cube testers and key recovery attacks on reduced round
play

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and - PowerPoint PPT Presentation

Apr 08, 2023 •239 likes •515 views

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

  1. Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27

  2. Cube attacks 2 / 27

  3. Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper on ePrint, attack on 771-round Trivium Oct 08 : cube attacks reported on 14-round MD6 Oct 08 : cube testers reported on 18-round MD6 Dec 08 : Dinur/Shamir paper accepted to EUROCRYPT Jan 09 : cube testers reported on Shabal 3 / 27

  4. Cube attacks in a nutshell Can attack any primitive with secret and public variables ◮ keyed hash functions ◮ stream ciphers ◮ block ciphers ◮ MACs Target algorithms with low-degree components ◮ stream ciphers based on low-degree NFSR ◮ hash functions with only XORs and a few ANDs 4 / 27

  5. Cube attacks in a nutshell Requirements of the attacker: ◮ only black-box access to the function ◮ negligible memory Cube attacks work in 2 phases ◮ precomputation : chosen keys and chosen IVs ◮ online : fixed unknown key and chosen IVs 5 / 27

  6. Key observation 1 Any function f : { 0 , 1 } m �→ { 0 , 1 } n admits an algebraic normal form (ANF) Example: f : { 0 , 1 } 10 �→ { 0 , 1 } 4 f 1 ( x ) = x 1 x 2 + x 2 x 8 x 9 + x 3 x 4 x 5 x 6 x 7 f 2 ( x ) = x 2 x 4 + x 6 x 8 x 9 + x 5 x 6 x 7 x 8 x 9 x 10 f 3 ( x ) = 1 f 4 ( x ) = 1 + x 1 + x 3 + x 5 6 / 27

  7. Key observation 2 Computation of the largest monomial’s coefficient f ( x 1 , x 2 , x 3 , x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 + 0 × x 1 x 2 x 3 x 4 Sum over all values of ( x 1 , x 2 , x 3 , x 4 ) : f ( 0 , 0 , 0 , 0 )+ f ( 0 , 0 , 0 , 1 )+ f ( 0 , 0 , 1 , 0 )+ · · · + f ( 1 , 1 , 1 , 1 ) = 0 7 / 27

  8. Key observation 3 Evaluation of factor polynomials f ( x 1 , x 2 , x 3 , x 4 ) = x 1 + x 3 + x 1 x 2 x 3 + x 1 x 2 x 4 = x 1 + x 3 + x 1 x 2 ( x 3 + x 4 ) Fix x 3 and x 4 , sum over all values of ( x 1 , x 2 ) : � f ( x 1 , x 2 , x 3 , x 4 ) = 4 × x 1 + 4 × x 3 + 1 × ( x 3 + x 4 ) ( x 1 , x 2 ) ∈{ 0 , 1 } 2 = x 3 + x 4 8 / 27

  9. Key observation 3 Evaluation of factor polynomials f ( x 1 , x 2 , x 3 , x 4 ) = · · · + x 1 x 2 ( x 3 + x 4 ) Fix x 3 and x 4 , sum over all values of ( x 1 , x 2 ) : � f ( x 1 , x 2 , x 3 , x 4 ) = x 3 + x 4 ( x 1 , x 2 ) ∈{ 0 , 1 } 2 9 / 27

  10. Terminology f ( x 1 , x 2 , x 3 , x 4 ) = x 1 + x 3 + x 1 x 2 ( x 3 + x 4 ) ( x 3 + x 4 ) is called the superpoly of the cube x 1 x 2 10 / 27

  11. Evaluation of a superpoly x 3 and x 4 fixed and unknown f ( · , · , x 3 , x 4 ) queried as a black box ANF unknown , except: x 1 x 2 ’s superpoly is ( x 3 + x 4 ) f ( x 1 , x 2 , x 3 , x 4 ) = · · · + x 1 x 2 ( x 3 + x 4 ) + · · · Query f to evaluate the superpoly: � f ( x 1 , x 2 , x 3 , x 4 ) = x 3 + x 4 ( x 1 , x 2 ) ∈{ 0 , 1 } 2 11 / 27

  12. Key-recovery attack On a stream cipher with key k and IV v f : ( k , v ) �→ first keystream bit Offline : find cubes with linear superpolys f ( k , v ) = · · · + v 1 v 3 v 5 v 7 ( k 2 + k 3 + k 5 ) + · · · f ( k , v ) = · · · + v 1 v 2 v 6 v 8 v 12 ( k 1 + k 2 ) + · · · · · · = · · · f ( k , v ) = · · · + v 3 v 4 v 5 v 6 ( k 3 + k 4 + k 5 ) + · · · (reconstruct the superpolys with linearity tests) Online : evaluate the superpolys, solve the system 12 / 27

