generic attacks on feistel ciphers with internal
play

Generic Attacks on Feistel Ciphers With Internal Permutations Joana - PowerPoint PPT Presentation

Feb 11, 2023 •506 likes •1.04k views

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

  1. Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit´ e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 1 / 39

  2. Summary Introduction 1 Generic attacks on the first 5 rounds 2 Generic attacks for any number of rounds 3 General method Computation of the H -coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds Table of results and conclusion 4 Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 2 / 39

  3. Feistel ciphers (1/3) Definition Let f be a function from { 1 , . . . , 2 n } to { 1 , . . . , 2 n } . A Feistel cipher with round function f is defined by : L R f S T Fig. : 1-round Feistel scheme We call ψ ( f ) or simply ψ such a construction. ψ ([ L , R ]) = [ R , L ⊕ f ( R )] = [ S , T ] Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 3 / 39

  4. Feistel ciphers (2/3) ψ is a permutation of { 1 , . . . , 2 2 n } : ψ − 1 ([ S , T ]) = [ T ⊕ f ( S ) , S ] = [ L , R ] S T T S f R L L R Fig. : ψ − 1 = τ ◦ ψ ◦ τ Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 4 / 39

  5. Feistel ciphers 3/3 Definition Let f 1 , . . . , f k be k functions from { 1 , . . . , 2 n } to { 1 , . . . , 2 n } . A k-round Feistel cipher with round functions f 1 , . . . , f k is defined by the succesion of k rounds of a Feistel cipher with round function f i : ψ k ( f 1 , . . . , f k ):= ψ ( f k ) ◦ . . . ◦ ψ ( f 1 ) L R f 1 R X 1 X S k−2 f k X 1 X 2 k−2 L R f f f X S f T 1 2 3 f k k −1 S T Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 5 / 39

  6. Luby-Rackoff revisited Derived structures : Classical Feistel ciphers. Unbalanced Feistel ciphers with expanding internal functions. Unbalanced Feistel ciphers with contracting internal functions. Feistel ciphers with internal permutations. Used in the design of Twofish, Camellia, DEAL. [Knudsen-02] : attack on 5 rounds, impossible differential [Piret-05] : security proofs for 3 and 4 rounds, ≥ O (2 n / 2 ) messages 3-round CPA − 2, 4-round CPCA − 2 Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 6 / 39

  7. Feistel ciphers with internal permutations Different behaviour of these Feistel networks and the classical ones. Example (3 rounds) : L R f X f S T 1 2 f 3 Attack on 3 round classical Feistel ciphers : Relations considered between two input/output couples : R 1 ⊕ S 1 = R 2 ⊕ S 2 . Random permutation : probability 1 / 2 n ; Feistel cipher : probability 2 / 2 n R 1 ⊕ S 1 = R 2 ⊕ S 2 ⇔ f 2 ( X 1 ) = f 2 ( X 2 ) f 2 ( X 1 ) = f 2 ( X 2 ) ⇔ X 1 = X 2 or ( X 1 � = X 2 and f 2 ( X 1 ) = f 2 ( X 2 )). Chosen plaintext attack : O (2 n / 2 ) messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 7 / 39

  8. Feistel ciphers with internal permutations Different behaviour of these Feistel networks and the classical ones. Example (3 rounds) : L R f X f S T 1 2 f 3 Attack on 3 round classical Feistel ciphers : Relations considered between two input/output couples : R 1 ⊕ S 1 = R 2 ⊕ S 2 . Random permutation : probability 1 / 2 n ; Feistel cipher : probability 2 / 2 n R 1 ⊕ S 1 = R 2 ⊕ S 2 ⇔ f 2 ( X 1 ) = f 2 ( X 2 ) f 2 ( X 1 ) = f 2 ( X 2 ) ⇔ X 1 = X 2 or ( X 1 � = X 2 and f 2 ( X 1 ) = f 2 ( X 2 )). Chosen plaintext attack : O (2 n / 2 ) messages. Known plaintext attack : O (2 n / 2 ) messages. Does not work on Feistel cipher with round permutations ! Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 7 / 39

  9. Generic attacks Definition A generic attack on a Feistel cipher with internal permutations, is an attack allowing to distinguish with high probability a Feistel cipher from a random permutation, when the round permutations are randomly chosen. We interest ourselves in generic attacks, necessiting < O (2 2 n ) messages (exhaustive search on the inputs). When the complexity is ≥ O (2 2 n ), we interest ourselves in attacks on Feistel permutation generators. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 8 / 39

  10. Two-point attacks Definition two-point attacks are attacks using correlations between blocks of pairs of distinct messages. Example : previous attack on 3 rounds, relations considered between 2 messages were R 1 ⊕ S 1 = R 2 ⊕ S 2 . Best known attacks against classical Feistel ciphers (except on 3 rounds, CPCA-2). Efficient against Feistel ciphers with internal permutations : the complexities of the two-point attacks found (except on 3 rounds, CPCA − 2) coincide with the known bounds of security (3 and 4 rounds, [Piret-05]). Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 9 / 39

  11. Notations KPA : known plaintext attack CPA − 1 : non-adaptive chosen plaintext attack CPA − 2 : adaptive chosen plaintext attack CPCA − 1 : non-adaptive chosen plaintext and ciphertext attack CPCA − 2 : adaptive chosen plaintext and ciphertext attack B n : permutation on n bits. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 10 / 39

