known key distinguisher on full present
play

Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas - PowerPoint PPT Presentation

Dec 02, 2023 •113 likes •434 views

Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C 1 Aalto University, Finland 2 Nanyang Technological University, Singapore 3 Shanghai Jiao

  1. Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C´ 1 Aalto University, Finland 2 Nanyang Technological University, Singapore 3 Shanghai Jiao Tong University, China CRYPTO 2015 Presented by Pierre Karpman Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  2. Introduction New Distinguisher Application to PRESENT Conclusion Outlook � Introduction � Our Known-Key Distinguisher � Application to PRESENT � Conclusion Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  3. Introduction New Distinguisher Application to PRESENT Conclusion Block Cipher Definition A block cipher E : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n is a family of efficiently invertible permutations on n -bit values, whose index is a k -bit key value. Applications in Cryptography: a fundamental primitive ◮ Encryption Scheme: ECB, CBC, CFB, OFB, CTR ◮ Message Authentication Code: EMAC, CMAC, PMAC ◮ Authenticated Encryption: GCM, OCB, EAX, CCM ◮ Hash Function: PGV schemes, MDC-2, MJH, Hirose Scheme Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  4. Introduction New Distinguisher Application to PRESENT Conclusion Security Requirement on Block Cipher A classical security notion: the indistinguishability from an ideal block cipher. Ideal Block Cipher Each permutation indexed by a key value is a random permutation. Moreover, any two permutations indexed by distinct key values are completely independent. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  5. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher Secret-key Model Open-Key Model ◮ Secret key value ◮ Public key value ◮ Impact to Encryption, MAC ◮ Impact to Hash Function ◮ Single-key attack ◮ Known-key attack ◮ Related-key attack ◮ Chosen-key attack Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  6. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher • Open-key model is more generous to adversary. • More rounds are expected to be attacked in open-key model. • For AES-128 as an example, the number of attacked rounds is Secret-key model: 7 rounds [DFJ13]; Open-key model: 10 (full) rounds [Gilbert14]. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  7. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher • Open-key model is more generous to adversary. • More rounds are expected to be attacked in open-key model. • For AES-128 as an example, the number of attacked rounds is Secret-key model: 7 rounds [DFJ13]; Open-key model: 10 (full) rounds [Gilbert14]. Interestingly the situation for standardized lightweight block cipher PRESENT is rather different, which motivates this research. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  8. Introduction New Distinguisher Application to PRESENT Conclusion PRESENT Cipher • ISO/IEC standard lightweight block cipher • Block size is 64 bits; Key size is 80 bits (referred to as PRESENT -80) or 128 bits (referred to as PRESENT -128). • Composed of 31 rounds: Each round consists of a round-key XOR, an Sbox layer and a simple linear bit permutation layer ⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕ S 15 S 14 S 13 S 12 S 11 S 10 S 9 S 8 S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Figure: One round of PRESENT Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  9. Introduction New Distinguisher Application to PRESENT Conclusion Previous Analysis Results on PRESENT • Most scrutinized lightweight cipher. • Multidimensional linear attack is the most powerful one: easy-to-trace linear trails with large correlations • Link between differential property and linear correlation in [BN14]: A multidimensional linear distinguisher can be converted to a truncated differential distinguisher. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  10. Introduction New Distinguisher Application to PRESENT Conclusion Previous Analysis Results on PRESENT # rounds Version Attack Reference 16 80 differential [Wang08] 19 128 algebraic differential [AC09] 19 128 multiple differential [BN13] Secret-key Model 25 128 linear [NSZ+09] 26 80 multidimensional linear [Cho10] 26 80 truncated differential [BN14] 18 80 differential rebound [KS+12] Open-key Model 26 80 linear [LR15] 27 128 linear [LR15] Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  11. Introduction New Distinguisher Application to PRESENT Conclusion Our Results on PRESENT # rounds Version Attack Reference 16 80 differential [Wang08] 19 128 algebraic differential [AC09] 19 128 multiple differential [BN13] Secret-key Model 25 128 linear [NSZ+09] 26 80 multidimensional linear [Cho10] 26 80 truncated differential [BN14] 18 80 differential rebound [KS+12] Open-key Model 26 80 linear [LR15] 27 128 linear [LR15] 31 (full) 80/128 truncated differential Ours Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  12. Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher • Key is known to the distinguisher • Improve estimation of the security margin of block cipher • Encompass the scenario of block cipher-based hash function • The goal for an attacker: generate input/output pairs with a certain property, such that the complexity for the target block cipher is lower than the generic complexity when dealing with an ideal block cipher − target block cipher: open access to internal states to exploit structural weakness; − ideal block cipher: black-box access to encryption and decryption oracles Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  13. Introduction New Distinguisher Application to PRESENT Conclusion Our Known-Key Distinguisher Distinguishing property Find a set of N plaintexts, such that they all have the same value on s pre-determined bits and such that there is a bias on the number of collisions observed on q pre-determined bits of corresponding ciphertexts ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Block Cipher E ∗∗∗∗∗∗∗∗∗∗ 0 ∗∗∗∗∗ Figure: Our distinguisher model Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  14. Introduction New Distinguisher Application to PRESENT Conclusion Our Known-Key Distinguisher Distinguishing property Find a set of N plaintexts, such that they all have the same value on s pre-determined bits and such that there is a bias on the number of collisions observed on q pre-determined bits of corresponding ciphertexts Generic attack on an ideal block cipher: 1. Pick N random plaintexts having ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ the same values on s pre-determined bit positions Block Cipher E 2. Query them, and count the number of collisions on the q ∗∗∗∗∗∗∗∗∗∗ 0 ∗∗∗∗∗ pre-determined bit positions of corresponding ciphertexts Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  15. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  16. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] We decided to base our distinguisher on truncated differential attacks, because • it can reach the maximum number of attacked rounds • it is easier to handle than multidimensional linear attack in the known-key setting Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  17. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] We decided to base our distinguisher on truncated differential attacks, because • it can reach the maximum number of attacked rounds • it is easier to handle than multidimensional linear attack in the known-key setting On the other hand, • its statistical bias is small, and a large number of plaintexts is necessary • pre- and post-adding extra differential characteristics cannot work well, since they reduce #available plaintexts. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  18. Introduction New Distinguisher Application to PRESENT Conclusion Overview of Our Distinguisher on PRESENT It consists of ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Λ Extension using r 0 = 7 • Meet-in-the-middle layer a MitM layer ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ • Truncated differential layer ∆ Strong truncated r 1 ≤ 24 differential distinguisher ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Γ Figure: Overview of our distinguisher Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

