a model for structure attacks with applications to
play

A Model for Structure Attacks, with Applications to PRESENT and - PowerPoint PPT Presentation

Apr 10, 2024 •163 likes •636 views

A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2 , Elmar Tischhauser 3 and Bart Preneel 3 1 Shandong University, 2 Tsinghua University, 3 KU Leuven and IBBT FSE 2012 March 19, 2012 1 / 18 Outline

  1. A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2 , Elmar Tischhauser 3 and Bart Preneel 3 1 Shandong University, 2 Tsinghua University, 3 KU Leuven and IBBT FSE 2012 March 19, 2012 1 / 18

  2. Outline 1. Motivation 2. Modeling structure attacks 3. Attacking PRESENT and Serpent 4. Conclusions and outlook 2 / 18

  3. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  4. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  5. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  6. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  7. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  8. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  9. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  10. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  11. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  12. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  13. Modeling structure attacks: The setting Notation ◮ m -bit block cipher, k bit key ◮ Attack on R rounds with r -round differentials ◮ Set ∆ 0 of input differences, one output difference ∆ r Modeling structure attacks 6 / 18

  14. Modeling structure attacks: The setting N p bits active S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 r rounds S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 N c bits not active R rounds Modeling structure attacks 6 / 18

  15. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Modeling structure attacks 7 / 18

  16. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Structure 1: r 0 0 r r r 10 r r r r r r r 0 r 0 15 12 11 9 8 7 6 5 4 3 1 r F F r r r 10 r r r r r r r F r F F 12 11 9 8 7 6 5 4 3 1 Modeling structure attacks 7 / 18

  17. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Structure 1: r 0 0 r r r 10 r r r r r r r 0 r 0 15 12 11 9 8 7 6 5 4 3 1 r F F r r r 10 r r r r r r r F r F F 12 11 9 8 7 6 5 4 3 1 Structure 2: s 0 0 s s s 10 s s s s s s s 0 s 0 15 12 11 9 8 7 6 5 4 3 1 s F F s s s 10 s s s s s s s F s F F 12 11 9 8 7 6 5 4 3 1 and so on Modeling structure attacks 7 / 18

  18. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

  19. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

  20. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

Recommend

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in

Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in

Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in Partitioned Applications Partitioned Applications Charles W. ODonnell 1 , G. Edward Suh 2 Marten van Dijk 1 , Srinivas Devadas 1 1 Massachusetts Institute

336 views • 32 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve Flemming Andersen Outline Motivation Cache attacks: origins, time-driven attack Strength of an implementation Analytical model of

685 views • 19 slides
Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Large-scale electronic structure methods Introduction Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications Outlook Taisuke Ozaki (ISSP, Univ. of Tokyo) The Summer School on DFT: Theories and

689 views • 55 slides
Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries,

Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries,

Learning' Probabilis2c' Graphical' BN'Structure' Models' Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries, when domain expertise is not perfect For structure discovery, when inferring network

752 views • 61 slides
The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category

The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category

The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category Theory 2019 1/11 The classical KanQuillen model structure Theorem The category of simplicial sets carries a proper cartesian model structure

731 views • 34 slides
Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are

TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are

TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are believable Model Predictions match observation Important to remember that the model is an approximation - ignore less important features,

593 views • 26 slides
Not Killer Applications but perhaps Killer Solutions. Model Model Results Results

Not Killer Applications but perhaps Killer Solutions. Model Model Results Results

Problem Problem Not Killer Applications but perhaps Killer Solutions. Model Model Results Results Conclusions Conclusions Success Factors for Mobile Computing Applications and Business Models: An Empirical Study. Hans Juergen Ott The

258 views • 4 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web

3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web

Gerti Kappel c03.tex V2 - March 31, 2006 4:34 P.M. Page 39 39 3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web applications in practice. This is unfortunate as a model- based approach provides a

506 views • 26 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4

2.17k views • 147 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim,

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks Amjad Ibrahim, Simon Rehwald, Antoine Scemama, Florian Andres, Alexander Pretschner Technische Universitt Mnchen Department of Informatics Chair of Software

512 views • 24 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The

The security of Mozilla Firefoxs Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting The attacks could result

517 views • 20 slides
Geostatistical Model, Covariance structure and Cokriging Hans Wackernagel Equipe de

Geostatistical Model, Covariance structure and Cokriging Hans Wackernagel Equipe de

Introduction Geostatistical Model Covariance structure Cokriging Geostatistical Model, Covariance structure and Cokriging Hans Wackernagel Equipe de Gostatistique MINES ParisTech www.cg.ensmp.fr Statistics and Machine Learning

1.25k views • 69 slides
Discontinuous Galerkin Methods: An Overview and Some Applications Daya Reddy U NIVERSITY OF C APE

Discontinuous Galerkin Methods: An Overview and Some Applications Daya Reddy U NIVERSITY OF C APE

Discontinuous Galerkin Methods: An Overview and Some Applications Daya Reddy U NIVERSITY OF C APE T OWN Joint work with Beverley Grieshaber and Andrew McBride SANUM, Stellenbosch, 22 24 March 2016 Structure of talk A model elliptic

987 views • 54 slides

More recommend