Symmetric cryptology is one of the two main branches of cryptology. Its applications are essential and vital in the Information Age, due to the efficiency of its constructions. The scope of this book in two volumes is two-fold. First, it presents the most important ideas that have been used in the design of symmetric primitives, their inner components and their most relevant constructions. Second, it describes and provides insights on the most popular cryptanalysis and proof techniques for analyzing the security of the above algorithms. A selected number of future directions, such as post-quantum security or design of ciphers for modern needs and particular applications, are also discussed. We believe that the two volumes of this work will be of interest to researchers, to master's and PhD students studying or working in the field of cryptography, as well as to all professionals working in the field of cybersecurity.
Page count: 431
Publication year: 2023
SCIENCES
Computer Science, Field Directors – Valérie Berthé and Jean-Charles Pomerol
Cryptography, Data Security, Subject Head – Damien Vergnaud
Coordinated by Christina Boura and María Naya-Plasencia
First published 2023 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the under mentioned address:
ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK
www.iste.co.uk
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
www.wiley.com
© ISTE Ltd 2023. The rights of Christina Boura and María Naya-Plasencia to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s), contributor(s) or editor(s) and do not necessarily reflect the views of ISTE Group.
Library of Congress Control Number: 2023930945
British Library Cataloguing-in-Publication Data: A CIP record for this book is available from the British Library. ISBN 978-1-78945-146-7
ERC code: PE6 Computer Science and Informatics; PE6_5 Cryptology, security, privacy, quantum cryptography
Christina BOURA (1) and María NAYA-PLASENCIA (2)
(1) University of Paris-Saclay, UVSQ, CNRS, Versailles, France
(2) Inria, Paris, France
Symmetric-key cryptology is one of the two main branches of modern cryptology. On the one hand, it comprises primitives and constructions for providing security services such as confidentiality, integrity and authentication, the particularity being that the same secret key k is used at both sides. On the other hand, it studies and provides cryptanalysis and proof techniques for analyzing the security of the above constructions. Even if in general keyless, some hash functions are also considered as part of this family of algorithms because of the similarities in their construction and analysis with the other symmetric-key primitives.
Symmetric-key algorithms are essential for communication security as they are built on simple operations (e.g. XOR, logical AND and so on) and for this reason they can achieve a high speed in both software and hardware implementations. They are in particular much faster and lighter than public-key algorithms, having at the same time much shorter encryption keys. The security and efficiency of modern communications is heavily based on symmetric algorithms and for this reason symmetric-key cryptology is a very important and constantly developing branch of modern cryptography.
The first widely deployed symmetric-key algorithm was the block cipher data encryption standard (DES), whose design dates back to the 1970s. Since then, tens, if not hundreds, of new symmetric-key algorithms have been designed, either with the aim of being broadly deployed or with some specific design criteria or use case in mind.
From a historical point of view, the first widely used symmetric schemes were undoubtedly block ciphers and stream ciphers. The former encrypt a message by first dividing it into blocks of fixed size and then treating each block separately. The latter encrypt one bit (or one word) at a time, by XORing each bit (or word) of the message with a bit (or word) of a stream, called the keystream, derived from the key. Both types of primitives aim at providing confidentiality and are still extremely popular, even if an important part of the design space has more recently been taken by tweakable block ciphers and cryptographic permutations. The symmetric algorithms that ensure data authentication are known as message authentication code (MAC) functions. While keyless, hash functions are also considered symmetric-key constructions aiming at integrity, and they play an important role in some cryptographic protocols. Finally, authenticated encryption (AE) schemes can provide both confidentiality and authenticity of data, and their popularity is constantly increasing.
The goal of this project is to reflect the current scientific knowledge and present the most trending orientations on the design, security proofs and cryptanalysis of all the above symmetric-key schemes.
This book is divided into two volumes. The first volume is composed of 14 chapters, where the first nine chapters are dedicated to the description of the most important design principles for stream ciphers, (tweakable) block ciphers, cryptographic permutations and hash functions, as well as for their inner components. The five remaining chapters are reserved for the presentation of the most important security proof techniques.
Chapter 1 introduces the main generic design goals, criteria and strategies for building robust symmetric constructions. This chapter starts by discussing the most important building blocks deployed in symmetric cryptography. As encryption schemes, MAC functions and authenticated encryption schemes usually support messages of arbitrary length, modes and constructions for building variable-length schemes are discussed next. This chapter then examines how to choose an adequate number of rounds for an iterated construction and gives some criteria that should be taken into account when designing a cipher’s round function. Finally, a number of ciphers that inspired both designers and cryptanalysts are presented.
Chapter 2 gives an overview of the main design principles for stream ciphers. It first discusses the most important generic constructions as well as attacks against them, and gives an overview of the different stream cipher competitions and standards. This chapter focuses next on feedback shift register (FSR)-based constructions as well as on software-oriented constructions based on large tables. Stream ciphers constructed from block ciphers and large permutations are presented next. The chapter concludes with a discussion on authenticated encryption based on stream ciphers and with a treatment of low-complexity stream ciphers that are optimized for use in advanced cryptographic protocols.
Chapter 3 is dedicated to block ciphers. It notably presents the two most popular constructions for these primitives: the Feistel construction and the substitution permutation network (SPN). To expand the master key into a series of subkeys, an algorithm called a key schedule is needed, and for this reason the design of these algorithms is discussed next. This chapter also analyzes some generic attacks against block ciphers and gives some positive results concerning their security. Finally, two particular classes of block ciphers are discussed: tweakable block ciphers, where an extra argument called the tweak is used to diversify the encryption function, and algebraic block ciphers, essential for the encryption of data in some emerging scenarios and applications.
Chapter 4 presents the most important design approaches for building secure cryptographic hash functions and extendable output functions (XOFs). It first discusses some necessary generic requirements for a hash function to be secure. The random oracle model is then defined as the model that hash functions and XOFs should follow and is accompanied by a discussion on how the security claim of a hash function or an XOF should be formulated. Next, the most popular hash function constructions are presented, notably the Merkle-Damgård construction. The weaknesses of this construction and different ways to repair it are presented. A focus is given next on how to build robust compression functions for hash functions that follow this principle. Then, the indifferentiability framework used to prove that a construction is secure against generic attacks is discussed. The sponge construction and the KECCAK family are introduced next. Finally, the principle of tree hashing that permits efficient hashing of long messages in multi-processor environments is presented.
Cryptographic schemes are usually designed with a bottom-up approach. We first start with primitives that operate on small message blocks and achieve a well-defined security notion and then choose a mode of operation to deal with messages of arbitrary length. Chapter 5 describes the main modes for encryption and authentication and discusses their security.
Authenticated encryption offers the combined security properties of an encryption scheme and a message authentication code. Authenticated ciphers are gradually taking over from classical encryption schemes: on the one hand, authenticity of data is an important security requirement, and on the other hand, it has become clearer over the years how to build such schemes securely. Chapter 6 is dedicated to the design of authenticated encryption schemes. It details the relevant security notions before presenting the most promising design strategies for building authenticated ciphers. Dedicated designs are discussed next, and an overview of different authenticated encryption designs used as Internet standards or issued from some cryptographic competitions is given.
The next two chapters are dedicated to the construction of linear and nonlinear layers for an important class of symmetric-key primitives. Chapter 7 discusses the construction of the so-called maximum distance separable (MDS) matrices, linear layers with optimal diffusion properties used in many SPN ciphers. Part of this chapter focuses notably on the construction of MDS matrices with a low implementation cost, which are particularly relevant in the context of lightweight cryptography.
Nonlinearity, essential for the security of cryptographic constructions, is typically achieved by means of small nonlinear permutations, called S-boxes. Chapter 8 gives an overview of the most important properties cryptographic S-boxes should satisfy and presents some classical S-box constructions.
Chapter 9 discusses what it means for a primitive to be trustworthy. It notably presents the typical lifecycle of a primitive, from the design phase to the final deployment, and the role played by cryptanalysis. It then analyzes what happens when an algorithm fails to adhere to a typical deployment process, notably in the cases of some proprietary algorithms or of backdoored designs. Examples of primitives found to have hidden properties are given next. The chapter concludes by presenting some rules of thumb to follow when choosing a primitive to deploy.
Once a primitive has been designed, it is important to prove it secure against adversaries. The second part of this volume is dedicated to security proofs in symmetric cryptography. Chapter 10 is concerned with how to formalize the security of cryptographic primitives. It first discusses the most common adversary models and what it means for an attack to be successful under these models. As we want an encryption function to look like a function that responds randomly to each input, a theoretical function that behaves ideally in this respect, called the random oracle, is introduced. The central notion of distinguishing advantage is then presented and analyzed. Finally, typical security claims for both stream ciphers and block ciphers are given.
Chapter 11 is dedicated to the security of modes of operation. The most important modes are introduced (see also Chapter 5) and analyzed from a security point of view. Then a concrete example of how one can prove the security of a particular mode is given. More precisely, it is demonstrated how to formally argue that the counter mode, based on the advanced encryption standard (AES), is a secure stream cipher.
Chapter 12 investigates the provable security of message authentication and authenticated encryption. It starts by formalizing a message authentication code and discusses its security definition. Then the notion of universal hash functions is introduced and an example of a provable security result, for the Wegman-Carter-Shoup authenticator, is given. Finally, the security of authenticated encryption is introduced and an example of a provable security result for the Galois/counter mode is shown.
Chapter 13 is an introduction to the H-coefficients technique, a proof method that allows one to upper bound the advantage of a computationally unbounded adversary in distinguishing between two random systems. This chapter then presents the Even-Mansour construction, which defines a block cipher from a single public permutation, and shows how to apply the H-coefficients technique to prove its security in the random permutation model.
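As an added example (not code from the book or its authors), the following Python puts the bottom-up approach of Chapter 5 and the constructions of Chapters 3, 11 and 13 side by side: a constructed toy Feistel permutation stands in for the public permutation P, the Even-Mansour construction E(x) = P(x ⊕ k1) ⊕ k2 turns it into a block cipher, and counter mode turns that block cipher into a keystream that is XORed into a message of any length, i.e. a stream cipher. The permutation, key values and function names are assumptions made here, and the toy permutation is for illustration only, not a secure instance.

```python
import hashlib
from itertools import count

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1

def feistel_perm(x: int, rounds: int = 4) -> int:
    """Constructed public 64-bit permutation P (a toy, not any standard): a 4-round
    Feistel network whose round function is truncated SHA-256 of the right half and
    the round index. A Feistel network is a bijection whatever its round function."""
    left, right = (x & MASK64) >> 32, x & MASK32
    for i in range(rounds):
        digest = hashlib.sha256(bytes([i]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(digest[:4], "big")
    return (left << 32) | right

def even_mansour(k1: int, k2: int, x: int) -> int:
    """Even-Mansour block cipher E(x) = P(x XOR k1) XOR k2 built on the public P.
    Decrypting a block would need P^-1 (the Feistel rounds run backwards), but the
    counter mode below never needs it: it only ever calls E in the forward direction."""
    return feistel_perm((x ^ k1) & MASK64) ^ k2

def ctr_keystream(k1: int, k2: int, nonce: int, nbytes: int) -> bytes:
    """Counter mode: the keystream is E(nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    for ctr in count():
        block = ((nonce & MASK32) << 32) | (ctr & MASK32)
        out += even_mansour(k1, k2, block).to_bytes(8, "big")
        if len(out) >= nbytes:
            return bytes(out[:nbytes])

def ctr_crypt(k1: int, k2: int, nonce: int, data: bytes) -> bytes:
    """The mode turns the fixed-size block cipher into a stream cipher on messages of
    any length: ciphertext = plaintext XOR keystream. The same call decrypts."""
    keystream = ctr_keystream(k1, k2, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def nonce_reuse_leaks_xor(k1: int, k2: int, nonce: int, m1: bytes, m2: bytes) -> bool:
    """Caveat a reviewer checks for: if a (key, nonce) pair is reused, the keystream
    repeats and c1 XOR c2 == m1 XOR m2, so the mode is only as secure as its nonces."""
    c1, c2 = ctr_crypt(k1, k2, nonce, m1), ctr_crypt(k1, k2, nonce, m2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))

if __name__ == "__main__":
    K1, K2 = 0x0123456789ABCDEF, 0xFEDCBA9876543210  # constructed sample keys
    msg = b"symmetric cryptography"
    ct = ctr_crypt(K1, K2, 7, msg)
    assert ctr_crypt(K1, K2, 7, ct) == msg
    print(ct.hex())
```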
Chapter 14 presents the χ2-method, a proof technique that can help to obtain tight and simplified proofs for certain constructions. This technique is notably applied to prove the pseudo-random function (PRF)-security of the truncated random permutation construction. In addition, the proof of the PRF-security of the sum of two random permutations is given and some additional applications are discussed.
Finally, the specifications of four popular, standardized and widely employed symmetric schemes, DES, AES, PRESENT and KECCAK, are given in the appendix, as many chapters of both volumes refer to them.
The second volume is dedicated to the most important cryptanalysis techniques for symmetric ciphers. It also discusses some promising future directions for the domain.
The field of cryptography is a domain that has never stopped evolving since the appearance of the first commercial cryptographic applications in the 1970s. Due to this constant evolution, providing a complete survey of all the design trends, cryptanalysis techniques or proof methods is an extremely difficult task. We believe, however, that this book offers a good starting point to all readers interested in learning about the most important and promising results of the field, in particular to all those wishing to learn how to design and analyze a secure symmetric cipher. We believe that the two volumes of this work will be helpful to researchers, master’s and PhD students studying or working in the field of cryptography, as well as to all professionals working in the field of cybersecurity.
July 2023