improved attacks on full gost
play

Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and - PowerPoint PPT Presentation

Nov 26, 2022 •643 likes •995 views

Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel GOST Designed by Soviet cryptographers in the 1980 s Motivated by the desire to construct an

  1. Improved Attacks on Full GOST Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel

  2. GOST • Designed by Soviet cryptographers in the 1980 ’s • Motivated by the desire to construct an alternative to DES • Declassified in 1994

  3. Design philosophy • Like DES, a Feistel structure over 64-bit blocks • Use simpler components compared to DES • Try to get higher security • DES uses 56 bits of key and 16 rounds • GOST uses 256 bits of key and 32 rounds • Does not specify the Sboxes

  4. One Round of GOST

  5. The Key Schedule • Break the 256-bit key into 8 subkeys of 32 bits • In the first 24 rounds the keys are used in their cyclic order • In the final 8 rounds the round keys are used in reverse order • Perhaps to avoid slide attacks K1,K2 ,…,K 8,K1,K2 ,…,K 8,K1,K2 ,…K 8 ,K8,K7 ,…,K 1

  6. Previous Single Key Attacks • In 2011 Isobe published the first single key attack on full GOST • Data 2 32 , Time 2 224 , Memory 2 64 • Based on the reflection self-similarity property of GOST (Kara 2008) • Uses a meet-in-the-middle attack • Requires invertible Sboxes • Several attacks were later published by Courtois • Their complexity was evaluated for the Sboxes used by Russian banks • It is expected that the attacks have similar complexities for other choices of Sboxes (C’ 12)

  7. Self-Similarity Properties Used in Our Attacks • The reflection property (Kara 2008) • A new fixed point property (independently discovered by Courtois’ 11) • Reduce attacking 32-round GOST to attacking 8- round GOST given 2 input-output pairs

  8. The Reflection Property (Kara 2008) • Requires about 2 32 known plaintext-ciphertext pairs • Guess the 64-bit value X • Altogether, apply the 8-round attack 2 96 times • We have another “half pair” since we know that the two sides of Y are equal • We do not know how to efficiently exploit this information

  9. The Fixed-Point Property (independently discovered by Courtois’ 11) • Requires about 2 64 known plaintext-ciphertext pairs (the full codebook) • Apply the 8-round attack 2 64 times • Given c·2 64 known plaintexts for c<1, this fixed point occurs with probability c • The success probability is reduced by c

  10. Given Two 8-Round Input-Output Pairs • 128-bit constraint • The 8-round attacks leave 2 256-128 =2 128 keys • Need to test the remaining 2 128 keys • The time complexity of the 8-round attacks is at least 2 128

  11. 8-Round Attacks • A basic meet-in-the-middle (MITM) attack • Time 2 128 , memory 2 128 • A more efficient MITM attack • Time 2 128 , memory 2 64 • A variant of Isobe’s attack • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s • A new low-memory attack • Time 2 140 , memory 2 19 • A new 2-dimensional meet-in-the-middle ( 2DMITM ) attack • Time 2 128 , memory 2 36

  12. Attacks on Full GOST • Select one of the two self-similarity properties for the outer loop: • If we have 2 64 data , select the fixed point property • If we have 2 32 data , select the reflection property • Select one of last two 8-round attacks: • If we have 2 36 memory , select the 2DMITM attack • If we have 2 19 memory (fits cache), select the low-memory attack • Altogether we obtain 4 attacks on full GOST

  13. Attacks on Full GOST LOG(T) 256 2 32 data 236 I’ 11 224 C ’ 11 204 2 64 data 192 LOG(M) 0 19 36 64

  14. 8-Round Attacks • A basic meet-in-the-middle (MITM) attack • Time 2 128 , memory 2 128 • A more efficient MITM attack • Time 2 128 , memory 2 64 • A variant of Isobe’s attack • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s • A new low-memory attack • Time 2 140 , memory 2 19 • A new 2-dimensional meet-in-the-middle attack • Time 2 128 , memory 2 36

  15. A Basic MITM Attack I I * K 1 -K 4 Y Y* K 5 -K 8 O O* • For each 128-bit value of K 1 -K 4 • Partially encrypt I and I *, and store the 128-bit suggestions for Y and Y* in a sorted list • For each 128-bit value of K 5 -K 8 • Partially decrypt O and O*, and look for matches in the list • For each match test the full key • Time 2 128 , memory 2 128

  16. 8-Round Attacks • A basic meet-in-the-middle (MITM) attack • Time 2 128 , memory 2 128 • A more efficient MITM attack • Time 2 128 , memory 2 64 • A variant of Isobe’s attack • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s • A new low-memory attack • Time 2 140 , memory 2 19 • A new 2-dimensional meet-in-the-middle attack • Time 2 128 , memory 2 36

