algebraic cryptanalysis of stark friendly designs
play

Algebraic Cryptanalysis of STARK-Friendly Designs: Application to - PowerPoint PPT Presentation

Jul 04, 2023 •275 likes •895 views

S C I E N C E P A S S I O N T E C H N O L O G Y Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin Albrecht Carlos Cid Lorenzo Grassi Dmitry Khovratovich Reinhard Lfenegger

  1. S C I E N C E P A S S I O N T E C H N O L O G Y Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC Martin Albrecht – Carlos Cid – Lorenzo Grassi – Dmitry Khovratovich – Reinhard Lüfenegger – Christian Rechberger – Markus Schofnegger Asiacrypt 2019 > www.iaik.tugraz.at

  2. To Put the Cart Before the Horse... Our main contribution is a known-plaintext key-recovery attack on the block cipher J ARVIS with a single plaintext-ciphertext pair. Rounds Security level (bits) Attack complexity ( log 2 # ops ) 10 ( JARVIS -128) 128 72 12 ( JARVIS -192) 192 85 14 ( JARVIS -256) 256 98 Practically verified up to 6 rounds of JARVIS Extends to a preimage attack on the hash function FRIDAY 1 / 23

  3. To Put the Cart Before the Horse... Our main contribution is a known-plaintext key-recovery attack on the block cipher JARVIS with a single plaintext-ciphertext pair. Rounds Security level (bits) Attack complexity ( log 2 # ops ) 10 ( JARVIS -128) 128 72 12 ( JARVIS -192) 192 85 14 ( JARVIS -256) 256 98 Practically verified up to 6 rounds of JARVIS Extends to a preimage attack on the hash function FRIDAY 1 / 23

  4. Overview Introduction Preliminaries The MARVELlous Design Key-Recovery Attack on JARVIS Attack Idea Results 2 / 23

  5. Algebraic Cryptanalysis Model a cryptographic primitive as a system of multivariate polynomial equations f 1 ( x 1 , . . . , x n ) = ⋯ = f k ( x 1 , . . . , x n ) = 0 in several variables x 1 , . . . , x n over some finite field F � → In general, result is a non-linear equation system Solve the system (e.g. for a specific variable) � → Several techniques available. Gröbner bases are one of them. 3 / 23

  6. Algebraic Cryptanalysis Model a cryptographic primitive as a system of multivariate polynomial equations f 1 ( x 1 , . . . , x n ) = ⋯ = f k ( x 1 , . . . , x n ) = 0 in several variables x 1 , . . . , x n over some finite field F � → In general, result is a non-linear equation system Solve the system (e.g. for a specific variable) � → Several techniques available. Gröbner bases are one of them. 3 / 23

  7. Solving Equation Systems with Gröbner Bases Formally, a Gröbner basis is a special generating set for an ideal in a multivariate polynomial ring Informally, a Gröbner basis is a different representation of an equation system with the same solution set Gröbner bases assist in solving systems of polynomial equations over some (finite) field F Used together with factorisation algorithms for univariate polynomials 4 / 23

  8. Solving Equation Systems with Gröbner Bases Formally, a Gröbner basis is a special generating set for an ideal in a multivariate polynomial ring Informally, a Gröbner basis is a different representation of an equation system with the same solution set Gröbner bases assist in solving systems of polynomial equations over some (finite) field F Used together with factorisation algorithms for univariate polynomials 4 / 23

  9. Solving Equation Systems with Gröbner Bases Formally, a Gröbner basis is a special generating set for an ideal in a multivariate polynomial ring Informally, a Gröbner basis is a different representation of an equation system with the same solution set Gröbner bases assist in solving systems of polynomial equations over some (finite) field F Used together with factorisation algorithms for univariate polynomials 4 / 23

  10. Solving Equation Systems with Gröbner Bases Formally, a Gröbner basis is a special generating set for an ideal in a multivariate polynomial ring Informally, a Gröbner basis is a different representation of an equation system with the same solution set Gröbner bases assist in solving systems of polynomial equations over some (finite) field F Used together with factorisation algorithms for univariate polynomials 4 / 23

