basic idea guess and determine
play

Basic Idea Guess And Determine Determine partial internal state by - PowerPoint PPT Presentation

Jan 27, 2024 •176 likes •634 views

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

  1. Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India { dhimans,skakarla,smandava,drc } @cse.iitkgp.ernet.in SPACE 2016 Hyderabad, India

  2. Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce state space of some other part ◮ Exploits limited diffusion ◮ Build upon guessing strategy to mount key-recovery or forgery ◮ Our motivation: Use this strategy on Authenticated Encryption Schemes ◮ Demonstrated by Boura et al. in FSE 2016 on π − cipher We look at CAESAR submission PAEQ

  3. Authenticated Encryption Confidentiality + Authenticity Two at the cost of One!

  4. Preliminaries Authenticated Encryption ◮ Conventionally, ◮ Encryption scheme → confidentiality ◮ Message Authentication Code (MAC) → authentication and message integrity Authenticated Cipher Tries to merge both these primitives preferably at the cost of one. ◮ Many attempts to build AE schemes ◮ Serious attacks on OpenSSL and TLS exploiting AE!!! ◮ Lack of proper understanding of the problem ◮ Inspired CAESAR competition

  5. Preliminaries CAESAR CAESAR Competition for Authenticated Encryption: Security, Applicability, and Robustness ◮ A multi-year competition announced in 2014 ◮ Select final portfolio of AE schemes ◮ Possible standardization ◮ Benchmark: AES-GCM ◮ 57 accepted submissions ◮ Round 2 → 30 Candidates ◮ Round 3 → 15 Candidates (On-going) PAEQ was a Round 2 candidate at the time of this work

  6. PAEQ Bio PAEQ ↔ Parallelizable Authenticated Encryption based on Quadrupled AES ◮ Introduced by Biryukov and Khovratovich in ISC 2014 ◮ Along with a new generic mode of operation PPAE ◮ Parallelizable Permutation-based Authenticated Encryption ◮ And an AES based permutation AESQ ◮ Security level up to 128 bits & higher, equal to the key length ◮ Third-party Cryptanalysis ◮ Fault Attack - Saha and Roy Chowdhury (CHES 2016) ◮ Rebound attack - Bagheri et al. (ACISP 2016)

  7. Different PAEQ variants PAEQ | Key | | Nonce | | Tag | Security Extra Features 64 64 64 64-bit paeq-64 Primary paeq-80 80 80 80 80-bit sets paeq-128 128 96 128 128-bit Quick 64 64 512 64-bit paeq-64-t Tag Update Nonce-misuse + 64 128 512 64-bit paeq-64-tnm Tag Update Quick Secondary paeq-128-t 128 128 512 128-bit Tag Update sets Nonce-misuse + 128 256 512 128-bit paeq-128-tnm Tag Update 192 128 128 128-bit paeq-192 160 128 160 160-bit paeq-160 256 128 128 128-bit paeq-256

  8. PAEQ Focus of Current Attack PAEQ | Key | | Nonce | | Tag | Security Extra Features 64 64 64 64-bit paeq-64 Primary 80 80 80 80-bit paeq-80 sets PAEQ 128 96 128 128-bit paeq-128 Quick 64 64 512 64-bit paeq-64-t Tag Update paeq-64 Nonce-misuse + 64 128 512 64-bit paeq-64-tnm Tag Update paeq-80 Quick Secondary 128 128 512 128-bit paeq-128-t Tag Update paeq-128 sets Nonce-misuse + 128 256 512 128-bit paeq-128-tnm Tag Update 192 128 128 128-bit paeq-192 paeq-64-t 160 128 160 160-bit paeq-160 256 128 128 128-bit paeq-256

  9. AESQ The Internal Permutation ◮ Internal state size of 512 bits ◮ Comprises of 4 sub-states of 128 bits each ◮ Sub-states correspond to AES state matrix

