Thesis Open Access
Mendel, Florian; Rechberger, Christian; Daemen, Joan
We cryptanalyze several symmetric encryption and hashing algorithms. A central factor in the security of symmetric cryptographic algorithms is the resistance of their core building block, the primitive, against cryptanalytic attacks such as differential, linear, and algebraic cryptanalysis. The fundamental idea of differential cryptanalysis is to extract secret information or forge malicious messages by investigating the behavior of the primitive for two related, slightly different inputs, and has proven both very powerful and highly versatile since its inception in the 1990s. Resistance against such attacks is thus one of the cornerstones in the design of block ciphers. More recently, alternative symmetric primitives have risen to general attention: Permutations and tweakable block ciphers in particular have shown the potential to rival block ciphers in their role as the ideal primitive for efficient and elegant schemes. However, the available cryptanalytic tools and theory on the design and analysis of these alternative primitives are arguably less mature than for block ciphers. We investigate the security of these primitives against differential cryptanalysis. Compared to classic block ciphers, adversaries who target permutations or tweakable block ciphers can take advantage of known, chosen, or related round-key material. We find that in some cases, the designers' block-cipher-based design strategies do not sufficiently protect against variations of the classical differential strategy. In particular, we break the full security claims of the tweakable block cipher MANTIS-5 and the permutation Simpira v1. We provide a key recovery attack for the round-reduced block cipher LowMC and analyze the authenticated cipher Prost in a related-key setting. We also develop techniques to improve the computer-aided differential analysis of unkeyed primitives, leading to the best practical collision attacks on the round-reduced hash standard SHA-2.