  11. MARVELlous MARVELlous [AD18] is a family of cryptographic primitives, comprising J ARVIS (block cipher) and FRIDAY (hash function) Designed to be efficient in the STARK setting “Algebraic” design that works with low-degree polynomials The hash function FRIDAY is based on the block cipher JARVIS 5 / 23

  12. MARVELlous MARVELlous [AD18] is a family of cryptographic primitives, comprising JARVIS (block cipher) and FRIDAY (hash function) Designed to be efficient in the STARK setting “Algebraic” design that works with low-degree polynomials The hash function FRIDAY is based on the block cipher JARVIS 5 / 23

  13. MARVELlous MARVELlous [AD18] is a family of cryptographic primitives, comprising JARVIS (block cipher) and FRIDAY (hash function) Designed to be efficient in the STARK setting “Algebraic” design that works with low-degree polynomials The hash function FRIDAY is based on the block cipher JARVIS 5 / 23

  14. MARVELlous MARVELlous [AD18] is a family of cryptographic primitives, comprising JARVIS (block cipher) and FRIDAY (hash function) Designed to be efficient in the STARK setting “Algebraic” design that works with low-degree polynomials The hash function FRIDAY is based on the block cipher JARVIS 5 / 23

  15. STARKs STARK [BBH+18] S calable T ransparent AR gument of K nowledge General goal: Given a public function f , a private input x and a public value y proof that f ( x ) = y without revealing x. Features of STARKs Arithmetisation-based Use Merkle-trees � → requirement of dedicated hash-function designs for efficiency 6 / 23

  16. STARKs STARK [BBH+18] S calable T ransparent AR gument of K nowledge General goal: Given a public function f , a private input x and a public value y proof that f ( x ) = y without revealing x. Features of STARKs Arithmetisation-based Use Merkle-trees � → requirement of dedicated hash-function designs for efficiency 6 / 23

  17. J ARVIS : the Design JARVIS is similar to MiMC [AGR+16] and works entirely over F 2 n , with n ∈ { 128 , 160 , 192 , 256 } MiMC JARVIS k i k i s i s i + 1 s i s i + 1 x 3 x − 1 B − 1 C B , C are affine polynomials of degree 4 and B − 1 the compositional inverse of B . 7 / 23

  18. Key-Reco very Attack on JARVIS I k p JARVIS ... c x − 1 B − 1 x − 1 B − 1 C C Go al: Given one plaintext p and corresponding ciphertext c = E k ( p ) recover the secret key k . Idea: Relate consecutive rounds by low-degree polynomial relations! 8 / 23

  19. Key-Reco very Attack on JARVIS I k = k 0 k 1 k r p ... c x − 1 B − 1 x − 1 B − 1 C C Go al: Given one plaintext p and corresponding ciphertext c = E k ( p ) recover the secret key k . Idea: Relate consecutive rounds by low-degree polynomial relations! 8 / 23

  20. Key-Reco very Attack on JARVIS II k i − 1 k i + 1 k i x − 1 B − 1 x − 1 B − 1 x − 1 B − 1 C C C Basic strategy Introduce variables x i for intermediate states between B − 1 and C in each round Relate each x i to the previous and next intermediate state x i − 1 and x i + 1 respectively 9 / 23

  21. Key-Reco very Attack on JARVIS II k i − 1 k i + 1 k i x i − 1 x i + 1 x − 1 B − 1 x − 1 B − 1 x i x − 1 B − 1 C C C Basic strategy Introduce variables x i for intermediate states between B − 1 and C in each round Relate each x i to the previous and next intermediate state x i − 1 and x i + 1 respectively 9 / 23

  22. Key-Reco very Attack on JARVIS II k i − 1 k i + 1 k i x i − 1 x i + 1 x − 1 B − 1 x − 1 B − 1 x i x − 1 B − 1 C C C Basic strategy Introduce variables x i for intermediate states between B − 1 and C in each round Relate each x i to the previous and next intermediate state x i − 1 and x i + 1 respectively 9 / 23

  23. Key-Reco very Attack on JARVIS III k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 s i − 1 s i + 1 C C C Basic equations B ( x i ) = 1 C ( x i − 1 ) + k i − 1 C ( x i ) = B ( x i + 1 ) + k i 1 10 / 23

