
A Model for Structure Attacks, with Applications to PRESENT and Serpent

Meiqin Wang (1), Yue Sun (2), Elmar Tischhauser (3) and Bart Preneel (3)
(1) Shandong University, (2) Tsinghua University, (3) KU Leuven and IBBT

FSE 2012, March 19, 2012


  2. Outline

     1. Motivation
     2. Modeling structure attacks
     3. Attacking PRESENT and Serpent
     4. Conclusions and outlook

  3. Motivation: How to leverage multiple differentials?

     Using multiple differentials has advantages
     ◮ More likely to hit right pair ⇒ decrease data complexity
     ◮ Unlike linear cryptanalysis: always constructive
     ◮ Success stories: DES, Serpent

     Caveats
     ◮ Too many differentials can increase complexity
     ◮ Multiple input, multiple output, both?
     ◮ How many active bits/S-boxes at input/output?

     ⇒ General model needed for evaluation

  6. State of the art: What we know

     Historical introduction
     ◮ Biham and Shamir 1990: Quartets, Octets, etc.
     ◮ ... widespread informal use ...
     ◮ Blondeau and Gérard, FSE 2011: Comprehensive framework for multiple differentials

     What's left to do then?
     ◮ Model of FSE'11: Analysis requires fairly restrictive condition on differentials
     ◮ Can this be avoided?
     ◮ Some small technical problems with the attack on 18-round PRESENT

  10. Structure attacks

      Structure attacks
      ◮ Use multiple input, single output differences
      ◮ Proper subclass of multiple differential cryptanalysis
      ◮ Allow avoiding the condition of [Blondeau and Gérard, FSE'11]

      Structures
      ◮ Consider set $\{\Delta_0^1, \ldots, \Delta_0^t\}$ of input differences
      ◮ Structure: collection of plaintexts of the form $\bigcup_{\Delta \in \operatorname{span}\{\Delta_0^1, \ldots, \Delta_0^t\}} \{x \oplus \Delta\}$ for a given $x$

      Here: focus on SPNs

  13. Modeling structure attacks: The setting

      Notation
      ◮ $m$-bit block cipher, $k$-bit key
      ◮ Attack on $R$ rounds with $r$-round differentials
      ◮ Set $\Delta_0$ of input differences, one output difference $\Delta_r$

  14. Modeling structure attacks: The setting

      [Figure: SPN diagram with S-box layers S15 ... S0. Labels: $N_p$ bits active, $r$ rounds, $N_c$ bits not active, $R$ rounds]

  17. Structure of the structures

      In each structure:
      ◮ $m - N_p$ bits fixed,
      ◮ $N_p$ bits take on all $N_p$-bit values

      [Figure: Structure 1 and Structure 2, each drawn as rows over positions 15 to 0 with entries r (resp. s) and values from 0 to F; and so on]

  18. Anatomy of a structure attack

      1. For each of the $N_{st}$ structures:
         (a) Insert ciphertexts into hash table indexed by $N_c$
         (b) For each entry: Check if input difference matches $\Delta_0$
         (c) If yes: For each pair, filter by output difference in active S-boxes in round $R$
         (d) If pair survives filter: Guess $n_k$ subkey bits, decrypt to round $r$, maintain counters.
      2. Search through the $\ell$ best key candidates, find master key.

      [Figure: SPN diagram with S-box layers S15 ... S0. Labels: $r$ rounds, $R$ rounds]

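The structure layout ("$m - N_p$ bits fixed, $N_p$ bits take on all values") and steps 1(a)-(b) of the attack outline above, as an added example that is not taken from the slides or the paper. The 16-bit toy SPN, its round keys, the masks, the set of input differences and all function names are assumptions made for illustration; only the S-box is the published PRESENT S-box.

```python
from collections import defaultdict
from itertools import combinations, product

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
M = 16                # toy block size m (assumption)
FULL = (1 << M) - 1

def toy_encrypt(x, round_keys):
    """Constructed toy SPN: key XOR, four 4-bit S-boxes, PRESENT-style bit permutation."""
    for k in round_keys[:-1]:
        x ^= k
        x = sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
        x = sum(((x >> i) & 1) << (15 if i == 15 else (4 * i) % 15) for i in range(M))
    return x ^ round_keys[-1]

def build_structure(base, active_mask):
    """m - N_p bits are fixed to those of `base`; the N_p active bits take all values."""
    bits = [i for i in range(M) if (active_mask >> i) & 1]
    fixed = base & ~active_mask & FULL
    return [fixed | sum(b << i for b, i in zip(v, bits))
            for v in product((0, 1), repeat=len(bits))]

def sieve_structure(plaintexts, encrypt, delta0_set, ct_active_mask):
    """Steps 1(a)-(b): hash ciphertexts on their N_c non-active bits, then keep
    colliding pairs whose plaintext difference is one of the input differences."""
    table = defaultdict(list)
    for p in plaintexts:
        c = encrypt(p)
        table[c & ~ct_active_mask & FULL].append((p, c))
    survivors = []
    for bucket in table.values():
        for (p1, c1), (p2, c2) in combinations(bucket, 2):
            if (p1 ^ p2) in delta0_set:
                survivors.append((p1, p2, c1 ^ c2))  # c1 ^ c2 feeds the step 1(c) filter
    return survivors

if __name__ == "__main__":
    keys = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081]                  # constructed round keys
    delta0 = {d << s for d in range(1, 16) for s in (0, 4)}  # one active input nibble
    structure = build_structure(0xBEEF, 0x00FF)              # N_p = 8
    pairs = sieve_structure(structure, lambda p: toy_encrypt(p, keys), delta0, 0x00FF)
    print(len(structure), "plaintexts,", len(pairs), "pairs left for the output filter")
```

The hash table replaces the quadratic scan over all pairs of a structure: only ciphertexts that already agree on the non-active bits are ever compared.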
