PhD-FSTC-2017-24
The Faculty of Sciences, Technology and Communication
DISSERTATION
Defence held on 25/04/2017 in Belval
to obtain the degree of
DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG
EN INFORMATIQUE
by
Léo Paul PERRIN
Born on the 20th of November 1990 in Lons-le-Saunier (France)
CRYPTANALYSIS, REVERSE-ENGINEERING AND DESIGN OF SYMMETRIC CRYPTOGRAPHIC ALGORITHMS
Dissertation defence committee
Dr Alex Biryukov, dissertation supervisor
Professor, Université du Luxembourg
Dr Henri Gilbert
HDR, Agence Nationale pour la Sécurité des Systèmes d'Information
Dr Jean-Sébastien Coron, Chairman
Associate Professor, Université du Luxembourg
Dr Gregor Leander
Professor, Ruhr-Universität Bochum
Dr Volker Müller, Vice Chairman
Associate Professor, Université du Luxembourg
To skipjacks, sponges, pollocks and whales;
to grasshoppers, butterflies and skippers.
Abstract
In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography.
In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely Gluon, Prince and Twine. I also introduce a new lightweight block cipher called Sparx which was designed using a new method to justify its security: the Long Trail Strategy.
Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics.
Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive.
Acknowledgements
This section is my attempt at expressing my gratitude to all those who helped me through my four years as a PhD student, academically or otherwise.
First of all, I thank my supervisor Alex Biryukov. For accepting me as his student and for giving me the opportunity to work in his group of course, but also for his advice and guidance during my studies. He always pushed me to improve our results as far as possible and my work would not be half as meaningful without these encouragements.
I also thank Jean-Sébastien Coron, Henri Gilbert, Gregor Leander and Volker Müller for accepting to be in my jury; meaning they agreed to both go through the 380-odd pages of this thesis and to come all the way to Belval which, for those living outside Luxembourg, is no small journey!
None of the work presented in this thesis would have been possible without my co-authors who have all my gratitude: Alex Biryukov, Anne Canteaut, Patrick Derbez, Daniel Dinu, Sébastien Duval, Johann Großschädl, Dmitry Khovratovich, Yann Le Corre, Gaëtan Leurent, Aleksei Udovenko, and Vesselin Velichkov.
Beyond our work together, I also thank my colleagues for fun and interesting conversations around a coffee or a beer: Patrick Derbez, Daniel Dinu, Daniel Fehrer, Johann Großschädl, Dmitry Khovratovich, Yann Le Corre, Zhe Liu, Ivan Pustogarov, Arnab Roy, Sergei Tikhomirov, Aleksei Udovenko, Praveen Vadnala, Vesselin Velichkov and Srinivas Vivek.
I was fortunate to have had prior experience in research before the start of my PhD. I thank Céline Blondeau, my master thesis advisor, for teaching me how to do research, write papers and advising me to apply for this PhD position. She also introduced me to Boolean functions, an area in which I am still working. If it were not for her, I would probably not have done an academic career!
I thank Anne Canteaut for inviting me and welcoming me for a week in her group at Inria as well as for helping me with a grant application. Her knowledge in Boolean functions and the discussions we had during conferences and workshops contributed to several of my papers. I am looking forward to joining her group in a couple of months!
Unfortunately, a PhD thesis does not simply involve doing research and teaching. Thus, I thank Fabienne Schmitz for her help with administrative matters. My work was made possible by the Fond National de la Recherche (FNR) through the Core project Acrypt (ID C12-15-4009992). Many thanks to them. More generally, I also thank the university of Luxembourg and indeed the country of Luxembourg for providing such a stimulating work environment.
I thank the chairs of ESC’2015, the chairs of the Dagstuhl seminar 16021 on symmetric cryptography, and the chairs of ESC’2017 for inviting me to their workshops. The opportunity to present my work to some of the best cryptographers led to very fruitful discussions and collaborations.
I thank Daniel Dinu and Virginie Lallemand for checking parts of my thesis. I also give a special thank you to Brian Shaft for proof-reading all of this manuscript and finding a much too high number of typos! Virginie also helped me solve a crucial question: to whom/what should this thesis be dedicated?
As far back as I can remember, I always wanted to work in science. I thank my family and in particular my parents for always being supportive of my unquenchable curiosity. I also thank them for being present on the day of my defence despite the distance.
I thank Brian and Zezinha for Sundays that took my mind off of work through interesting conversations and delicious food, and the members of my martial arts club that took my mind off of work through physical exercise.
Finally, my work relied heavily on several open source projects whose developers have all my gratitude. In particular, I thank the authors of Sage [Dev16], LaTeX, Ubuntu and Emacs.
Summary
List of Figures
List of Tables
List of Algorithms
Notations and Abbreviations
Chapter 1. Introduction
Part I — On Symmetric Lightweight Cryptography
Chapter 2. A Survey of Lightweight Symmetric Cryptography
Chapter 3. Vanishing Differences in Gluon
Chapter 4. Differential and Structural Analysis of Prince
Chapter 5. Truncated Differentials in Twine
Chapter 6. Design Strategies for ARX-based Block Ciphers
Chapter 7. The Sparx Family of Lightweight Block Ciphers
Part II — On S-Box Reverse-Engineering
Chapter 8. Definitions and Literature Survey
Chapter 9. Statistical Analysis of the DDT/LAT
Chapter 10. Structural Attacks Against Feistel Networks
Chapter 11. Structural Attacks Against SPNs
Chapter 12. Pollock Representation and TU-Decomposition
Chapter 13. Decomposing the GOST 8-bit S-Box
Chapter 14. Decomposing the Only Known APN Permutation on $\mathbb{F}_{2^{2n}}$
Part III — On Purposefully Hard Cryptography
Chapter 15. Symmetric and Asymmetric Hardness
Conclusion
Final Words
Open Problems
Bibliography