  12. Generic attack by hand : 1 and 2 rounds R=S L f T 1 Relation considered : R = S . Random permutation : probability 1 / 2 n ; Feistel cipher : probability 1. KPA : 1 message. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 11 / 39

  13. Generic attack by hand : 1 and 2 rounds R=S L f T 1 Relation considered : R = S . Random permutation : probability 1 / 2 n ; Feistel cipher : probability 1. KPA : 1 message. L R f S f T 1 3 Relations considered : R 1 = R 2 , S 1 ⊕ S 2 = L 1 ⊕ L 2 . CPA − 1. Random permutation : probability 1 / 2 n ; Feistel cipher : probability 1. CPA − 1 : 2 messages. KPA : O (2 n / 2 ) messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 11 / 39

  14. Generic attacks by hand : 3 rounds L R X f f S f T 1 2 3 Relation considered : L 1 = L 2 , R 1 ⊕ R 2 = S 1 ⊕ S 2 . CPA − 1. Random permutation : probability 1 / 2 n ; Feistel cipher : probability 0 R 1 ⊕ R 2 = S 1 ⊕ S 2 ⇒ X 1 = X 2 ⇒ R 1 = R 2 . CPA − 1 : O (2 n / 2 ) messages. KPA : O (2 n ) messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 12 / 39

  15. Generic attack by hand : 4 rounds 1 2 L R X f X f f S f T 1 2 3 4 Relation considered : R 1 = R 2 , L 1 ⊕ L 2 = S 1 ⊕ S 2 . CPA − 1. Random permutation : probability 1 / 2 n ; Feistel cipher : probability 0 R 1 = R 2 ⇒ X 1 1 ⊕ X 1 2 = L 1 ⊕ L 2 . L 1 ⊕ L 2 = S 1 ⊕ S 2 = X 1 1 ⊕ X 1 2 ⇒ X 2 1 = X 2 2 ⇒ L 1 = L 2 . CPA − 1 : O (2 n / 2 ) messages. KPA : O (2 n ) messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 13 / 39

  16. Generic attack by hand : 5 rounds [Knudsen-02] 1 2 3 L R f X f X f X S T 1 f 4 f 2 3 5 Relation considered : R 1 = R 2 , S 1 = S 2 , L 1 ⊕ L 2 = T 1 ⊕ T 2 . CPA − 1. Random permutation : probability 1 / 2 2 n ; Feistel cipher : probability 0. S 1 = S 2 ⇒ X 3 1 ⊕ X 3 2 = T 1 ⊕ T 2 . R 1 = R 2 ⇒ X 1 1 ⊕ X 1 2 = L 1 ⊕ L 2 . T 1 ⊕ T 2 = L 1 ⊕ L 2 ⇒ X 2 1 = X 2 2 ⇒ X 1 1 = X 1 2 ⇒ L 1 = L 2 . CPA − 1 : O (2 n ) messages. KPA : O (2 3 n / 2 ) messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 14 / 39

  17. Special case : 3 rounds, CPCA − 2 L R X S T f f f 1 2 3 Best attack is 3-point attack. The same attack as for classical Feistel ciphers [LR-88]. 3 messages : [ L 1 , R 1 ] / [ S 1 , T 1 ], [ L 2 , R 1 ] / [ S 2 , T 2 ] and [ L 3 , R 3 ] / [ S 1 , T 1 ⊕ L 1 ⊕ L 2 ]. Relation considered : R 2 ⊕ R 3 = S 2 ⊕ S 3 . CPCA − 2. Feistel cipher : probability 1 ; Random permutation : probability 1 / 2 n R 1 = R 2 ⇒ X 1 ⊕ X 2 = L 1 ⊕ L 2 . S 1 = S 3 ⇒ X 1 ⊕ X 3 = T 1 ⊕ T 3 . T 3 ⊕ T 1 = L 1 ⊕ L 2 ⇒ X 2 = X 3 . X 2 = X 3 ⇒ R 2 ⊕ R 3 = S 2 ⊕ S 3 . CPCA − 2 : 3 messages. Joana Treger, Jacques Patarin (PRiSM, Universit´ Generic Attacks on Feistel Ciphers With Internal Permutations e de Versailles) 2008-11-27 15 / 39

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 4th March 2014 - FSE 2014 Lampe &amp; Seurin (Versailles &amp; ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

865 views • 53 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe &amp; Seurin (Versailles &amp; ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

553 views • 52 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

653 views • 36 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques Patarin CANS 2013 20 November 2013 Outline Introduction 1 State of the Art Our Contribution Definition of the schemes Attacks on Type-1

893 views • 45 slides
Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang Technological University, Singapore

426 views • 24 slides
Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der

Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der

Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der Ham &amp; Marc Smeets Master System and Network Engineering University of Amsterdam 2 July 2014 Introduction Motivation Ciphers like DES and

544 views • 18 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi

New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi

Intro SelfSimilar New Summary New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi Shamir Eurocrypt 2020 Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 1/ 28 Intro SelfSimilar

819 views • 40 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems, School of ICT, KTH - Royal Institute of Technology, Stockholm Email:{shsm,dubrova}@kth.se

457 views • 17 slides
Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Introduction Full Diffusion Delay Matrix of a Feistel Network New Feistel Networks Proposals An Efficient Example Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine Minier 2 , Gal Thomas 1 1 XLIM

448 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF, Lausanne Invited Talk to ASK 2019 14th December 2019 Outline Introduction Sprout (FSE15) Previous Work Attack by Esgin/Kara (SAC 2015)

597 views • 46 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides

More recommend