better than brute force
play

Better than Brute-Force Optimized Hardware Architecture for - PowerPoint PPT Presentation

Jan 07, 2024 •245 likes •467 views

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

  1. Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, *** DTU, Denmark

  2. Overview • Meet-in-the-Middle with Bicliques • Low Data Complexity Biclique Cryptanalysis of AES-128 • Optimized Brute Force Attack on AES-128 – on FPGA – on ASIC • Biclique Attack on AES-128 – on FPGA – on ASIC • Conclusion

  3. MITM with Bicliques plaintexts {P} ciphertexts {C} K 2 K K 1 K 2 m all key bits encryption oracle • Allow all key bits affect a part of the cipher • Stick to a structure to enable efficient enumeration of keys and states in this part • Structure = biclique!

  4. MITM with Bicliques

  5. Low Data Complexity Biclique Cryptanalysis of AES-128 • Start modifications in the first round of AES-128 • Divide entire space of 2 128 keys into of 2 124 non-overlapping groups of 2 4 keys • Fix a base key and enumerate all other keys in the key group x = (x 0 x 1 x 2 x 3 x 4 x 5 00) 2 a = (000000a 1 a 0 ) 2 y = (y 0 y 1 y 2 y 3 y 4 y 5 00) 2 b = (000000b 1 b 0 ) 2 • Modify base key at two byte positions independently (in 2 2 ways each) • Follow propagation of modifications forwards and backwards

  6. Low Data Complexity Biclique Cryptanalysis of AES-128

  7. Low Data Complexity Biclique Cryptanalysis of AES-128 Recomputation at matching

  8. Low Data Complexity Biclique Cryptanalysis of AES-128 Complexities: • Computational complexity to precompute all states S a and S b in each key group: 0.3 AES-128 runs (first step). • About 7.12 AES-128 runs to test all 16 keys in the key group (second step). • Negligible computation complexity (2 -32 ) for false positives • Overall computation complexity: 2 124 (0.3 + 7.12) = 2 126.89 AES executions. • Data complexity: Only 16 chosen plaintexts!!

  9. Implementation • FPGA target platform: RIVYERA Computing Cluster � 128 Xilinx Spartan3 XC3S500 high performance FPGAs � Equivalent computing power of 640 million system gates • ASIC target technology: NANGATE � 45 nm Generic Library

  10. Optimized Brute-Force Attack on AES-128 Key Gen Fixed Output Plaintext • Highly pipelined architecture for Round-1 highest possible speed (11-stage K 1 S 1 pipeline within each AES round) Round-2 K 2 S 2 • Composite field inverters over ORACLE GF((2 2 ) 2 ) 2 for s-boxes K 8 S 8 Round-9 • Register based (RAMless) design K 9 S 9 Round-10 – suitable for both FPGA and S 10 ASIC implementation Byte Match = FF ?

  11. Optimized Brute-Force Attack on AES-128 Key Gen Fixed Output Plaintext • Design implemented in two favors: Round-1 K 1 S 1 � All identical rounds (for a fair Round-2 comparison with respect to the K 2 S 2 ORACLE original biclique advantage figures) K 8 S 8 � Partial matching in the last three Round-9 rounds (for better area utilization – K 9 S 9 Round-10 makes no difference for FPGA) S 10 • Smaller and faster than the Byte Match reported fastest design (362 KGE vs 660 KGE and 2.5 GHz vs 2 GHz ) = FF ?

  12. Optimized Brute-Force Attack on AES-128 * Pipeline register cost negligible for FPGA implementation – already part of the slice!

  13. Optimized Brute-Force Attack on AES-128 GF(2 2 ) 2 [7:4] [7:4] Multiplier Input GF(2 2 ) 2 GF(2 2 ) 2 [3:0] Multiplier Inverter Output GF(2 2 ) 2 GF(2 2 ) 2 [3:0] Multiplier Multiplier P

  14. Optimized Brute-Force Attack on AES-128 FPGA Performance Slice % FPGA Maximum Freq Keys tested/sec/FPGA Utilization Utilization (MHz) 526 x 10 6 26949 / 33278 80.98 263.16 ASIC Performance Maximum Freq Average Power Core Area (GE) Keys tested/mW (MHz) (mW) 3.98 x 10 6 362181 2480 622.937

  15. Biclique Attack on AES-128 Plaintext + Key MixColumns Starting Point: Conceptual design S • One-to-one maps theory to implementation Key Key State State RAM(s) RAM(s) RAM(s) RAM(s) 0 1 0 1 • Based on precomputation of all K 3 S 3 Round-4 base and biclique states K 4 S 4 Round-5 Plaintext Regular • Not feasible for hardware (Full) K 5 S 5 Memory Rounds Round-6 K 6 S 6 implementation ORACLE Round-7 K 7 S 7 � Requires too many RAMs Round-8 K 8 S 8 � Interconnection and control logic Partial Round-9 Rounds K 9 S 9 too complex to allow an area and Round-10 speed efficient design S 10 Match

  16. Biclique Attack on AES-128 Key Ptxt Gen New Approach: Recomputation K P Round-1 • On the fly calculation of base K 1 S 1 Biclique Round-2 Rounds and biclique states K 2 S 2 Round-3 • Pipeline registers act as state K 3 S 3 Round-4 K 4 S 4 storage media Round-5 Regular (Full) K 5 S 5 ORACLE � No additional RAMs/registers Rounds Round-6 required – virtual storage K 6 S 6 Round-7 • Similar to optimized brute force K 7 S 7 Round-8 K 8 S 8 attack in structure Partial Round-9 Rounds K 9 S 9 � simpler control logic and Round-10 interconnections S 10 Match

