Schweitzer Fachinformationen
Christina BOURA (1) and María NAYA-PLASENCIA (2)
(1) University of Paris-Saclay, UVSQ, CNRS, Versailles, France
(2) Inria, Paris, France
Symmetric-key cryptology is one of the two main branches of modern cryptology. On the one hand, it comprises primitives and constructions for providing security services such as confidentiality, integrity and authentication, the particularity being that the same secret key k is used on both sides. On the other hand, it studies and provides cryptanalysis and proof techniques for analyzing the security of the above constructions. Even if keyless in general, some hash functions are also considered part of this family of algorithms because of the similarities in their construction and analysis with the other symmetric-key primitives.
Symmetric-key algorithms are essential for communication security, as they are built on simple operations (e.g. XOR, logical AND and so on) and for this reason can achieve high speed in both software and hardware implementations. In particular, they are much faster and lighter than public-key algorithms, while at the same time having much shorter encryption keys. The security and efficiency of modern communications are heavily based on symmetric algorithms, and for this reason symmetric-key cryptology is a very important and constantly developing branch of modern cryptography.
The first widely deployed symmetric-key algorithm was the block cipher Data Encryption Standard (DES), whose design dates back to the 1970s. Since then, tens, if not hundreds, of new symmetric-key algorithms have been designed, either with the aim of being broadly deployed or with some specific design criteria or use case in mind.
From a historical point of view, the first widely used symmetric schemes were undoubtedly block ciphers and stream ciphers. The former encrypt a message by first dividing it into blocks of fixed size and then treating each block separately. The latter encrypt one bit (or one word) at a time, by XORing each bit (or word) of the message with a bit of a stream, called the keystream, derived from the key. Both types of primitives aim at providing confidentiality and are still extremely popular, even if an important part of the design space has more recently been taken by tweakable block ciphers and cryptographic permutations. The symmetric algorithms that ensure data authentication are known as message authentication code (MAC) functions. While keyless, hash functions are also considered symmetric-key constructions aiming for integrity, and they play an important role in some cryptographic protocols. Finally, authenticated encryption (AE) schemes can provide both confidentiality and authenticity of data, and their popularity constantly increases.
The goal of this project is to reflect the current scientific knowledge and present the most trending orientations on the design, security proofs and cryptanalysis of all the above symmetric-key schemes.
This book is divided into two volumes. The first volume is composed of 14 chapters, where the first nine chapters are dedicated to the description of the most important design principles for stream ciphers, (tweakable) block ciphers, cryptographic permutations, hash functions as well as for their inner components. The five remaining chapters are reserved for the presentation of the most important security proof techniques.
Chapter 1 introduces the main generic design goals, criteria and strategies for building robust symmetric constructions. This chapter starts by discussing the most important building blocks deployed in symmetric cryptography. As encryption schemes, MAC functions and authenticated encryption schemes usually support messages of arbitrary length, modes and constructions for building variable-length schemes are discussed next. The chapter then examines how to choose an adequate number of rounds for an iterated construction and gives some criteria that should be taken into account when designing a cipher's round function. Finally, a number of ciphers that inspired both designers and cryptanalysts are presented.
Chapter 2 gives an overview of the main design principles for stream ciphers. It first discusses the most important generic constructions as well as attacks against them, and gives an overview of the different stream cipher competitions and standards. This chapter next focuses on feedback shift register (FSR)-based constructions as well as on software-oriented constructions based on large tables. Stream ciphers built from block ciphers and large permutations are presented next. The chapter concludes with a discussion on authenticated encryption based on stream ciphers and with a treatment of low-complexity stream ciphers that are optimized for use in advanced cryptographic protocols.
Chapter 3 is dedicated to block ciphers. It notably presents the two most popular constructions for these primitives: the Feistel construction and the substitution permutation network (SPN). To expand the master key into a series of subkeys, an algorithm called a key schedule is needed, and for this reason the design of these algorithms is discussed next. This chapter also analyzes some generic attacks against block ciphers and gives some positive results concerning their security. Finally, two particular classes of block ciphers are discussed: tweakable block ciphers, where an extra argument called the tweak is used to diversify the encryption function, and algebraic block ciphers, essential for the encryption of data in some emerging scenarios and applications.
Chapter 4 presents the most important design approaches for building secure cryptographic hash functions and extendable output functions (XOFs). It first discusses some necessary generic requirements for a hash function to be secure. The random oracle model is then defined as the model that hash functions and XOFs should follow, accompanied by a discussion on how the security claim of a hash function or an XOF should be formulated. Next, the most popular hash function constructions are presented, notably the Merkle-Damgård construction, together with the weaknesses of this construction and different ways to repair it. The focus then moves to how to build robust compression functions for hash functions that follow this principle. Then, the indifferentiability framework used to prove that a construction is secure against generic attacks is discussed. The sponge construction and the KECCAK family are introduced next. Finally, the principle of tree hashing, which permits efficient hashing of long messages in multi-processor environments, is presented.
Cryptographic schemes are usually designed with a bottom-up approach. We first start with primitives that operate on small message blocks and achieve a well-defined security notion and then choose a mode of operation to deal with messages of arbitrary length. Chapter 5 describes the main modes for encryption and authentication and discusses their security.
Authenticated encryption offers the combined security properties of an encryption scheme and a message authentication code. Authenticated ciphers are gradually taking over from classical encryption schemes: on the one hand, authenticity of data is an important security requirement, and on the other hand, it has become clearer over the years how to securely build such schemes. Chapter 6 is dedicated to the design of authenticated encryption schemes. It details the relevant security notions before presenting the most promising design strategies for building authenticated ciphers. Dedicated designs are discussed next, and an overview of different authenticated encryption designs used as Internet standards or issued from some cryptographic competitions is given.
The next two chapters are dedicated to the construction of linear and nonlinear layers for an important class of symmetric-key primitives. Chapter 7 discusses the construction of the so-called maximum distance separable (MDS) matrices that are linear layers with optimal properties used in many SPN ciphers. A part of this chapter is notably focused on the construction of MDS matrices with a low implementation cost that are particularly relevant in the context of lightweight cryptography.
Nonlinearity, essential for the security of cryptographic constructions, is typically achieved by means of small nonlinear permutations, called S-boxes. Chapter 8 gives an overview of the most important properties cryptographic S-boxes should satisfy and presents some classical S-box constructions.
Chapter 9 discusses what it means for a primitive to be trustworthy. It notably presents the typical lifecycle of a primitive, from the design phase to final deployment, and the role played by cryptanalysis. It then analyzes what happens when an algorithm fails to adhere to a typical deployment process, notably in the cases of some proprietary algorithms or of backdoored designs. Examples of primitives found to have hidden properties are given next. The chapter concludes by presenting some rules of thumb to follow when choosing a primitive to deploy.
Once a primitive has been designed, it is important to prove it secure against adversaries. The second part of this volume is dedicated to security proofs in symmetric cryptography. Chapter 10 is concerned with how to formalize the security of cryptographic primitives. It first discusses the most common adversary models and what it means for an attack to be successful under these models. As we want an encryption function to look like a function that responds randomly for each input, a theoretical function that behaves ideally in this respect and called the...