  17. A More Efficient MITM attack I I * K 1 -K 4 Y Y* K 5 -K 8 O O* • For each 64-bit value of Y • Use a 4-round attack to obtain suggestions for K 1 -K 4 given ( I ,Y) in time 2 64 • Independently obtain suggestions for K 5 -K 8 given (Y,O) • Store the suggestions in two lists of size 2 128-64 =2 64 • Perform a basic MITM attack on ( I *,O*) using the keys stored in the lists • Time 2 64 ·2 64 =2 128 , memory 2 64

  18. A More Efficient MITM attack The 4-Round Attack I K 1 -K 4 Y K 5 -K 8 O • Given ( I ,Y) perform a basic MITM attack to obtain 2 64 suggestions for K 1 -K 4 • Repeat independently for K 5 -K 8

  19. 8-Round Attacks • A basic meet-in-the-middle (MITM) attack • Time 2 128 , memory 2 128 • A more efficient MITM attack • Time 2 128 , memory 2 64 • A variant of Isobe’s attack • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s • A new low-memory attack • Time 2 140 , memory 2 19 • A new 2-dimensional meet-in-the-middle attack • Time 2 128 , memory 2 36

  20. The Low Memory Attack I I * K 1 -K 4 Y Y* K 5 -K 8 O O* • For each 128-bit value of K 5 -K 8 • Partially decrypt O and O* and obtain two 4-round input- output pairs ( I ,Y) and ( I *,Y*) • Execute a 4- round “Guess and Determine” routine to obtain suggestions for the (expected number of) 2 128-128 =1 key

  21. The 4- Round “Guess and Determine” Routine • Exploits the slow diffusion of the key into the state • Traverse a layered tree of partial guesses for K 1 -K 4 • The nodes in each layer specify guesses for a certain subset of the key bits • The nodes of the last layer contain guesses for K 1 -K 4

  22. The 4-Round “Guess and Determine” Routine • Expand a node by guessing the values of a small number of additional key bits • Calculate intermediate encryption bits from both sides of the block cipher • Discard nodes for which the values do not match

  23. The Size of the Tree • The time complexity is proportional to the number of nodes • Minimize the number of nodes by guessing the smallest number of bits in each layer • Use DFS to minimize memory complexity

  24. The “Guess and Determine” Routine S-GOST S1 • A simplified version of GOST • The layer procedure: work on 4- 12 bit chunks K 1 • Discard wrong key guesses by evaluating 4 state bits from both sides • The procedure of each layer is S4 12 basically the same and is called an K 2 iteration • 8 iterations to recover the key

  25. The “Guess and Determine” Procedure Real GOST S1 • Guess additional carry and state S2 bits • The iterations are performed in K 1 their natural order • Guess carries only in the first iteration • In the remaining iterations they are S4 S5 known K 2 • We pay for state bit guesses only in the first iteration

  26. The Low Memory Attack Complexity Analysis • The “Guess and Determine” routine • Time 2 12 , memory 2 19 (using tables computed once and for all) • The low memory attack • Time 2 128 · 2 12 =2 140 , memory 2 19

  27. 8-Round Attacks • A basic meet-in-the-middle (MITM) attack • Time 2 128 , memory 2 128 • A more efficient MITM attack • Time 2 128 , memory 2 64 • A variant of Isobe’s attack • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s • A new low-memory attack • Time 2 140 , memory 2 19 • A new 2-dimensional meet-in-the-middle attack • Time 2 128 , memory 2 36

  28. The 2-Dimensional Meet-in-the- Middle Attack (2DMITM) I I * K 1 -K 4 (top part) Y Y* K 5 -K 8 (bottom part) O O* • Exploit slow avalanche of state bits • Do not guess K 5 -K 8 in advance • Run 4 out of 8 iterations of the “Guess and Determine" attack with knowledge of 82 out of 128 bit of Y and Y*

  29. The 2-Dimensional Meet-in-the- Middle Attack Top MITM K 1 -K 4 Y,Y* K 5 -K 8 Bottom MITM • Split each “Guess and Determine" attack into two partial 4-round attacks • Run each attack for all possible values of Y and Y* it requires (2 82 times) • Run MITM attacks to combine the suggestions of the partial attacks to suggestions for the 4-round keys

