
Few Other Cryptanalytic Techniques (lecture slides, Debdeep Mukhopadhyay)



1. Few Other Cryptanalytic Techniques
Debdeep Mukhopadhyay, Assistant Professor, Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, INDIA - 721302
Objectives
• Boomerang Attack
• Square Attack
D. Mukhopadhyay Crypto & Network Security IIT Kharagpur 1

2. Some Common Cryptanalysis Techniques
1. Linear Cryptanalysis
2. Differential Cryptanalysis
3. Differential-Linear Cryptanalysis
4. Impossible Differential Attack
5. Truncated Differential Attack
6. Higher Order Differential Attack
7. Probabilistic Higher Order Differential Attack
8. Integral Attack
9. Boomerang Attack
10. Rectangle Attack
11. Slide Attack
12. Interpolation Attack
13. Square Attack
14. Fault Attacks / Side Channel Attacks
15. Correlation (Statistical) Attack
16. Algebraic Attack (XL/XLS)

3. Recap about Differential Cryptanalysis
• We have seen in our discussion on Differential Cryptanalysis:
– eliminating high probability differentials guarantees security.
– if p is the upper bound on the probability of any differential for the cipher, at least 1/p texts are needed to break the cipher.
– so to increase the security, reduce p.
The folk theorem is wrong…
• Impossible Differential Attacks: a differential with sufficiently low probability can be used for an attack.
• Boomerang attacks: even if no differential for the whole cipher has either high or low probability, the cipher may still be vulnerable to differential-style attacks.

4. Boomerang Attack Basics
• The attack considers four plaintexts, P, P', Q and Q'.
• The attacker also notes four ciphertexts, C, C', D and D'.
• Quartet: (P, P', Q, Q')
• 4 queries:
– 2 encryption: P, P'
– 2 decryption: D, D'
Boomerang Attack Basics
$E = E_1 \circ E_0$, where $E_0$ is the first half of the cipher and $E_1$ is the second half.
Differential characteristics for the half ciphers:
$\Delta \to \Delta^*$ for $E_0$, and $\nabla \to \nabla^*$ for $E_1^{-1}$.

5. Boomerang Attack Basics
$E_0(Q) \oplus E_0(Q') = E_0(P) \oplus E_0(P') \oplus E_0(P) \oplus E_0(Q) \oplus E_0(P') \oplus E_0(Q')$
$= E_0(P) \oplus E_0(P') \oplus E_1^{-1}(C) \oplus E_1^{-1}(D) \oplus E_1^{-1}(C') \oplus E_1^{-1}(D')$
$= \Delta^* \oplus \nabla^* \oplus \nabla^* = \Delta^*.$
Note that this characteristic is the same as that of the inverse of $E_0$. Thus, the difference in the plaintexts Q and Q' is the same as that in P and P'. Hence the name "Boomerang".
Example: COCONUT98
• Designed to protect against DC.
– the full cipher provides no good differential characteristics.
• Uses a 256 bit key, K = (k1, k2, …, k8):
  i   | 1  | 2     | 3        | 4
  k_i | k1 | k1^k3 | k1^k3^k4 | k1^k4
  i   | 5  | 6     | 7        | 8
  k_i | k2 | k2^k3 | k2^k3^k4 | k2^k4

6. COCONUT98
• 64 bit block cipher
• 3 parts
• An M layer between 4 Feistel rounds
[Figure: Feistel rounds of COCONUT98, with the half-block inputs x and y, the round key k_i, modular additions (+), the Φ function, ROL 11 and the constant c]

7. The Phi Function
[Figure: x → x mod 256 → SBox → multiply by 256 → + (added back to x); SBox: {0,1}^8 → {0,1}^24]
Read from the diagram: $\Phi(x) = x + 256 \cdot S(x \bmod 256)$, with the addition mod $2^{32}$.
The M layer
$M(xy) = \big((xy \times K_5K_6) \oplus K_7K_8\big)$ in $GF(2^{64})$, where the field is defined by $p(x) = x^{64} + x^{11} + x^2 + x + 1$.
Design is based on decorrelation theory. If K7K8 are unknown then the probability of a non-zero input differential to produce an output differential is $1/(2^{64} - 1)$. But for a fixed key, the output differential does not depend on the input value but depends only on the input differential.

8. Differential Analysis of the Phi Function
• Consider an input differential $e_j$ (j = 8 to 31), which is a 32 bit differential with the j-th bit flipped.
• The output differential is also $e_j$, with a probability ≈ 1/2.
[Figure: Φ with SBox {0,1}^8 → {0,1}^24 and multiply by 256, annotated with the input and output differential e_j]
Differential taking into account ROL 11
• ROL 11 is a circular shift by 11 bits.
• If the entire Feistel function is considered, there are 3 additions.
– $(x + a \bmod 2^{32}) + b \bmod 2^{32}$ is equivalent to $x + c \bmod 2^{32}$, where $c = a + b$.
• Thus the output differential is $e_{j+11}$. The subscripts are taken modulo 32.
• Similarly, $e_j \oplus e_k \to e_{j+11} \oplus e_{k+11}$ with probability ≈ 1/4.
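The claim that a single-bit difference $e_j$ passes through Φ unchanged with probability about 1/2 can be checked by sampling. The Python below is an added example, not code from the slides or from COCONUT98: it implements Φ as read off the diagram, $\Phi(x) = x + 256 \cdot S(x \bmod 256) \bmod 2^{32}$, with a constructed random 8-bit to 24-bit table standing in for the real S-box (which is not on the slides), and estimates the differential probabilities for single-bit and two-bit differences over random inputs. The names `phi`, `e`, `rol11`, `differential_probability` and `phi_profile` are the example's own.

```python
import random

MASK32 = 0xFFFFFFFF

# Constructed stand-in for the 8-bit to 24-bit S-box of COCONUT98 (the real
# table is not on the slides); the carry argument below does not depend on it.
_rng = random.Random(1)
SBOX = [_rng.getrandbits(24) for _ in range(256)]


def phi(x: int) -> int:
    """Phi(x) = x + 256 * S(x mod 256) mod 2^32, as read off the slide's diagram."""
    return (x + 256 * SBOX[x & 0xFF]) & MASK32


def e(*bits: int) -> int:
    """32-bit difference with the given bit positions set, e.g. e(18, 8) = e_18 ^ e_8."""
    d = 0
    for b in bits:
        d |= 1 << (b % 32)
    return d


def rol11(x: int) -> int:
    """Circular left shift by 11 bits; linear, so it maps e_j to e_{j+11 mod 32} exactly."""
    return ((x << 11) | (x >> 21)) & MASK32


def differential_probability(din: int, dout: int, trials: int = 20000, seed: int = 7) -> float:
    """Empirical Pr[Phi(x) ^ Phi(x ^ din) == dout] over random 32-bit inputs x."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = rng.getrandbits(32)
        if (phi(x) ^ phi(x ^ din)) == dout:
            hits += 1
    return hits / trials


def phi_profile() -> dict:
    """Probabilities for a few of the single-bit and two-bit differences on the slide."""
    return {
        "e8 -> e8": differential_probability(e(8), e(8)),
        "e20 -> e20": differential_probability(e(20), e(20)),
        "e31 -> e31": differential_probability(e(31), e(31)),
        "e20^e12 -> e20^e12": differential_probability(e(20, 12), e(20, 12)),
        "rol11(e25) == e4": rol11(e(25)) == e(4),
    }


if __name__ == "__main__":
    for name, p in phi_profile().items():
        print(f"{name}: {p}")
```

Flipping a bit $j \ge 8$ leaves $x \bmod 256$, and therefore the S-box output, unchanged, so the only thing that can disturb the difference is a carry in the final addition; that is why the estimate sits near 1/2 for $8 \le j \le 30$, while for $j = 31$ it is exactly 1, because adding $2^{31}$ modulo $2^{32}$ can never carry. The two-bit case needs both positions to avoid a carry, which gives the 1/4 on the slide.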

9. Good characteristics for 4 rounds
[Figure: 4-round differential characteristic with the intermediate differences e_18^e_8, e_19, e_29^e_19, e_18^e_8, e_29, e_18, e_29, e_0, e_18]
Probability ≈ $2^{-4}$.
By symmetry, we also get corresponding backward characteristics.
Obtaining full round characteristics
• Need to find some way to take advantage of these half round characteristics.
• The M layer creates a problem for standard DC.
• The Boomerang attack helps us to control the effect of the M layer.
• Key idea! M is affine. So, for a fixed key, there is an excellent characteristic with probability 1: $\nabla^* \to M^{-1}(\nabla^*)$.
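Slide 7 defines M over $GF(2^{64})$ and the key idea on slide 9 is that M is affine for a fixed key. The Python below is an added example, not code from the slides or from COCONUT98: it implements the field multiplication with $p(x) = x^{64} + x^{11} + x^2 + x + 1$, the M layer as defined on slide 7, and its inverse (the inverse of $K_5K_6$ is found with the extended Euclidean algorithm), then checks that $M(x) \oplus M(x \oplus \Delta)$ takes the single value $\Delta \times K_5K_6$ for every input, and that the difference through $M^{-1}$ is likewise fixed, which is the probability-1 characteristic $\nabla^* \to M^{-1}(\nabla^*)$. The key words and the difference used in the demo are constructed values; `gf64_mul`, `gf64_inv`, `poly_divmod`, `m_layer`, `m_inverse`, `forward_differences` and `backward_differences` are the example's own names.

```python
MASK64 = (1 << 64) - 1
# p(x) = x^64 + x^11 + x^2 + x + 1 (slide 7): x^64 reduces to x^11 + x^2 + x + 1 = 0x807
REDUCTION = 0x807
P = (1 << 64) | REDUCTION


def gf64_mul(a: int, b: int) -> int:
    """Shift-and-add multiply of two 64-bit field elements, reduced modulo p(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= REDUCTION
    return r


def poly_divmod(a: int, b: int):
    """Long division of GF(2)[x] polynomials held as ints: (quotient, remainder)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf64_inv(a: int) -> int:
    """Inverse modulo p(x) by the extended Euclidean algorithm; needs gcd(a, p) = 1."""
    r0, r1, s0, s1 = P, a, 0, 1  # invariant: r_i = s_i * a  (mod p)
    while r1 != 1:
        if r1 == 0:
            raise ValueError("element is not invertible modulo p(x)")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf64_mul(q, s1)
    return s1


def m_layer(xy: int, k56: int, k78: int) -> int:
    """M(xy) = ((xy x K5K6) xor K7K8) in GF(2^64), the slide's definition."""
    return gf64_mul(xy, k56) ^ k78


def m_inverse(z: int, k56: int, k78: int) -> int:
    """M^-1(z) = (z xor K7K8) x K5K6^-1."""
    return gf64_mul(z ^ k78, gf64_inv(k56))


def forward_differences(delta: int, k56: int, k78: int, inputs) -> set:
    """All values of M(x) xor M(x xor delta) over the inputs: one element,
    delta x K5K6, because M is affine for a fixed key."""
    return {m_layer(x, k56, k78) ^ m_layer(x ^ delta, k56, k78) for x in inputs}


def backward_differences(nabla: int, k56: int, k78: int, outputs) -> set:
    """All values of M^-1(z) xor M^-1(z xor nabla): the probability-1
    characteristic nabla* -> M^-1(nabla*) of slide 9."""
    return {m_inverse(z, k56, k78) ^ m_inverse(z ^ nabla, k56, k78) for z in outputs}


if __name__ == "__main__":
    # Constructed key words and difference, not values from the cipher or the slides.
    K56, K78 = 0x0123456789ABCDEF, 0xFEDCBA9876543210
    nabla = (1 << 42) | (1 << 31)
    xs = [0, 1, 0xDEADBEEF, 1 << 63, MASK64]
    print("forward differences:", forward_differences(nabla, K56, K78, xs))
    print("backward differences:", backward_differences(nabla, K56, K78, xs))
```

The attacker never learns $K_5K_6$ and does not need to: what matters, as slide 10 says, is that the difference coming out of $M^{-1}$ is the same for every ciphertext pair, so it depends only on the key and can be carried through the boomerang as an unknown but fixed $\nabla^* \times K_5K_6^{-1}$.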

10. Success Probability
Define the complete cipher $E = \varphi_1 \circ M \circ \varphi_0$. Here, $E_0 = \varphi_0$ and $E_1 = \varphi_1 \circ M$.
It does not matter that $M^{-1}(\nabla^*)$ is unknown to the attacker. What is important is that it depends only on the key and not on the values of the ciphertexts.
Define $p_{\Delta^*} = \Pr[\Delta \xrightarrow{\varphi_0} \Delta^*]$ and $q_{\nabla^*} = \Pr[\nabla \xrightarrow{\varphi_1^{-1}} \nabla^*]$.
Success probability $\approx \sum_{\Delta^*} \sum_{\nabla^*} p_{\Delta^*}^2 \, q_{\nabla^*}^2$.
Fact: $\Delta = \nabla = (e_{10}, e_{31})$ provides $p \approx 1/1900$.
The actual attack
• Criterion of success: Q^Q' = (?, e_31)
– improves the probability to 1/950.
• Thus about 950 × 4 = 3800 chosen plaintext/ciphertext queries should give 1 useful quartet.
• Thus with 16 × 3800 queries, 16 useful quartets are expected.

11. Finding k_1
• Take this quartet to find k_1.
– guess k_1.
– we have the fact that if (P, P', Q, Q') is a useful quartet then after one round of encryption the XOR difference must be (e_31, 0) for both the P, P' pair and the Q, Q' pair.
– for 1/2 of the wrong keys this holds.
– Each useful quartet gives 1 bit of information from the P, P' pair and 1 bit of information from the Q, Q' pair.
– Thus 16 useful quartets should give the entire key k_1.
Obtaining other keys
• Similarly, we obtain k_1, k_1^k_3, k_1^k_3^k_4, k_1^k_4, k_2, k_2^k_3, k_2^k_3^k_4, k_2^k_4.
This helps to obtain the entire 128 bits of the key. Complexity of the attack is around $2^{16}$.

12. Square attacks on 4 round AES
• Let Λ be an active set of 256 states that are all different in some of the state bytes and are all equal in the other state bytes:
$\forall\, x, y \in \Lambda:\quad x_{i,j} \neq y_{i,j}$ if $(i,j)$ is active, and $x_{i,j} = y_{i,j}$ otherwise.
Since the bytes of a set are either constant or take all possible values,
$\bigoplus_{x \in \Lambda} x_{i,j} = 0 \quad \forall\, i,j.$
Invariance of the active set
• Consider a Λ set in which only one byte is active.
• Let us observe the propagation of the active set through 3 AES rounds.
• SubBytes and AddRoundKey do not alter the property of the active set.
• ShiftRows transposes the active byte position.
• In the column containing the one active byte, MixColumns (a linear transformation with invertible coefficients) makes all 4 bytes active, so there is one column with 4 active bytes.

13. 2nd Round
• 2nd round AddRoundKey and SubBytes do not alter the property of 4 active bytes.
• In the 2nd round, ShiftRows transposes one active byte to each column.
• MixColumns converts each column to have 4 active bytes.
3rd Round
• 3rd round AddRoundKey and SubBytes do not alter the property of 4 active bytes per column.
• ShiftRows merely transposes.

14. 3rd Round
If the input is denoted by $a$ and the output by $b$ (each XOR below runs over all states of the Λ set):
$\bigoplus b_{i,j} = \bigoplus \mathrm{MixColumn}(a)_{i,j}$
$= \bigoplus \big(02 \cdot a_{i,j} \oplus 03 \cdot a_{i+1,j} \oplus a_{i+2,j} \oplus a_{i+3,j}\big)$
$= \big(02 \cdot \bigoplus a_{i,j}\big) \oplus \big(03 \cdot \bigoplus a_{i+1,j}\big) \oplus \bigoplus a_{i+2,j} \oplus \bigoplus a_{i+3,j} = 0.$
The Attack
• Hence all bytes at the input of the last (4th) round XOR to 0.
• The last round does not have MixColumn.
• So we can guess the last round key, and XOR to check for the above property.
• Probability of success for wrong keys: 1/256.
• Thus, with $2^8$ plaintext queries the key is obtained.
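The argument of slides 12 to 14 can be run end to end. The Python below is an added example and not code from the slides or from the AES specification: it implements the four AES round operations on a 16-byte state, a 4-round AES whose final round has no MixColumns, and the Square attack as described. It uses five independent random round keys in place of the AES key schedule (an assumption made for brevity; the attack only relies on the round structure), builds a Λ set with one active byte, checks that the input of round 4 XORs to the zero state, and recovers the last round key byte by byte by keeping only the guesses under which the 256 inverted bytes XOR to zero. The names `gf_mul`, `three_full_rounds`, `encrypt_4_rounds`, `lambda_set`, `xor_all`, `square_attack` and `demo` are the example's own.

```python
import random

# Toy 4-round AES on a 16-byte state (index 4*col + row). Round keys are
# independent random bytes, an assumption: the attack never uses the key schedule.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox() -> list:
    """AES S-box: field inverse, then the fixed affine map (FIPS-197 section 5.1.1)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # row r is rotated left by r positions
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def three_full_rounds(pt, round_keys):
    """AddRoundKey(K0), then rounds 1..3 with MixColumns: this is the input of round 4."""
    s = add_round_key(pt, round_keys[0])
    for r in range(1, 4):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_keys[r])
    return s

def encrypt_4_rounds(pt, round_keys):
    """Round 4 has no MixColumns, as the slide says."""
    return add_round_key(shift_rows(sub_bytes(three_full_rounds(pt, round_keys))), round_keys[4])

def lambda_set(rng, active=0):
    """One active byte running through all 256 values, every other byte constant."""
    base = [rng.randrange(256) for _ in range(16)]
    return [base[:active] + [v] + base[active + 1:] for v in range(256)]

def xor_all(states):
    acc = [0] * 16
    for s in states:
        acc = add_round_key(acc, s)
    return acc

def square_attack(oracle, rng, max_sets=6):
    """Keep a last-round-key byte guess only if the 256 inverted bytes XOR to zero;
    a wrong guess survives one Lambda set with probability 1/256."""
    candidates = [set(range(256)) for _ in range(16)]
    for _ in range(max_sets):
        cts = [oracle(p) for p in lambda_set(rng)]
        for pos in range(16):
            keep = set()
            for g in candidates[pos]:
                acc = 0
                for c in cts:
                    acc ^= INV_SBOX[c[pos] ^ g]
                if acc == 0:
                    keep.add(g)
            candidates[pos] = keep
        if all(len(c) == 1 for c in candidates):
            break
    return [next(iter(c)) for c in candidates]

def demo(seed=2024):
    """Returns (input of round 4 is balanced, recovered key == true last round key)."""
    rng = random.Random(seed)
    round_keys = [[rng.randrange(256) for _ in range(16)] for _ in range(5)]
    balanced = xor_all(three_full_rounds(p, round_keys) for p in lambda_set(rng)) == [0] * 16
    recovered = square_attack(lambda p: encrypt_4_rounds(p, round_keys), rng)
    return balanced, recovered == round_keys[4]
```

A wrong guess for one key byte passes a Λ set with probability 1/256, as the slide states, so a second Λ set (2^9 chosen plaintexts in total) almost always leaves a single candidate per byte; `square_attack` keeps querying fresh Λ sets until every byte is pinned down. Because the last round has no MixColumns, each ciphertext byte depends on only one key byte, which is what makes the byte-by-byte guess possible.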

15. Points to ponder!
• Can you rewrite the square attack to work for 5 rounds?
• Can it work for 6 rounds?
• Will the same attack work for AES-192 and AES-256?
Further Reading
• S. Vaudenay, "Provable Security for Block Ciphers"
• D. Wagner, "The Boomerang Attack", FSE 99
• J. Daemen, V. Rijmen, The Design of Rijndael, Springer
• J. Daemen, L. Knudsen, V. Rijmen, "The block cipher SQUARE"

16. Next Day's Topic
• Overview on S-Box Design Principles
