Mathematics / Matematik
Permanent URI for this collection: https://hdl.handle.net/11147/8
Article
Citation - WoS: 1; Citation - Scopus: 1
Plaintext Recovery and Tag Guessing Attacks on Authenticated Encryption Algorithm Colm
(Elsevier, 2022) Ulusoy, Sırrı Erdem; Kara, Orhun; Efe, Mehmet Önder

There are three main approaches related to cryptanalysis of Authenticated Encryption with Associated Data (AEAD) algorithms: Simulating the encryption oracle (universal forgery attack), simulating the decryption oracle (plaintext recovery attack) and producing the valid tag of a given ciphertext (tag guessing attack). In this work, we analyze the security of COLM in these approaches. COLM is one of the AEAD algorithms chosen in the final portfolio for defense-in-depth use case of the CAESAR competition. The ciphers in this portfolio are supposed to provide robust security with their multiple layered defense mechanisms. The main motivation of this work is to examine if COLM indeed satisfies defense-in-depth security. We make cryptanalysis of COLM, particularly in the chosen ciphertext attack (CCA) scenario, once its secret whitening parameter $L = E_K(0)$ is recovered. To the best of our knowledge, we give the first example of querying an EME/EMD (Encrypt-linearMix-Encrypt/Decrypt) AEAD scheme in its decryption direction for arbitrary ciphertexts, not produced previously by the oracle, namely either a forgery or tag guessing attack. We construct SEBC/SDBC (Simulation models of the Encryption/Decryption oracles of the underlying Block Cipher) of COLM, thereby forming the first examples of these models of an authenticated EME scheme simultaneously. The combination of our SEBC/SDBC is a powerful tool to mount a universal forgery attack, a tag guessing attack and a plaintext recovery attack. All of these attacks have polynomial time complexities once L is recovered in the offline phase, indicating that the security of COLM against plaintext recovery and tag guessing attacks is limited by the birthday bound. Apart from exploiting SEBC/SDBC, we mount a pair of plaintext recovery attacks and another universal forgery attack. Finally, we make some suggestions to prevent our attacks.

Article
Citation - WoS: 2; Citation - Scopus: 3
Integral Characteristics by Keyspace Partitioning
(Springer, 2022) Demirbaş, Fatih; Kara, Orhun

In this work, we introduce a new method we call integral by keyspace partitioning to construct integral characteristics for some block ciphers by introducing new integral properties. We introduce the concepts of active with constant difference and identically active integral properties. Then, we divide the key space into equivalence classes and construct integral characteristics for each equivalence class individually by using these integral properties. We exploit the binary diffusion layer and key schedule algorithm of a block cipher to propagate these integral properties through rounds. We apply the new method to the Byte-oriented Substitution-Permutation Network (BSPN) cipher and Midori64 to show its effectiveness. We construct the first iterative integral characteristic for a block cipher to the best of our knowledge. We extend this iterative characteristic for the (M, n)-(BSPN) block cipher where each block of BSPN contains M number of n × n S-Boxes with the block and key sizes M·n. Using at most $\binom{M-1}{2}+1$ (only 106 when M = 16) chosen plaintexts, we mount key recovery attacks for the first time on BSPN and recover the key for the full round. The time complexity of the key recovery is almost independent of the number of rounds. We also use our method to construct an integral characteristic for Midori64, which can be utilized for a key recovery attack on 11-round Midori64. Our results impose a new security criteria for the design of the key schedule algorithm for some block ciphers.
