Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES (PowerPoint PPT Presentation)



  1. [Section navigation bar, repeated on every slide: Introduction | Demirci and Selçuk Attack | Differential Enumeration Technique | Conclusion]
  Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES
  Patrick Derbez (1), Pierre-Alain Fouque (1, 2)
  (1) École Normale Supérieure, France; (2) Université de Rennes 1, France
  March 13, 2013

  2. Outline
  1 Introduction: Description of the AES; AES and recent attacks
  2 Demirci and Selçuk Attack: Original attack; Previous Improvements; New improvements; Finding Best Attacks; Results
  3 Differential Enumeration Technique: The Technique; New attack on 8 rounds; Results
  4 Conclusion

  3. Outline for section 1: Introduction (Description of the AES; AES and recent attacks)

  4. Advanced Encryption Standard
  ◮ The Advanced Encryption Standard competition began in 1997
  ◮ Rijndael was selected to be the new AES in 2001
  AES basic structures
  ◮ iterated block cipher
  ◮ substitution permutation network
  ◮ block size: 128 bits
  ◮ 3 different key lengths: 128, 192, 256 bits
  ◮ number of rounds depends on the key length: 10, 12, 14 rounds

  5. Description of the AES
  ◮ Each 16-byte block is represented as a 4 × 4 matrix of bytes
  ◮ Each byte represents an element of F_256
  ◮ 4 simple operations on the state matrix every round (except the last round)
  [Figure: one AES round, x_i --SB--> y_i --SR--> z_i --MC--> w_i --AK(k_i)--> x_{i+1}; MixColumns acts on each column as C ← M × C]

  6. Description of the AES
  ◮ Each 16-byte block is represented as a 4 × 4 matrix of bytes
  ◮ Each byte represents an element of F_256
  ◮ 4 simple operations on the state matrix every round (except the last round)
  [Figure: the same round with AddRoundKey moved before MixColumns, x_i --SB--> y_i --SR--> z_i --AK(u_i)--> w̃_i --MC--> x_{i+1}, with the equivalent subkey defined by k_i = M × u_i]

  7. AES and recent attacks
  ◮ Designed to be strong against Linear and Differential cryptanalysis.
  ◮ Fairly simple algebraic description...
  ◮ ... but attacks using SAT-solvers or Gröbner basis algorithms never endanger it.
  ◮ Related-subkey attacks on the full AES-192/AES-256.
  ◮ Biclique attacks on the full AES-128/AES-192/AES-256:
    Version   Data    Time       Memory
    128       2^88    2^126.2    2^8
    192       2^80    2^189.4    2^8
    256       2^40    2^254.4    2^8

  8. Outline for section 2: Demirci and Selçuk Attack (Original attack; Previous Improvements; New improvements; Finding Best Attacks; Results)

  9-11. Preliminary
  Definition: δ-set
  A set of 256 AES states that are all different in one state byte and all equal in the other state bytes.
  ◮ At FSE 2008, Demirci and Selçuk described a 4-round property for AES.
  4-round property
  Consider the encryption of a δ-set through four full AES rounds. For each of the 16 bytes of the state, the ordered sequence of the 256 values of that byte in the corresponding ciphertexts is fully determined by just 25 byte parameters.
  ◮ At most 2^(8×25) = 2^200 possible sequences out of the 2^(8×256) = 2^2048 theoretically possible.

  12-14. Proof of the 4-round property
  ◮ Consider the encryption of a δ-set through four full AES rounds:
  [Figure: z_i → x_{i+1} → z_{i+1} → x_{i+2} → z_{i+2} → x_{i+3} → z_{i+3} → x_{i+4}, with the active bytes of the differential path marked in black and one byte of x_{i+4} circled]
  ◮ To build the 256 values of the circled byte...
  ◮ ...guess the black bytes for one message and propagate the differences.
  Reminder: z_j = SR ∘ SB(x_j) and x_{j+1} = AK ∘ MC(z_j).

  15-19. Basic attack
  ◮ They first use the property to mount an attack on 7 rounds of AES-256.
  [Figure: P → x_0 → z_0 → x_1 → z_1 → (4 rounds) → x_5 → z_5 → x_6 → z_6 → C, with the bytes guessed offline marked in black and the bytes guessed online marked in gray]
  1 Compute the 2^200 possible sequences and store them in a hash table.
  2 Ask for a structure of 2^32 plaintexts and choose one of them.
  3 Guess the gray bytes to identify a δ-set and sort it.
  4 Guess the black bytes to compute the sequence and check whether it belongs to the table.

  20. Comments
  ◮ Let B_on (resp. B_off) be the state bytes needed in the online (resp. offline) phase.
  ◮ A priori, the time complexity of the online phase is 2^(8×|B_on|) × 2^8 partial encryptions/decryptions and the memory requirement is 2^(8×|B_off|) 256-byte sequences.
  ◮ In our case |B_on| = 10 and |B_off| = 25.
  ◮ The memory complexity of this attack is too high to apply it to the 128- and 192-bit versions.
  ◮ But its time complexity is low enough to derive from it an attack on 8 rounds of AES-256.

  21. Comments (cont.)
  ◮ The bytes of B_off (resp. B_on) are related by the AES equations ⇒ they may assume fewer values than expected.
  [Figure: z_i → x_{i+1} → z_{i+1} → x_{i+2} → z_{i+2} → x_{i+3} → z_{i+3} → x_{i+4}, with the subkey bytes of u_i, u_{i+1}, k_{i+2}, k_{i+3} involved in the path marked]
  ◮ Let K_off be the vector space generated by these subkey bytes.
  ◮ In a similar way, we define K_on from B_on.

  22-23. Previous Improvements
  ◮ Difference instead of Value: store sequences of differences to remove the byte of x_5 from B_off or from B_on.
  ◮ Multiset: store unordered sequences to slightly reduce the memory requirement and, as the S-box is a bijection, to remove the byte of x_1 from B_on.
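Worked example, added here and not part of the slides or the authors' code: a self-contained implementation of the AES round functions that checks the 4-round property of slides 9-14 and the two improvements of slides 22-23. It places the δ-set at x_1 with byte 0 active and sorted by that byte's value (the ordering of step 3 in the basic attack), reads the 25 byte parameters (4 bytes of column 0 of x_2, all 16 bytes of x_3, the 4 bytes of x_4 that ShiftRows moves into column 0, and the byte of x_5 for one message) off a single real encryption, rebuilds the whole 256-value sequence by propagating differences alone, and compares it with the sequence obtained by encrypting all 256 states. The round keys are independent random bytes rather than a real key schedule, which does not affect the property because AddRoundKey never changes a difference; the state indexing (row + 4 × column), the function names and the byte positions are this example's own choices.

```python
# Added example, not the slides' or the authors' code: AES round primitives
# and a check of the Demirci-Selcuk 4-round property by difference propagation.
# Assumptions (this example's own): state index = row + 4*column as in the AES
# spec; the delta-set sits at x_1 with byte 0 active and is sorted by that
# byte's value; the four round keys are independent random bytes, which is
# harmless here since AddRoundKey never changes a difference.
import random

def xtime(a):                       # multiplication by x in F_256
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):                     # general multiplication in F_256
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _make_sbox():                   # AES S-box: inverse in F_256, then the affine map
    sbox = []
    for x in range(256):
        inv, p = 1, x               # x^254 = x^2 * x^4 * ... * x^128
        for _ in range(7):
            p = gmul(p, p)
            inv = gmul(inv, p)
        inv = 0 if x == 0 else inv
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()
DIAG = (0, 5, 10, 15)               # bytes of y_4 that ShiftRows moves into column 0

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):                  # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):                 # C <- M x C on every column
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(2, a[r]) ^ gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes_round(x, k):                # z_j = SR o SB(x_j),  x_{j+1} = AK o MC(z_j)
    return [a ^ b for a, b in zip(mix_columns(shift_rows(sub_bytes(x))), k)]

def encrypt_states(x1, keys):       # x_1, x_2, ..., x_5 for four full rounds
    states = [x1]
    for k in keys:
        states.append(aes_round(states[-1], k))
    return states

def true_sequence(x1_ref, keys):    # byte 0 of x_5 over the sorted delta-set at x_1
    return [encrypt_states([v] + x1_ref[1:], keys)[4][0] for v in range(256)]

def extract_params(x1_ref, keys):   # the 25 byte parameters, read off one message
    _, x2, x3, x4, x5 = encrypt_states([0] + x1_ref[1:], keys)
    return {"x2_col0": x2[0:4], "x3": x3,
            "x4_diag": [x4[i] for i in DIAG], "x5_byte": x5[0]}

def sb_diff(vals, diffs):           # S-box output difference; a value is needed only where the difference is nonzero
    return [0 if d == 0 else SBOX[v ^ d] ^ SBOX[v] for v, d in zip(vals, diffs)]

def sequence_from_params(p, values=True):
    """Rebuild the sequence from the 25 parameters alone (24 when values=False)."""
    x2_vals = p["x2_col0"] + [None] * 12          # unknown bytes never carry a difference
    seq = []
    for v in range(256):
        d = [SBOX[v] ^ SBOX[0]] + [0] * 15        # difference in y_1 (sorted set: reference message has byte 0 = 0)
        d = mix_columns(shift_rows(d))            # dx_2: only column 0 is active
        d = mix_columns(shift_rows(sb_diff(x2_vals, d)))    # dx_3: all 16 bytes active
        d = mix_columns(shift_rows(sb_diff(p["x3"], d)))    # dx_4: all 16 bytes active
        dz = [SBOX[val ^ d[i]] ^ SBOX[val] for val, i in zip(p["x4_diag"], DIAG)]  # column 0 of dz_4
        dx5_0 = gmul(2, dz[0]) ^ gmul(3, dz[1]) ^ dz[2] ^ dz[3]                   # row 0 of MixColumns
        seq.append(p["x5_byte"] ^ dx5_0 if values else dx5_0)
    return seq

def multiset(seq):                  # unordered variant: the multiset improvement
    return tuple(sorted(seq))

if __name__ == "__main__":
    rng = random.Random(2013)
    x1 = [rng.randrange(256) for _ in range(16)]
    keys = [[rng.randrange(256) for _ in range(16)] for _ in range(4)]
    print(true_sequence(x1, keys) == sequence_from_params(extract_params(x1, keys)))
```

Running it prints True: the sequence reconstructed from the 25 bytes matches the one obtained by encrypting the 256 states, which is exactly why the offline table of step 1 can be built from 2^200 parameter guesses. Passing values=False drops the x_5 byte and reproduces the difference-sequence improvement, and multiset() gives the unordered variant; note that the value of the active byte of x_1 never appears among the parameters because sorting the δ-set fixes the order of the S-box outputs in round 1.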