  17. Biclique Attack on AES-128 First “Biclique” Round: • Serial AES implementation • 8-bit (!) datapath • Single S-Box

  18. Biclique Attack on AES-128 Second “Biclique” Round: • Slightly modified serial AES implementation • Still 8-bit (!) datapath • Two S-Boxes • Limited additional storage (shift registers) for biclique states

  19. Biclique Attack on AES-128 Third “Biclique” Round:

  20. Biclique Attack on AES-128 Third “Biclique” Round: • Serial AES implementation on 4 separate paths • Still 8-bit (!) datapath (on each path) • Four S-Boxes • Slightly more complex control logic • More registers for double-buffering of biclique states (still shift registers with minimal cost • Only covers the “SubBytes” stage of a full AES round – the rest implemented as in a regular round

  21. Optimized brute-force attack on AES-128 FPGA Performance Slice % FPGA Maximum Freq* Keys tested/sec/FPGA Utilization Utilization (MHz) 945 x 10 6 30720 / 33278 92.31 236.22 ASIC Performance Maximum Freq Average Power Core Area (GE) Keys tested/mW (MHz) (mW) 7.32 x 10 6 163912 1548 211.545 * Slower than the brute-force attack due to reduced number of pipeline stages

  22. Conclusion • The fastest brute-force attack implementation on AES-128 • The first biclique attack implementation on AES-128 � Almost a factor of 2 speed and cost gain � Only 16 chosen plaintexts (w.r.t. 288 in the original biclique attack paper) • Suitable for both FPGA and ASIC implementation • Applicable to AES-192 and AES-256 as well

Recommend

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of Mathematical and Geospatial Sciences RMIT University Melbourne, Australia Benjamin Burton (RMIT) Theorems, Algorithms and Brute Force November

444 views • 21 slides
MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE 473 Day 11 Questions? Donald Knuth Interview Amortization Brute force (if time) Decrease and conquer intro Q1 2 1 Donald

511 views • 11 slides
Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

One-Slide Summary Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and the and analysis to break the Lorenz cipher. Guessed wheel settings were likely to be correct if they resulted in a Story So Far

112 views • 9 slides
Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of Computer Science James Madison University Oct 16, 2015 CS: Just do it! Complete search = try every possibility Should never give you Wrong Answer

399 views • 15 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR9983950 Machine 1: His

428 views • 11 slides
1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

Outline Bayes theorem Discrete Bayesian classifiers Maximum likelihood classification Brute force Bayesian learning Nave Bayes Lecture 5 Bayesian Belief Networks Bayes theorem Maximum likelihood ( ) ( ) ( ) P x

72 views • 4 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

[Week 9] Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that finds a solution by trying all possibilities (usually VERY SLOW) - sometimes can be remedied by storing pre-computed values: called

116 views • 7 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force, Horspool, Boyer Moore STRING SEARCH 1 Brute Force String Search Example The problem: Search for the first occurrence of a pattern of length m in a

326 views • 10 slides
Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

[Week 3] Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all possibilities - related data structures - pruning to eliminate certain possibilities from the search - time complexity: usually really

662 views • 6 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III: Symbolic Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Binary Decision Diagrams -

1k views • 61 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II: Liveness & Timed Systems Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ...

861 views • 45 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Day I: Reachability Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Introduction Multi-core

583 views • 27 slides
Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model

Brute Force March 8, 2020 1 / 17 Symmetric Encryption k k m c m E D We often model encryption as a key alternating cipher: k 1 k 2 k 3 m c F 1 F 2 F 3 2 / 17 Symmetric Encryption (2) Two main constructions for practical

603 views • 17 slides
DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios,

DynaGuard: Armoring Canary-Based Protections against Brute-force Attacks Theofilos Petsios, Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromytis Columbia University Stony Brook University Brown University 2015 Annual Computer

736 views • 36 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part IV: Biology Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Signalling ANIMO In Silico

388 views • 22 slides
TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

TODAY Substring search Brute force Knuth-Morris-Pratt Boyer-Moore Rabin-Karp

BBM 202 - ALGORITHMS D EPT . OF C OMPUTER E NGINEERING S UBSTRING S EARCH Acknowledgement: The course slides are adapted from the slides prepared by R. Sedgewick and K. Wayne of Princeton University. TODAY Substring search Brute

993 views • 83 slides
Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable:

Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable:

Why is Go hard for computers to play? Game tree complexity = b d Brute force search intractable: 1. Search space is huge 2. Impossible for computers to evaluate who is winning Convolutional neural network Value network Evaluation v

444 views • 16 slides
MathCheck: A SAT+CAS Mathematical Conjecture Verifier Curtis Bright 1 Ilias Kotsireas 2 Vijay

MathCheck: A SAT+CAS Mathematical Conjecture Verifier Curtis Bright 1 Ilias Kotsireas 2 Vijay

MathCheck: A SAT+CAS Mathematical Conjecture Verifier Curtis Bright 1 Ilias Kotsireas 2 Vijay Ganesh 1 1 University of Waterloo 2 Wilfrid Laurier University July 26, 2018 1/25 SAT + CAS 2/25 SAT + CAS Brute force SAT + CAS Brute force +

661 views • 35 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides

More recommend