Improved Single-Key Attacks on 9-Round AES-192/256
Leibo Li (1), Keting Jia (2) and Xiaoyun Wang (1, 3)
(1) Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China
(2) Department of Computer Science and Technology, Tsinghua University, China
(3) Institute for Advanced Study, Tsinghua University, China
Fast Software Encryption 2014
Outline
Preliminaries
  A Brief Description of AES
  Related Works
The Improved Attacks on 9-Round AES-192
  Key-Dependent Sieve and 5-Round Distinguisher of AES-192
  The Key Recovery Attack on 9-Round AES-192
  The Attack on 9-round AES-192 from the Third Round
Reducing the Memory Complexity with Weak-Key Attacks
  Reducing the Memory Complexities of the Attacks on AES-192
  Reducing the Memory Complexity of the Attack on AES-256
Conclusion
A Brief Description of AES
◮ Designed by Daemen and Rijmen in 1997
◮ Selected by NIST as the Advanced Encryption Standard (AES) and published as FIPS 197 in 2001
◮ AES is a 128-bit block cipher with an SPN structure
◮ Rounds: 10 rounds for AES-128, 12 rounds for AES-192, 14 rounds for AES-256
◮ The round function applies SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (ARK) with round key K_i, in that order
[Figure: the round function. The 16 state bytes are numbered column-wise, byte 4c + r in column c (c = 0, 1, 2, 3) and row r; ShiftRows rotates row r to the left by r bytes, e.g. row 3 becomes 15, 3, 7, 11.]
A Brief Description of AES
The key schedule of AES:
◮ For i = N_k to 4 × N_r + 3 do the following:
  ◮ If i ≡ 0 mod N_k, then w[i] = w[i − N_k] ⊕ SB(w[i − 1] ≪ 8) ⊕ Rcon[i/N_k],
  ◮ else if N_k = 8 and i ≡ 4 mod 8, then w[i] = w[i − N_k] ⊕ SB(w[i − 1]),
  ◮ otherwise w[i] = w[i − N_k] ⊕ w[i − 1].
N_r is the number of rounds and N_k the number of 32-bit words of the master key (N_k = 4, 6, 8 for AES-128/192/256; for AES-192, N_k = 6). w[0], …, w[N_k − 1] are the master key words, ≪ 8 rotates a word left by one byte, SB is applied to each byte of the word, and the round keys are the consecutive groups of four words, k_j = w[4j] ‖ w[4j + 1] ‖ w[4j + 2] ‖ w[4j + 3].
[Figure: the key schedules of AES-128, AES-192 and AES-256.]
MITM Attacks on AES
◮ The MITM attack on AES was introduced by Demirci and Selçuk at FSE 2008 to improve the collision attack proposed by Gilbert and Minier.
◮ Dunkelman, Keller and Shamir exploited the differential enumeration and multiset ideas to reduce the high memory complexity at ASIACRYPT 2010.
◮ Derbez and Fouque gave a way to automatically model SPN block ciphers and meet-in-the-middle attacks on AES at FSE 2013.
◮ Derbez, Fouque and Jean further improved Dunkelman et al.'s attack using a rebound-like idea to reduce the complexity at EUROCRYPT 2013.
Demirci and Selçuk attack (FSE 2008)
Divide the cipher E as E_K = E^2_{K_2} ∘ E_m ∘ E^1_{K_1} and build a distinguisher on the middle part E_m (4 rounds).
◮ Let X_1[0] be the input variable. The output X_5[0] is determined by the 200-bit variable X_2[0, 1, 2, 3] ‖ X_3[0, ⋯, 15] ‖ X_4[0, 5, 10, 15] ‖ X_5[0]: these are the bytes that enter an S-box on the path from the active byte to the output byte (4 + 16 + 4 = 24 bytes) plus the output byte itself, 25 bytes in total.
◮ For X_1, construct a δ-set in which X_1[0] is the active byte.
◮ Hence there are at most 2^200 values for the 2048-bit sequence E_m(X^0)[5] ‖ ⋯ ‖ E_m(X^255)[5].
δ-set = (X^0, ⋯, X^255): a set of 256 states in which one byte (the active byte) traverses all 256 values and the other bytes are the same.
[Figure: the 4-round distinguisher, states X_1 → Z_1 → X_2 → X_3 → Y_3 → X_4 → Z_4 → X_5 through SB, SR, MC, ARK.]
Demirci and Selçuk attack (FSE 2008)
The attack procedure:
1. Precomputation phase: compute all 2^200 values of E_m(X^0)[5] ‖ ⋯ ‖ E_m(X^255)[5] and store them in a hash table.
2. Online phase:
  2.1 Guess the values of the related subkeys in E^1 and construct a δ-set. Then partially decrypt it to get the corresponding 256 plaintexts.
  2.2 Obtain the corresponding plaintext-ciphertext pairs from the collected data. Then guess the related subkeys in E^2 and partially decrypt the ciphertexts to get the corresponding 256-byte output sequence of E_m.
  2.3 If the sequence lies in the precomputation table, the guessed subkeys of E^1 and E^2 may be the right key.
[Figure: E = E^2 ∘ E_m ∘ E^1, with the 4-round distinguisher in E_m.]
Dunkelman et al.'s Attack (ASIACRYPT 2010)
The number of values of the parameter V is reduced from 2^200 to 2^128:
1. Use the multiset of differences ΔX_5[1] in place of the ordered sequence. The value of X_5[1] is then no longer a parameter of the multiset (the subkey byte cancels in the XOR):
  { E_m(X^0)[5] ⊕ E_m(X^0)[5], E_m(X^0)[5] ⊕ E_m(X^1)[5], ⋯, E_m(X^0)[5] ⊕ E_m(X^255)[5] }
2. Apply the differential enumeration technique to fix some values of the intermediate parameters:
  ◮ only 2^64 values for X_3[0, ⋯, 15] instead of 2^128, which gives 2^(192 − 64) = 2^128 values in total.
A step to find a pair satisfying the truncated differential is added, and the δ-set is constructed only for such a pair.
[Figure: the truncated differential over the 4-round distinguisher, 1 → 4 → 16 → 4 → 1 active bytes.]
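A δ-set experiment on round-reduced AES, added here to illustrate the Demirci-Selçuk ordered sequence and the Dunkelman et al. multiset above; it is not code from the paper or its authors. It uses the SB-SR-MC-ARK round and the column-wise byte numbering of the slides, and assumes independent random round keys instead of the AES key schedule (an assumption made for illustration only; none of the properties shown depends on the schedule). It shows how one active byte spreads to 4 and then to 16 active bytes, and that changing the last-round key byte that lands on the output byte changes the ordered output sequence but not the multiset of differences, which is why that byte drops out of the parameter list.

```python
# Added example (not from the paper): δ-set experiment on round-reduced AES.
# Assumption for illustration: independent random round keys, not the key schedule.
import random
from collections import Counter

def _xtime(b):
    return ((b << 1) ^ 0x11B) & 0xFF if b & 0x80 else b << 1

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    # AES S-box = affine map of the GF(2^8) inverse, modulus x^8 + x^4 + x^3 + x + 1
    sbox = []
    for x in range(256):
        inv = next(y for y in range(256) if _gf_mul(x, y) == 1) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # byte 4*c + r sits in column c, row r (numbering of the slides); row r rotates left by r
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(2, a0) ^ _gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ _gf_mul(2, a1) ^ _gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ _gf_mul(2, a2) ^ _gf_mul(3, a3),
                _gf_mul(3, a0) ^ a1 ^ a2 ^ _gf_mul(2, a3)]
    return out

def encrypt_rounds(state, round_keys):
    """Full rounds SB -> SR -> MC -> ARK, one per round key."""
    for k in round_keys:
        state = [a ^ b for a, b in zip(mix_columns(shift_rows(sub_bytes(state))), k)]
    return state

def delta_set(base, active=0):
    """256 states equal to `base` except that byte `active` runs over all values."""
    return [base[:active] + [v] + base[active + 1:] for v in range(256)]

def active_bytes(states):
    """Positions whose value is not constant over the set: the truncated differential."""
    return [i for i in range(16) if len({s[i] for s in states}) > 1]

def propagation(round_keys, base, active=0):
    """Active-byte pattern of the δ-set after each round."""
    states, patterns = delta_set(base, active), []
    for k in round_keys:
        states = [encrypt_rounds(s, [k]) for s in states]
        patterns.append(active_bytes(states))
    return patterns

def output_sequence(round_keys, base, out_byte, active=0):
    """Ordered 256-byte sequence of one output byte over the δ-set (Demirci-Selçuk)."""
    return [encrypt_rounds(s, round_keys)[out_byte] for s in delta_set(base, active)]

def multiset_of_differences(seq):
    """Dunkelman et al.: unordered multiset { seq[0] ^ seq[i] } instead of the sequence."""
    return Counter(seq[0] ^ v for v in seq)

def last_key_experiment(round_keys, base, out_byte=0):
    """Change only the last-round key byte that lands on out_byte: the ordered
    sequence changes, the multiset of differences does not (ARK cancels in the XOR)."""
    alt = [list(k) for k in round_keys]
    alt[-1][out_byte] ^= 0x5A
    seq_a = output_sequence(round_keys, base, out_byte)
    seq_b = output_sequence(alt, base, out_byte)
    return seq_a != seq_b, multiset_of_differences(seq_a) == multiset_of_differences(seq_b)

def demo_keys(seed=2014, rounds=4):
    """Constructed sample input: seeded random round keys and a base state."""
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(16)] for _ in range(rounds)]
    base = [rng.randrange(256) for _ in range(16)]
    return keys, base

if __name__ == "__main__":
    keys, base = demo_keys()
    print("active bytes per round:", propagation(keys, base))
    print("sequence changed / multiset unchanged:", last_key_experiment(keys, base))
```

With the active byte at position 0 the pattern after one round is column 0 (bytes 0, 1, 2, 3) and after two rounds the full state, matching the parameter list X_2[0, 1, 2, 3] ‖ X_3[0, ⋯, 15] of the slide; `last_key_experiment` returns `(True, True)` for any keys.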
Derbez et al.'s Attack (EUROCRYPT 2013)
◮ When ΔX_1[1] ≠ 0 and ΔX_1[j] = 0 for all j ≠ 1, ΔX_5[1] is determined by the 10-byte variable ΔZ_1[0] ‖ X_2[0, 1, 2, 3] ‖ ΔX_5[0] ‖ Z_4[0, 1, 2, 3].
[Figure: the 4-round distinguisher, states X_1 → Z_1 → X_2 → X_3 → Y_3 → X_4 → Z_4 → X_5.]
◮ They proposed a 5-round distinguisher to attack 9-round AES-256, where the value of the multiset is determined by 26 byte parameters (2^208 values).
[Figure: the 5-round distinguisher, states X_1 → Z_1 → X_2 → X_3 → X_4 → X_5 → Z_5 → X_6, with subkeys u_2, k_3, k_4 marked.]
Key-Dependent Sieve
◮ Apply relations of the key schedule to filter out wrong states of the multiset.
◮ u_2[0, 7, 10, 13] ‖ k_3[0, ⋯, 15] ‖ k_4[0, 5, 10, 15] is deduced for every sequence (u_2 is the equivalent subkey MC^{-1}(k_2)).
◮ u_2[0] = MC^{-1}((S(k_3[4 ∼ 7]) ≪ 8) ⊕ k_3[8 ∼ 11] ⊕ Rcon)[0].
◮ u_2[7] = MC^{-1}(k_3[8, 9, 10, 11] ⊕ k_3[12, 13, 14, 15])[7].
◮ Each of the two byte relations holds for a random parameter set with probability 2^-8, so for AES-192 there are only about 2^192 (= 2^208 / 2^16) values of the multiset.
[Figure: the 5-round distinguisher with the bytes of u_2, k_3 and k_4 involved in the sieve marked.]
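The key schedule from the AES description slide and the key-schedule relations used by the sieve above, as an added example that is not code from the paper or its authors. It implements the expansion for N_k = 4, 6, 8, checks it against word values of the FIPS-197 Appendix A expansion examples, and shows the generic linear relation w[i − N_k] = w[i] ⊕ w[i − 1] that lets all of k_2 be recovered from k_3 ‖ k_4 for AES-192, so a guess of those subkeys can be checked for consistency. The two u_2 relations on the slide are stated in the paper's own subkey indexing and are not reproduced; the helper names are this example's own.

```python
# Added example (not from the paper): AES key expansion of the slide, Nk = 4, 6, 8,
# plus the linear relation between consecutive AES-192 round keys used as a sieve.

def _xtime(b):
    return ((b << 1) ^ 0x11B) & 0xFF if b & 0x80 else b << 1

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    # AES S-box = affine map of the GF(2^8) inverse, modulus x^8 + x^4 + x^3 + x + 1
    sbox = []
    for x in range(256):
        inv = next(y for y in range(256) if _gf_mul(x, y) == 1) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sub_word(w):          # SB applied to each byte of a 32-bit word
    return bytes(SBOX[b] for b in w)

def rot_word(w):          # the "<<< 8" of the slide: rotate the word left by one byte
    return w[1:] + w[:1]

def expand_key(key):
    """Words w[0 .. 4*Nr+3] of the AES key schedule, exactly the rule on the slide."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "AES key must be 128, 192 or 256 bits"
    nr = nk + 6
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = _xor(sub_word(rot_word(t)), bytes([RCON[i // nk - 1], 0, 0, 0]))
        elif nk == 8 and i % 8 == 4:
            t = sub_word(t)
        w.append(_xor(w[i - nk], t))
    return w

def subkey(w, j):
    """Round key k_j = w[4j] || w[4j+1] || w[4j+2] || w[4j+3] (k_0 is the whitening key)."""
    return b"".join(w[4 * j:4 * j + 4])

def earlier_word(w, nk, i):
    """Invert the linear step: w[i-nk] = w[i] ^ w[i-1] whenever w[i] was produced by
    the plain XOR rule (i % nk != 0, and for Nk = 8 also i % 8 != 4)."""
    assert i % nk != 0 and not (nk == 8 and i % 8 == 4)
    return _xor(w[i], w[i - 1])

def k2_from_k3_k4_192(k3, k4):
    """AES-192: k_2 = w[8..11] is fully determined by k_3 || k_4 = w[12..19], because
    w[8] = w[13]^w[14], w[9] = w[14]^w[15], w[10] = w[15]^w[16], w[11] = w[16]^w[17].
    A guess of (k_3, k_4) therefore fixes k_2 (and u_2 = MC^-1(k_2)); any parameter
    set that contradicts this relation is sieved out."""
    later = [k3[4 * c:4 * c + 4] for c in range(4)] + [k4[4 * c:4 * c + 4] for c in range(4)]
    return b"".join(_xor(later[c + 1], later[c + 2]) for c in range(4))

if __name__ == "__main__":
    key = bytes.fromhex("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b")  # FIPS-197 A.2 key
    w = expand_key(key)
    print("w[6] =", w[6].hex())
    print("k_2 recovered from k_3 || k_4:", k2_from_k3_k4_192(subkey(w, 3), subkey(w, 4)) == subkey(w, 2))
```

For AES-192 the S-box step of the schedule only occurs at i = 12 and i = 18, so the four words of k_2 are plain XORs of adjacent words of k_3 ‖ k_4; the same inversion does not apply across an S-box step, which is why the slide's own u_2 relations carry an S-box and Rcon term.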
5-Round Distinguisher of AES-192
The truncated differential characteristic of our distinguisher.
[Figure: rounds 0 to 5 of AES-192, states W_0 → X_1, Y_1, Z_1, W_1 → ⋯ → X_5, Y_5, Z_5, W_5 → X_6, Y_6, each round being SB, SR, MC, ARK with subkeys u_i, k_i for i = 0, ⋯, 5.]
5-Round Distinguisher of AES-192
Proposition 1. Consider the encryption of the first 2^5 values (W_0^0, ⋯, W_0^31) of the δ-set through 5-round AES-192. If a message pair (W_0, W_0') of the δ-set conforms to the truncated differential characteristic outlined in Fig. 3, then the corresponding 256-bit ordered sequence Y_6^0[6] ‖ ⋯ ‖ Y_6^31[6] takes only about 2^192 values (out of 2^256 theoretically possible values).
Our improvements:
◮ Propose a 5-round distinguisher for AES-192.
◮ Deduce more information about the subkeys: k_0[12], k_1[12, 13, 14, 15], u_2[3, 6, 9, 12], k_3[0, ⋯, 15], k_4[3, 4, 9, 14], k_5[6].
◮ Use an ordered sequence instead of the multiset.