Design And Cryptanalysis Of Lightweight Block Ciphers

Posted on: 2022-03-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Y Chen
GTID: 1488306311977359
Subject: Information security professional
Abstract/Summary:
With the rapid development and deep integration of 5th generation (5G) networking technology and the Internet of Things (IoT), our world is characterized by more and more communication devices, that is, the Internet of Everything (IoE). This also brings many new application scenarios, such as smart homes, smart cities and Industry 4.0. The nodes in these scenarios, which are electronic sensors and connected devices deployed in resource-constrained environments, are becoming the part of the IoT that perceives the world. However, the fast-growing number of connected devices and ubiquitous communications in the network also poses a potential threat to the security of data and privacy, in particular because of the presence of many constrained devices that can devote only a small fraction of their resources to security. Consequently, the design and analysis of lightweight symmetric schemes has been one of the most productive lines of research in recent years.

This work focuses on the design and cryptanalysis of lightweight block ciphers. On the design side, we first proposed the ANT family of block ciphers, aiming to take part in the National Cryptologic Designing Competition and to accumulate experience in design and analysis. We optimize the design of ANT in terms of hardware efficiency, which leads to a family of block ciphers with efficient hardware performance, excellent parallel software performance and high redundancy of security. Then, we revisit the Feistel construction and AND-RX (AND-Rotation-XOR) based block ciphers and propose a novel design idea for AND-RX based block ciphers, using an equivalent transformation of the round function that turns the cipher into an S-box based structure. Based on this flexible construction, the security evaluation can be performed efficiently. Thus, we finally present the lightweight block cipher BAT, which has efficient hardware and software performance and even ensures related-key security. These two designs, ANT and BAT, are both very competitive among the most efficient current block ciphers.

On the cryptanalysis side, considering that the differential effect is more likely in lightweight designs, we focus on automatic search methods for multiple differentials. A new heuristic multiple differential clustering algorithm and an improved algorithm for enumerating multiple differentials are given. We then apply our new automatic search method to the lightweight block cipher MANTIS, which was proposed at CRYPTO 2016. For MANTIS-6, we obtain a new 10-round multiple differential distinguisher, which leads to an improved key recovery attack. For MANTIS-7, we find an 11-round multiple differential distinguisher, the longest so far as we know, and explore its security margin against multiple differential attacks.

The ANT Family of Block Ciphers: We present a new family of block ciphers named ANT. According to block size/key size, it has three versions, namely ANT-128/128, ANT-128/256, and ANT-256/256. The ANT cipher adopts the classical Feistel construction and has a bit-based round function composed of AND, Rotation, and XOR operations. Combined with the Express-then-compress design principle, ANT achieves fast diffusion. The bit-based round function gives ANT a high level of security and competitive performance in hardware, and makes it suitable for lightweight implementation. As a design competing with SIMON, ANT has an advantage over SIMON in both hardware area cost and throughput/area ratio. Since the AND operation is the only non-linear operation, ANT also has an obvious advantage for protected implementations against side-channel attacks. For software performance, bitslice efficiency was also taken into consideration during the algorithm design, so that ANT has an efficient bitslice implementation. Several state-of-the-art cryptanalytic methods have been applied to ANT, and they show that all versions of ANT have high security margins.

The BAT Lightweight Block Ciphers: We revisit the design of AND-RX block ciphers, that is, ciphers built solely upon AND, Rotation, and XOR operations. Likely the most popular representative is NSA's SIMON, which remains one of the most efficient designs but suffers from difficulty in security evaluation. As our main contribution, we propose BAT, a new family of lightweight AND-RX block ciphers. To overcome the difficulty of security evaluation, BAT follows a novel design approach whose core idea is to restrain the AND-RX operations to be within nibbles. As a result, BAT admits an equivalent representation based on a 4×8 synthetic S-box (SSb). This enables the use of classical S-box based security evaluation approaches. Consequently, for all versions of BAT, (a) we proved good security bounds with respect to differential and linear attacks, in both single-key and related-key scenarios; (b) we also proved security against impossible differential attacks, zero-correlation linear attacks, integral attacks, rotational-XOR differential attacks and meet-in-the-middle attacks. This better understanding of the security enables the use of a relatively simple key schedule, which makes the round-based ASIC hardware implementation of BAT the most compact among state-of-the-art lightweight block ciphers. As to software performance, due to its natural bitslice structure, BAT reaches the same level of performance as SIMON and is among the most software-efficient block ciphers.

Automatic Search Method for Multiple Differential Attack: Multiple differential cryptanalysis is one of the extensions of classical differential cryptanalysis. In this paper, we present a generic automatic search method for clustering multiple differentials on a target block cipher. Our search method has two steps. First, the sets of input and output differences are determined. With these sets, we get different multiple differentials. Then, for each of these multiple differentials, we enumerate and record all differential trails that satisfy it, which leads to a more accurate evaluation of the multiple differential distinguisher. Among these different multiple differential distinguishers, we can choose the best one for a key recovery attack. We demonstrate our search method by applying it to part of the differentials of the lightweight block cipher MANTIS. As a result, we find a new 10-round multiple differential distinguisher with probability $2^{-55.98}$ and an 11-round multiple differential distinguisher with probability $2^{-63.71}$, which is the longest distinguisher for MANTIS so far as we know. The new 10-round distinguisher leads to a better signal-to-noise ratio, so we derive an improved key recovery attack on MANTIS-6 with a complexity of about $2^{51.79}$ chosen-plaintext queries, $2^{51.91}$ encryptions and a data-time product of $2^{103.70}$, which is better than the previous best attack with a data-time product of $2^{110.61}$. To explore the gap between the performance of the multiple differential attack and the security margin of MANTIS, we also use the 11-round distinguisher to derive a key recovery attack on MANTIS-7 with a complexity of about $2^{61.86}$ chosen-ciphertext queries, $2^{102.92}$ encryptions and a data-time product of $2^{164.78}$. This does not threaten the security of the full version of MANTIS (MANTIS-7), since the security bound on the data-time product claimed by the designers is $2^{126}$.
Keywords/Search Tags: Lightweight Cryptography, Block Cipher, AND-RX, Feistel Construction, Automatic Search
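The clustering step described in the abstract, summing every trail that connects an input difference to an output difference instead of counting only the best trail, shown as an added Python example that is not code from the dissertation. It runs on a toy 8-bit SPN constructed for illustration (not MANTIS), uses the PRESENT S-box as a stand-in, assumes independent round keys, and all function names are hypothetical.

```python
# Toy 8-bit SPN (constructed for illustration): two 4-bit S-boxes, then an
# 8-bit rotation as the linear layer. Round keys are assumed independent.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT S-box (stand-in)

# Difference distribution table: DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}
DDT = [[0] * 16 for _ in range(16)]
for a in range(16):
    for x in range(16):
        DDT[a][SBOX[x] ^ SBOX[x ^ a]] += 1

def linear(d):
    """Linear layer: rotate the byte left by 3, mixing both nibbles."""
    return ((d << 3) | (d >> 5)) & 0xFF

def round_transitions(d):
    """All one-round output differences of d with their probabilities."""
    hi, lo = d >> 4, d & 0xF
    return {linear((bh << 4) | bl): DDT[hi][bh] * DDT[lo][bl] / 256
            for bh in range(16) for bl in range(16)
            if DDT[hi][bh] and DDT[lo][bl]}

def cluster(a, rounds):
    """Return (total, best): for each reachable output difference, the sum
    over all trails starting at a, and the single best trail probability."""
    total, best = {a: 1.0}, {a: 1.0}
    for _ in range(rounds):
        nt, nb = {}, {}
        for d, p in total.items():
            for e, q in round_transitions(d).items():
                nt[e] = nt.get(e, 0.0) + p * q            # clustered trails
                nb[e] = max(nb.get(e, 0.0), best[d] * q)  # best trail only
        total, best = nt, nb
    return total, best

def multiple_differential(inputs, outputs, rounds):
    """Probability of a multiple differential: average over the input set
    of the clustered probability of landing in the output set."""
    acc = 0.0
    for a in inputs:
        total, _ = cluster(a, rounds)
        acc += sum(total.get(b, 0.0) for b in outputs)
    return acc / len(inputs)
```

Comparing `total[d]` with `best[d]` for the same output difference shows how much a single-trail estimate understates the distinguisher's probability.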