Skip to main content

New Directions in Lightweight Cryptanalysis

Periodic Reporting for period 3 - LightCrypt (New Directions in Lightweight Cryptanalysis)

Reporting period: 2020-10-01 to 2022-03-31

Cryptography has become an essential part of our everyday life. Cryptanalysis studies the practical security of the encryption schemes we use. The importance of this study has been demonstrated by the fact that numerous widely used schemes were shown to be practically insecure.
This project concerns cryptanalysis of resource constrained (so-called, 'lightweight') encryption schemes, deployed in most Internet-of-Things (IoT) devices. Our motivation is that in order to address the challenge of lightweight cryptography, it is not sufficient to adjust the current designs and analysis to the constrained environment. Instead, we must establish a new research methodology, aiming directly at the problems arising in the 'lightweight realm'.
The project concentrates on four main directions. First, in order to enable conceptually new designs, we go 'a level up' to study the security of the generic schemes serving as building blocks of most ciphers. Second, considering specific ciphers we pursue low complexity cryptanalysis, being more relevant to the lightweight realm than 'standard' attacks. Third, we pursue new directions toward establishing 'white-box cryptography' – a central challenge in cryptography for the IoT. Finally, we explore further applications of discrete analysis to lightweight cryptography, aiming in particular to address the fundamental question of establishing rigorous conditions under which the standard cryptanalytic techniques apply.
For the near future, we hope that our project will enable detecting weaknesses in the lightweight ciphers we use and fixing them before being exploited by the 'bad guys'. Looking forward farther, we hope to understand how to design secure lightweight ciphers for the billions of IoT devices to come.
In the first half of the project, we achieved significant advancements toward the main goals of the project. In particular, we established several of the goals we set at the beginning of the project, and also obtained surprising new results that were beyond our hopes at the beginning of the project. Our main results so far are the following:

1. New cryptanalytic techniques. We developed several new cryptanalytic techniques that can be applied to various cryptographic primitives, and should be taken into account in the design of any new primitive. These techniques include the retracing boomerang and rectangle techniques, four new types of slide attacks, the dissection technique, and new types of higher order differential attacks.

2. Security analysis of generic constructions. We contributed to the understanding of the security level of several generic cryptographic constructions, including cascade constructions, almost self-similar constructions, and HADES constructions. Our results in this direction had a direct practical impact, by affecting the design of the hash functions Starkad and Poseidon, currently being candidates for use in the Ethereum platform.

3. Lower bounds on cryptographic attacks. One of the hardest research topics in cryptanalysis is proving lower bounds, which assert that an attack technique cannot succeed beyond some barrier. The importance of such results is obvious, as they allow for obtaining security guarantees for new designs. We achieved an important advancement in this direction, proving that the time/memory tradeoff curve of the classical "parallel collision search" algorithm cannot be superseded in a wide variety of settings.

4. Low complexity cryptanalysis. We developed low complexity attacks against several ciphers and cipher variants, including attacks that are much stronger than what we could imagine at the beginning of the project. In particular:

a. We broke a 20-year record in the complexity of attacks on a 5-round version of AES – the most widely used block cipher today. Out attack requires less than 100 thousand operations, which is over 10,000 times faster than any previously known attack on this version.
b. We obtained practical attacks on the authenticated encryption schemes Flex-AEAD and Lilliput-AE, which were candidates for the NIST lightweight cryptography project. Our attack on Lilliput-AE was especially surprising, since the design of Lilliput-AE looks very secure and no weaknesses of it were known prior to our attack. Following our findings, Lilliput-AE was not selected for the second round of the competition. Thus, our results had practical impact on the selection of the next lightweight cryptography standard.
c. We obtained improved low complexity attacks on the format preserving encryption standard FF3. Our results call for further increasing the minimal size of domain for which this cryptosystem can be used securely.

5. Rigorous analysis of cryptanalytic attacks. We developed the Differential-Linear Connectivity Table (DLCT), a new tool which allows for a more rigorous computation of the bias of differential-linear attacks, thus allowing analyzing the complexity of this classical attack technique more rigorously.

6. Provable optimal algorithm for the distributive discrete logarithm problem. We developed a provably optimal algorithm for the distributed discrete logarithm problem. This result has applications to homomorphic secret sharing, and to various problems in theoretical computer science.
In the second half of the project we plan to further develop cryptanalytic techniques that will allow better understanding of the security level of lightweight cryptographic primitives. In particular, we aim at:
a. Developing new cryptanalytic techniques, in addition to those we already developed.
b. Applying our techniques to assess the practical security of the finalists of the NIST lightweight security project.
c. Obtaining better understanding of the security level of variants of the AES (which is, arguably, the most important cipher today).
d. Using our results and methodologies for proposing new designs of lightweight cryptographic primitives.
e. Studying the effect of quantum computing abilities on the security of lightweight primitives, and its implications on lightweight cryptographic designs.
f. Developing rigorous versions of additional classical cryptanalytic techniques.
g. Exploring further applications of discrete analysis to cryptanalysis.
We hope that combination of these results will bring us close to our main goal: understanding how to design secure lightweight ciphers for the billions of IoT devices to come.