| Summary: | Differential cryptanalysis is one of the most basic and powerful attacks against symmetric key cryptosystems. The idea is to consider the effect of the difference in two inputs to the difference of the output of some cryptosystem. When the probability is high enough, this can be used to recover some information about the secret key or state value that should not be available to the attacker. Differential cryptanalysis has also been extended and improved to many different variants, some of them are truncated differential cryptanalysis, impossible differential cryptanalysis, boomerang attack and differential-linear cryptanalysis. In this thesis, we consider the security of some symmetric key cryptosystems using the analyses of the relation of pairs of inputs and its corresponding outputs. We first give a brief review on different symmetric key cryptosystems and some cryptanalysis technique that is mainly focused on differential cryptanalysis. We then analyse the security of three concrete designs and one general design. We first consider the security of Simpira v2, a Feistel cipher with 3 branches. We apply truncated differential analysis, impossible di erential cryptanalysis and boomerang attack to study the number of rounds that can be attacked using these analysis. We exploit the asymmetry of encryption and decryption of the three branches Feistel Design and analyze the decryption function of Simpira v2. Based on the three variants of the differential attack, we found an attack with 2 24 and 2 70 queries for partial key recovery attack in the 9- and 10- round Simpira-3 v2. Next, we analyse five types of Generalized Feistel Schemes with ideal round function. In this chapter, we provide a lower bound for the maximum number of rounds that still can be distinguishable from a random permutation. Since the round function is assumed to be any ideal function, the attack is applicable to any block cipher design using the Generalized Feistel structure. After that, two authenticated encryption schemes are analyzed. First, we apply differential-linear cryptanalysis on the authenticated encryption ICEPOLE. In the 11 attack we consider the design under the assumption that the nonce can be reused. We found that in this assumption, it is possible to recover the state value of the ICEPOLE. Furthermore, in some of the variants that do not use secret message number, the secret key can be recovered. Lastly, we consider the hash function-based authenticated encryption COFFE. In this analysis, we assume that the underlying hash function is any ideal hash function. We are considering the possibility of a pair of distinct input can be used to recover more information about the scheme. In our case, with some specific parameter value, it is possible to distinguish a full COFFE implementation from a random permutation and in the related key setting, it is even possible to launch a key recovery attack based on it. In some pairs of parameters, this can even be done using 2 queries.
|
|---|