  13. Cube testers 13 / 27

  14. Cube testers in a nutshell Like cube attacks: ◮ need only black-box access ◮ target primitives with secret and public variables and ◮ built on low-degree components Unlike cube attacks: ◮ give distinguishers rather than key-recovery ◮ don’t require low-degree functions ◮ need no precomputation 14 / 27

  15. Basic idea Detect structure (nonrandomness) in the superpoly, using algebraic property testers A tester for property P on the function f : ◮ makes (adaptive) queries to f ◮ accepts when f satisfies P ◮ rejects with bounded probability otherwise 15 / 27

  16. Examples of efficiently testable properties ◮ balance ◮ linearity ◮ low-degree ◮ constantness ◮ presence of linear variables ◮ presence of neutral variables General characterization by Kaufman/Sudan, STOC’ 08 16 / 27

  17. Superpolys attackable by testing... . . . low-degree (6) · · · + x 1 x 2 x 3 ( x 2 x 3 + x 4 x 21 + x 6 x 9 x 20 x 30 x 40 x 50 ) + · · · . . . neutral variables ( x 6 ) · · · + x 1 x 2 x 3 x 4 x 5 · g ( x 7 , x 8 , . . . , x 80 ) + · · · . . . linear variables ( x 6 ) · · · + x 1 x 2 x 3 x 4 x 5 · ( x 6 + g ( x 7 , x 8 , . . . , x 80 )) + · · · 17 / 27

  18. Results 18 / 27

  19. MD6 Presented by Rivest at CRYPTO 2008 Submitted to the SHA-3 competition ◮ quadtree structure ◮ construction RO-indifferentiable ◮ low-degree compression function ◮ at least 80 rounds ◮ best attack by the designers: 12 rounds 19 / 27

  20. MD6’s compression function { 0 , 1 } 64 × 89 �→ { 0 , 1 } 64 × 16 Input: 64-bit words A 0 . A 1 , . . . , A 88 Compute the A i ’s with the recursion x ← S i ⊕ A i − 17 ⊕ A i − 89 ⊕ ( A i − 18 ∧ A i − 21 ) ⊕ ( A i − 31 ∧ A i − 67 ) x ← x ⊕ ( x ≫ r i ) A i ← x ⊕ ( x ≪ ℓ i ) ◮ round-dependent constant S i ◮ quadratic step, at least 1280 steps 20 / 27

  21. Results on MD6 Cube attack (key recovery) ◮ on the 14-round compression function ◮ recover any 128-bit key ◮ in time ≈ 2 22 Cube testers (testing balance) ◮ detect nonrandomness on 18 rounds ◮ detect nonrandomness on 66 rounds when S i = 0 ◮ in time ≈ 2 17 , 2 24 , resp. 21 / 27

  22. Trivium Stream cipher by De Canni` ere and Preneel, 2005 eSTREAM HW portfolio ◮ 80-bit key and IV ◮ 3 quadratic NFSRs ◮ 1152 initialization rounds ◮ best attack on 771 rounds (cube attack) 22 / 27

  23. Cube testers on Trivium Test the presence of neutral variables Distinguishers (only choose IVs) ◮ 2 24 : 772 rounds ◮ 2 30 : 790 rounds Nonrandomness (assumes some control of the key) ◮ 2 24 : 842 rounds ◮ 2 27 : 885 rounds Full version: 1152 rounds 23 / 27

  24. Conclusions 24 / 27

  25. Cube testers + ◮ more general than classical cube attacks ◮ no precomputation ◮ “polymorphic” – ◮ only gives distinguishers ◮ only finds feasible attacks ◮ relevant for a minority of functions (like cube attacks) 25 / 27

  26. Open issues How to predict the existence of unexpected properties? How to find the best cubes? Attack on (reduced versions of) other algorithms: Grain, ESSENCE, Keccak, Luffa, Shabal,. . . 26 / 27

  27. Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 27 / 27

Recommend

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline--divided into 3 parts u Ketje u Related Works u Cube-like

454 views • 27 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

634 views • 45 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3 1: Nanyang Technological University, Singapore 2: NTT Secure Platform Laboratories,

412 views • 25 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides

More recommend