Block Cipher Cryptanalysis II: Linear Cryptanalysis

  1. Block Cipher Cryptanalysis II: Linear Cryptanalysis
     Andrey Bogdanov, K.U.Leuven, ESAT/COSIC

  2. Outline
     • Distribution of Correlation
     • Data Complexity
     • Linear Hulls
     • Zero Correlation Linear Cryptanalysis
     • Related-Key Linear Cryptanalysis

  3. Linear Cryptanalysis: Basics I
     Action of an n-bit block cipher on plaintext P:
     Input and output linear masks: ,
     Linear approximation:
     Probability of linear approximation:
     Correlation of linear approximation:

  4. Linear Cryptanalysis: Basics II
     • Since probability varies from 0 to 1, the correlation varies from -1 to 1
     • For probability 1/2, one gets correlation 0
     • Of course, there is much more behind the notion of correlation
       – correlation matrices [D94]

  5. Linear Cryptanalysis: Distribution of Correlation I
     • Fix a non-trivial approximation
     • Randomly choose an n-bit permutation
     • What is the probability for to have a particular value? [O94]
     • Normal approximation [DR07]:

  6. Linear Cryptanalysis: Distribution of Correlation I
     • Fix an n-bit permutation
     • What is the probability for to have a particular value? [BT11, work in progress]
     • Normal approximation:
     • The distribution holds already for just a single randomly picked permutation with n=8 (experiments)

  7. Linear Cryptanalysis: Distribution of Correlation II
     • Which correlations are exploitable in basic linear cryptanalysis?
       – Very roughly speaking, those with
       – About 68.5% of linear approximations do not fulfill that
     • In basic linear attacks, this has to hold for (at least) a large part of the key space, once the linear approximation is fixed
       – Not the case for a randomly picked block cipher
     • The average proportion of linear approximations with e.g. is still relatively high

  8. Linear Cryptanalysis: Distribution of Correlation III
     • Two more observations:
       – Zero is the most frequent single correlation value
       – For a randomly drawn permutation, a non-trivial linear approximation is unlikely to have correlation significantly deviating from 0
     • For permutations with structure, however, non-trivial linear approximations with high deviation of correlation might exist for each key
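
The behaviour described on slides 5 to 8, as an added Python example that is not part of the original slides: it pools the correlations of all non-trivial approximations over a few random 8-bit permutations. The function names, seed, trial count and the 2^(-n/2) threshold are assumptions of this example (the slides' own threshold formula is not preserved on this page).

```python
import random
from collections import Counter

def walsh_spectrum(perm, n, b):
    """W[a] = sum_x (-1)^(a.x ^ b.perm[x]) for every input mask a, via fast Walsh-Hadamard."""
    w = [1 - 2 * (bin(b & perm[x]).count("1") & 1) for x in range(1 << n)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def correlation_histogram(n=8, trials=8, seed=2011):
    """Histogram of W = 2^n * C over all non-trivial (a, b), pooled over random permutations."""
    rng = random.Random(seed)          # seed and trial count are arbitrary example choices
    hist = Counter()
    for _ in range(trials):
        perm = list(range(1 << n))
        rng.shuffle(perm)
        for b in range(1, 1 << n):     # non-zero output masks
            hist.update(walsh_spectrum(perm, n, b)[1:])   # drop input mask a = 0
    return hist

def summarize(hist, n=8):
    """Statistics of the correlation C = W / 2^n implied by the histogram."""
    size, total = 1 << n, sum(hist.values())
    return {
        "mean_sq": sum(c * (w / size) ** 2 for w, c in hist.items()) / total,
        # assumed threshold: one standard deviation 2^(-n/2) of the normal approximation
        "below_sigma": sum(c for w, c in hist.items() if abs(w) / size < 2 ** (-n / 2)) / total,
        "mode": max(hist, key=hist.get) / size,
        "max_abs": max(abs(w) for w in hist) / size,
    }

if __name__ == "__main__":
    print(summarize(correlation_histogram()))
```

The mean squared correlation is exactly 1/(2^n - 1) for any permutation, which is close to the variance 2^(-n) of the normal approximation. Because correlations at n = 8 are multiples of 2^(-6), `below_sigma` lands near 0.62 rather than the continuous one-sigma figure.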

  9. Linear Cryptanalysis: Procedure [M93]
     • Let a linear approximation be over all but last round of an iterative block cipher with key k
     • N PC-pairs given for right key k_0
     • For each key guess of the last round k_i, partially decrypt from C to V in each PC-pair and count the number of times T_i the approximation is satisfied
     • We want T_0 (corresponding to right key k_0) to deviate from N/2 significantly

  10. Linear Cryptanalysis: Advantage [S08]
     • For instance, we want T_0 to be among the top counters T_i for p>1/2
     • Say, we guess m bits in the last round key, i.e. there are candidates
     • Advantage a is m – r, i.e., the number of bits gained

  11. Linear Cryptanalysis: Data Complexity [S08]
     • If (essential assumptions)
       – Counters T_i are independent
       – For wrong key guesses, approximation has correlation 0
       – N and m are sufficiently large
     • Then for success probability P_S

  12. Linear Cryptanalysis: Linear Hulls I
     • Iterative structure of a block cipher:
     • Correlation of a linear approximation over one round:
     • Linear trail: …

  13. Linear Cryptanalysis: Linear Hulls II [N94], [D94], [DR02]
     • Linear hull = linear approximation of an iterative block cipher
     • Linear hull contains many linear trails U
     • Each U has its correlation contribution C_U
     • Correlation of linear hull

  14. Linear Cryptanalysis: Linear Hulls III
     Rounds in a key-alternating block cipher look like:
     [Figure: layers of S-boxes (S), each followed by linear diffusion, with key schedule maps between the rounds]

  15. Linear Cryptanalysis: Linear Hulls IV [D94], [DR02]
     • The correlation of a linear hull in a key-alternating block cipher can be computed as
       – d_U is the sign of correlation contribution for key 0
       – K is the expanded key
       – The sum is over all compatible linear trails
     • Thus, the correlation value varies due to the key only

  16. Linear Cryptanalysis: Linear Hulls V [L11], [O09]
     • For vast classes of keys, the correlation value can deviate greatly from the average over all keys
     • Correlation amplification [O09] for PRESENT
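
The linear hull slides above, worked through as an added Python example that is not part of the original deck: a toy 4-bit key-alternating cipher built from three layers of PRESENT's S-box, where the hull correlation is computed as the signed sum over all linear trails and compared with exhaustive evaluation. The toy cipher, the masks a = b = 0x2 and all function names are assumptions of this example.

```python
from itertools import product

# PRESENT's 4-bit S-box, used here as the round function of a toy cipher (assumption)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def dot(u, v):
    """Inner product u^T v over GF(2): parity of the bitwise AND."""
    return bin(u & v).count("1") & 1

def correlation(f, a, b):
    """Exact correlation of a.x = b.f(x) for a 4-bit map f given as a table."""
    return sum(1 - 2 * (dot(a, x) ^ dot(b, f[x])) for x in range(16)) / 16

# Correlation matrix of one S-box layer: CM[u][v] is the correlation for masks u -> v
CM = [[correlation(SBOX, u, v) for v in range(16)] for u in range(16)]

def encrypt_table(key):
    """Toy key-alternating cipher x -> S(S(S(x^k0)^k1)^k2)^k3 as a lookup table."""
    k0, k1, k2, k3 = key
    return [SBOX[SBOX[SBOX[x ^ k0] ^ k1] ^ k2] ^ k3 for x in range(16)]

def trails(a, b):
    """All linear trails U = (a, u1, u2, b) with their contribution C_U under key 0."""
    return [((a, u1, u2, b), CM[a][u1] * CM[u1][u2] * CM[u2][b])
            for u1, u2 in product(range(16), repeat=2)]

def hull_correlation(a, b, key):
    """Sum over trails of (-1)^(U^T K) * C_U; the sign of C_U plays the role of d_U."""
    return sum((-1) ** (sum(dot(u, k) for u, k in zip(U, key)) & 1) * c
               for U, c in trails(a, b) if c)

def key_dependence(a=0x2, b=0x2):
    """Hull correlation for every (k1, k2) with k0 = k3 = 0, and the sum of squared C_U."""
    values = {(k1, k2): hull_correlation(a, b, (0, k1, k2, 0))
              for k1, k2 in product(range(16), repeat=2)}
    return values, sum(c * c for _, c in trails(a, b))

if __name__ == "__main__":
    values, elp = key_dependence()
    print(sorted(set(values.values())), elp)
```

The trail magnitudes |C_U| are the same for every key; only the signs change, so the spread of values printed is purely a key effect, and the key-averaged squared correlation equals the sum of squared trail contributions.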

  17. Linear Cryptanalysis: Some Extensions
     • Zero correlation linear cryptanalysis
       – Linear approximations with probability 1/2
     • Related-key linear cryptanalysis
       – Equal correlations under different keys
       – For key-alternating ciphers with simple key schedule

  18. Linear Cryptanalysis: Zero Correlation I [BR11]
     • Standard linear cryptanalysis tries to make use of linear approximations with highly nonzero correlation values
     • Zero correlation linear cryptanalysis uses linear approximations with correlation exactly zero
     • It is the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis
     • Cf. [ER10], [CS11], [RN11]

  19. Linear Cryptanalysis: Zero Correlation II [BR11]
     • Zero correlation linear hulls exist in many popular cipher constructions
     • Feistel networks
     [Figure panels: CAST256, Balanced Feistel, Skipjack, CLEFIA]

  20. Linear Cryptanalysis: Zero Correlation III [BR11]

  21. Linear Cryptanalysis: Zero Correlation IV [BR11]
     • For each subkey guess:
       – Partially decrypt the ciphertext and encrypt the plaintext up to the boundaries of the zero correlation linear hull
       – Evaluate the correlation value C
       – If C=0, the subkey guess survives the test
     • Low probability that a wrong key exhibits zero correlation
     • Exact evaluation of correlation needed for this distinguisher

  22. Linear Cryptanalysis: Zero Correlation V [BR11]
     • Round-reduced AES-192 and AES-256:

  23. Linear Cryptanalysis: Related-Key I [BR11]
     • The attack uses the properties of linear hulls for key-alternating block ciphers
     • Differential related-key model:
       – Adversary supplies two unknown keys with a specified known difference
     • Distinguisher is based on the equality for correlations C=C’ under two distinct keys K and K’
     • Cf. [K06], [BDK07], [ZWZF06]

  24. Linear Cryptanalysis: Related-Key II [BR11]
     • For two randomly drawn permutations and a fixed linear hull, their correlations are equal C=C’ with a probability of about
     • Now, if we choose a relation between keys K and K’ in a way that C=C’ deterministically, we have a distinguisher based on correlation evaluation

  25. Linear Cryptanalysis: Related-Key III [BR11]
     • Correlation for a key-alternating cipher under two expanded keys:
     • The difference of two correlations:

  26. Linear Cryptanalysis: Related-Key IV [BR11]
     A way to turn the sum to 0 is to make each summand 0:
     with
     Thus, if for each linear trail in the hull, then

  27. Linear Cryptanalysis: Related-Key V [BR11]
     • 5 rounds of AES-256 are distinguishable using this fact, since AES-256 is a key-alternating block cipher with relatively sparse key schedule
     • Key difference
     • Input/output masks

  28. Linear Cryptanalysis: Related-Key VI [BR11]
     • 5 rounds of AES-256
     • This exhibits C=C’ for every pair of keys with the specified difference
     • To distinguish, exact evaluation of C and C’ is needed

  29. Linear Cryptanalysis: Selected Further Topics
     • Linear cryptanalysis with multiple linear approximations [HCN08], [HCN09], [GT09], [HN10]
     • Equivalence to some saturation attacks [L11]
     • Related-key differential-linear attacks [BDK06], [K06]
     • Experiments with linear approximations [CSQ08], [CS10]

  30. Linear Cryptanalysis: Selected Open Problems
     • Provable bounds on ELP for real-world ciphers
     • Linear hull effect for real-world ciphers
     • Reduction of data requirements for zero correlation linear cryptanalysis
     • More linear techniques in related-key attacks
     • More precise models for attack complexity estimations in linear attacks