can apply the meet in the middle attack to find a collision from the backward side using K2 and the ciphertext C and from the forward side using K1 and the plaintext P.

Recently, there have been some developments in the meet in the middle attack. New techniques have been developed using it. They are explained below.

Figure 3.1: General representation of MITM

3 subset MITM attack: It was introduced by Bogdanov et al. [11]. Instead of having two explicitly disjoint sets of master key bits, we may have two sets K1 and K2 such that some of the bits overlap. This can be explained by viewing the master key as three sets A0, A1 and A2 such that A0 = K1 ∩ K2, A1 = K1 \ (K1 ∩ K2) and A2 = K2 \ (K1 ∩ K2). If the key bits used in the round functions satisfy this property, then we can launch an attack to recover the key as follows.

1. Fix the value of A0.

2. Compute u = f1(P, A0||A1) for every A1 and store the results in a table as (u, A1).

3. Compute v = f2(P, A0||A2) for every A2 and store the results in a table as (v, A2).

4. If u = v, then (A0||A1||A2) is a candidate key.

5. Repeat the above steps (1-3) 2^|A0| times.

After running 2^|A0| times we can filter 2^(n−b) keys, where n is the key size and b is the block size.
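To make steps 1-5 concrete, here is an added example in Python that is not from the thesis: a constructed toy 16 bit Feistel cipher with a 20 bit key whose first two rounds depend only on A0||A1 and whose last two rounds depend only on A0||A2, attacked exactly as in the steps above. The cipher, its key split and every function name are the example's own assumptions. With n = 20 key bits and b = 16 block bits about 2^(n−b) = 16 candidates survive the first known plaintext/ciphertext pair, which is the figure stated above, and the remaining known pairs filter them down to the real key.

```python
# Added example (not from the thesis): the 3-subset MITM steps 1-5 run
# against a constructed toy cipher. Every name below is the example's own.

A0_BITS, A1_BITS, A2_BITS = 4, 8, 8      # 20-bit key = A0 || A1 || A2

def F(x):
    """8-bit round function: bijective and non-linear over GF(2)
    (xor, odd multiplier mod 256, then a rotation by 3)."""
    y = ((x ^ 0x5A) * 0x9D) & 0xFF
    return ((y << 3) | (y >> 5)) & 0xFF

def feistel_round(l, r, k):
    return r, l ^ F(r ^ k)

def feistel_round_inv(l, r, k):
    return r ^ F(l ^ k), l

def split_key(key):
    """A0 = low 4 bits, A1 = next 8 bits, A2 = top 8 bits."""
    return key & 0xF, (key >> 4) & 0xFF, (key >> 12) & 0xFF

def join_key(a0, a1, a2):
    return a0 | (a1 << 4) | (a2 << 12)

def f1(p, a0, a1):
    """First half of the cipher (rounds 1-2): depends on A0 and A1 only."""
    l, r = p >> 8, p & 0xFF
    l, r = feistel_round(l, r, a1)
    l, r = feistel_round(l, r, a0 * 0x11)    # 4-bit A0 repeated to 8 bits
    return (l << 8) | r

def f2(s, a0, a2):
    """Second half (rounds 3-4): depends on A0 and A2 only."""
    l, r = s >> 8, s & 0xFF
    l, r = feistel_round(l, r, a2)
    l, r = feistel_round(l, r, a0 * 0x11)
    return (l << 8) | r

def f2_inv(c, a0, a2):
    """Second half run backwards from the ciphertext."""
    l, r = c >> 8, c & 0xFF
    l, r = feistel_round_inv(l, r, a0 * 0x11)
    l, r = feistel_round_inv(l, r, a2)
    return (l << 8) | r

def encrypt(p, key):
    a0, a1, a2 = split_key(key)
    return f2(f1(p, a0, a1), a0, a2)

def mitm_3subset(pairs):
    """pairs: list of known (plaintext, ciphertext) pairs under one key.
    The first pair drives the meet in the middle; the rest filter the
    candidates. Returns the sorted list of surviving keys."""
    p0, c0 = pairs[0]
    candidates = []
    for a0 in range(1 << A0_BITS):                       # steps 1 and 5
        forward = {}
        for a1 in range(1 << A1_BITS):                   # step 2
            forward.setdefault(f1(p0, a0, a1), []).append(a1)
        for a2 in range(1 << A2_BITS):                   # step 3
            v = f2_inv(c0, a0, a2)
            for a1 in forward.get(v, []):                # step 4: u == v
                candidates.append(join_key(a0, a1, a2))
    # With n = 20 key bits and b = 16 block bits about 2^(n-b) = 16 keys
    # survive one pair; each further pair removes the wrong ones.
    return sorted(k for k in candidates
                  if all(encrypt(p, k) == c for p, c in pairs[1:]))

if __name__ == "__main__":
    key = 0x5C3A7                                        # constructed secret key
    pairs = [(p, encrypt(p, key)) for p in (0x1234, 0xBEEF, 0x0042)]
    print("after one pair:", len(mitm_3subset(pairs[:1])), "candidates")
    print("after three pairs:", [hex(k) for k in mitm_3subset(pairs)])
```

The work is 2^|A0| × (2^|A1| + 2^|A2|) = 16 × 512 half-cipher evaluations plus a table of 256 entries per A0 value, against 2^20 full encryptions for exhaustive search; this is the time/memory trade that every MITM variant in this section builds on, and it is why a key schedule that lets round keys be partitioned this way is a design weakness.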

Partial matching: It was introduced by Aoki et al. [2] in the context of hash functions. In this variant of MITM, instead of matching the entire state of the cipher from the backward and forward directions, we only need to match m bits out of the n bits. Suppose there are some common bits between K1 and K2, i.e. Kc = K1 ∩ K2, used in both the forward and backward direction. Then after trying 2^(|K1|−|Kc|) values from the plaintext side and 2^(|K2|−|Kc|) from the corresponding ciphertext side, if we match only m bits, 2^(|K1|+|K2|−2|Kc|−m) pairs will be left.

Indirect partial matching: This is an extension of the above concept. If we can express the first half of the cipher as G(K1) + φ(K2) and the second half as H(K1) + ψ(K2), then the matching condition G(K1) + φ(K2) = H(K1) + ψ(K2) can be rearranged so that the cipher is partitioned as G(K1) − H(K1) on one side and ψ(K2) − φ(K2) on the other. Now we can launch the MITM using K1 in one direction and K2 in the other direction.

Splice and cut technique: This concept was first used in the cryptanalysis of hash functions. The idea is to fix an intermediate state; this fixed intermediate state is called the splice. Using the previous idea, suppose we divide the cipher into three parts, E = f1 ∘ I ∘ f2, and fix an intermediate state S_inter. We have to create a table with one entry h_inter and, as the corresponding entry, E(f1^{-1}(S_inter)); E(f1^{-1}(S_inter)) is the ciphertext corresponding to the chosen plaintext f1^{-1}(S_inter). Now we just have to check f2^{-1}(E(f1^{-1}(S_inter))) = I; the key for which this holds is the candidate key. This technique has high data complexity. Recently it has been applied to the full cryptanalysis of AES-128 [25], but the data complexity is very high, 2^89, along with a time complexity of 2^126 [25].

3.3.6 Weak class of keys

Some ciphers exhibit a particular property with respect to certain keys or classes of keys. For example DES has six weak keys which result in fixed points, i.e. DES_weakkey(P) = P. The weak keys for DES are {0000000000000000, ffffffffffffffff, e1e1e1e1f0f0f0f0, 1e1e1e1e0f0f0f0f}. DES has a Feistel structure consisting of 16 rounds. It has a block length of 64 bits and a key length of 56 bits with 8 bits of parity. If we partition the 64 bit input message into two halves and denote them as M0 and M1 (each of M0 and M1 being a 32 bit message), the output after each round of encryption in DES can be denoted by (M2, M3), (M4, M5), ..., (M17, M16). For a fixed point to occur (e.g. DES_{fff...f}(a) = a), the condition M0 = M17, M1 = M16 has to hold. Since the round key is the same for each round for a weak key in DES, this can be naturally extended further as M2 = M15, M3 = M14, ..., M8 = M9 [15]. We can generate many messages of this particular pattern very easily by checking the condition M8 = M9.

Weak keys for PRINTCipher: Recently, for the lightweight block cipher PRINTCipher, Leander et al. [30] have found that there are 2^51 weak keys out of 2^80. For these keys there exists a distinguisher with probability 1. These weak keys result from a weakness in the substitution and permutation layers. PRINTCipher is a lightweight block cipher designed by Knudsen et al. [27]. It has a block size of 48 or 96 bits and a key size of 80 or 160 bits respectively. The round function of PRINTCipher is an SPN.

The weakness of PRINTCipher lies in the design of the S-box. For PRINTCipher, if there is a single bit of difference at the input of the S-box, there is a single output bit difference in the same position with probability 1/4. This is shown as follows:

S(00*) = 00*
S(0*1) = 0*1
S(*00) = *00

Figure 3.2: Round function of PRINTCipher-48 [27]

In the permutation layer, there is a set of S-boxes whose output bits go back as input to the same S-boxes. The combination of these two properties can be used to create a distinguisher for PRINTCipher as follows. If we give a plaintext and key of a particular pattern, we get a particular output pattern with probability 1. The plaintext pattern, key pattern and output pattern are shown below.

Start        00* *10 *** *** 00* *10 *** *** 00* *10 *** *** 00* *10 *** ***
Key xoring   01* *01 *** *** 01* *01 *** *** 01* *01 *** *** 01* *01 *** ***
Lin. layer   00* 11* *** *** 0*0 1*1 *** *** *00 *11 *** *** 00* 11* *** ***
RC           00* 11* *** *** 0*0 1*1 *** *** *00 *11 *** *** 00* 11* *** ***
Perm. layer  00* *11 *** *** 00* *11 *** *** 00* *11 *** *** 00* *11 *** ***
S-box layer  00* *10 *** *** 00* *10 *** *** 00* *10 *** *** 00* *10 *** ***

Table 3.1: Distinguisher for weak keys [27]

These keys are the weak keys (keys of the form in the key xoring row above). A fraction (1/2)^16 × (1/2)^13 of the keys (combination of xor key and permutation key) are of this form, which gives 2^51 out of the 2^80 keys. This example is of interest with respect to lightweight block ciphers: it shows how the weakness of a component of a cipher can be exploited to attack the cipher. So, while choosing the S-box and linear layer to build the round function, we should be careful that they do not have such inherent weaknesses.


3.4 Differential Cryptanalysis

Differential cryptanalysis was developed by Biham et al. in 1990 [6]. It is one of the seminal works in the area of cryptanalysis. Two plaintexts with a fixed difference are given as input to the encryption function E and the difference in the ciphertexts is observed. If the resulting ciphertext pair also has a fixed difference with high probability, this can be used to recover the key. We will explain differential cryptanalysis with an example toy cipher; the same cipher is used in the lecture notes of Howard Heys [23]. This will help us understand the concept easily, mainly the idea behind how to find differential characteristics. Below is the example toy cipher.

E(x, k) = (P(S(x ⊕ k)))^4

The cipher is an SPN whose round function consists of 4 bit S-boxes as the confusion layer and a bit permutation of the 16 bit state as the diffusion layer. The S-box and permutation layer of the cipher are given below. The total number of rounds we are considering is 4.

x     0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)  e 4 d 1 2 f b 8 3 a 6 c 5 9 0 7

Table 3.2: S-box for toy cipher

x     1 2 3 4  5 6 7  8  9 10 11 12 13 14 15 16
P(x)  1 5 9 13 2 6 10 14 3 7  11 15 4  8  12 16

Table 3.3: Permutation for toy cipher

Using the cipher (figure 3.3) as an example, we will try to understand differential cryptanalysis. As we said earlier, the difference of a pair of plaintexts is traced through the round functions to obtain the distribution of the output difference. We use the xor operation for the difference of the pair of messages because the key is xored with the internal state in each round. The first term we need to familiarize ourselves with is the differential trail or characteristic. An input difference which results in a high or low probability output difference is called a differential trail or characteristic. We have to iteratively find high probability differential characteristics for all the rounds of the cipher. Suppose we have a high probability differential characteristic α → β up to round r. If we want to extend it to round r + 1, then we have to search for a high probability characteristic β → δ for round r + 1. This process continues iteratively till the last round of the cipher.

Figure 3.3: Example Cipher

As we know, any round function has two parts, a confusion function and a diffusion function. The diffusion function is linear, hence we can determine the output difference corresponding to any input difference directly. But the S-box is the non-linear layer, so we have to analyze the S-box to find high probability input-output difference pairs. Generally, we write a program to find high or low probability input-output differences. A random distribution means that for any input difference, any output difference should occur with probability 1/2^n, where 2^n is the total number of possible differences. To analyze the probability of an output difference corresponding to an input difference, we need to construct the S-box differential distribution table. The distribution table for an n × n S-box is a 2^n × 2^n matrix which gives, for each input difference, the number of inputs that cause each output difference.

Algorithm 1 Algorithm for S-box differential distribution

Input: n bit S-box
Output: differential distribution table dist of the S-box
dist ← 0
for i = 0 → 2^n − 1 do
  for j = 0 → 2^n − 1 do
    dist[i ⊕ j][Sbox[i] ⊕ Sbox[j]]++
  end for
end for

Impact of key on the input to the S-box: As we are using the xor of plaintexts for the difference of plaintexts, it is important to analyze the impact of the key bits when the input difference passes through the non-linear and linear layers of the round function. Suppose we have two inputs I1 = P ⊕ K and I2 = P′ ⊕ K to an S-box. Then we can write the difference of the inputs entering the S-box as:

ΔI = I1 ⊕ I2 = (P ⊕ K) ⊕ (P′ ⊕ K) = P ⊕ P′

which is independent of the key. So the key bits have no impact on the difference in differential cryptanalysis. The same holds for the linear layer.

Finding differential characteristics: Differential characteristics can be found by observing the S-box distribution table. The distribution table for the S-box is given in the appendix. The idea is to find an input-output difference pair that holds with high probability. Now we will try to find the differential characteristics for our example toy cipher. From the table we can observe the following high probability input-output differences:

ΔB → Δ2 with probability 1/2

Δ4 → Δ6 with probability 3/8

Δ2 → Δ5 with probability 3/8

If we give the plaintext difference Δ0b00 to our toy cipher, then the differential path is as shown in figure 3.4 below for the four rounds:

Δ0b00 → Δ0040 (probability 1/2) → Δ0220 (probability 3/8) → Δ0606 (probability 9/64)

As the probability for each S-box is independent of the others, the total probability for the characteristic is

1/2 × 3/8 × 9/64 = 2^−5.3


Figure 3.4: Differential path [23]

The purpose of this example was just to show how to find a differential trail and how to determine the probability of a particular trail. The given S-box is very weak and one can easily find high probability differentials. This may not be true for real world ciphers, and one has to write programs to check the S-box for high probability differentials or other distinguishing properties. Sometimes we can also combine the non-linear and linear components of the cipher and treat them as one big S-box to analyze the cipher.

How to find the key: Using differential cryptanalysis we can recover the last round key. We need input pairs satisfying the differential characteristic for R−1 rounds, i.e. till the penultimate round. Once we find a pair that satisfies the input and output differential characteristic, we invert the linear layer of the last round to get the output pair after the S-box, i.e. the non-linear layer. Then we guess the last round key, combine it linearly with the output and check the input difference of the last round. If the input difference to the last round satisfies the differential characteristic of the penultimate round, then we have a candidate key. We generate a lot of pairs that satisfy the differential characteristic and count, for each key guess, the pairs whose input to the last round matches the differential characteristic. The keys having the highest count are the candidate keys. In our example, if we target only the 8 bits of key corresponding to the 8 active bits of state, then we have a total of 256 key values, and we can easily count the keys for a large number of pairs. The key with the highest number of occurrences will be the correct key. But sometimes we have to count a large number of key bits. The number of key bits that need to be counted and the probability of the differential characteristic determine the number of pairs needed for a successful attack. Biham et al. [6] defined a term called Signal to Noise ratio (SNR), which is the ratio of the number of right pairs to the average key count in a counting scheme. To put it simply, the value of SNR determines the average number of correct pairs needed to recover the key. SNR is given by

SNR = (2^k · p) / (α · β)

where k is the number of key bits counted, p is the probability of the differential characteristic, α is the average number of keys suggested by a pair and β is the ratio of non-discarded pairs to the total number of pairs. If the value of SNR is high then only 3-4 right pairs are needed for the attack to succeed. For an SNR value of 3 or 4, 40-50 right pairs are needed for the attack to succeed.

Complexity of attack: In cryptography, when we talk about the complexity of an attack it involves three things.

• Data complexity: It is equal to the amount of data that needs to be available to the attacker to successfully attack the cipher.

• Storage complexity: The amount of space needed to successfully attack the cipher. It is the precomputed storage plus the storage required during the attack.

• Computational complexity: It is the amount of computation required for the attack. It is generally expressed as 2^n, where n is such that 2^n is the number of times the attack steps need to be executed.

For differential cryptanalysis, first we need to generate a good pair. A good pair can be found by trying about 1/P_D pairs, where P_D is the probability of the r round differential characteristic. We have to try all the keys for the good pairs, so the computational complexity of the attack is the size of the key space the attacker is looking for. But as we need more than one pair, for the computational complexity we also need to take into account the computation required for generating the correct pairs, i.e. the data complexity. Data complexity is one of the most important criteria for the complexity of an attack. Besides, there is also the storage required for storing the candidate keys and their respective success counts. There have been many other cryptanalytic techniques which have either been derived from differential cryptanalysis or are variants of differential characteristics. Some of them are explained below.
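The following is an added example in Python, not code from the thesis or from Heys' notes, that carries the whole section through on the toy cipher: it implements the SPN from tables 3.2 and 3.3, computes the differential distribution table of Algorithm 1, measures the probability of the characteristic Δ0b00 → Δ0606 over all plaintext pairs for one key, and then performs the last-round key counting described above for the 8 key bits entering the two active S-boxes. The round keys are constructed values (the text fixes no key schedule), and all function names are the example's own.

```python
import random

# Added example (not from the thesis). Toy SPN from the text: 16-bit block,
# four 4-bit S-boxes (Table 3.2), bit permutation (Table 3.3), 4 rounds.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(y) for y in range(16)]
# Bit i (1..16, counted from the MSB) is moved to position PERM[i-1].
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]
# Constructed, independent round keys (the text does not fix a key schedule).
ROUND_KEYS = [0x3A94, 0x7B1C, 0xC2E5, 0x5D08, 0x9F61]

def sbox_layer(state, box=SBOX):
    out = 0
    for shift in (12, 8, 4, 0):
        out |= box[(state >> shift) & 0xF] << shift
    return out

def permute(state):
    out = 0
    for i in range(16):
        bit = (state >> (15 - i)) & 1
        out |= bit << (16 - PERM[i])
    return out

# S-box layer followed by the permutation for every 16-bit state, computed
# once: a full round is then SP[state ^ round_key].
SP = [permute(sbox_layer(s)) for s in range(1 << 16)]

def encrypt(p, keys=ROUND_KEYS):
    """Rounds 1-3: key mix, S-boxes, permutation. Round 4: key mix and
    S-boxes only, followed by a final key mix with keys[4]."""
    s = p
    for r in range(3):
        s = SP[s ^ keys[r]]
    return sbox_layer(s ^ keys[3]) ^ keys[4]

def ddt(sbox):
    """Differential distribution table (Algorithm 1, indexed by input
    difference): table[dx][dy] counts x with sbox[x] ^ sbox[x ^ dx] == dy."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def characteristic_probability(keys=ROUND_KEYS, din=0x0B00, dout=0x0606):
    """Fraction of all plaintext pairs with difference din whose difference
    at the input of the round-4 S-boxes is dout, for the given key. The
    trail in the text predicts 1/2 * 3/8 * 9/64 = 27/1024 assuming
    independent rounds; the measured value also includes other trails."""
    hits = 0
    for p in range(1 << 16):
        s1, s2 = p, p ^ din
        for r in range(3):
            s1, s2 = SP[s1 ^ keys[r]], SP[s2 ^ keys[r]]
        hits += (s1 ^ s2 == dout)
    return hits / (1 << 16)

def target_bits(k5):
    """The 8 bits of the last key entering S-boxes 2 and 4, the boxes
    made active by the output difference 0x0606."""
    return (((k5 >> 8) & 0xF) << 4) | (k5 & 0xF)

def recover_target_bits(keys=ROUND_KEYS, num_pairs=6000, seed=1):
    """Last-round key recovery by counting: for every guess of the 8 target
    key bits, count the pairs whose partial decryption through S-boxes 2 and
    4 shows the difference 6 in both boxes. Returns (best guess, counts)."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(num_pairs):
        p = rng.getrandbits(16)
        c1, c2 = encrypt(p, keys), encrypt(p ^ 0x0B00, keys)
        # A right pair has no difference in S-boxes 1 and 3 of the last
        # round, so pairs with a difference there are discarded first.
        if (c1 ^ c2) & 0xF0F0:
            continue
        for guess in range(256):
            k2, k4 = guess >> 4, guess & 0xF
            d2 = SBOX_INV[((c1 >> 8) & 0xF) ^ k2] ^ SBOX_INV[((c2 >> 8) & 0xF) ^ k2]
            d4 = SBOX_INV[(c1 & 0xF) ^ k4] ^ SBOX_INV[(c2 & 0xF) ^ k4]
            if d2 == 6 and d4 == 6:
                counts[guess] += 1
    best = max(range(256), key=counts.__getitem__)
    return best, counts

if __name__ == "__main__":
    t = ddt(SBOX)
    print("DDT[B][2]=%d DDT[4][6]=%d DDT[2][5]=%d" % (t[0xB][2], t[4][6], t[2][5]))
    print("P(0x0B00 -> 0x0606 after 3 rounds) = %.4f" % characteristic_probability())
    best, counts = recover_target_bits()
    print("recovered 0x%02x (count %d), true 0x%02x"
          % (best, counts[best], target_bits(ROUND_KEYS[4])))
```

The DDT entries reproduce the three S-box differentials quoted above (8, 6 and 6 out of 16), and the measured probability of the three round differential lies close to the 2^−5.3 of the characteristic. The filter on S-boxes 1 and 3 is what keeps the counting cheap: only pairs that can be right pairs reach the 256 key guesses, which is the β term of the SNR formula above.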

3.4.1 Truncated differential

This was introduced by Knudsen [26]. Instead of having a differential characteristic for the complete state of the cipher, i.e. n bits, we look for a high probability output difference in m (m < n) bits of the ciphertext. These m bits can be any subsequence of the n bits. In ciphers where it is very difficult to find a differential characteristic, it may be easier to find a truncated differential. The process of finding truncated differential characteristics is the same as for differential characteristics. The number of pairs needed to find the key can be determined by the signal to noise ratio as above. The cryptanalysis of KLEIN presented in chapter 4 uses truncated differentials.

3.4.2 Impossible differential

This was introduced by Biham et al. [4]. It is the reverse of differential cryptanalysis: instead of finding a differential characteristic with high probability or probability 1, the attacker tries to find a differential characteristic with very low or zero probability. In the case of probability 0, the input difference Δ will never result in the output difference ∇, i.e. Δ ↛ ∇. We can extend this to finding a differential characteristic of low probability instead of zero probability, but it is very difficult to estimate the low probability of a differential characteristic, so it is always better to use an impossible differential when we have a characteristic with probability zero. There are different methods to find impossible differentials. One of them is shrinking [4], where the cipher is reduced to a smaller data space, e.g. from a 64 bit cipher to a 32 bit cipher. During shrinking we should be careful not to change the structure of the cipher; the new cipher should have the same properties as the original cipher. We then check the shrunk cipher over the entire range of input differences to see whether each produces every output difference at least once. The other method is finding a contradiction from the backward and forward directions. The idea is to obtain a differential characteristic from the forward direction as well as from the backward direction for the same state. If the two differential characteristics contradict each other, then the input difference cannot result in that particular output difference.

Δ → Δ′ ; ∇′ ← ∇

if Δ′ ≠ ∇′ ⇒ Δ ↛ ∇

The impossible differential are easier to find in ciphers where the diffusion ofbits is slower in one direction than the other.

3.4.3 Boomerang attack

It was proposed by Wagner [46]. It is an adaptive chosen plaintext attack. It is very useful for ciphers where there is a very high probability differential from the start as well as from the end to some intermediate round, but not for the complete cipher. We divide the cipher into two halves, i.e. E = E0 ∘ E1. There is a high probability differential Δ → Δ* for E0. Similarly, there is a high probability differential ∇ → ∇* for E1^{-1}. We have four plaintexts P, P′, Q, Q′, where P, P′ satisfy the differential characteristic for E0. Similarly, P, Q and P′, Q′ satisfy the differential characteristic for E1^{-1}. If these two conditions are satisfied, then Q, Q′ will satisfy the characteristic for E0^{-1}:

E0(Q) ⊕ E0(Q′) = E0(P) ⊕ E0(P′) ⊕ E0(P) ⊕ E0(Q) ⊕ E0(P′) ⊕ E0(Q′)
               = E0(P) ⊕ E0(P′) ⊕ E1^{-1}(C) ⊕ E1^{-1}(D) ⊕ E1^{-1}(C′) ⊕ E1^{-1}(D′)
               = Δ* ⊕ ∇* ⊕ ∇*
               = Δ*

We need all four elements of the quartet for the attack to succeed. If we have all four differentials, i.e. the difference values, then we can easily generate plaintext and ciphertext pairs. We generate two plaintexts P and P′ = P ⊕ Δ and obtain the two ciphertexts C = E_K(P) and C′ = E_K(P′). Similarly, we generate two ciphertexts D and D′ = D ⊕ ∇ and decrypt them to obtain Q and Q′. If the probability of Δ → Δ* is p and the probability of ∇* ← ∇ is q, the probability of success of the entire attack is p^2 × q^2. So for this attack to be efficient, we need high probability differential characteristics from both directions. The boomerang attack has been refined into the amplified boomerang attack [24] to make it efficient even in the case of slightly lower probability differential characteristics. These quartets of characteristics can be used to attack ciphers.


Figure 3.5: General representation of boomerang attack [46]

3.5 Linear Cryptanalysis

Linear cryptanalysis was introduced by Matsui [33]. It investigates the relation between the plaintext bits, ciphertext bits and key bits. The relationship is of the form below; the aim of linear cryptanalysis is to find any relation of this form that holds with probability greater than 1/2.

P_{i1} ⊕ ··· ⊕ P_{im} ⊕ C_{j1} ⊕ ··· ⊕ C_{jn} ⊕ K_{l1} ⊕ ··· ⊕ K_{lr} = 0

The amount of variation from 1/2 is called the linear probability bias. The linear probability bias is calculated by subtracting 1/2 from the probability of the relation between plaintext, ciphertext and key bits. Linear cryptanalysis is a kind of statistical attack. We will continue with the same toy example to demonstrate how to find linear approximations with higher probability. The key recovery process from a high probability trail is the same as for differential characteristics.


Finding linear characteristics: The idea is to find a relationship between the input bits, output bits and key bits. We can find the relation between the input and output bits through the linear components with probability 1. It is the non-linear component, the S-box, that needs to be analyzed for high probability relations between input and output bits. For analyzing the non-linear component, we have to construct the linear approximation table of the S-box. The linear approximation of the non-linear component is calculated by counting, for each input mask and output mask, the number of inputs for which the parity of the masked input equals the parity of the masked output.

Algorithm 2 Algorithm for S-box linear approximation

Input: n bit S-box
Output: linear approximation table dist of the S-box
for j = 0 → 2^n − 1 do                (input mask)
  for k = 0 → 2^n − 1 do              (output mask)
    dist[j][k] ← −2^(n−1)
    for i = 0 → 2^n − 1 do
      valuex ← parity(j · i)
      valuey ← parity(k · Sbox[i])
      if valuex = valuey then
        dist[j][k]++
      end if
    end for
  end for
end for

One of the important concepts in linear cryptanalysis is the Piling-up lemma. It is helpful for calculating the probability of a resultant linear approximation obtained by combining two or more approximations.

Piling-up Lemma: Matsui [33] states it as follows. Let Xi (1 ≤ i ≤ n) be independent random variables taking the value 0 with probability pi and 1 with probability 1 − pi. Then the probability that X1 ⊕ X2 ⊕ ··· ⊕ Xn = 0 is 1/2 + 2^(n−1) ∏_{i=1}^{n} (pi − 1/2).

This lemma can be used to derive the probability of a linear equation which is the combination of two or more equations. For example, if we have Pr[X1 ⊕ X2 = 0] = 1/2 + ε12 and Pr[X2 ⊕ X3 = 0] = 1/2 + ε23, then Pr[X1 ⊕ X3 = 0] = 1/2 + 2ε12ε23.

Coming back to finding the approximation, from the S-box table we have to find relations between the input and output bits of the S-box with considerably high or low probability. After finding such linear approximations, we have to iteratively construct the approximation for the cipher by finding high probability relations between the input and output of each round. Let X be the input to the S-box and Y the corresponding output, and let Xi and Yi be the ith bit of the input and output respectively. For the given S-box the following relations hold:

Y2 = X1 ⊕ X3 ⊕ X4 with probability 3/4

Y2 ⊕ Y4 = X2 with probability 1/4

The biases for these two relations are 3/4 − 1/2 = 1/4 and 1/4 − 1/2 = −1/4 respectively. Using these two relations, we can construct a characteristic for the entire cipher for four rounds. For our example cipher, if we denote the jth input bit of the ith round as U_{i,j} and similarly the jth output bit of the ith round as V_{i,j}, then we can write for the first round:

V_{1,6} = U_{1,5} ⊕ U_{1,7} ⊕ U_{1,8} = P5 ⊕ K_{1,5} ⊕ P7 ⊕ K_{1,7} ⊕ P8 ⊕ K_{1,8}   with probability 3/4

For the second round

V_{2,6} ⊕ V_{2,8} = U_{2,6} = V_{1,6} ⊕ K_{2,6}   with probability 1/4

Similarly, for the third round we have

V_{3,6} ⊕ V_{3,8} = U_{3,6} = V_{2,6} ⊕ K_{3,6}   with probability 1/4

V_{3,14} ⊕ V_{3,16} = U_{3,14} = V_{2,8} ⊕ K_{3,14}   with probability 1/4

Combining the above four equations we get

V_{3,6} ⊕ V_{3,8} ⊕ V_{3,14} ⊕ V_{3,16} ⊕ P5 ⊕ P7 ⊕ P8 ⊕ K_{1,5} ⊕ K_{1,7} ⊕ K_{1,8} ⊕ K_{2,6} ⊕ K_{3,6} ⊕ K_{3,14} = 0

with a probability of 15/32. The probability can be calculated with the help of the Piling-up lemma stated above.

We have presented the above relation just to drive home a point that wehave to find a relation between the input bits and the output bits of penul-timate round. This relationship should hold with certain probability. Oncewe have a relation which holds for considerably high or low probability, thenwe can recover the key.
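As an added example, not from the thesis, the following Python block computes the linear approximation table of Algorithm 2 for the S-box of table 3.2, reads off the two approximations used above (biases 1/4 and −1/4), and applies the Piling-up lemma to the four approximations of the three round trail to obtain the 15/32 stated above. The bit numbering follows the text (X1 is the most significant bit of the 4 bit S-box input); the function names are the example's own.

```python
from fractions import Fraction

# Added example (not from the thesis). S-box of the toy cipher (Table 3.2).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def parity(x):
    return bin(x).count("1") & 1

def lat(sbox):
    """Linear approximation table (Algorithm 2): entry [a][b] is the number
    of inputs x with parity(a & x) == parity(b & sbox[x]) minus 2^(n-1),
    i.e. the bias of the approximation 'a.x = b.S(x)' scaled by 2^n."""
    n = len(sbox)
    table = [[-(n // 2)] * n for _ in range(n)]
    for a in range(n):                 # input mask
        for b in range(n):             # output mask
            for x in range(n):
                if parity(a & x) == parity(b & sbox[x]):
                    table[a][b] += 1
    return table

def mask(*bits):
    """Mask for bit numbers 1..4 counted from the most significant bit,
    the numbering used in the text (X1 is the MSB, X4 the LSB)."""
    m = 0
    for b in bits:
        m |= 1 << (4 - b)
    return m

def bias(sbox, in_mask, out_mask):
    """Exact bias (probability - 1/2) of one S-box approximation."""
    return Fraction(lat(sbox)[in_mask][out_mask], len(sbox))

def piling_up(biases):
    """Piling-up lemma: the bias of the xor of n independent approximations
    is 2^(n-1) times the product of their biases."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= Fraction(e)
    return result

def trail_probability():
    """Probability that the combined relation of the text holds, built from
    one use of 'X1+X3+X4 = Y2' (round 1) and three uses of 'X2 = Y2+Y4'
    (rounds 2 and 3)."""
    e1 = bias(SBOX, mask(1, 3, 4), mask(2))    # +1/4
    e2 = bias(SBOX, mask(2), mask(2, 4))       # -1/4
    return Fraction(1, 2) + piling_up([e1, e2, e2, e2])

if __name__ == "__main__":
    t = lat(SBOX)
    print("LAT[X1+X3+X4][Y2] =", t[mask(1, 3, 4)][mask(2)])   # 4  -> bias +1/4
    print("LAT[X2][Y2+Y4]    =", t[mask(2)][mask(2, 4)])      # -4 -> bias -1/4
    print("trail probability =", trail_probability())          # 15/32
```

The sign of the combined bias (−1/32 here) does not matter for key recovery, only its magnitude: it is the |ε| in the 1/ε^2 data estimate of the complexity paragraph below, and a real cipher's S-box is chosen so that the largest LAT entry, and hence every trail's bias, stays small.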


Figure 3.6: Path for linear approximation [23]

Extracting the key bits: Finding the key bits is similar to differential cryptanalysis. We have to decrypt the last round under every possible last round key. The key for which the linear expression (of the above form, composed of ciphertext bits and plaintext bits) holds is a candidate key, and the counter corresponding to that key is incremented. The candidate key whose count differs most from half the number of plaintexts is the actual key; in other words, the candidate key having the maximum bias is the actual key. The correct key value will show the maximum variation from 1/2.

Complexity of attack: If the bias of the linear approximation is ε then Matsui [33] showed that the number of plaintexts required for the attack is approximately 1/ε^2. The computational complexity is the number of keys that have to be counted.

3.6 Algebraic attack

As we know, encryption and decryption are bijective functions for a particular value of the key K, so we can express the encryption and decryption functions as a system of equations. One of the solutions of this system of equations for a given plaintext and ciphertext pair will be the secret key. Specifically, we have to express a round function in terms of a system of equations. The round function consists of a non-linear layer and a linear layer. The equation for the linear layer is a monomial; for the non-linear layers (S-boxes) we have non-linear equations. Once we combine these equations for the round functions of the complete cipher, we get multivariate non-linear boolean equations for the complete cipher. There are tools, e.g. SAGE [42], that can help to convert the entire cipher into a system of equations.

Solving most of these multivariate systems of equations is an NP-hard problem. In some cases, if we have prior knowledge about the dependence between the different variables and the structure of the equations, we may be able to solve these systems of equations. There are many techniques for solving these equations. One of them is the linearization and re-linearization technique using the algorithms XSL and XL [16]. In this technique, each non-linear equation is transformed into a linear equation by replacing the non-linear terms with new variables. Then we try to solve this new set of equations using Gaussian elimination. But we need a sufficient number of linearly independent terms or equations for this technique to work. Another method used to solve these systems of equations is Gröbner bases algorithms [13]. But the problem with algebraic techniques is that they require a lot of memory and are usually of high complexity; sometimes it is difficult even to estimate the complexity. Algebraic techniques have not been able to attack block ciphers with much success, but they have been effective against stream ciphers. Recently, an attack on full round GOST [17] has been achieved using algebraic techniques; these improvements have made the future of algebraic techniques interesting.

3.7 Side channel techniques

In the above sections, we presented the classical cryptanalytic techniques. They dealt with finding weaknesses of the cryptographic primitives by exploiting their properties with respect to the input and output. In other words, the above attacks analyzed the building blocks of the round function as a mathematical function. In side channel attacks, we exploit the environment in which the cryptographic algorithms are implemented. This means that the attacker either has access to the device or is able to record important characteristics related to instruction execution, e.g. the time and power consumed for the execution of the cryptographic algorithm. If the device is in the possession of the attacker then he can also modify the components of the device to find the key. Side channel attacks are significant for lightweight ciphers as these are written directly into small devices which can easily be lost or stolen. Apart from that, some of these devices (e.g. smart cards) need their power supply and clock from an external source. This enables the attacker to measure clock ticks and power consumption precisely, which can be used to mount an attack on the cryptographic primitive. Broadly, side channel attacks can be classified into three types:

Timing attack: It was first studied by Kocher [28]. It involves measuring the time taken for the execution of a block of instructions. Kocher [28] effectively used this attack against the public key algorithms RSA and Diffie-Hellman. In most cases, the execution path of the instructions depends on key or data bits. For example, the algorithm below (square and multiply) for the calculation of a modular exponentiation takes more time, because of the conditional block, when the key bit is set. Kocher [28] needed only 5000 measurements to break 512 bit RSA. Similar attacks can be performed on implementations using the Chinese remainder theorem. The countermeasure against timing attacks is that every instruction sequence should take constant time to execute, independent of the key.

Algorithm 3 Square and multiply algorithm

Input: m, K = {k_{m−1}, k_{m−2}, ..., k_0}, n
Output: m^K mod n
x ← m
for i = m − 2 → 0 do
  x ← x^2 mod n
  if k_i = 1 then
    x ← x · m mod n
  end if
end for
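The following added example, not code from the thesis, shows in Python what the timing attack measures and what the countermeasure changes: Algorithm 3 as written, instrumented to count its modular multiplications, next to a variant that multiplies on every bit and selects the result arithmetically. The operation count of the first depends on the key bits; the count of the second depends only on the key length. Function names are the example's own, and the constant-time variant only removes the key-dependent branch (a production implementation must also avoid secret-dependent memory access and variable-time big-integer arithmetic).

```python
# Added example (not from the thesis): Algorithm 3 with an operation count,
# and a branch-free variant whose count does not depend on the key bits.

def square_and_multiply(m, k, n):
    """Algorithm 3 as written in the text: left-to-right binary exponentiation
    that multiplies only when the current key bit is 1. Returns
    (m^k mod n, squarings, multiplications). The multiplication count is the
    number of 1 bits of k below its leading bit, so total running time leaks
    the Hamming weight of k and per-iteration timing leaks each bit."""
    if k == 0:
        return 1 % n, 0, 0
    bits = bin(k)[2:]            # most significant bit first; it is 1
    x = m % n
    squarings = multiplications = 0
    for bit in bits[1:]:
        x = (x * x) % n
        squarings += 1
        if bit == "1":           # key-dependent branch: the timing leak
            x = (x * m) % n
            multiplications += 1
    return x, squarings, multiplications

def square_and_always_multiply(m, k, n):
    """Countermeasure in the spirit of the text's constant-time remark: the
    multiplication is performed for every bit and the result is kept or
    discarded arithmetically, so the sequence of operations is the same for
    every key of the same length."""
    if k == 0:
        return 1 % n, 0, 0
    bits = bin(k)[2:]
    x = m % n
    squarings = multiplications = 0
    for bit in bits[1:]:
        x = (x * x) % n
        squarings += 1
        y = (x * m) % n          # always computed
        multiplications += 1
        b = int(bit)
        x = x + (y - x) * b      # select y when b == 1, x otherwise, no branch
    return x, squarings, multiplications

if __name__ == "__main__":
    n = 101
    for k in (0b1000, 0b1011, 0b1111):
        leaky = square_and_multiply(7, k, n)
        fixed = square_and_always_multiply(7, k, n)
        print("k=%s leaky ops=%s constant ops=%s result ok=%s"
              % (bin(k), leaky[1:], fixed[1:], leaky[0] == fixed[0] == pow(7, k, n)))
```

Run as a script, the leaky variant reports 0, 2 and 3 multiplications for the three 4 bit exponents while the branch-free variant reports 3 for all of them; the results agree with Python's pow in every case, which is the point of the countermeasure: same answer, no key-shaped timing profile.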

Power attack: It was first studied by Kocher et al. [29]. As the name signifies, a power attack involves recording the power consumed during the encryption. The amount of power consumed depends on the execution of the instructions, i.e. the type of instruction and the path of execution. There are two types of power analysis attack. The first is simple power analysis, in which the attacker simply measures the power consumed to determine the key; the power measurement is recorded only for the instructions where the key is used. The simple power attack can be extended to the differential power attack, in which we collect many samples of power traces for a particular set of encryption operations (where the key is used) and then apply statistical methods, e.g. correlation analysis and distance of means, to filter out the noise.

Fault analysis attack: This was first studied by Boneh et al. [12]. It involves exploiting the faulty behavior of devices. The faults can be of three types. The first is transient, i.e. a fault which occurs with very low probability. The second class of fault is an error in certain functionality (e.g. a boundary use case) of the device which is permanent, but the functionality is a rare use case. The third classification is where the attacker has access to the device and can induce a fault in it. In a fault analysis attack, the error in functionality is exploited to find the key. For example, Boneh et al. [12] applied a fault attack to find the private key of the asymmetric encryption algorithm RSA when implemented using the Chinese remainder algorithm. They determined the key using one faulty output and one correct output. Shamir et al. [7] extended this attack to differential fault analysis to attack the symmetric cipher DES.

Side channel attacks are very powerful and practical to achieve. We only presented a succinct overview of side channel attacks to give an idea of the various environment parameters that can be measured for an attack. At the same time, many effective protection measures have been proposed against these attacks. But as side channel attacks depend upon the environment of implementation and usage, there is no definite guarantee against these attacks.

3.8 Cryptanalysis in real world

In the previous section, we have detailed some of the cryptanalytic techniques that have been developed to attack a cipher. These techniques have been applied to real world ciphers and in most cases they have been able to substantially reduce the security of the cipher as compared to exhaustive search. But still, there have been very few practical attacks (of complexity less than 2^64) using the above algorithmic cryptanalysis. Very often the attack model in algorithmic cryptanalysis is impractical. In the real world, most attacks on cryptographic primitives have been the result of a wrong choice of parameters or usage, e.g. RC4 used in stream cipher mode, weak block ciphers used as hash functions (the tiny encryption algorithm was used at boot time of the Xbox). We should be very careful while using cryptographic primitives. We should avoid using non-standard cryptographic primitives. We should not try to use non-standard modes of operation for block ciphers.

If properly implemented, cryptography has emerged as a strong link of the system. Very rarely does an attacker target a cryptographic primitive to break a system. Generally they target other weak links of the system, e.g. hard coded passwords, unencrypted data etc. So, there is still a lot to be studied in the area of algorithmic cryptanalysis, mainly in the area of developing general techniques (e.g. the neutral bit technique [5]) to reduce the complexity of attacks.


Chapter 4

Cryptanalysis of KLEIN

KLEIN was proposed by Nikova et al. at RFIDSec 2011 [20]. KLEIN is an SPN based block cipher. KLEIN takes a 64 bit plaintext as input and gives 64 bits of ciphertext as output. It has three variants, namely KLEIN-64, KLEIN-80 and KLEIN-96, having key sizes of 64 bits, 80 bits and 96 bits respectively. There are 12, 16 and 20 rounds for KLEIN-64, KLEIN-80 and KLEIN-96 respectively. All the variants of KLEIN maintain an internal state of 64 bits. Below we briefly describe the KLEIN cipher.

4.1 Description of KLEIN

In this section, we describe the encryption function and key schedule of KLEIN.

4.1.1 Encryption of KLEIN

The round function of KLEIN is shown below in figure-4.1. It consists of four steps, and after the last round the round key is xored to achieve the whitening effect. The steps of the round function are described below.

• addRoundKey: XOR the 64 bit state (8 bytes) with the ith round key.

• SubNibbles: Divide the state into four-bit pieces (16 nibbles) and pass each through the 4 × 4 bit S-box.

• RotateNibbles: Rotate the state to the left by 16 bits.

• MixNibbles: Divide the state into two 32 bit words and multiply each with the given MDS matrix. The MDS matrix used is the same as in AES, with the same polynomial X^4 + 1.

• addLastRoundKey: After the last round, XOR the state with the last subkey.

Figure 4.1: Representation of KLEIN round function

S-box of the KLEIN is given below (Table-4.1).

Algorithm 4 Encryption function of KLEIN

Input: plaintext, key
Output: ciphertext
  state ← plaintext
  roundkey ← key
  for i = 1 → NR do
    for j = 0 → 7 do
      state[j] ← state[j] ⊕ roundkey[j]                                {addRoundKey}
    end for
    for j = 0 → 7 do
      state[j] ← (SBOX[state[j] >> 4] << 4) | SBOX[state[j] & 0xf]    {SubNibbles}
    end for
    RotateNibbles(state)
    for j = 0 → 3 do
      tempstate[j] ← state[j]
    end for
    MixNibbles(tempstate)                                               {left 32 bit word}
    for j = 0 → 3 do
      state[j] ← tempstate[j]
    end for
    for j = 4 → 7 do
      tempstate[j − 4] ← state[j]
    end for
    MixNibbles(tempstate)                                               {right 32 bit word}
    for j = 4 → 7 do
      state[j] ← tempstate[j − 4]
    end for
    keySchedule(roundkey, i)
  end for
  for j = 0 → 7 do
    state[j] ← state[j] ⊕ roundkey[j]                                  {addLastRoundKey}
  end for
  ciphertext ← state

x    : 0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) : 7 4 a 9 1 f b 0 c 3 2 6 8 e d 5

Table 4.1: S-box of KLEIN

4.1.2 Key Schedule of KLEIN

The key schedule for KLEIN-64 is shown below in figure-4.2. The key schedule follows a Feistel structure. It consists of the following steps:

• Divide the key into two equal halves.

• The right half is assigned to the left half. The right half is xored with the left half and the result is assigned to the right half.

• The two middle bytes of the right half are passed through the S-box.

• The penultimate byte of the left half is xored with the round counter.

For KLEIN-80 and KLEIN-96, the first 64 bits of the key serve as the round key for each round. We have found that the above algorithm for round keys has deterministic properties, which we list later.

Algorithm 5 Key Schedule of KLEIN-64

Input: RoundKey_i, i
Output: RoundKey_{i+1}
  for j = 0 → 7 do
    tempkey[j] ← RoundKey[j]
  end for
  for j = 0 → 3 do
    RoundKey[j] ← tempkey[j + 4]                         {right half becomes the left half}
  end for
  for j = 4 → 7 do
    RoundKey[j] ← tempkey[j − 4] ⊕ tempkey[j]            {left half ⊕ right half becomes the right half}
  end for
  RoundKey[5] ← (SBOX[RoundKey[5] >> 4] << 4) | SBOX[RoundKey[5] & 0xf]
  RoundKey[6] ← (SBOX[RoundKey[6] >> 4] << 4) | SBOX[RoundKey[6] & 0xf]
  RoundKey[2] ← RoundKey[2] ⊕ i
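Sections 4.1.1 and 4.1.2 together describe the whole of KLEIN-64; the following is an added Python implementation of that description (not the thesis's code and not the designers' reference code), written so the round structure and the key schedule can be run and inspected. The key schedule here includes the one-byte left rotation of each half that the KLEIN specification applies before the Feistel swap; the summary above leaves it out, and the 70077700 fixed point of Property 3 in section 4.4 only holds with it. No test vectors appear on this page, so the code is checked against the structural properties the thesis states rather than against official vectors.

```python
# Added example, not the thesis's or the KLEIN designers' code. State and
# keys are lists of 8 bytes, byte 0 first. The key schedule includes the
# one-byte rotation of each half (see the lead-in); everything else follows
# Algorithms 4 and 5 above.

SBOX = [0x7, 0x4, 0xA, 0x9, 0x1, 0xF, 0xB, 0x0,
        0xC, 0x3, 0x2, 0x6, 0x8, 0xE, 0xD, 0x5]  # Table 4.1, an involution
NR = 12                                           # rounds of KLEIN-64
MIX = [2, 3, 1, 1]                                # AES MixColumns, first row
INV_MIX = [14, 11, 13, 9]                         # its inverse, first row

def _sbox_byte(b):
    """Apply the 4-bit S-box to both nibbles of a byte."""
    return (SBOX[b >> 4] << 4) | SBOX[b & 0xF]

def sub_nibbles(state):
    return [_sbox_byte(b) for b in state]

def rotate_nibbles(state):
    """Rotate the 64-bit state left by 16 bits, i.e. by two bytes."""
    return state[2:] + state[:2]

def _gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r

def _mix_column(col, first_row):
    """Multiply a 4-byte word by the circulant matrix with the given first row
    (each next row is a right rotation, as in AES MixColumns mod x^4 + 1)."""
    return [_gf_mul(first_row[0], col[i])
            ^ _gf_mul(first_row[1], col[(i + 1) % 4])
            ^ _gf_mul(first_row[2], col[(i + 2) % 4])
            ^ _gf_mul(first_row[3], col[(i + 3) % 4])
            for i in range(4)]

def mix_nibbles(state, first_row=MIX):
    """MixNibbles: apply the MDS matrix to each 32-bit half of the state."""
    return _mix_column(state[:4], first_row) + _mix_column(state[4:], first_row)

def key_schedule_step(key, i):
    """Algorithm 5 plus the byte rotation: round key i+1 from round key i."""
    left, right = key[:4], key[4:]
    left = left[1:] + left[:1]                       # rotate each half left by one byte
    right = right[1:] + right[:1]
    new_key = right + [l ^ r for l, r in zip(left, right)]  # Feistel swap with feedback
    new_key[5] = _sbox_byte(new_key[5])              # two middle bytes of the right half
    new_key[6] = _sbox_byte(new_key[6])
    new_key[2] ^= i                                  # round counter into byte 2 of the left half
    return new_key

def round_keys(master):
    """Keys k_1 .. k_13: k_i is xored at the start of round i, k_13 whitens the output."""
    keys = [list(master)]
    for i in range(1, NR + 1):
        keys.append(key_schedule_step(keys[-1], i))
    return keys

def encrypt(plaintext, master):
    """Algorithm 4: addRoundKey, SubNibbles, RotateNibbles, MixNibbles per round."""
    keys = round_keys(master)
    state = list(plaintext)
    for i in range(NR):
        state = [s ^ k for s, k in zip(state, keys[i])]
        state = mix_nibbles(rotate_nibbles(sub_nibbles(state)))
    return [s ^ k for s, k in zip(state, keys[NR])]  # addLastRoundKey

def decrypt(ciphertext, master):
    """Inverse of encrypt: each step undone in reverse order, same round keys."""
    keys = round_keys(master)
    state = [c ^ k for c, k in zip(ciphertext, keys[NR])]
    for i in reversed(range(NR)):
        state = mix_nibbles(state, INV_MIX)
        state = state[-2:] + state[:-2]              # inverse RotateNibbles
        state = sub_nibbles(state)                   # the S-box is its own inverse
        state = [s ^ k for s, k in zip(state, keys[i])]
    return state

def high_nibbles(key):
    """The 'higher nibble' view of a key used by Properties 1, 3 and 4 of section 4.4."""
    return [b >> 4 for b in key]
```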

Decryption of KLEIN is the reverse of the encryption function. During decryption, the RotateNibbles and MixNibbles steps are inverted. The round keys should be the same as in encryption. Since decryption is not the same as encryption, the decryption function has to be implemented separately in the device. The decryption function along with the key schedule algorithm requires extra space. The performance and area required for the different variants of KLEIN are listed below in table-4.2.

Variants   Block size   Key size   Gate count   Throughput @100 KHz   Tech. (µm)
KLEIN-64   64           64         1981         20                    0.18
KLEIN-80   64           80         2097         27.2                  0.18
KLEIN-96   64           96         2213         32                    0.18

Table 4.2: KLEIN performance details

Figure 4.2: Key Schedule for KLEIN-64


4.2 Shrinking of Cipher

We used the technique of shrinking the cipher from 64 bits to 32 bits to analyze it for attacks such as impossible differentials. We could not achieve any attack on the complete cipher, but it is worth explaining the technique; it can be used in future to attack complete KLEIN or any other cipher. We can reduce the cipher from 64 bits to 32 bits by reducing the internal state from 64 bits (8 bytes) to 32 bits (4 bytes). The higher 4 bytes of the original KLEIN-64 map to the higher nibbles of the 4 byte state. Similarly, the 4 lower bytes of the original KLEIN-64 map to the lower nibbles of the 4 bytes of the 32 bit state. This is more clearly visualized in the picture below (figure-4.3). It is important to note that we are not mapping the values; only the positions of the higher and lower bytes of the 64 bit state get mapped to the higher and lower nibbles of the 32 bit state. Shrinking has been explained by Biham et al. [4] in their work on the cryptanalysis of Skipjack. One important thing that needs to be taken care of while shrinking is that the new reduced cipher should exhibit similar properties as the original cipher, i.e. the structural properties of the cipher must remain the same [4].

Figure 4.3: Mapping of state bytes to nibbles

4.3 Cyclic structure of MRS(x)

The round function of KLEIN consists of the SubNibbles, RotateNibbles and MixNibbles functions. It is of interest to study the function composed of these functions. MRS(x) is the composition of SubNibbles, RotateNibbles and MixNibbles. Studying this function is of particular interest when we want to see whether the composition of these functions without the key xor has some weakness. The idea is to study the randomness of the building blocks of the cipher without the key xor. We analyzed the cyclic properties of the building blocks of KLEIN. A function is said to be cyclic if for any given input x

f^n(x) = x, where n is the cycle length.

It can easily be noted that the SubNibbles step has a cycle length of 2 because the S-box is an involution, i.e. S(S(x)) = x. RotateNibbles (R) has a cycle length of 4 for any x. SubNibbles followed by RotateNibbles (RS(x)) has a cycle length of 4 for any x. Similarly, MixNibbles (M(x)) has a cycle length of 4. RotateNibbles followed by MixNibbles (MR(x)) has a cycle length of 4. SubNibbles followed by MixNibbles (MS(x)) has cycle lengths of 65189476, 41977441, 22615598203396, 340666902922896, 822757843600, 20903184, 877462173072144, 664997844676, 319428432400 and 12240621795600. So, taking the least common multiple of the above cycle lengths of the individual functions, we can say that the maximum cyclic order of SRM for a random x is:

13291741227276008008540736400

which is a 29 digit number (of the order of 10^28), much higher than 2^64. But there are some specific inputs for which the cycle length is shorter. For example, inputs like xS(x)xS(x)· · ·xS(x)xS(x), where x ∈ {0 · · · 255}, give a cycle length of 126. Similarly, input of the form (xxxxxxxx), where x ∈ {0 · · · 255}, gives a cycle length of 2 for MRS. But since xoring with the key in each step destroys this special structure of MRS(x), these results do not pose any threat to the cipher. Similar results have been analyzed for AES [44].

4.4 Properties of key schedule

It has been observed that the key schedule of KLEIN is weak and has deterministic properties. The findings regarding the key schedule are mentioned below.

Property 1: There is no interaction between the higher and lower nibbles in the round keys. Simply stated, we can find the higher nibbles of all round keys from the higher nibbles of the master key. The same holds for the lower nibbles of the keys.

Property 2: For KLEIN-64, the round counter does not affect the higher nibbles of the round keys. For KLEIN-80, it only affects the last round key, and in the case of KLEIN-96 it affects the last four round keys.

Property 3: For KLEIN-64, 70077700 is a fixed point for the higher nibbles of the key schedule.


Property 4: For KLEIN-64, the higher nibbles of the last round key (the key which is xored after the last round) are the same as the higher nibbles of the master key.

Property 5: Any given master key repeats itself after going through two complete cycles of the key schedule. This can be further clarified by an example. Suppose we have a master key K and after passing it through the key schedule of KLEIN-64 we have k12 as the last round key. If we input the key k12 to the key schedule in the forward direction, then we will again get the master key K after the last round.

Property 6: Another important property: if we have two master keys having a difference in any of the first, second, fourth and sixth bytes, then the same difference propagates to the last round key. If

K1 ⊕ K1' = 0δδ0δ0δ0, then

K12 ⊕ K12' = 0δδ0δ0δ0, where δ ∈ {0 · · · 255}

Property 7: There is a fixed relationship between some bytes of master keyand the last round key. These are as follows:

K1[1]⊕K12[1] = 0x4

K1[2]⊕K12[2] = 0x8

K1[6]⊕K12[6] = 0xC

K1[7]⊕K12[7] = 0x4

where the values in brackets are byte positions and the subscripts are round indices. Properties 4, 5, 6 and 7 have not been previously discussed and are the contribution of this thesis.

4.5 Properties of MixNibbles and SubNibbles

Properties of the MixNibbles and SubNibbles steps are mentioned below. Some of these properties have been used in finding differential characteristics for the cipher, which we explain in the next section.

Property 1: The S-box in KLEIN is an involution, i.e. S(S(x)) = x, as is seen in the S-box and as stated in [20].

Property 2: If we apply an input difference of 0δ0δ0δ0δ to the MixNibbles step, where all the δ ∈ {0 · · · 15}, the output difference will be of the form 0δ0δ0δ0δ with probability 2^-3.

Property 3: If we apply a difference of 0δ0δ0δ0δ0δ0δ0δ0δ to the MixNibbles step, where all the δ ∈ {1 · · · 7}, the output difference will be of the form 0α0α0α0α0α0α0α0α, where α ∈ {0 · · · 15}. Similarly, when all the δ ∈ {8 · · · 15}, the output difference will also be of the form 0α0α0α0α0α0α0α0α.

Property 4: If we apply a difference of 0δ0δ0δ0δ0δ0δ0δ0δ to the MixNibbles step, where δ ∈ {0 · · · 15}, the output difference will fall in a set of 64 states. These states are built from the set of 4 byte states {0δ0δ0δ0δ, 0δ0δ1δ1δ, 0δ1δ0δ1δ, 1δ0δ0δ1δ, 0δ1δ1δ0δ, 1δ0δ1δ0δ, 1δ1δ0δ0δ, 1δ1δ1δ1δ}.

Property 5: If we apply the input difference 0000000δ where δ ∈ {1 · · · 7}, then the output difference will be of the form 0α0α0α0α where α ∈ {0 · · · 15}. This is because the branch number of the MDS matrix is 5 (see section 2.3.2).

Property 6: If the input difference to the S-box is 0xb or 0xe, then the output difference will fall in {1 · · · 7} with probability (12/16) = 2^-0.42, as can easily be found from the differential distribution table of the S-box [20].

Property 4 for the MDS matrix has not been previously discussed and is the contribution of this thesis.
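Property 6 is read off the difference distribution table of the S-box; the following added example (not from the thesis) builds that table for the S-box of Table 4.1 and evaluates the transition probability the property states, which is the same computation a designer runs when choosing an S-box.

```python
# Added example, not from the thesis. ddt[a][b] counts the inputs x with
# S(x) ^ S(x ^ a) == b, so ddt[a][b] / 16 is the probability that input
# difference a becomes output difference b for this 4-bit S-box.

SBOX = [0x7, 0x4, 0xA, 0x9, 0x1, 0xF, 0xB, 0x0,
        0xC, 0x3, 0x2, 0x6, 0x8, 0xE, 0xD, 0x5]   # Table 4.1


def ddt(sbox):
    """Full difference distribution table of an n-entry S-box."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def transition_probability(sbox, a, outputs):
    """Probability that input difference a gives an output difference in `outputs`.

    Property 6: a = 0xb or 0xe with outputs = {1..7} gives 12/16."""
    row = ddt(sbox)[a]
    return sum(row[b] for b in outputs) / len(sbox)


def differential_uniformity(sbox):
    """Largest DDT entry over non-zero input differences. Entries are always
    even (x and x ^ a form a pair), and the lower this value, the lower the
    probability of any single-S-box differential."""
    table = ddt(sbox)
    return max(max(row) for row in table[1:])
```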

4.6 Differential characteristics

In this section, we explain the differential characteristics of the KLEIN cipher found by Aumasson et al. [3]. We explain how Aumasson et al. [3] used these differential characteristics in the construction of a distinguisher for KLEIN up to eight rounds. We also explain their attack on eight rounds of KLEIN to recover the key using this distinguisher.

4.6.1 Probability analysis

The designers of KLEIN claimed that any four round differential will have probability 2^-30 [20]. But Aumasson et al. [3] proved that a 32 bit truncated differential has probability 2^-16.45. Below we explain how they used the above properties to achieve this. We go round by round up to round 4 to clearly explain the truncated differential found by Aumasson et al. [3].

Round 1: If we have a pair of plaintexts having a difference of the form (00000b0000000000), then we have the output difference after SubNibbles (00000α0000000000) where α ∈ {1 · · · 7}, with probability 2^-0.42. This difference, after passing through the RotateNibbles and MixNibbles steps, results in the form (0δ0δ0δ0δ00000000).

Round 2: From the difference of the form (0δ0δ0δ0δ00000000), we reach the output difference (0δ0δ000000000δ0δ) after RotateNibbles. If the δ ∈ {1 · · · 7} then MixNibbles will transform the input difference (0δ0δ0000) to (0α0α0α0α). The input difference δ will lie in {1 · · · 7} with probability (7/15). So, (0δ0δ000000000δ0δ) → (0α0α0α0α0α0α0α0α) will occur with probability (7/15)^4, i.e. 2^-4.40.

Round 3: From the output of each MixNibbles of round 2 there will be on average 3.75 active nibbles out of 4 nibbles. The probability of all nibbles being active is 15/16. The other condition we have is that all the output differences (active nibbles) after SubNibbles must fall in the set {8 · · · 15}, which will happen with probability (8/15)^4. Combining all the probabilities, we have

(7/15)^3.75 + (15/16)(8/15)^4 ≈ 2^-2.91, for one half

((7/15)^3.75 + (15/16)(8/15)^4)^2 ≈ 2^-5.82, for both halves

From the input difference 0δ0δ0δ0δ0δ0δ0δ0δ we can get a difference of 0α0δ0α0α0α0α0δ0α0α0α with probability 2^-5.82. The same differential pattern continues with the same probability for the rest of the rounds.

Round 4: The probability of continuing from round 3 to round 4 with the same pattern of all non-active higher nibbles will be the same, 2^-5.82. So, for four rounds, the differential (0x00000b0000000000) → (0x0δ0δ0δ0δ0δ0δ0δ0δ) will result with probability 2^-0.42 × 2^-4.4 × 2^-5.82 × 2^-5.82 = 2^-16.45. Continuing with this probability, we get a distinguisher for 5 rounds with probability 2^-16.45 × 2^-5.82 = 2^-22.27, 6 rounds with probability 2^-22.27 × 2^-5.82 = 2^-28.08 and 7 rounds with probability 2^-28.08 × 2^-5.82 = 2^-33.90. Using this distinguisher, we can attack up to 8 rounds of KLEIN. The differential pattern and corresponding probability is shown in figure-4.4 below.


Figure 4.4: Truncated differential characteristics for KLEIN

4.6.2 Neutral bits technique

It was first discovered by Biham and Chen [5]. It is a very useful concept that helps in generating further satisfying pairs from a pair that already satisfies a differential characteristic. If we have one good pair satisfying a differential characteristic, then using this technique we can increase the probability of finding other pairs satisfying the same differential characteristic. This technique utilizes the fact that if n bits of the input pair do not play any role in determining the characteristic up to round r of the cipher, then we can generate 2^n more such pairs by varying the non-impacting n bits, i.e. the neutral bits. These 2^n pairs will satisfy the characteristic up to r rounds for free, i.e. with probability 1. Hence the chances of getting more satisfying pairs for the same differential characteristic will increase. In the above case for KLEIN, we can see that the first two bytes and the last two bytes of the state did not impact the differential characteristic for two rounds. So, if we find a good pair that satisfies the above differential pattern for 7 rounds, then we can generate further satisfying pairs by varying 32 bits (the first two bytes and the last two bytes). All the newly generated pairs will satisfy the characteristic for two rounds with probability 1. So for the newly generated pairs, we can find pairs satisfying the characteristic for 7 rounds with the higher probability of 2^(-33.90 - (-4.80)) = 2^-29.10.

4.7 Attack on 8 rounds of KLEIN

Aumasson et al. [3] attacked 8 rounds of KLEIN using the above distinguisher. First we analyze the attack on seven rounds of KLEIN. For the attack on seven rounds, we need the distinguisher for six rounds. The complete differential characteristic for six rounds occurs with probability 2^-28.08. Once we find a pair that satisfies the characteristic for six rounds, we can find other pairs with probability 2^-23.28 using the neutral bit technique explained above. Once we find 7-8 pairs, we can find the lower nibbles of the last round key. We have to perform a partial decryption of the last round and then guess the lower nibbles of the last round key. The guessed keys should be linearly combined with the output difference of the input pair. Then the result should be inverted through the MixNibbles step to check whether the resulting output has all non-active higher nibbles. If so, then we have a candidate key. The attack algorithm for recovering the key is given below. Since the key nibbles do not mix with each other, from the last round key we can find the lower nibbles of the master key. The remaining key bits, i.e. the higher nibbles (32 bits), can be recovered by brute force. Hence the complexity of the attack is 2^32. For eight rounds, we need a distinguisher for seven rounds. The probability of satisfying the characteristic for seven rounds is 2^-33.90. But the generic probability of achieving a differential of the form (0δ0δ0δ0δ0δ0δ0δ0δ) is 2^-32. So, if we collect 2^34 pairs (data complexity) then we will get at least 5 pairs that have all non-active higher nibbles in the state after eight rounds. Out of these 5, only one will satisfy our characteristic. So, we will end up trying 4 × 2^32 false pairs. Hence, the overall cost for eight rounds will become 2^33.90 + 4 × 2^32 ≈ 2^35.

How to detect good pairs: The most important part of the attack is to find good pairs. Aumasson et al. [3] filtered the good pairs by checking the ciphertext difference after eight rounds. If the ciphertext difference for the input pair difference ∆(00000b0000000000) is of the form ∆(0δ0δ0δ0δ0δ0δ0δ0δ), where δ ∈ {0 · · · 15}, then the input plaintext pair is a candidate good pair. The generic probability for the pattern ∆(0δ0δ0δ0δ0δ0δ0δ0δ) is 2^-32. As shown above, the probability of such truncated differentials is higher than the generic probability up to six rounds. So, it is highly likely to find the complete characteristic (for fewer than 8 rounds) if we just check that the ciphertext difference after the last round satisfies the characteristic ∆(0δ0δ0δ0δ0δ0δ0δ0δ). But to find a distinguisher for eight rounds, if we try 2^34 times then we will find one pattern that satisfies the above differential characteristic up to seven rounds. In the light of Property 4 mentioned in section-4.5, after eight rounds we can extend the check of the ciphertext difference to include all the 64 differentials {0δ0δ0δ0δ, 0δ0δ1δ1δ, 0δ1δ0δ1δ, 1δ0δ0δ1δ, 0δ1δ1δ0δ, 1δ0δ1δ0δ, 1δ1δ0δ0δ, 1δ1δ1δ1δ} where δ ∈ {0 · · · 15}. This will slightly increase the probability of finding a good pair.

4.8 Attack on 9 rounds

This section presents an attack on nine round KLEIN which is an extension of the above attack by Aumasson et al. [3]. The idea presented in this section is the contribution of this thesis. The above attack uses a 32 bit check (eight higher nibbles) to filter the correct pairs. If we give an input difference of the form 0x(0δ0δ0δ0δ) to MixNibbles, then the output difference will belong to the set of elements {0δ0δ0δ0δ, 0δ0δ1δ1δ, 0δ1δ0δ1δ, 1δ0δ0δ1δ, 0δ1δ1δ0δ, 1δ0δ1δ0δ, 1δ1δ0δ0δ, 1δ1δ1δ1δ} where δ ∈ {0 · · · 15}. So if we apply an input difference of the form (0δ0δ0δ0δ0δ0δ0δ0δ) to one round function of KLEIN, then only 64 output differences are possible. The higher nibble difference is either 0 or 1. As mentioned in the previous section, this fact can be used to make the attack by [3] more efficient. Instead of looking only for output pairs having all non-active higher nibbles after eight rounds, we can also include the pairs having a difference in the above set. This will slightly increase the probability of finding good pairs for the eight round attack.

For the nine round KLEIN attack, we can use the same characteristic as above up to seven rounds. For the eighth round we will fall in the set of 64 elements for all 2^32 inputs. So, we have a distinguisher up to eight rounds with the same probability as for seven rounds in the above characteristic. But the real problem is finding the correct output pairs. It is important to note that we will have to filter the output pairs only after nine rounds. In our case, the filtering of pairs is based only on 16 bits. This means we will have a much higher data complexity. We are already on the boundary for the seven round probability (2^-33.90) of the differential characteristic with respect to the generic probability (2^-32). So, with a filter of 32 bits we will have at most 4 out of 5 pairs which can be false pairs for the above seven round characteristic. With a filter of 16 bits, the number of false positive pairs increases to 2^18. The total complexity will rise to 2^18 × 2^29.10 = 2^47.10 ≈ 2^47. The cost of 2^29.10 comes from generating the confirming pairs using the neutral bit technique for each false positive pair. The total complexity for the attack on 9 rounds will be approximately 2^47.

Algorithm 6 Key Recovery algorithm for KLEIN-64

Input: N correct pairs of output, (output_1, output_1 ⊕ M) · · · (output_N, output_N ⊕ M)
Output: lower nibbles of the last round key
  for k = 0 → N do
    calculate the output difference diffout for output pair k
    for i = 0 → 2^16 do
      divide i into four nibbles
      set the lower and higher bytes of guessedkey to these four nibbles
      tempguessedkey ← guessedkey
      tempguessedkey ← SubNibbles(tempguessedkey)
      stguessedkey ← guessedkey
      stguessedkey ← stguessedkey ⊕ diffout
      stguessedkey ← SubNibbles(stguessedkey)
      stguessedkey ← stguessedkey ⊕ tempguessedkey
      stguessedkey ← MixNibbles_inv(stguessedkey)
      if CheckLowerbyteNibbles(stguessedkey) then
        candidate ← diffout ⊕ output_k
        lowerbytesnibbles[candidate] ++
      end if
      if CheckHigherbyteNibbles(stguessedkey) then
        candidate ← diffout ⊕ output_k
        higherbytesnibbles[candidate] ++
      end if
    end for
  end for
  for i = 0 → 2^16 do
    if lowerbytesnibbles[i] = N then
      print i    {lower bytes nibbles}
    end if
    if higherbytesnibbles[i] = N then
      print i    {higher bytes nibbles}
    end if
  end for

Figure 4.5: Output Difference from Input difference of form 0x0x0x0x

How to detect good pairs: We can find good pairs by inverting the ciphertext difference through the MixNibbles step. The ciphertext difference should fall into the set of 64 elements formed by combinations of elements from the set {0δ0δ0δ0δ, 0δ0δαδαδ, 0δαδ0δαδ, αδ0δ0δαδ, 0δαδαδ0δ, αδ0δαδ0δ, αδαδ0δ0δ, αδαδαδαδ}, where δ ∈ {0 · · · 15} and α ∈ {0x3, 0x4, 0x6, 0x8, 0xb, 0xe, 0xf}. But there will be a lot of false pairs discovered using this method. If we have correct pairs that satisfy the differential characteristic, then we can mount the attack with a complexity of 2^47 as explained above.

4.9 Experiments

We performed the attack for 6, 7, 8 and 9 rounds of KLEIN. Here are the results. The experiments for 6 and 7 rounds took little time to find confirming pairs. But for 8 rounds it took more time (4-5 hours) and there were many false negatives. The table below (Table-4.3) records the times taken (average of 5 trials) for the attack corresponding to the number of rounds.

Rounds   Time taken
5        1 second
6        22 seconds
7        45 minutes
8        4-5 hours

Table 4.3: Time taken for different rounds

For 6 rounds:
Pair found in 2^23.258648: 0x57, 0x97, 0x41, 0x5a, 0xa0, 0x23, 0x13, 0x72
Pair found in 2^15.012494: 0xdf, 0x84, 0x41, 0x5a, 0xa0, 0x23, 0x6b, 0x32
Pair found in 2^12.684748: 0xb1, 0xf5, 0x41, 0x5a, 0xa0, 0x23, 0x07, 0x8b
Pair found in 2^16.713280: 0x87, 0xea, 0x41, 0x5a, 0xa0, 0x23, 0x70, 0x65
Pair found in 2^18.046234: 0xa3, 0x7f, 0x41, 0x5a, 0xa0, 0x23, 0x71, 0x57
Pair found in 2^14.159556: 0xb0, 0xe4, 0x41, 0x5a, 0xa0, 0x23, 0x66, 0x13
lower nibbles found: c8fd18ae6588
correct key's lower nibbles: c8fd18ae

For 7 rounds:
Pair found in 2^27.920285: 0xc3, 0x65, 0x4e, 0xa6, 0xf6, 0x30, 0xe0, 0xd3
Pair found in 2^21.683439: 0xd4, 0x5b, 0x4e, 0xa6, 0xf6, 0x30, 0xee, 0xf1
Pair found in 2^24.308031: 0xce, 0x28, 0x4e, 0xa6, 0xf6, 0x30, 0x53, 0x39
Pair found in 2^23.679928: 0x84, 0x32, 0x4e, 0xa6, 0xf6, 0x30, 0x89, 0x19
Pair found in 2^21.728618: 0xe5, 0x72, 0x4e, 0xa6, 0xf6, 0x30, 0xfd, 0xe0
Pair found in 2^24.399814: 0xbb, 0xff, 0x4e, 0xa6, 0xf6, 0x30, 0x2d, 0x18
lower nibbles found: 2eeebbcc
correct key's lower nibbles: 2eeebbcc

For higher rounds, we had to try for a long time and there were a lot of false positives for nine rounds and eight rounds. It took 4-5 hours to find one good pair for the 8 round attack. For nine rounds we manually found one good pair and then generated 6-7 confirming pairs. By manually we mean that the differential characteristic for the pair was checked up to seven rounds and only those pairs that satisfied the characteristic were selected. This demonstrates that if we have good pairs we may attack nine round KLEIN. But it should be explicitly mentioned that there are a lot of false positives while generating confirming pairs that satisfy the complete differential characteristic for the attack on nine round KLEIN. The experiment for the attack on 9 rounds was performed by manually generating all 6-7 pairs.

For 8 rounds:
Pair found in 2^29.653700: 0xc4, 0xee, 0xec, 0x7f, 0x1a, 0xda, 0x55, 0x55
Pair found in 2^25.200279: 0xc7, 0x80, 0xec, 0x7f, 0x1a, 0xda, 0xc7, 0x7c
Pair found in 2^25.725811: 0xc9, 0x57, 0xec, 0x7f, 0x1a, 0xda, 0x26, 0xe3
Pair found in 2^25.886242: 0x94, 0x1c, 0xec, 0x7f, 0x1a, 0xda, 0x99, 0x62
Pair found in 2^25.216885: 0x15, 0x68, 0xec, 0x7f, 0x1a, 0xda, 0xcc, 0x93
Pair found in 2^21.629680: 0xfd, 0x4a, 0xec, 0x7f, 0x1a, 0xda, 0x3f, 0xd2
lower nibbles found: d6914ebf
correct key's lower nibbles: d6914ebf

For 9 rounds:
Pair found in 2^30.339192: 0x3d,0xee,0x81,0x73,0xc8,0x3e,0x76,0xcd
Pair found in 2^30.229275: 0x76,0xd8,0x81,0x73,0xc8,0x3e,0xed,0x3a
Pair found in 2^31.882769: 0x3d,0xee,0x81,0x73,0xc8,0x3e,0x76,0xcd
Pair found in 2^31.232449: 0x3d,0xee,0x81,0x73,0xc8,0x3e,0x76,0xcd
Pair found in 2^30.418349: 0x3d,0xee,0x81,0x73,0xc8,0x3e,0x76,0xcd
Pair found in 2^29.071176: 0x76,0xd8,0x81,0x73,0xc8,0x3e,0xed,0x3a
lower nibbles found: a194d633563a
correct key's lower nibbles: a194d633


Chapter 5

Miscellaneous

This chapter presents an analysis of the cipher LBlock. Although we did not find any attack on LBlock, the details show how impossible differentials of a cipher are found by contradiction. We also analyse the key schedule of LBlock; similar results have been presented in [35]. The second part of the chapter presents an experimental result on 3×3 and 4×4 S-boxes.

5.1 LBlock Cipher

The lightweight block cipher LBlock was presented by Wu and Zhang in 2011 [47]. It is a Feistel design with a 64-bit block, an 80-bit key and 32 rounds. The round function is simple: eight 4×4-bit S-boxes form the non-linear layer (figure 5.2). As in any two-branch Feistel structure, the 64-bit state is split into two 32-bit halves and the left half is passed through the round function. Inside the round function the 32-bit input is divided into eight nibbles, each of which is the input of one S-box; the S-box outputs are then permuted nibble by nibble within the 32 bits. The output of the round function is XORed into the right half, which is first rotated left by 8 bits. There is no attack on full LBlock as of now, but the designers listed 16 impossible differentials for LBlock and used them in a 20-round key-recovery attack [47]. Below we explain how these impossible differentials were found, as an example of finding impossible differentials by contradiction. We also present a property of the differential path through the key schedule of LBlock.


Figure 5.1: LBlock Cipher

5.1.1 Impossible differential for 14 rounds

The designers of LBlock stated an impossible differential of the form

$(00000000,\ 00\alpha00000) \overset{14r}{\nrightarrow} (0\beta000000,\ 00000000)$

which says that the input difference (00000000, 00α00000) never results in an output difference of the form (0β000000, 00000000) after 14 rounds of LBlock, for any non-zero nibble differences α and β. There are 15 other impossible differentials of this kind. They arise from the structure of the cipher: there is no bit mixing between the nibbles inside the round function (figure 5.2), so its diffusion is weak, and in LBlock diffusion is particularly slow in the decryption direction.

If we give a plaintext difference of the form (00000000, 00α00000) to LBlock in the forward direction, after seven rounds it becomes

$(00000000,\ 00\alpha00000) \xrightarrow{\ 1r \ldots 7r\ } (\alpha\delta\alpha\alpha\alpha\alpha\alpha\alpha,\ \alpha\alpha\alpha\alpha\alpha\alpha\alpha\alpha),\quad \alpha \in \{0,\ldots,15\},\ \delta = 0$

where α now stands for an arbitrary (possibly zero) nibble difference and δ is a nibble whose difference is zero with probability 1. Similarly, the difference (0β000000, 00000000) propagated backward from the ciphertext side gives


Figure 5.2: Round function of LBlock

$(0\beta000000,\ 00000000) \xrightarrow{\ 14r \ldots 7r\ } (\alpha\delta\alpha\alpha\alpha\alpha\alpha\alpha,\ \alpha\alpha\alpha\alpha\alpha\alpha\alpha\alpha),\quad \alpha \in \{0,\ldots,15\},\ \delta \neq 0$

with probability 1. Both right-hand sides describe the same intermediate state, but they contradict each other in the nibble δ: it must be zero according to the forward direction and non-zero according to the backward direction. This is shown in figure 5.3. Hence the input difference cannot lead to the output difference, because that would require an intermediate state satisfying both conditions. The other 15 impossible differentials are obtained in the same way by placing the difference at each of the other 15 nibbles.
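The miss-in-the-middle argument above can be checked mechanically with truncated (nibble-level) differences. The following Python script is an added example, not code from the thesis or from the LBlock designers. It encodes only the structural facts of LBlock the argument needs: bijective S-boxes, the nibble permutation P and the 8-bit left rotation of the right branch, taken from the specification [47] as recalled here (an assumption of this example; the S-box tables and round keys play no role at this level). It propagates the two differences seven rounds from each end and reports every nibble that is certainly zero on one side and certainly non-zero on the other. Positions are given in the script's own convention (left half, right half; nibble 7 leftmost), so the reported nibble need not coincide with δ in the text.

```python
"""Miss-in-the-middle check for the 14-round LBlock impossible differential.

Each of the eight nibbles of a 32-bit half carries a truncated difference:
'0' = certainly zero, 'a' = certainly non-zero, '?' = unknown.
"""

# Nibble permutation P of LBlock in list-index form (index 0 = leftmost nibble z7):
# u7=z6, u6=z4, u5=z7, u4=z5, u3=z2, u2=z0, u1=z3, u0=z1  ->  out[i] = z[P_IDX[i]].
# Assumption: quoted from the LBlock specification from memory.
P_IDX = [1, 3, 0, 2, 5, 7, 4, 6]

ZERO, NZ, UNK = "0", "a", "?"


def txor(x, y):
    """XOR of two truncated nibble differences."""
    if x == ZERO:
        return y
    if y == ZERO:
        return x
    return UNK  # non-zero ^ non-zero may cancel; '?' dominates


def f_trunc(half):
    """Truncated image of F = P o S: bijective S-boxes preserve 0 / non-zero / unknown."""
    return [half[P_IDX[i]] for i in range(8)]


def rot8(half):  # (X <<< 8): nibble at index i moves to index i-2
    return half[2:] + half[:2]


def rot8_inv(half):  # (X >>> 8)
    return half[-2:] + half[:-2]


def fwd_round(L, R):
    """X_i = F(X_{i-1}) ^ (X_{i-2} <<< 8); the new state is (X_i, X_{i-1})."""
    newL = [txor(a, b) for a, b in zip(f_trunc(L), rot8(R))]
    return newL, list(L)


def bwd_round(L, R):
    """Inverse of fwd_round: recover (X_{i-1}, X_{i-2}) from (X_i, X_{i-1})."""
    newR = rot8_inv([txor(a, b) for a, b in zip(L, f_trunc(R))])
    return list(R), newR


def propagate(diff, rounds, direction):
    """Propagate a (left, right) truncated difference 'fwd' or 'bwd' over some rounds."""
    L, R = list(diff[0]), list(diff[1])
    step = fwd_round if direction == "fwd" else bwd_round
    for _ in range(rounds):
        L, R = step(L, R)
    return "".join(L), "".join(R)


def contradictions(fwd, bwd):
    """Nibbles certainly zero on one side and certainly non-zero on the other."""
    found = []
    for name, f, b in (("left", fwd[0], bwd[0]), ("right", fwd[1], bwd[1])):
        for idx, (x, y) in enumerate(zip(f, b)):
            if {x, y} == {ZERO, NZ}:
                found.append((name, 7 - idx))  # report the nibble position 7..0
    return found


def check_impossible(in_diff, out_diff, r_fwd, r_bwd):
    """Meet r_fwd forward rounds with r_bwd backward rounds; any contradiction
    proves that in_diff cannot reach out_diff over r_fwd + r_bwd rounds."""
    fwd = propagate(in_diff, r_fwd, "fwd")
    bwd = propagate(out_diff, r_bwd, "bwd")
    return fwd, bwd, contradictions(fwd, bwd)


if __name__ == "__main__":
    # The designers' differential: alpha in right nibble 5, beta in left nibble 6.
    fwd, bwd, c = check_impossible(("00000000", "00a00000"),
                                   ("0a000000", "00000000"), 7, 7)
    print("after 7 forward rounds :", fwd)
    print("after 7 backward rounds:", bwd)
    print("contradicting nibbles  :", c)
```

Running it prints the forward pattern (aa??aa??, a0aaaa?a), the backward pattern (aaaa0aa?, a?a?a?a?) and one contradiction at nibble 3 of the left half: certainly non-zero when reached from the plaintext side, certainly zero when reached from the ciphertext side. Changing the two differences or the round split searches for the other impossible differentials of the same family.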

5.1.2 Key Schedule of LBlock

The key schedule of LBlock is inspired by that of PRESENT [10]. The master key is 80 bits long and a 32-bit round key is derived for each round by the key schedule algorithm below (round keys are indexed from 0 here, as in table 5.1).

Algorithm 7 Key Schedule of LBlock

  K_0 ← k79 k78 ... k48                       (leftmost 32 bits of the master key K)
  for i = 1 → 31 do
    K ← K <<< 29
    [k79 k78 k77 k76] ← S9[k79 k78 k77 k76]
    [k75 k74 k73 k72] ← S8[k75 k74 k73 k72]
    [k50 k49 k48 k47 k46] ← [k50 k49 k48 k47 k46] ⊕ [i]_2   (5-bit round counter)
    K_i ← k79 k78 ... k48                     (leftmost 32 bits of the updated K)
  end for

Two keys can be found for which the total Hamming weight of the round-key differences over all 32 rounds is as low as 11. For example, the following two master keys, which differ in a single bit, give a total Hamming weight of 11 (table 5.1):

4db9b0d04d84bb7f6e4f
4db9b0d04d84bb3f6e4f

Figure 5.3: Round function of LBlock

The overall Hamming weight across the 32 rounds is small for two master keys whose own difference has low Hamming weight (1 or 2). One reason is that a difference bit reaches a key-schedule S-box only every 8 to 9 rounds on average. For LBlock it is therefore easy to find, by brute force, two keys whose difference stays at a particular bit over the 32 rounds, since at most two S-boxes are active. In other cases, standard search algorithms such as hill climbing or simulated annealing can be used to find two keys with a low-weight round-key difference; they converge faster than brute force. Such key properties can be used to investigate attacks such as related-key impossible differentials. The differential path of the round keys can in fact be controlled by fixing the values of some bits of the master key: the path in table 5.1 is obtained by fixing [k56 k57 k58 k59] to a value in {1, 4, 5} and k60 = 1. Other differential paths are found by varying other bits of the master key. Note, however, that attacks involving two keys or related keys are a weaker attack model in the case of lightweight primitives.

Table 5.1: Difference of round keys (ΔK_i in hexadecimal)

ΔK0 : 00000000    ΔK16: 00000000
ΔK1 : 00000008    ΔK17: 00000000
ΔK2 : 00000000    ΔK18: 00020000
ΔK3 : 00000000    ΔK19: 00000000
ΔK4 : 00000400    ΔK20: 00000000
ΔK5 : 00000000    ΔK21: 02000000
ΔK6 : 00000000    ΔK22: 00000000
ΔK7 : 00020000    ΔK23: 00000008
ΔK8 : 00000000    ΔK24: 00000000
ΔK9 : 00000000    ΔK25: 00000000
ΔK10: 02000000    ΔK26: 00000400
ΔK11: 00000000    ΔK27: 00000000
ΔK12: 00000008    ΔK28: 00000000
ΔK13: 00000000    ΔK29: 00020000
ΔK14: 00000000    ΔK30: 00000000
ΔK15: 00000400    ΔK31: 00000000
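The path in table 5.1 can be reproduced by tracing only the positions of the difference bits: the 29-bit rotation moves them deterministically and the round-counter XOR does not change a difference, so a difference only changes when it enters one of the two key-schedule S-boxes. The Python script below is an added example, not thesis code. The tables of S8 and S9 are not given on this page, so the script does not evaluate them; the single transition that S8 applies here (input difference 0001 to output difference 0010, read off ΔK10 = 02000000 in table 5.1 for the thesis's key pair) is passed in as an explicit assumption, and the script raises an error if a difference reaches an S-box for which no transition was supplied.

```python
"""Trace a master-key difference through the LBlock key schedule (positions only)."""

KEY_BITS = 80
ROT = 29
S9_NIBBLE = range(76, 80)  # k79..k76
S8_NIBBLE = range(72, 76)  # k75..k72


def bits_of(key_hex):
    """Positions (k0 = least significant bit) that are set in an 80-bit key."""
    v = int(key_hex, 16)
    return {i for i in range(KEY_BITS) if (v >> i) & 1}


def round_key_diff(diff):
    """Round key = leftmost 32 bits k79..k48; return their difference as a 32-bit word."""
    return sum(1 << (p - 48) for p in diff if p >= 48)


def pass_sbox(diff, nibble, out_map, name):
    """Replace the difference inside an S-box input nibble by the assumed output difference.
    out_map: {input nibble difference: output nibble difference}, supplied by the caller."""
    lo = nibble.start
    in_diff = sum(1 << (p - lo) for p in diff if p in nibble)
    if in_diff == 0:
        return diff
    if in_diff not in out_map:
        raise ValueError(f"{name}: no assumed output difference for input difference {in_diff:#x}")
    out = out_map[in_diff]
    kept = {p for p in diff if p not in nibble}
    return kept | {lo + b for b in range(4) if (out >> b) & 1}


def trace(key_a, key_b, s8_map, s9_map, rounds=32):
    """Return [dK_0, ..., dK_{rounds-1}] for two master keys, following Algorithm 7."""
    diff = bits_of(key_a) ^ bits_of(key_b)
    out = [round_key_diff(diff)]          # dK_0: before any update
    for _ in range(1, rounds):
        diff = {(p + ROT) % KEY_BITS for p in diff}   # K <<< 29
        diff = pass_sbox(diff, S9_NIBBLE, s9_map, "S9")
        diff = pass_sbox(diff, S8_NIBBLE, s8_map, "S8")
        # the counter XOR into k50..k46 does not affect differences
        out.append(round_key_diff(diff))
    return out


def hamming_weight(words):
    return sum(bin(w).count("1") for w in words)


# The thesis's key pair (they differ in bit k22 only) and the S8 behaviour observed
# for it: input difference 0001 -> output difference 0010 (assumption taken from Table 5.1).
KEY_A = "4db9b0d04d84bb7f6e4f"
KEY_B = "4db9b0d04d84bb3f6e4f"
ASSUMED_S8 = {0x1: 0x2}

if __name__ == "__main__":
    diffs = trace(KEY_A, KEY_B, ASSUMED_S8, {})
    for i, d in enumerate(diffs):
        if d:
            print(f"dK{i:<2} = {d:08x}")
    print("total Hamming weight:", hamming_weight(diffs))
```

The output lists exactly the eleven non-zero round-key differences of table 5.1. The period of 11 visible there (rounds 1, 12, 23; 4, 15, 26; 7, 18, 29; 10, 21) follows from 11 · 29 = 319 ≡ −1 (mod 80): eleven rotations move a bit one position to the right, and the single S8 transition 0001 → 0010 moves it one position back to the left, so the difference cycles through the same positions.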

5.2 Analyzing S-boxes

The non-linear component of a round function is usually implemented by an S-box, and S-boxes have been analysed widely [8, 31, 37]. For 4×4-bit S-boxes there are 16 classes of optimal S-boxes [31, 37]. By optimal we mean that the S-box has no trivial differential and no trivial linear approximation, that is, no row of the differential distribution table or of the linear approximation table for a non-zero input difference or input mask has a single non-zero entry with all other entries zero (table 5.3 shows such a row), and in addition the largest differential probability and the largest linear bias are the smallest achievable, 1/4.

We started with the intention of designing an SPN cipher that maps a particular set of differences to itself with some probability p; such a cipher could serve as a trapdoor in certain applications. The round function of the cipher is a combination of a non-linear and a linear function. If an input difference from the set passes through the non-linear layer it should stay in the set with probability 1, and the linear layer should map the set to itself with some probability p. The idea is to start from a pair of plaintexts whose difference lies in the particular set and to end up with a difference in the same set. For example, if the set of differences is {a, b, c, d}, passing any of them through the S-box should give an output difference in the same set with probability 1, and passing that output difference through the linear layer should give an output in {a, b, c, d} with some probability p. This can be expressed as follows:

$\Delta x \in \{a, b, c, d\} \;\Rightarrow\; S(\Delta x) \in \{a, b, c, d\}$ with probability 1,

$L(\Delta x) \in \{a, b, c, d\}$ with probability $p$.

The first task was to find an S-box satisfying this property, which led us to an interesting observation about the differential distribution and linear approximation of S-boxes. The differential distribution of an S-box can be visualised as a graph whose nodes are the differences: there is an edge from an input difference to an output difference whenever that transition has a non-zero entry in the table. For example, in figure 5.4 the input difference 1 can lead to the output difference 3, and 3 leads to 2. The node 0 is always isolated in the differential graph of any S-box, since a zero input difference gives only a zero output difference.

Figure 5.4: S-box representation as graph

Reformulated this way, finding two or more disjoint closed sets in the differential distribution of an S-box is the same as finding the connected components of this graph (beyond the isolated node 0). This can be done with the algorithm below.

Algorithm 8 Algorithm to find the connected components in S-box.
  Input: S-box table
  Output: connected components of the difference graph
  M ← differential distribution table of the S-box (N × N)
  G ← graph with nodes 0 .. N−1 and an edge {i, j} whenever M[i][j] > 0
  components ← ∅
  for each node v = 0 → N−1 not yet visited do
    C ← BFS(G, v)                     (all nodes reachable from v; mark them visited)
    components ← components ∪ {C}
  end for
  return components

We found many permutations with three connected components (one of them {0}) among the 3×3 (8! permutations) and 4×4 (16! permutations) S-boxes with either a non-trivial differential distribution or a non-trivial linear approximation, but never with both. If this phenomenon held for every n×n S-box, a trapdoor design of this kind would be obvious to an attacker. We checked exhaustively for 3×3 and 4×4 S-boxes: whenever the differential distribution is non-trivial and has three or more connected components, the S-box has a trivial linear approximation. So designing such a trapdoor with 3×3 or 4×4-bit S-boxes is difficult. For example, the following 4×4 S-box has three components:

Table 5.2: Example S-box
  x     0 1 2 3 4 5 6 7 8 9 a b c d e f
  S(x)  e f c d b a 8 5 7 0 2 9 4 3 6 1

1st connected component: {0}
2nd connected component: {1, 7, 11, 13, 6, 10, 12}
3rd connected component: {2, 3, 5, 9, 15, 14, 4, 8}

This S-box satisfies the requirement on the connected components of its differential distribution table, but it has a trivial linear approximation for the input mask (1110)_2 = 14: with the output mask (1110)_2 the linear relation holds for none of the 16 inputs (entry −8 in table 5.3), so its complement holds for all of them.

Table 5.3: Row of the linear approximation table for the input mask 0xe = (1110)_2; the columns are the output masks

  output mask      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  input mask 0xe   0  0  0  0  0  0  0  0  0  0  0  0  0  0 -8  0

This phenomenon has been verified experimentally for 3×3 and 4×4 S-boxes. Whether the same holds for n×n S-boxes in general requires a mathematical proof, which remains an open question.
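The following Python script is an added example, not thesis code, that carries out the S-box analysis of this section for the S-box of table 5.2: it builds the differential distribution table (DDT) and the linear approximation table (LAT), finds the connected components of the difference graph of algorithm 8 (with union-find instead of BFS), and lists the trivial rows, i.e. probability-1 differentials and linear approximations that hold for every input. The LAT entry used here is the number of inputs x with a·x = b·S(x) minus 8, so an entry of ±8 is a trivial approximation. The script also serves the closed-difference-set requirement from the start of the section, because a connected component is exactly a set of differences that the S-box never leaves.

```python
"""DDT, LAT, difference-graph components and trivial rows of a 4-bit S-box."""

# S-box of Table 5.2 (input x -> S(x)).
SBOX = [0xe, 0xf, 0xc, 0xd, 0xb, 0xa, 0x8, 0x5,
        0x7, 0x0, 0x2, 0x9, 0x4, 0x3, 0x6, 0x1]


def ddt(sbox):
    """Differential distribution table: t[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t


def parity(v):
    return bin(v).count("1") & 1


def lat(sbox):
    """Linear approximation table: t[a][b] = #{x : a.x = b.S(x)} - n/2."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x]))
            t[a][b] = agree - n // 2
    return t


def components(ddt_table):
    """Connected components of the undirected difference graph (edge i--j iff DDT[i][j] > 0).
    Node 0 is always isolated, so it forms its own component."""
    n = len(ddt_table)
    parent = list(range(n))

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    for i in range(n):
        for j in range(n):
            if ddt_table[i][j]:
                parent[find(i)] = find(j)
    groups = {}
    for v in range(n):
        groups.setdefault(find(v), set()).add(v)
    return sorted(groups.values(), key=min)


def trivial_differentials(ddt_table):
    """(dx, dy) pairs with a probability-1 transition, excluding dx = 0."""
    n = len(ddt_table)
    return [(a, b) for a in range(1, n) for b in range(n) if ddt_table[a][b] == n]


def trivial_linear(lat_table):
    """(input mask, output mask) pairs whose approximation holds for all or no inputs."""
    n = len(lat_table)
    return [(a, b) for a in range(1, n) for b in range(1, n) if abs(lat_table[a][b]) == n // 2]


if __name__ == "__main__":
    d, l = ddt(SBOX), lat(SBOX)
    print("components:", components(d))
    print("trivial differentials:", trivial_differentials(d))
    print("trivial linear approximations (a, b):",
          [(hex(a), hex(b)) for a, b in trivial_linear(l)])
```

For table 5.2 it reports the components {0}, {1, 6, 7, 10, 11, 12, 13} and {2, 3, 4, 5, 8, 9, 14, 15}, no trivial differential, and the trivial linear approximation with input and output mask 0xe (entry −8, table 5.3). To repeat the exhaustive 3×3 search of the text, run the same functions over itertools.permutations(range(8)).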


Chapter 6

Conclusions

This thesis studies the design and cryptanalysis of lightweight block ciphers. In the first part we described the need for lightweight cryptographic primitives and briefly explained why an existing standard block cipher such as AES is not suited to small devices. We presented the design principles of block ciphers and how lightweight block ciphers evolved from existing design primitives. Block cipher designs can broadly be classified into Feistel ciphers and substitution-permutation network (SPN) ciphers, and the same classification and building blocks, with a few exceptions such as the KATAN and KTANTAN family [18], have been carried over to lightweight block ciphers. Both SPN and Feistel designs have been used. In a Feistel design the encryption and decryption functions are the same, which is an obvious space advantage on resource-constrained devices. In both designs the round functions are kept simple. Designers have also tried to reuse the AES design, since it has been analysed widely without much success; traditionally, block cipher designers prefer the AES design unless another design offers a distinct advantage in the context of use. The recent cost-effective implementation of the expensive linear layer of AES [21] may establish the same trend in lightweight block ciphers too. Nowadays, for most of these ciphers the round keys are either fixed or derived by a simple key scheduling algorithm, to gain speed and space.

Although there is no consensus in the research community on an exact definition of lightweight ciphers, there is broad agreement on the requirements for the design of lightweight block ciphers. These have been formulated from the concerns of resource-constrained devices and the level of security required of lightweight cryptographic primitives. We listed the design goals of lightweight block ciphers in chapter 2, with PRESENT [10] and LED [22] as two examples. In brief, lightweight cryptography is cryptography designed for resource-constrained devices, and the design should achieve an optimal balance between space, performance and security. Although most aspects of lightweight block cipher design have benefited from traditional block cipher design, there are still open questions regarding the optimal design of lightweight block ciphers; some of these research questions are listed in chapter 2.

The second part of the thesis presents the cryptanalysis of block ciphers. It first describes the various cryptanalytic techniques, focusing mainly on differential and linear cryptanalysis. In chapter 4 we present an attack on 9-round KLEIN, which extends the previous attack on 8-round KLEIN by Aumasson et al. [3]. Besides the attack, we present several properties of KLEIN that can be used to derive further results for ciphers with a similar structure. In chapter 3 we also presented how [30] exploited a weakness in the S-box of PRINTcipher to find weak keys. This attack is an example for future designers of why the linear and non-linear layers of a cipher must be chosen carefully: S-boxes and the other components should leave no anomalies in the differential distribution and the linear approximation of the cipher. In chapter 5 we presented properties of the key schedule of LBlock and the experimental result for 3×3 and 4×4-bit S-boxes, which can be summarised as follows: among 3×3 and 4×4 S-boxes there is none with both a non-trivial differential distribution and a non-trivial linear approximation whose differential distribution graph has a disconnected component beyond the isolated zero difference. A mathematical proof is still needed to establish this for n×n-bit S-boxes.

Lastly, many lightweight ciphers have been proposed in the recent past. The majority are secure against pure differential and linear cryptanalysis, and designers have taken care to protect against most known attacks. Because the round function of a lightweight block cipher is simple, it is somewhat easier to find weaknesses for a small number of rounds, but the large number of rounds makes practical attacks on the full ciphers very difficult: it pushes the complexity of an attack far beyond what can be executed in practice. Although traditional cryptanalysis has produced very few practical attacks (of complexity below 2^64), it has played an important role in judging the security provided by these ciphers.


Bibliography

[1] 3GPP TS 35.202. 3G Security; Specification of the 3GPP confidentiality and integrity algorithms; Document 2: KASUMI specification.

[2] Aoki, K., and Sasaki, Y. Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In Advances in Cryptology – CRYPTO 2009 (2009), pp. 70–89.

[3] Aumasson, J.-P., Naya-Plasencia, M., and Saarinen, M.-J. O. Practical attack on 8 rounds of the lightweight block cipher KLEIN. In INDOCRYPT (2011), pp. 134–145.

[4] Biham, E., Biryukov, A., and Shamir, A. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In Advances in Cryptology – EUROCRYPT '99 (1999), Springer, pp. 12–23.

[5] Biham, E., and Chen, R. Near-collisions of SHA-0. In Advances in Cryptology – CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings (2004), pp. 290–305.

[6] Biham, E., and Shamir, A. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4, 1 (1991), 3–72.

[7] Biham, E., and Shamir, A. Differential fault analysis of secret key cryptosystems. In Advances in Cryptology – CRYPTO '97 (1997), pp. 513–525.

[8] Biryukov, A., De Cannière, C., Braeken, A., and Preneel, B. A toolbox for cryptanalysis: Linear and affine equivalence algorithms. In Advances in Cryptology – EUROCRYPT 2003 (2003).

[9] Biryukov, A., and Wagner, D. Slide attacks. In Fast Software Encryption (1999), Springer, pp. 245–259.


[10] Bogdanov, A., Knudsen, L., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., and Vikkelsoe, C. PRESENT: An ultra-lightweight block cipher. In Cryptographic Hardware and Embedded Systems – CHES 2007 (2007), pp. 450–466.

[11] Bogdanov, A., and Rechberger, C. A 3-subset meet-in-the-middle attack: Cryptanalysis of the lightweight block cipher KTANTAN. In Selected Areas in Cryptography (2011), Springer, pp. 229–240.

[12] Boneh, D., DeMillo, R., and Lipton, R. On the importance of checking cryptographic protocols for faults. In Proceedings of the 16th Annual International Conference on Theory and Application of Cryptographic Techniques (1997), Springer-Verlag, pp. 37–51.

[13] Buchmann, J., Pyshkin, A., and Weinmann, R. Block ciphers sensitive to Gröbner basis attacks. In Topics in Cryptology – CT-RSA 2006 (2006), pp. 313–331.

[14] Collard, B., and Standaert, F. A statistical saturation attack against the block cipher PRESENT. In Topics in Cryptology – CT-RSA 2009 (2009), pp. 195–210.

[15] Coppersmith, D. The real reason for Rivest's phenomenon. In Advances in Cryptology – CRYPTO '85 Proceedings (1986), Springer, pp. 535–536.

[16] Courtois, N., and Pieprzyk, J. Cryptanalysis of block ciphers with overdefined systems of equations. In Advances in Cryptology – ASIACRYPT 2002 (2002), pp. 267–287.

[17] Courtois, N. T. Algebraic complexity reduction and cryptanalysis of GOST. Cryptology ePrint Archive, Report 2011/626, 2011. http://eprint.iacr.org/.

[18] De Cannière, C., Dunkelman, O., and Knežević, M. KATAN and KTANTAN – a family of small and efficient hardware-oriented block ciphers. In Cryptographic Hardware and Embedded Systems – CHES 2009 (2009), pp. 272–288.

[19] FIPS PUB 197. Specification for the Advanced Encryption Standard (AES). National Institute of Standards and Technology, Gaithersburg, MD (2001).


[20] Gong, Z., Nikova, S., and Law, Y. W. KLEIN: A new family of lightweight block ciphers. In Workshop on RFID Security – RFIDSec '11 (Amherst, Massachusetts, USA, June 2011).

[21] Guo, J., Peyrin, T., and Poschmann, A. The PHOTON family of lightweight hash functions. In CRYPTO (2011), pp. 222–239.

[22] Guo, J., Peyrin, T., Poschmann, A., and Robshaw, M. J. B. The LED block cipher. In CHES (2011), pp. 326–341.

[23] Heys, H. A tutorial on linear and differential cryptanalysis. Cryptologia 26, 3 (2002), 189–221.

[24] Kelsey, J., Kohno, T., and Schneier, B. Amplified boomerang attacks against reduced-round MARS and Serpent. In Fast Software Encryption (2001), Springer, pp. 13–23.

[25] Khovratovich, D., and Rechberger, C. A splice-and-cut cryptanalysis of the AES.

[26] Knudsen, L. Truncated and higher order differentials. In Fast Software Encryption (1995), Springer, pp. 196–211.

[27] Knudsen, L., Leander, G., Poschmann, A., and Robshaw, M. PRINTcipher: A block cipher for IC-printing. In Cryptographic Hardware and Embedded Systems – CHES 2010 (2010), pp. 16–32.

[28] Kocher, P. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Advances in Cryptology – CRYPTO '96 (1996), Springer, pp. 104–113.

[29] Kocher, P., Jaffe, J., and Jun, B. Differential power analysis. In Advances in Cryptology – CRYPTO '99 (1999), Springer.

[30] Leander, G., Abdelraheem, M., AlKhzaimi, H., and Zenner, E. A cryptanalysis of PRINTcipher: The invariant subspace attack. In Advances in Cryptology – CRYPTO 2011 (2011), pp. 206–221.

[31] Leander, G., and Poschmann, A. On the classification of 4 bit S-boxes. In Arithmetic of Finite Fields (2007), pp. 159–176.

[32] Lim, C., and Korkishko, T. mCrypton – a lightweight block cipher for security of low-cost RFID tags and sensors. In Information Security Applications (2006), pp. 243–258.


[33] Matsui, M. Linear cryptanalysis method for DES cipher. In Advances in Cryptology – EUROCRYPT '93 (1994), Springer, pp. 386–397.

[34] Merkle, R. C., and Hellman, M. E. On the security of multiple encryption. Communications of the ACM 24 (July 1981), 465–467.

[35] Minier, M., and Naya-Plasencia, M. Some preliminary studies on the differential behavior of the lightweight block cipher LBlock. In ECRYPT Lightweight Cryptography Workshop (2011).

[36] Poschmann, A., Leander, G., Schramm, K., and Paar, C. A family of light-weight block ciphers based on DES suited for RFID applications. In Workshop on RFID Security (2006), pp. 12–14.

[37] Saarinen, M.-J. O. Cryptographic analysis of all 4 x 4-bit S-boxes. IACR Cryptology ePrint Archive, Report 2011/218 (2011).

[38] Schneier, B., and Sutherland, P. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., 1995.

[39] Shannon, C. Communication theory of secrecy systems. Bell System Technical Journal 28, 4 (1949), 656–715.

[40] Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., and Shirai, T. Piccolo: An ultra-lightweight blockcipher. In Cryptographic Hardware and Embedded Systems – CHES 2011 (2011), pp. 342–357.

[41] Shirai, T., Shibutani, K., Akishita, T., Moriai, S., and Iwata, T. The 128-bit blockcipher CLEFIA. In Fast Software Encryption (2007), Springer, pp. 181–195.

[42] Stein, W., et al. Sage: Open source mathematical software, 2008.

[43] Stinson, D. Cryptography: Theory and Practice, 3rd ed. Chapman & Hall/CRC, 2002.

[44] Van Le, T., Sparr, R., Wernsdorf, R., and Desmedt, Y. Complementation-like and cyclic properties of AES round functions. In Advanced Encryption Standard – AES (2005).

[45] Vogt, M., Poschmann, A., and Paar, C. Cryptography is feasible on 4-bit microcontrollers – a proof of concept. In RFID, 2009 IEEE International Conference on (2009), IEEE, pp. 241–248.


[46] Wagner, D. The boomerang attack. In Fast Software Encryption (1999), Springer, pp. 156–170.

[47] Wu, W., and Zhang, L. LBlock: A lightweight block cipher. In Applied Cryptography and Network Security (2011), Springer, pp. 327–344.


Appendix A

Performance details of lightweight block ciphers

A.1 Performance details

Name             Designers            Area (GE)   Block (bits)  Key (bits)  Throughput (kbps at 100 kHz)  Mean power (µW)  Technology (µm)
AES              Rijmen et al.        3100        128           128         80                            4.5              0.13
CLEFIA           Shirai et al.        4950        128           128         355.6                         –                0.09
DES              IBM                  2300        64            56          14.4                          –                0.18
DESXL            Leander et al.       2168        64            184         44.4                          1.6              0.18
HIGHT            Hong et al.          3048        64            128         188.2                         –                0.25
KASUMI           SAGE group           6000        64            128         128                           25               –
KATAN32          De Cannière et al.   802         32            80          12.5                          0.38             0.13
KATAN64          De Cannière et al.   802         64            80          25.5                          0.38             0.13
KTANTAN32        De Cannière et al.   462         32            80          12.5                          0.15             0.13
KTANTAN64        De Cannière et al.   462         64            80          25.5                          0.15             0.13
mCrypton         Lim et al.           2500        64            128         492.3                         –                0.13
PRESENT          Bogdanov et al.      1000        64            80          11.4                          11.2             0.35
SEA              Standaert et al.     449         96            96          17.5                          3.22             0.13
XTEA             Needham et al.       3490        64            128         57.1                          19.5             0.13
KLEIN-64         Gong et al.          2032        64            64          20                            4.5              0.18
KLEIN-80         Gong et al.          2202        64            80          27.2                          4.5              0.18
KLEIN-96         Gong et al.          2372        64            96          32                            4.5              0.18
PUFFIN           Cheng et al.         2577        64            128         194                           14.5             0.18
ICEBERG          Standaert et al.     5817        64            128         400                           6.5              0.18
NOEKEON          Daemen et al.        3000–4000   128           128         –                             –                0.18
Skipjack         NSA                  3000–4000   64            80          10.96                         –                0.18
ARMADILLO2-A     Badel et al.         2923        80            128         272                           44               0.18
ARMADILLO2-B     Badel et al.         4353        80            128         250                           65               0.18
ARMADILLO2-C     Badel et al.         5406        80            128         250                           83               0.18
ARMADILLO2-D     Badel et al.         6554        80            128         250                           102              0.18
PRINTcipher-48   Knudsen et al.       402         48            80          160                           –                0.18
Hummingbird      Engels et al.        –           16            256         23.5                          2.75             –
Hummingbird-2    Engels et al.        2332        16            128         –                             1.845            0.18
LBlock           Wu et al.            1320        64            80          200                           –                0.18
Piccolo-80       Shibutani et al.     1136        64            80          14.11                         –                0.18
Piccolo-128      Shibutani et al.     1197        64            128         12.12                         –                0.18
LED-64           Guo et al.           966         64            64          5.1                           –                0.18
LED-128          Guo et al.           1265        64            128         3.4                           –                0.18
EPCBC-48         Yap et al.           1008        48            96          12.12                         –                0.18
EPCBC-96         Yap et al.           1333        96            96          12.12                         –                0.18

Table A.1: Hardware performance of lightweight block ciphers (a dash marks a value not reported)

A.2 Linear approximation of S-box

Rows are the input mask a, columns the output mask b; an entry is the number of inputs x with a·x = b·S(x) minus 8.

 a\b   0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
  0    8   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  1    0   0  -2  -2   0   0  -2   6   2   2   0   0   2   2   0   0
  2    0   0  -2  -2   0   0  -2  -2   0   0   2   2   0   0  -6   2
  3    0   0   0   0   0   0   0   0   2   6  -2  -2   2   2  -2  -2
  4    0   2   0  -2  -2  -4  -2   0   0  -2   0   2   2  -4   2   0
  5    0  -2  -2   0  -2   0   4   2  -2   0  -4   2   0  -2  -2   0
  6    0   2  -2   4   2   0   0   2   0  -2   2   4  -2   0   0  -2
  7    0  -2   0   2   2  -4   2   0  -2   0   2   0   4   2   0   2
  8    0   0   0   0   0   0   0   0  -2   2   2  -2   2  -2  -2  -6
  9    0   0  -2  -2   0   0  -2  -2  -4   0  -2   2   0   4   2  -2
  a    0   4  -2   2  -4   0   2  -2   2   2   0   0   2   2   0   0
  b    0   4   0  -4   4   0   4   0   0   0   0   0   0   0   0   0
  c    0  -2   4  -2  -2   0   2   0   2   0   2   4   0   2   0  -2
  d    0   2   2   0  -2   4   0   2  -4  -2   2   0   2   0   0   2
  e    0   2   2   0  -2  -4   0   2  -2   0   0  -2  -4   2  -2   0
  f    0  -2  -4  -2  -2   0   2   0   0  -2   4  -2  -2   0   2   0

Table A.2: Linear approximation table of the S-box of the example cipher

A.3 Differential distribution of S-box


Rows are the input difference Δx, columns the output difference Δy; an entry is the number of inputs x with S(x) ⊕ S(x ⊕ Δx) = Δy (each row sums to 16).

 Δx\Δy  0   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
  0    16   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
  1     0   0   0   2   0   0   0   2   0   2   4   0   4   2   0   0
  2     0   0   0   2   0   6   2   2   0   2   0   0   0   0   2   0
  3     0   0   2   0   2   0   0   0   0   4   2   0   2   0   0   4
  4     0   0   0   2   0   0   6   0   0   2   0   4   2   0   0   0
  5     0   4   0   0   0   2   2   0   0   0   4   0   2   0   0   2
  6     0   0   0   4   0   4   0   0   0   0   0   0   2   2   2   2
  7     0   0   2   2   2   0   2   0   0   2   2   0   0   0   0   4
  8     0   0   0   0   0   0   2   2   0   0   0   4   0   4   2   2
  9     0   2   0   0   2   0   0   4   2   0   2   2   2   0   0   0
  a     0   2   2   0   0   0   0   0   6   0   0   2   0   0   4   0
  b     0   0   8   0   0   2   0   2   0   0   0   0   0   2   0   2
  c     0   2   0   0   2   2   2   0   0   0   0   2   0   6   0   0
  d     0   4   0   0   0   0   0   4   2   0   2   0   2   0   2   0
  e     0   0   2   4   2   0   0   0   6   0   0   0   0   0   2   0
  f     0   2   0   0   6   0   0   0   0   4   0   2   0   0   2   0

Table A.3: Differential distribution table of the S-box of the example cipher

