experimentally verifying a complex algebraic attack on
play

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 - PowerPoint PPT Presentation

Jan 22, 2024 •169 likes •754 views

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 Washington D.C. Itai Dinur 1 , Tim Gneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1

  1. Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 – Washington D.C. Itai Dinur 1 , Tim Güneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1 Computer Science Dept., The Weizmann Institute, Israel 18.03.2012 2 Horst Görtz Institute for IT Security, Ruhr-University Bochum

  2. Outline  Introduction  Implementation  Problems and Solutions  Results and Conclusion SHARCS 2012 | Washington D.C. | 18.03.2012 2

  3. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 3

  4. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 4

  5. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 5

  6. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 6

  7. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 7

  8. Introduction Grain-128  128-bit key, 96-bit IV  Boolean functions  256 clock cycles SHARCS 2012 | Washington D.C. | 18.03.2012 8

  9. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 • SHARCS 2012 | Washington D.C. | 18.03.2012 9

  10. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 •  Uses CubeTesters • Aumasson/Dinur/Meier/Shamir (FSE 2009) • Related to higher order differential attacks • Distinguishes (special) polynomials from random functions SHARCS 2012 | Washington D.C. | 18.03.2012 10

  11. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 •  Uses CubeTesters • Aumasson/Dinur/Meier/Shamir (FSE 2009) • Related to higher order differential attacks • Distinguishes (special) polynomials from random functions  Multiple Steps • Guess and generate scores • Determine most likely values of secret expression • Recover the key SHARCS 2012 | Washington D.C. | 18.03.2012 11

  12. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic? SHARCS 2012 | Washington D.C. | 18.03.2012 12

  13. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic?  Simulate correct guess for known key 1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list SHARCS 2012 | Washington D.C. | 18.03.2012 13

  14. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic?  Simulate correct guess for known key 1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list Details: Dinur et al. (Asiacrypt 2011) SHARCS 2012 | Washington D.C. | 18.03.2012 14

  15. Outline  Introduction  Implementation  Problems and Solutions  Results and Conclusion SHARCS 2012 | Washington D.C. | 18.03.2012 15

  16. Implementation Hardware Design Goals  Considerations  Flexibility  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 16

  17. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 17

  18. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility • Adaptable to modified cube attacks • Adaptable to modified parameter sets  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 18

  19. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility • Adaptable to modified cube attacks • Adaptable to modified parameter sets  Operability • Fully working post-place and route design • Fully working on RIVYERA FPGA Cluster SHARCS 2012 | Washington D.C. | 18.03.2012 19

  20. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs SHARCS 2012 | Washington D.C. | 18.03.2012 20

  21. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs  16 Boards SHARCS 2012 | Washington D.C. | 18.03.2012 21

  22. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs  16 Boards  i7 Processor SHARCS 2012 | Washington D.C. | 18.03.2012 22

  23. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 23

  24. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 24

  25. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 25

  26. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 26

  27. Implementation The Algorithm - Hands-On  Focus on time consuming steps 1. Chose random key 2. Generate boolean functions (polynomials to evaluate) Compute 2 50 times the first output bit (Grain-128 Initialization) 3. 4. XOR the results in some way SHARCS 2012 | Washington D.C. | 18.03.2012 27

  28. Implementation The Algorithm - Hands-On  Focus on time consuming steps 1. Chose random key 2. Generate boolean functions (polynomials to evaluate) Compute 2 50 times the first output bit (Grain-128 Initialization) 3. 4. XOR the results in some way Sounds easy! Let’s try it in Software… SHARCS 2012 | Washington D.C. | 18.03.2012 28

  29. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 1 0 0 0 1 1 0 1 0 1 0 0 1 0 1 • Red: cube indices • Blue: dynamic variables SHARCS 2012 | Washington D.C. | 18.03.2012 29

  30. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 1 0 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 30

  31. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 0 1 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 31

  32. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 1 1 0 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 32

  33. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup SHARCS 2012 | Washington D.C. | 18.03.2012 33

  34. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup  But: Very slow in Software (2 50 Grain iterations per key) SHARCS 2012 | Washington D.C. | 18.03.2012 34

  35. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: Let’s try hardware! • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup  But: Very slow in Software (2 50 Grain iterations per key) SHARCS 2012 | Washington D.C. | 18.03.2012 35

Recommend

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on joint work with Herv e Gaussier) Institut Fourier, Universit e de Grenoble Alpes & Acad emie des Sciences de Paris CIME School on Complex

971 views • 57 slides
The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA

The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA

The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA Min Ru The constant appeared in algebraic and complex geometry Nevanlinna theory: Introduction the notations Let X be a complex projective

1.14k views • 80 slides
Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008 Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne,