  24. Key-Reco very Attack on JARVIS III k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 s i − 1 s i + 1 C C C Basic equations B ( x i ) = 1 C ( x i − 1 ) + k i − 1 C ( x i ) = B ( x i + 1 ) + k i 1 10 / 23

  25. Key-Reco very Attack on JARVIS III k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 s i − 1 s i + 1 C C C Basic equations B ( x i ) = 1 C ( x i − 1 ) + k i − 1 C ( x i ) = B ( x i + 1 ) + k i 1 10 / 23

  26. Key-Reco very Attack on JARVIS III k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 s i − 1 s i + 1 C C C Basic equations B ( x i ) = 1 C ( x i − 1 ) + k i − 1 C ( x i ) = B ( x i + 1 ) + k i 1 10 / 23

  27. Key-Reco very Attack on JARVIS III k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 s i − 1 s i + 1 C C C Basic equations B ( x i ) = 1 C ( x i − 1 ) + k i − 1 C ( x i ) = B ( x i + 1 ) + k i 1 10 / 23

  28. Key-Reco very Attack on JARVIS IV k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 C C C Idea for improvements: Only use every second intermediate state by finding affine polynomials B ′ , C ′ such that B ′ ○ B = C ′ ○ C ! 11 / 23

  29. Key-Reco very Attack on JARVIS V k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 C C C Improved equations 12 / 23

  30. Key-Reco very Attack on JARVIS V k i − 1 k i + 1 k i B − 1 x i − 1 B − 1 x i + 1 x − 1 x − 1 B − 1 x i x − 1 C C C Improved equations = 1 C ( x i − 1 ) + k i − 1 12 / 23

Recommend

Zoo Architecture - Animal / Visitor / Management Friendly Designs, Presentation at the SAZARC

Zoo Architecture - Animal / Visitor / Management Friendly Designs, Presentation at the SAZARC

Zoo Architecture - Animal / Visitor / Management Friendly Designs, Presentation at the SAZARC Fourth Annual Meeting, Colombo, December 1-7, 2003 (usually uninformed) designer clearer. It results in The Principles of Zoo Friendly Architecture

319 views • 3 slides
Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Introduction Equations Solvers Advanced Techniques Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases Martin R. Albrecht Team SALSA, UPMC, Paris 6, . . . June 2nd, 2011 @ ECrypt 2 PhD Summer school,

1.09k views • 46 slides
Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis

Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis

Evolutionary Computation Techniques for Constructing SAT-based Attacks in Algebraic Cryptanalysis Artem Pavlenko , Alexander Semenov, Vladimir Ulyantsev {alpavlenko,ulyantsev}@corp.ifmo.ru ITMO University, St. Petersburg, Russia ISDCT SB RAS,

431 views • 25 slides
Stark Law Stark Law Stark Law Stark Law Making the Confusion Understandable Making the

Stark Law Stark Law Stark Law Stark Law Making the Confusion Understandable Making the

Stark Law Stark Law Stark Law Stark Law Making the Confusion Understandable Making the Confusion Understandable Robert A. Wade Partner Krieg DeVault LLP 4101 Edison Lakes Parkway, Suite 100 Mishawaka, IN 46545 Telephone: 574-485-2002

1.17k views • 112 slides
Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX,

Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX,

Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX, cole polytechnique Nutmic 2019 A. Couvreur Cryptanalysis in codebased crypto Nutmic 2019 1 / 80 History of codebased cryptography 1

1.47k views • 116 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban Bar-Ilan

Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban Bar-Ilan

Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban Bar-Ilan University Crypto 2018 PKC foundations are mainly abelian (and quantum insecure) PKC foundations are mainly abelian (and quantum insecure) DLP in finite

614 views • 32 slides
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information

Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information

Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques in Cryptanalysis Algebra is the

659 views • 61 slides
Stark Exceptions The Stark exceptions are mandatory. That is, if an arrangement falls within

Stark Exceptions The Stark exceptions are mandatory. That is, if an arrangement falls within

Stark Exceptions The Stark exceptions are mandatory. That is, if an arrangement falls within the scope of Stark and an exception does not apply the arrangement would be in violation of Stark. There are 3 types of Stark exceptions

