improved key recovery attacks on reduced round aes on
play

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round - PowerPoint PPT Presentation

Dec 29, 2023 •276 likes •863 views

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

  1. Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir

  2. AES • AES is the best known and most widely used secret key cryptosystem • Almost all secure connections on the Internet use AES • Almost all secure connections on the Internet use AES • Its security had been analyzed for more than 20 years • AES has either 10, 12, or 14 rounds depending on the key size (128, 192, 256 bits) 256 bits) • To date there is no known attack on full AES which is significantly faster than exhaustive search

  3. Analyzing reduced round AES • Interesting as a platform for analyzing the remaining • Interesting as a platform for analyzing the remaining security margins • Several Light Weight Cryptosystems and Hash functions use 4 or 5 rounds AES as a building block functions use 4 or 5 rounds AES as a building block • 4-Round AES: ZORRO, LED and AEZ • 5-Round AES: WEM, Hound and ELmD

  4. Analyzing reduced round AES • There are 3 relevant parameters: • There are 3 relevant parameters: Time (T), Memory (M) and Data (D) • To combine these 3 complexity measures it is common to summarize them as a single number common to summarize them as a single number max(T,M,D) defined as their Total Complexity max(T,M,D) defined as their Total Complexity

  5. Best attacks on 5 round AES • Only a few techniques led to successful attacks against 5-round AES Technique Complexity Year Max(T, D, M) 2000 2 32 Square 2001 2001 2 32 2 32 Imp. Differential Imp. Differential 2017 2 32 Yoyo

  6. Recent attacks on 5 rounds AES • In 2017 a new technique (the multiple-of-8 attack [GRR, EC’17]) was proposed, and in 2018 Grassi applied a special EC’17]) was proposed, and in 2018 Grassi applied a special version of it (the mixture-differentials attack) to 5 round AES • However, its complexity was not better than previous attacks attacks • In this work we improve the 20 year old record to 2 22

  7. Recent attacks on 5 rounds AES • In 2017 a new technique (the multiple-of-8 attack • In 2017 a new technique (the multiple-of-8 attack [GRR, EC’17]) was proposed, and in 2018 Grassi had applied a special version of it (the mixture- differentials attack) to 5 round AES • However, its complexity was not better than previous • However, its complexity was not better than previous attacks

  8. Best attacks on 5 round AES - updated Complexity Technique Year Max(T, D, M) 2000 2 32 Square 2001 2001 2 32 Imp. Differential Imp. Differential 2 2017 2 32 Yoyo 2 32 Grassi 2018

  9. Our new result • Breaking the 20 years old 2 32 barrier by a factor of 1000: Technique Complexity Year Max(T, D, M) 2000 2 32 Square 2001 2001 2 32 Imp. Differential Imp. Differential 2 2017 2 32 Yoyo 2 32 Grassi 2018 2 22 Our new result 2018

  10. AES structure • 10, 12, or 14 rounds, where each round of AES consists of: • Extra ARK operation before the first round • No Mix Column in the last round

  11. SB – SubBytes Operation By User:Matt Crypto - Own work , Public Domain, https://commons.wikimedia.org/w/index.php?curid= 1118913

  12. SR – ShiftRows Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118782

  13. MC – MixColumn Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118874

  14. ARK – Add Round Key Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118831

  15. The notation of mixtures (Grassi et. al 2017) • What is a mixture of an AES state pair (x,y)? X Y A1 A2 v B1 B2 Equal C1 C2 A Specific Value D1 D2 4 values Xor to 0 Z Z W W Arbitrary Value A1 A2 B2 B1 C1 C2 D2 D1

  16. The evolution of mixtures under AES • Consider the following 4 inputs to round i X Y A1 A2 B1 B2 Equal C1 C2 A Specific Value D1 D2 4 values Xor to 0 Z Z W W Arbitrary Value A1 A2 B2 B1 C1 C2 D2 D1

  17. The evolution of mixtures under AES • Round i after Sub Byte X Y A1* A2* B1* B2* Equal C1* C2* A Specific Value D1* D2* 4 values Xor to 0 Z Z W W Arbitrary Value A1* A2* B2* B1* C1* C2* D2* D1*

  18. The evolution of mixtures under AES • Round i after Shift Rows X Y A1* A2* B1* B2* C1* C2* Equal D1* D2* A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A1* A2* B2* B1* C1* C2* D2* D1*

  19. The evolution of mixtures under AES • Round i after Mix Column X Y A1c D1c C1c B1c A2c D2c C2c B2c Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A1c D2c C1c B2c A2c D1c C2c B1c

  20. The evolution of mixtures under AES • Round i after Add Round Key X Y A1c* D1c* C1c* B1c* A2c* D2c* C2c* B2c* Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A1c* D2c* C1c* B2c* A2c* D1c* C2c* B1c*

  21. The evolution of mixtures under AES • Input to round i+1 X Y A1c* D1c* C1c* B1c* A2c* D2c* C2c* B2c* Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A1c* D2c* C1c* B2c* A2c* D1c* C2c* B1c*

  22. The evolution of mixtures under AES • Round i+1 after Sub Byte X Y A1c’ D1c’ C1c’ B1c’ A2c’ D2c’ C2c’ B2c’ Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A1c’ D2c’ C1c’ B2c’ A2c’ D1c’ C2c’ B1c’