  10. Inside AESQ SB SRMC SB SRMC SB SRMC SB SRMC ◮ Composition of 20 round 1 2 3 4 functions SB SRMC SB SRMC SB SRMC SB SRMC 5 6 7 8 ◮ Shuffle operation after every 2 rounds ◮ Basically a Column permutation SB SRMC SB SRMC SB SRMC SB SRMC 9 10 11 12 SB SRMC SB SRMC SB SRMC SB SRMC 13 14 15 16 ◮ Round function almost similar to AES ◮ SubBytes ◮ ShiftRows ◮ MixColumns ◮ AddRoundConstants 4 Rounds of AESQ Fig. Source: PAEQ submission document

  11. PAEQ Encryption

  12. PAEQ Authentication

  13. PAEQ Handling Associated Data

  14. PAEQ Final Tag Generation

  15. PAEQ Focus of This Work

  16. PAEQ Encryption ( i th Branch) Input/Output of f ◮ Look at input of permutation ◮ 3 out of 4 inputs known ◮ Also P i ⊕ C i gives partial output of f Note: We have to deal with partially specified states Our Intuition Can we guess part of f output to recover the internal state?

  17. Handling Partial States Byte-Entropy Notion of Byte-Entropy ( E ) The number of unknown bytes in the state/sub-state ◮ Byte-Entropy ◮ Unchanged under SubBytes ( β ), ShiftRows ( ρ ), AddRoundConstants ( α ) ◮ Might increase under Mixcolumns ( µ )

  18. Some Observations on PAEQ

  19. Observation 1 Look at first two rounds of AESQ

  20. Observation 1 Limited Key Diffusion ◮ Recall: Round function works on individual substates ◮ Propagate permutation inputs forward for 2 Rounds ◮ Key diffusion limited to fourth substate

  21. Observation 2 How far can we go forward from the input?

  22. Propagate forward input of i th branch Observation 2

  23. Observation 2 Apply Shuffle

  24. Observation 2 Apply SubBytes, ShiftRows

  25. Observation 2 Three-Fourth Rule Three-Fourth Rule Three-fourth of every column known before Mix-Columns of Round 3

  26. Observation 3 How far can one invert if one of the substates is known?

  27. Observation 3 Propagate Backward Assumption Attacker has knowledge of single substate after R n

  28. Observation 3 Invert R n , R n − 1 Assumption Attacker has knowledge of single substate after R n

  29. Observation 3 Apply Inverse Shuffle Assumption Attacker has knowledge of single substate after R n

  30. Observation 3 Invert R n − 2 and α n − 3 Assumption Attacker has knowledge of single substate after R n

  31. Observation 3 One-Fourth Inversion Implication Using one substate one can invert up to the state after R n − 3 Mix-Columns One-Fourth Inversion One-Fourth of every column known after inversion

  32. Meet-in-the-middle When do Observations 2 and 3 converge?

  33. Meet-in-the-middle Theorem (Meet-in-the-middle) For n = 6 , the Three-fourth Rule and One-Fourth Inversion strategy converge at the input and output of µ 3 respectively which results in a unique solution for input of µ 3 . ◮ Main result used in all attacks here

  34. Gain − (G)uess (A)nd (In)vert Key Recovery Attacks

  35. Gain Primary Aim How can we make the assumption in One-Fourth Inversion true from the observable part of output? ◮ Recall: At least one substate in output of Round 6 must be known/determined Strategy ◮ Identify which bytes to guess ◮ Combine Guess-and-Invert steps

  36. Note What Attacker Actually Observes

  37. 6 - Round Attack Just Guess and Invert

  38. Guess and Invert Gain - 6 Rounds ◮ Guess substate with minimum Byte-Entropy ◮ Invert and apply MITM Theorem ◮ Recover internal state = ⇒ Key Recovery ◮ Complexity?

