Periodic Reporting for period 4 - LightCrypt (New Directions in Lightweight Cryptanalysis)
Reporting period: 2022-04-01 to 2023-09-30
Cryptography has become an essential part of our everyday life. Cryptanalysis studies the practical security of the encryption schemes we use. The importance of this study has been demonstrated by the fact that numerous widely used schemes were shown to be practically insecure.
This project concerns cryptanalysis of resource constrained (so-called, 'lightweight') encryption schemes, deployed in most Internet-of-Things (IoT) devices. Our motivation is that in order to address the challenge of lightweight cryptography, it is not sufficient to adjust the current designs and analysis to the constrained environment. Instead, we must establish a new research methodology, aiming directly at the problems arising in the 'lightweight realm'.
The project concentrates on four main directions. First, in order to enable conceptually new designs, we go 'a level up' to study the security of the generic schemes serving as building blocks of most ciphers. Second, considering specific ciphers we pursue low complexity cryptanalysis, being more relevant to the lightweight realm than 'standard' attacks. Third, we pursue new directions toward establishing 'white-box cryptography' – a central challenge in cryptography for the IoT. Finally, we explore further applications of discrete analysis to lightweight cryptography, aiming in particular to address the fundamental question of establishing rigorous conditions under which the standard cryptanalytic techniques apply.
For the near future, we hope that our project will enable detecting weaknesses in the lightweight ciphers we use and fixing them before being exploited by the 'bad guys'. Looking forward farther, we hope to understand how to design secure lightweight ciphers for the billions of IoT devices to come.
Conclusions: During the project, we obtained numerous significant results which advanced our understanding of lightweight encryption schemes and also had a practical impact on current design of encryption schemes. Most notably, we found a way to use discrete analysis to show that widely used techniques of cryptanalysis cannot be improved. This achievement is very important as it allows proving rigorously that our encryption schemes are immune to various types of attacks. Futhermore, we significantly advanced the state-of-the-art on the security of the AES, the most widely used cipher worldwide. We achieved this by improving by a large margin the best known practical attacks on reduced round versions of AES, resolving a 20-year old open problem. These results not only improve our understanding of the security of the AES, but also affect numerous lightweight cryptosystems which use reduced-round versions of the AES as a component. In addition, we mounted practical attacks on several other ciphers, which had an immediate practical impact: The ciphers Lilliput-AE and Flex-AEAD, which were candidates for selection by the US NIST as the new lightweight encryption standard were discarded from the competition due to our attacks. Finally, we developed a number of new attack techniques, which have already been adopted by numerous other research groups for assessing the security of new designs. The results we achieved in the project significantly advance the state-of-the-art of research in cryptanalysis, and as we hoped, give us a better understanding of how to design the lightweight ciphers for the billions of IoT devices to come.
This project concerns cryptanalysis of resource constrained (so-called, 'lightweight') encryption schemes, deployed in most Internet-of-Things (IoT) devices. Our motivation is that in order to address the challenge of lightweight cryptography, it is not sufficient to adjust the current designs and analysis to the constrained environment. Instead, we must establish a new research methodology, aiming directly at the problems arising in the 'lightweight realm'.
The project concentrates on four main directions. First, in order to enable conceptually new designs, we go 'a level up' to study the security of the generic schemes serving as building blocks of most ciphers. Second, considering specific ciphers we pursue low complexity cryptanalysis, being more relevant to the lightweight realm than 'standard' attacks. Third, we pursue new directions toward establishing 'white-box cryptography' – a central challenge in cryptography for the IoT. Finally, we explore further applications of discrete analysis to lightweight cryptography, aiming in particular to address the fundamental question of establishing rigorous conditions under which the standard cryptanalytic techniques apply.
For the near future, we hope that our project will enable detecting weaknesses in the lightweight ciphers we use and fixing them before being exploited by the 'bad guys'. Looking forward farther, we hope to understand how to design secure lightweight ciphers for the billions of IoT devices to come.
Conclusions: During the project, we obtained numerous significant results which advanced our understanding of lightweight encryption schemes and also had a practical impact on current design of encryption schemes. Most notably, we found a way to use discrete analysis to show that widely used techniques of cryptanalysis cannot be improved. This achievement is very important as it allows proving rigorously that our encryption schemes are immune to various types of attacks. Futhermore, we significantly advanced the state-of-the-art on the security of the AES, the most widely used cipher worldwide. We achieved this by improving by a large margin the best known practical attacks on reduced round versions of AES, resolving a 20-year old open problem. These results not only improve our understanding of the security of the AES, but also affect numerous lightweight cryptosystems which use reduced-round versions of the AES as a component. In addition, we mounted practical attacks on several other ciphers, which had an immediate practical impact: The ciphers Lilliput-AE and Flex-AEAD, which were candidates for selection by the US NIST as the new lightweight encryption standard were discarded from the competition due to our attacks. Finally, we developed a number of new attack techniques, which have already been adopted by numerous other research groups for assessing the security of new designs. The results we achieved in the project significantly advance the state-of-the-art of research in cryptanalysis, and as we hoped, give us a better understanding of how to design the lightweight ciphers for the billions of IoT devices to come.
