cube like attack on round reduced initialization of ketje
play

Cube-like Attack on Round-Reduced Initialization of Ketje Sr - PowerPoint PPT Presentation

Apr 01, 2024 •171 likes •454 views

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline--divided into 3 parts u Ketje u Related Works u Cube-like

  1. Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan

  2. Outline--divided into 3 parts u Ketje u Related Works u Cube-like attack u auxiliary variable u Linear stucture u Our Attacks 2

  3. Ketje u designed by the Keccak Team u one of the 16 survivors of 3rd CAESAR competition u Specification of Ketje u Keccak-p permutations u MonkeyWrap u Four instances: Ketje Sr, Jr, Minor, Major 3

  4. Keccak-p permutations u designed by the Keccak Team u tunable number of rounds u 7 state sizes: b u b ∈ {25, 50, 100, 200, 400, 800, 1600} u round function       R     4

  5. Keccak-p* permutations u a twisted permutation proposed in Ketje v2 5

  6. MonkeyWrap u an authenticated encryption mode proposed by the Keccak team 1. Initialization Associate date Plaintext n start = 12, 2. Proc. Associate n step = 1, 3. Proc. Plaintext n stride = 6 4. Finalization Note that: When the AD is empty, it is padded to a block, so 13-round is applied until the ciphertext outputs. Ciphertext Finalization: Tag 6

  7. MonkeyWrap u an authenticated encryption mode proposed by the Keccak team 1. Initialization Associate date Plaintext The AD and Plaintext 2. Proc. Associate are divided in to rho-bit 3. Proc. Plaintext and padded, 4. Finalization absorbed successively. Note that: When the AD is empty, it is padded to a block, so 13-round is applied until the ciphertext outputs. Ciphertext Finalization: Tag 7

  8. Figure. Ketje Sr v1 Figure. Ketje Sr v2 128-bit key and 254-bit nonce; Pink lanes are key and blue lanes are padding u 8

  9. Summary for ketje u Using MonkeyWrap u n start = 12, n step = 1, n stride = 6 u Four instances, 9

  10. ketje u Using MonkeyWrap u n start = 12, n step = 1, n stride = 6 u Four instances, u ρ denotes the block size absorbed in each n step 10

  11. Related Works u Cube Attack proposed by Dinur and Shamir ü they write the ANF of output bit: P = tP t + Q, t is maxterm and P t is superpoly ü exploit the linear superpolys ü u Dynamic Cube Attack (Dinur and Shamir) u Cube-like Attack, divide-and-conquer (Dinur et al. ) u Conditional Cube Attack (Huang et al .) u Linear Structure 11

  12. Cube-like Attack (Dinur et al. ) u In the 1st round, cube bits are not multiplied together u In the 1st round, only a part of key bits multiply with cube bits u Let k i be the key bits which do not multiply with cube bits {v 1 ,...,v 32 } u degree of round function is 2 u after 6r, k i v 1 v 2 ...v 32 will not appear 12

  13. Auxiliary variables (Dinur et al. ) u Auxiliary variables are introduced as follows u Suppose nonce in A[0,1] is equal to key bits in A[0,0] u After θ ρ π, the diffusion of the key in A[0,0] is reduced to pink lanes. Thus, key in A[0,0] will not multiply with cube bits. 13

  14. Linear Structure u Proposed by Guo, Liu and Song at ASIACRYPT 2016 u Find ways to get a set of variables that will not multiply together after the first/second round Figure. 1-round Linear Structure 14

  15. u Explore the linear structure in small state u Find 32/64-dimension cubes that do not multiply together in the first round u The cube do not multiply with as many key bits as possible 15

  16. u Property 1: In Ketje Sr v1, 32 cube variables do not multiply with 32- bit keys in A[1, 0] and A[1, 1] in the first round, bits of ci are the cube variables and c1+c2 = const1, c3+c4 = const2, const1 and const2 are constants. 16

  17. u Property 2: In Ketje Sr v1, without considering the last 2-bit padding in the nonce3,there are 64 cube variables that do not multiply with 16- bit keys in A[0, 1] in the first round, bits of ciare the cube variables and c1+c2 = const1,c3+c4+c5+c6 =const2, const1and const2 are constants. 17

  18. u Property 3: In Ketje Sr v2, 32 cube variables do not multiply with 56- bit keys in A[0, 2],A[3, 0], A[3, 3] and half of A[0, 0] in the first round, bits of ci are the cube variables and c1+c2+c3 = const1, const1 is constant. 18

  19. u Property 4: In Ketje Sr v2, 64 cube variables do not multiply with 32- bit keys in A[3, 0] and A[3, 3] in the first round, bits of ci are the cube variables and c1+c2+c3 = const1 and c4+c5+c6 = const2, const1and const2 are constants. 19

  20. u Explore the linear structure in small state u Dynamic cube variables u provide the same cube size with few variable lanes Lower probability to multiply together 20

  21. u A[1,0],A[1,1] will not multiply with cube variable according to Pro 1 u the pink lanes are the key that will not multiply with cube variables under conditions 21

  22. u So only 40bits key in A[3,0],A[3,1] and A[4,0] will multiply with cube variables under conditions, hence affect the cube sums after 6- round. 22

  23. 23

  24. 24

  25. 25

  26. 26

  27. Thank you Q?

Recommend

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo

(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo

SKLOIS (Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 Institute for

381 views • 26 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented

A Meet-in-the-Middle Attack on 8-Round AES H useyin Demirci Ali Aydn Sel cuk presented by Orhun Kara 1 Outline The AES A 5-round distinguisher Attack on 7-round AES-192, AES-256 and 8-round AES-256 Some optimizations

504 views • 19 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ronny Van Keer

Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ronny Van Keer

Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ronny Van Keer 1 1 STMicroelectronics 2 NXP Semiconductors DIAC 2014 1 / 19 Overview Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current

339 views • 33 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl affer 1 , Sren S. Thomsen 2 1 Institute for Applied

556 views • 23 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan

A Multi-Round Side Channel Attack on AES using Belief Propagation Hlne Le Bouder 1 Ronan Lashermes 1 Yanis Linge 2 Gal Thomas 3 Jean Yves Zie 1 INRIA Rennes, LHS/PEC 2 STMicroelectronics 3 Orange Labs Issy Les Moulineaux October 25th, 2016

315 views • 17 slides

More recommend