automatic search of attacks on round reduced aes and
play

Automatic Search of Attacks on round-reduced AES and Applications - PowerPoint PPT Presentation

Oct 02, 2023 •172 likes •576 views

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

  1. Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011

  2. Introduction Algebraic Structure Automated Tools Conclusion Block-Cipher Cryptanalysis The Object: a Block Cipher E : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n � �� � � �� � � �� � key plaintext ciphertext often k = n , but not always (e.g. AES-256: n = 128 and k = 256) The Subject: an Attacker ◮ Objective: recover the secret key (or maybe distinguish from random) ◮ Resources: ◮ Time: less than 2 k encryptions ◮ Data: less than 2 n plaintext/ciphertext pairs Total Breaks of widely-used block ciphers are relatively rare (in comparison with hash functions/stream ciphers)

  3. Introduction Algebraic Structure Automated Tools Conclusion What to do when block ciphers are too strong for us? ◮ Solution # 1 : ◮ First weaken it ◮ Then break it Plaintext k 0 Round k 1 Round k 2 Round Key Schedule K k r Round Ciphertext

  4. Introduction Algebraic Structure Automated Tools Conclusion What to do when block ciphers are too strong for us? ◮ Solution # 1 : ◮ First weaken it (reduce number of rounds) ◮ Then break it Plaintext k 0 Round k 1 Round k 2 Round Key Schedule K k 3 Round Ciphertext

  5. Introduction Algebraic Structure Automated Tools Conclusion What to do when block ciphers are too strong for us? ◮ Solution # 2 : ◮ First we get stronger ◮ Then break it

  6. Introduction Algebraic Structure Automated Tools Conclusion What to do when block ciphers are too strong for us? ◮ Solution # 2 : ◮ First we get stronger (chosen ciphertexts, ) ◮ Then break it

  7. Introduction Algebraic Structure Automated Tools Conclusion What to do when block ciphers are too strong for us? ◮ Solution # 2 : ◮ First we get stronger (chosen ciphertexts, related keys, etc.) ◮ Then break it

  8. Introduction Algebraic Structure Automated Tools Conclusion Solution #3: Play Another Game In this talk: Low Data Complexity Attacks ◮ Has to be faster than exhaustive search ◮ Only very few plaintext/ciphertext pairs available Why ? ◮ Rather unexplored territory ◮ What is harder in practice? ◮ performing 2 50 elementary operations? ◮ or acquiring 50 Plaintext/Ciphertext pairs? ◮ LDC attacks can sometimes be recycled, and used as sub-components in other attacks ◮ e.g. attack on GOST uses a 2-plaintext attack on 8 rounds

  9. Introduction Algebraic Structure Automated Tools Conclusion Target Block Cipher: the Advanced Encryption Standard ◮ Designed by Rijmen and Daemen for AES competition ◮ Selected as the AES in 2001 ◮ One of the most widely used encryption primitive ◮ AES basic structures : ◮ Substitution-Permutation network ◮ Block size: 16-bytes (128 bits) ◮ key lengths: 128 , 192 or 256 bits ◮ 10 rounds for the 128-bit version

  10. Introduction Algebraic Structure Automated Tools Conclusion Description of the AES z i w i 0 4 8 12 ARK � 1 5 9 13 SB SR MC 2 6 10 14 3 7 11 15 3 7 11 15 15 3 7 11 k i x i y i ShiftRows MixColumns

  11. Introduction Algebraic Structure Automated Tools Conclusion Description of the AES z i w i 0 4 8 12 ARK � 1 5 9 13 SB SR MC 2 6 10 14 3 7 11 15 3 7 11 15 15 3 7 11 k i x i y i ShiftRows MixColumns ◮ Single-key attacks up to : ◮ 8 rounds on AES-128 ◮ 9 rounds on AES-192/256 ◮ Related-subkey attacks on the full AES-256/AES-192 ◮ Complexities just slightly less than the naturals bounds

  12. Introduction Algebraic Structure Automated Tools Conclusion Techniques for Low Data Complexity Attacks The problem with“Usual”attack techniques ◮ Statistical attacks ( e.g. , differential, impossible,linear) ◮ “Golden-plaintext”attacks ( e.g. , reflexion, slide) They require (VERY) LARGE QUANTITY of data What’s left? ◮ Algebraic Attacks/SAT-solvers ? ◮ Guess-and-Determine attacks ◮ Meet-in-the-Middle attacks

  13. Introduction Algebraic Structure Automated Tools Conclusion Techniques for Low Data Complexity Attacks The problem with“Usual”attack techniques ◮ Statistical attacks ( e.g. , differential, impossible,linear) ◮ “Golden-plaintext”attacks ( e.g. , reflexion, slide) They require (VERY) LARGE QUANTITY of data What’s left? ◮ Algebraic Attacks/SAT-solvers ◮ Guess-and-Determine attacks ◮ Meet-in-the-Middle attacks

  14. Introduction Algebraic Structure Automated Tools Conclusion Meet-in-the-Middle Attacks A very bad way to build an AES with 256-bit keys k 1 k 2 AES AES P M C E k 1 , k 2 = AES k 1 ◦ AES k 2

  15. Introduction Algebraic Structure Automated Tools Conclusion Meet-in-the-Middle Attacks A very bad way to build an AES with 256-bit keys k 1 k 2 AES AES P M C E k 1 , k 2 = AES k 1 ◦ AES k 2 ◮ For all k 1 , store AES k 1 ( P ) → k 1 in a hash table