518 views • 34 slides
demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman

demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman

Meeting today's demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman Harris Corporation THIS INFORMATION WAS APPROVED FOR PUBLISHING PER THE ITAR AS `BASIC MARKETING INFORMATION OF DEFENSE ARTICLES` OR AS

352 views • 31 slides
Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University

Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University

Transcendental lattices of complex algebraic surfaces Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University November 25, 2009, Tohoku 1 / 27 Transcendental lattices of complex algebraic surfaces

419 views • 27 slides
Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in

Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in

Introduction: The problem of CSG r-matrix structure Algebraic structures of Poisson brackets of L The YB equations for a,s On the Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in collaboration with Luc

594 views • 22 slides
Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20,

Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20,

Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20, 2017 Gereon Quick NTNU Algebraic classes: smooth complex schemes Let E be a motivic spectrum over Sm C . Algebraic classes: smooth complex

1.81k views • 144 slides
Algebraic and combinatorial methods for bounding the number of the complex embeddings of

Algebraic and combinatorial methods for bounding the number of the complex embeddings of

Algebraic and combinatorial methods for bounding the number of the complex embeddings of minimally rigid graphs E. Bartzos, I.Z. Emiris, J. Schicho 14 June 2019 Geometric constraint systems: rigidity, flexibility and applications Lancaster

606 views • 31 slides
Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
A Brief Comparison: some experimentally verified Generalize the key constraints and

A Brief Comparison: some experimentally verified Generalize the key constraints and

MN1 T. Metodiev D. Copsey F.T. Chong I.L. Chuang M. Oskin J. Kubiatowicz Motivation Many Proposed Technologies All work toward the same goal A Brief Comparison: some experimentally verified Generalize the key

361 views • 5 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Two-dimensional materials from high-throughput computational exfoliation of experimentally known

Two-dimensional materials from high-throughput computational exfoliation of experimentally known

Two-dimensional materials from high-throughput computational exfoliation of experimentally known compounds Nicolas Mounet, Marco Gibertini, Philippe Schwaller, Davide Campi, Andrius Merkys, Antimo Marrazzo, Thibault Sohier, Ivano Eligio

500 views • 23 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law

Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law

Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law for the behavior of gases. Choose and answer one of the following: Why do divers get the bends? Why do your ears pop going up a

892 views • 62 slides
Algebraic cycles in generalized cohomology theories Mathematisches Forschungsinstitut Oberwolfach

Algebraic cycles in generalized cohomology theories Mathematisches Forschungsinstitut Oberwolfach

Algebraic cycles in generalized cohomology theories Mathematisches Forschungsinstitut Oberwolfach April 20, 2018 Gereon Quick NTNU Lefschetz s theorem: X projective complex surface Lefschetz s theorem: X projective complex surface

2.1k views • 181 slides
SysML-Sec Attack Graphs: Compact Representations for Complex Attacks Institut Ludovic Apvrille

SysML-Sec Attack Graphs: Compact Representations for Complex Attacks Institut Ludovic Apvrille

SysML-Sec Attack Graphs: Compact Representations for Complex Attacks Institut Ludovic Apvrille Mines-Telecom ludovic.apvrille@telecom-paristech.fr Yves Roudier yves.roudier@eurecom.fr GraMSec2015 Context: Security for Embedded Systems

470 views • 23 slides
Placebos in Pain and Sadness Tobias Kube, PhD Agenda Study 1: Experimentally induced pain

Placebos in Pain and Sadness Tobias Kube, PhD Agenda Study 1: Experimentally induced pain

Mechanisms of Open-Label Placebos in Pain and Sadness Tobias Kube, PhD Agenda Study 1: Experimentally induced pain Study 2: Experimentally induced sadness Study 1 Deceptive and non-deceptive placebos to reduce pain An experimental

596 views • 30 slides
Examples of non- algebraic classes in the Brown-Peterson tower Freie Universitt Berlin

Examples of non- algebraic classes in the Brown-Peterson tower Freie Universitt Berlin

Examples of non- algebraic classes in the Brown-Peterson tower Freie Universitt Berlin November 16, 2017 Gereon Quick NTNU Lefschetz s theorem: X projective complex surface Lefschetz s theorem: X projective complex surface 2-dim.

1.79k views • 158 slides
Toxicity and Related Testing Run to reproduce AHPNS experimentally in the laboratory i t ll i

Toxicity and Related Testing Run to reproduce AHPNS experimentally in the laboratory i t ll i

11/3/2012 Toxicity and Related Testing Run to reproduce AHPNS experimentally in the laboratory i t ll i th l b t Possible Etiological Agents Toxicant From feed (new ingredient(s) in feed?) Remember the melamine contamination

179 views • 16 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a

SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a

ECE 552 Numerical Circuit Analysis Chapter Three SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a set of n linear algebraic equations Ax = b where A is a real or complex n x n nonsingular matrix.

1.18k views • 96 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides

More recommend