a key recovery attack on 855 round trivium
play

A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, - PowerPoint PPT Presentation

Jan 25, 2023 •125 likes •382 views

A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, Xiaoyang Dong , Willi Meier Tsinghua University, Beijing, China FHNW, Windisch, Switzerland June 6,2018 Introduction to Trivium Outline Introduction to Trivium 1 Related

  1. A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, Xiaoyang Dong , Willi Meier Tsinghua University, Beijing, China FHNW, Windisch, Switzerland June 6,2018

  2. Introduction to Trivium Outline Introduction to Trivium 1 Related Works 2 Basic Ideas 3 Attack on 855-round Trivium 4 X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 2 / 24

  3. Introduction to Trivium Trivium Initialization: ( s 1 , s 2 , . . . , s 93 ) ← ( K 0 , . . . , K 79 , 0 , . . . , 0) ( s 94 , s 95 , . . . , s 177 ) ← ( IV 0 , . . . , IV 79 , 0 , . . . , 0) ( s 178 , s 179 , . . . , s 288 ) ← (0 , . . . , 0 , 1 , 1 , 1) . for i ← 1 : 4 · 288 do t 1 ← s 66 + s 91 · s 92 + s 93 + s 171 t 2 ← s 162 + s 175 · s 176 + s 177 + s 264 t 3 ← s 243 + s 286 · s 287 + s 288 + s 69 ( s 1 , s 2 , . . . , s 93 ) ← ( t 3 , s 1 , . . . , s 92 ) ( s 94 , s 95 , . . . , s 177 ) ← ( t 1 , s 94 , . . . , s 176 ) ( s 178 , s 179 , . . . , s 288 ) ← ( t 2 , s 178 , . . . , s 287 ) end for X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 3 / 24

  4. Introduction to Trivium Trivium Generate the keystreams: for i ← N do t 1 ← s 66 + s 91 · s 92 + s 93 + s 171 t 2 ← s 162 + s 175 · s 176 + s 177 + s 264 t 3 ← s 243 + s 286 · s 287 + s 288 + s 69 o i ← s 66 + s 93 + s 162 + s 177 + s 243 + s 288 ( s 1 , s 2 , . . . , s 93 ) ← ( t 3 , s 1 , . . . , s 92 ) ( s 94 , s 95 , . . . , s 177 ) ← ( t 1 , s 94 , . . . , s 176 ) ( s 178 , s 179 , . . . , s 288 ) ← ( t 2 , s 178 , . . . , s 287 ) end for X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 4 / 24

  5. Introduction to Trivium Trivium Iterative expression: let s r w ( 0 ≤ w ≤ 2 ) denote s 1 , s 94 and s 178 at round r . = s r − 66 + s r − 109 s r − 110 + s r − 111 + s r − 69 s r , 0 2 2 2 2 0 = s r − 66 + s r − 91 s r − 92 + s r − 93 + s r − 78 s r , (1) 1 0 0 0 0 1 = s r − 69 + s r − 82 s r − 83 + s r − 84 + s r − 87 s r . 2 1 1 1 1 2 Output: z r = s r − 65 + s r − 92 + s r − 68 + s r − 83 + s r − 65 + s r − 110 0 0 1 1 2 2 X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 5 / 24

  6. Related Works Outline Introduction to Trivium 1 Related Works 2 Basic Ideas 3 Attack on 855-round Trivium 4 X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 6 / 24

  7. Related Works Cube-like Attack ANF: The output bit or state bit for a stream cipher over m IV bits and n key bits is � � � s = v i k j . (2) I,J i ∈ I j ∈ J IV term: t I = � i ∈ I v i Coefficient function: g I ( k ) = � j ∈ J k j Theorem 1 Cube sum of s over set I is g I ( k ) , i.e., � s = g I ( k ) , (3) i ∈ I where the IV bits v k ( k / ∈ I ) are fixed. 1 g I ( k ) is linear or of low degree over partial key bits (key-recovery) 2 g I ( k ) = 0 : t I ( k ) is a missing IV term (distinguisher) X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 7 / 24

  8. Basic Ideas Outline Introduction to Trivium 1 Related Works 2 Basic Ideas 3 Attack on 855-round Trivium 4 X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 8 / 24

