Cryptanalysis of lightweight symmetric-key cryptographic algorithms

Abstract

Lightweight symmetric-key cryptography has gained significant traction in the recent years due to the rapid proliferation of resource-constrained devices and the increase in demand for secure communication and data protection in multiple domains. In response to the growing need, NIST, the National Institute of Standards and Technology, has issued a call to standardize lightweight cryptographic algorithms. The aim is to search a secure algorithm with low implementation cost that is suitable for use in constrained environments. With that in mind, many cryptographers gravitate towards designs that push the boundaries of what is considered secure. Complementing with the fact that these designs may one day become the next standard to be used by the industry, a thorough security analysis of these algorithms has to be conducted. In this thesis, we focus on the cryptanalysis of lightweight symmetric-key ciphers. This thesis contains three content-based chapters. First, we look at how we can use constraint programming as an automated tool to search for differential characteristics. Using these differential characteristics, we construct differential-based distinguishers for round-reduced ASCON permutation, build forgeries for ASCON-128 authenticated encryption scheme, and form a collision attack on ASCON-HASH. Second, we turn to neural distinguishers; a new type of distinguisher that is based on deep neural networks was introduced at CRYPTO’19. We examine the inner workings of the neural distinguishers and give an explanation as to what the neural distinguishers are using to detect and distinguish real ciphertext pairs from a uniform distribution. We then construct conventional distinguishers (not based on deep neuralnetwork) that are on par with the neural distinguishers in terms of accuracy. Finally, we return to a basic assumption that most cryptanalysts use when constructing differential characteristics: the Markov cipher assumption. We question the validity of many differential characteristics in the literature and found that many differential characteristics for the GIFT and SKINNY family of ciphers are in fact invalid. We also developed a tool that can automatically analyze such incompatibilities in differential characteristics of GIFT and SKINNY ciphers. For SKINNY, our tool is even able to give an estimated probability distribution based on the constraints we have detected. Eventually, we gave suggestions as to how these constraints can be incorporated into automated tools to improve the correctness of differential characteristics produced.