  39. 7 - Round Attack Invert last round first

  40. Invert-Guess-Invert Gain - 7 Rounds ◮ Invert last round first ◮ Note: Uniform Byte-Entropy for each PAEQ variant ◮ Next apply 6 round attack ◮ Complexity?

  41. 8 - Round Attack Guess, invert and repeat

  42. Guess-Invert-Guess-Invert Gain - 8 Rounds ◮ Note: Last Shuffle has to be dropped for this to work ◮ Guess first then invert ◮ We get same Byte-Entropy for all PAEQ variants ◮ Next apply 6 round attack ◮ Complexity?

  43. Complexities Gain Gain Complexities PAEQ Variant Security Level 6-Rounds 7-Rounds 8-Rounds 2 24 2 48 64-bit 1 paeq-64 2 16 2 32 2 48 80-bit paeq-80 2 32 2 40 2 48 128-bit paeq-128

  44. Epilogue Gain ◮ Made some interesting observations on PAEQ ◮ Developed a meet-in-the-middle scenario using them ◮ Devised guess-and-determine strategies to satisfy the scenario ◮ Got Key-Recovery for up to 8 out of 20 rounds ◮ Practical complexities ◮ Current strategy cannot be extended beyond 8 rounds ◮ No other key-recovery attacks known News: 15th Aug 2016 PAEQ did not make it to Round 3!!!

  45. Thanks! Queries crypto@dhimans.in

Recommend

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1 Guess 0 Guess 1 Guess 0 Guess 1 2 ATM Alternating Turing Machine Guess 0 Guess 1 Guess 0 Guess 1

1.35k views • 120 slides
Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine Cryptographic Attacks Artem Pavlenko, Maxim Buzdalov, Vladimir Ulyantsev GECCO 2019, July 16 Symmetric cryptography Alice wants to send a secret

715 views • 44 slides
by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc(

by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc(

Deriving Generic Functions by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc( (cBa bCd) ABC( aaBBcc(( ac Basic idea f :: A B I pick: a A You pick f, give me b (where b

318 views • 27 slides
CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get! Guess a 1/2! The expected value. Win X, 100 times. How much will you win the 101st. Guess average! Lets Guess! How much does random person

410 views • 27 slides
INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

MATHEMATICAL PERSEVERANCE: INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE RULE? 4, 6, 8 10, 12, 14 Guess the rule that applies to both sequences OR You can guess a set of three numbers you

544 views • 25 slides
Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320 Million Guess ss their net worth: $440 Million Guess ss their net worth: $3.2 Billion https://www.youtube.com/watch?v=ib-0_N9G0Lo Guess ss their

1.71k views • 145 slides
Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling

Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling

Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling vs. observation Discussion Basic Idea Surface Energy Balance Equation Diagnostic form: Heat capacity of ground zero ; ground heat

581 views • 57 slides
Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial

Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial

Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial solution x Iteration 1. Determine neighbor y of x by changing x a little 2. Decide to reject or accept y as your current solution 3. Go to Step 1,

505 views • 23 slides
Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner? HOSPITALITY Jesus the Lover and Host Passover The Lords Supper (Eucharist) The Marriage Feast of the Lamb Jesus the Stranger and Guest

274 views • 10 slides
Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is

Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is

Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is a logical consequence of KB . An answer clause is of the form: yes a 1 a 2 . . . a m The SLD Resolution of this answer clause on atom

389 views • 7 slides
Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical

Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical

Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical consequence of KB . An answer clause is of the form: yes a 1 a 2 . . . a m The SLD Resolution of this answer clause on atom a i with

291 views • 7 slides
Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location

Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location

Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location inside a building Sample applications: Position-aware reminders Location-aware buddy list Guidance for the cognitively impaired

501 views • 13 slides
Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h) truncation Assume y ( t ) is known error y ap (t+h) For small h approximate tangent line y ( t + h ) y ( t ) y(t) y ( t ) h

246 views • 6 slides
Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the

Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the

Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the <category name> you can think of Typically loosely timed, no questions allowed An example of Spradleys grand tour question

