cryptanalysis of the counter mode of operation
play

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras - PowerPoint PPT Presentation

Oct 31, 2023 •228 likes •975 views

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

  1. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gaëtan Leurent Inria, équipe SECRET April 10, 2018 1 / 29

  2. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction • Cryptography: Alice encrypts then sends messages to Bob. • Symmetric: Alice and Bob share the same key. • Public channel: Eve (attacker) can see and/or manipulate what is being sent. Eve ...11001101011... Alice Bob 2 / 29

  3. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. 3 / 29

  4. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. Mode of operation Describes how to use a block cipher along with a plaintext message of arbitrary length to achieve some concrete cryptographic goals. 3 / 29

  5. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. 4 / 29

  6. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. • There are authentication modes (GMAC, ...). They aim at authenticating the plaintext. → Forgery attacks. 4 / 29

  7. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. • There are authentication modes (GMAC, ...). They aim at authenticating the plaintext. → Forgery attacks. • There are authenticated encryption modes (GCM, ...). They aim at both authenticating and hiding the plaintext. 4 / 29

  8. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i 5 / 29

  9. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. 5 / 29

  10. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. Inputs IV � i to the block cipher never repeat. 5 / 29

  11. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . 6 / 29

  12. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . Security proof ( σ the number of blocks) Adv CPA CTR- E k ( σ ) ≤ Adv PRF E k ( σ ) ≤ Adv PRP E k ( σ ) + σ 2 / 2 n + 1 Distinguishing attack After σ ≃ 2 n / 2 encrypted blocks we expect a collision on the K i with high probability in the case of a random ciphertext. That is the birthday bound coming from the birthday paradox. 6 / 29

  13. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • allowing attacks when nearing the bound c 0 c 1 c 2 7 / 29

  14. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • allowing attacks when nearing the bound c 0 c 1 c 2 Folklore assumptions [Ferguson, Schneier, Kohno] CTR leaks very little data. [...] It would be reasonable to limit the cipher mode to 2 60 blocks, which allows you to encrypt 2 64 bytes but restricts the leakage to a small fraction of a bit. When using CBC mode you should be a bit more restrictive. [...] We suggest limiting CBC encryption to 2 32 blocks or so. 7 / 29

  15. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . 8 / 29

  16. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . 8 / 29

  17. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguishing attack uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . 8 / 29

  18. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguishing attack uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . Main Idea Collect many keystream blocks K i and encryptions of secret block c j = K j ⊕ S ; then look for a value s such that K i ⊕ c j � = s ∀ i � = j . 8 / 29

  19. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 9 / 29

  20. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem Main Idea Collect many keystream blocks K i ∈ A and encryptions of secret block c j = K j ⊕ S ∈ B ; then look for a value s ∈ S such that ∀ ( a , b ) ∈ A × B , s � = a ⊕ b . The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 9 / 29

  21. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 n via coupon collector problem • To exclude 2 n candidates of S , we need n · 2 n values a i ⊕ b j • Lists A and B of size √ n · 2 n / 2 . Complexity: ˜ O ( 2 n ) 10 / 29

  22. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 • To exclude 1 candidate of S , we need 2 n values a i ⊕ b j • Lists A and B of size 2 n / 2 . Complexity: ˜ O ( 2 n ) 10 / 29

  23. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 ⊕ s a 4 b 4 a 5 b 5 a 6 b 6 ? a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 11 / 29

Recommend

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent, Ferdinand Sibleyras Inria, quipe SECRET EUROCRYPT 2018 1 /

856 views • 56 slides
Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

917 views • 70 slides
Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and

Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and

Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and dynamics Stephen Wilson Stephen Wilson ECONOMIC CONSULTING ECONOMIC C NSULTING ASSOC SSOCIATES LIMI ES LIMITED TED 41 Lonsdale Road London NW6

538 views • 26 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

1 OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and

1.1k views • 45 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel

Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel

Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel Centaur Technology Technology Workshop 2018 x86 Modes of Operation x86 Modes of Operation power on Real-Address or reset Mode no memory management,

2.01k views • 137 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count.

Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count.

Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count. No practical limit on maximum charge/channel (2) Use calibration mode of QIE: ~1 fC/count. Maximum charge/channel of ~30 fC. (3) Place

560 views • 15 slides
Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team &

Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team &

25 th IAEA FEC, Oct 13-18, 2014 St. Petersburg, Russia ASIPP Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team & collaborators** *Email: bnwan@ipp.ac.cn Institute of Plasma Physics, Chinese Academy of

367 views • 25 slides
Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *,

Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *,

Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *, Stan Metcalfe* & Abdelouahid Tajar + # Advanced Institute of Management (AIM) Research * ESRC Centre for Research on Innovation & Competition

743 views • 18 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection

Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection

Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection Mode source 2 Digital laser resonator as the mode source 3 Digital laser in operation Nd:YAG Monitor 2 SLM Driver CCD PC 2 PC 1 SLM Video

315 views • 17 slides
2. Hypothesis Car use as a habit Car use is often the first choice , mainly because of: Real

2. Hypothesis Car use as a habit Car use is often the first choice , mainly because of: Real

International Co-operation on Theories and Concepts in Traffic Safety 1. Background theory: Mode choice The Theory of Interpersonal Behaviour (Galdames et al., 2011) suggests that mode choices depend on: Can an experience with no car use

451 views • 5 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons.

HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons.

HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons. 3. Damper Mode selection Button. 4. Operation Mode selection button. 5. Operation Mode Display. 6. Set Temperature Display. 7. Room Temperature

306 views • 6 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
CLIC MODULE Nominal Operation Mode Temperature Results Daskalaki Elena Vamvakas Alex Xydou

CLIC MODULE Nominal Operation Mode Temperature Results Daskalaki Elena Vamvakas Alex Xydou

CLIC MODULE Nominal Operation Mode Temperature Results Daskalaki Elena Vamvakas Alex Xydou Anastasia Contents 1. Description 2. FEA simulator 3. Tests summary 4. Preparation phase 5. Experiment 6. Temperature a) Results b) Theoretical

349 views • 19 slides
8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim (cj@coe.psu.ac.th) 8051 Timer/Counter Two internal Timers/Counters 16-bit timer/counter Timer uses system clock as source of input pulses Counter uses external

273 views • 8 slides
Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford University Joint work with: Yi Lu, Andrea Montanari , Sarang Dharmapurikar and Abdul Kabbani Overview Counter Braids Background: current

601 views • 30 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Communications Deadlock 1 2 5 3 4 0 Communicator 2 Completion The mode of a

Communications Deadlock 1 2 5 3 4 0 Communicator 2 Completion The mode of a

Non-Blocking Communications Deadlock 1 2 5 3 4 0 Communicator 2 Completion The mode of a communication determines when its constituent operations complete. - i.e. synchronous / asynchronous The form of an operation determines

567 views • 23 slides

More recommend