Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (presentation slides)



  1. Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly
  Qingju Wang (1), Yonglin Hao (2), Yosuke Todo (3), Chaoyun Li (4), Takanori Isobe (5), Willi Meier (6)
  (1) SnT, University of Luxembourg, LU; (2) State Key Laboratory of Cryptology, Beijing, CN; (3) NTT Secure Platform Laboratories, JP; (4) imec-COSIC, KU Leuven, BE; (5) University of Hyogo, JP; (6) FHNW, CH
  August 20, 2018

  2. Outline
  1 Introduction
  2 Motivations: TodoIHM17 and Its Limitations
  3 Our Approach
  4 Applications
  5 Conclusions and Future Works
  Wang, Hao, Todo, Li, Isobe, Meier. Improved Division Property Based Cube Attacks. August 20, 2018. 1 / 29

  3. Outline
  1 Introduction
    Stream Ciphers
    Cube Attacks
  2 Motivations: TodoIHM17 and Its Limitations
  3 Our Approach
  4 Applications
  5 Conclusions and Future Works

  4. Introduction: Why Stream Ciphers?
  - Fast in software: RC4, ChaCha
  - Efficient in hardware: Grain, Trivium
  - Few multiplications (low AND count), which matters for masking, FHE and MPC: Trivium, Kreyvium, FLIP, Rasta
  - Used as authenticated encryption: ACORN

  5. Introduction: Stream Ciphers
  - $n$-bit secret variables (key) $\vec{x} = (x_1, x_2, \ldots, x_n)$
  - $m$-bit public variables (IV) $\vec{v} = (v_1, v_2, \ldots, v_m)$
  - State update $s_{i+1} = \mathrm{Upd}(s_i)$, $0 \le i \le r-1$, where $s_0 = (\vec{x}, \vec{v})$
  - $z$ is the first bit of the keystream, written as a polynomial in the public variables:
    $$z = f(\vec{x}, \vec{v}) = \sum_{\vec{u} \in \mathbb{F}_2^m} \beta^f_{\vec{u}} \, \vec{v}^{\vec{u}}, \qquad \text{where } \vec{v}^{\vec{u}} = \prod_{i=1}^{m} v_i^{u_i}$$
    (each coefficient $\beta^f_{\vec{u}}$ is itself a Boolean function of the secret variables $\vec{x}$)

  6. Introduction: Cube Attacks. The Idea of the Classical Cube Attacks
  - $I = \{i_1, i_2, \ldots, i_{|I|}\}$ is the index set of the active IV bits, and $t_I = \prod_{i \in I} v_i$ is the corresponding cube monomial.
  - $C_I$ (the cube) is the set of all $2^{|I|}$ assignments to the bits $v_i$, $i \in I$; the remaining IV bits are fixed to constants.
  - $z = f(\vec{x}, \vec{v}) = t_I \cdot p_I(\vec{x}, \vec{v}) + q_I(\vec{x}, \vec{v})$, where every monomial of $q_I$ misses at least one variable of $t_I$.
  - $\bigoplus_{\vec{v} \in C_I} z = p_I(\vec{x}, \vec{v})$ is called the superpoly of $C_I$: every monomial of $q_I$ is summed an even number of times over the cube and vanishes, while $t_I$ takes the value 1 exactly once.
  - Attackers can recover secret information about $\vec{x}$ by analyzing $p_I$.
  - In practice $f$ cannot be decomposed symbolically, since real stream ciphers are far too complicated.

  10. Introduction: Cube Attacks. Experimental Approach for Classical Cube Attacks
  The stream cipher is regarded as a black box. How to recover the ANF of $p_I(\vec{x}, \vec{v})$:
  1 Compute $\bigoplus_{\vec{v} \in C_I} f(\vec{x}, \vec{v}) = p_I(\vec{x}, \vec{v})$ for a randomly chosen $\vec{x}$.
  2 Run linearity tests many times to check whether $p_I(\vec{x}, \vec{v}) \oplus p_I(\vec{x}', \vec{v}) \oplus p_I(\vec{0}, \vec{v}) = p_I(\vec{x} \oplus \vec{x}', \vec{v})$ for random $\vec{x}, \vec{x}'$ (the BLR form; the constant term $p_I(\vec{0}, \vec{v})$ lets an affine superpoly pass as well).
  3 If the tests pass, the ANF of the (affine) superpoly is recovered from $p_I(\vec{0}, \vec{v})$ and $p_I(\vec{e}_j, \vec{v})$, $j = 1, \ldots, n$.
  Drawback of this approach: each cube sum costs $2^{|I|}$ black-box evaluations, so the cube size is limited to the experimental range, $|I| \le 40$ or so.
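The black-box procedure above, worked through as an added example (this is not code from the paper): a constructed toy keystream function f(x, v) with 4 key bits and 4 IV bits stands in for the cipher, the cube sum, the BLR linearity test with the constant term, and the affine ANF recovery are implemented as the slide describes, and the on-line step turns one cube into one linear equation in the key bits. The function f, the cube choices and all names are this example's own assumptions.

```python
import random
from itertools import product

N_KEY, N_IV = 4, 4   # toy sizes; real ciphers have 80 to 128 key bits

def f(x, v):
    """Constructed toy 'first keystream bit' f(x, v) over GF(2); not a real cipher.
    x and v are lists of 0/1 bits (key and IV)."""
    return ((v[0] & v[1] & (x[0] ^ x[2] ^ 1))              # t_I = v0*v1 times an affine superpoly
            ^ (v[0] & v[1] & v[2] & x[3])                  # also divisible by v0*v1, visible when v2 = 1
            ^ (v[2] & x[1] & x[3]) ^ (v[1] & x[0]) ^ x[1]  # q_I terms: each misses v0 or v1
            ^ (v[2] & v[3] & x[0] & x[1]))                 # cube {2,3} has the nonlinear superpoly x0*x1

def cube_sum(x, cube, iv_const):
    """XOR of f over all 2^|I| assignments to the cube bits; other IV bits fixed to iv_const.
    With the cipher as a black box this is all the attacker can compute."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(iv_const)
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(x, v)
    return acc

def linearity_test(cube, iv_const, trials=100, seed=1):
    """BLR-style test: p(x) ^ p(x') ^ p(0) == p(x ^ x') for random key pairs.
    Passing every trial means p_I is affine in x with overwhelming probability."""
    rng = random.Random(seed)
    p0 = cube_sum([0] * N_KEY, cube, iv_const)
    for _ in range(trials):
        x = [rng.randrange(2) for _ in range(N_KEY)]
        x2 = [rng.randrange(2) for _ in range(N_KEY)]
        x3 = [a ^ b for a, b in zip(x, x2)]
        if cube_sum(x, cube, iv_const) ^ cube_sum(x2, cube, iv_const) ^ p0 != cube_sum(x3, cube, iv_const):
            return False
    return True

def recover_affine_superpoly(cube, iv_const):
    """Once the test passes: p_I(x) = c ^ XOR_j a_j x_j with c = p(0) and a_j = p(e_j) ^ c.
    Returns (c, [a_1, ..., a_n]); n + 1 cube sums in total."""
    c = cube_sum([0] * N_KEY, cube, iv_const)
    coeffs = []
    for j in range(N_KEY):
        e_j = [int(i == j) for i in range(N_KEY)]
        coeffs.append(cube_sum(e_j, cube, iv_const) ^ c)
    return c, coeffs

def online_equation(cube, iv_const, secret_x):
    """On-line phase: 2^|I| oracle queries under the unknown key yield one linear equation
    XOR_j a_j x_j = p_I(secret) ^ c in the key bits. Returns (coefficients, right-hand side)."""
    c, coeffs = recover_affine_superpoly(cube, iv_const)
    return coeffs, cube_sum(secret_x, cube, iv_const) ^ c
```

For the cube {0, 1} the recovered superpoly is x0 + x2 + 1 with the constant IV bits at 0 and x0 + x2 + x3 + 1 once v2 is set to 1, so the choice of the non-cube IV constants changes which key bits the equation involves; for the cube {2, 3} the superpoly is x0 x1 and the linearity test rejects it, which is exactly the case the black-box approach cannot use.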

  11. Introduction: Cube Attacks. Contributions of TodoIHM17
  - Introduces the division property to cube attacks for the first time, in order to analyze the ANF of the superpoly.
  - The first theoretical cube attack, able to exploit very large cubes: e.g. $|I| = 72$ for 832-round Trivium.
  - Provides upper bounds on the complexity of recovering the ANF of the superpoly.

  12. Outline
  1 Introduction
  2 Motivations: TodoIHM17 and Its Limitations
    Division Property and Division Trails
    Cube Attacks Based on Division Property
    Limitations of TodoIHM17
  3 Our Approach
  4 Applications
  5 Conclusions and Future Works

  13. Motivations: TodoIHM17 and Its Limitations. Division Property and Division Trails
  (Bit-Based) Division Property, Todo Eurocrypt'15
  Let $\mathbb{X} \subseteq \mathbb{F}_2^n$ be a multiset and $\mathbb{K} = \{\vec{k} \mid \vec{k} \in \mathbb{F}_2^n\}$ a set of vectors. $\mathbb{X}$ has the division property $\mathcal{D}^n_{\mathbb{K}}$ if it fulfills
  $$\bigoplus_{\vec{x} \in \mathbb{X}} \vec{x}^{\vec{u}} = \begin{cases} \text{unknown} & \text{if there exists } \vec{k} \in \mathbb{K} \text{ s.t. } \vec{u} \succeq \vec{k}, \\ 0 & \text{otherwise,} \end{cases}$$
  where $\vec{u} \succeq \vec{k}$ if $u_i \ge k_i$ for all $i$.
  Division Trail, Xiang et al. Asiacrypt'16
  Assume the initial division property of a cipher is $\mathcal{D}^n_{\mathbb{K}_0}$ and the division property after the $i$-th round function $R$ is $\mathcal{D}^n_{\mathbb{K}_i}$. We have a trail of $r$ rounds of division property propagation
  $$\mathbb{K}_0 \xrightarrow{R} \mathbb{K}_1 \xrightarrow{R} \cdots \xrightarrow{R} \mathbb{K}_r.$$
  For $(\vec{k}_0, \vec{k}_1, \ldots, \vec{k}_r) \in \mathbb{K}_0 \times \mathbb{K}_1 \times \cdots \times \mathbb{K}_r$, if $\vec{k}_i \to \vec{k}_{i+1}$ for all $0 \le i \le r-1$, then $(\vec{k}_0, \vec{k}_1, \ldots, \vec{k}_r)$ is called an $r$-round division trail.

  14. Motivations: TodoIHM17 and Its Limitations. Division Property and Division Trails. Evaluation of Division Trails
  Ask a constraint solver for help (Xiang et al., Asiacrypt'16): create a MILP model $\mathcal{M}$ for the propagation of the division property.
  - MILP, SAT/SMT, constraint programming, etc. all serve.
  - $\vec{k}_0 \xrightarrow{\mathrm{Upd}} \cdots \xrightarrow{\mathrm{Upd}} \vec{k}_i \xrightarrow{\mathrm{Upd}} \vec{k}_{i+1} \xrightarrow{\mathrm{Upd}} \cdots \xrightarrow{\mathrm{Upd}} \vec{k}_r$
  - The entries of $\vec{k}_0, \ldots, \vec{k}_r$ are binary variables of $\mathcal{M}.var$.
  - $\mathrm{Upd}(\cdot)$ is described by constraints $\mathcal{M}.con$, one group of linear inequalities per COPY, AND and XOR operation.
  Solvers can efficiently decide the feasibility of division trails: if no trail $\vec{k}_0 \to \vec{e}_j$ is feasible, the $j$-th output bit is balanced (its sum over the input set is always 0).

  15. Motivations: TodoIHM17 and Its Limitations. Cube Attacks Based on Division Property. Evaluate ANF Coefficients of the Superpoly by Division Property
  Check whether a division trail $(\vec{e}_j, \vec{k}) \to 1$ exists, where $(\vec{e}_j, \vec{k}) \in \mathbb{F}_2^n \times \mathbb{F}_2^m$ and $\vec{v}^{\vec{k}} = t_I$ (i.e. $\vec{k}$ is the indicator vector of $I$).
  If there is no division trail $(\vec{e}_j, \vec{k}) \to 1$, then $x_j$ is not involved in the superpoly $p_I$.
  By repeating this procedure for every $j$, all the secret variables of $\vec{x}$ involved in the superpoly can be determined; denote them $J = \{x_{j_1}, x_{j_2}, \ldots, x_{j_{|J|}}\}$.

  17. Motivations: TodoIHM17 and Its Limitations. Cube Attacks Based on Division Property. Overview of the Attack Strategy in TodoIHM17
  1 Evaluation phase.
  - Construct a random set $I$.
  - Determine the key bits $J$ involved in the corresponding superpoly $p_I$ by the division-trail test.
  This phase is feasible: several hours using Gurobi.
  2 Off-line phase.
  - Sum the output over the cube $C_I$ for every assignment to $J$ and construct the whole truth table of the superpoly $p_I$.
  This phase is not practical, but its time and memory complexity are bounded by $2^{|I|+|J|}$ and $2^{|J|}$ respectively.
  3 On-line phase.
  - Query the encryption oracle $2^{|I|}$ times to obtain the exact value of the superpoly under the secret key.
  - Look up the precomputed truth table and keep the assignments to $J$ that agree with it, recovering information about the secret variables.
  Time and data complexity $2^{|I|}$.
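The division-trail machinery of slides 13 to 16 and the three phases above, worked through on a constructed toy cipher as an added example (not code from the paper, and the cipher is not Trivium): the bit-based propagation rules for COPY, XOR and AND are applied by explicit set enumeration in place of a MILP model, which is only viable because the toy state is 6 bits; the trail check for $(\vec{e}_j, \vec{k}_I) \to 1$ predicts the involved key bits $J$, a brute-force pass over the toy confirms the prediction is sound, and the off-line truth table plus the on-line lookup finish the attack. The toy cipher, wire names and function names are this example's own assumptions.

```python
from itertools import product

# Constructed toy cipher (not Trivium; illustration only): 3 key bits x, 3 IV bits v,
# state s = (x0, x1, x2, v0, v1, v2). One round computes t = s0 + s1 + s2*s3 + s5 and
# shifts s <- (s1, s2, s3, s4, s5, t); the keystream bit after r rounds is z = s0 + s4.
N_KEY, N_IV = 3, 3
STATE_WIRES = [f"s{i}" for i in range(N_KEY + N_IV)]
# One round as a gate program; every fan-out is an explicit COPY, as in the Xiang et al. model.
ROUND = [("copy", "s1", "a1", "s1b"), ("copy", "s2", "a2", "s2b"),
         ("copy", "s3", "a3", "s3b"), ("copy", "s5", "a5", "s5b"),
         ("and", "a2", "a3", "m"), ("xor", "s0", "a1", "t1"),
         ("xor", "t1", "m", "t2"), ("xor", "t2", "a5", "t")]
ROUND_OUT = ["s1b", "s2b", "s3b", "s4", "s5b", "t"]  # becomes the new (s0, ..., s5)
OUTPUT = [("xor", "s0", "s4", "z")]
OUTPUT_WIRES = ["z", "s1", "s2", "s3", "s5"]         # z plus the state bits that are discarded
TARGET = (1, 0, 0, 0, 0)                             # the trail endpoint "1": unit vector on z

def eval_gates(val, gates):
    """Concrete evaluation of a gate program over a wire -> bit dict."""
    val = dict(val)
    for op, a, b, c in gates:
        if op == "copy":
            val[b] = val[c] = val[a]
        else:
            val[c] = val[a] ^ val[b] if op == "xor" else val[a] & val[b]
    return val

def propagate(k0, gates):
    """Bit-based division property rules (Todo-Morii FSE'16 as modelled by Xiang et al.):
    COPY 1 -> (1,0) or (0,1); XOR (a,b) -> a+b, no trail if a = b = 1; AND (a,b) -> a|b."""
    branches = [dict(k0)]
    for op, a, b, c in gates:
        nxt = []
        for k in branches:
            if op == "copy":    # the division bit goes to exactly one of the two outputs
                nxt += [{**k, b: kb, c: kc} for kb, kc in ([(0, 0)] if k[a] == 0 else [(1, 0), (0, 1)])]
            elif op == "xor":   # degrees add; one output bit cannot carry degree 2, so (1,1) dies
                if k[a] + k[b] <= 1:
                    nxt.append({**k, c: k[a] + k[b]})
            else:               # AND: the product carries the bit if either input does
                nxt.append({**k, c: k[a] | k[b]})
        branches = nxt
    return branches

def step(K, gates, out_wires):
    """K_i -> K_{i+1}: propagate every vector, then project onto the program's output wires."""
    return {tuple(br[w] for w in out_wires)
            for k in K for br in propagate(dict(zip(STATE_WIRES, k)), gates)}

def reaches_output(k0, rounds):
    """Is there an r-round trail k0 -> ... -> (1 on z, 0 elsewhere)? Set enumeration replaces MILP."""
    K = {tuple(k0)}
    for _ in range(rounds):
        K = step(K, ROUND, ROUND_OUT)
    return TARGET in step(K, OUTPUT, OUTPUT_WIRES)

def keystream_bit(x, v, rounds):
    val = dict(zip(STATE_WIRES, list(x) + list(v)))
    for _ in range(rounds):
        out = eval_gates(val, ROUND)
        val = dict(zip(STATE_WIRES, (out[w] for w in ROUND_OUT)))
    return eval_gates(val, OUTPUT)["z"]

def superpoly_value(x, v_const, cube, rounds):
    """p_I(x, v): XOR of z over the 2^|I| cube values; non-cube IV bits fixed to v_const."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(v_const)
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= keystream_bit(x, v, rounds)
    return acc

def involved_key_bits(cube, rounds):
    """Evaluation phase: x_j can appear in p_I only if a trail (e_j, k_I) -> 1 exists,
    where v^{k_I} = t_I. Returns the predicted index set J."""
    k_I = [int(i in cube) for i in range(N_IV)]
    return [j for j in range(N_KEY)
            if reaches_output([int(i == j) for i in range(N_KEY)] + k_I, rounds)]

def superpoly_is_zero(cube, rounds):
    """Balanced-bit test of slide 14: no trail (0, k_I) -> 1 means the cube sum is always 0."""
    return not reaches_output([0] * N_KEY + [int(i in cube) for i in range(N_IV)], rounds)

def brute_force_involved(cube, rounds):
    """Ground truth for the toy: x_j is involved iff flipping it ever changes p_I."""
    J = set()
    for x, v in product(product((0, 1), repeat=N_KEY), product((0, 1), repeat=N_IV)):
        base = superpoly_value(x, v, cube, rounds)
        J |= {j for j in range(N_KEY)
              if superpoly_value([b ^ int(i == j) for i, b in enumerate(x)], v, cube, rounds) != base}
    return sorted(J)

def offline_truth_table(cube, J, rounds, v_const):
    """Off-line phase: p_I over all 2^|J| assignments to J (the other key bits fixed to 0)."""
    return {bits: superpoly_value([dict(zip(J, bits)).get(j, 0) for j in range(N_KEY)], v_const, cube, rounds)
            for bits in product((0, 1), repeat=len(J))}

def online_candidates(cube, J, rounds, v_const, secret_x):
    """On-line phase: 2^|I| keystream queries under the secret key give p_I; keep matching J-values."""
    observed = superpoly_value(secret_x, v_const, cube, rounds)  # keystream_bit plays the oracle
    return [bits for bits, val in offline_truth_table(cube, J, rounds, v_const).items() if val == observed]
```

After two rounds the toy's keystream bit is z = x0 + x1 + x2 + x2 v0 + v2, so the cube {v0} has superpoly x2: the trail test finds exactly J = {x2}, rejects x0 and x1 because every trail from (e_0, k_I) or (e_1, k_I) leaves a discarded state bit set, and the one-entry truth table then pins x2 from a single on-line cube sum. The cube {v1} is predicted balanced, matching the absence of v1 in z. The brute-force check shows the soundness direction only: the division property can over-approximate J but never misses an involved bit, which is what makes the off-line table trustworthy.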

  18. Motivations: TodoIHM17 and Its Limitations. Limitations of TodoIHM17
  Limitation 1: Finding proper IVs may require multiple trials in the 2nd (off-line) phase.
  - TodoIHM17 relies on assumptions that IVs exist for which $p_I(\vec{x}, \vec{IV}) \not\equiv 0$; a superpoly that is identically zero leaks nothing about $\vec{x}$.
  - When $|I| + |J|$ is small, practical experiments can be run to find such a specific IV.
  - The rationality of these assumptions is hard to prove, especially when $|I| + |J|$ is close to $n$.
