Analysis and Design of Symmetric Cryptographic Algorithms
Author: Prof.Er.Dr.G.Manoj Someswar
Director General & Dean (Research)
GLOBAL RESEARCH ACADEMY-
Scientific & Industrial Research Organisation
[AUTONOMOUS]
Hyderabad, Telangana State, India
E-Mail: dg.gracad@gmail.com
Copyrights@ GLOBAL RESEARCH ACADEMY, HYDERABAD, INDIA (2014)
Statutory Warning: Anybody copying or reproducing the content of this Thesis either in part or in full is
liable for criminal prosecution under the Infringement of Copyrights Act of India.
Abstract
This doctoral thesis is devoted to the analysis and design of symmetric cryptographic algorithms.
In the first part of the thesis, we deal with fault-based attacks on cryptographic circuits, which belong to the field of active implementation attacks and aim to recover secret keys stored on such chips. Our main focus lies on the cryptanalytic aspects of those attacks. In particular, we target block ciphers with a lightweight and (often) non-bijective key schedule where the derived sub-keys are (almost) independent from each other. An attacker who can reconstruct one of the sub-keys is therefore not necessarily able to directly recover other sub-keys or even the secret master key by simply reversing the key schedule. We present a framework based on differential fault analysis that allows to attack block ciphers with an arbitrary number of independent sub-keys and which are based on a substitution-permutation network. These techniques are then applied to the lightweight block ciphers LED and PRINCE, and we show in both cases how to recover the secret master key with only a few fault injections. Furthermore, we investigate approaches that use algebraic instead of differential techniques for the fault analysis and discuss advantages and drawbacks. At the end of the first part of the thesis, we investigate fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is not based on a substitution-permutation network but rather on the so-called Lai-Massey scheme. The framework mentioned above is therefore not applicable to Bel-T. Nevertheless, we also present techniques for the case of Bel-T that enable full recovery of the secret key in a very efficient way using differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption schemes. While traditional ciphers only ensure confidentiality of processed data, authenticated encryption schemes also protect its authenticity and integrity. Many of these ciphers are moreover able to protect authenticity and integrity of so-called associated data. This kind of data is transmitted unencrypted but nevertheless must be protected from being modified during transmission. Authenticated encryption is nowadays the standard technique to protect in-transit data. However, most of the currently deployed schemes have deficiencies and there are many points of application for improvements. With NORX we present a novel authenticated encryption scheme supporting associated data. This algorithm was designed with high security, efficiency in both hardware and software, simplicity, and robustness against side-channel attacks in mind. Along with its specification, we present special features, security goals, implementation details, extensive performance measurements, and discuss advantages over currently deployed standards. Finally, we describe our preliminary security analysis where we investigate differential and rotational properties of NORX. Essential are in particular the newly developed techniques for differential cryptanalysis of NORX which exploit the power of SAT- and SMT-solvers and can potentially be easily adapted to other encryption schemes as well.
Acknowledgements
Following four years of taking a shot at my PhD and following quite a while of postulation
thinking of, the time has come to go to the most critical piece of this exposition. I am obligated
to numerous individuals who I have met and worked with and who have bolstered me en route. I
question that my way in life would have turned out the way it managed without their inclusion.
It is along these lines a genuine joy for me to thusly accept the open door and express my
affirmations to every one of them.
As a matter of first importance, I might want to thank my exploration manager,
Prof.Dr.G.Manoj Someswar for tolerating me as a PhD understudy, for ceaselessly supporting
me in all issues, be it logical or something else, and particularly for their open-entryway
strategy. Besides, I might want to express gratitude toward them for enabling me to seek after
my own way in look into which was much of the time just approximately associated with the
fundamental research points of their particular gatherings. I likewise need to express my
profound gratefulness to the researchers of Global Research Academy - Scientific and
Industrial Research Organization [Autonomous], Hyderabad, Telangana State, India who
benevolently consented to give me every one of the information and data applicable to my
Ph.D. postulation work.
My most profound and sincerest appreciation goes likewise to my family, my sibling and my
folks. I express gratitude toward them such a great amount for their ceaseless help, for the
conceivable outcomes you have given me throughout everyday life, and for continually being
there when required.
At long last, I might want to express my most extreme and genuine on account of every one of
my understudies and partners who have gone with, empowered, and upheld me with their
adoration, fellowship, comprehension, and funniness through all the good and bad times of my
PhD and past. Without them, I would have never made it this far. A debt of gratitude is in order
for everything.
Contents
Acknowledgements
Motivation
List of Symbols
1 Introduction
1.1 Cryptography
1.1.1 Block Ciphers
1.1.2 Stream Ciphers
1.1.3 Hash Functions
1.1.4 Message Authentication Codes
1.1.5 Authenticated Encryption Schemes
1.2 Cryptanalysis
1.2.1 Brute-Force Attacks
1.2.2 Differential Attacks
1.2.3 Linear Attacks
1.2.4 Algebraic Attacks
1.2.5 Rotational Attacks
1.2.6 Implementation Attacks
1.3 Security Notions
2 Fault-based Attacks on the Block Ciphers LED and PRINCE
2.1 Introduction
2.2 The Block Cipher LED
2.2.1 General Layout
2.2.2 Round Function
2.3 The Block Cipher PRINCE
2.3.1 General Layout
2.3.2 Round Function
2.4 Fault Attacks on LED-64
2.4.1 Fault Models
2.4.2 Fault Equations
2.4.3 Key Filtering Mechanisms
2.4.4 Experimental Results
2.4.5 Extensions of the Fault Attack
2.5 Multi-Stage Fault Attacks on LED-128 and PRINCE
2.5.1 The Multi-Stage Fault Attack Framework
2.5.2 Applications to LED-128
2.5.3 Experimental Results
2.5.4 Applications to PRINCE
2.5.5 Experimental Results
2.5.6 Extensions of the Fault Attacks
2.6 Algebraic Fault Attacks on LED-64
2.6.1 Algebraic Representation of LED
2.6.2 Algebraic Representation of the LED Fault Equations
2.6.3 Experimental Results
2.7 Conclusion
3 Fault-based Attacks on the Bel-T Block Cipher Family
3.1 Introduction
3.2 The Block Cipher Bel-T
3.3 Fault Attacks on Bel-T
3.3.1 Bel-T-128
3.3.2 Bel-T-192
3.3.3 Bel-T-256
3.3.4 Experimental Results
3.4 Practical Issues and Countermeasures
3.5 Conclusion
4 NORX: Parallel and Scalable Authenticated Encryption
4.1 Introduction
4.2 Specification
4.2.1 Preliminaries
4.2.2 Parameters and Interface
4.2.3 Layout Overview
4.2.4 The Round Function
4.2.5 Encryption Mode
4.2.6 Decryption Mode
4.2.7 Datagrams
4.3 Security Goals
4.4 Features
4.4.1 List of Characteristics
4.4.2 Recommended Parameter Sets
4.4.3 Performance
4.5 Design Rationale
4.5.1 The Parallel MonkeyDuplex Construction
4.5.2 The Functions F, G, and H
4.5.3 Selection of Constants
4.5.4 Number of Rounds
4.5.5 The Padding Rule
4.6 Conclusion
5 Analysis of NORX
5.1 Introduction
5.2 General Observations on G and F
5.2.1 Fix Points
5.2.2 Weak States
5.2.3 Algebraic Properties
5.2.4 Slide Attacks
5.3 Differential Cryptanalysis
5.3.1 Simple Differentials
5.3.2 Impossible Differentials
5.3.3 NODE - NORX Differential Search Engine
5.4 Rotational Cryptanalysis
5.5 Conclusion
Bibliography
Test Vectors for NORX
Publications
Motivation
Cryptology consists of two collaborating partners: cryptography, the science of designing secure communication channels in the presence of third parties, on the one hand, and cryptanalysis, the science of evaluating the security of cryptographic constructions, on the other. Traditionally deployed by the military and secret services (we refer to Kahn [146] for an extensive treatment of the early history and to the seminal publications of Kerckhoffs [151] and Shannon [223, 224] for the foundations of modern cryptology), the situation changed drastically in the past decades, when cryptology found its way into our everyday life. The main reason, without a doubt, is the Digital Revolution triggered by the invention of the computer and the introduction of the Internet, which led to a rapidly increasing influence of technology and digital media on practically every aspect of modern society. Protection of sensitive digital data against unauthorised access is nowadays not only a highly relevant topic for industry and governments but a concern for practically everybody. Protection of data in phone calls, email, mobile messaging, online shopping, online banking, or in emerging fields such as electronic cash systems (e.g. Bitcoin [193]), smart grids, or the Internet-of-Things would be impossible without sound cryptographic constructions. The strength of the cryptographic protection is determined by the (in)feasibility of deriving secret information by unauthorised parties. Goals of modern cryptology include for instance confidentiality, integrity, authenticity, anonymity, and non-repudiation, to name a few of the many objectives.
Although there exist many cryptographic schemes which are considered secure, there is no single, universally applicable solution. Due to constantly changing requirements and new application fields, there is a steady demand for innovative solutions that master emerging challenges. Another issue is that deprecated cryptographic constructions are still relatively widespread. Those designs often date back to times when practically nobody could foresee the dimensions modern technologies, such as today's Internet, could reach, and they are now mostly outdated and not suitable for use in modern applications. One prominent example is the RC4 stream cipher, which was designed by Rivest in 1987, became publicly known in 1994, and found widespread adoption due to its simplicity and relatively good performance. The security of RC4 has been studied thoroughly over the past decades and numerous weaknesses in the algorithm itself and in systems it has been deployed in were revealed [5, 114, 157, 221, 232]. Cryptographers have been advising against its use for years already, but phasing out such a widely deployed system is usually a difficult task and a slow process due to complex interdependencies, issues with backward compatibility, and other reasons. For instance, in early 2014, RC4 was still one of the most widely used ciphers in implementations of the Transport Layer Security (TLS) protocol which protects communication on the Internet. In 2015, the Internet Engineering Task Force (IETF) finally prohibited its use in TLS [207]. There are many similar examples of cryptographic primitives whose weaknesses have been exposed due to continuous advances in cryptanalysis. Understandably, there is huge interest in replacing legacy schemes by new, modern variants that fix the flaws of their older counterparts, provide new features, and often promise a drastic reduction of operational costs. Moreover, modern ciphers are usually designed with sufficiently large security margins so that they can resist future cryptanalytic or computational breakthroughs. This is absolutely essential to ensure security in the long term, since many cryptographic primitives are used for decades, as can be seen on the example of RC4.
One major threat to many of the known cryptographic systems are quantum computers [197]. While there currently exist early prototypes that can only be used for very basic computations, the interest from academia, industry, and governments alike in building a real and practically usable quantum computer is considerable. It would provide enormous computational advantages in comparison with classical computers. Although there are still many challenges to overcome, unforeseen advances in engineering could quickly lead to the construction of a first quantum computer with a reasonable number of quantum bits (qubits). We refer to the quantum algorithms of Grover [120] and Shor [226], which yield, in comparison with the best known classical algorithms, significant speed-ups for the problems of database search and integer factorisation. Ciphers such as RSA, which belongs to the most widely deployed public-key cryptosystems and whose security relies on the hardness of integer factorisation, could be broken easily by a quantum computer equipped with enough qubits. It is therefore no surprise that post-quantum cryptography is a highly active research field where cryptographers investigate new systems that remain secure even in the presence of quantum computers.
On the opposite end of the spectrum there is a huge interest in the field of lightweight cryptography, motivated by pervasive computing enabled through small mobile and embedded devices such as RFID chips and nodes of sensor networks. These machines increasingly find their way into our everyday life and are often used to process sensitive (personal) data, for instance financial or medical information. Obviously, protecting such data is essential and is in large part achieved through the deployment of cryptographic techniques. However, the acceptable complexity of cryptographic algorithms implementable on low-end devices is usually restricted by stringent cost constraints, by power consumption limits due to battery life-time, or by heat dissipation issues. The design of cryptographic primitives that provide adequate security against conventional cryptanalysis and implementation attacks, and that can be realised on devices with severely restricted resources, is a very challenging task and has raised huge interest over the last few years [158]. It is therefore no surprise that numerous new algorithms [15, 61, 71, 72, 73, 78, 85, 86, 125, 126] were proposed addressing the manifold challenges of lightweight cryptography.
To summarise, cryptology is a highly active and challenging research field with countless unsolved and practice-oriented problems. The ever increasing need and demand for security and privacy of digital communication in our modern society in the information age ensures that research in cryptology will remain relevant for a long time to come.
Research Contributions and Outline
This thesis deals with research problems in symmetric cryptology, where it is assumed that the communicating parties share a secret key. In particular, we investigate techniques for fault-based cryptanalysis of block ciphers, discuss the design of a novel authenticated encryption scheme, and furthermore describe our security evaluation of the latter. The outline of the thesis is as follows.
In Chapter 1, we discuss basic concepts from symmetric cryptology. We introduce block ciphers, stream ciphers, hash functions, and message authentication codes, the basic primitives of symmetric cryptography, and furthermore discuss authenticated encryption schemes, a more advanced construction. Moreover, we give an introduction to the basic tools of cryptanalysis including brute-force, differential, linear, algebraic, rotational, and implementation attacks. The purpose of this chapter is to establish the basic terminology required later on in the thesis.
In Chapter 2, we discuss techniques for fault analysis of the lightweight block ciphers LED and PRINCE. We start with a fault-based attack on LED-64 and present filtering techniques which quickly eliminate wrong key hypotheses. We show that the number of remaining key candidates is already sufficiently small after a single fault injection to make exhaustive search feasible. We furthermore motivate why those techniques are not directly applicable to LED-128 and PRINCE. Afterwards, we introduce a generalisation of the LED-64 attack which leads to the multi-stage fault attack framework and allows differential fault analysis of both LED-128 and PRINCE. We show that in both cases between 3 and 5 fault injections are sufficient for a successful reconstruction of the entire 128-bit key and furthermore present the results from our extensive simulation-based experiments. Finally, we discuss an extension of the LED-64 attack to an algebraic setting. The results of this chapter are published (partly as preprints) in [138, 139, 140]. Furthermore, in [172, 173], the applicability of the fault analysis techniques in combination with new methods for high-precision fault injections is investigated.
In Chapter 3, we present differential fault analysis of the block cipher family Bel-T, which has recently been adopted as a national standard of the Republic of Belarus. Our attacks successfully recover the secret key of the 128-bit, 192-bit, and 256-bit versions of Bel-T using 4, 7, and 10 fault injections, respectively. We also discuss the feasibility of the required fault injections and present the results from our extensive simulation-based experiments. The results of this chapter are published in [143].
In Chapter 4, we present NORX, a novel authenticated encryption scheme with support for associated data, which was submitted in 2014 as a first-round candidate to CAESAR, the Competition for Authenticated Encryption: Security, Applicability and Robustness. NORX was designed with a focus on high security, simplicity, performance, and side-channel robustness. It is based on the monkeyDuplex construction, which belongs to the family of sponge functions, and features a unique domain separation scheme for straightforward processing of header, payload, and trailer data. NORX was optimised for efficiency in both software and hardware, having a core suitable for vectorised implementations, almost byte-aligned rotations, no secret-dependent memory accesses, and only bitwise logical operations. On a Haswell processor, a serial version of NORX runs at 2.51 cycles per byte. Simulations of a hardware design for 180 nm UMC ASIC give a throughput of around 10 Gbps at 125 MHz. The main results of this chapter are published in [20], and further improvements on the generic security bounds can be found in [141]. Furthermore, a talk about CAESAR and NORX was given at the 31st Chaos Communication Congress (31C3) [17].
In Chapter 5, we present an in-depth security analysis of NORX and focus, in particular, on differential and rotational properties. After the discussion of some basic properties, we present algebraic models that describe differential propagation with respect to the non-linear operation of NORX. Afterwards, we introduce NODE, the NORX differential search engine, which is an adaptation of a framework previously proposed for ARX designs, enabling us to automate the search for differentials and characteristics. We give upper bounds on the differential probability for a few steps of the NORX core permutation. For example, in a scenario where an attacker can only modify the nonce during initialisation, we show that there are no differential characteristics with higher probabilities than $2^{-67}$ (32-bit) and $2^{-62}$ (64-bit) after only a single round. Furthermore, we describe how we found the best characteristics for four rounds, which have probabilities of $2^{-584}$ (32-bit) and $2^{-836}$ (64-bit), respectively. Finally, we discuss some rotational properties of the core permutation which yield some first, rough security bounds and can be used as a basis for future analyses. The results of this chapter are published in [19].
List of Symbols
ℕ  set of natural numbers including 0
ℤ  ring of integers
ℤ_n  residue class ring of integers modulo n
K[x_1, ..., x_n]  polynomial ring in indeterminates x_1, ..., x_n over the field K
ℚ  field of rational numbers
F_{p^n}  finite field with p^n elements, p prime, n ≥ 1
F_2^n  F_2-vector space of bit strings X = (x_0, ..., x_{n-1}) with length n ≥ 1
F_2^*  set of bit strings with arbitrary but finite length
0^n  bit string consisting of n zeroes
|X|  length of bit string X in bits
|X|_r  length of bit string X in r-bit blocks
hw(X)  Hamming weight of bit string X
⌊X⌋_n  truncation of bit string X to its first, i.e. least-significant, n bits
X ∥ Y  concatenation of bit strings X and Y
X ≪ n  left-shift of bit string X by n bits
X ≫ n  right-shift of bit string X by n bits
X ⋘ n  cyclic left-rotation of bit string X by n bits
X ⋙ n  cyclic right-rotation of bit string X by n bits
¬, ∧, ∨, ⊕  bitwise logical NOT, AND, OR, and XOR
⊞, ⊟  integer addition and subtraction
a ← b  assignment of value b to the variable a
x ←$ X  sample x uniformly at random from the set X
f ∘ g  composition of functions f and g
Chapter 1
Introduction
1.1 Cryptography
There are three major categories of cryptographic primitives, namely unkeyed, symmetric, and asymmetric algorithms. Figure 1 gives an overview of the most common cryptographic primitives. The distinguishing property of those classes is the different usage of key material: unkeyed algorithms do not require any secret information to be used. Symmetric algorithms use a single secret key that is shared among all legitimate communication partners and is used by each of them to execute cryptographic operations such as encryption and decryption of data. For the usage of asymmetric algorithms, each participant is required to possess a pair of keys, a public key and a private key. The two keys of a participant are strongly related to each other and each has its own purpose, which can be roughly summarised as follows: the public key is used for encryption or verification of digital signatures, while the private key is used for decryption or creation of digital signatures. In practice, the different types of primitives are usually not used on their own but are combined to form cryptographic protocols. This thesis focuses on symmetric cryptography, and the current section presents its core principles. Moreover, we also give a brief overview of hash functions due to their essential role in cryptography. For the other topics, we refer the interested reader to standard literature on cryptography [202].
There are many goals that can be achieved with (symmetric) cryptography, but three of the basic ones are:
Secrecy: It ensures that an adversary who has access to a communication channel cannot derive information about the content of messages exchanged by the communication partners.
Integrity: It ensures that an adversary who has access to a communication channel cannot modify the content of exchanged messages in an unauthorised way. In other words, it prevents an active adversary from tampering with transmitted messages without the manipulation being noticed.
Authenticity: It ensures that an adversary who has access to a communication channel cannot alter the information about the origin of exchanged messages, i.e. it prevents an attacker from impersonating a valid source of messages to any of the true communication partners.
[Figure 1: Categories of common cryptographic algorithms. Unkeyed algorithms: hash functions, randomness extractors, ...; symmetric algorithms: block ciphers, stream ciphers, message authentication codes, authenticated encryption schemes, ...; asymmetric algorithms: signature schemes, public-key ciphers, ...]
Different kinds of symmetric cryptographic constructions can be specified which achieve a
varying number of the above goals. In the following, we introduce the basic symmetric
cryptographic primitives, as listed in Figure 1, and describe their respective roles in achieving
the three goals above. As a basis, we use standard literature on (symmetric) cryptography such
as [162, 202].
1.1.1 Block Ciphers
Block ciphers are a core building block of symmetric cryptography and ensure the
confidentiality of processed data. They are often used to design other cryptographic primitives,
such as stream ciphers, hash functions or message authentication codes. In the following, we
introduce the basic definition and discuss thereafter common approaches for the construction of
block ciphers.
Let $k, b \geq 1$. A block cipher is a tuple $(E, D)$ such that the encryption function
$$E : \mathbb{F}_2^k \times \mathbb{F}_2^b \to \mathbb{F}_2^b,\quad (K, M) \mapsto C$$
is a permutation on the set of plaintexts $M \in \mathbb{F}_2^b$ for a fixed secret key $K \in \mathbb{F}_2^k$. The value $b$ is also called the block size. The inverse of the encryption function, $E^{-1}$, also called the decryption function, is denoted by $D$. In particular, the equation $D_K(E_K(M)) = M$ holds for all plaintexts $M \in \mathbb{F}_2^b$ and a fixed secret key $K \in \mathbb{F}_2^k$, where we denote $E_K(\cdot) = E(K, \cdot)$ and $D_K(\cdot) = D(K, \cdot)$, respectively.
Common values for $k$ are 64, 80, 96, 128, 192, and 256 bits, and for $b$ often values of 64, 128 or 256 bits are used. Block ciphers specify families of permutations. The block size of $b$ bits determines the space of all possible permutations, while the key size of $k$ bits determines the number of permutations that are actually created. More precisely, for a given key size of $k$ bits there exist $2^k$ different keys, and choosing one of them (at random) selects one of the permutations on the set of $2^b$ inputs (at random). There are $(2^b)!$ different permutations on $b$-bit input blocks, which corresponds roughly to the value $2^{(b-1)2^b}$ by Stirling's approximation. Usually, one also demands that keys which are related to each other in some way yield permutations sharing no recognizable relations, which could otherwise be exploited in cryptanalytic attacks.
Block ciphers are commonly constructed in an iterative way based on bijective, key-dependent round functions $f_i(K_i, \cdot)$ which operate on $b$-bit blocks of data. Note that $K_i$ denotes the $i$th round key for $i \in \{0, \ldots, r-1\}$ and $r$ denotes the number of rounds. Thus, the encryption function of such an iterative block cipher can be described by
$$E(K, \cdot) = f_{r-1}(K_{r-1}, \cdot) \circ f_{r-2}(K_{r-2}, \cdot) \circ \cdots \circ f_1(K_1, \cdot) \circ f_0(K_0, \cdot)$$
where $\circ$ denotes function composition. Analogously, decryption can be described by
$$D(K, \cdot) = f_0^{-1}(K_0, \cdot) \circ f_1^{-1}(K_1, \cdot) \circ \cdots \circ f_{r-2}^{-1}(K_{r-2}, \cdot) \circ f_{r-1}^{-1}(K_{r-1}, \cdot)$$
where $f_i^{-1}(K_i, \cdot)$ denotes the inverse of $f_i(K_i, \cdot)$. To obtain the round keys $K_i$, the master key $K$ is expanded using a key schedule $g$, meaning
$$g : \mathbb{F}_2^k \to \mathbb{F}_2^{qr},\quad K \mapsto (K_0, K_1, \ldots, K_{r-2}, K_{r-1})$$
where $q$ denotes the bit size of a round key. In many cases, $q$ coincides with the block size $b$, i.e. $q = b$. Figure 2 illustrates the encryption function of such an iterative block cipher. Depending on the design of the block cipher, so-called whitening keys are often used before and after the application of all the round functions to mask plaintext and ciphertext, respectively.
K
g
K0 K1 Krāˆ’2 Krāˆ’1
M f0 f1 frāˆ’2 frāˆ’1 C
Figure 2: Encryption function of an iterative block cipher
If the block cipher design can be modeled as a sequence of unkeyed round functions interleaved
with addition of round keys using bitwise logical XOR, then we usually speak of a key-
alternating [97] construction. Note that Feistel ciphers can also be key-alternating in some sense
but cannot necessarily be modeled in such a way directly.
Now we give a brief overview of three common design approaches for block ciphers, namely Feistel
networks, substitution-permutation networks, and Lai-Massey schemes. Figure 3 illustrates the
round functions for each of the aforementioned design strategies.
Figure 3: Round functions of (a) Feistel networks, (b) substitution-permutation networks, and (c) Lai-Massey schemes (each round maps the state $(X_i, Y_i)$, or $X_i$ in the SPN case, to $(X_{i+1}, Y_{i+1})$ under the round key $K_i$; the SPN round consists of the S-box layer $S$, the permutation layer $P$ and the key addition, the Lai-Massey round of the half-round function $H$ and the keyed function $f$)
Feistel Networks
Block ciphers based on Feistel networks, see Figure 3a, have their state split into two halves,
usually denoted by a left one $X_i$ and a right one $Y_i$, for $0 \leq i \leq r$. The plaintext is loaded into $X_0 \,\|\, Y_0$.
In a single round, a non-linear function $f$ depending on a round key $K_i$ is applied to one of the
halves and the result is XORed into the other. Finally, the two halves are swapped, which also
finishes the round. Thus, a single encryption round of a Feistel network can be described
through
$$X_{i+1} = Y_i, \qquad Y_{i+1} = X_i \oplus f_{K_i}(Y_i),$$
which is also depicted in the first diagram of Figure 3. This procedure is repeated
as often as specified by the number of rounds $r$. The ciphertext finally corresponds to $X_r \,\|\, Y_r$.
Note that $f$ does not necessarily need to be bijective. Decryption can be accomplished in
essentially the same way as encryption, by simply exchanging the roles of $X_i$ and $Y_i$
and possibly adapting the key schedule. The similarity of encryption and decryption
functions obviously cuts down costs, for instance when the cipher is implemented in hardware.
Thus, it is not surprising that block ciphers based on Feistel networks are often used
in devices which only have access to very limited resources. Prominent representatives of
this class are the Data Encryption Standard (DES), the AES finalist Twofish [219], or Simon
[27], a lightweight block cipher designed and published by the NSA.
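As an added illustration (not code from the thesis), the following Python script implements a toy 16-bit Feistel network. It shows the round equations above, that decryption is the same sequence of rounds with the round keys in reverse order, that $f$ need not be bijective, and, via `is_permutation`, that for a fixed key the cipher is a permutation on all $2^b$ inputs as the block cipher definition requires. The 8-bit halves, the squaring-based $f$, the key schedule and the master key are assumptions made for this example.

```python
# Added example (not from the thesis): a toy 16-bit Feistel network with two
# 8-bit halves. The round function f is deliberately NOT a bijection, to show
# that a Feistel cipher is still invertible, and decryption reuses the
# encryption rounds with the round keys in reverse order. Key schedule, round
# count and master key are constructed for illustration only.

MASK8 = 0xFF
ROUNDS = 8

def key_schedule(master_key, rounds=ROUNDS):
    """Toy key schedule: cycle through the bytes of a 32-bit master key and mix
    in the round index so that round keys differ."""
    return [((master_key >> (8 * (i % 4))) & MASK8) ^ i for i in range(rounds)]

def f(k, y):
    """Non-linear, non-bijective round function on 8 bits: squaring mod 256 is
    many-to-one (1 and 255 both square to 1), then the round key is XORed in."""
    return ((y * y) & MASK8) ^ k

def feistel_round(k, x, y):
    """One round: X_{i+1} = Y_i, Y_{i+1} = X_i xor f_{K_i}(Y_i)."""
    return y, x ^ f(k, y)

def feistel_encrypt(round_keys, block):
    x, y = (block >> 8) & MASK8, block & MASK8
    for k in round_keys:
        x, y = feistel_round(k, x, y)
    return (x << 8) | y

def feistel_decrypt(round_keys, block):
    """Same rounds, reversed key order. Loading the halves swapped undoes the
    final swap of encryption; they are swapped back at the end."""
    y, x = (block >> 8) & MASK8, block & MASK8
    for k in reversed(round_keys):
        x, y = feistel_round(k, x, y)
    return (y << 8) | x

def is_permutation(round_keys):
    """Block cipher definition check: for a fixed key the encryption map is a
    permutation on all 2^16 inputs, i.e. every output is hit exactly once."""
    seen = bytearray(1 << 16)
    for m in range(1 << 16):
        c = feistel_encrypt(round_keys, m)
        if seen[c]:
            return False
        seen[c] = 1
    return True
```

Because `f` is applied only inside the XOR, the round is invertible regardless of `f`; a real design would replace the squaring map by a proper S-box layer and the toy schedule by a cryptographic one.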
Substitution-Permutation Networks
Another prevalent approach to designing block ciphers are substitution-permutation
networks (SPN), see Figure 3b. The basic building blocks of SPN block ciphers are a
substitution layer $S$, which changes the state in a non-linear way through parallel substitution
of groups of bits according to certain substitution tables, also called S-boxes, a linear permutation layer
$P$, which permutes either single bits or whole groups of bits, and finally the addition of a round key
$K_i$, usually using bitwise XOR or integer addition. Sometimes the round function
also includes an operation for the addition of a round constant, to make the single
rounds distinct from each other, which prevents certain kinds of attacks such as slide
attacks [65]. The basic variant of the round function can be described as follows:
$$X_{i+1} = P(S(X_i)) \oplus K_i.$$
SPN block ciphers are by definition key-alternating and the decryption function is usually quite
different from encryption compared to their Feistel network based counterparts. Lately however,
there have been increased efforts to create SPN ciphers using involutive building blocks which
allow to specify encryption and decryption functions in similar ways. For instance, PRINCE
[78] falls into the latter category. Other prominent examples of substitution-permutation
network based block ciphers include AES [96], PRESENT [71], and LED [126]. In Chapter 2,
we analyze the ciphers LED and PRINCE against certain cryptanalytic attacks.
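An added example, not taken from the thesis or from any of the ciphers named above, of the round $X_{i+1} = P(S(X_i)) \oplus K_i$ on a 16-bit state in Python: the 4-bit S-box is the one specified for PRESENT [71], while the bit permutation, round constants, key schedule, round count and master key are assumptions made for illustration. It also shows that, unlike a Feistel cipher, SPN decryption needs the inverse S-box and the inverse permutation, and it measures the avalanche caused by a single flipped plaintext bit.

```python
# Added example (not from the thesis): a toy 16-bit substitution-permutation
# network, X_{i+1} = P(S(X_i)) xor K_i, with a pre-whitening key. The 4-bit
# S-box is the PRESENT S-box [71]; the 16-bit bit permutation, the round
# constants and the key schedule are constructed here for illustration.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# Bit i of the state moves to position PERM[i]; 4i mod 15 spreads the four
# output bits of every S-box over four different S-boxes of the next round.
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
PERM_INV = [PERM.index(j) for j in range(16)]
ROUNDS = 4

def key_schedule(master_key, rounds=ROUNDS):
    """Toy schedule: a whitening key plus one 16-bit round key per round, taken
    from the 16-bit words of a 64-bit master key and mixed with the index."""
    keys = [((master_key >> (16 * (i % 4))) & 0xFFFF) ^ ((0x5A5A * i) & 0xFFFF)
            for i in range(rounds + 1)]
    return keys[0], keys[1:]

def sub_layer(x, table):
    """S (or its inverse): apply a 4-bit S-box to each nibble in parallel."""
    out = 0
    for nib in range(4):
        out |= table[(x >> (4 * nib)) & 0xF] << (4 * nib)
    return out

def perm_layer(x, table):
    """P (or its inverse): move bit i to bit table[i]."""
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << table[i]
    return out

def spn_encrypt(whitening, round_keys, m):
    x = m ^ whitening
    for i, k in enumerate(round_keys):
        # the round constant i makes the rounds distinct (cf. slide attacks [65])
        x = perm_layer(sub_layer(x, SBOX), PERM) ^ k ^ i
    return x

def spn_decrypt(whitening, round_keys, c):
    """SPN decryption runs the layers backwards with the inverse S-box and the
    inverse permutation; it is a different circuit from encryption."""
    x = c
    for i, k in reversed(list(enumerate(round_keys))):
        x = sub_layer(perm_layer(x ^ k ^ i, PERM_INV), SBOX_INV)
    return x ^ whitening

def hamming_distance(a, b):
    return bin(a ^ b).count("1")

def avalanche(whitening, round_keys, m, bit):
    """Number of ciphertext bits that change when plaintext bit `bit` flips."""
    return hamming_distance(spn_encrypt(whitening, round_keys, m),
                            spn_encrypt(whitening, round_keys, m ^ (1 << bit)))
```

With an involutive S-box and a self-inverse permutation, the inverse tables collapse onto the forward ones, which is the property the involutive designs mentioned above exploit to share code between encryption and decryption.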
Lai-Massey Schemes
A third, though less common, alternative for block cipher design is the so-called Lai-Massey scheme, see Figure 3c. Like Feistel networks, the scheme works with a state split into two parts $X_i$ and $Y_i$. The building blocks of the round function are a half-round function $H$ and a keyed transformation $f_{K_i}$, where $K_i$ denotes the round key. The function $H$ usually updates only the left state element $X_i$ by means of a special operation and leaves $Y_i$ unchanged, which is required to prevent trivial distinguishing attacks [236]. The above components are then combined as follows:
$$(A_i, B_i) = H(X_i, Y_i), \qquad C_i = f_{K_i}(A_i \oplus B_i), \qquad (X_{i+1}, Y_{i+1}) = (A_i \oplus C_i, B_i \oplus C_i).$$
Similarly to Feistel block ciphers, the function $f$ does not need to be invertible. The Lai-Massey scheme was introduced alongside IDEA [176]. Other representatives are FOX [144], now also known as IDEA-NXT, and, to some extent, also Bel-T [98], the national encryption standard of the Republic of Belarus. We analyze Bel-T in more detail in Chapter 3.
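An added example (not from the thesis) of the Lai-Massey round in Python with 8-bit halves. The half-round function $H$ applies a FOX-style orthomorphism to the left half, a choice assumed here since the text only says that $H$ applies a special operation to $X_i$; `is_orthomorphism` checks the defining property. The keyed function $f$ is non-invertible on purpose, and `lm_round_inv` shows why that is harmless: $X_{i+1} \oplus Y_{i+1} = A_i \oplus B_i$, so $C_i$ can simply be recomputed. Round keys are constructed test values.

```python
# Added example (not from the thesis): toy Lai-Massey rounds on two 8-bit
# halves. H applies an orthomorphism to the left half (a FOX-style choice
# assumed here); f is keyed and deliberately non-invertible. Round keys are
# constructed for illustration.

MASK8 = 0xFF

def sigma(x):
    """Orthomorphism on 8 bits: split into nibbles (l, r), map to (r, l ^ r).
    Both sigma and x -> sigma(x) ^ x are bijections (see is_orthomorphism)."""
    l, r = (x >> 4) & 0xF, x & 0xF
    return (r << 4) | (l ^ r)

def sigma_inv(x):
    r, lr = (x >> 4) & 0xF, x & 0xF
    return ((lr ^ r) << 4) | r

def is_orthomorphism(fn):
    """A map s on 8-bit values is an orthomorphism iff both s and s + id are
    permutations; the identity, for instance, fails the second condition."""
    return (len({fn(v) for v in range(256)}) == 256
            and len({fn(v) ^ v for v in range(256)}) == 256)

def f(k, z):
    """Keyed, non-bijective function: squaring mod 256 after the key XOR."""
    z ^= k
    return (z * z) & MASK8

def lm_round(k, x, y):
    """(A, B) = H(X, Y) = (sigma(X), Y); C = f_K(A ^ B); (X', Y') = (A ^ C, B ^ C)."""
    a, b = sigma(x), y
    c = f(k, a ^ b)
    return a ^ c, b ^ c

def lm_round_inv(k, x1, y1):
    """X' ^ Y' = (A ^ C) ^ (B ^ C) = A ^ B, so C = f_K(X' ^ Y') is recomputed
    without ever inverting f; then A, B and finally X, Y are recovered."""
    c = f(k, x1 ^ y1)
    a, b = x1 ^ c, y1 ^ c
    return sigma_inv(a), b

def lm_encrypt(round_keys, block):
    x, y = (block >> 8) & MASK8, block & MASK8
    for k in round_keys:
        x, y = lm_round(k, x, y)
    return (x << 8) | y

def lm_decrypt(round_keys, block):
    x, y = (block >> 8) & MASK8, block & MASK8
    for k in reversed(round_keys):
        x, y = lm_round_inv(k, x, y)
    return (x << 8) | y
```

Without the orthomorphism, i.e. with $H$ the identity, $X_{i+1} \oplus Y_{i+1} = X_i \oplus Y_i$ would hold in every round and the cipher would be trivially distinguishable, which is the reason the text gives for $H$.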
Block Cipher Modes
Block ciphers can encrypt only a single fixed-size block of data at a time. To be able to process messages of arbitrary length, however, a block cipher must be used together with a suitable block cipher mode of operation. The first block cipher modes were proposed and standardized by NIST for use with DES in FIPS 81 [194] and were later also standardized for use with AES [195]. The basic modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Ciphertext Feedback (CFB), Output Feedback (OFB), and Counter (CTR). We do not discuss the details of those modes here but refer the interested reader to standard literature [162, 202].
1.1.2 Stream Ciphers
Stream ciphers accompany block ciphers as the second essential class of symmetric-key primitives. While block ciphers encrypt data block-wise, a stream cipher achieves encryption by first producing a pseudo-randomly generated stream of bits (sometimes as whole blocks of bits), the key stream, of the same size as the message, and by then XORing this key stream to the plaintext to obtain the ciphertext. This property makes stream ciphers very flexible, as in general no message padding or special mode of operation is required and messages of arbitrary size can be processed immediately. Note, however, that a given block cipher can easily be turned into a stream cipher using, for instance, the previously mentioned counter mode (CTR).
Let $k, n \geq 1$. A stream cipher $S$ is specified by
$$S : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \to \mathbb{F}_2^*, \quad (K, N, M) \mapsto S \oplus M$$
where $K$ is a secret key, $N$ is either an initialization vector (IV) or a nonce, $M$ a message, and $S$ a pseudo-randomly generated key stream of length $|M|$. The ciphertext $C$ corresponds to the output $S \oplus M$ of $S$. Since XOR is an involution, the same function can be used for decryption with exchanged roles of $C$ and $M$. Hence, the plaintext can be recovered by simply computing $S(K, N, C) = S \oplus C = M$.
Note that there is a difference between an IV and a nonce: IVs are required to be chosen uniformly at random while nonces only have to be unique in order to guarantee the security of the algorithm. Thus, a nonce can be implemented through a simple counter, which is not possible for an IV. Whether an IV or a nonce has to be used depends on the concrete cryptographic construction.
Undoubtedly, one of the most well-known stream ciphers is RC4, which was invented by Rivest in 1987 and is still in wide use today despite the numerous discovered weaknesses that often allow to mount practical attacks on RC4. Modern and secure counterparts include Salsa20 [41], ChaCha [40], Trivium [86] and Grain-128a [2].
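An added example (not from the thesis) of the definition above in Python, with the key stream generated in counter fashion, the way the text describes turning a block cipher into a stream cipher. SHA-256 over $(K, N, \text{counter})$ stands in for the block cipher, a simplification made for this example; key, nonces and messages are constructed. `NonceCounter` shows that uniqueness is all a nonce needs, and `nonce_reuse_leaks` shows what is lost when that requirement is violated.

```python
# Added example (not from the thesis): a stream cipher S(K, N, M) = S xor M
# whose key stream is produced in counter (CTR) fashion. SHA-256 over
# (K, N, counter) stands in for the block cipher, a simplification for this
# example; key, nonces and messages are constructed test values.
import hashlib

def keystream(key, nonce, length):
    """CTR-style key stream: block i = PRF(K || N || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def stream_cipher(key, nonce, data):
    """S(K, N, M) = S xor M. The same call decrypts, XOR being an involution."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(ks, data))

class NonceCounter:
    """A nonce only has to be unique per key, so a counter suffices; an IV,
    in contrast, would have to be drawn uniformly at random."""
    def __init__(self, width=8):
        self.value, self.width = 0, width

    def next(self):
        n = self.value.to_bytes(self.width, "big")
        self.value += 1
        return n

def nonce_reuse_leaks(key, nonce, m1, m2):
    """Why uniqueness matters: under the same (K, N) both messages are XORed
    with the same key stream, so C1 xor C2 equals M1 xor M2 and the relation
    between the plaintexts is exposed. Returns True if that equality holds."""
    c1 = stream_cipher(key, nonce, m1)
    c2 = stream_cipher(key, nonce, m2)
    n = min(len(m1), len(m2))
    xor_c = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_m = bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
    return xor_c == xor_m
```

The counter must be bound to the key: a fresh key needs a fresh counter, and the counter state has to survive restarts, otherwise the (key, nonce) pair repeats and the leak shown above occurs.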
1.1.3 Hash Functions
Cryptographic hash functions are another important primitive and can be used to ensure the integrity of processed data. In symmetric cryptography, they are also often used as building blocks for other cryptographic primitives, for example stream ciphers, message authentication codes, or authenticated encryption schemes. Although not covered in depth within the present thesis, we nevertheless discuss them briefly below because of their importance and for completeness. Hash functions do not use a secret key, unlike the symmetric primitives discussed so far, and compress an arbitrarily sized but finite input to a fixed-size output. The latter can be viewed as the fingerprint, i.e. the "unique" identifier, of the data. These primitives belong to the family of so-called one-way functions, which means that they are considered practically infeasible to invert. Because of their versatility, hash functions are often referred to as the "Swiss army knife" of cryptography. Their field of application includes, but is not limited to, data integrity checks, password verification, pseudorandom number generation, and message authentication. The formal definition of a hash function is as follows.
Let $n \geq 1$. A (cryptographic) hash function is a mapping
$$H : \mathbb{F}_2^* \to \mathbb{F}_2^n, \quad M \mapsto H$$
that takes as input a message $M$ of arbitrary but finite length and compresses it into a fixed-size digest or hash $H$ of length $n$.
Informally, a cryptographic hash function should be indistinguishable from a random function with the same parameters and it should fulfil the following four properties:
Efficiency: Given the input $M$ it is easy to compute $H(M)$.
Collision Resistance: Finding two distinct inputs $M \neq M'$ such that $H(M) = H(M')$ should require at least $2^{n/2}$ operations.
Pre-image Resistance: Given an image $Z$ of $H$, it is hard to find an input $M$ such that $H(M) = Z$.
Second Pre-image Resistance: Given an input $M$, it is hard to find a second input $M'$ such that $H(M) = H(M')$.
Due to the above properties the value $n$ is required to have a certain size. Common choices for $n$ are 160, 256 and 512 bits.
Well-known cryptographic hash functions include MD5, SHA1, SHA256, SHA512, Keccak [47], which was the winner of the SHA3 competition [222] and is now the new SHA3 standard, Grøstl [118], BLAKE [16], and BLAKE2 [21].
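An added example (not from the thesis) that makes the $2^{n/2}$ collision bound tangible in Python: SHA-256 is truncated to $n$ bits and a birthday search over constructed messages finds a collision after roughly $\sqrt{\pi/2 \cdot 2^n}$ hashes, which is why $n$ has to be as large as the text says. The truncation and the message format are choices made for this illustration; SHA-256 itself is not weakened by them.

```python
# Added example (not from the thesis): why the digest length n matters. The
# collision-resistance bound of about 2^(n/2) operations is made visible by
# truncating SHA-256 to n bits and searching for a collision among the
# constructed messages "msg-0", "msg-1", ...; n is a parameter of the demo.
import hashlib
import math

def truncated_hash(msg, n_bits):
    """H truncated to its first n bits (n a multiple of 8 for simplicity)."""
    return hashlib.sha256(msg).digest()[: n_bits // 8]

def find_collision(n_bits, limit=1 << 20):
    """Birthday search: hash successive messages until a digest repeats.
    Returns (tries, m1, m2), or None if the limit was reached first."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        h = truncated_hash(m, n_bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    return None

def is_collision(n_bits, m1, m2):
    """Check the collision: distinct inputs, identical truncated digests."""
    return m1 != m2 and truncated_hash(m1, n_bits) == truncated_hash(m2, n_bits)

def expected_tries(n_bits):
    """Expected number of hashes before the first collision (birthday bound,
    about sqrt(pi/2 * 2^n)); for n = 256 this exceeds 2^127."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)
```

Running `find_collision(24)` needs a few thousand hashes, in line with `expected_tries(24)`; the same search against the full 256-bit digest is hopeless, which is the whole point of the lower bound on $n$.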
1.1.4 Message Authentication Codes
Hash functions that take a secret key as an additional input, are better known as message
authentication codes. These primitives do not only provide data integrity but also allow to
verify the authenticity of a message. This means that the receiver of a message can verify that it
originates from a valid sender, namely the one with whom the receiver had exchanged the
secret key before.
Concretely, a message authentication code (MAC) is a tuple $(T, V)$ consisting of a tag
generation function $T$ and a tag verification function $V$. The tag generation function is specified
by
$$T : \mathbb{F}_2^k \times \mathbb{F}_2^* \to \mathbb{F}_2^t, \quad (K, M) \mapsto T$$
and takes as input a secret key $K$ and an arbitrarily long message $M$ and compresses it into a
fixed-size authentication tag $T$ of length $t$. The tag verification function is specified through
$$V : \mathbb{F}_2^t \times \mathbb{F}_2^t \to \{\bot, \top\}, \quad (T, T') \mapsto \begin{cases} \top & \text{if } T = T' \\ \bot & \text{if } T \neq T' \end{cases}$$
and checks if the received tag $T$ matches the computed tag $T'$. If they agree, then $V$ returns the
symbol $\top$ for success, and otherwise the symbol $\bot$ for failure.
There are many ways to construct MACs. A common approach is to take a cryptographic hash
function and use it within the HMAC mode [30]. Another option are sponge functions [45]
which are discussed further below.
1.1.5 Authenticated Encryption Schemes
Authenticated encryption (AE) schemes [32, 67] are an enhancement of ordinary symmetric encryption algorithms and provide not only confidentiality of processed data but also ensure its integrity and authenticity. In other words, AE schemes attempt to achieve all three essential goals of symmetric cryptography introduced at the beginning of this section. Authenticated encryption with associated data (AEAD) [211] is an extension of AE that additionally allows to process so-called associated data (AD), which is not encrypted, i.e. it is transmitted in clear, but whose authenticity and integrity are ensured. Nowadays, AE(AD) schemes are the standard tool to protect in-transit data. AD can take many forms, such as routing information in the headers of datagram packets. Obviously, such a header (containing data like an IP address) needs to remain unencrypted in order to be able to transmit the packet to the correct destination. Moreover, the sender wants to ensure that the packet indeed reaches its destination and that possible tampering with the in-transit packet through man-in-the-middle attacks is detected. Finally, the receiver wants to be able to verify that the received data is from a valid source, namely the one with whom he exchanged secret keys. Below, we present the mathematical notation for AEAD and note that AE is a special case of the former where AD is left empty.
Let $k, n, t \geq 1$. An authenticated encryption scheme with associated data is a tuple $(\mathcal{K}, E, D)$, where $\mathcal{K}$ is a key selection function, $E$ is an encryption and $D$ a decryption function. The function $\mathcal{K}$ takes as input $k$ and picks a secret key $K$ uniformly at random from $\mathbb{F}_2^k$. We denote this operation by $K \xleftarrow{\$} \mathcal{K}(k)$ or just $K \xleftarrow{\$} \mathcal{K}$ if the context is clear. The encryption function is specified as
$$E : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \times \mathbb{F}_2^* \to \mathbb{F}_2^* \times \mathbb{F}_2^t, \quad (K, N, A, M) \mapsto (C, T)$$
where $K$ is a secret key, $N$ a nonce, $A$ associated data, $M$ a plaintext message, $C$ a ciphertext, and $T$ an authentication tag. The decryption function, on the other hand, is defined by
$$D : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \times \mathbb{F}_2^* \times \mathbb{F}_2^t \to \mathbb{F}_2^* \cup \{\bot\}, \quad (K, N, A, C, T) \mapsto \begin{cases} M & \text{if } T = T' \\ \bot & \text{if } T \neq T' \end{cases}$$
where $T'$ denotes the computed and $T$ the received authentication tag.
Conceptually, a typical communication between two parties Alice and Bob is conducted as follows: assuming Alice and Bob have already exchanged a secret key $K$, Alice computes $E_K(N, A, M) = (C, T)$ and sends the tuple $(N, A, C, T)$ over the communication channel to Bob. Under the assumption that the AEAD scheme is secure, an adversary intercepting $(N, A, C, T)$ can neither learn anything about the message $M$ from $C$ or $T$ nor can he modify any of $N$, $A$, $C$ or $T$ without being detected. In particular, he cannot construct tuples $(N', A', C', T')$ of his own that appear valid to Bob, since he is not in possession of the shared secret key $K$. Bob, the legitimate communication partner, applies the decryption function $D_K$ to $(N, A, C, T)$, which first checks that the received authentication tag $T$ is valid by comparing it with the computed tag $T'$, and if so $D_K$ returns the message $M$. If tag verification fails, $D_K$ outputs nothing except an error $\bot$ and securely erases all intermediate results. Next, we give an overview of common AE(AD) constructions.
Generic Composition
There are several ways to construct AE(AD) schemes. A very common approach is generic composition [32], for which we give a short overview in the following and discuss its pros and cons. Generic composition combines a symmetric encryption scheme, for example a block or stream cipher, and a message authentication code (MAC) to form an AE(AD) scheme. Usually two different secret keys $K_e$ and $K_m$ are used for encryption $E(K_e, \cdot)$ and authentication tag generation $T(K_m, \cdot)$, respectively. To achieve AE using generic composition there exist three well-known approaches, which are discussed in more detail below.
Encrypt-and-MAC (EaM). The sender encrypts the message using the symmetric encryption algorithm, compresses the message using the MAC to obtain the tag and appends the tag to the ciphertext:
$$E_{K_e}(M) \,\|\, T_{K_m}(M).$$
The receiver first decrypts the cipher text to obtain the message and then uses the MAC on the
message to verify the received authentication tag. Extending EaM to include associated data is
straightforward:
$$A \,\|\, E_{K_e}(M) \,\|\, T_{K_m}(A \,\|\, M).$$
The very well-known SSH protocol [248] is one representative that uses EaM-based schemes
for authenticated encryption.
MAC-then-Encrypt (MtE). The sender compresses the message using the MAC, appends the
generated authentication tag to the message and encrypts the result:
$$E_{K_e}(M \,\|\, T_{K_m}(M)).$$
The receiver first decrypts the cipher text, extracts message and tag, and then uses the MAC on
the message to check if the received authentication tag is valid. The AEAD variant of MtE can
be again constructed in the obvious way:
$$A \,\|\, E_{K_e}(M \,\|\, T_{K_m}(A \,\|\, M)).$$
MtE-based authenticated encryption is used for example in (D)TLS [104], the protocol that
enables secure communication on the Internet.
Encrypt-then-MAC (EtM). The sender encrypts the message to produce the ciphertext, uses the
MAC on the cipher text to produce the authentication tag and finally appends the tag to the
cipher text:
$$E_{K_e}(M) \,\|\, T_{K_m}(E_{K_e}(M)).$$
The receiver first checks if the received authentication tag is valid by using the MAC on the
cipher text and if so only then decrypts the cipher text. The extension of EtM that includes
associated data is specified as follows:
$$A \,\|\, E_{K_e}(M) \,\|\, T_{K_m}(A \,\|\, E_{K_e}(M)).$$
IPSec [150], the end-to-end security scheme operating on the IP layer of the Internet Protocol
Suite, uses EtM to realize authenticated encryption.
Pros and Cons: Each of the above variants represents a valid approach to building an AE(AD) scheme. However, one has to carefully consider which alternative to choose, since each of them has some drawbacks in one way or the other. We briefly discuss these issues below. From a security point of view only EtM satisfies all conditions for the construction of a secure AE scheme, see [32] for more details, and therefore EtM is the only construction among the three that can be recommended without restrictions. All three variants can be found in real-world protocols and applications, however, as we have just seen above.
EaM obviously provides no integrity for the ciphertext since the authentication tag is computed from the plaintext. Furthermore, an attacker could (hypothetically) derive information on the plaintext from the MAC, for example if the MAC only provides weak security. This problem is obviously avoided with EtM, where the tag is computed from the ciphertext. Another drawback of EaM-based schemes is the need to spend significant resources on the decryption of the ciphertext before tag verification can be performed. If the latter fails, the time spent on decrypting the ciphertext is wasted. In the worst case, this could lead to an increased vulnerability of applications to denial-of-service attacks, where an attacker floods a target with invalid ciphertexts in an attempt to shut down the system through overload. One well-known attack on the SSH protocol exploiting the aforementioned EaM weaknesses is described in [31]. MtE, the second variant, is from a theoretical point of view a better choice than EaM, see again [32]. From a practical point of view, however, it is unfortunately not perfect either and suffers from similar drawbacks as EaM: the ciphertext is not protected by the MAC and the authentication tag can only be verified after the ciphertext has been decrypted. Hence, resources spent on ciphertext decryption are wasted if tag verification fails. Moreover, the inclusion of the authentication tag into the ciphertext easily leads to security problems, as exploited by so-called padding oracle attacks [237]. This attack essentially enables an adversary to decrypt an entire message without knowledge of the secret key if the Cipher Block Chaining (CBC) mode is used for data encryption. This is particularly dangerous since CBC has been one of the standard block cipher modes used in a wide range of protocols. The problem can be traced back to flaws in the interplay between tag verification and the extension of the plaintext to the block length of the block cipher through the padding scheme.
EtM avoids the above issues since the authentication tag is computed from the ciphertext. The first step on the receiver's side is therefore to check the tag and, only if it is valid, to decrypt the ciphertext. On the one hand, this removes any potential risk of leaking information on the plaintext through the MAC, and, on the other hand, it allows to discard invalid ciphertexts much faster, as no resources are wasted on the decryption of forged messages as in the case of EaM and MtE. In summary, EtM has theoretical as well as practical advantages over the other two variants and should be chosen if generic composition is considered for AE(AD). For instance, the continued problems with MtE-based schemes in (D)TLS eventually led to discussions to replace the latter with EtM ciphers, which promise much better security, performance, and robustness. The results of these discussions are summarized in [127]. All generic composition based schemes, however, share the drawback that two passes over the data are required, namely one for encryption and one for tag generation. While modern AE(AD) schemes derive very useful security features from the two-pass technique, it is also often desirable to have one-pass AE(AD) solutions. This can be achieved through special AE(AD) block cipher modes or dedicated AE(AD) schemes. We discuss some of those alternatives in the following sections.
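An added example (not from the thesis) that implements EaM, MtE and EtM with associated data in Python, and at the same time the tag generation and verification functions $T$ and $V$ of Section 1.1.4. HMAC-SHA256 [30] serves as the MAC, a SHAKE-256 key stream as the encryption stand-in (an assumption made for this example, not a recommendation), and a counter of cipher invocations on the receiver side shows that only EtM rejects a forged ciphertext without decrypting it, the practical advantage argued above. Keys, nonce and data are constructed test values.

```python
# Added example (not from the thesis): the three generic compositions with
# associated data, built from HMAC-SHA256 [30] as the MAC (T and V) and a
# SHAKE-256 key stream as the encryption stand-in. The decryption counter
# shows which variant must decrypt before it can reject a forgery. Keys,
# nonce and data are constructed test values.
import hashlib
import hmac

TAG_LEN = 16

def enc(ke, nonce, data):
    """E(K_e, .): XOR with a SHAKE-256 key stream derived from (K_e, N). Stands
    in for a real cipher in CTR mode; the same call decrypts."""
    ks = hashlib.shake_256(ke + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(ks, data))

def tag(km, data):
    """T(K_m, .): HMAC-SHA256 truncated to TAG_LEN bytes."""
    return hmac.new(km, data, hashlib.sha256).digest()[:TAG_LEN]

def verify(received, computed):
    """V(T, T'): constant-time comparison; True stands for top, False for bottom."""
    return hmac.compare_digest(received, computed)

def mac_input(nonce, a, x):
    # The nonce and a length prefix for A are bound into the MAC input so that
    # (A, X) splits are unambiguous; the formulas above write just A || X.
    return nonce + len(a).to_bytes(4, "big") + a + x

class Composition:
    def __init__(self, ke, km):
        self.ke, self.km = ke, km
        self.decryptions = 0          # cipher runs on the receiver side

    def _dec(self, nonce, c):
        self.decryptions += 1
        return enc(self.ke, nonce, c)

    # Encrypt-and-MAC: A || E(M) || T(A || M)
    def eam_encrypt(self, n, a, m):
        return enc(self.ke, n, m), tag(self.km, mac_input(n, a, m))

    def eam_decrypt(self, n, a, c, t):
        m = self._dec(n, c)                       # must decrypt first
        return m if verify(t, tag(self.km, mac_input(n, a, m))) else None

    # MAC-then-Encrypt: A || E(M || T(A || M)); the tag travels inside C
    def mte_encrypt(self, n, a, m):
        return enc(self.ke, n, m + tag(self.km, mac_input(n, a, m))), b""

    def mte_decrypt(self, n, a, c, t):
        p = self._dec(n, c)                       # must decrypt first
        if len(p) < TAG_LEN:
            return None
        m, inner = p[:-TAG_LEN], p[-TAG_LEN:]
        return m if verify(inner, tag(self.km, mac_input(n, a, m))) else None

    # Encrypt-then-MAC: A || E(M) || T(A || E(M))
    def etm_encrypt(self, n, a, m):
        c = enc(self.ke, n, m)
        return c, tag(self.km, mac_input(n, a, c))

    def etm_decrypt(self, n, a, c, t):
        if not verify(t, tag(self.km, mac_input(n, a, c))):
            return None                           # rejected before any decryption
        return self._dec(n, c)

def forgery_costs(ke, km, nonce, a, m):
    """For each variant: is a ciphertext with one flipped bit rejected, and how
    many cipher runs did the receiver spend before rejecting it."""
    result = {}
    for name in ("eam", "mte", "etm"):
        comp = Composition(ke, km)
        c, t = getattr(comp, name + "_encrypt")(nonce, a, m)
        assert getattr(comp, name + "_decrypt")(nonce, a, c, t) == m
        comp.decryptions = 0
        forged = bytes([c[0] ^ 0x01]) + c[1:]
        rejected = getattr(comp, name + "_decrypt")(nonce, a, forged, t) is None
        result[name] = (rejected, comp.decryptions)
    return result
```

The XOR-based stand-in cipher also makes the EaM/MtE weakness concrete: a flipped ciphertext bit reaches the plaintext before any check runs, whereas EtM's `verify` runs over the ciphertext alone.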
AE (AD) Block Cipher Modes
AE(AD) block cipher modes of operation allow to transform an arbitrary block cipher into an
authenticated encryption scheme usually supporting associated data as well. In the following,
we present a short overview on the most important ones.
Galois Counter Mode (GCM). GCM [196] is a one-pass nonce-based AE block cipher mode of operation supporting associated data. Its design is suitable for achieving high speeds in software and hardware and can be parallelized for even higher performance. For instance, GCM instantiated with AES, which is essentially the default in practice, achieves software speeds of 1.03 cycles per byte on the Intel Haswell microarchitecture [121], thanks to the availability of the special instructions AES-NI [122] and PCLMULQDQ [123]. In hardware, high speeds (even beyond 100 Gbps) can easily be reached on FPGAs [190] or ASICs [189]. AES-GCM can be found, for example, in TLS 1.2 [104] as an alternative to conventional MtE-based AEAD modes, in the IEEE 802.1AE media access control security (MACsec) standard [133], or in various industry cores [134, 179, 231].
Implementing AES-GCM is a rather complicated task, however, and constant-time implementations [149], necessary to thwart timing side-channel attacks [35], are considerably harder to realize without access to special CPU instructions such as AES-NI. Moreover, non-AES-NI constant-time implementations suffer from a noticeable performance loss. Furthermore, Joux presented an attack [136] showing that GCM is susceptible to forgery attacks if a nonce-key pair is repeated, essentially enabling an attacker to recover the secret key used for the computation of the authentication tag.
Offset Codebook Mode (OCB). Like GCM, OCB1-3 [171, 212, 214] is a one-pass nonce-based AE block cipher mode supporting a block size of 128 bits. It is typically instantiated with AES, where it achieves excellent performance in software and hardware, exceeding that of AES-GCM. For example, AES-OCB runs at around 0.69 cycles per byte on the Haswell microarchitecture when AES-NI [122] instructions are used [121]. To achieve even greater speeds, OCB permits parallelization of data processing as well. Starting with version 2 [212], OCB also supports associated data, making it effectively an AEAD scheme. OCB3 [171] introduced some minor changes regarding offset computation and once again improved the performance of the scheme. A further advantage of OCB, when compared to GCM, is that it is much easier to implement, which also holds for constant-time implementations. Unfortunately, OCB never found widespread adoption due to patent restrictions. In 2013, Rogaway relaxed the licensing of OCB considerably, e.g. permitting free use of the scheme in open-source software. Despite its many advantages it is also not entirely without flaws. One minor issue pointed out in [111] is a collision attack that could be exploited if large amounts of data are processed. In order to prevent this attack, the amount of data processed per key must be limited to around 64 GiB.
Counter with CBC-MAC (CCM): CCM [242] is an AE block cipher mode for block lengths of 128 bits. It is typically instantiated with AES and was designed to be an alternative to OCB, avoiding the licensing issues of the latter. CCM combines CBC-MAC for authentication with CTR mode for encryption in a MAC-then-Encrypt manner. CTR makes the scheme effectively a stream cipher that requires unique nonces for initialization as long as the key is fixed. This is essential, as confidentiality cannot be ensured for CTR if nonces are repeated. A drawback of CCM is that it is not online, meaning that the length of the processed data must be known in advance before one can proceed with encryption, and therefore processing of data streams is precluded. In [215] many more design flaws are discussed, concerning different topics such as efficiency, parameterization, complexity, variable-tag-length subtleties, and wrong security claims. These all lead to the impression that CCM was not designed thoroughly. Despite these issues, CCM found its way into various protocols like IEEE 802.11i (WPA2), IPSec [150] and TLS 1.2 [104].
EAX Mode: EAX [33] is a nonce-based AEAD block cipher mode without any restrictions on the block length and supports authentication tag sizes up to the cipher's block size, which makes EAX very flexible. EAX was designed by the OCB team, aiming to address the many issues of CCM [215]. EAX has many attractive features: first of all it is accompanied by a proof of security showing that the security of the scheme can be reduced to the security of the underlying block cipher; ciphertext expansion is minimal, in the sense that the ciphertext has the same length as the plaintext plus the length of the authentication tag; CTR mode requires no decryption function at all, since encryption and decryption are done simply by XORing the plaintext and ciphertext with a stream of pseudo-randomly generated bits; it is an online algorithm capable of processing streams of data without the need to know the total length of the data in advance; finally, EAX can process static AD, which is for instance useful when handling session data that changes only rarely.
Sponge Functions
Many of the symmetric-key modes are based on block or stream ciphers, as we have already seen above, but there also exist modes that use a fixed-size permutation as the underlying primitive. Designing such a permutation in a cryptographically strong way is, in some sense, equivalent to designing a block cipher without a key schedule. A very famous representative of these modes is the family of cryptographic sponge functions [45], which were introduced alongside Keccak [47] during the SHA-3 competition [222]. One of the remarkable features of sponge functions is their support for arbitrarily long input and output sizes, which allows to build various kinds of primitives like hash functions, such as Keccak, or stream ciphers. Beyond that, sponge functions can also be used to construct authenticated encryption schemes supporting associated data. These variants are then better known as duplex constructions. We will focus in the following on this type, since NORX, the authenticated encryption scheme introduced in Chapter 4, is also based on a duplex construction. Regarding basic definitions and notation we let ourselves be guided by the work of Bertoni et al. [48], which presents a comprehensive introduction to the topic. Besides the specification we give an overview of the most important properties of duplex constructions as well.
Duplex Constructions: Duplex constructions (and sponge functions) are defined over a fixed-length function $f$, a padding scheme $\mathrm{pad}$, and a parameter $r$ in bits. The function $f$ is specified as
$$f : \mathbb{F}_2^b \to \mathbb{F}_2^b$$
with $b = r + c$ bits, where $b$, $r$, and $c$ are called width, rate and capacity, respectively. The first $r$ bits of the state are used for data processing while the last $c$ bits ensure the security of the primitive and are never affected directly by the input blocks or returned as output. Although not essential, the function $f$ is usually chosen to be a permutation on $b$ bits, which gives better security properties in general. The second component of a duplex construction, the padding rule
$$\mathrm{pad}_r : \mathbb{F}_2^n \to \mathbb{F}_2^{rm},$$
extends an $n$-bit string $X$ to a multiple of the rate $r$, which is necessary for processing data of arbitrary sizes. In order to guarantee security, such a padding scheme has to be sponge compliant [45], which means that it must be injective, non-empty, and has to ensure that the last block is non-zero. We assume in the following that all input data has been padded accordingly and write $X = X_0 \,\|\, \cdots \,\|\, X_{m-1}$ with $|X_i| = r$ for $0 \leq i \leq m-1$. While sponge functions are stateless in between calls, a duplex construction accepts, after initialisation, calls that take as input a bit string $X_i$ and a requested number of output bits $l_i$, with $0 \leq l_i \leq r$, and returns an $l_i$-bit sized output string $Y_i$ such that the latter depends on all $X_j$ for $0 \leq j \leq i$. In other words, an output of a duplex construction depends on all the inputs received so far. The process detailed above is also called duplexing and is denoted by
$$Y_i = D.\mathrm{duplexing}(X_i, l_i)$$
where $D$ denotes a duplex object, which is a concrete instance of a duplex construction. Internally, first the input block $X_i$ is XORed into the first $r$ bits of the state, then the function $f$ is applied to the latter, and finally the first $l_i$ bits of the state are extracted and returned as output. Figure 4 shows the layout of a generic duplex construction.
Figure 4: The duplex construction (the $b$-bit state is initialised to $0^r \,\|\, 0^c$; each duplexing call pads its input $X_i$ with $\mathrm{pad}_r$, XORs it into the rate part, applies $f$ and truncates the first $l_i$ bits of the state to obtain the output $Y_i$)
Building an authenticated encryption scheme with support for associated data from a duplex construction
can be done as follows. First, the state is initialised to $0^b$, followed by absorption of a
secret key K and a nonce N in the first duplexing call. Usually, no output is requested in
this phase. Depending on the concrete sizes of r, N, and K, several duplexing calls may be
necessary until all of the data has been absorbed. After this
initial setup phase, one can start processing actual data.
Now, let $A = A_0 \,\|\, \cdots \,\|\, A_{a-1}$ denote the (suitably padded) associated data, i.e. $|A_i| = r$ for $0 \le i \le a-1$,
and let $M = M_0 \,\|\, \c​dots \,\|\, M_{m-1}$ denote the (suitably padded) message, i.e. $|M_j| = r$ for $0 \le j \le m-1$.
Without loss of generality, we assume that A is processed before M, but the other order is
allowed as well. In fact, duplex constructions allow processing arbitrarily interleaved data of
different types, but we omit this case here for reasons of simplicity.
Authentication of associated data is done by calling D to absorb block $A_i$ without requesting any output bits.
Thus, the call is of the form $D.\mathrm{duplexing}(A_i, 0)$ for $0 \le i \le a-2$. Finally, during the
duplexing of the last block $A_{a-1}$ of associated data, r output bits are requested, i.e.
$Y_{-1} = D.\mathrm{duplexing}(A_{a-1}, r)$, which are then used to encrypt the first plaintext block $M_0$ and
obtain the corresponding ciphertext block through $C_0 = Y_{-1} \oplus M_0$. During plaintext
processing, r bits of output are requested in each call $Y_j = D.\mathrm{duplexing}(M_j, r)$ for $0 \le j \le m-2$, and the ciphertext
blocks are obtained by $C_j = Y_{j-1} \oplus M_j$ for $1 \le j \le m-1$. The last step of plaintext
processing is handled differently, by requesting t instead of r output bits, which are used as the
authentication tag T; in other words, the last call is $T = D.\mathrm{duplexing}(M_{m-1}, t)$.
This completes authentication of A and authenticated encryption of M, and the tuple $(N, A, C, T)$
can be transmitted.
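The following Python code is an added example, not code from the thesis, that implements the duplex object and the authenticated encryption procedure just described, together with the receiving side, which recomputes the tag and only releases the plaintext after verifying it. The function f is a constructed stand-in built from SHA-256, the rate, capacity and tag sizes (16 bytes each) are toy choices, the padding is a byte-granular 10*1 rule, and the names `seal`/`open_` as well as the sample key, nonce and associated data are assumptions made for this example.

```python
"""Authenticated encryption with associated data from a duplex object, following
the construction sketched above (init with K || N, absorb A with no output,
Y_{-1} from the last A block, C_j = Y_{j-1} ^ M_j, tag T from the last M block).

Constructed example, not code from the thesis: the b-bit function f is a
stand-in built from SHA-256 (the mode only needs some fixed function on b bits;
a real design uses a dedicated permutation), and r, c and t are toy byte sizes."""
import hashlib
import hmac

RATE, CAPACITY, TAG = 16, 16, 16          # r, c, t in bytes; b = r + c = 32 bytes


def f(state: bytes) -> bytes:
    """Stand-in for the b-bit function f (assumption: the SHA-256 digest is used as a
    fixed 32-byte map; it is not a permutation, which the mode mechanics do not need)."""
    return hashlib.sha256(b"duplex-f|" + state).digest()


def pad(x: bytes) -> bytes:
    """Multi-rate 10*1 padding at byte granularity: append 0x01, zero-fill to a
    multiple of r, OR 0x80 into the final byte. Injective, never empty, and the
    last block is never all-zero, i.e. sponge-compliant in the sense of the text."""
    out = bytearray(x) + b"\x01"
    out += b"\x00" * (-len(out) % RATE)
    out[-1] |= 0x80
    return bytes(out)


def blocks(data: bytes):
    p = pad(data)
    return [p[i:i + RATE] for i in range(0, len(p), RATE)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


class Duplex:
    """A duplex object D: state 0^b, then D.duplexing(X_i, l_i) calls."""

    def __init__(self):
        self.state = bytes(RATE + CAPACITY)

    def duplexing(self, x: bytes, l: int) -> bytes:
        assert len(x) == RATE and 0 <= l <= RATE
        self.state = f(xor(self.state[:RATE], x) + self.state[RATE:])
        return self.state[:l]


def _setup(key: bytes, nonce: bytes, ad: bytes):
    """Absorb K || N (no output), then A_0..A_{a-2} (no output) and A_{a-1} with r
    output bytes; returns the duplex object and Y_{-1}."""
    d = Duplex()
    for blk in blocks(key + nonce):
        d.duplexing(blk, 0)
    a_blocks = blocks(ad)
    for blk in a_blocks[:-1]:
        d.duplexing(blk, 0)
    return d, d.duplexing(a_blocks[-1], RATE)


def seal(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    """Returns (C, T). C has exactly len(msg) bytes: encryption is not expanding."""
    d, y = _setup(key, nonce, ad)
    m_blocks = blocks(msg)
    ct = bytearray()
    for j, mj in enumerate(m_blocks):
        ct += xor(y, mj)                                   # C_j = Y_{j-1} ^ M_j
        last = j == len(m_blocks) - 1
        y = d.duplexing(mj, TAG if last else RATE)         # Y_j, or T for the last block
    return bytes(ct[:len(msg)]), y


def open_(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    """Decrypts and verifies; returns the plaintext or None. Plaintext is released
    only after the recomputed tag matches (constant-time comparison)."""
    d, y = _setup(key, nonce, ad)
    n_blocks = len(ct) // RATE + 1                          # pad() always adds a block
    msg = bytearray()
    for j in range(n_blocks):
        chunk = ct[j * RATE:(j + 1) * RATE]                 # final chunk may be short or empty
        mj = xor(y[:len(chunk)], chunk)
        msg += mj
        last = j == n_blocks - 1
        block = pad(mj) if last else mj                     # re-pad the final partial block
        y = d.duplexing(block, TAG if last else RATE)       # feed M_j back in, as the sender did
    if not hmac.compare_digest(y, tag):
        return None
    return bytes(msg)
```

Two points worth noting. The ciphertext is truncated to the message length, so encryption is not expanding, and the receiver re-pads the final partial block before feeding it back into the duplex, exactly mirroring the sender. Reusing a nonce with the same key and associated data makes the first key stream block $Y_{-1}$ identical for both messages, so the XOR of the first ciphertext blocks equals the XOR of the first plaintext blocks; later blocks diverge as soon as the plaintexts do, because every further key stream block depends on the preceding plaintext block.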
Properties of Duplex Constructions: Authenticated encryption modes based on duplex
constructions have several attractive properties:
Duplex constructions inherit all the proven security bounds of the sponge function family and
benefit from the extensive analysis done on sponge functions [7, 43, 45, 46, 48, 51, 141].
Encryption is performed like in a stream cipher, namely by XORing the plaintext with a
pseudorandomly generated key stream, which allows decryption to be done in the same way.
Hence, the function f suffices for both encryption and decryption and no inverse function $f^{-1}$
is necessary.
Data that requires authentication and data that requires authenticated encryption can be
interleaved arbitrarily.
Duplex constructions can issue intermediate tags because of their flexible data processing
capabilities.
Encryption is not expanding, i.e. plaintext and ciphertext have the same length.
Duplex constructions are single-pass and require just a single call to the function f per
processed data block.
There are also some limitations, however. Firstly, the basic variant of the mode is serial and
cannot be parallelised on an algorithmic level. Nevertheless, in Chapter 4 we will present a
modified version of the duplex construction for NORX which is capable of processing data in
parallel. Secondly, since encryption works like in a stream cipher, it is essential for the security
of the scheme that nonce freshness is guaranteed. Otherwise, the first differing plaintext blocks
$M \ne M'$ that are encrypted with the same key stream block Y leak their XOR through the XOR
of the corresponding ciphertexts C and $C'$, namely $C \oplus C' = (M \oplus Y) \oplus (M' \oplus Y) = M \oplus M'$.
Other AE Constructions
There are also AE (AD) schemes following other design approaches that do not fall into one of
the aforementioned categories. For example, Helix [113], Phelix [243], and Hummingbird-2
[106] are dedicated hybrid AE primitives offering efficient stream encryption and MAC
computation at the same time, similar to the duplex construction described above. However, all
three of these primitives were shown to be weak [192, 201, 203, 247]. Another example is the
stream cipher Grain-128a [2], which optionally offers an extension for authenticated encryption.
At this point, we do not go into further details but refer the interested reader instead to the
referenced literature.
1.2 Cryptanalysis
How secure is a given cryptographic construction? The main goal of cryptanalysis is to answer
this question. There are countless ways in which a given cryptographic primitive can be
analysed. In the following, we introduce the general categories of cryptanalytic attacks. An
overview is given in Figure 5, which is of course neither exhaustive nor exact in every detail.
Figure 5: Categories of common cryptanalytic attacks (figure: a tree rooted at "Cryptanalysis" with two branches; "Conventional Attacks" with the leaves Brute-Force Attacks, Differential Attacks, Linear Attacks, Algebraic Attacks, Rotational Attacks, ...; and "Implementation Attacks" with the leaves Power-Analysis Attacks, Timing Attacks, Electromagnetic Attacks, Fault-based Attacks, ...)
The success of an attack is usually measured in terms of required time, memory, and data. It
usually depends on two factors, namely on the attack outcome, which categorises the goals an
adversary tries to achieve with his attack, and the adversarial model, which specifies what an
adversary is allowed or capable of doing during an attack. Further, an attack against a class of
cryptographic constructions is called generic if it works without exploiting any concrete details
of the members of that class. For example, exhaustively searching through all candidates of the
key space of a symmetric-key primitive is a generic attack. Otherwise, if an attack requires
certain features of a concrete cryptographic construction, it is called non-generic. In the field of
cryptanalysis, one usually assumes that the adversary knows all details of the attacked
cryptographic primitive except for the secret key chosen by the user. This assumption is
commonly called Kerckhoffs' Principle, which goes back to Auguste Kerckhoffs, who laid out
requirements for a usable field cipher in 1883 [151].
Time, Memory and Data
In cryptanalysis, the success of an attack is measured by the amount of resources it
consumes. As noted above, there are usually three kinds of resources that are of
interest for an attack:
Time: The time, or work effort, required to mount an attack. How time is measured
precisely depends on the given attack. One example is the number of basic
encryption operations. Time is usually the primary resource by which the effectiveness of an attack
is classified, but it is not the only one. Time is also often referred to as the offline complexity
of an attack.
Memory: The required amount of memory to execute an attack is usually another important
factor. In general, an attack with high memory consumption is considerably worse than one with a
comparable amount of time consumption. There is a rule of thumb saying that "time is
cheaper than memory" [128], which nicely captures the intuition that, for example, when
given a 128-bit block cipher, it is easier to perform $2^{40}$ encryption runs than to store
$2^{40}$ ciphertexts (= 16 TiB) in memory.
Data: The required amount of data is the third basic resource of an attack. If the time required to
collect the data for an attack far exceeds normal usage patterns, then the practical impact
of the attack is limited. Data is also often referred to as the online complexity
of an attack.
Note that attacks usually do not require just a single one of the above resources but rather a
combination of all three. Resources can also be traded against each other, which
leads to so-called trade-off attacks, a notion that is briefly discussed later.
The amount of used resources adds another dimension to the categorisation of an attack: if it
is not feasible to raise the required resources in a realistic setting (with current technology),
then the attack is called theoretical. Otherwise, it is called practical. For example, an attack
that targets a 128-bit block cipher and that requires $2^{120}$ encryption runs can clearly be
classified as theoretical. In contrast, an attack on the same cipher that requires $2^{40}$ encryption runs
(and negligible other resources) can certainly be regarded as practical.
Attack Objectives
The possible outcomes of an attack can differ greatly and depend on various
factors. A slightly adapted categorisation of attack goals for block ciphers, as
presented in [162], can be given as follows:
1. Key Recovery. The attacker can recover the secret key K. This is the most powerful
outcome of an attack.
2. Global Deduction. The attacker can compute encryptions $E_K(\cdot)$ or decryptions $D_K(\cdot)$
without knowing the secret key K.
3. Local Deduction. The attacker can compute encryptions $E_K(M)$ or decryptions $D_K(C)$
without knowing K for some messages M or ciphertexts C.
4. Distinguishing. The attacker can effectively distinguish $E_K(\cdot)$ from a permutation chosen
uniformly at random. Trying to distinguish encrypted from random data is the
most basic attack an adversary can mount on a cryptographic primitive.
These attack outcomes are ordered such that an adversary achieving one of them
automatically achieves all that follow. This implies in particular that if an attacker is not able to
distinguish a given block cipher from a permutation chosen uniformly at random, then the
block cipher is, in some sense, ideal.
Note that the above hierarchy of attack outcomes may differ for other cryptographic
primitives. For instance, an attack objective for stream ciphers may be the reconstruction of the
internal state, which is clearly a powerful outcome, but does not necessarily lead
directly to recovery of the secret key. Adversaries targeting keyless hash
functions have again different attack goals. While distinguishing a hash function from a
pseudorandom function still forms the baseline in this setting, the goal of key
recovery is obviously meaningless. Instead, attackers are usually interested in constructing
collisions, preimages, or second preimages, see Section 1.1.3.
Adversarial Models
The capabilities of an adversary in terms of the operations he is able or allowed to execute are another
important factor in a cryptanalytic attack. These conditions are usually summarised in adversarial
models and are classified by the kind of data and by the kind of access an adversary requires
to successfully mount a given attack. The kind of data differentiates between inputs
and outputs of a cryptosystem, such as secret keys, plaintexts, and ciphertexts, and the
kind of access differentiates between read, write and adaptive write access,
which are referred to as known values, chosen values and adaptively chosen values, respectively.
An overview of the main adversarial models in classical cryptanalysis, as presented in [162],
is given below:
1. Ciphertext-only Attacks. The adversary knows only the ciphertext and has no access to the
plaintext. A cryptographic primitive vulnerable to this kind of attack is considered
exceptionally weak, since it is possible to distinguish it from a random permutation by analysing
ciphertexts alone.
2. Known-plaintext Attacks. The adversary has read access to plaintexts and the corresponding
ciphertexts processed by the cipher. A representative of this category is, for instance, linear
cryptanalysis [182].
3. Chosen-plaintext Attacks. These are like known-plaintext attacks, with the difference
that the adversary is allowed to choose the concrete plaintexts to be encrypted before the attack. A
well-known attack type of this category is differential cryptanalysis [58].
4. Chosen-ciphertext Attacks. The adversary can choose ciphertexts to be decrypted by the cipher
before the attack begins and has read access to the resulting plaintexts.
5. Adaptively Chosen-plaintext Attacks. The adversary can choose plaintexts to be encrypted
during the attack and is not forced to pick them before the attack begins as in the
chosen-plaintext scenario. The attacker also has access to the resulting ciphertexts.
6. Adaptively Chosen-ciphertext Attacks. The adversary can choose ciphertexts to be
decrypted during the attack and is not forced to pick them before the attack begins as in the
chosen-ciphertext scenario. The attacker also has access to the resulting plaintexts.
7. Related-key Attacks. The adversary can encrypt plaintexts and decrypt ciphertexts
with the attacked key and with keys related to it [53], which, for instance, differ only
in certain bit positions.
With each of the above steps the attacker gains more control over the analysis of the block cipher,
which enables him to mount increasingly powerful attacks. At the same time, however,
collecting data of a given kind becomes increasingly demanding the further we go
down that list. The above categorisation therefore also gives an indication of the
(im-)practicability of the attacks.
The above models also form the basis for implementation attacks; there, however, the attacker is
assumed to have additional capabilities. Concrete details are discussed later in this chapter.
1.2.1 Brute-Force Attacks
A conceptually very simple attack, applicable against any symmetric cryptographic primitive, is
an exhaustive search for the shared secret key K. Obviously, this approach is independent of the
design of the cipher. For example, in the case of block ciphers, the adversary simply enumerates
all key candidates of the search space and tests every single one of them against a known
message-ciphertext pair until the correct key is found. This particular category of cryptanalytic
techniques is also known as brute-force attacks. Since there is no way of preventing an
adversary from mounting such an exhaustive search, designers of cryptographic primitives try
to ensure that brute force is the best attack available to an adversary. Exhaustive search
techniques are also often part of more advanced cryptanalytic attacks.
More formally, an attacker who knows a message-ciphertext pair $(M, E_K(M))$ and the
corresponding encryption algorithm E "just" needs to try $2^k$ keys to find the secret key with
probability one, where $k = |K|$. In general, if he checks $n \le 2^k$ keys, he succeeds with a probability
of $n/2^k$, and if he targets $m \le 2^k/n$ keys at once, he succeeds with a probability of about $mn/2^k$.
Time-Memory Trade-Offs
Exhaustive search techniques test one key after another but make no use of memory at all.
However, in many cases it is possible to improve certain attacks if some form of
memory is available, which also holds for brute force. An obvious application of memory in the
cryptanalysis of block ciphers are so-called dictionary attacks, which are, in some sense, the
counterpart to exhaustive search. In the offline phase, i.e. before the actual attack starts, an
attacker pre-computes all $2^k$ possible ciphertexts for a single known plaintext and stores all of
the key-ciphertext tuples in a table sorted by the value of the ciphertext. If an adversary then
intercepts a ciphertext in the online phase of the attack, he just needs to look up the ciphertext,
thereby retrieving the corresponding key, which represents a candidate for the secret key. The
requirements for such dictionary attacks are $2^k$ words of storage, where the size of a word
depends on the attacked cipher. These two extreme situations, i.e. exhaustive search versus
dictionary attacks, call for a trade-off.
Time-memory trade-offs (TMTO) were introduced in the context of cryptanalysis by Hellman
[128] in 1980. The idea is simple: if a certain attack has to be carried out multiple times, it
may be possible to execute the exhaustive search in advance and store a compressed representation
of the results in memory. In other words, the values pre-computed in the offline phase are used to
improve the running time of the attack in the online phase, while the storage requirements compared
to a dictionary attack are greatly reduced. The typical application of this method is the recovery of a key K
when a plaintext M and its corresponding ciphertext $C = E_K(M)$ are known. The basic idea of
Hellman's TMTO attack is to compute, from a chosen plaintext M and a sequence of key
candidates $K_{0,0}, \dots, K_{s-1,0}$, the starting points, key sequences $K_{i,j+1} = R(E_{K_{i,j}}(M))$ of length t,
with $i \in \{0, \dots, s-1\}$ and $j \in \{0, \dots, t-2\}$, where R is a reduction function that maps a
ciphertext to a key candidate. From those sequences only the starting and end points are saved
in a table as pairs $(K_{0,0}, K_{0,t-1}), \dots, (K_{s-1,0}, K_{s-1,t-1})$. Once an attacker intercepts a ciphertext C, he
can use the pre-computed table to check for potential key candidates: he applies R and $E_{(\cdot)}(M)$
step by step to C and looks each intermediate value up among the end points; on a match, the
corresponding key sequence is regenerated from its starting point to locate the key candidate.
Without going into the exact details at this point, the work in [128] shows that, for a
cryptosystem with $2^n$ keys, the secret key can be recovered in $2^{2n/3}$ operations and $2^{2n/3}$ words of
memory. To put Hellman's TMTO attack into perspective, it is estimated that the above attack
can be used against DES requiring approximately 64 GiB of memory and $2^{48}$ DES operations
instead of $2^{56}$ DES operations for exhaustive search (in the worst case scenario).
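As an added illustration, not code from the thesis or from [128], the following Python code builds Hellman tables for a constructed toy keyed function with 16-bit keys and runs the online phase against an intercepted ciphertext. The keyed function (a SHA-256 stand-in, since only forward evaluation is needed), the reduction function R, the fixed chosen plaintext, the start-point stride and the table sizes s and t are all assumptions made for this example.

```python
"""Hellman's time-memory trade-off against a constructed toy keyed function.

Added example, not code from the thesis or from [128]: E_K(M) is a stand-in
keyed function with 16-bit keys and 16-bit outputs derived from SHA-256 (only
forward evaluation is needed), the reduction function R truncates a ciphertext
to a key candidate, and the table sizes s and t are toy parameters."""
import hashlib

KEY_BITS = 16
KEY_MASK = (1 << KEY_BITS) - 1
M_FIXED = b"chosen-plaintext"               # the fixed plaintext M all chains are built on


def encrypt(key: int, msg: bytes) -> int:
    """Stand-in for E_K(M): 16-bit ciphertext from SHA-256(K || M) (assumption)."""
    return int.from_bytes(hashlib.sha256(key.to_bytes(2, "big") + msg).digest()[:2], "big")


def reduce_(c: int) -> int:
    """R: map a ciphertext to a key candidate (identity on the low KEY_BITS bits)."""
    return c & KEY_MASK


def step(k: int) -> int:
    """One chain step: K_{i,j+1} = R(E_{K_{i,j}}(M))."""
    return reduce_(encrypt(k, M_FIXED))


def build_table(s: int, t: int, seed: int = 0x5EED) -> dict:
    """Offline phase: s chains of t keys each; only (end point -> start point) is kept.
    Start points are spread over the key space by a fixed stride (constructed choice).
    Chains that merge share an end point; the first start point wins."""
    table = {}
    for i in range(s):
        start = (seed + i * 0x9E37) & KEY_MASK
        k = start
        for _ in range(t - 1):
            k = step(k)
        table.setdefault(k, start)
    return table


def online_attack(table: dict, t: int, c: int):
    """Online phase for an intercepted C = E_K(M): walk y = R(C), R(E_y(M)), ... for at
    most t-1 steps; on hitting a stored end point, regenerate that chain from its
    start point and return the first key k with E_k(M) == C. A chain that does not
    contain such a key is a false alarm (merged chains) and the walk continues."""
    y = reduce_(c)
    for _ in range(t):
        if y in table:
            k = table[y]
            for _ in range(t - 1):                  # positions 0 .. t-2 of the chain
                if encrypt(k, M_FIXED) == c:
                    return k
                k = step(k)
        y = step(y)
    return None


def brute_force(c: int) -> int:
    """Exhaustive search for comparison: up to 2^KEY_BITS encryptions, no memory."""
    return next(k for k in range(1 << KEY_BITS) if encrypt(k, M_FIXED) == c)


def coverage(table: dict, t: int, trials: int = 400) -> float:
    """Fraction of (deterministically sampled) keys the table recovers: an estimate of
    the key coverage s*t / 2^KEY_BITS minus the losses caused by merging chains."""
    hits = 0
    for i in range(trials):
        key = (i * 0x2F6B + 7) & KEY_MASK
        hits += online_attack(table, t, encrypt(key, M_FIXED)) is not None
    return hits / trials
```

The table stores only s start/end pairs but covers roughly $s \cdot t$ keys, minus the losses caused by chains that merge; `coverage` estimates this empirically. The online phase costs at most $t-1$ steps plus one chain regeneration per false alarm, against $2^{16}$ encryptions for `brute_force`. Increasing t reduces memory for the same coverage but lengthens both the online walk and the false-alarm cost, which is the trade-off the text describes.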
Over the years many enhancements were published for Hellmanā€™s TMTO attack. In 1992,
Rivest introduced distinguished points [102] where only key candidates of a particular shape are
saved as end points in the table, like keys that only have zeroes in the ten leftmost bits. This
approach oļ¬€ers a couple of advantages over normal Hellman tables. The structural knowledge
can be used to reduce the number of memory accesses in the online phase of the attack.
However, distinguished points also have some disadvantages. For example, it is harder to
estimate the actual key coverage since the computed sequences are very likely to have diļ¬€erent
lengths. For a more detailed discussion we refer the interested reader to the literature [102, 162].
In 2003, Oechslin [200] presented another modification, the so-called rainbow tables, which solve some
issues of Hellman's approach and furthermore offer computational advantages in the online phase.
The most notable change is that rainbow tables use a sequence of reduction
functions $R_1, \dots, R_l$ instead of only a single one, which gives them advantages similar to
distinguished points while avoiding their shortcomings. An attack based on rainbow tables
requires about half of the online work effort compared to an attack based on
Hellman's tables, while both attacks have the same key coverage and the same requirements for pre-
computation and memory. Rainbow tables became widely known through their
application in password cracking. A thorough coverage of the topic is beyond the scope of this
doctoral thesis. Hence, we refer the interested reader again to the literature [162, 200].
Time-Processor Trade-Offs
One great advantage of brute-force cryptanalysis is that it is trivial to
parallelise. An attack that checks n keys can simply be distributed to c nodes, lowering
the workload on each to n/c guesses. Clearly, parallelisation offers a linear speedup to
brute-force attacks.
The design of dedicated hardware for parallel cryptanalytic attacks, so-called time-processor
trade-offs, was discussed by Bernstein [38] in 2005. The work shows by estimation that
a moderately designed parallel machine can be considerably more efficient than a serial counterpart
while being only about twice as expensive. Using AES as an example, the work
illustrates that a parallel machine consisting of $2^{32}$ AES circuits and a comparable amount of
memory has a success probability of about $2^{-69}$ to find an AES key in just $2^{27}$
AES computations. If more than one key is targeted, say $2^{10}$ keys, then
the probability increases to $2^{-59}$ while the number of required AES computations stays
fixed at $2^{27}$. For comparison, the serial machine is expected to find a single secret key,
respectively one out of $2^{10}$ keys, with probabilities $2^{-69}$ and $2^{-59}$, where both scenarios
require $2^{59}$ AES computations. In other words, the parallel machine is by a factor of
about $2^{59}/2^{27} = 2^{32}$ more efficient than its serial counterpart. With respect to brute-force
attacks, time-processor trade-offs are (theoretically) considerably more efficient than a
time-memory trade-off, since the latter often neglects the communication cost
between a processor and a large memory. In comparison, the time-processor trade-offs above
assume that each circuit has its own small memory where only a few intermediate
results (around $2^4$) are buffered, i.e. memory accesses are kept to an absolute
minimum. For further reading we also refer to the work of Wiener from 2004
[244], where he presented a survey on the real costs of cryptanalytic attacks.
1.2.2 Differential Attacks
Differential cryptanalysis was discovered by Biham and Shamir in the early 1990s [58, 59]
where they investigated differential attacks on various block ciphers and hash functions. They
noted, in particular, that DES seems to be remarkably resistant against differential attacks and
would be much more vulnerable with only a few minor modifications. Coppersmith, who is one
of the original designers of DES, published a paper in 1994 revealing that the IBM design team
of DES had been aware of differential cryptanalysis as early as 1974 [88]. Differential
cryptanalysis belongs to the most powerful tools in the repertoire of every cryptanalyst and,
despite being invented for the cryptanalysis of block ciphers [162], was extended to other
symmetric primitives as well [124, 187, 233, 247].
The basic idea of differential attacks is the exploitation of correlations between input and
output differences of a cryptographic primitive, i.e. differential attacks utilise non-ideal
propagation of differences in a primitive when considering plaintext-ciphertext pairs.
Differences are usually computed with respect to bitwise XOR, but there are also other use
cases where differences are considered, for example, with respect to modular integer addition.
Differential cryptanalysis belongs to the category of chosen-plaintext attacks as introduced
above.
In the simplest case, consider a cryptosystem very similar to a one-time pad which encrypts a
plaintext M with a key K to a ciphertext C by computing $C = M \oplus K$. If K is used a second time
to encrypt another message $M'$, i.e. $C' = M' \oplus K$, then an attacker who intercepts both C and $C'$ is
able to trivially derive information on the plaintexts by computing the XOR-difference of the
ciphertexts
$$C \oplus C' = (M \oplus K) \oplus (M' \oplus K) = M \oplus M' .$$
Although this is a very simple example, it nevertheless illustrates the basic idea of differential
cryptanalysis very well. Since real-world ciphers are much more complex than the above
example, a more general approach to differential cryptanalysis is required.
Differences and Differentials
In this part, we introduce the basic notions and concepts that are used in differential
cryptanalysis.
Let $x, x' \in \mathbb{F}_2^n$ be n-bit strings. We call $\Delta = x \oplus x'$ the n-bit difference of x and $x'$ with respect to
bitwise XOR, or XOR-difference for short. For an n-bit difference $\Delta$ with Hamming weight
$\mathrm{hw}(\Delta) = m$, we also call the m 1-entries of $\Delta$ the active bits of $\Delta$. Let f be a vector Boolean function
of the form
$$f : \mathbb{F}_2^n \to \mathbb{F}_2^m, \quad x \mapsto y$$
with $n, m \in \mathbb{N}$ and let $\alpha \in \mathbb{F}_2^n$ and $\beta \in \mathbb{F}_2^m$ be XOR-differences. We call $(\alpha, \beta)$ an XOR-differential with
respect to f if there exists a bit string $x \in \mathbb{F}_2^n$ such that the following equation holds:
$$f(x \oplus \alpha) \oplus f(x) = \beta .$$
If no such bit string x exists, then $(\alpha, \beta)$ is called an impossible XOR-differential with respect to f.
We denote a differential by
$$\alpha \xrightarrow{f} \beta .$$
If the context is clear we skip the f above the arrow and just write $\alpha \to \beta$. Furthermore, we call $\alpha$ the
input difference and $\beta$ the output difference of the differential with respect to the function f.
Each differential has an associated probability, which describes the likelihood that, for input
pairs x and $x \oplus \alpha$ where x was chosen uniformly at random, the output difference $\beta$ indeed appears
after the application of f. Let f be a vector Boolean function as specified above and let $\delta = (\alpha, \beta)$ be
an XOR-differential with respect to f. The probability $\mathrm{xdp}^f$ that $\delta$ holds is defined as
$$\mathrm{xdp}^f(\delta) = \big|\{x \in \mathbb{F}_2^n : f(x \oplus \alpha) \oplus f(x) = \beta\}\big| \cdot 2^{-n} .$$
The value $\mathrm{xdp}^f(\delta)$ is also called the XOR-differential probability of $\delta$. Moreover, for $\mathrm{xdp}^f(\delta) = 2^{-w}$
we call w the XOR-(differential) weight of $\delta$.
Note that the differential probability of an impossible differential is always 0 by definition, since
$\{x \in \mathbb{F}_2^n : f(x \oplus \alpha) \oplus f(x) = \beta\} = \emptyset$. To capture all information on a differential $(\alpha, \beta)$ of f having
probability p in a compact form, we write
$$\alpha \xrightarrow[p]{f} \beta .$$
Differential cryptanalysis was originally developed for the security analysis of block ciphers as
already mentioned in the introduction. These cryptographic primitives are usually built from a
(cryptographically weak) round function f which is then iterated r times. However, for decently
designed block ciphers, it is usually infeasible to directly find differentials of high probability
for all r rounds. Therefore, it is reasonable to not only consider input and output differences of
the cryptographic primitive but to analyse intermediate values after each of the r rounds as well.
This leads to the concept of
differential characteristics (or paths, or trails). Let $f_0, \dots, f_{r-1}$ be a sequence of vector
Boolean functions defined by
$$f_i : \mathbb{F}_2^n \to \mathbb{F}_2^n, \quad x \mapsto y$$
for $i \in \{0, \dots, r-1\}$ and let $\alpha_0, \dots, \alpha_r \in \mathbb{F}_2^n$ denote differences such that
$$\alpha_i \xrightarrow{f_i} \alpha_{i+1} .$$
We call $(\alpha_0, \dots, \alpha_r)$ a (XOR-differential) characteristic, or path, or trail with respect to
the functions $f_0, \dots, f_{r-1}$ and denote it by
$$\alpha_0 \xrightarrow{f_0} \cdots \xrightarrow{f_{i-1}} \alpha_i \xrightarrow{f_i} \cdots \xrightarrow{f_{r-1}} \alpha_r .$$
The values $\alpha_0$ and $\alpha_r$ are called the input and output difference and $\alpha_j$ with $j \in \{1, \dots, r-1\}$
are called the internal differences of the characteristic.
A visualisation of such a differential characteristic in an iterated block cipher with
rounds $f_i$ and round keys $K_i$ is given in Figure 6 for $i \in \{0, \dots, r-1\}$.
Figure 6: XOR-differential characteristic in an iterated r-round block cipher (figure: the two plaintexts M and $M'$ with difference $\alpha_0$ pass through $f_0, f_1, \dots, f_{r-2}, f_{r-1}$ with the round keys $K_0, K_1, \dots, K_{r-2}, K_{r-1}$ XORed in between; the internal differences are $\alpha_1, \dots, \alpha_{r-1}$ and the ciphertexts C and $C'$ differ by $\alpha_r$)
To compute the differential probability p of the entire characteristic, one generally assumes that
the sequence of differences forms a Markov chain and that the plaintexts and round subkeys are
independent and uniformly random [177]. Thus, p is simply the product of the probabilities of
each single step. More formally, let $(\alpha_0, \dots, \alpha_r)$ be a differential characteristic with
$$\alpha_i \xrightarrow[p_i]{f_i} \alpha_{i+1}$$
where $p_i = \mathrm{xdp}^{f_i}(\alpha_i, \alpha_{i+1})$ for $i \in \{0, \dots, r-1\}$. The overall probability p of the
characteristic $(\alpha_0, \dots, \alpha_r)$ is then approximated by
$$p \approx \prod_{i=0}^{r-1} p_i .$$
An obvious question that comes to mind at this point is how differentials and characteristics relate to each
other. Differentials can be composed of multiple differential characteristics which share the same
input and output differences $\alpha_0$ and $\alpha_r$, respectively, but have distinct internal differences $\alpha_i$ for
$i \in \{1, \dots, r-1\}$. In a first step, it is often assumed that the probability of a differential can be
approximated by the highest probability of one of its differential characteristics. While this works
in most cases as an initial approximation, it usually turns out to be too rough due to
differential effects such as trail clustering [49, 64], where many characteristics with a similar
probability and the same input and output differences form a differential and contribute
equally to its probability. As a consequence, the probability of the differential is much higher than that
of any single characteristic.
XOR-differentials are the most common type used in differential cryptanalysis. However, one
could transfer the above concepts to other group operations and their inverses, too. One such
class are, for example, f-differentials with respect to XOR, where f is a vector Boolean function.
We briefly motivate this approach below. Assume that differences are expressed through a
vector Boolean function
$$f : \mathbb{F}_2^{2n} \to \mathbb{F}_2^n$$
instead of XOR. A tuple $(\alpha, \beta, \gamma)$ of differences is called an f-differential with respect to
XOR if there exist n-bit strings x and y such that the following equation holds:
$$f(x, \alpha) \oplus f(y, \beta) = f(x \oplus y, \gamma) .$$
If no such n-bit strings x and y exist, the f-differential is called impossible with respect to XOR.
We denote such an f-differential by $(\alpha, \beta) \to \gamma$, where $\alpha$ and $\beta$ are the input differences and $\gamma$ is the output
difference.
Let f be a vector Boolean function and $\delta = (\alpha, \beta, \gamma)$ be an f-differential. The probability $\mathrm{fdp}$ that $\delta$ holds is
defined as
$$\mathrm{fdp}(\delta) = \big|\{x, y \in \mathbb{F}_2^n : f(x, \alpha) \oplus f(y, \beta) \oplus f(x \oplus y, \gamma) = 0\}\big| \cdot 2^{-2n} .$$
We call $\mathrm{fdp}(\delta)$ the f-differential probability of $\delta$. Moreover, for $\mathrm{fdp}(\delta) = 2^{-w}$ we call w the
f-(differential) weight of $\delta$.
The notions of an f-differential characteristic and its associated probability can be defined
analogously to those of an XOR-differential characteristic above.
Using Differentials
Differentials can be used for cryptanalysis in various ways. Below we review the most common
applications, which are distinguishers, key recovery, and construction of collisions in hash
functions.
Distinguishers: Let E be a block cipher with a k-bit key and an n-bit block size and let $(\alpha, \beta)$ be a
differential for E having probability $p \gg 2^{-n}$, where $\gg$ means "significantly larger". A simple
application of $(\alpha, \beta)$ is to mount a distinguishing attack on E, i.e. an attack that tries to distinguish
E from an ideal cipher. For more information, refer to the attack objectives as introduced at the
beginning of the current section. The sketch of such an attack is given in Algorithm 1. It takes as
input the above differential and an encryption oracle $O_{E_K}$, which, when queried with a plaintext
M, returns the corresponding ciphertext C. Note that the secret key K is unknown to the attacker and
is assumed to remain fixed for the duration of the experiment. The oracle is then queried with $1/p$
randomly chosen message pairs M and $M \oplus \alpha$, and it is checked whether the outputs $C = O_{E_K}(M)$ and
$C' = O_{E_K}(M \oplus \alpha)$ exhibit the required output difference, i.e. whether $C \oplus C' = \beta$. If, at some point, such a
match is found the distinguisher returns false, meaning that E is not ideal. If no match is found it
returns true. With $1/p$ pairs the expected number of matching pairs is one, so the attack succeeds
with constant probability: at least one match is observed with probability about $1 - 1/e \approx 0.63$,
and querying a small multiple $c/p$ of pairs raises this to about $1 - e^{-c}$. In contrast,
for an ideal cipher a given output difference is expected to appear only once in about $2^n - 1$ trials.
Algorithm 1: distinguish($(\alpha, \beta)$, $O_{E_K}$)
Inputs:
differential $(\alpha, \beta)$ for E of probability p, encryption oracle $O_{E_K}$
Outputs:
{true, false}
Algorithm:
1. for $i \in \{0, \dots, 1/p - 1\}$ do
2.   $M \xleftarrow{\$} \mathbb{F}_2^n$
3.   if $O_{E_K}(M) \oplus O_{E_K}(M \oplus \alpha) = \beta$ then
4.     return false
5.   end
6. end
7. return true
Key Recovery: The ultimate aim of an attacker is not only to distinguish a cipher from a
random permutation but to recover the secret key. A distinguishing attack can be converted into
a key recovery attack as follows: Suppose the encryption E of an n-bit block cipher is composed
of round functions $f_i$ for $i \in \{0, \dots, r-1\}$, uses n-bit subkeys $K_j$ for $j \in \{0, \dots, r\}$, with
$K = K_0 \,\|\, \cdots \,\|\, K_r$, and can be written as
$$C = E(K, M) = f_{r-1}\big(f_{r-2}\big(\cdots f_1\big(f_0(M \oplus K_0) \oplus K_1\big) \cdots \oplus K_{r-2}\big) \oplus K_{r-1}\big) \oplus K_r .$$
In other words, E can be modeled as shown in Figure 7.
Figure 7: The encryption function $E_K$ of a block cipher (figure: the plaintext M is XORed with $K_0$, passed through $f_0$, XORed with $K_1$, passed through $f_1$, and so on through $f_{r-2}$, $K_{r-1}$ and $f_{r-1}$, before the final XOR with $K_r$ yields C)
Further assume that an attacker found a differential $(\alpha, \beta)$ of probability p stretching over
the first $r-1$ rounds $f_{r-2} \circ \cdots \circ f_0$. The attacker initialises counters $T_0, \dots, T_{2^n-1}$
with the value 0 each. For randomly chosen plaintexts M and $M' = M \oplus \alpha$ he then queries the encryption
oracle to obtain $C = O_{E_K}(M)$ and $C' = O_{E_K}(M')$. Afterwards, he iterates over all possible values
$k \in \{0, \dots, 2^n - 1\}$ of $K_r$ and checks if
$$\beta = f_{r-1}^{-1}(C \oplus k) \oplus f_{r-1}^{-1}(C' \oplus k) .$$
If the equation holds then the counter $T_k$ is increased by 1. This event occurs with probability p
if the kth guess for $K_r$ is correct and with another probability $p'$ if it is incorrect. It is expected
that $p \gg p'$, i.e. that p is much larger than $p'$. If the above experiment is repeated for $l \gg 1/p$
randomly chosen message pairs M and $M'$ then the correct counter is expected to have a value of
approximately $l \cdot p$ whereas the counters for the incorrect key hypotheses have values of
approximately $l \cdot p'$. Since $p \gg p'$, it follows that $l \cdot p \gg l \cdot p'$, i.e. the counter for the correct key should
be clearly distinguishable from the counters of the other key hypotheses and the attacker can
thus reconstruct $K_r$. Afterwards, the last round can be stripped off and $K_{r-1}$ can be attacked by a
similar technique using a differential over $r-2$ rounds. Obviously, the attacker can repeat this
approach until he has retrieved all subkeys. A sketch of the above key recovery attack is shown
in Algorithm 2. Obviously, the described attack can be transferred to other cipher constructions
as well.
The so-called signal-to-noise ratio $S_N = p/p'$ measures the quality of a differential attack and is used to describe the advantage of the differential attack over exhaustive search [220]. Instead of trying to rank the correct n-bit key as the most significant one, as shown in Algorithm 2, one instead tries to rank it within the top m out of $2^n$ key candidates. We then say that the attack yields a $\log_2 m$-bit advantage over exhaustive search, i.e. the complexity is reduced by a factor of $2^{n - \log_2 m}$. Assuming that the key counters $T_0, \ldots, T_{2^n-1}$ are independent and that they are identically distributed for all wrong key candidates, one can compute the probability of success $p_s$ for a differential attack using N plaintext-ciphertext pairs in terms of $\Phi$, the cumulative distribution function of the standard normal distribution [220]. The work [220] also shows how to reformulate this result such that, given the targeted probability of success $p_s$, one can compute the corresponding data complexity of the differential attack:
$$N = \frac{\left(\sqrt{S_N + 1}\,\Phi^{-1}(p_s) + \Phi^{-1}\!\left(1 - 2^{-\log_2 m}\right)\right)^2}{S_N \cdot p} .$$
In summary, this also shows that the data complexity of differential cryptanalysis is expected to be proportional to $1/p$. However, these results can only be used as a rough estimation, since the assumption that the counters $T_0, \ldots, T_{2^n-1}$ are independent is rather unrealistic.

Algorithm 2: recover_key(differential, $O_{E_K}$)
Inputs: (r-1)-round differential (input difference, output difference) of probability p, encryption oracle $O_{E_K}$
Outputs: round key $K_r$
Algorithm:
1. $(T_0, \ldots, T_{2^n-1}) \leftarrow (0, \ldots, 0)$
2. for $i \in \{0, \ldots, l-1\}$ do
3.   $M \xleftarrow{\$} \mathbb{F}_2^n$; $M' \leftarrow M \oplus$ input difference
4.   $C \leftarrow O_{E_K}(M)$
5.   $C' \leftarrow O_{E_K}(M')$
6.   for $k \in \{0, \ldots, 2^n - 1\}$ do
7.     if $f_{r-1}^{-1}(C \oplus k) \oplus f_{r-1}^{-1}(C' \oplus k) =$ output difference then
8.       $T_k \leftarrow T_k + 1$
9.     end
10.  end
11. end
12. choose j such that $T_j = \max(T_0, \ldots, T_{2^n-1})$
13. return j
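The data-complexity formula above, evaluated numerically. This is an added example rather than the thesis's own code: Python's `statistics.NormalDist` supplies $\Phi$ and $\Phi^{-1}$, the success-probability function is obtained by solving the stated formula for $p_s$, and the sample values of p, $S_N$, $p_s$ and the advantage are constructed.

```python
"""Data complexity of a differential attack from its signal-to-noise ratio.

Added example, not from the thesis. Evaluates
    N = (sqrt(S_N + 1) Phi^-1(p_s) + Phi^-1(1 - 2^-a))^2 / (S_N * p)
with Phi the standard normal CDF and a = log2 m the advantage in bits as the
text defines it. All parameter values below are constructed.
"""
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()   # .cdf() is Phi, .inv_cdf() is Phi^{-1}


def signal_to_noise(p, p_wrong):
    """S_N = p / p': probability that the counter check passes for the right
    key over the probability that it passes for a wrong key guess."""
    if not 0 < p_wrong <= p <= 1:
        raise ValueError("need 0 < p' <= p <= 1")
    return p / p_wrong


def _z_rank(advantage_bits):
    """Phi^-1(1 - 2^-a): quantile of the wrong-key counters the right key
    must exceed to be ranked within the top m = 2^a candidates."""
    if not 0 < advantage_bits < 50:          # 1 - 2^-a must stay strictly below 1.0
        raise ValueError("advantage_bits must lie in (0, 50)")
    return _STD_NORMAL.inv_cdf(1 - 2.0 ** -advantage_bits)


def data_complexity(p, sn, p_success, advantage_bits):
    """Number N of plaintext-ciphertext pairs needed for success probability p_success."""
    if not 0 < p_success < 1 or p <= 0 or sn <= 0:
        raise ValueError("need p_success in (0, 1), p > 0 and S_N > 0")
    z_success = _STD_NORMAL.inv_cdf(p_success)
    return (math.sqrt(sn + 1) * z_success + _z_rank(advantage_bits)) ** 2 / (sn * p)


def success_probability(p, sn, n_pairs, advantage_bits):
    """The formula above solved for p_s: what n_pairs buy at a given advantage."""
    if p <= 0 or sn <= 0 or n_pairs < 0:
        raise ValueError("need p > 0, S_N > 0 and n_pairs >= 0")
    z = (math.sqrt(sn * p * n_pairs) - _z_rank(advantage_bits)) / math.sqrt(sn + 1)
    return _STD_NORMAL.cdf(z)


if __name__ == "__main__":
    # Constructed scenario: wrong keys pass the check at 2^-16, so a 2^-10
    # differential has S_N = 2^6; the table shows N scaling like 1/p.
    sn = signal_to_noise(2 ** -10, 2 ** -16)
    for p in (2 ** -8, 2 ** -10, 2 ** -12):
        n = data_complexity(p, sn, 0.95, 8)
        print(f"p = 2^{math.log2(p):.0f}: N ~ 2^{math.log2(n):.2f} pairs = {n * p:.1f}/p")
    n = data_complexity(2 ** -10, sn, 0.95, 8)
    print(f"p_s with half that data: {success_probability(2 ** -10, sn, n / 2, 8):.3f}")
```

Because $S_N$ and the advantage enter only through the numerator, N is exactly proportional to $1/p$ for fixed $S_N$, which is the proportionality the summary above states; the independence assumption behind the formula is the reason the computed N should be read as an order of magnitude rather than an exact budget.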
From a theoretical perspective, the above approach gives the impression of being easily executable. From a practical point of view, though, an attacker has to overcome many obstacles which were not mentioned above. Firstly, it is usually rather hard to find suitable differentials of a reasonably low probability over r-1 rounds for any decently designed cipher. It counts as a theoretical break if an attacker finds a differential whose probability p is larger than $2^{-b}$, where b is the block size (and often also the round key size) of the attacked cipher. For example, an attacker who targets a block cipher with 128-bit blocks (round keys) and who found an (r-1)-round differential having probability $p = 2^{-120}$ is able to mount an attack which can break the block cipher theoretically. From a practical perspective, though, the attack is infeasible, since gathering $2^{120}$ (or more) plaintext-ciphertext pairs is obviously impracticable. If p is sufficiently
Grammar Clinic Letter Writing (Informal Letter)  PGrammar Clinic Letter Writing (Informal Letter)  P
Grammar Clinic Letter Writing (Informal Letter) P
Ā 
Transfer Essays Sample. Online assignment writing service.
Transfer Essays Sample. Online assignment writing service.Transfer Essays Sample. Online assignment writing service.
Transfer Essays Sample. Online assignment writing service.
Ā 
The Cost Of College Is Too High Essays. Online assignment writing service.
The Cost Of College Is Too High Essays. Online assignment writing service.The Cost Of College Is Too High Essays. Online assignment writing service.
The Cost Of College Is Too High Essays. Online assignment writing service.
Ā 
Check Out Flawless Interview Paper From Our Writers
Check Out Flawless Interview Paper From Our WritersCheck Out Flawless Interview Paper From Our Writers
Check Out Flawless Interview Paper From Our Writers
Ā 
Castle Leaflet Writing Frame - KS1 (Teacher Made) - Tw
Castle Leaflet Writing Frame - KS1 (Teacher Made) - TwCastle Leaflet Writing Frame - KS1 (Teacher Made) - Tw
Castle Leaflet Writing Frame - KS1 (Teacher Made) - Tw
Ā 
Buy Ready Essays - Buy. Online assignment writing service.
Buy Ready Essays - Buy. Online assignment writing service.Buy Ready Essays - Buy. Online assignment writing service.
Buy Ready Essays - Buy. Online assignment writing service.
Ā 

Recently uploaded

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
Ā 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
Ā 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
Ā 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
Ā 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
Ā 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
Ā 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
Ā 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
Ā 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
Ā 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
Ā 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
Ā 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
Ā 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
Ā 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
Ā 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
Ā 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
Ā 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
Ā 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
Ā 

Recently uploaded (20)

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Ā 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
Ā 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
Ā 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
Ā 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
Ā 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
Ā 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
Ā 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
Ā 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
Ā 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
Ā 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
Ā 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Ā 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
Ā 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
Ā 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
Ā 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Ā 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Ā 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Ā 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
Ā 

Analysis and Design of Symmetric Cryptographic Algorithms

Abstract

This doctoral thesis is devoted to the analysis and design of symmetric cryptographic algorithms.

In the first part of the thesis, we deal with fault-based attacks on cryptographic circuits. These attacks belong to the field of active implementation attacks and aim to retrieve secret keys stored on such chips. Our main focus lies on the cryptanalytic aspects of those attacks. In particular, we target block ciphers with a lightweight and (often) non-bijective key schedule, where the derived subkeys are (almost) independent of each other. An attacker who can reconstruct one of the subkeys is therefore not necessarily able to recover the other subkeys, or the secret master key, by simply inverting the key schedule. We present a framework based on differential fault analysis that allows attacking block ciphers which are built on a substitution-permutation network and use an arbitrary number of independent subkeys. These techniques are then applied to the lightweight block ciphers LED and PRINCE, and we show in both cases how to recover the secret master key with only a few fault injections. Furthermore, we investigate approaches that use algebraic instead of differential techniques for the fault analysis and discuss their advantages and drawbacks. At the end of the first part, we investigate fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is not based on a substitution-permutation network but on the so-called Lai-Massey scheme. The framework mentioned above is therefore not applicable to Bel-T. Nevertheless, we also present techniques for Bel-T that enable full recovery of the secret key in a very efficient way using differential fault analysis.

In the second part of the thesis, we focus on authenticated encryption schemes. While conventional ciphers only protect the confidentiality of the processed data, authenticated encryption schemes also protect its authenticity and integrity. Many of these schemes are additionally able to protect the authenticity and integrity of so-called associated data. This kind of data is transmitted unencrypted but must nevertheless be protected from tampering during transmission. Authenticated encryption is nowadays the standard technique for securing data in transit. However, most of the currently deployed schemes have deficiencies, and there are many leverage points for improvement. With NORX we present a novel authenticated encryption scheme supporting associated data. The algorithm was designed with high security, efficiency in both hardware and software, simplicity, and robustness against side-channel attacks in mind. Along with its specification, we present its special features, security goals, implementation details, and extensive performance measurements, and we discuss its advantages over currently deployed standards. Finally, we describe our preliminary security analysis, in which we investigate differential and rotational properties of NORX. Of particular importance are the newly developed techniques for differential cryptanalysis of NORX, which exploit the power of SAT and SMT solvers and should be easily adaptable to other encryption schemes as well.

Acknowledgements

After four years of working on my PhD and after a long period of thesis writing, the time has come to turn to the most important part of this thesis. I am indebted to many people whom I have met and worked with and who have supported me along the way. I doubt that my path in life would have turned out the way it did without their involvement. It is therefore a real pleasure for me to take this opportunity and express my gratitude to all of them.

First of all, I would like to thank my research supervisor, Prof. Dr. G. Manoj Someswar, for accepting me as a PhD student, for continuously supporting me in all matters, be they scientific or otherwise, and especially for their open-door policy. Furthermore, I would like to thank them for allowing me to pursue my own path in research, which was often only loosely connected to the main research topics of their respective groups. I also want to express my deep gratitude to the researchers of Global Research Academy – Scientific and Industrial Research Organization [Autonomous], Hyderabad, Telangana State, India, who kindly agreed to provide me with all the data and information relevant to my Ph.D. thesis work. My deepest and sincerest gratitude also goes to my family, my brother and my parents. I thank them so much for their constant support, for the possibilities you have given me in life, and for always being there when needed.

Finally, I would like to express my utmost and sincere thanks to all of my students and colleagues who have accompanied, encouraged, and supported me with their love, friendship, understanding, and humour through all the ups and downs of my PhD and beyond. Without them, I would never have made it this far. Thanks for everything.
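The associated-data property the abstract describes (a header that travels in the clear but is still covered by the authentication tag), shown as an added example that is not NORX and not code from the thesis. It is a generic encrypt-then-MAC composition built only from Python's hashlib and hmac: a SHA-256 counter keystream for confidentiality and a truncated HMAC-SHA256 tag over the header, nonce and ciphertext. The function names and the sample key, nonce, header and message are constructed for the illustration; the construction exists to show the interface and the failure modes (a modified header or ciphertext is rejected before any plaintext is released), and a vetted AEAD should be used in practice.

```python
"""Generic AEAD with associated data: encrypt-then-MAC from hashlib/hmac.

Added illustration only; not NORX and not a recommended construction.
Interface: (key, nonce, ad, pt) -> (ct, tag); the header `ad` is sent in the
clear, is never encrypted, but any change to it invalidates the tag.
"""
import hashlib
import hmac


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc, nonce, length):
    """SHA-256 in counter mode. Reusing a nonce under the same key reuses
    the keystream and leaks the XOR of the two plaintexts, as in any
    stream cipher; the nonce must be unique per (key, message)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(k_enc + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _tag(k_mac, nonce, ad, ct):
    # The length prefix makes the (ad, ct) boundary unambiguous, so moving
    # bytes between header and ciphertext cannot yield the same tag input.
    msg = len(ad).to_bytes(8, "big") + ad + nonce + ct
    return hmac.new(k_mac, msg, hashlib.sha256).digest()[:16]


def aead_encrypt(key, nonce, ad, pt):
    k_enc, k_mac = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    return ct, _tag(k_mac, nonce, ad, ct)


def aead_decrypt(key, nonce, ad, ct, tag):
    """Returns the plaintext, or None if header, nonce or ciphertext were
    altered. The tag is checked in constant time before any decryption."""
    k_enc, k_mac = _subkeys(key)
    if not hmac.compare_digest(tag, _tag(k_mac, nonce, ad, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def aead_demo():
    """Constructed sample: a routing header as associated data, a payload
    as plaintext, then tampering with each part separately."""
    key, nonce = bytes(range(32)), bytes(range(16))
    ad = b'{"dst":"10.0.0.7","seq":41}'
    pt = b"transfer 100"
    ct, tag = aead_encrypt(key, nonce, ad, pt)
    roundtrip = aead_decrypt(key, nonce, ad, ct, tag) == pt
    forged_ad = b'{"dst":"10.0.0.9","seq":41}'
    ad_rejected = aead_decrypt(key, nonce, forged_ad, ct, tag) is None
    flipped_ct = ct[:-1] + bytes([ct[-1] ^ 0x01])
    ct_rejected = aead_decrypt(key, nonce, ad, flipped_ct, tag) is None
    return {"roundtrip": roundtrip, "ad_tamper_rejected": ad_rejected,
            "ct_tamper_rejected": ct_rejected, "ad_in_clear": ad}


if __name__ == "__main__":
    print(aead_demo())
```

The decrypt path returns before touching the keystream when the tag does not match, which is the property that matters operationally: a receiver that decrypts first and verifies later hands an attacker a padding or format oracle on the unauthenticated plaintext.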
Contents

Acknowledgements
Motivation
List of Symbols
1 Introduction
  1.1 Cryptography
    1.1.1 Block Ciphers
    1.1.2 Stream Ciphers
    1.1.3 Hash Functions
    1.1.4 Message Authentication Codes
    1.1.5 Authenticated Encryption Schemes
  1.2 Cryptanalysis
    1.2.1 Brute-Force Attacks
    1.2.2 Differential Attacks
    1.2.3 Linear Attacks
    1.2.4 Algebraic Attacks
    1.2.5 Rotational Attacks
    1.2.6 Implementation Attacks
  1.3 Security Notions
2 Fault-based Attacks on the Block Ciphers LED and PRINCE
  2.1 Introduction
  2.2 The Block Cipher LED
    2.2.1 General Layout
    2.2.2 Round Function
  2.3 The Block Cipher PRINCE
    2.3.1 General Layout
    2.3.2 Round Function
  2.4 Fault Attacks on LED-64
    2.4.1 Fault Models
    2.4.2 Fault Equations
    2.4.3 Key Filtering Mechanisms
    2.4.4 Experimental Results
    2.4.5 Extensions of the Fault Attack
  2.5 Multi-Stage Fault Attacks on LED-128 and PRINCE
    2.5.1 The Multi-Stage Fault Attack Framework
    2.5.2 Applications to LED-128
    2.5.3 Experimental Results
    2.5.4 Applications to PRINCE
    2.5.5 Experimental Results
    2.5.6 Extensions of the Fault Attacks
  2.6 Algebraic Fault Attacks on LED-64
    2.6.1 Algebraic Representation of LED
    2.6.2 Algebraic Representation of the LED Fault Equations
    2.6.3 Experimental Results
  2.7 Conclusion
3 Fault-based Attacks on the Bel-T Block Cipher Family
  3.1 Introduction
  3.2 The Block Cipher Bel-T
  3.3 Fault Attacks on Bel-T
    3.3.1 Bel-T-128
    3.3.2 Bel-T-192
    3.3.3 Bel-T-256
    3.3.4 Experimental Results
  3.4 Practical Issues and Countermeasures
  3.5 Conclusion
4 NORX: Parallel and Scalable Authenticated Encryption
  4.1 Introduction
  4.2 Specification
    4.2.1 Preliminaries
    4.2.2 Parameters and Interface
    4.2.3 Layout Overview
    4.2.4 The Round Function
    4.2.5 Encryption Mode
    4.2.6 Decryption Mode
    4.2.7 Datagrams
  4.3 Security Goals
  4.4 Features
    4.4.1 List of Characteristics
    4.4.2 Recommended Parameter Sets
    4.4.3 Performance
  4.5 Design Rationale
    4.5.1 The Parallel MonkeyDuplex Construction
    4.5.2 The Functions F, G, and H
    4.5.3 Selection of Constants
    4.5.4 Number of Rounds
    4.5.5 The Padding Rule
  4.6 Conclusion
5 Analysis of NORX
  5.1 Introduction
  5.2 General Observations on G and F
    5.2.1 Fix Points
    5.2.2 Weak States
    5.2.3 Algebraic Properties
    5.2.4 Slide Attacks
  5.3 Differential Cryptanalysis
    5.3.1 Simple Differentials
    5.3.2 Impossible Differentials
    5.3.3 NODE – NORX Differential Search Engine
  5.4 Rotational Cryptanalysis
  5.5 Conclusion
Bibliography
Test Vectors for NORX
Publications

Motivation

Cryptology consists of two cooperating partners: cryptography, the science of designing secure communication channels in the presence of adversaries, on the one hand, and cryptanalysis, the science of evaluating the security of cryptographic constructions, on the other. Traditionally employed by the military and secret services (we refer to Kahn [146] for an extensive treatment of the early history and to the seminal publications of Kerckhoffs [151] and Shannon [223, 224] for the foundations of modern cryptology), the situation changed drastically in the past decades, when cryptology found its way into our everyday life. The main reason, without doubt, is the Digital Revolution triggered by the development of the computer and the introduction of the Internet, which led to a rapidly growing influence of technology and digital media on essentially every part of modern society. Security of sensitive digital data against unauthorized access is nowadays not only a highly relevant topic for industry and governments but a concern for essentially everybody. Security of data in phone calls, email, mobile messaging, online shopping, online banking, or in emerging fields such as electronic cash systems (e.g. Bitcoin [193]), smart grids, or the Internet of Things would be unthinkable without sound cryptographic constructions. The strength of the cryptographic protection is determined by the (in)feasibility of deriving secret information by unauthorized parties. Goals of modern cryptology include, for example, confidentiality, integrity, authenticity, anonymity, and non-repudiation, to name just a few of the many objectives. Although there exist many cryptographic schemes which are considered secure, there is no single, universally applicable solution.
Due to constantly changing requirements and new application fields, there is a permanent demand for innovative solutions that master emerging challenges. Another issue is that deprecated cryptographic constructions are still relatively widespread. Those designs often date back to times when practically nobody could foresee the dimensions that modern developments, such as today's Internet, could reach, and they are now largely obsolete and not suitable for use in modern applications. One prominent example is the RC4 stream cipher, which was designed by Rivest in 1987, became publicly known in 1994, and found widespread adoption due to its simplicity and comparatively good performance. The security of RC4 has been studied thoroughly over the past decades, and many weaknesses in the algorithm itself and in the systems it has been deployed in were uncovered [5, 114, 157, 221, 232]. Cryptographers have been advising against its use for years, but phasing out such a widely deployed system is usually a difficult task and a slow process due to complex interdependencies, issues with backward compatibility, and other reasons. For instance, in early 2014, RC4 was still one of the most widely used ciphers in implementations of the Transport Layer Security (TLS) protocol, which secures communication on the Internet. In 2015, the Internet Engineering Task Force (IETF) finally prohibited its use in TLS [207] (RFC 7465). There are many similar examples of cryptographic primitives whose weaknesses have been exposed by continuous advances in cryptanalysis. Understandably, there is enormous interest in replacing legacy schemes by new, modern variants that correct the flaws of their older counterparts, provide new features, and often promise a drastic reduction of operational costs. Moreover, modern ciphers are usually designed with sufficiently large security margins so that they can withstand future cryptanalytic or computational breakthroughs. This is absolutely essential to guarantee security in the long run, since many cryptographic primitives remain in use for decades, as the example of RC4 shows.
One major threat to many of the known cryptographic systems are quantum computers [197]. While at present there exist only early prototypes that can be used for very basic computations, the interest from academia, industry, and governments alike in building a real and practically usable quantum computer is considerable. It would provide enormous computational advantages compared to conventional computers. Although there are still many challenges to overcome, unforeseen breakthroughs in engineering could quickly lead to the construction of a first quantum computer with a reasonable number of quantum bits (qubits). We refer to the quantum algorithms of Grover [120] and Shor [226], which yield, compared to the best known classical algorithms, significant speed-ups for the problems of database search and integer factorization. The two are not equally damaging: Grover's algorithm only gives a quadratic speed-up for exhaustive key search, so doubling the key length of a symmetric cipher restores its security margin, whereas Shor's algorithm solves factorization and discrete logarithms in polynomial time. Ciphers such as RSA, which belongs to the most widely deployed public-key cryptosystems and whose security relies on the hardness of integer factorization, could therefore be broken easily by a quantum computer equipped with enough qubits. It is thus no surprise that post-quantum cryptography is a highly active research field, where cryptographers investigate new systems that remain secure even in the presence of quantum computers.

On the other end of the spectrum there is a huge interest in the field of lightweight cryptography, motivated by pervasive computing, which is enabled by small mobile and embedded devices such as RFID chips and nodes of sensor networks. These machines increasingly find their way into our everyday life and are often used to process sensitive (personal) data, for instance financial or medical information. Obviously, protecting such information is essential and is in large part achieved through the deployment of cryptographic methods. However, the acceptable complexity of cryptographic algorithms implementable on low-end devices is typically restricted by stringent cost constraints, by power consumption limits due to battery lifetime, or by heat dissipation issues. The design of cryptographic primitives that provide adequate security against conventional cryptanalysis and implementation attacks, and that can be realized on devices with strictly limited resources, is a very challenging task and has attracted huge interest over the last couple of years [158]. It is therefore no surprise that numerous new algorithms [15, 61, 71, 72, 73, 78, 85, 86, 125, 126] were proposed addressing the manifold challenges of lightweight cryptography. To summarize, cryptology is a highly active and challenging research field with countless unsolved and practice-oriented problems. The ever-increasing need and demand for security and privacy of digital communication in our modern society in the information age ensures that research in cryptology will remain relevant for a long time to come.
Research Contributions and Outline

This thesis deals with research problems in symmetric cryptology, where it is assumed that the communicating parties share a secret key. In particular, we investigate techniques for fault-based cryptanalysis of block ciphers, discuss the design of a novel authenticated encryption scheme, and also describe our security evaluation of the latter. The outline of the thesis is as follows.

In Chapter 1, we discuss basic concepts from symmetric cryptology. We introduce block ciphers, stream ciphers, hash functions, and message authentication codes, the basic primitives of symmetric cryptography, and also discuss authenticated encryption schemes, a more advanced construction. Furthermore, we give an introduction to the basic tools of cryptanalysis including brute force, differential, linear, algebraic, rotational, and implementation attacks. The purpose of this chapter is to introduce the basic terminology required later on in the thesis.

In Chapter 2, we discuss methods for fault analysis of the lightweight block ciphers LED and PRINCE. We start with a fault-based attack on LED-64 and present filtering techniques which quickly eliminate wrong key hypotheses. We show that the number of remaining key candidates is already small enough after a single fault injection to make exhaustive search feasible. We also motivate why those techniques are not directly applicable to LED-128 and PRINCE. Afterwards, we introduce a generalisation of the LED-64 attack which leads to the multi-stage fault attack framework and allows differential fault analysis of both LED-128 and PRINCE. We show that in both cases between 3 and 5 fault injections are sufficient for a successful reconstruction of the entire 128-bit key and also present the results from our extensive simulation-based experiments. Finally, we discuss an extension of the LED-64 attack to an algebraic setting. The results of this chapter are published (partially as preprints) in [138, 139, 140]. Furthermore, in [172, 173], the applicability of the fault analysis techniques in combination with new methods for high-precision fault injections is investigated.

In Chapter 3, we present differential fault analysis of the block cipher family Bel-T which has recently been adopted as a national standard of the Republic of Belarus. Our attacks successfully recover the secret key of the 128-bit, 192-bit, and 256-bit versions of Bel-T using 4, 7, and 10 fault injections, respectively.
We also discuss the feasibility of the required fault injections and present the results from our extensive simulation-based experiments. The results of this chapter are published in [143].

In Chapter 4, we present NORX, a novel authenticated encryption scheme with support for associated data, which was submitted in 2014 as a first-round candidate to CAESAR, the Competition for Authenticated Encryption: Security, Applicability and Robustness. NORX was designed with a focus on high security, simplicity, high performance, and side-channel robustness. It is based on the monkeyDuplex construction, which belongs to the family of sponge functions, and features a dedicated domain separation scheme for simple processing of header, payload, and trailer data. NORX was optimised for efficiency in both software and hardware, having a core suitable for vectorised implementations, almost byte-aligned rotations, no secret-dependent memory accesses, and only bitwise logical operations. On a Haswell processor, a serial version of NORX runs at 2.51 cycles per byte. Simulations of a hardware design for a 180 nm UMC ASIC give a throughput of about 10 Gbps at 125 MHz. The main results of this chapter are published in [20] and further improvements on the generic security bounds can be found in [141]. Furthermore, a talk about CAESAR and NORX was given at the 31st Chaos Communication Congress (31C3) [17].

In Chapter 5, we present an extensive security analysis of NORX and focus, in particular, on differential and rotational properties. After the derivation of some basic properties, we present algebraic models that describe differential propagation with respect to the non-linear operation of NORX. Thereafter, we introduce NODE, the NORX differential search engine, which is an adaptation of a framework previously proposed for ARX designs, enabling us to automate the search for differentials and characteristics. We give upper bounds on the differential probability for a small number of rounds of the NORX core permutation. For example, in a scenario where an attacker can only modify the nonce during initialisation, we show that there are no differential characteristics with probabilities higher than $2^{-67}$ (32-bit) and $2^{-62}$ (64-bit) after only a single round. Furthermore, we describe how we found the best characteristics for four rounds, which have probabilities of $2^{-584}$ (32-bit) and $2^{-836}$ (64-bit), respectively. Finally, we discuss some rotational properties of the core permutation which yield some first security bounds and can be used as a basis for future investigations. The results of this chapter are published in [19].
List of Symbols

$\mathbb{N}$  set of natural numbers including 0
$\mathbb{Z}$  ring of integers
$\mathbb{Z}_n$  residue class ring of integers modulo $n$
$K[x_1, \ldots, x_n]$  polynomial ring in indeterminates $x_1, \ldots, x_n$ over the field $K$
$\mathbb{Q}$  field of rational numbers
$\mathbb{F}_{p^n}$  finite field with $p^n$ elements, $p$ prime, $n \geq 1$
$\mathbb{F}_2^n$  $\mathbb{F}_2$-vector space of bit strings $X = (x_0, \ldots, x_{n-1})$ of length $n \geq 1$
$\mathbb{F}_2^*$  set of bit strings of arbitrary but finite length
$0^n$  bit string consisting of $n$ zeroes
$|X|$  length of bit string $X$ in bits
$|X|_r$  length of bit string $X$ in $r$-bit blocks
$\mathrm{hw}(X)$  Hamming weight of bit string $X$
$\lfloor X \rfloor_n$  truncation of bit string $X$ to its first, i.e. least-significant, $n$ bits
$X \,\|\, Y$  concatenation of bit strings $X$ and $Y$
$X \ll n$  left-shift of bit string $X$ by $n$ bits
$X \gg n$  right-shift of bit string $X$ by $n$ bits
$X \lll n$  cyclic left-rotation of bit string $X$ by $n$ bits
$X \ggg n$  cyclic right-rotation of bit string $X$ by $n$ bits
$\neg, \wedge, \vee, \oplus$  bitwise logical NOT, AND, OR, and XOR
$\boxplus, \boxminus$  integer addition and subtraction
$a \leftarrow b$  assignment of value $b$ to the variable $a$
$x \xleftarrow{\$} X$  sample $x$ uniformly at random from the set $X$
$f \circ g$  composition of functions $f$ and $g$
Chapter 1 Introduction

1.1 Cryptography

There are three major categories of cryptographic primitives, namely unkeyed, symmetric, and asymmetric algorithms. Figure 1 gives an overview of the most common cryptographic primitives. The distinguishing property of those classes is the different use of key material: unkeyed algorithms do not require any secret information to be used. Symmetric algorithms use a single secret key that is shared among all valid communication partners and is used by each of them to execute cryptographic operations such as encryption and decryption of data. For the use of asymmetric algorithms every participant is required to possess a pair of keys, a public key and a private key. The two keys of a participant are strongly related to each other and each has its own purpose, which can be roughly summarised as follows: the public key is used for encryption or verification of digital signatures, while the private key is used for decryption or creation of digital signatures. In practice, the different kinds of primitives are usually not used on their own but are combined to form cryptographic protocols. This thesis focuses on symmetric cryptography and the current section introduces its core principles. Moreover, we also give a brief overview of hash functions due to their essential role in cryptography. For the other topics, we refer the interested reader to standard literature on cryptography [202]. There are many goals that can be achieved with (symmetric) cryptography, but three of the basic ones are:

Confidentiality. It guarantees that an adversary who has access to a communication channel cannot derive information about the content of messages exchanged by the communication partners.

Integrity. It guarantees that an adversary who has access to a communication channel cannot alter the content of exchanged messages in an unauthorised way. In other words, it prevents an active adversary from modifying transmitted messages without the manipulation being noticed.

Authenticity. It guarantees that an adversary who has access to a communication channel cannot alter the information about the origin of exchanged messages, i.e. it prevents an attacker from impersonating a valid source of messages to any of the true communication partners.

[Figure 1: Categories of common cryptographic algorithms. Unkeyed algorithms: hash functions, randomness extractors, ... Symmetric algorithms: block ciphers, stream ciphers, message authentication codes, authenticated encryption schemes, ... Asymmetric algorithms: public-key ciphers, signature schemes, ...]

Different kinds of symmetric cryptographic constructions can be specified which achieve a varying number of the above goals. In the following, we introduce the basic symmetric cryptographic primitives, as listed in Figure 1, and describe their respective roles in achieving the three goals above. As a basis, we use standard literature on (symmetric) cryptography such as [162, 202].

1.1.1 Block Ciphers

Block ciphers are a core building block of symmetric cryptography and ensure the confidentiality of processed data. They are often used to design other cryptographic primitives, such as stream ciphers, hash functions or message authentication codes. In the following, we
introduce the basic definition and discuss thereafter common approaches for the construction of block ciphers.

Let $k, b \geq 1$. A block cipher is a tuple $(E, D)$ such that the encryption function
$$E : \mathbb{F}_2^k \times \mathbb{F}_2^b \to \mathbb{F}_2^b,\quad (K, M) \mapsto C$$
is a permutation on the set of plaintexts $M \in \mathbb{F}_2^b$ for a fixed secret key $K \in \mathbb{F}_2^k$. The value $b$ is also called the block size. The inverse of the encryption function, $E^{-1}$, also called the decryption function, is denoted by $D$. In particular, the equation $D_K(E_K(M)) = M$ holds for all plaintexts $M \in \mathbb{F}_2^b$ and a fixed secret key $K \in \mathbb{F}_2^k$, where we write $E_K(\cdot) = E(K, \cdot)$ and $D_K(\cdot) = D(K, \cdot)$, respectively. Common values for $k$ are 64, 80, 96, 128, 192, and 256 bits, and for $b$ often 64, 128 or 256 bits are used.

Block ciphers specify families of permutations. The block size of $b$ bits determines the space of all possible permutations, while the key size of $k$ bits determines the number of permutations that are actually selected. More precisely, for a given key size of $k$ bits there exist $2^k$ different keys, and choosing one of them (at random) selects one of the permutations on the set of $2^b$ inputs (at random). There are $(2^b)!$ different permutations on $b$-bit input blocks, which corresponds roughly to $2^{(b-1)2^b}$ by Stirling's approximation, so a block cipher can only ever realise a vanishingly small fraction of them. Usually, one also demands that keys which are related to each other in some way yield permutations sharing no recognisable relations, which could otherwise be exploited in cryptanalytic attacks.

Block ciphers are commonly constructed in an iterative way based on bijective, key-dependent round functions $f_i(K_i, \cdot)$ which operate on $b$-bit blocks of data. Here $K_i$ denotes the $i$-th round key for $i \in \{0, \ldots, r-1\}$ and $r$ denotes the number of rounds. Thus, the encryption function of such an iterative block cipher can be described by
$$E(K, \cdot) = f_{r-1}(K_{r-1}, \cdot) \circ f_{r-2}(K_{r-2}, \cdot) \circ \cdots \circ f_1(K_1, \cdot) \circ f_0(K_0, \cdot),$$
where $\circ$ denotes function composition. Analogously, decryption can be described by
$$D(K, \cdot) = f_0^{-1}(K_0, \cdot) \circ f_1^{-1}(K_1, \cdot) \circ \cdots \circ f_{r-2}^{-1}(K_{r-2}, \cdot) \circ f_{r-1}^{-1}(K_{r-1}, \cdot),$$
where $f_i^{-1}(K_i, \cdot)$ denotes the inverse of $f_i(K_i, \cdot)$. To obtain the round keys $K_i$, the master key $K$ is expanded using a key schedule $g$, i.e.
$$g : \mathbb{F}_2^k \to \mathbb{F}_2^{qr},\quad K \mapsto (K_0, K_1, \ldots, K_{r-2}, K_{r-1}),$$
where $q$ denotes the bit size of a round key. In many cases, $q$ coincides with the block size $b$, i.e. $q = b$. Figure 2 illustrates the encryption function of such an iterative block cipher. Depending on the design of the block cipher, so-called whitening keys are often used before and after the application of all the round functions to mask plaintext and ciphertext, respectively.

[Figure 2: Encryption function of an iterative block cipher: the key schedule $g$ expands $K$ into $K_0, K_1, \ldots, K_{r-2}, K_{r-1}$, and $M$ passes through $f_0, f_1, \ldots, f_{r-2}, f_{r-1}$ to produce $C$.]

If the block cipher design can be modelled as a sequence of unkeyed round functions interleaved with addition of round keys using bitwise XOR, then we usually speak of a key-alternating [97] construction. Note that Feistel ciphers can also be key-alternating in some sense but cannot necessarily be modelled in such a way directly.

Now we give a brief overview of three common design approaches for block ciphers, namely Feistel networks, substitution-permutation networks, and Lai-Massey schemes. Figure 3 illustrates the round functions for each of the aforementioned design strategies.

[Figure 3: Round functions of (a) Feistel networks, (b) substitution-permutation networks, and (c) Lai-Massey schemes.]

Feistel Networks

Block ciphers based on Feistel networks, see Figure 3a, have their state split into two halves, usually denoted by a left one $X_i$ and a right one $Y_i$, for $0 \leq i \leq r$. The plaintext is loaded into $X_0 \,\|\, Y_0$.
In a single round, a non-linear function $f$ depending on a round key $K_i$ is applied to one of the halves and the result is XORed to the other. Finally, the two halves are swapped, which also finishes the round. Thus, a single encryption round of a Feistel network can be described by
$$X_{i+1} = Y_i, \qquad Y_{i+1} = X_i \oplus f_{K_i}(Y_i),$$
which is also illustrated in the first diagram of Figure 3. This procedure is repeated as many times as specified by the number of rounds $r$. The ciphertext finally corresponds to $X_r \,\|\, Y_r$. Note that $f$ does not necessarily have to be bijective. Decryption can be achieved in a very similar way to encryption, by simply exchanging the roles of $X_i$ and $Y_i$ and possibly adjusting the key schedule (the round keys are applied in reverse order). The similarity of encryption and decryption functions obviously cuts down costs, for instance when the cipher is implemented in hardware. Thus, it is not surprising that block ciphers based on Feistel networks are often used in devices which only have access to very limited resources. Prominent representatives of this class are the Data Encryption Standard (DES), the AES finalist Twofish [219], or Simon [27], a lightweight block cipher designed and published by the NSA.

Substitution-Permutation Networks

Another predominant approach to design block ciphers are substitution-permutation networks (SPN), see Figure 3b. The basic building blocks of SPN block ciphers are a substitution layer $S$, which transforms the state in a non-linear manner through parallel substitution of groups of bits according to certain substitution tables, also called S-boxes, a linear permutation layer $P$, which permutes either single bits or whole groups of bits, and finally the addition of a round key $K_i$, usually using bitwise XOR or integer addition. Sometimes the round function also includes an operation for the addition of a round constant, to make the single rounds distinct from each other, which prevents certain kinds of attacks such as slide attacks [65]. The basic variant of the round function can be described as follows:
$$X_{i+1} = P(S(X_i)) \oplus K_i.$$
SPN block ciphers are by definition key-alternating, and the decryption function is usually quite different from encryption compared to their Feistel network based counterparts, since it requires the inverse S-boxes $S^{-1}$ and the inverse permutation $P^{-1}$. Lately, however, there have been increased efforts to create SPN ciphers using involutive building blocks which allow to specify encryption and decryption functions in similar ways. For instance, PRINCE [78] falls into the latter category. Other prominent examples of substitution-permutation network based block ciphers include AES [96], PRESENT [71], and LED [126]. In Chapter 2, we analyse the ciphers LED and PRINCE against certain cryptanalytic attacks.

Lai-Massey Schemes

A third but less common option for block cipher design is the so-called Lai-Massey scheme, see Figure 3c. Like Feistel networks, the scheme works with a state divided into two parts $X_i$ and $Y_i$. The building blocks of the round function are a half-round function $H$ and a keyed transformation $f_{K_i}$, where $K_i$ denotes the round key. The function $H$ usually updates the left state element $X_i$ by applying a special map $\sigma$ (an orthomorphism), i.e. $H(X_i, Y_i) = (\sigma(X_i), Y_i)$, which is required to prevent trivial distinguishing attacks [236]. The above components are then combined as follows:
$$(A_i, B_i) = H(X_i, Y_i), \qquad C_i = f_{K_i}(A_i \oplus B_i), \qquad (X_{i+1}, Y_{i+1}) = (A_i \oplus C_i,\ B_i \oplus C_i).$$
Comparably to Feistel block ciphers, the function $f$ does not have to be invertible. The Lai-Massey scheme was introduced alongside IDEA [176]. Other representatives are FOX [144], now also known as IDEA-NXT, and, to some extent, also Bel-T [98], the national encryption standard of the Republic of Belarus. We analyse Bel-T in more detail in Chapter 3.

Block Cipher Modes

Block ciphers can encrypt only a single fixed-size block of data at a time. To be able to process messages of arbitrary length, however, a block cipher must be used together with an appropriate block cipher mode of operation. The first block cipher modes were proposed and standardised by NIST for use with DES in FIPS 81 [194] and were later also standardised for use with AES [195]. The basic modes include Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR).
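The Feistel and SPN round functions above, together with CTR mode, as an added worked example (this is illustrative code written for this section, not code from the thesis or from any of the ciphers it names). The parameters are deliberately tiny and the S-box, bit permutation and key schedule are assumptions chosen for readability, so the construction is not secure; it shows the two things the text claims: a Feistel network decrypts with the same network and reversed round keys even when $f$ is not a bijection, whereas an SPN needs $S^{-1}$ and $P^{-1}$, and CTR mode turns either cipher into a key-stream generator.

```python
"""Toy Feistel network, toy SPN and CTR mode (added illustration, not code from
the thesis). Parameters are tiny (16-bit blocks, 4-bit S-boxes, 32-bit master
key) so that the structure stays visible; none of this is secure."""

# 4-bit S-box: the PRESENT S-box, used here only as a sample bijection on nibbles
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

# Bit permutation P on 16 bits: input bit i moves to position PERM[i]
# (i -> 4i mod 15 for i < 15, bit 15 fixed; a scaled-down PRESENT-style layer)
PERM = [(4 * i) % 15 for i in range(15)] + [15]
PERM_INV = [PERM.index(j) for j in range(16)]


def rotl32(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def key_schedule(master_key: int, rounds: int) -> list:
    """Toy key schedule g: K -> (K_0, ..., K_{r-1}), 16-bit round keys with a
    round constant so that rounds differ (assumed schedule, nothing standard)."""
    return [(rotl32(master_key, 5 * i) & 0xFFFF) ^ ((0x9E37 * (i + 1)) & 0xFFFF)
            for i in range(rounds)]


def sub_nibbles(x: int, box: list, nibbles: int) -> int:
    """Substitution layer S: apply a 4-bit S-box to each nibble in parallel."""
    out = 0
    for i in range(nibbles):
        out |= box[(x >> (4 * i)) & 0xF] << (4 * i)
    return out


def permute_bits(x: int, perm: list) -> int:
    """Permutation layer P: move bit i of x to position perm[i]."""
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << perm[i]
    return out


# ---- Feistel network: X_{i+1} = Y_i, Y_{i+1} = X_i xor f_{K_i}(Y_i) ----

def feistel_f(rk: int, y: int) -> int:
    """Round function f_K on 8-bit halves. The last step is deliberately NOT a
    bijection (t + (t >> 4) mod 256 has collisions): a Feistel round function
    need not be invertible, the network is invertible regardless."""
    t = sub_nibbles((y ^ rk) & 0xFF, SBOX, 2)
    return (t + (t >> 4)) & 0xFF


def feistel_encrypt(block: int, round_keys: list) -> int:
    x, y = block >> 8, block & 0xFF
    for rk in round_keys:
        x, y = y, x ^ feistel_f(rk, y)
    return (x << 8) | y


def feistel_decrypt(block: int, round_keys: list) -> int:
    """Same network as encryption: swap the halves, run the round keys in
    reverse order, swap back. No inverse of f is needed."""
    x, y = block & 0xFF, block >> 8
    for rk in reversed(round_keys):
        x, y = y, x ^ feistel_f(rk, y)
    return (y << 8) | x


# ---- SPN: X_{i+1} = P(S(X_i)) xor K_i ----

def spn_encrypt(block: int, round_keys: list) -> int:
    x = block
    for rk in round_keys:
        x = permute_bits(sub_nibbles(x, SBOX, 4), PERM) ^ rk
    return x


def spn_decrypt(block: int, round_keys: list) -> int:
    """Unlike the Feistel case, decryption needs S^-1 and P^-1 and undoes the
    round operations in reverse order."""
    x = block
    for rk in reversed(round_keys):
        x = sub_nibbles(permute_bits(x ^ rk, PERM_INV), SBOX_INV, 4)
    return x


# ---- CTR mode: the block cipher becomes a key-stream generator ----

def ctr_crypt(round_keys: list, nonce: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with key-stream blocks
    E_K(nonce || counter). Toy layout: 8-bit nonce, 8-bit counter, so at most
    256 blocks; the nonce must never repeat under one key."""
    out = bytearray()
    for i in range(0, len(data), 2):
        ks = spn_encrypt(((nonce & 0xFF) << 8) | ((i // 2) & 0xFF), round_keys)
        out += bytes(a ^ b for a, b in zip(data[i:i + 2], ks.to_bytes(2, "big")))
    return bytes(out)


if __name__ == "__main__":
    rks = key_schedule(0x2B7E1516, 8)
    print(hex(feistel_encrypt(0xBEEF, rks)), hex(spn_encrypt(0xBEEF, rks)))
    print(ctr_crypt(rks, 0x42, ctr_crypt(rks, 0x42, b"attack at dawn")))
```

The CTR part uses the block cipher only in the forward direction, which is why a key-stream construction never needs `spn_decrypt`; it also makes the nonce-reuse caveat concrete, since two messages encrypted under the same `(key, nonce)` pair are XORed with the same key stream.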
We do not discuss the details of those modes here but refer the interested reader to standard literature [162, 202].

1.1.2 Stream Ciphers

Stream ciphers accompany block ciphers as the second basic class of symmetric-key primitives. While block ciphers encrypt data block-wise, a stream cipher achieves encryption by first producing a pseudo-randomly generated stream of bits (sometimes as whole blocks), the key stream, of the same size as the message, and by XORing this key stream to the plaintext to obtain the ciphertext. This property makes stream ciphers very flexible since usually no message padding or special mode of operation is required and arbitrarily sized messages can be processed right away. Note, however, that a given block cipher can easily be turned into a stream cipher using, for instance, the counter mode (CTR) mentioned above.

Let $k, n \geq 1$. A stream cipher $\mathcal{S}$ is specified by
$$\mathcal{S} : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \to \mathbb{F}_2^*,\quad (K, N, M) \mapsto S \oplus M,$$
where $K$ is a secret key, $N$ is either an initialisation vector (IV) or a nonce, $M$ a message, and $S$ a pseudo-randomly generated key stream of length $|M|$. The ciphertext $C$ corresponds to the output $S \oplus M$ of $\mathcal{S}$. Since XOR is an involution, the same function can be used for decryption with exchanged roles of $C$ and $M$. Hence, the plaintext can be recovered by simply computing $\mathcal{S}(K, N, C) = S \oplus C = M$. Note that there is a difference between an IV and a nonce: IVs are required to be chosen uniformly at random, while nonces only have to be unique in order to guarantee the security of the algorithm. Thus, a nonce can be implemented through a simple counter, which is not possible for an IV. Whether an IV or a nonce has to be used depends on the concrete cryptographic construction. In either case, reusing $N$ under the same key is fatal for a stream cipher: two ciphertexts $C = S \oplus M$ and $C' = S \oplus M'$ produced with the same key stream reveal $C \oplus C' = M \oplus M'$.

Undoubtedly, one of the best-known stream ciphers is RC4, which was invented by Rivest in 1987 and is still in wide use today despite the numerous discovered weaknesses that frequently allow to mount practical attacks on RC4. Modern and secure alternatives include Salsa20 [41], ChaCha [40], Trivium [86] and Grain-128a [2].

1.1.3 Hash Functions

Cryptographic hash functions are another important primitive and can be used to ensure the integrity of processed data.
In symmetric cryptography, they are also often used as building blocks for other cryptographic primitives, such as stream ciphers, message authentication codes, or authenticated encryption schemes. Although not covered in depth within the current thesis, we nevertheless discuss them briefly below due to their importance and for completeness. Hash functions do not use a secret key, unlike the symmetric primitives discussed so far, and compress an arbitrarily sized but finite input to a fixed-size output. The latter can be seen as the fingerprint, i.e. the "unique" identifier of the data. These primitives belong to the family of so-called one-way functions, which means that they are considered practically impossible to invert. Due to their versatility, hash functions are often referred to as the "Swiss army knife" of cryptography. Their field of application includes, but is not limited to, data integrity checks, password verification, pseudorandom number generation, and message authentication. The formal definition of a hash function is as follows. Let $n \geq 1$. A (cryptographic) hash function is a mapping
$$\mathcal{H} : \mathbb{F}_2^* \to \mathbb{F}_2^n,\quad M \mapsto H,$$
that takes as input a message $M$ of arbitrary but finite length and compresses it into a fixed-size digest or hash $H$ of length $n$. Informally, a cryptographic hash function should be indistinguishable from a random function with the same parameters and it should fulfil the following four properties:

Efficiency. Given the input $M$ it is easy to compute $\mathcal{H}(M)$.

Collision Resistance. Finding two distinct inputs $M \neq M'$ such that $\mathcal{H}(M) = \mathcal{H}(M')$ should require at least $2^{n/2}$ operations (the birthday bound).

Pre-image Resistance. Given an image $Z$ of $\mathcal{H}$, it is hard to find an input $M$ such that $\mathcal{H}(M) = Z$; for an ideal hash function this requires about $2^n$ operations.

Second Pre-image Resistance. Given an input $M$, it is hard to find a second input $M' \neq M$ such that $\mathcal{H}(M) = \mathcal{H}(M')$.

Due to the above properties the value $n$ is required to have a certain size. Common choices for $n$ are 160, 256 and 512 bits. Well-known cryptographic hash functions include MD5, SHA-1, SHA-256, SHA-512, Keccak [47], which was the winner of the SHA-3 competition [222] and is now the new SHA-3 standard, Grøstl [118], BLAKE [16], and BLAKE2 [21]. Note that practical collisions are known for MD5 and SHA-1, so neither should be used where collision resistance matters.

1.1.4 Message Authentication Codes
Hash functions that take a secret key as an additional input are better known as message authentication codes. These primitives do not only provide data integrity but also allow to verify the authenticity of a message. This means that the receiver of a message can verify that it originates from a valid sender, namely the one with whom the receiver had exchanged the secret key before. Concretely, a message authentication code (MAC) is a tuple $(\mathcal{T}, \mathcal{V})$ consisting of a tag generation function $\mathcal{T}$ and a tag verification function $\mathcal{V}$. The tag generation function is specified by
$$\mathcal{T} : \mathbb{F}_2^k \times \mathbb{F}_2^* \to \mathbb{F}_2^t,\quad (K, M) \mapsto T,$$
and takes as input a secret key $K$ and an arbitrarily long message $M$ and compresses it into a fixed-size authentication tag $T$ of length $t$. The tag verification function is specified through
$$\mathcal{V} : \mathbb{F}_2^t \times \mathbb{F}_2^t \to \{\bot, \top\},\quad (T, T') \mapsto \begin{cases} \top & \text{if } T = T' \\ \bot & \text{if } T \neq T' \end{cases}$$
and checks if the received tag $T$ matches the computed tag $T'$. If they agree, then $\mathcal{V}$ returns the symbol $\top$ for success, and otherwise the symbol $\bot$ for failure. In practice this comparison has to run in constant time: a comparison that stops at the first differing byte leaks, through its timing, how many leading bytes of a forged tag are already correct. There are many ways to construct MACs. A common approach is to take a cryptographic hash function and use it within the HMAC mode [30]. Another option are sponge functions [45] which are discussed further below.

1.1.5 Authenticated Encryption Schemes

Authenticated encryption (AE) schemes [32, 67] are an enhancement of ordinary symmetric encryption algorithms and not only provide confidentiality of processed data but also ensure its integrity and authenticity. In other words, AE schemes aim to achieve all of the three basic goals of symmetric cryptography introduced at the beginning of this section. Authenticated encryption with associated data (AEAD) [211] is an extension of AE that allows to additionally process so-called associated data (AD) which is not encrypted, i.e. it is transmitted in the clear, but whose authenticity and integrity are ensured. Nowadays, AE(AD) schemes are the standard tool to protect in-transit data.
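The collision-resistance bound of Section 1.1.3 and the tag generation and verification functions of Section 1.1.4, as an added worked example (illustrative code written for this page, not from the thesis). SHA-256 truncated to $n$ bits is assumed as a stand-in for an abstract $n$-bit hash $\mathcal{H}$, HMAC-SHA-256 as the instance of $\mathcal{T}$, and the sample key and messages are constructed; with $n = 32$ the birthday search finishes in well under a second, which is exactly why real digests are 256 bits and more.

```python
"""Birthday-bound collision search on a truncated hash, and a keyed tag (MAC)
with constant-time verification. Added illustration, not code from the thesis.
SHA-256 truncated to n bits stands in for an abstract n-bit hash H."""
import hashlib
import hmac


def h_trunc(msg: bytes, n_bits: int) -> int:
    """H : F2* -> F2^n, realised as the first n_bits bits of SHA-256(msg)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def birthday_collision(n_bits: int):
    """Return (M, M', trials) with M != M' and H(M) = H(M'), or None.
    Digests of the constructed inputs b"msg-<i>" are kept in a table; by the
    birthday paradox a repeat shows up after roughly 2^(n/2) inputs, which is
    why an n-bit hash offers only about n/2 bits of collision resistance."""
    seen = {}
    for i in range(8 << (n_bits // 2)):      # 8 * 2^(n/2) inputs: failure odds ~ e^-32
        m = b"msg-%d" % i
        d = h_trunc(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    return None


def mac_tag(key: bytes, msg: bytes, t_bytes: int = 16) -> bytes:
    """T(K, M): HMAC-SHA-256 truncated to t bytes."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:t_bytes]


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(T, T'): recompute the tag and compare in constant time. A plain
    `==` on bytes stops at the first mismatch and leaks, via timing, how many
    leading bytes of a guessed tag are right."""
    return hmac.compare_digest(mac_tag(key, msg, len(tag)), tag)


if __name__ == "__main__":
    m1, m2, trials = birthday_collision(32)
    print(f"collision after {trials} inputs: {m1!r} {m2!r} -> {h_trunc(m1, 32):08x}")
    k = bytes(range(16))                      # constructed sample key
    t = mac_tag(k, b"transfer 100 to alice")
    print(mac_verify(k, b"transfer 100 to alice", t),
          mac_verify(k, b"transfer 900 to alice", t))
```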
AD can have many forms, such as routing information in headers of datagram packets. Obviously, such a header (containing data like an IP address) has to remain unencrypted in order to be able to transmit the packet to the right destination. Moreover, the sender wants to ensure that the packet indeed reaches its destination and that a possible manipulation of the in-transit packet through man-in-the-middle attacks is detected. Finally, the receiver wants to be able to verify that the received data is from a valid source, namely the one with whom he exchanged secret keys. Below, we introduce the mathematical notation for AEAD and note that AE is a special case of the former where AD is left empty.

Let $k, n, t \geq 1$. An authenticated encryption scheme with associated data is a tuple $(\mathcal{K}, E, D)$, where $\mathcal{K}$ is a key generation function, $E$ an encryption and $D$ a decryption function. The function $\mathcal{K}$ takes as input $k$ and picks a secret key $K$ uniformly at random from $\mathbb{F}_2^k$. We denote this operation by $K \xleftarrow{\$} \mathcal{K}(k)$ or simply $K \xleftarrow{\$} \mathcal{K}$ if the context is clear. The encryption function is specified as
$$E : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \times \mathbb{F}_2^* \to \mathbb{F}_2^* \times \mathbb{F}_2^t,\quad (K, N, A, M) \mapsto (C, T),$$
where $K$ is a secret key, $N$ a nonce, $A$ associated data, $M$ a plaintext message, $C$ a ciphertext, and $T$ an authentication tag. The decryption function, on the other hand, is defined by
$$D : \mathbb{F}_2^k \times \mathbb{F}_2^n \times \mathbb{F}_2^* \times \mathbb{F}_2^* \times \mathbb{F}_2^t \to \mathbb{F}_2^* \cup \{\bot\},\quad (K, N, A, C, T) \mapsto \begin{cases} M & \text{if } T = T' \\ \bot & \text{if } T \neq T' \end{cases}$$
where $T'$ denotes the computed and $T$ the received authentication tag. Conceptually, a typical communication between two parties Alice and Bob is conducted as follows: assuming Alice and Bob have already exchanged a secret key $K$, Alice computes $E_K(N, A, M) = (C, T)$ and sends the tuple $(N, A, C, T)$ over the communication channel to Bob. Under the assumption that the AEAD scheme is secure, an adversary intercepting $(N, A, C, T)$ can neither learn anything about the message $M$ from $C$ or $T$ nor can he modify any of $N$, $A$, $C$ or $T$ without being detected. In particular, he cannot construct tuples $(N', A', C', T')$ of his own that appear valid to Bob since he is not in possession of the shared secret key $K$.
Bob, the legitimate communication partner, uses the decryption function $D_K$ of the scheme on $(N, A, C, T)$, which first checks that the received authentication tag $T$ is valid by comparing it with the computed tag $T'$, and if so $D_K$ returns the message $M$. If tag verification fails, $D_K$ outputs nothing except an error $\bot$ and securely erases all intermediate results; releasing partially decrypted plaintext before the tag has been verified would undermine the integrity guarantee. Now, we give an overview of common AE(AD) constructions.

Generic Composition
There are several ways to construct AE(AD) schemes. A very common approach is generic composition [32], for which we give a short overview in the following and discuss its pros and cons. Generic composition combines a symmetric encryption scheme, for example a block or stream cipher, and a message authentication code (MAC) to form an AE(AD) scheme. Usually two different secret keys $K_e$ and $K_m$ are used for encryption $E(K_e, \cdot)$ and authentication tag generation $\mathcal{T}(K_m, \cdot)$, respectively. To achieve AE using generic composition there exist three well-known approaches which are discussed in more detail below.

Encrypt-and-MAC (EaM). The sender encrypts the message using the symmetric encryption algorithm, compresses the message using the MAC to obtain the tag, and appends the tag to the ciphertext:
$$E_{K_e}(M) \,\|\, \mathcal{T}_{K_m}(M).$$
The receiver first decrypts the ciphertext to obtain the message and then uses the MAC on the message to verify the received authentication tag. Extending EaM to include associated data is straightforward:
$$A \,\|\, E_{K_e}(M) \,\|\, \mathcal{T}_{K_m}(A \,\|\, M).$$
The very well-known SSH protocol [248] is one representative that uses EaM-based schemes for authenticated encryption.

MAC-then-Encrypt (MtE). The sender compresses the message using the MAC, appends the generated authentication tag to the message and encrypts the result:
$$E_{K_e}(M \,\|\, \mathcal{T}_{K_m}(M)).$$
The receiver first decrypts the ciphertext, extracts message and tag, and then uses the MAC on the message to check if the received authentication tag is valid. The AEAD variant of MtE can again be constructed in the obvious way:
$$A \,\|\, E_{K_e}(M \,\|\, \mathcal{T}_{K_m}(A \,\|\, M)).$$
MtE-based authenticated encryption is used for example in (D)TLS [104], the protocol that enables secure communication on the Internet.

Encrypt-then-MAC (EtM). The sender encrypts the message to produce the ciphertext, uses the MAC on the ciphertext to produce the authentication tag and finally appends the tag to the ciphertext:
$$E_{K_e}(M) \,\|\, \mathcal{T}_{K_m}(E_{K_e}(M)).$$
The receiver first checks whether the received authentication tag is valid by running the MAC over the ciphertext and only if it is decrypts the ciphertext. The extension of EtM that includes associated data is specified as follows: $A \parallel E_{K_e}(M) \parallel T_{K_m}(A \parallel E_{K_e}(M))$. IPSec [150], the end-to-end security protocol operating on the IP layer of the Internet Protocol Suite, uses EtM to realise authenticated encryption.

Pros and Cons

Each of the above variants represents a valid approach to constructing an AE(AD) scheme. However, one needs to consider carefully which alternative to pick, since each of them has drawbacks in one way or another. We briefly discuss these issues below. From a theoretical point of view only EtM satisfies all conditions for the construction of a secure AE scheme, see [32] for more details, and thus EtM is the only construction among the three that can be recommended without restrictions. All three variants can be found in real-world protocols and applications, though, as we have just seen above. EaM clearly provides no integrity for the ciphertext, since the authentication tag is computed from the plaintext. Moreover, an attacker could (theoretically) derive information on the plaintext from the MAC, for example, if the MAC only provides weak security. This issue is clearly avoided with EtM, where the tag is computed from the ciphertext. Another drawback of EaM-based schemes is the need to spend significant resources on the decryption of the ciphertext before tag verification can be performed. If the latter fails, the time spent on decrypting the ciphertext is wasted. In the worst case, this could lead to an increased vulnerability of applications to Denial-of-Service attacks, where an attacker floods a target with invalid ciphertexts trying to shut down the system through overload. One well-known attack on the SSH protocol exploiting the aforementioned EaM weaknesses is described in [31].

MtE, the second variant, is from a theoretical point of view a better choice than EaM, see again [32]. From a practical point of view, however, it is unfortunately not perfect either and suffers from similar drawbacks as EaM: the ciphertext is not protected by the MAC and the authentication tag can only be verified after the ciphertext has been decrypted. Thus, resources spent on ciphertext decryption are wasted if tag verification fails. Moreover, the inclusion of the authentication tag in the ciphertext easily leads to security issues, as exploited by so-called padding oracle attacks [237]. This attack basically allows an adversary to decrypt an entire message without knowledge of the secret key if the Cipher Block Chaining (CBC) mode is used for data encryption. This is particularly dangerous since CBC has been one of the standard block cipher modes used in a wide range of protocols. The problem can be traced back to flaws in the interaction between tag verification and the extension of the plaintext to the block length of the block cipher through the padding scheme.

EtM avoids the above issues since the authentication tag is computed from the ciphertext. The first step on the receiver's side is thus to verify the tag and only if it is valid to decrypt the ciphertext. On the one hand, this eliminates any potential threat of leaking information on the plaintext through the MAC, and, on the other, it allows invalid ciphertexts to be discarded much faster, while no resources are wasted on the decryption of forged messages as in the case of EaM and MtE. In summary, EtM has theoretical as well as practical advantages over the other two variants and should be chosen if generic composition is considered for AE(AD). For instance, the continued problems with MtE-based schemes in (D)TLS eventually led to discussions to replace the latter with EtM ciphers, which guarantee much better security, performance, and robustness. The results of these discussions are summarised in [127]. All generic-composition-based schemes, however, share the drawback that two passes over the data are required, namely one for encryption and one for tag generation. While modern AE(AD) schemes derive very useful security features from the two-pass approach, it is also often desirable to have one-pass AE(AD) solutions. This can generally be achieved through special AE(AD) block cipher modes or dedicated AE(AD) schemes.
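The three generic compositions with associated data, written out as an added Python example (not code from the thesis): the `StreamCipher` key stream is a constructed HMAC-SHA256 counter-mode PRF standing in for AES-CTR, the nonce is treated as part of the associated data, and `prf_calls` records how much decryption work a receiver spends before it can reject a forged message, which is the practical difference between EtM and the other two.

```python
import hashlib
import hmac

# Added example (not code from the thesis): the generic compositions EaM, MtE
# and EtM with associated data.  StreamCipher is a CONSTRUCTED counter-mode
# key stream using HMAC-SHA256 as PRF (a stand-in for AES-CTR); the nonce is
# treated as part of the associated data A.  Keys and messages are samples.
TAG_LEN = 16


class StreamCipher:
    """E_Ke: XOR with a PRF key stream.  prf_calls counts the receiver's work."""

    def __init__(self, ke):
        self.ke = ke
        self.prf_calls = 0

    def _keystream(self, nonce, n):
        out = bytearray()
        ctr = 0
        while len(out) < n:
            out += hmac.new(self.ke, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
            self.prf_calls += 1
            ctr += 1
        return bytes(out[:n])

    def crypt(self, nonce, data):  # encryption == decryption for a stream cipher
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))


def tag(km, data):
    """T_Km: HMAC-SHA256 truncated to TAG_LEN bytes."""
    return hmac.new(km, data, hashlib.sha256).digest()[:TAG_LEN]


# Encrypt-and-MAC:  A || E(M) || T(A || M)
def eam_seal(cipher, km, nonce, a, m):
    return cipher.crypt(nonce, m), tag(km, nonce + a + m)


def eam_open(cipher, km, nonce, a, c, t):
    m = cipher.crypt(nonce, c)  # the tag is over M, so decryption must come first
    return m if hmac.compare_digest(tag(km, nonce + a + m), t) else None


# MAC-then-Encrypt:  A || E(M || T(A || M))
def mte_seal(cipher, km, nonce, a, m):
    return cipher.crypt(nonce, m + tag(km, nonce + a + m))


def mte_open(cipher, km, nonce, a, c):
    if len(c) < TAG_LEN:
        return None
    mt = cipher.crypt(nonce, c)  # the tag sits inside the ciphertext: decrypt, then split
    m, t = mt[:-TAG_LEN], mt[-TAG_LEN:]
    return m if hmac.compare_digest(tag(km, nonce + a + m), t) else None


# Encrypt-then-MAC:  A || E(M) || T(A || E(M))
def etm_seal(cipher, km, nonce, a, m):
    c = cipher.crypt(nonce, m)
    return c, tag(km, nonce + a + c)


def etm_open(cipher, km, nonce, a, c, t):
    if not hmac.compare_digest(tag(km, nonce + a + c), t):
        return None  # forgery rejected before any decryption work is spent
    return cipher.crypt(nonce, c)


def work_to_reject(opener, ke, km, nonce, a, *forged):
    """PRF calls a receiver spends on a forged message before rejecting it."""
    cipher = StreamCipher(ke)
    if opener(cipher, km, nonce, a, *forged) is not None:
        raise ValueError("forgery was accepted")
    return cipher.prf_calls
```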
We discuss some of those alternatives in the following sections.

AE(AD) Block Cipher Modes

AE(AD) block cipher modes of operation allow an arbitrary block cipher to be transformed into an authenticated encryption scheme, usually supporting associated data as well. In the following, we present a short overview of the most important ones.

Galois Counter Mode (GCM). GCM [196] is a one-pass nonce-based AE block cipher mode of operation supporting associated data. Its layout is suitable for achieving good speeds in soft- and hardware and can be parallelised for even higher performance. For example, GCM instantiated with AES, which is basically the default nowadays, achieves software speeds of 1.03 cycles per byte on the Intel Haswell microarchitecture [121], due to the availability of the special instructions AES-NI [122] and PCLMULQDQ [123]. In hardware, high speeds (even beyond 100 Gbps) can easily be reached on FPGAs [190] or ASICs [189]. AES-GCM can be found, for example, in TLS 1.2 [104] as an alternative to conventional MtE-based AEAD modes, in the IEEE 802.1ae media access control security (MACSec) standard [133], or in various industry cores [134, 179, 231]. Implementing AES-GCM is a rather complicated task, though, and constant-time implementations [149], necessary to thwart timing side-channel attacks [35], are even more challenging to realise without access to special CPU instructions like AES-NI. Moreover, constant-time implementations without AES-NI suffer from a noticeable performance loss. Furthermore, Joux presented an attack [136] showing that GCM is vulnerable to forgery attacks if a nonce-key pair is repeated, basically allowing an attacker to recover the secret key used for the computation of the authentication tag.

Offset Codebook Mode (OCB). Like GCM, OCB1-3 [171, 212, 214] is a one-pass nonce-based AE block cipher mode supporting a block size of 128 bit. It is usually instantiated with AES, where it achieves good performance in soft- and hardware, exceeding that of AES-GCM. For example, AES-OCB runs at about 0.69 cycles per byte on the Haswell microarchitecture when AES-NI [122] instructions are used [121]. To achieve even higher speeds, OCB allows parallelisation of data processing as well. Starting with version 2 [212], OCB additionally supports associated data, making it effectively an AEAD scheme. OCB3 [171] introduced some minor changes regarding offset computation and improved the performance of the scheme once again. A further advantage of OCB, compared to GCM, is that it is much easier to implement, which also holds for constant-time implementations. Unfortunately, OCB never found widespread adoption due to patent restrictions. In 2013, Rogaway relaxed the licensing of OCB considerably, e.g. allowing free use of the scheme in open-source software. Despite its many advantages it is also not completely without flaws. One minor issue pointed out in [111] is a collision attack that could be exploited if large amounts of data are processed. In order to prevent this attack, the amount of data processed per key must be limited to about 64 GiB.

Counter with CBC-MAC (CCM). CCM [242] is an AE block cipher mode for block lengths of 128 bit. It is usually instantiated with AES and was designed to be an alternative to OCB, avoiding the licensing issues of the latter. CCM combines CBC-MAC for authentication with CTR mode for encryption in a MAC-then-Encrypt fashion. CTR effectively makes the scheme a stream cipher that requires unique nonces for initialisation as long as the key is fixed. This is important, as confidentiality cannot be guaranteed for CTR if nonces are repeated. A drawback of CCM is that it is not online, meaning that the length of the processed data must be known in advance before one can proceed with encryption, and thus processing of data streams is prevented. In [215] even more design flaws are discussed, targeting different subjects such as efficiency, parametrisation, complexity, variable-tag-length subtleties, and wrong security claims. These all lead to the impression that CCM was not designed thoroughly. Despite these issues, CCM found its way into various protocols like IEEE 802.11i (WPA2), IPSec [150] and TLS 1.2 [104].

EAX Mode. EAX [33] is a nonce-based AEAD block cipher mode without any restrictions on the block length and supports authentication tag sizes up to the cipher's block size, which makes EAX very flexible. EAX was designed by the OCB team, aiming to address the many issues of CCM [215]. EAX has many desirable features: first of all it is accompanied by a proof of security showing that the security of the scheme can be reduced to the security of the underlying block cipher; ciphertext expansion is minimal, in the sense that the ciphertext has the same length as the plaintext plus the length of the authentication tag; CTR mode essentially requires no decryption functionality, since encryption and decryption are done simply by XORing the plaintext and ciphertext with a stream of pseudo-randomly generated bits; it is an online algorithm capable of processing streams of data without the need to know the total length of the data in advance; finally, EAX can process static AD, which is for instance useful when handling session data that changes only rarely.

Sponge Functions

Many of the symmetric-key modes are based on block or stream ciphers, as we have already seen above, but there also exist modes that use a fixed-size permutation as the underlying primitive. Designing such a permutation in a cryptographically strong way is, in some sense, equivalent to designing a block cipher without a key schedule. A very famous representative of these modes is the family of cryptographic sponge functions [45], which were introduced alongside Keccak [47] during the SHA-3 competition [222]. One of the remarkable features of sponge functions is their support for arbitrarily long input and output sizes, which allows various kinds of primitives to be built, like hash functions, such as Keccak, or stream ciphers. Beyond that, sponge functions can also be used to construct authenticated encryption schemes supporting associated data. These variants are then better known as duplex constructions. We will focus on this type in the following, since NORX, the authenticated encryption scheme introduced in Chapter 4, is also based on a duplex construction. Regarding basic definitions and notation we follow the work of Bertoni et al. [48], which presents a comprehensive introduction to the topic. Besides the specification, we also give an overview of the most important properties of duplex constructions.

Duplex Constructions. Duplex constructions (and sponge functions) are defined over a fixed-length function $f$, a padding scheme $\mathrm{pad}$, and a parameter $r$ in bits. The function $f$ is specified as $f : \mathbb{F}_2^b \to \mathbb{F}_2^b$ with $b = r + c$ bits, where $b$, $r$, and $c$ are called width, rate and capacity, respectively. The first $r$ bits of the state are used for data processing, while the last $c$ bits ensure the security of the primitive and are never affected directly by the input blocks or returned as output. Although not essential, the function $f$ is usually chosen to be a permutation on $b$ bits, which gives better security properties in general. The second component of a duplex construction, the padding rule $\mathrm{pad}_r : \mathbb{F}_2^n \to \mathbb{F}_2^{rm}$, extends an $n$-bit string $X$ to a multiple of the rate $r$, which is necessary for processing data of arbitrary sizes. In order to guarantee security, such a padding scheme has to be sponge compliant [45], which means that it must be injective, non-empty, and has to ensure that the last block is non-zero. We assume in the following that all input data has been padded accordingly and write $X = X_0 \parallel \cdots \parallel X_{m-1}$ with $|X_i| = r$ for $0 \le i \le m-1$.

While sponge functions are stateless in between calls, a duplex construction accepts, after initialisation, calls that take as input a bit string $X_i$ and a requested number of output bits $l_i$, with $0 \le l_i \le r$, and returns an $l_i$-bit output string $Y_i$ such that the latter depends on all $X_j$ for $0 \le j \le i$. In other words, an output of a duplex construction depends on all the inputs received so far. The process detailed above is also called duplexing and is denoted by $Y_i = D.\mathrm{duplexing}(X_i, l_i)$, where $D$ denotes a duplex object, which is a concrete instance of a duplex construction. Internally, first the input block $X_i$ is XORed into the first $r$ bits of the state, then the function $f$ is applied to the latter, and finally the first $l_i$ bits of the state are extracted and returned as output. Figure 4 shows the layout of a generic duplex construction.

Figure 4: The duplex construction (the $r$-bit and $c$-bit parts of the state are initialised with 0; each duplexing call absorbs $\mathrm{pad}_r(X_i)$, applies $f$ and returns the $l_i$-bit truncated output $Y_i$)

Constructing an authenticated encryption scheme with support for associated data from a duplex construction can be achieved as follows. First, the state is initialised with $0^b$, followed by absorption of a secret key $K$ and a nonce $N$ in the first duplexing call. Usually, no output is produced in this phase. Depending on the concrete sizes of $r$, $N$, and $K$, several duplexing calls may be necessary until all of the data has been absorbed. After this initial setup phase, one can start processing actual data. Now, let $A = A_0 \parallel \cdots \parallel A_{a-1}$ denote the (appropriately padded) associated data, i.e. $|A_i| = r$ for $0 \le i \le a-1$, and let $M = M_0 \parallel \cdots \parallel M_{m-1}$ denote the (appropriately padded) message, i.e. $|M_j| = r$ for $0 \le j \le m-1$. Without loss of generality, we assume that $A$ is processed before $M$; however, it is also allowed to be the other way round. In fact, duplex constructions allow arbitrarily interleaved data of different types to be processed, but we ignore this case here for reasons of simplicity. Authentication of associated data is done by calling $D$ to absorb block $A_i$ without requesting any output bits. Thus, the call is of the form $D.\mathrm{duplexing}(A_i, 0)$ for $0 \le i \le a-2$. Finally, during the duplexing of the last block $A_{a-1}$ of associated data, $r$ output bits are requested, i.e. $Y_{-1} = D.\mathrm{duplexing}(A_{a-1}, r)$, which are then used to encrypt the first plaintext block $M_0$ and obtain the corresponding ciphertext block through $C_0 = Y_{-1} \oplus M_0$. During plaintext processing, $r$ bits of output are requested in each call $Y_j = D.\mathrm{duplexing}(M_j, r)$ and the ciphertext blocks are obtained by $C_j = Y_{j-1} \oplus M_j$ for $0 \le j \le m-2$. The last block of plaintext processing, on the other hand, is handled differently, by requesting $t$ instead of $r$ output bits, which are used as the authentication tag $T$; in other words, the last call is $T = D.\mathrm{duplexing}(M_{m-1}, t)$. This completes the authentication of $A$ and the authenticated encryption of $M$, and the tuple $(N, A, C, T)$ can be transmitted.

Properties of Duplex Constructions. Authenticated encryption modes based on duplex constructions have many desirable properties:
- Duplex constructions inherit all the strong security bounds of the sponge function family and benefit from the extensive analysis conducted on sponge functions [7, 43, 45, 46, 48, 51, 141].
- Encryption is performed as in a stream cipher, directly by XORing the plaintext with a pseudo-randomly generated key stream, which allows decryption to be performed analogously. Therefore, the function $f$ is sufficient for both encryption and decryption and no inverse function $f^{-1}$ is necessary.
- Data that requires authentication and data that requires authenticated encryption can be interleaved arbitrarily.
- Duplex constructions can issue intermediate tags due to their flexible data processing capabilities.
- Encryption is not expanding, i.e. plaintext and ciphertext have the same length.
- Duplex constructions are single-pass and require only a single call to the function $f$ for each processed data block.

There are also some limitations, though. Firstly, the basic variant of the mode is serial and cannot be parallelised on an algorithmic level. However, in Chapter 4 we will present a modified version of the duplex construction for NORX which is capable of processing data in parallel.
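The duplex-based AEAD scheme described above, written out as an added Python example (not code from the thesis or from NORX). The permutation `f_toy`, the parameters $b = 64$, $r = c = 32$, $t = 32$ bits and the sample key, nonce and messages are constructed here for illustration; the padding bits are absorbed but the ciphertext is truncated to $|M|$ so that encryption does not expand, and the receiver releases no plaintext before the tag verifies. Beyond the text, it also shows what a reused nonce gives away: two messages that share a prefix of whole blocks get identical ciphertext blocks there, and their first differing blocks leak $M \oplus M'$.

```python
import hmac

# Added example (not code from the thesis or from NORX): an AEAD scheme built
# on the duplex construction exactly as described above, with width b = 64,
# rate r = 32, capacity c = 32 and tag length t = 32 bits.  The permutation
# f_toy is CONSTRUCTED for illustration: it is a bijection on 64 bits but has
# no cryptographic strength (a real scheme uses Keccak-f or the NORX permutation).
B, R, T = 8, 4, 4  # width, rate and tag length in bytes
MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def f_toy(state):
    """Toy ARX permutation on two 32-bit words; every step is invertible."""
    a, c = state >> 32, state & MASK32
    for i in range(8):
        a = (a + c + i) & MASK32
        c = rotl32(c, 13) ^ a
        a = rotl32(a, 7)
    return (a << 32) | c


def pad_r(data, r):
    """Sponge-compliant pad10*1: injective, never empty, last block never zero."""
    out = bytearray(data) + b"\x01"
    out += b"\x00" * (-len(out) % r)
    out[-1] |= 0x80
    return bytes(out)


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


class Duplex:
    """Duplex object D over f_toy: b-bit state, inputs XORed into the first r bits."""

    def __init__(self):
        self.state = 0  # initialised with 0^b

    def duplexing(self, block, l):
        assert len(block) == R and 0 <= l <= R
        self.state ^= int.from_bytes(block, "big") << (8 * (B - R))  # X_i into the rate part
        self.state = f_toy(self.state)
        return self.state.to_bytes(B, "big")[:l]  # first l bits of the state


def _setup(key, nonce, ad):
    """Absorb K || N without output, then A_0..A_{a-2} without output and A_{a-1} with r output bits."""
    D = Duplex()
    kn = pad_r(key + nonce, R)
    for i in range(0, len(kn), R):
        D.duplexing(kn[i:i + R], 0)
    A = pad_r(ad, R)
    for i in range(0, len(A) - R, R):
        D.duplexing(A[i:i + R], 0)
    return D, D.duplexing(A[-R:], R)  # Y_{-1}, the key stream block for M_0


def aead_encrypt(key, nonce, ad, msg):
    D, y = _setup(key, nonce, ad)
    M = pad_r(msg, R)
    C = bytearray()
    for j in range(0, len(M), R):
        C += xor(M[j:j + R], y)  # C_j = Y_{j-1} xor M_j
        if j + R < len(M):
            y = D.duplexing(M[j:j + R], R)  # Y_j = D.duplexing(M_j, r)
        else:
            tag = D.duplexing(M[j:j + R], T)  # T = D.duplexing(M_{m-1}, t)
    return bytes(C[:len(msg)]), tag  # padding is absorbed but not transmitted: |C| = |M|


def aead_decrypt(key, nonce, ad, ct, tag):
    """Plaintext, or None if the tag fails; nothing is released before the check."""
    D, y = _setup(key, nonce, ad)
    suffix = pad_r(b"\x00" * len(ct), R)[len(ct):]  # the padding depends on |C| only
    total = len(ct) + len(suffix)
    msg = bytearray()
    for j in range(0, total, R):
        c_blk = ct[j:j + R]
        msg += xor(c_blk, y[:len(c_blk)])
        m_blk = (bytes(msg) + suffix)[j:j + R]  # padded plaintext block M_j
        if j + R < total:
            y = D.duplexing(m_blk, R)
        else:
            tag2 = D.duplexing(m_blk, T)
    return bytes(msg) if hmac.compare_digest(tag, tag2) else None
```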
Secondly, since encryption works as in a stream cipher, it is essential for the security of the scheme that nonce freshness is ensured. Otherwise, the first differing plaintext blocks $M \ne M'$ that are encrypted with the same key stream block $Y$ leak their respective XOR through the XOR of the corresponding ciphertexts $C$ and $C'$, namely $C \oplus C' = (M \oplus Y) \oplus (M' \oplus Y) = M \oplus M'$.

Other AE Constructions

There are also AE(AD) schemes following other design approaches that do not fall into one of the aforementioned categories. For example, Helix [113], Phelix [243], and Hummingbird-2 [106] are dedicated hybrid AE primitives offering efficient stream encryption and MAC computation at the same time, similar to the duplex construction described above. However, all three of these primitives were shown to be weak [192, 201, 203, 247]. Another example is the stream cipher Grain-128a [2], which optionally offers an extension for authenticated encryption. At this point, we do not go into further details but refer the interested reader instead to the referenced literature.

1.2 Cryptanalysis

How secure is a given cryptographic construction? The main goal of cryptanalysis is to find the answer to this question. There are countless ways in which a given cryptographic primitive can be analysed. In the following, we introduce the general categories of cryptanalytic attacks. An overview is given in Figure 5, which is of course neither exhaustive nor exact in every detail.

Figure 5: Categories of common cryptanalytic attacks (conventional attacks: brute-force, differential, linear, algebraic, rotational attacks, ...; implementation attacks: power-analysis, timing, electromagnetic, fault-based attacks, ...)

The success of an attack is usually measured in terms of required time, memory, and data. It usually depends on two factors, namely on the attack outcome, which categorises the goals an adversary tries to achieve with his attack, and the adversarial model, which specifies what an adversary is allowed or capable of doing during an attack. Further, an attack against a class of cryptographic constructions is called generic if it works without exploiting any concrete details of the members of that class. For example, exhaustively searching through all candidates of the key space of a symmetric-key primitive is a generic attack. Otherwise, if an attack requires certain features of a concrete cryptographic construction, it is called non-generic. In the field of cryptanalysis, one usually assumes that the adversary knows all the details of the attacked cryptographic primitive except for the secret key that was provided by the user. This assumption is commonly called Kerckhoffs' Principle, which goes back to Auguste Kerckhoffs, who laid out requirements for a usable field cipher in 1883 [151].

Time, Memory and Data

In cryptanalysis, the success of an attack is measured by the amount of resources it consumes. As already noted above, there are usually three types of resources that are of interest for an attack:

Time: The time, or work effort, required to mount an attack. How exactly time is measured often depends on the given attack. One example is the number of necessary encryption operations. Time is usually the main resource by which the effectiveness of an attack is categorised, but it is not the only one. Time is also often referred to as the offline complexity of an attack.

Memory: The required amount of memory to execute an attack is usually another important factor. In general, if an attack has a high memory consumption it is considered much worse than having a comparable amount of time consumption. There is a general rule saying that "time is cheaper than memory" [128], which nicely captures the intuition that, for example, given a 128-bit block cipher, it is easier to perform $2^{40}$ encryption runs than to keep the results of $2^{40}$ encryption runs (= 16 TiB) in memory.

Data: The required amount of data is the third important resource of an attack. If the time required to collect the data for an attack far exceeds usual usage patterns, then the practical impact of the attack is limited. Data is also often referred to as the online complexity of an attack.

Note that attacks usually do not require just a single one of the above resources but rather a mix of all three. Resources can also be traded against each other, which leads to so-called trade-off attacks, a concept which is briefly discussed later. The amount of used resources adds another dimension to the categorisation of an attack: if it is not feasible to raise the required resources in a suitable setting (with current technology), then the attack is called theoretical. Otherwise, it is called practical. For example, an attack that targets a 128-bit block cipher and requires $2^{120}$ encryption runs can clearly be classified as theoretical. In contrast, an attack on the same cipher that requires $2^{40}$ encryption runs (and negligible other resources) can certainly be considered practical.

Attack Objectives

The possible outcomes of an attack can differ immensely and depend on various factors. A rather common categorisation of attack objectives for block ciphers, as presented in [162], can be given as follows:
1. Key Recovery. The attacker can recover the secret key $K$. This is the most powerful outcome of an attack.
2. Global Deduction. The attacker can compute encryption $E_K(\cdot)$ or decryption $D_K(\cdot)$ without knowing the secret key $K$.
3. Local Deduction. The attacker can compute encryption $E_K(M)$ or decryption $D_K(C)$ without knowing $K$ for some messages $M$ or ciphertexts $C$.
4. Distinguishing. The attacker can effectively distinguish $E_K(\cdot)$ from a permutation chosen uniformly at random. Trying to distinguish encrypted from random data is the most basic attack an adversary can mount on a cryptographic primitive.

These attack outcomes are ordered such that an adversary achieving one of them automatically achieves all that follow. This means in particular that if an attacker is not capable of distinguishing a given block cipher from a permutation chosen uniformly at random, then the block cipher is, in some sense, perfect. Note that the above hierarchy of attack outcomes may differ for other cryptographic primitives. For instance, an attack objective for stream ciphers might be the reconstruction of the internal state, which is clearly a successful outcome but does not necessarily lead directly to recovery of the secret key. Adversaries targeting keyless hash functions again have differing attack objectives. While distinguishing a hash function from a pseudorandom function still forms the basis in this context, the objective of key recovery is obviously meaningless. Instead, attackers are usually interested in constructing collisions, pre-images, or second pre-images, see Section 1.1.3.

Adversarial Models

The capabilities of an adversary regarding the operations he is able or allowed to execute are another important factor during a cryptanalytic attack. These conditions are usually summarised in adversarial models and are categorised by the type of data and by the type of access an adversary requires to successfully mount a given attack. The type of data differentiates between inputs and outputs of a cryptosystem, such as secret keys, plaintexts, and ciphertexts, and the type of access differentiates between reading, writing and adaptive writing access, which are denoted as known values, chosen values and adaptively chosen values, respectively. An overview of the main adversarial models in classical cryptanalysis, as presented in [162], is given below:
1. Ciphertext-only Attacks. The adversary knows only the ciphertext and has no access to the plaintext. A cryptographic primitive vulnerable to such kinds of attacks is considered extremely weak, since it is possible to distinguish it from a random permutation by analysing only ciphertexts.
2. Known-plaintext Attacks. The adversary has reading access to plaintexts and corresponding ciphertexts processed by the cipher. A representative of this category is, for example, linear cryptanalysis [182].
3. Chosen-plaintext Attacks. These are similar to known-plaintext attacks, with the difference that an adversary is allowed to choose the concrete plaintexts to be encrypted before the attack. A well-known attack type of this category is differential cryptanalysis [58].
4. Chosen-ciphertext Attacks. The adversary can choose ciphertexts to be decrypted by the cipher before the attack starts and has reading access to the resulting plaintexts.
5. Adaptively Chosen-plaintext Attacks. The adversary can choose plaintexts to be encrypted during the attack and is not forced to choose them before the attack starts, as in the case of the chosen-plaintext scenario. The attacker also has access to the resulting ciphertexts.
6. Adaptively Chosen-ciphertext Attacks. The adversary can choose ciphertexts to be decrypted during the attack and is not forced to choose them before the attack starts, as in the case of the chosen-ciphertext scenario. The attacker also has access to the resulting plaintexts.
7. Related-key Attacks. The adversary can encrypt plaintexts and decrypt ciphertexts with the attacked key and with keys related to the latter [53], which, for example, differ only at certain bit positions.

The attacker has more control over the analysis of the block cipher with each of the above steps, which enables him to mount increasingly powerful attacks. At the same time, however, gathering data of a given type becomes increasingly demanding the further we go down that list. The above categorisation therefore also gives an indication of the (im-)practicability of the attacks. The above models also form the basis for implementation attacks; however, there the attacker is assumed to have additional capabilities. Concrete details are discussed later in this chapter.

1.2.1 Brute-Force Attacks

A conceptually very simple attack, operable against any symmetric cryptographic primitive, is an exhaustive search for the shared secret key $K$. Obviously, this approach is independent of the design of the cipher. For example, in the case of block ciphers, the adversary simply enumerates all key candidates of the search space and tests every single one of them against a known message-ciphertext pair until the correct key is found. This particular category of cryptanalytic techniques is also known as brute-force attacks. Since there is no way of preventing an adversary from mounting such an exhaustive search, designers of cryptographic primitives try to ensure that brute-force is the best attack available to an adversary. Exhaustive search techniques are also often part of more advanced cryptanalytic attacks. More formally, an attacker who knows a message-ciphertext pair $(M, E_K(M))$ and the corresponding encryption algorithm $E$ "just" needs to try $2^k$ keys to find the secret key with probability one, where $k = |K|$. In general, if he checks $n \le 2^k$ keys, he succeeds with a probability of $n/2^k$, and if he targets $m < n/2^k$ keys at once, he succeeds with a probability of $mn/2^k$.

Time-Memory Trade-Offs

Exhaustive search techniques test one key after another but take no role for memory into account. However, in many cases it is possible to improve certain attacks if some form of memory is available, which also holds for brute-force. An obvious application of memory in the cryptanalysis of block ciphers are so-called dictionary attacks, which are, in some way, the counterpart to exhaustive search. In the offline phase, i.e. before the actual attack starts, an attacker pre-computes all $2^k$ possible ciphertexts for a single known plaintext and stores all of the key-ciphertext tuples in a table sorted by the value of the ciphertext. If an adversary then intercepts a ciphertext in the online phase of the attack, he just needs to look up the ciphertext, thereby retrieving the corresponding key, which represents a candidate for the secret key. The requirements for such dictionary attacks are $2^k$ words of storage, where the size of a word depends on the attacked cipher. These two extreme situations, i.e. exhaustive search versus dictionary attacks, call out for a trade-off. Time-memory trade-offs (TMTO) were introduced in the context of cryptanalysis by Hellman [128] in 1980. The idea here is simple: if a certain attack has to be carried out multiple times, it may be possible to execute the exhaustive search in advance and store all results in memory. In other words, the values pre-computed in the offline phase are used to improve the running time of the attack in the online phase. However, the storage requirements compared to a dictionary attack are greatly reduced. The typical application of this method is the recovery of a key $K$ when a plaintext $M$ and its corresponding ciphertext $C = E_K(M)$ are known.

The basic idea of Hellman's TMTO attack is to compute from a chosen plaintext $M$ and a sequence of key candidates $K_{0,0}, \ldots, K_{s-1,0}$, the starting points, key sequences $K_{i,j+1} = R(E_{K_{i,j}}(M))$ of length $t$, with $i \in \{0, \ldots, s-1\}$ and $j \in \{0, \ldots, t-2\}$, where $R$ is a reduction function that maps a ciphertext to a key candidate. From those sequences only the starting and end points are saved in a table as pairs $(K_{0,0}, K_{0,t-1}), \ldots, (K_{s-1,0}, K_{s-1,t-1})$. Once an attacker intercepts a ciphertext $C$, he can use the pre-computed tables to check for potential key candidates by going step-wise through the table, partially reconstructing intermediate results of the $t$ key sequences if no match is found. Without going into the exact details at this point, the work in [128] shows that, for a cryptosystem with $2^n$ keys, the secret key can be recovered in $2^{2n/3}$ operations and $2^{2n/3}$ words of memory. To put Hellman's TMTO attack into perspective, it is estimated that the above attack can be used against DES requiring approximately 64 GiB of memory and $2^{48}$ DES operations instead of $2^{56}$ DES operations for exhaustive search (in the worst case scenario).
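Hellman's trade-off from above, written out as an added Python example (not the thesis's code) against a constructed 16-bit toy block cipher, so that the whole key space of $2^{16}$ keys can be explored in seconds: chains $K_{i,j+1} = R(E_{K_{i,j}}(M))$ are built offline, only the (end point, start point) pairs are kept, and the online phase walks from $R(C)$ towards an end point, rebuilding the matching chain and handling false alarms from merged chains. The cipher `toy_encrypt`, the reduction functions `reduce_key`, the ch

Let me finish the insert properly.

The cipher `toy_encrypt`, the reduction functions `reduce_key`, the table sizes ($m = 256$ chains of length $t = 16$ in 16 tables, one reduction function per table, as in Hellman's multi-table scheme) and the plaintext `MSG` are this example's own choices; the tables cover a large fraction, not all, of the key space, which `coverage` measures.

```python
import random

# Added example (not code from the thesis): Hellman's time-memory trade-off
# run against a CONSTRUCTED 16-bit toy block cipher, so that the whole key
# space (2^16 keys) can be explored in a few seconds of Python.  Start points,
# the reduction functions and the sample plaintext are chosen here for illustration.
MASK16 = 0xFFFF
N_KEYS = 1 << 16
MSG = 0x1234  # the chosen plaintext M used for every chain and for the attack


def toy_encrypt(key, msg):
    """8-round Feistel toy cipher, 16-bit block and key (a permutation per key, not secure)."""
    l, r = msg >> 8, msg & 0xFF
    for i in range(8):
        sub = (((key >> (4 * (i % 4))) & 0xF) * 0x11) ^ i  # round subkey from one key nibble
        f = ((r ^ sub) * 0x35 + 0x17) & 0xFF
        f = ((f << 3) | (f >> 5)) & 0xFF
        l, r = r, l ^ f
    return (l << 8) | r


def reduce_key(tid, ct):
    """Reduction function R_tid: maps a ciphertext back to a key candidate (one R per table)."""
    return (ct + 0x9E37 * (tid + 1)) & MASK16


def build_tables(m, t, ntables, seed=1):
    """Offline phase: ntables tables of m chains K_{i,j+1} = R(E_{K_{i,j}}(M)) of length t.
    Only (end point -> start points) is stored; all start points are kept when end points collide."""
    rng = random.Random(seed)
    tables = []
    for tid in range(ntables):
        table = {}
        for _ in range(m):
            start = k = rng.randrange(N_KEYS)  # K_{i,0}
            for _ in range(t - 1):
                k = reduce_key(tid, toy_encrypt(k, MSG))
            table.setdefault(k, []).append(start)  # K_{i,t-1} -> K_{i,0}
        tables.append(table)
    return tables


def tmto_attack(tables, t, ct):
    """Online phase: a key k with E_k(M) == ct, or None if the tables do not cover it."""
    for tid, table in enumerate(tables):
        y = reduce_key(tid, ct)  # if the key sits at chain position j, y is position j+1
        for _ in range(t):
            for start in table.get(y, ()):
                k = start  # rebuild the chain from its start point and test each candidate
                for _ in range(t):
                    if toy_encrypt(k, MSG) == ct:
                        return k
                    k = reduce_key(tid, toy_encrypt(k, MSG))
                # no candidate matched: a false alarm caused by merged chains, keep going
            y = reduce_key(tid, toy_encrypt(y, MSG))
    return None


def coverage(tables, t, samples, seed=7):
    """Fraction of random keys recovered; every returned key is checked against E_k(M)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        k = rng.randrange(N_KEYS)
        ct = toy_encrypt(k, MSG)
        found = tmto_attack(tables, t, ct)
        if found is not None:
            assert toy_encrypt(found, MSG) == ct
            hits += 1
    return hits / samples
```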
Over the years many enhancements were published for Hellman's TMTO attack. In 1992, Rivest introduced distinguished points [102], where only key candidates of a particular shape are saved as end points in the table, for example keys that have only zeroes in the ten leftmost bits. This approach offers a couple of advantages over plain Hellman tables: the structural knowledge can be used to reduce the number of memory accesses in the online phase of the attack. However, distinguished points also have some disadvantages. For example, it is harder to estimate the actual key coverage, since the computed sequences are very likely to have different lengths. For a more detailed discussion we refer the interested reader to the literature [102, 162]. In 2003, Oechslin [200] presented another modification, the so-called rainbow tables, which fix several issues of Hellman's approach and additionally offer computational advantages in the online phase. The most notable change is that rainbow tables use a sequence of reduction functions $R_1, \ldots, R_l$ instead of only a single one, which gives them advantages similar to those of distinguished points while avoiding their weaknesses. An attack based on rainbow tables requires about half of the online work effort of an attack based on Hellman's tables, while both attacks have the same key coverage and the same requirements with respect to precomputation and memory. Rainbow tables became widely known through their application in password cracking. A comprehensive treatment of the topic is beyond the scope of this doctoral thesis; hence, we refer the interested reader again to the literature [162, 200].

Time-Processor Trade-Offs

One great advantage of brute-force cryptanalysis is that it is trivial to parallelize. An attack that checks $n$ keys can simply be distributed to $c$ nodes, lowering the workload of each node to $n/c$ guesses. Obviously, parallelization offers a linear speedup for brute-force attacks. The design of dedicated hardware for parallel cryptanalytic attacks, so-called time-processor trade-offs, was discussed by Bernstein [38] in 2005. That work shows by estimation that a moderately designed parallel machine can be considerably more efficient than a serial counterpart while being only about twice as expensive. Using AES as an example, the work illustrates that a parallel machine consisting of $2^{32}$ AES circuits and a comparable amount of memory has a probability of success of around $2^{-69}$ to find an AES key in only $2^{27}$ AES computations. If more than one key is targeted, say $2^{10}$ keys, then the probability increases to $2^{-59}$ while the number of required AES computations stays fixed at $2^{27}$. For comparison, the serial machine is expected to find a single secret key, respectively one out of $2^{10}$ keys, with probabilities of $2^{-69}$ and $2^{-59}$, where both scenarios require $2^{59}$ AES computations. In other words, the parallel machine is by a factor of around $2^{59}/2^{27} = 2^{32}$ more efficient than its serial counterpart. With regard to brute-force attacks, time-processor trade-offs are (hypothetically) considerably more efficient than time-memory trade-offs, since the latter often neglect the communication cost between a processor and a huge memory. In contrast, the time-processor trade-offs above assume that each circuit has its own small memory in which only a handful of intermediate results (around $2^4$) are buffered, i.e. memory accesses are kept to an absolute minimum. For further reading we also refer to the work of Wiener from 2004 [244], which presents a survey of the real costs of cryptanalytic attacks.

1.2.2 Differential Attacks

Differential cryptanalysis was discovered by Biham and Shamir in the early 1990s [58, 59], where they investigated differential attacks on various block ciphers and hash functions. They noted, in particular, that DES seems to be remarkably resistant against differential attacks and would be much more vulnerable with only a few minor modifications. Coppersmith, who is one of the original designers of DES, published a paper in 1994 revealing that the IBM design team
of DES had been aware of differential cryptanalysis as early as 1974 [88]. Differential cryptanalysis belongs to the most powerful tools in the repertoire of every cryptanalyst and, despite being invented for the cryptanalysis of block ciphers [162], was extended to other symmetric primitives as well [124, 187, 233, 247]. The basic idea of differential attacks is the exploitation of correlations between input and output differences of a cryptographic primitive, i.e. differential attacks utilise the non-ideal propagation of differences through a primitive when considering plaintext-ciphertext pairs. Differences are usually computed with respect to bitwise XOR, but there are also other use cases where differences are considered, for example, with respect to modular integer addition. Differential cryptanalysis belongs to the category of chosen-plaintext attacks as introduced above.

In the simplest case, consider a cryptosystem very similar to a one-time pad which encrypts a plaintext $M$ with a key $K$ to a ciphertext $C$ by computing $C = M \oplus K$. If $K$ is used a second time to encrypt another message $M'$, i.e. $C' = M' \oplus K$, then an attacker who intercepts both $C$ and $C'$ is able to trivially derive information on the plaintexts by computing the XOR-difference of the ciphertexts
$$C \oplus C' = (M \oplus K) \oplus (M' \oplus K) = M \oplus M'.$$
Although this is a very simple example, it nevertheless illustrates the basic idea of differential cryptanalysis very well. Since real-world ciphers are much more complex than the above example, a more general approach to differential cryptanalysis is required.

Differences and Differentials

In this part, we introduce the basic notions and concepts that are used in differential cryptanalysis. Let $x, x' \in \mathbb{F}_2^n$ be $n$-bit strings. We call $\Delta = x \oplus x'$ the $n$-bit difference of $x$ and $x'$ with respect to bitwise XOR, or XOR-difference for short. For an $n$-bit difference $\Delta$ with Hamming weight $\mathrm{hw}(\Delta) = m$, we also call the $m$ 1-entries of $\Delta$ the active bits of $\Delta$.

Let $f$ be a vector Boolean function of the form $f : \mathbb{F}_2^n \to \mathbb{F}_2^m,\ x \mapsto y$ with $n, m \in \mathbb{N}$, and let $\alpha \in \mathbb{F}_2^n$ and $\beta \in \mathbb{F}_2^m$ be XOR-differences. We call $(\alpha, \beta)$ an XOR-differential with respect to $f$ if there exists a bit string $x \in \mathbb{F}_2^n$ such that the following equation holds:
$$f(x \oplus \alpha) \oplus f(x) = \beta.$$
If no such bit string $x$ exists, then $(\alpha, \beta)$ is called an impossible XOR-differential with respect to $f$. We denote a differential by $\alpha \xrightarrow{f} \beta$. If the context is clear, we skip the $f$ above the arrow and just write $\alpha \to \beta$. Furthermore, we call $\alpha$ the input difference and $\beta$ the output difference of the differential with respect to the function $f$. Each differential has an associated probability, which describes the likelihood that, for input pairs $x$ and $x \oplus \alpha$ where $x$ was chosen uniformly at random, the output difference $\beta$ indeed appears after the application of $f$. Let $f$ be a vector Boolean function as specified above and let $\delta = (\alpha, \beta)$ be an XOR-differential with respect to $f$. The probability $\mathrm{xdp}^f$ that $\delta$ holds is defined as
$$\mathrm{xdp}^f(\delta) = \frac{\left|\{x \in \mathbb{F}_2^n : f(x \oplus \alpha) \oplus f(x) = \beta\}\right|}{2^n}.$$
The value $\mathrm{xdp}^f(\delta)$ is also called the XOR-differential probability of $\delta$. Moreover, for $\mathrm{xdp}^f(\delta) = 2^{-w}$ we call $w$ the XOR-(differential) weight of $\delta$. Note that the differential probability of an impossible differential is always 0 by definition, since $\{x \in \mathbb{F}_2^n : f(x \oplus \alpha) \oplus f(x) = \beta\} = \emptyset$. To capture all information on a differential $(\alpha, \beta)$ of $f$ having probability $p$ in a compact form, we write $\alpha \xrightarrow{f} \beta : p$.

Differential cryptanalysis was originally developed for the security analysis of block ciphers, as already mentioned in the introduction. These cryptographic primitives are usually built from a (cryptographically weak) round function $f$ which is then iterated $r$ times. However, for decently designed block ciphers it is usually infeasible to directly find differentials of high probability for all $r$ rounds. Therefore, it is reasonable to not only consider input and output differences of the cryptographic primitive but to analyse intermediate values after each of the $r$ rounds as well. This leads to the concept of differential characteristics (or paths, or trails). Let $f_0, \ldots, f_{r-1}$ be a sequence of vector Boolean functions defined by $f_i : \mathbb{F}_2^n \to \mathbb{F}_2^n,\ x \mapsto y$ for $i \in \{0, \ldots, r-1\}$ and let $\alpha_0, \ldots, \alpha_r \in \mathbb{F}_2^n$ denote differences such that $\alpha_i \xrightarrow{f_i} \alpha_{i+1}$. We call $(\alpha_0, \ldots, \alpha_r)$ an (XOR-differential) characteristic, or path, or trail with respect to the functions $f_0, \ldots, f_{r-1}$ and denote it by
$$\alpha_0 \xrightarrow{f_0} \cdots \xrightarrow{f_{i-1}} \alpha_i \xrightarrow{f_i} \cdots \xrightarrow{f_{r-1}} \alpha_r.$$
The values $\alpha_0$ and $\alpha_r$ are called the input and output difference, and the $\alpha_j$ with $j \in \{1, \ldots, r-1\}$ are called the internal differences of the characteristic. A visualisation of such a differential characteristic in an iterated block cipher with rounds $f_i$ and round keys $K_i$ for $i \in \{0, \ldots, r-1\}$ is given in Figure 6.

Figure 6: XOR-differential characteristic in an iterated $r$-round block cipher (the two encryptions $M \mapsto C$ and $M' \mapsto C'$ through the rounds $f_0, \ldots, f_{r-1}$ with round keys $K_0, \ldots, K_{r-1}$, and the differences $\alpha_0, \ldots, \alpha_r$ between the corresponding intermediate states).

To compute the differential probability $p$ of the entire characteristic, one generally assumes that the sequence of differences forms a Markov chain and that the plaintexts and round sub keys are independent and uniformly random [177]. Thus, $p$ is simply the product of the probabilities of each single step. More formally, let $(\alpha_0, \ldots, \alpha_r)$ be a differential characteristic with $\alpha_i \xrightarrow{f_i} \alpha_{i+1} : p_i$, where $p_i = \mathrm{xdp}^{f_i}(\alpha_i, \alpha_{i+1})$ for $i \in \{0, \ldots, r-1\}$. The overall probability $p$ of the characteristic $(\alpha_0, \ldots, \alpha_r)$ is then approximated by
$$p \approx \prod_{i=0}^{r-1} p_i.$$
An obvious question that comes to mind at this point is how differentials and characteristics relate to each other. A differential is composed of all differential characteristics which share the same input and output differences $\alpha_0$ and $\alpha_r$, respectively, but have distinct internal differences $\alpha_i$ for $i \in \{1, \ldots, r-1\}$. In a first step, it is often assumed that the probability of a differential can be approximated by the highest probability of one of its differential characteristics. While this works in most cases as an initial approximation, it usually turns out to be too rough due to differential effects such as trail clustering [49, 64], where many characteristics with a similar probability and the same input and output differences form a differential and contribute equally to its probability. As a consequence, the probability of the differential is much higher than that of any single characteristic.

XOR-differentials are the most common type used in differential cryptanalysis. However, one could transfer the above concepts to other group operations and their inverses, too. One such class are, for example, $f$-differentials with respect to XOR, where $f$ is a vector Boolean function. We briefly motivate this approach below. Assume that differences are expressed through a vector Boolean function $f : \mathbb{F}_2^{2n} \to \mathbb{F}_2^n$ instead of XOR. A tuple $(\alpha, \beta, \gamma)$ of differences is called an $f$-differential with respect to XOR if there exist $n$-bit strings $x$ and $y$ such that the following equation holds:
$$f(x, \alpha) \oplus f(y, \beta) = f(x \oplus y, \gamma).$$
If no such $n$-bit strings $x$ and $y$ exist, the $f$-differential is called impossible with respect to XOR. We denote such an $f$-differential by $(\alpha, \beta) \to \gamma$, where $\alpha$ and $\beta$ are the input differences and $\gamma$ is the output difference. Let $f$ be a vector Boolean function and $\delta = (\alpha, \beta, \gamma)$ be an $f$-differential. The probability $\mathrm{fdp}$ that $\delta$ holds is defined as
$$\mathrm{fdp}(\delta) = \frac{\left|\{x, y \in \mathbb{F}_2^n : f(x, \alpha) \oplus f(y, \beta) \oplus f(x \oplus y, \gamma) = 0\}\right|}{2^{2n}}.$$
We call $\mathrm{fdp}(\delta)$ the $f$-differential probability of $\delta$. Moreover, for $\mathrm{fdp}(\delta) = 2^{-w}$ we call $w$ the $f$-(differential) weight of $\delta$. The notions of an $f$-differential characteristic and its associated probability can be defined analogously to those of XOR-differential characteristics above.

Using Differentials

Differentials can be used for cryptanalysis in various ways. Below we review the most common applications, which are distinguishers, key recovery, and the construction of collisions in hash functions.
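Before turning to these applications, the definitions above (XOR-differential probability, weight and impossible differentials, characteristics under the Markov assumption, trail clustering, and $f$-differentials with respect to XOR) are made concrete in the following worked example. It is an added example and not part of the thesis: the 4-bit PRESENT S-box is used as the vector Boolean function $f$ (this choice is an assumption of the example), two S-box rounds with a uniformly random key in between serve as the key-alternating model in which the Markov assumption holds exactly, and modular addition $f(x, d) = x + d \bmod 2^n$ is the function whose $f$-differentials with respect to XOR are computed (for this $f$, $\mathrm{fdp}$ is the additive differential probability of XOR known from the literature).

```python
import math
from fractions import Fraction
from itertools import product

# 4-bit PRESENT S-box, used here as the vector Boolean function f of the
# definitions above. Choosing this S-box is an assumption of the example;
# the thesis does not discuss it at this point.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 4
SIZE = 1 << N_BITS


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = |{x : S(x ^ a) ^ S(x) = b}|."""
    table = [[0] * len(sbox) for _ in sbox]
    for a in range(len(sbox)):
        for x in range(len(sbox)):
            table[a][sbox[x ^ a] ^ sbox[x]] += 1
    return table


DDT = ddt(SBOX)


def xdp(alpha, beta):
    """XOR-differential probability xdp^S(alpha, beta), as an exact fraction."""
    return Fraction(DDT[alpha][beta], SIZE)


def is_impossible(alpha, beta):
    """(alpha, beta) is an impossible XOR-differential iff no x realises it."""
    return DDT[alpha][beta] == 0


def weight(alpha, beta):
    """XOR-differential weight w with xdp = 2^-w; None if the differential is impossible."""
    p = xdp(alpha, beta)
    return None if p == 0 else -math.log2(float(p))


def trail_probability(trail):
    """Markov-assumption probability of a characteristic (a_0, ..., a_r) through
    r S-box rounds with independent uniform round keys: product of the steps."""
    p = Fraction(1)
    for a_in, a_out in zip(trail, trail[1:]):
        p *= xdp(a_in, a_out)
    return p


def two_round_trails(alpha, gamma):
    """Every two-round characteristic alpha -> beta -> gamma with non-zero
    probability, keyed by its internal difference beta."""
    trails = {}
    for beta in range(SIZE):
        p = trail_probability((alpha, beta, gamma))
        if p > 0:
            trails[beta] = p
    return trails


def two_round_differential_exact(alpha, gamma):
    """Exact probability of the differential alpha -> gamma over the two-round
    map x -> S(S(x) ^ k), averaged over uniform x and a uniform middle key k.
    In this key-alternating model it equals the sum over all characteristics."""
    hits = sum(1 for x, k in product(range(SIZE), repeat=2)
               if SBOX[SBOX[x ^ alpha] ^ k] ^ SBOX[SBOX[x] ^ k] == gamma)
    return Fraction(hits, SIZE * SIZE)


def fdp_add(alpha, beta, gamma):
    """f-differential probability with respect to XOR for f(x, d) = x + d mod 2^n:
    Pr[(x + alpha) ^ (y + beta) == (x ^ y) + gamma] over uniform x, y."""
    mask = SIZE - 1
    hits = sum(1 for x, y in product(range(SIZE), repeat=2)
               if ((x + alpha) & mask) ^ ((y + beta) & mask) == ((x ^ y) + gamma) & mask)
    return Fraction(hits, SIZE * SIZE)


if __name__ == "__main__":
    print("xdp(1 -> 9) =", xdp(1, 9), " weight =", weight(1, 9))
    print("1 -> 1 impossible:", is_impossible(1, 1))
    trails = two_round_trails(1, 2)
    for beta, p in sorted(trails.items()):
        print(f"  1 -> {beta:x} -> 2 : {p}")
    print("best single trail :", max(trails.values()))
    print("sum over trails   :", sum(trails.values()))
    print("exact differential:", two_round_differential_exact(1, 2))
    print("fdp_add(1, 1 -> 0) =", fdp_add(1, 1, 0))
```

For the input difference 1 the S-box has four possible output differences, each of probability $2^{-2}$; the two-round differential $1 \to 2$ decomposes into three characteristics of probabilities $2^{-5}$, $2^{-4}$ and $2^{-5}$, so its exact probability $2^{-3}$ is twice that of its best single trail. This is the trail clustering effect described above, visible already on a single 4-bit S-box.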
Distinguishers: Let $E$ be a block cipher with a $k$-bit key and an $n$-bit block size and let $(\alpha, \beta)$ be a differential for $E$ having probability $p \gg 2^{-n}$, where $\gg$ means "significantly larger". A simple application of $(\alpha, \beta)$ is to mount a distinguishing attack on $E$, i.e. an attack that tries to distinguish $E$ from an ideal cipher. For more information, refer to the attack objectives as introduced at the beginning of the current section. A sketch of such an attack is given in Algorithm 1. It takes as input the above differential and an encryption oracle $\mathcal{O}_{E_K}$ which, when queried with a plaintext $M$, returns the corresponding ciphertext $C$. Note that the secret key $K$ is unknown to the attacker and is assumed to remain fixed for the duration of the experiment. The oracle is then queried $1/p$ times with randomly chosen message pairs $M$ and $M \oplus \alpha$, and it is checked whether the outputs $C = \mathcal{O}_{E_K}(M)$ and $C' = \mathcal{O}_{E_K}(M \oplus \alpha)$ exhibit the required output difference, i.e. whether $C \oplus C' = \beta$. If, at some point, such a match is found, the distinguisher returns false, meaning that $E$ is not ideal. If no match is found, it returns true. Since each pair matches with probability $p$, after $1/p$ pairs a match has been found with probability $1 - (1-p)^{1/p} \approx 1 - 1/e \approx 0.63$; a small constant multiple of $1/p$ pairs pushes the success probability close to 1. In contrast, for an ideal cipher the output difference $\beta$ appears with probability about $2^{-n}$ per pair, so about $2^{n-1}$ trials are expected to be necessary before a match is found.

Algorithm 1: distinguish($(\alpha, \beta)$, $\mathcal{O}_{E_K}$)
Inputs: differential $(\alpha, \beta)$ for $E$ of probability $p$, encryption oracle $\mathcal{O}_{E_K}$
Outputs: $\{\text{true}, \text{false}\}$
Algorithm:
  1. for $i \in \{0, \ldots, 1/p - 1\}$ do
  2.     $M \xleftarrow{\$} \mathbb{F}_2^n$
  3.     if $\mathcal{O}_{E_K}(M) \oplus \mathcal{O}_{E_K}(M \oplus \alpha) = \beta$ then
  4.         return false
  5.     end
  6. end
  7. return true

Key Recovery: The ultimate aim of an attacker is not only to distinguish a cipher from a random permutation but to recover the secret key. A distinguishing attack can be converted into a key recovery attack as follows. Suppose the encryption $E$ of an $n$-bit block cipher is composed of round functions $f_i$ for $i \in \{0, \ldots, r-1\}$, uses $n$-bit sub keys $K_j$ for $j \in \{0, \ldots, r\}$ with $K = K_0 \,\|\, \cdots \,\|\, K_r$, and can be written as
$$C = E(K, M) = f_{r-1}\big(f_{r-2}(\cdots f_1(f_0(M \oplus K_0) \oplus K_1) \cdots \oplus K_{r-2}) \oplus K_{r-1}\big) \oplus K_r.$$
In other words, $E$ can be modelled as shown in Figure 7.

Figure 7: The encryption function $E_K$ of a block cipher ($M$ passes through the rounds $f_0, \ldots, f_{r-1}$, with the sub keys $K_0, \ldots, K_r$ XORed before, between and after the rounds, yielding $C$).

Further assume that an attacker found a differential $(\alpha, \beta)$ of probability $p$ stretching over the first $r-1$ rounds $f_{r-2} \circ \cdots \circ f_0$. The attacker initialises counters $T_0, \ldots, T_{2^n-1}$ with the value 0 each. For randomly chosen plaintexts $M$ and $M' = M \oplus \alpha$ he then queries the encryption oracle to obtain $C = \mathcal{O}_{E_K}(M)$ and $C' = \mathcal{O}_{E_K}(M')$. Afterwards, he iterates over all possible values $k \in \{0, \ldots, 2^n - 1\}$ of $K_r$ and checks whether
$$\beta = f_{r-1}^{-1}(C \oplus k) \oplus f_{r-1}^{-1}(C' \oplus k).$$
If the equation holds, then the counter $T_k$ is increased by 1. This event occurs with probability $p$ if the $k$-th guess for $K_r$ is correct and with another probability $p'$ if it is incorrect. It is expected that $p \gg p'$, i.e. that $p$ is much larger than $p'$. If the above experiment is repeated for $l \gg 1/p$ randomly chosen message pairs $M$ and $M \oplus \alpha$, then the correct counter is expected to have a value of approximately $l \cdot p$, whereas the counters for the incorrect key hypotheses have values of approximately $l \cdot p'$. Since $p \gg p'$, it follows that $l \cdot p \gg l \cdot p'$, i.e. the counter for the correct key should be clearly distinguishable from the counters of the other key hypotheses, and the attacker can thus reconstruct $K_r$. Afterwards, the last round can be stripped off and $K_{r-1}$ can be attacked by a similar technique using a differential over $r-2$ rounds. The attacker can repeat this approach until he has retrieved all sub keys. A sketch of the above key recovery attack is shown in Algorithm 2. Obviously, the described attack can be transferred to other cipher constructions as well.

The so-called signal-to-noise ratio $S_N = p/p'$ measures the quality of a differential attack and is used to describe the advantage of the differential attack over exhaustive search [220]. Instead of trying to rank the correct $n$-bit key as the most significant one, as shown in Algorithm 2, one instead tries to rank it within the top $m$ out of $2^n$ key candidates. We then say that the attack yields an $a$-bit advantage over exhaustive search with $a = n - \log_2 m$, i.e. the complexity is reduced by a factor of $2^{n - \log_2 m}$.
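The last-round key recovery described above, as an added worked example that is not part of the thesis: the target is a toy two-round key-alternating cipher $C = S(S(M \oplus K_0) \oplus K_1) \oplus K_2$ on 4-bit blocks with the PRESENT S-box as round function, and the cipher, its S-box and its sub keys are all assumptions of the example. The attacker uses the one-round differential $1 \to 9$ of probability $2^{-2}$, inverts the last round under every guess $k$ of $K_2$ and counts the matches exactly as in Algorithm 2; because the block is tiny, the full codebook of 16 plaintexts replaces the $l$ random plaintexts. The example also shows the ranking discussed above: with a single output difference $\beta$ several candidates tie for the top counter, so the attack only places the correct key among the top $m = 5$ of $2^4$ candidates (an advantage of $4 - \log_2 5$ bits). Counting hits for every output difference reachable from $\alpha$, which goes beyond the single-differential counting of Algorithm 2, makes the correct key unique.

```python
# 4-bit PRESENT S-box as the round function of the toy cipher (assumption of the example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]
MASK = 0xF

# Constructed secret sub keys of the toy cipher (assumption of the example).
K0, K1, K2 = 0xA, 0x5, 0x3


def encrypt(m, k0=K0, k1=K1, k2=K2):
    """Toy 2-round key-alternating cipher on 4-bit blocks: f_0 = f_1 = S."""
    return SBOX[SBOX[(m ^ k0) & MASK] ^ k1] ^ k2


def oracle(m):
    """Encryption oracle O_{E_K}: the only access the attacker has to the keys."""
    return encrypt(m)


def reachable_outputs(alpha):
    """All beta with xdp^S(alpha, beta) > 0, i.e. the non-impossible differentials of S."""
    return {SBOX[x ^ alpha] ^ SBOX[x] for x in range(16)}


def recover_last_key(enc, alpha, targets):
    """Algorithm 2 over the full codebook: for each guess k of K_2, count the
    plaintext pairs (M, M ^ alpha) whose partially decrypted difference
    f_{r-1}^{-1}(C ^ k) ^ f_{r-1}^{-1}(C' ^ k) lies in `targets`."""
    counters = [0] * 16
    for m in range(16):
        c, c2 = enc(m), enc(m ^ alpha)
        for k in range(16):
            diff = SBOX_INV[c ^ k] ^ SBOX_INV[c2 ^ k]
            if diff in targets:
                counters[k] += 1
    return counters


def ranked_candidates(counters):
    """Key candidates sorted by decreasing counter value (ties in index order)."""
    return sorted(range(16), key=lambda k: (-counters[k], k))


def top_candidates(counters):
    """All keys sharing the maximal counter: Algorithm 2's argmax, including ties."""
    best = max(counters)
    return [k for k in range(16) if counters[k] == best]


if __name__ == "__main__":
    alpha, beta = 0x1, 0x9                      # one-round differential, xdp = 2^-2
    single = recover_last_key(oracle, alpha, {beta})
    print("single differential 1 -> 9: counters", single)
    print("tied at the top:", [hex(k) for k in top_candidates(single)], "true K2 =", hex(K2))
    multi = recover_last_key(oracle, alpha, reachable_outputs(alpha))
    print("all reachable outputs     : counters", multi)
    print("unique best:", [hex(k) for k in top_candidates(multi)])
```

With the single differential the correct key $K_2 = 3$ scores $16 \cdot 2^{-2} = 4$, but four wrong candidates reach the same count: with a 4-bit S-box there are only eight distinct plaintext pairs, far fewer than the $l \gg 1/p$ the analysis above assumes, so $p'$ is not small compared to $p$. Using all four reachable output differences, every pair counts for the correct key (16 hits) while the best wrong candidate reaches 12, and the argmax is unique. On a real cipher the same effect is obtained by collecting enough pairs rather than by enlarging the set of output differences, but the tie illustrates why the advantage is stated as a rank within the top $m$ candidates rather than as a guaranteed first place.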
Algorithm 2: recover_key($(\alpha, \beta)$, $\mathcal{O}_{E_K}$)
Inputs: $(r-1)$-round differential $(\alpha, \beta)$ of probability $p$, encryption oracle $\mathcal{O}_{E_K}$
Outputs: round key $K_r$
Algorithm:
  1. $(T_0, \ldots, T_{2^n-1}) \leftarrow (0, \ldots, 0)$
  2. for $i \in \{0, \ldots, l-1\}$ do
  3.     $M \xleftarrow{\$} \mathbb{F}_2^n$
  4.     $C \leftarrow \mathcal{O}_{E_K}(M)$
  5.     $C' \leftarrow \mathcal{O}_{E_K}(M \oplus \alpha)$
  6.     for $k \in \{0, \ldots, 2^n - 1\}$ do
  7.         if $f_{r-1}^{-1}(C \oplus k) \oplus f_{r-1}^{-1}(C' \oplus k) = \beta$ then
  8.             $T_k \leftarrow T_k + 1$
  9.         end
  10.    end
  11. end
  12. let $j$ be such that $T_j = \max(T_0, \ldots, T_{2^n-1})$
  13. return $j$

Assuming that the key counters $T_0, \ldots, T_{2^n-1}$ are independent and that they are identically distributed for all wrong key candidates, one can compute the probability of success $p_s$ of a differential attack using $N$ plaintext-ciphertext pairs as follows, where $\Phi$ denotes the cumulative distribution function of the standard normal distribution [220]. The work [220] also shows how to reformulate this result such that, given the targeted probability of success $p_s$, one can compute the corresponding data complexity of the differential attack:
$$N = \frac{\left(\sqrt{S_N + 1}\;\Phi^{-1}(p_s) + \Phi^{-1}\!\left(1 - 2^{-a}\right)\right)^2}{p \cdot S_N}, \qquad a = n - \log_2 m.$$
In summary, this also shows that the data complexity of differential cryptanalysis is expected to be proportional to $1/p$. However, these results can only be used as a rough estimate, since the assumption that the counters $T_0, \ldots, T_{2^n-1}$ are independent is rather unrealistic.

From a theoretical perspective, the above approach gives the impression of being easy to execute. From a practical point of view, though, an attacker has to overcome many obstacles which were not mentioned above. Firstly, it is usually rather hard to find suitable differentials of sufficiently high probability over $r-1$ rounds for any decently designed cipher. It counts as a theoretical break if an attacker finds a differential whose probability $p$ is larger than $2^{-b}$, where $b$ is the block size (and often also the round key size) of the attacked cipher. For example, an attacker who targets a block cipher with 128-bit blocks (round keys) and who has found an $(r-1)$-round differential having probability $p = 2^{-120}$ is able to mount an attack which breaks the block cipher theoretically. From a practical perspective, though, the attack is infeasible, since gathering $2^{120}$ (or more) plaintext-ciphertext pairs is obviously impracticable. If $p$ is sufficiently