279 views • 4 slides
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom March, 2017 www.iaik.tugraz.at Introduction In the case of AES, several alternative representations (algebraic representation [

627 views • 52 slides
Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University

Algebraic and Slide Attacks on KeeLoq Nicolas T. Courtois 1 Gregory V. Bard 2 1 - University College of London, UK 2 - University of Maryland, US KeeLoq and Algebraic Cryptanalysis KeeLoq Block cipher used to unlock doors and the alarm in

171 views • 13 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Parallel Framework for Evolutionary Black- box Optimization with Application to Algebraic

Parallel Framework for Evolutionary Black- box Optimization with Application to Algebraic

Parallel Framework for Evolutionary Black- box Optimization with Application to Algebraic Cryptanalysis presenter: Stepan Kochemazov A. Pavlenko, A. Semenov, V. Ulyantsev, O. Zaikin {alpavlenko,ulyantsev}@corp.ifmo.ru biclop.rambler@yandex.ru

313 views • 27 slides
A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer

A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer

A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer Science University of Aarhus Denmark July 1996 The Issue Languages like CCS and the -calculus provide an algebraic approach to concurrency:

560 views • 15 slides
Stark v. Ford Motor Co. Ch. 7 Strict Liability Daniel Gil | Leslie Chavez | Danielle Lagria

Stark v. Ford Motor Co. Ch. 7 Strict Liability Daniel Gil | Leslie Chavez | Danielle Lagria

Stark v. Ford Motor Co. Ch. 7 Strict Liability Daniel Gil | Leslie Chavez | Danielle Lagria Background Plaintiffs: Cheyenne, Cody, and Cory Stark through their Guardian ad Litem, Nicole Jacobsen and Ruby Stark as well as Gordon Stark. A

854 views • 11 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Reforming Stark/Anti- Kickback Policies KEVIN MCANANEY The Stark Law 42 USC 1395nn

Reforming Stark/Anti- Kickback Policies KEVIN MCANANEY The Stark Law 42 USC 1395nn

January 2019 Reforming Stark/Anti- Kickback Policies KEVIN MCANANEY The Stark Law 42 USC 1395nn Prohibits physicians from referring M/M patients to hospitals and other entities for hospital and other services if the physician has a

267 views • 7 slides
Using graphs and Laplacian eigenvalues to evaluate block designs R. A. Bailey University of St

Using graphs and Laplacian eigenvalues to evaluate block designs R. A. Bailey University of St

Using graphs and Laplacian eigenvalues to evaluate block designs R. A. Bailey University of St Andrews / QMUL (emerita) Ongoing joint work with Peter J. Cameron Modern Trends in Algebraic Graph Theory, Villanova, June 2014 1/52 Abstract

1.8k views • 168 slides
SE 162 nd Safety and Access to Transit Project SE Stark to SE Powell Blvd Where on 162nd? South

SE 162 nd Safety and Access to Transit Project SE Stark to SE Powell Blvd Where on 162nd? South

SE 162 nd Safety and Access to Transit Project SE Stark to SE Powell Blvd Where on 162nd? South of the STARK STREET Stark Street intersection - the Stark Street 162 ND AV intersection and 1.7 the area north miles of Stark Street is

692 views • 24 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Stark County Fatherhood Coalition Program Ohio Commission on Fatherhood Meeting May 9, 2019 Rob

Stark County Fatherhood Coalition Program Ohio Commission on Fatherhood Meeting May 9, 2019 Rob

Stark County Fatherhood Coalition Program Ohio Commission on Fatherhood Meeting May 9, 2019 Rob Pierson, Deputy Director of Child Support Stark County Job & Family Services, and Chairperson of the Stark County Fatherhood Coalition Stark

634 views • 38 slides
Lossless Dimension Expanders via Linearized Polynomials and Subspace Designs Venkat Guruswami,

Lossless Dimension Expanders via Linearized Polynomials and Subspace Designs Venkat Guruswami,

Lossless Dimension Expanders via Linearized Polynomials and Subspace Designs Venkat Guruswami, Nicolas Resch and Chaoping Xing Algebraic Pseudorandomness Traditional pseudorandom objects (e.g., expander graphs, randomness extractors,

710 views • 18 slides

More recommend