cryptanalysis of print cipher the invariant subspace
play

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack - PowerPoint PPT Presentation

Sep 28, 2022 •207 likes •598 views

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

  1. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics CRYPTO 2011 1 / 24

  2. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Outline Description of PRINT CIPHER 1 The Attack 2 Relation To Truncated Differential Attack 3 Conclusion 4 1 / 24

  3. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Outline Description of PRINT CIPHER 1 The Attack 2 Relation To Truncated Differential Attack 3 Conclusion 4 2 / 24

  4. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Introduction PRINT CIPHER Lightweight SPN block cipher proposed at CHES 2010. Idea: Take advantage of a key. Claim Secure against known attacks. So far: Attacks on reduced-round variants. 3 / 24

  5. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion One round of PRINT CIPHER -48 k 1(48 bits) XOR KEY P xor RC i Round Const p p p p p p p p p p p p p p p p k 2(32 bits) S S S S S S S S S S S S S S S S 48-bits block size, 48 rounds that use the same 80-bit key. Each two bits of k 2 permute 3 state bits in a certain way. Only 4 out of 6 possible permutations are allowed: p : k 2 : 00 01 10 11 Invalid 4 / 24

  6. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplify Things In this talk (not in the paper!): A simpler variant of PRINT CIPHER . Block size 24 Fix the permutation key Modified Sbox 5 / 24

  7. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Sbox Property Modified Sbox: S ( 000 ) = 000 S ( 001 ) = 001 S ( 010 ) = 010 S ( 100 ) = 100 Can be written as: S ( 00 ∗ ) = 00 ∗ S ( 0 ∗ 0 ) = 0 ∗ 0 S ( ∗ 00 ) = ∗ 00 Remark The original Sbox fulfils something similar. 6 / 24

  8. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version XOR KEY k 1(24 bits) P xor RC i Round Const S S S S S S S S S ( 00 ∗ ) = 00 ∗ S ( 0 ∗ 0 ) = 0 ∗ 0 S ( ∗ 00 ) = ∗ 00 7 / 24

  9. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Outline Description of PRINT CIPHER 1 The Attack 2 Relation To Truncated Differential Attack 3 Conclusion 4 8 / 24

  10. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Let’s Focus XOR KEY S S S S S S S S Invariant Subspace for P Set of highlighted bits is mapped onto itself. 9 / 24

  11. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion What about S An Invariant Subspace alone is not a problem! Question What about the S -layer? For this: we fix some bits in the plaintext in the (XOR)-key ⇒ The attack does not work for all keys. 10 / 24

  12. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version XOR KEY S S S S S S S S 11 / 24

  13. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version 00 00 00 00 S S S S S S S S 11 / 24

  14. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version 00 00 00 00 00 00 00 00 S S S S S S S S 11 / 24

  15. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version 00 00 00 00 00 00 00 00 00 00 00 00 S S S S S S S S 11 / 24

  16. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 00 00 00 00 00 00 00 00 S S S S S S S S 11 / 24

  17. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 00 00 00 00 S S S S S S S S 11 / 24

  18. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 xor RC i 00 00 00 00 S S S S S S S S 11 / 24

  19. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 xor RC i ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S S S S S S S S 11 / 24

  20. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 xor RC i ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S S S S S S S S S ( 00 ∗ ) = 00 ∗ S ( 0 ∗ 0 ) = 0 ∗ 0 S ( ∗ 00 ) = ∗ 00 11 / 24

  21. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 xor RC i ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S S S S S S S S ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S ( 00 ∗ ) = 00 ∗ S ( 0 ∗ 0 ) = 0 ∗ 0 S ( ∗ 00 ) = ∗ 00 11 / 24

  22. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Simplified Version ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 = xor RC i ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S S S S S S S S ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 00 00 00 00 S ( 00 ∗ ) = 00 ∗ S ( 0 ∗ 0 ) = 0 ∗ 0 S ( ∗ 00 ) = ∗ 00 11 / 24

  23. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion An Iterative One-Round Distinguisher If certain key bits are zero: Distinguisher Zero bits in the plaintext ⇒ zero bits in the ciphertext. Some Remarks: Round-constant does not help Works for the whole cipher Let’s look at PRINT CIPHER -48 12 / 24