  9. Basic Ideas A new polynomial reduction technique Lemma 2 Suppose z is the output polynomial of a cipher, and z = P 1 P 2 + P 3 . (4) Then the polynomial can be reduced to a simpler one (1 + P 1 ) z = (1 + P 1 ) P 3 by multiplying 1 + P 1 in both sides of Eq. (4) if deg( P 1 P 2 ) > deg((1 + P 1 ) P 3 ) . How to distinguish right and wrong key guesses 1 Right guess: (1 + P 1 ) z = (1 + P 1 ) P 3 2 Wrong guesses: (1 + P ′ 1 ) z = (1 + P ′ 1 ) P 1 P 2 + (1 + P ′ 1 ) P 3 X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 9 / 24

  10. Basic Ideas Outline of our attack Preprocess phase 1 Determine P 1 and obtain the reduced polynomial (1 + P 1 ) P 3 . There are 3 criteria for choice of P 1 : (1) the frequency of P 1 in high degree state terms is high; (2) the degree of P 1 is low; (3) the equivalent key guesses in P 1 are minimized. 2 Compute the degree bound of (1 + P 1 ) P 3 as d , then d + 1 -dimensional cubes can serve as distinguishers. Online attack phase Guess the partial key bits in P 1 and compute the sum of (1 + P 1 ) z over d + 1 cubes: 1 For right guess, the result is always 0. 2 For wrong guesses, the results are 0-1 balanced. X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 10 / 24

  11. Basic Ideas The preprocessing phase Internal Internal State bits State bits Forward  discarding ( ,..., , ,..., ) j j  k k v v s (1 ) s P P 1 80 1 80  monomials i 1 3 i IV Representation Step 1 Step 3 Step 2 1 Compute the state bits s j i ( j ∈ [0 , 2] ) for i ∈ [0 , 340] over key and IV bits. 2 Decompose the output bit and obtain (1 + P 1 ) P 3 over state bits at rounds less than 450 . 3 ”Meet-in-the-middle”: decomposition & IV representation X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 11 / 24

  12. Basic Ideas Key techniques In Step 2 and Step 3 , repeated-term removing algorithm and fast discarding techniques are used during decomposition, including degree evaluation and degree reduction techniques, set a bound d : 1 if the evaluated degree of a state term deg T i , then T i can be deleted; 2 if deg( T i ) − d t ( T i ) < d , then T i can be deleted, where d t ( T i ) is the degree reduction of T i . X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 12 / 24

  13. Basic Ideas Repeated-(state)term Removing Algorithm Algorithm 1 Repeated-(state)term Removing Algorithm Input: The vector � T with n terms, i.e., T 1 , T 2 , . . . , T n . Output: Updated � T with m terms, where m ≤ n . 1: Initialize an empty Hash Set H . 2: for i ← 1 : n do Compute the Hash value of T i , i.e., H ( T i ) 3: if H.contains ( T i ) is true then 4: H.delete ( T i ) 5: else 6: H.insert ( T i ) 7: end if 8: 9: end for The complexity of Algorithm 1 is O ( n ) for processing n state terms. X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 13 / 24

  14. Basic Ideas Degree evaluation algorithm Algorithm 2 Degree Evaluation Algorithm ( DEG ) of State Bit Input: The value t and r which indicates the state bit s r t . Output: DEG ( s r t )= d . 1: Initialize the degree bound d similar to the above Step 2. , the end point end . 2: len ← 0 3: while len = 0 do t using state bits s j 4: Iteratively express s r i , where 0 ≤ j ≤ 2 and 0 ≤ j < end . During each expression, discard the state terms of degree lower than d . Let len be the number of remaining state terms. 5: if len = 0 then 6: d ← d − 1 7: end if 8: end while 9: return d Where end = ⌊ r 32 ⌋ × 32 − 128 in the cryptanalysis of Trivium. X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 14 / 24