  16. Introduction Algebraic Structure Automated Tools Conclusion Meet-in-the-Middle Attacks A very bad way to build an AES with 256-bit keys k 1 k 2 AES AES P M C E k 1 , k 2 = AES k 1 ◦ AES k 2 ◮ For all k 1 , store AES k 1 ( P ) → k 1 in a hash table ◮ For all k 2 , look-up AES − 1 k 2 ( C ) in the hash table

  17. Introduction Algebraic Structure Automated Tools Conclusion Meet-in-the-Middle Attacks A very bad way to build an AES with 256-bit keys k 1 k 2 AES AES P M C E k 1 , k 2 = AES k 1 ◦ AES k 2 ◮ For all k 1 , store AES k 1 ( P ) → k 1 in a hash table ◮ For all k 2 , look-up AES − 1 k 2 ( C ) in the hash table ◮ We expect ≈ 1 value of k 1 per value of k 2 Time complexity ≈ 2 128 encryptions, with 256-bit keys!

  18. Introduction Algebraic Structure Automated Tools Conclusion Cryptanalytic Tools We want to find Guess-n-determine/Meet-in-the-middle attacks Problems ◮ We are lazy ◮ It is delicate and complicated, and nearly made us crazy Standard Solution: build a tool to do the job for you! We are not alone! E.g. , Tools to find differential paths : DES [Matsui, 93], SHA-1 [de Canni` ere et. al, 06], Grindhal [Peyrin et al., 07], RadioGat` un [Fuhr et al., 09], MD4/MD5 [Leurent et al., 07], AES [Biryukov et al., 10], etc.

  19. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Is it a Problem? ◮ Concerns about the AES’s algebraic simplicity have been expressed several times ◮ But so far, no attack directly exploited this property... ...Until now

  20. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Round Function z i w i 0 4 8 12 ARK SB SR MC � 1 5 9 13 2 6 10 14 3 7 11 15 3 7 11 15 15 3 7 11 k i x i y i ShiftRows MixColumns y i [ ℓ ] = S ( x i [ ℓ ])     02 03 01 01 y i [0] y i [4] y i [8] y i [12] 01 02 03 01 y i [5] y i [9] y i [13] y i [1]     x i +1 =  ×  + k i     01 01 02 03 y i [10] y i [14] y i [2] y i [6]   03 01 01 02 y i [15] y i [3] y i [7] y i [11]

  21. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i k i +1

  22. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i + S k i +1

  23. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i ◮ k i +1 [1] = k i [1] + S ( k i [14]) + S k i +1

  24. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i ◮ k i +1 [1] = k i [1] + S ( k i [14]) ◮ k i +1 [2] = k i [2] + S ( k i [15]) + S k i +1

  25. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i ◮ k i +1 [1] = k i [1] + S ( k i [14]) ◮ k i +1 [2] = k i [2] + S ( k i [15]) + S ◮ k i +1 [3] = k i [3] + S ( k i [12]) k i +1

  26. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i ◮ k i +1 [1] = k i [1] + S ( k i [14]) ◮ k i +1 [2] = k i [2] + S ( k i [15]) + ◮ k i +1 [3] = k i [3] + S ( k i [12]) ◮ k i +1 [4 .. 7] = k i +1 [4 .. 7] + k i [0 .. 3] k i +1

  27. Introduction Algebraic Structure Automated Tools Conclusion The AES Has a Clean Description over F 256 Key-Schedule ◮ k 0 = K (the master-key) k i ◮ k i +1 [0] = k i [0] + S ( k i [13]) + RCON i ◮ k i +1 [1] = k i [1] + S ( k i [14]) ◮ k i +1 [2] = k i [2] + S ( k i [15]) + ◮ k i +1 [3] = k i [3] + S ( k i [12]) ◮ k i +1 [4 .. 7] = k i +1 [4 .. 7] + k i [0 .. 3] k i +1 ◮ k i +1 [8 .. 11] = k i +1 [8 .. 11] + k i [4 .. 7]

Recommend

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems

Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems

Automatic Generation of Minimal and Reduced Models for Structured Parametric Dynamical Systems Igor Pontes Duff Joint work with Peter Benner (MPI, Magdeburg) Pawan Goyal (MPI, Magdeburg) ICERM Workshop - Mathematics of Reduced Order Models

1.46k views • 108 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

634 views • 45 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
BPM ROUND TABLE Successful Valorization of Business Process Management Re- search Through the

BPM ROUND TABLE Successful Valorization of Business Process Management Re- search Through the

EUROPEAN BPM ROUND TABLE Successful Valorization of Business Process Management Re- search Through the European BPM Round Table The European BPM Round Table is a lenges that urgently need to be ad- federation of 21 national BPM round dressed by

182 views • 4 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for

433 views • 11 slides
Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi Meier Indocrypt 2011 1 / 28 Overview Sponge construction and K ECCAK Previous analysis results Differentials in K ECCAK Differential

311 views • 28 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search,

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search,

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 19: Search, Decoding and La tu ices Instructor: Preethi Jyothi Mar 27, 2017 Recap: Static and Dynamic Networks Static network: Build compact decoding graph

350 views • 21 slides
Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of

Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of

Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of Heuristics - Macro Problem Solving - Hierarchical A* and Voltortas Theorem - Pattern Databases - Disjoint Pattern Databases - Multiple, Bounded,

476 views • 29 slides

More recommend