  30. The 2-Dimensional Meet-in-the- Middle Attack Top MITM K 1 -K 4 Y,Y* Joint MITM K 5 -K 8 Bottom MITM • Join the values suggested by the top and bottom parts to obtain suggestions for the full key using a final MITM attack • We did not filter any keys in the top and bottom 4- round attacks • The attack requires 2 128 memory • The partial 4-round attacks take at most 2 18 time and are executed 2 82 times

Recommend

and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020

and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020

The Slavic guest and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020 RUSSIAN ACADEMY OF SCIENCES PSl. * gost- - (m.) OCS, ORuss. gost, Bulg. gost, B/C/S gst , Gen. gsta , Slov. gst ,

520 views • 36 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of

Improved Correlation Attacks on SOSEMANUK and SOBER-128 Joo Yeon Cho Helsinki University of Technology Department of Information and Computer Science, Espoo, Finland 24th March 2009 1 / 35 SOSEMANUK Attack Approximations SOBER-128

365 views • 35 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni

Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni

Understanding Screaming Channels: From a Detailed Analysis to Improved Attacks Giovanni Camurati*, Aurlien Francillon*, Franois-Xavier Standaert** *EURECOM, **Universit catholique de Louvain Who am I? Giovanni Camurati Ph.D. Student at

1.27k views • 94 slides
STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

mjos@item.ntnu.no STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O. Saarinen Norwegian University of Science and Technology Directions in Authentication Ciphers '14 24 August 2014, Santa Barbara USA 1

220 views • 19 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

615 views • 59 slides
Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2 Deian Stefan 3 1 EPFL, Switzerland 2 FHNW, Switzerland 3 The Cooper Union, USA AFRICACRYPT 2010, Mai 03-06, Stellenbosch Abstract Follow-up of

506 views • 16 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

991 views • 56 slides
Results Presentation. Full Year Results 2018 www.mybucks.com Salient features. 2 Operating

Results Presentation. Full Year Results 2018 www.mybucks.com Salient features. 2 Operating

1 Results Presentation. Full Year Results 2018 www.mybucks.com Salient features. 2 Operating profit improved by 26% year-on-year. Loss after tax improved as a result of increased revenues, improved impairment to revenue, reduced cost of

446 views • 20 slides
Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery Ananth Raghunathan Stanford University Pseudorandom Functions (PRFs) x { 0 , 1 } R k K x k PRF PRF( k , x ) x Rand Rand(

565 views • 23 slides
Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Introduction Results ECHO Grstl Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas Peyrin CRYPTO 2010 Santa Barbara - November 19, 2010 Introduction Results ECHO Grstl Outline

382 views • 23 slides
Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research

Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research

Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research (and my travel!) sponsored by current Intellectual Property owners of Hummingbird-2. Fast Software Encryption 2013 Singapore, Singapore 13 March

719 views • 25 slides
An improved full reconstruction tool utilizing NeuroBayes Physics In Collision 2010, Poster

An improved full reconstruction tool utilizing NeuroBayes Physics In Collision 2010, Poster

An improved full reconstruction tool utilizing NeuroBayes Physics In Collision 2010, Poster Session M. Feindt, M. Kreps, T. Kuhr, F. Keller, S. Neubauer, D. Zander, A. Zupanc | September 3rd, 2010 I NSTITUT F UR EXPERIMENTELLE K ERNPHYSIK , K

244 views • 7 slides
IMPROVED PROFITABILITY WITH EBITDAMARGIN OF 13% Q1/2020 Samu Konttinen, President &amp; CEO 1

IMPROVED PROFITABILITY WITH EBITDAMARGIN OF 13% Q1/2020 Samu Konttinen, President &amp; CEO 1

IMPROVED PROFITABILITY WITH EBITDAMARGIN OF 13% Q1/2020 Samu Konttinen, President &amp; CEO 1 KEY TAKEAWAYS FROM Q1-2020 Improved profitability with EBITDA margin of 13% F-Secure has ensured full business continuity to the customers

377 views • 14 slides
On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

Motivation Previous Work Improved Filter Conclusion On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg Early Symmetric Crypto 2015

533 views • 37 slides
THE NODE.JS HIGHWAY: ATTACKS AT FULL THROTTLE Susan St.Clair, Solutions Architect Checkmarx

THE NODE.JS HIGHWAY: ATTACKS AT FULL THROTTLE Susan St.Clair, Solutions Architect Checkmarx

THE NODE.JS HIGHWAY: ATTACKS AT FULL THROTTLE Susan St.Clair, Solutions Architect Checkmarx Agenda Agenda Architecture DoS Weak Crypto JSON SQLi Re-DoS App Re-Routing Single Thread Architecture - Event Loop

674 views • 33 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides

More recommend