  15. Basic Ideas Degree evaluation: example Degree evaluation of s 341 ( end = ⌊ r 32 ⌋ × 32 − 128 = 192 ): 1 Step 1. First, we decompose s 341 = s 272 + s 259 s 258 + s 257 + s 254 . 2 1 1 1 1 2 Step 2. Let d = max { deg( s 272 ) , deg( s 259 )+deg( s 258 ) , deg( s 257 ) , deg( s 254 } = 10 . 1 1 1 1 2 Step 3. Discarding the state terms of degree lower than 10 , we get s 341 ∗ = s 259 s 258 . Decompose and discard again, there is no state 2 1 1 term surviving. Reset d = d − 1 = 9 and repeat the above process. We can get the result s 341 ∗∗ = s 166 s 167 s 193 + s 167 s 168 s 192 + ... . 2 0 0 0 0 0 0 Step 4. Continue to decompose and discard, and we get: s 341 ∗∗∗ = s 56 2 s 57 2 s 83 2 s 84 2 s 101 + s 57 2 s 58 2 s 83 2 s 84 2 s 100 + ... (5) 2 2 2 Step 5. The decomposition ends and there are still state terms surviving. d = 9 is the estimated degree of s 341 . 2 Step 6. Note that, if there is no state item in s 341 ∗∗∗ surviving, 2 which means the degree must be less than 9. We reset d = 8 and continue the above steps 3-5. X Fu ( Tsinghua University, Beijing, China FHNW, Windisch, Switzerland ) A Key-recovery Attack on 855-Round Trivium June 6,2018 15 / 24

Recommend

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented by Orhun Kara 1 Outline The AES A 5-round distinguisher Attack on 7-round AES-192, AES-256 and 8-round AES-256 Some optimizations

504 views • 19 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Extended APOP Password Extended APOP Password Recovery Attack Recovery Attack Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro (The University of Electro-Communications) 31 characters can be recovered. Remark: This research was done only

117 views • 7 slides
A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan Lashermes 1 Yanis Linge 2 Gal Thomas 3 Jean Yves Zie 1 INRIA Rennes, LHS/PEC 2 STMicroelectronics 3 Orange Labs Issy Les Moulineaux October 25th, 2016

315 views • 17 slides
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay,

BinRec: Attack Surface Reduction Through Dynamic Binary Recovery Taddeus Kroes, Anil Altinay, Joseph Nash, Yeoul Na, Stijn Volckaert, Herbert Bos, Michael Franz, Cristiano Giuffrida October 19, 2018 Attack Surface Reduction x =

2.55k views • 62 slides
Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net

1 11/05/2016 18:35 Strong recovery in Q4 post cyber attack Lowest ever churn Flat net adds Strongest quarter of RGU growth +148k FY EBITDA 260m in line with guidance; material step up in H2 margin to 18.4% Reiterating FY17

651 views • 43 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo

(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo

SKLOIS (Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 Institute for

381 views • 26 slides
A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of

A Key Recovery Attack on QC-MDPC Using Decoding Errors Qian Guo Selmer Center, University of Bergen. This is a joint work with Thomas Johansson and Paul Stankovski. Finse winter school 2018 May 11th, 2018 Outline 1 Motivation 2 Background on

813 views • 38 slides
Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or horizontal half-planes Round 1 Round 1 Round 1 Round 1 Round 1 h 1 D 2 &quot; 1 =0.30 ! =0.42 1 Round 2 Round 2 Round 2 Round 2 Round

188 views • 5 slides
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016 Outline 1 Motivation 2 Background on

381 views • 36 slides
Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline--divided into 3 parts u Ketje u Related Works u Cube-like

454 views • 27 slides
Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1

Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1

Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1 Universidad Nacional de Colombia, Sede Medell n, Colombia 2 University of Louisville, USA 3 National Institute of Standards and Technology, USA

817 views • 33 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu) Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium

1.1k views • 75 slides
Diffusion and a Key-Recovery Attack on a WM Scheme by Li and Yuan (Hans) Georg Schaathun

Diffusion and a Key-Recovery Attack on a WM Scheme by Li and Yuan (Hans) Georg Schaathun

Diffusion and a Key-Recovery Attack on a WM Scheme by Li and Yuan (Hans) Georg Schaathun Department of Computing University of Surrey 22-23 September 2008 (Hans) Georg Schaathun Diffusion 22-23 September 2008 1 / 23 Do not reuse the key

606 views • 48 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides

More recommend