
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms PDF

388 Pages·2017·5.64 MB·English

Preview Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

PhD-FSTC-2017-24
The Faculty of Sciences, Technology and Communication

DISSERTATION

Defence held on 25/04/2017 in Belval to obtain the degree of DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE by Léo Paul PERRIN, born on the 20th of November 1990 in Lons-le-Saunier (France)

CRYPTANALYSIS, REVERSE-ENGINEERING AND DESIGN OF SYMMETRIC CRYPTOGRAPHIC ALGORITHMS

Dissertation defence committee
Dr Alex Biryukov, dissertation supervisor
Professor, Université du Luxembourg
Dr Henri Gilbert
HDR, Agence Nationale pour la Sécurité des Systèmes d'Information
Dr Jean-Sébastien Coron, Chairman
Associate Professor, Université du Luxembourg
Dr Gregor Leander
Professor, Ruhr-Universität Bochum
Dr Volker Müller, Vice Chairman
Associate Professor, Université du Luxembourg

To skipjacks, sponges, pollocks and whales; to grasshoppers, butterflies and skippers.

Abstract

In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography.

In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely Gluon, Prince and Twine. I also introduce a new lightweight block cipher called Sparx which was designed using a new method to justify its security: the Long Trail Strategy.
Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics.

Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive.

Acknowledgements

This section is my attempt at expressing my gratitude to all those who helped me through my four years as a PhD student, academically or otherwise.

First of all, I thank my supervisor Alex Biryukov. For accepting me as his student and for giving me the opportunity to work in his group of course, but also for his advice and guidance during my studies. He always pushed me to improve our results as far as possible and my work would not be half as meaningful without these encouragements.

I also thank Jean-Sébastien Coron, Henri Gilbert, Gregor Leander and Volker Müller for accepting to be in my jury; meaning they agreed to both go through the 380-odd pages of this thesis and to come all the way to Belval which, for those living outside Luxembourg, is no small journey!
None of the work presented in this thesis would have been possible without my co-authors who have all my gratitude: Alex Biryukov, Anne Canteaut, Patrick Derbez, Daniel Dinu, Sébastien Duval, Johann Großschädl, Dmitry Khovratovich, Yann Le Corre, Gaëtan Leurent, Aleksei Udovenko, and Vesselin Velichkov.

Beyond our work together, I also thank my colleagues for fun and interesting conversations around a coffee or a beer: Patrick Derbez, Daniel Dinu, Daniel Fehrer, Johann Großschädl, Dmitry Khovratovich, Yann Le Corre, Zhe Liu, Ivan Pustogarov, Arnab Roy, Sergei Tikhomirov, Aleksei Udovenko, Praveen Vadnala, Vesselin Velichkov and Srinivas Vivek.

I was fortunate to have had prior experience in research before the start of my PhD. I thank Céline Blondeau, my master thesis advisor, for teaching me how to do research, write papers and advising me to apply for this PhD position. She also introduced me to Boolean functions, an area in which I am still working. If it were not for her, I would probably not have done an academic career!

I thank Anne Canteaut for inviting me and welcoming me for a week in her group at Inria as well as for helping me with a grant application. Her knowledge in Boolean functions and the discussions we had during conferences and workshops contributed to several of my papers. I am looking forward to joining her group in a couple of months!

Unfortunately, a PhD thesis does not simply involve doing research and teaching. Thus, I thank Fabienne Schmitz for her help with administrative matters. My work was made possible by the Fonds National de la Recherche (FNR) through the Core project Acrypt (ID C12-15-4009992). Many thanks to them. More generally, I also thank the university of Luxembourg and indeed the country of Luxembourg for providing such a stimulating work environment.

I thank the chairs of ESC'2015, the chairs of the Dagstuhl seminar 16021 on symmetric cryptography, and the chairs of ESC'2017 for inviting me to their workshops. The opportunity to present my work to some of the best cryptographers led to very fruitful discussions and collaborations.

I thank Daniel Dinu and Virginie Lallemand for checking parts of my thesis.
I also give a special thank you to Brian Shaft for proof-reading all of this manuscript and finding a much too high number of typos! Virginie also helped me solve a crucial question: to whom/what should this thesis be dedicated?

As far back as I can remember, I always wanted to work in science. I thank my family and in particular my parents for always being supportive of my unquenchable curiosity. I also thank them for being present on the day of my defence despite the distance.

I thank Brian and Zezinha for Sundays that took my mind off of work through interesting conversations and delicious food, and the members of my martial arts club that took my mind off of work through physical exercise.

Finally, my work relied heavily on several open source projects whose developers have all my gratitude. In particular, I thank the authors of Sage [Dev16], LaTeX, Ubuntu and Emacs.

Summary

List of Figures
List of Tables
List of Algorithms
Notations and Abbreviations
Chapter 1. Introduction

Part I — On Symmetric Lightweight Cryptography
Chapter 2. A Survey of Lightweight Symmetric Cryptography
Chapter 3. Vanishing Differences in Gluon
Chapter 4. Differential and Structural Analysis of Prince
Chapter 5. Truncated Differentials in Twine
Chapter 6. Design Strategies for ARX-based Block Ciphers
Chapter 7. The Sparx Family of Lightweight Block Ciphers

Part II — On S-Box Reverse-Engineering
Chapter 8. Definitions and Literature Survey
Chapter 9. Statistical Analysis of the DDT/LAT
Chapter 10. Structural Attacks Against Feistel Networks
Chapter 11. Structural Attacks Against SPNs
Chapter 12. Pollock Representation and TU-Decomposition
Chapter 13. Decomposing the GOST 8-bit S-Box
Chapter 14. Decomposing the Only Known APN Permutation on $\mathbb{F}_{2^{2n}}$

Part III — On Purposefully Hard Cryptography
Chapter 15. Symmetric and Asymmetric Hardness

Conclusion
Final Words
Open Problems
Bibliography

Description:
In Part I of this thesis, I present my work on lightweight cryptography. This field ... figure out what a journalist, Alice, is discussing with her source, Bob.