cryptanalysis of c2
play

Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, - PowerPoint PPT Presentation

Jul 15, 2023 •608 likes •979 views

Outline C2 - description Attack scenarios Conclusion Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009 1 / 19 Outline C2 - description Attack scenarios Conclusion C2 - description 1

  1. Outline C2 - description Attack scenarios Conclusion Cryptanalysis of C2 Julia Borghoff , Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009 1 / 19

  2. Outline C2 - description Attack scenarios Conclusion C2 - description 1 Attack scenarios 2 The S-box recovery attack Key recovery attack Key and S-box recovery attack Conclusion 3 2 / 19

  3. Outline C2 - description Attack scenarios Conclusion The block cipher C2 64-bit block cipher with 56-bit key 8-to-8 S-box is kept secret ⇒ 2048 additional secret bits 10-round Feistel cipher Designed by 4C Entity (IBM, Intel, Matsushita and Toshiba) Used in CPRM/CPPM Digital Rights Management scheme DVD-Audio, SD-cards 3 / 19

  4. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  5. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  6. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  7. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  8. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  9. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  10. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  11. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  12. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  13. Outline C2 - description Attack scenarios Conclusion C2: round function 10 Feistel rounds L i R i C 2 rk i 9 5 22 1 S L i +1 R i +1 4 / 19

  14. Outline C2 - description Attack scenarios Conclusion C2: round function The GF (2)-linear part is not relevant for the attack L i R i rk i GF (2)-linear function S L i +1 R i +1 4 / 19

  15. Outline C2 - description Attack scenarios Conclusion C2: key scheduling Produces 10 round keys rk i out of 56-bit master key K K 17 · i 56 × 16 i S 32 rk i 5 / 19

  16. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Possible attacks There are three possible attack scenarios provided we can . . . recover 1. set the key and query the device S-box 2. query the device and know the S-box the secret key 3. query the device S-box and secret key 6 / 19

  17. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Previous work Japanese distributed cracking effort in 2004. Brute force over key space for a guessed S-box. Guess was wrong and the project failed. Algebraic S-box recovery attack for 8 out of 10 rounds (R.-P. Weinmann). 7 / 19

  18. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Complexity The three attacks and their complexities provided we can . . . recover complexity 2 24 1. set key + query device S-box 2 48 2. query device + know S-box key 2 53 . 5 3. query the device S-box +key 8 / 19

  19. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Idea of attack 1 One encryption generates 20 inputs to the S-box 10 in the key schedule 10 in the encryption algorithm There are 2 20 × 8 = 2 160 possibilities if we guess the S-box entries. Try to minimize the S-box entries we have to guess 9 / 19

  20. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Outline of the attack 1 Preprocessing-phase masterkeys which generate only 3 distinct S-box inputs in key schedule Construct preprocessing Find plaintexts which generate only the same 3 S-box inputs in first 7 rounds Trial & Online-phase Error Encrypt each plaintext (one plaintext for each guess of the S-box outputs) online Check if the ciphertext after 7 rounds Test is the expected. If yes, determine 3 S-box entries. 10 / 19

  21. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Master key Fix the master key to 0x40, 0x84, 0x88, 0x40, 0x02, 0x80,0x09 . This key generates only the inputs 0x88, 0x04, 0x27, 0x27, 0x04, 0x04, 0x27, 0x27, 0x88, 0x88 to the S-box in the key schedule. 11 / 19

  22. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts Fix the input to the S-boxes of 4 rounds L 0 R 0 L 2 R 2 X 0 X 2 C C rk 0 rk 2 GF (2)-linear GF (2)-linear function function S S L 1 R 1 L 3 R 3 X 1 X 3 C C rk 1 rk 3 GF (2)-linear GF (2)-linear function function S S L 4 R 4 12 / 19

  23. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts Calculate backwards L i R i X i C rk i GF (2)-linear function R i , 0 ··· 7 S L i +1 R i +1 12 / 19

  24. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts For every 8-bit vector z holds F ( X ⊕ ( z ≪ 23)) 0 .. 7 = F ( X ) 0 .. 7 ⊕ z F maps X i to U i L i R i U i X i C 2 rk i 9 5 22 1 S L i +1 R i +1 12 / 19

  25. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts For every 8-bit vector z holds F ( X ⊕ ( z ≪ 23)) 0 .. 7 = F ( X ) 0 .. 7 ⊕ z F maps X i to U i L i R i U i X i C 2 rk i 9 5 22 1 S L i +1 R i +1 12 / 19

  26. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts Find z 1 and z 2 L 0 R 0 L 2 R 2 F ( X 2 ⊕ ( z 2 ≪ 23)) X 0 X 2 C C 2 rk 0 rk 2 9 GF (2)-linear 5 function 22 1 S S L 1 R 1 L 3 R 3 F ( X 1 ⊕ ( z 1 ≪ 23)) X 1 X 3 C C 2 rk 1 rk 3 9 GF (2)-linear 5 function 22 1 S S L 4 R 4 12 / 19

  27. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Generating plaintexts Choose L ′ 2 = ( X 1 ⊕ ( z 1 ≪ 23) ⊕ C ) ⊟ rk 1 R ′ 2 = ( X 2 ⊕ ( z 2 ≪ 23) ⊕ C ) ⊟ rk 2 Decrypt 2 rounds, then the plaintext will satisfy the condition for 4 rounds. Complexity of generating a plaintext that also fits in round � 256 � 3 = 2 19 encryptions by trial-and-error. 5-7 is 3 12 / 19

  28. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Attacking a device Encrypt every plaintext Check whether ciphertext after 7 rounds is the expected one (three round test) If yes, 3 S-box entries are recovered Find plaintext which does not use unknown S-box entries in first 6 rounds and recover S-box entries of remaining rounds Complexity (in encryptions): 2 24 for the first 3 entries 2 20 for the remaining entries 13 / 19

  29. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Outline of attack 2 Find a characteristic for en- and decryption independent of the S-box with high probability Use this characteristic to build a boomerang Mount boomerang attack to recover parts of the first round key 14 / 19

  30. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Characteristics S-box and modular addition are nonlinear over GF (2) Differential behavior of the S-box may vary Search for characteristic in the linearized model of C2 5-round characteristic independent of the S-box with probability 2 − 12 (2 − 11 ) 15 / 19

  31. Outline The S-box recovery attack C2 - description Key recovery attack Attack scenarios Key and S-box recovery attack Conclusion Boomerang attack Assume S-box is known Q ′ P ′ ∆ ∆ Use the 5-round characteristic to P Q mount boomerang attack E 0 E 0 Boomerangs exist with average E 0 E 0 probability of 2 − 44 . 5 A ′ B ′ ∇ ′ ∆ ′ ∆ ′ All boomerangs follow the A B ∇ ′ characteristic for the first round E 1 E 1 Use boomerang attack to recover E 1 ∇ E 1 22 bits of the first round key C ′ D ′ ∇ Complexity: 2 48 encryptions and C D 2 44 . 5 chosen plaintext/ciphertext pairs 16 / 19

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University School of Science kaisa.nyberg@aalto.fi June 11, 2013 Introduction Piling-Up Lemma Multidimensional Linear Cryptanalysis SSA Link

962 views • 48 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier & Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

410 views • 38 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides

More recommend