International Association for Cryptologic Research

Ph.D. Database

The aim of the IACR Ph.D. database is twofold. On the one hand, we want to offer an overview of Ph.D.s already completed in the domain of cryptology. Where possible, this should also include a subject classification, an abstract, and access to the full text. On the other hand, it covers Ph.D. subjects currently under investigation. This way, we provide a timely map of contemporary research in cryptology. All entries or changes need to be approved by an editor. You can contact them via phds (at)


Dmitry Khovratovich (#327)
Name Dmitry Khovratovich
Personal Homepage
Topic of his/her doctorate. New Approaches to the Cryptanalysis of Symmetric Primitives
Category secret-key cryptography
Ph.D. Supervisor(s) Alex Biryukov
Year of completion 2010

Cryptography is the science of hiding information. Formally it is now a part of computer science, though the first cryptographers appeared thousands of years before the computer. The art of recovering hidden information, or cryptanalysis, appeared at the very beginning, and is still one of the most intriguing parts of cryptography.

Cryptanalysis starts with a search for a weakness in a cryptosystem, for a flaw that was missed by its designer. An encrypted message must not reveal any information about its origin, so the cryptosystem must make it look as random as possible. Any mistake, any missed property may become a target for a cryptanalyst and a starting point for a compromise of the cryptosystem's security, a break.

This thesis is devoted to the cryptanalysis of symmetric primitives. Historically, by symmetric encryption we understand that all the parties have the same information needed for encryption and decryption, with block and stream ciphers as the most famous examples. A block cipher transforms a fixed-length block of data with an algorithm parametrized by a secret key. A stream cipher expands a secret key into an arbitrarily long sequence, which is mixed with the data stream.

Hash functions convert a data string into a fixed-length hash value, which serves as an integrity certificate. Though hash functions do not encrypt, they are designed similarly to block ciphers. A message authentication code (MAC) produces a hash value using a secret key, so MACs sit somewhere between ciphers and hash functions. As a result, the cryptanalysis of hash functions and MACs uses many methods that were initially developed for the analysis of block ciphers.

Ciphers, hash functions and MACs process arbitrarily long data streams, to which access is sequential. This leads to the principle of iterative design, where data is divided into blocks, and each block is processed by an algorithm with a fixed-length input. For hash functions such algorithms are called compression functions. In contrast, by a block cipher we mean a primitive with a fixed-length input, which is used to encrypt arbitrarily long data in a mode of operation.
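As an added illustration (not part of the thesis or of this database entry), the following Python sketch shows the iterative design principle described above in working code. A single fixed-length primitive, a hypothetical and deliberately insecure 64-bit toy block cipher written for this example, is reused three ways: in a CTR mode of operation to encrypt arbitrarily long data (which is exactly the "key expanded into an arbitrarily long sequence" of a stream cipher), as a Davies-Meyer compression function iterated Merkle-Damgard style over padded blocks to give a hash function, and inside an HMAC-style MAC built from that hash. The cipher, the IV, the padding layout and the sample inputs are all constructed for the example.

```python
"""Iterative design of symmetric primitives (added illustration, toy code).

One fixed-length core, a deliberately insecure 64-bit toy block cipher, is
reused as a mode of operation (CTR), as an iterated compression function
(Davies-Meyer inside Merkle-Damgard) and as the hash inside an HMAC-style MAC.
Nothing here is secure; the point is the structure, not the primitive.
"""

BLOCK = 8                      # block size in bytes (64-bit toy cipher)
MASK64 = (1 << 64) - 1
ROUNDS = 8
IV = bytes.fromhex("0123456789abcdef")   # constructed initial chaining value


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Hypothetical toy block cipher: fixed-length input, parametrized by a key.
    Each round XORs a round key, rotates left by 13 and adds a constant; every
    step is a bijection, so the whole thing is a key-dependent permutation.
    It has no real security and exists only to show the interfaces."""
    assert len(key) == BLOCK and len(block) == BLOCK
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big")
    for r in range(ROUNDS):
        x ^= (k + r) & MASK64                       # round key
        x = ((x << 13) | (x >> 51)) & MASK64        # rotate left by 13 bits
        x = (x + 0x9E3779B97F4A7C15) & MASK64       # add an odd constant
    return x.to_bytes(BLOCK, "big")


# --- mode of operation: the block cipher used as a stream cipher ----------

def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Expand key and 4-byte nonce into nbytes of keystream by encrypting
    successive counter blocks (nonce || 32-bit counter)."""
    assert len(nonce) == 4
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += toy_encrypt_block(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR the data with the keystream. Encryption and decryption
    are the same operation, and the data may have any length."""
    ks = ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# --- iterated hash: compression function applied block by block ----------

def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zeros, then the 64-bit
    message length in bits, so the result is a multiple of BLOCK bytes."""
    bit_len = (len(msg) * 8).to_bytes(8, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + bit_len


def davies_meyer(h: bytes, m: bytes) -> bytes:
    """Compression function h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}: the message
    block is fed in as the cipher key, the chaining value as the plaintext."""
    e = toy_encrypt_block(m, h)
    return bytes(a ^ b for a, b in zip(e, h))


def toy_hash(msg: bytes) -> bytes:
    """Iterate the compression function over the padded message blocks."""
    h = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = davies_meyer(h, padded[i:i + BLOCK])
    return h


# --- MAC: the hash keyed in the HMAC pattern ------------------------------

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC-style MAC over the toy hash (hash block size = BLOCK bytes)."""
    if len(key) > BLOCK:
        key = toy_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return toy_hash(opad + toy_hash(ipad + msg))


def demo() -> dict:
    """Constructed sample run: encrypt, hash and MAC one multi-block message."""
    key, other_key = b"k" * BLOCK, b"j" * BLOCK
    nonce = b"\x00\x00\x00\x01"
    pt = b"attack at dawn, block by block"       # 30 bytes, not block-aligned
    ct = ctr_crypt(key, nonce, pt)
    return {
        "roundtrip": ctr_crypt(key, nonce, ct) == pt,
        "hash_len": len(toy_hash(pt)),
        "mac_differs_on_key": toy_hmac(key, pt) != toy_hmac(other_key, pt),
    }


if __name__ == "__main__":
    print(demo())
```

The same eight-byte permutation sits at the heart of all three constructions, which is the practical reason the abstract gives for block-cipher techniques carrying over to hash functions and MACs: a differential or structural property of the core propagates through the mode, the chaining and the keying layers, and an attack on the core can often be recast against each of them.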

This thesis describes attacks on block ciphers and compression functions. We are primarily interested in methods that are used in attacks on at least two different primitives. Cryptanalysis is often described as a cloud of unrelated, dedicated attacks, each of which can be used only once. We introduce it in a more structured way.

E-Mail Address khovratovich (at)
Last Change 2011-04-14 23:45:46