  23. The evolution of mixtures under AES • Implies weaker property in round i+1 after Sub Byte X Y Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value

  24. The evolution of mixtures under AES • Round i+1 after Shift Row, Mix Column and ARK X Y Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value

  25. The evolution of mixtures under AES • Input to round i+2 X Y Equal A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value

  26. Extending this property to 4 rounds • Assume states (X,Y) are equal in one of their diagonals X Y A A B B C C Equal D D A Specific Value 4 values Xor to 0 • Then: • Then: Z Z W W Arbitrary Value A’ A’ B’ B’ C’ C’ D’ D’

  27. Extending this property to 4 rounds • Round i+2 after Sub Byte X Y A* A* B* B* C* C* Equal D* D* A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A’* A’* B’* B’* C’* C’* D’* D’*

  28. Extending this property to 4 rounds • Round i+2 after Shift rows X Y A* A* B* B* C* C* Equal D* D* A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A'* A'* B'* B'* C'* C'* D'* D'*

  29. Extending this property to 4 rounds • Round i+2 after Mix Column X Y A° A° B° B° C° C° Equal D° D° A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A°’ A°’ B°’ B°’ C°’ C°’ D°’ D°’

  30. Extending this property to 4 rounds • Round i+2 after Add Round Key X Y A* A* B* B* C* C* Equal D* D* A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A*’ A*’ B*’ B*’ C*’ C*’ D*’ D*’

  31. Extending this property to 4 rounds • Then in the input to round i+3 we get X Y A* A* B* B* C* C* Equal D* D* A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A*’ A*’ B*’ B*’ C*’ C*’ D*’ D*’

  32. Extending this property to 4 rounds • Round i+3 after sub byte X Y A^ A^ B^ B^ C^ C^ Equal D^ D^ A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A^’ A^’ B^’ B^’ C^’ C^’ D^’ D^’

  33. Extending this property to 4 rounds • Round i+3 after Shift Rows and before Mix Column X Y A^ A^ B^ B^ C^ C^ Equal D^ D^ A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A’^ A’^ B’^ B’^ C’^ C’^ D’^ D’^

  34. AES 4 Round Distinguisher • Last round of AES has no Mix Column X Y A^ A^ B^ B^ C^ C^ Equal D^ D^ A Specific Value 4 values Xor to 0 Z Z W W Arbitrary Value A’^ A’^ B’^ B’^ C’^ C’^ D’^ D’^

  35. A 5 Round AES Attack (Grassi 18) • Precede the 4 round distinguisher with an extra round before it • We encrypt all possible values of A,B,C,D • We encrypt all possible values of A,B,C,D A B C Equal D A Specific Value 4 values Xor to 0 • Then as input to round 1 we get: • Then as input to round 1 we get: Arbitrary Value A’ B’ A’, B’, C’, and D’ is a permutation of A, B, C, D C’ which depends only on 4 key bytes D’

  36. A 5 Round AES Attack [Grassi 18] • We look for a “good ciphertext pair”, and get the plaintext X ciphertext Y ciphertext A^ A^ B^ B^ C^ C^ Equal D^ D^ A Specific Value 4 values Xor to 0 X plaintext X plaintext Y plaintext Y plaintext Arbitrary Value A A’ B B’ C C’ D D’

  37. A 5 Round AES Attack [Grassi 18] • For all 2 32 possible key bytes: partially encrypt (AKR, SB, SR, MC) X partial round encryption Y partial round encryption A* A’* B* B’* C* C’* Equal D* D’* A Specific Value 4 values Xor to 0 X plaintext X plaintext Y plaintext Y plaintext Arbitrary Value A A’ B B’ C C’ D D’

Recommend

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

634 views • 45 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3

Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds Jian Guo 1 , Yu Sasaki 2 , Lei Wang 1 , Meiqin Wang 3 and Long Wen 3 1: Nanyang Technological University, Singapore 2: NTT Secure Platform Laboratories,

412 views • 25 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
IOR TECHNOLOGY: ENHANCING PRODUCTION WHAT IS IMPROVED OIL RECOVERY? Any of various methods,

IOR TECHNOLOGY: ENHANCING PRODUCTION WHAT IS IMPROVED OIL RECOVERY? Any of various methods,

IOR TECHNOLOGY: ENHANCING PRODUCTION WHAT IS IMPROVED OIL RECOVERY? Any of various methods, chiefly reservoir drive mechanisms and enhanced recovery techniques, designed to improve the flow of hydrocarbons from the reservoir to the wellbore to

176 views • 13 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Rehabilitation of Groundwater Recovery Wells Improved Treatment Technology Recovery

Rehabilitation of Groundwater Recovery Wells Improved Treatment Technology Recovery

Rehabilitation of Groundwater Recovery Wells Improved Treatment Technology Recovery Well Rehabilitation Outline Perspective Well Rehabilitation Basics New Technology Case Histories Application - Special Case -

971 views • 41 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for

433 views • 11 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi Meier Indocrypt 2011 1 / 28 Overview Sponge construction and K ECCAK Previous analysis results Differentials in K ECCAK Differential

311 views • 28 slides

More recommend