  24. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion The Attack on PRINT CIPHER -48 00 10 00 10 00 10 00 10 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ 01 01 01 01 ∗ ∗ 11 ∗∗∗ ∗∗∗ ∗ ∗ 11 ∗∗∗ ∗∗∗ ∗ ∗ 11 ∗∗∗ ∗∗∗ ∗ ∗ 11 ∗∗∗ ∗∗∗ = xor RC i 00 11 00 11 00 11 00 11 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ S S S S S S S S S S S S S S S S 00 10 00 10 00 10 00 10 ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ ∗ ∗ ∗∗∗ ∗∗∗ S ( 00 ∗ ) = 00 ∗ S ( 1 ∗ 0 ) = 1 ∗ 1 S ( ∗ 11 ) = ∗ 10 13 / 24

  25. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion PRINT CIPHER -48 Attack Summary Prob 1 distinguisher for full cipher 2 50 out of 2 80 keys weak. Similar for PRINT CIPHER -96 Abstraction: R ( U ⊕ d ) = U ⊕ c If k ∈ U ⊕ ( d ⊕ c ) R k ( U ⊕ d ) = U ⊕ d Thus an invariant subspace 14 / 24

  26. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Outline Description of PRINT CIPHER 1 The Attack 2 Relation To Truncated Differential Attack 3 Conclusion 4 15 / 24

  27. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion The Probability of A Characteristic Given a r -round differential characteristic p p p → α → · · · → α α Theorem Given independent round keys the average probability is p r Hypothesis of Stochastic Equivalence All keys behave similarly. 16 / 24

  28. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Two Round Characteristics K R R α α α A := { x | R ( x ) ⊕ R ( x ⊕ α ) = α } “ A is the set of good pairs” Two Rounds, fixed Key Probability of the characteristic for a key K : | ( R ( A ) ⊕ K ) � A | 2 n 17 / 24

  29. Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Two Rounds, fixed Key K R R α α α Good Pairs: A := { x | R ( x ) ⊕ R ( x ⊕ α ) = α } Probability (scaled): | ( R ( A ) ⊕ K ) � A | A R(A) +K 18 / 24

Recommend

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor Leander 1 , Brice Minaud 2 , Sondre Rnjom 3 1 Ruhr-Universitt Bochum, Germany 2 ANSSI and Universit Rennes 1, France 3 Nasjonal

590 views • 42 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext

1 / 22 Introduction SAC 2012 Cryptanalysis of the Kindle Cipher A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the Kindle Cipher Conclusion Ciphertext only key-recovery Known-plaintext key-recovery PC1 . . . . . . .

556 views • 29 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom March, 2017 www.iaik.tugraz.at Introduction In the case of AES, several alternative representations (algebraic representation [

627 views • 52 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
A Projected Preconditioned Conjugate Gradient algorithm for computing a large invariant subspace

A Projected Preconditioned Conjugate Gradient algorithm for computing a large invariant subspace

A Projected Preconditioned Conjugate Gradient algorithm for computing a large invariant subspace of a Hermitian matrix Eugene Vecharynski Lawrence Berkeley National Laboratory joint work with Chao Yang (LBNL) and John E.Pask (LLNL) Scientific

1.02k views • 52 slides
DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University

DARXplorer a Toolbox for Cryptanalysis and Cipher Designers Dennis Hoppe Bauhaus-University Weimar 22nd April 2009 Dennis Hoppe (BUW) DARXplorer 22nd April 2009 1 / 31 Agenda 1 Introduction to Hash Functions 2 The ThreeFish Block Cipher 3

757 views • 42 slides
Invariant Subspace Computation in Scientific Computing: Gramian Based Model Order Reduction

Invariant Subspace Computation in Scientific Computing: Gramian Based Model Order Reduction

Invariant Subspace Computation in Scientific Computing: Gramian Based Model Order Reduction RANMEP 2008 D.C. Sorensen M. Heinkenschloss, A.C. Antoulas , M. Shah and K. Sun Support: NSF and AFOSR NCTS Taiwan, Jan 2008 SVD Type

739 views • 54 slides
A z k -invariant subspace without the wandering property Daniel Seco Universidad Carlos III de

A z k -invariant subspace without the wandering property Daniel Seco Universidad Carlos III de

A z k -invariant subspace without the wandering property Daniel Seco Universidad Carlos III de Madrid and Instituto de Ciencias Matemticas Workshop on Banach spaces and Banach lattices, ICMAT 12 th September 2019 Seco (UC3M/ICMAT) Wandering

676 views • 56 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in

On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in collaboration with: Christof Beierle, Anne Canteaut,

1.41k views • 120 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides

More recommend