269 views • 24 slides
The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea

The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea

The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea II Monte Carlo Generators: Status & Perspectives III Charge Asymmetry and Radiative -Decays IV Nucleon Form Factors at B-Factories Pion

594 views • 32 slides
Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and

Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and

Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and Universidad Nacional de La Plata 1/29 A quotation The basic idea is simply to identify dimensions with levels and then try to determine what the

1.3k views • 90 slides
Project Minesweeper Andreas, Evy, Martin, Rebekka & Siripong Basic idea Possibility to

Project Minesweeper Andreas, Evy, Martin, Rebekka & Siripong Basic idea Possibility to

Project Minesweeper Andreas, Evy, Martin, Rebekka & Siripong Basic idea Possibility to reserve a group room From this Anarchy To this Democracy Transcending the traditional role of the library User-centered design Observations

485 views • 17 slides
Basic OS Progamming Abstractions Don Porter CSE 306 Recap Weve introduced the idea of

Basic OS Progamming Abstractions Don Porter CSE 306 Recap Weve introduced the idea of

Basic OS Progamming Abstractions Don Porter CSE 306 Recap Weve introduced the idea of a process as a container for a running program And weve discussed the hardware-level mechanisms to transition between the OS and

616 views • 35 slides
G2-1 Two Key Features Further details: void 1. The name of the function and The keyword void has

G2-1 Two Key Features Further details: void 1. The name of the function and The keyword void has

Big Idea for Code: Functions Deceptively Simple Big Idea One idea One definition, many uses One idea One definition, many uses One idea Identify a sub-problem that has to be solved in your One idea One definition, many uses

380 views • 6 slides
Chapter IX: Classification* 1. Basic idea 2. Decision trees 3. Nave Bayes classifier 4.

Chapter IX: Classification* 1. Basic idea 2. Decision trees 3. Nave Bayes classifier 4.

Chapter IX: Classification* 1. Basic idea 2. Decision trees 3. Nave Bayes classifier 4. Support vector machines 5. Ensemble methods * Zaki & Meira: Ch. 18, 19, 21, 22; Tan, Steinbach & Kumar: Ch. 4, 5.35.6 IR&DM 13/14 16

582 views • 42 slides
1 Story The story of Gemini started with a basic idea of developing and enhancing talent in the

1 Story The story of Gemini started with a basic idea of developing and enhancing talent in the

1 Story The story of Gemini started with a basic idea of developing and enhancing talent in the country As part of the Spring Rock Group of versatile service portfolio, soon we realized that talent development goes beyond training and knowledge

943 views • 47 slides
Computational Optimization Constrained Optimization Algorithms Same basic algorithms Repeat

Computational Optimization Constrained Optimization Algorithms Same basic algorithms Repeat

Computational Optimization Constrained Optimization Algorithms Same basic algorithms Repeat Determine descent direction Determine step size Take a step Until Optimal But now must consider feasibility, e.g. Pick a feasible descent

415 views • 25 slides
Semantic normalisation proofs Ulrich Berger Swansea 1 Basic idea Interpret -terms with

Semantic normalisation proofs Ulrich Berger Swansea 1 Basic idea Interpret -terms with

Types 2006 Nottingham Semantic normalisation proofs Ulrich Berger Swansea 1 Basic idea Interpret -terms with recursively defined constants in a domain model such that [ M ] = implies SN( M ) 2 Running example G odels

306 views • 11 slides
Brandom August 25, 2020 Plan for Week 2: Part One: Rortys basic idea articulated , in three

Brandom August 25, 2020 Plan for Week 2: Part One: Rortys basic idea articulated , in three

Brandom August 25, 2020 Plan for Week 2: Part One: Rortys basic idea articulated , in three parts: 1) History: neokantianism vs. socialized, historicized, naturalized alternative. 2) Functional epistemological assimilation of two kinds of

201 views • 18 slides

More recommend