cryptanalysis of jambu
play

Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 - PowerPoint PPT Presentation

Dec 14, 2023 •643 likes •1.01k views

The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 Guoyan Zhang 1 , 2 , 3 1.Nanyang Technological University, Singapore 2.School of

  1. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 Guoyan Zhang 1 , 2 , 3 1.Nanyang Technological University, Singapore 2.School of Computer Science and Technology, Shandong University, China 3.Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China 10 March 2015 1 / 35

  2. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 2 / 35

  3. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 3 / 35

  4. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion CAESAR Candidate: JAMBU Designers: Hongjun WU, Tao HUANG (NTU, Singapore) mode of operation is similar to OFB 2n-bit block cipher as underlying cipher process blocks of n-bit information 4 / 35

  5. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion AES-JAMBU : parameters AES-JAMBU is JAMBU with AES -128 as the underlying cipher: associated data + plaintext < 2 64 bits under the same key key = 128 bits tag = 64 bits Initialization Vector/Nonce = 64 bits 5 / 35

  6. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion AES-JAMBU : initialisation Initial input: 64-bit zeroes and 64-bit nonce (IV) 6 / 35

  7. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion AES-JAMBU : processing of associated data Associated data A is split into 64-bit blocks A i 7 / 35

  8. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion AES-JAMBU : processing of plaintext Plaintext P is split into 64-bit blocks P i Ciphertext C is split into 64-bit blocks C i 8 / 35

  9. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion AES-JAMBU : tag generation Last block P M is padded with 1 � 0 ∗ and output is truncated. If last block is a full block, an additional block of 1 � 0 63 is processed without output. 9 / 35

  10. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 10 / 35

  11. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion JAMBU : hardware performance JAMBU is a hardware-oriented candidate: compared with other AE modes instantiated with a 2 n -bit block cipher, JAMBU minimizes state size, which is an advantage for hardware implementations. Modes State size 6 n GCM 6 n OCB3 8 n EAX 3 n JAMBU 11 / 35

  12. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion JAMBU : software performance On an Intel Core i5-2540M 2.6GHz processor with AES-NI: 512-byte messages AES -128- CCM 5.19 c/B AES -128- GCM 3.33 c/B AES -128- OCB3 1.34 c/B 12.27 c/B AES-JAMBU According to the designers, AES-JAMBU should be about two times slower than AES - GCM (their implementation is not optimized yet). 12 / 35

  13. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion JAMBU : security claims confidentiality (bits) integrity (bits) 128 64 nonce-respecting 128 ∗ not specified nonce-misuse *: except for first block or common prefix of the message. The designers gave very good arguments why a successful forgery should require 2 64 computations. “In case that the IV is reused under the same key, the confidentiality of AES-JAMBU is only partially compromised as it only leaks the information of the first block or the common prefix of the message. And the integrity of AES-JAMBU will be less secure but not completely compromised.” 13 / 35

  14. The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion JAMBU : security claims confidentiality (bits) integrity (bits) 128 64 nonce-respecting 128 ∗ not specified nonce-misuse *: except for first block or common prefix of the message. Our attack: with about 2 34 queries and computations, we can produce a valid ciphertext block corresponding to some plaintext with a prefix that has never been queried before. 14 / 35

  15. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 15 / 35

  16. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 16 / 35

  17. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Observation 1 no difference in V i +1 ⇒ the differences in R i and Y i are the same ∆ s let the difference in X i be ∆ r 17 / 35

  18. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Observation 2 if the input difference in P i is equal to ∆ r ⇒ the difference in U i +1 will be cancelled out, and with no difference in P i +1 ⇒ the output difference in C i +1 will be ∆ s 18 / 35

  19. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Attack Overview Objective Find such a diff. structure, and find the values of ∆ r and ∆ s . Problem Seems hard to achieve: naively building the structure costs 2 64 computations, and we have no way of checking if we indeed found it (∆ s is unknown). Solution “Divide-and-conquer” use birthday attack to find a pair of nonce values partially follows this differential structure (nonce-respecting) enumerate all possible input differences in the plaintext block to force the rest of the differential structure and to find ∆ r and ∆ s (nonce-misuse) 19 / 35

  20. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Table of Contents The JAMBU Candidate 1 Performance and Security Claims 2 Nonce-misuse Attack on JAMBU 3 Differential Structure in JAMBU Details of the Attack Conclusion 4 20 / 35

  21. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Step 1: birthday attack on V i +1 Using birthday attack, a collision on V i +1 can be found with about 2 32 encryption queries: query for encryption for the same one block of plaintext P 1 with 2 32 difference nonce IV find a collision in the ciphertext C 1 = C ′ 1 store the pair of nonce values IV and IV ′ 21 / 35

  22. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Step 2: finding ∆ r and ∆ s To enumerate all 2 64 possible input differences of P i , we use 2 sets of 2 32 plaintext blocks. i and j ranged from 0 to 2 32 − 1 Any possible input difference [ i � j ] can be formed with a pair of plaintext blocks [ i � 0 32 ] and [0 32 � j ]. 22 / 35

  23. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Step 2: finding ∆ r and ∆ s P i +1 is set to a constant value (e.g. all zeros) We ask for the encryption of [ i � 0 32 ] � [0 64 ] with nonce IV and [0 32 � j ] � [0 64 ] with nonce IV ′ . 23 / 35

  24. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Step 2: finding ∆ r and ∆ s Question: how do we know that we insert the right ∆ r in P i ? Answer: the right ∆ r will give the same output difference ∆ s in the second block independent of the plaintext value in the first block. 24 / 35

  25. The JAMBU Candidate Performance and Security Claims Differential Structure in JAMBU Nonce-misuse Attack on JAMBU Details of the Attack Conclusion Step 2: finding ∆ r and ∆ s The right ∆ r will give the same output difference ∆ s independent of the value of P i , so we build a few tables. i and j ranged from 0 to 2 32 − 1 If ∆ r = [ i � j ], then C 2 [ i � 0] ⊕ C 2 [0 � j ] = C 2 [ i ⊕ 1 � 0] ⊕ C 2 [1 � j ] = ∆ s . Note that first and third tables are the same up to permutation. Hence, we need 3 · 2 32 encryption queries. 25 / 35

Recommend

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of Mathematical Sciences School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore { wuhj,huangtao } @ntu.edu.sg

267 views • 16 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX &amp; Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University School of Science kaisa.nyberg@aalto.fi June 11, 2013 Introduction Piling-Up Lemma Multidimensional Linear Cryptanalysis SSA Link

962 views • 48 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan 1 ,

Introduction Brute-force FSE 2017 Quantum Difgerential and Linear Cryptanalysis Kaplan, Leurent, Leverrier &amp; Naya-Plasencia 1 / 25 Conclusion Quantum Difgerential and Linear Cryptanalysis Truncated difgerential Difgerential Marc Kaplan

410 views • 38 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides

More recommend