During the project, we obtained numerous significant results which advanced our understanding of lightweight encryption schemes and also had a practical impact on current design of encryption schemes. In particular, we established numerous goals we set at the beginning of the project, and also obtained surprising new results that were beyond our hopes at the beginning of the project. Our main results are the following:
1. We proved that two widely-used cryptanalytic techniques cannot be improved, unless "standard" complexity-theoretic assumptions fail. These unexpectedly strong results open the way for a new research direction in cryptanalysis.
2. We developed several new cryptanalytic techniques that can be applied to various cryptographic primitives, and should be taken into account in the design of any new primitive.
3. We contributed to the understanding of the security level of several generic cryptographic constructions. Our results in this direction had a direct practical impact, by affecting the choice of the cryptosystem to be used in the Ethereum platform.
4. We developed low complexity attacks against several ciphers and cipher variants, including attacks that are much stronger than what we could imagine at the beginning of the project. In particular, we broke a 20-year record in the complexity of practical attacks on reduced-round versions of AES – the most widely used block cipher today. In addition, we obtained practical attacks on the authenticated encryption schemes Flex-AEAD and Lilliput-AE, which were candidates for the NIST lightweight cryptography project. Following our findings, both ciphers were not selected for the second round of the competition.
5. We developed new tools which allow analyzing the complexity of statistical cryptanalytic attacks more rigorously.
Dissemination of the results was achieved via four routes:
1. Two conferences and three workshops organized within the framework of the project.
2. Presentation of the project outcomes in international meetings and symposia.
3. Journal and conference publications.
4. Public repositories. We made sure that all deliverables of the project are made available to public, using the "eprint" and "arXiv" repositories.
As was mentioned above, the results of the project already had an immediate practical impact on the NIST lightweight cryptography standard selection process, as two candidate ciphers (Lilliput-AE and Flex-AEAD) were discarded due to practical attacks on them which we presented.
1. We proved that two widely-used cryptanalytic techniques cannot be improved, unless "standard" complexity-theoretic assumptions fail. These unexpectedly strong results open the way for a new research direction in cryptanalysis.
2. We developed several new cryptanalytic techniques that can be applied to various cryptographic primitives, and should be taken into account in the design of any new primitive.
3. We contributed to the understanding of the security level of several generic cryptographic constructions. Our results in this direction had a direct practical impact, by affecting the choice of the cryptosystem to be used in the Ethereum platform.
4. We developed low complexity attacks against several ciphers and cipher variants, including attacks that are much stronger than what we could imagine at the beginning of the project. In particular, we broke a 20-year record in the complexity of practical attacks on reduced-round versions of AES – the most widely used block cipher today. In addition, we obtained practical attacks on the authenticated encryption schemes Flex-AEAD and Lilliput-AE, which were candidates for the NIST lightweight cryptography project. Following our findings, both ciphers were not selected for the second round of the competition.
5. We developed new tools which allow analyzing the complexity of statistical cryptanalytic attacks more rigorously.
Dissemination of the results was achieved via four routes:
1. Two conferences and three workshops organized within the framework of the project.
2. Presentation of the project outcomes in international meetings and symposia.
3. Journal and conference publications.
4. Public repositories. We made sure that all deliverables of the project are made available to public, using the "eprint" and "arXiv" repositories.
As was mentioned above, the results of the project already had an immediate practical impact on the NIST lightweight cryptography standard selection process, as two candidate ciphers (Lilliput-AE and Flex-AEAD) were discarded due to practical attacks on them which we presented.
As was described above, the results we achieved in the project significantly advanced the state of the art of research in cryptanalysis of lightweight ciphers. We would like to especially emphasize two results, which - in our view - comprise the most significant advances beyond the state of the art.
The first advancement is the new 'lower bound' results which assert that some widely used techniques of cryptanalysis cannot be improved. One of the research goals of the project was to find ways to use discrete analysis to bring more rigor into cryptanalysis. But even with this goal in mind, we have not proposed explicitly achieving lower bounds on the abilities of cryptanalytic techniques, as such a result was "beyond our dreams". In my view, these results – which open an entire new field of research in cryptanalysis – form an extraordinary achievement which was even beyond our hopes.
The second advancement is the new results on the AES. Since the AES is the most widely used cipher today, and since its reduced-round versions are used as components in many lightweight ciphers, the security level of this versions was considered as a central open problem in the field of lightweight cryptanalysis and we stated it as a main goal of the research proposal. No advancement on these problems was obtained for over 20 years, and our results achieved a very significant improvement over the previous records. Hence, there results advance the state of the art significantly.
The first advancement is the new 'lower bound' results which assert that some widely used techniques of cryptanalysis cannot be improved. One of the research goals of the project was to find ways to use discrete analysis to bring more rigor into cryptanalysis. But even with this goal in mind, we have not proposed explicitly achieving lower bounds on the abilities of cryptanalytic techniques, as such a result was "beyond our dreams". In my view, these results – which open an entire new field of research in cryptanalysis – form an extraordinary achievement which was even beyond our hopes.
The second advancement is the new results on the AES. Since the AES is the most widely used cipher today, and since its reduced-round versions are used as components in many lightweight ciphers, the security level of this versions was considered as a central open problem in the field of lightweight cryptanalysis and we stated it as a main goal of the research proposal. No advancement on these problems was obtained for over 20 years, and our results achieved a very significant improvement over the previous records. Hence, there results advance the state of the art significantly.