Recommend

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident

Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident

Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident ial and are being made only to, and are No st atement in this present ation is intended as a profit forecast or profit estimate only directed at ,

763 views • 30 slides
Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza

Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza

Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza ,Universit di Roma Bertinoro, June 18 th , 2014 Overview Absolute vs Relative Expressiveness (encodings) PAST Full abstraction:

664 views • 21 slides
This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit is built I will start with the main components. This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

412 views • 17 slides
A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie

A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie

A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie Gauthier 1 , Ayoub Otmani 1 and Jean-Pierre Tillich 2 Val GREYC - Universit e de Caen - Ensicaen SECRET Project - INRIA Rocquencourt

624 views • 43 slides
A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019 Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher

700 views • 67 slides
A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project), Val erie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Universit e Caen- INRIA, SECRET project), L. Perret (INRIA, SALSA project),

734 views • 35 slides
Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of

Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of

Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of services and study objectives t Present basic costing methodology and approach t Discuss a summary of findings and results t Questions Scope of Services t

434 views • 25 slides
Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum Interactive Proofs for NP Interactive Proof (GMR85, Babai85) ? , P V accept Security Against Malicious

515 views • 35 slides
Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of

Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of

Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of experts? I have joined LIXI with fresh eyes Opportunity to review LIXIs practices This is not a deeply technical presentation We speak

137 views • 11 slides
Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad

Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad

Institute for Applied Information Processing and Communications (IAIK) Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad Institute for Applied Information Processing and Communications (IAIK) Graz

741 views • 73 slides
full year results full year results full year results full full year results full year results full

full year results full year results full year results full full year results full year results full

AMP results presentation FULL YEAR RESULTS 2010 full year results full year results full year results full full year results full year results full year results full 2010 full year results Craig Dunn Chief Executive Officer Paul Leaming Chief

691 views • 24 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil & Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not

Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not

Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not possible, be sure to arrive at least 10 minutes before you present. Follow the schedule; I do not announce who is next (who should be coming to the front

169 views • 3 slides
Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

| 2018 Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate Marketing 2002 - Present SEM / Ads 2003 to Present Current Jenga Digital LLC 2013 - Present Personal Born in

385 views • 20 slides
Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches

Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches

Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches Their Full Potential Connecting and being present with your kids starts with you being connected and present with yourself: Important to cultivate

68 views • 5 slides
ACCESS FULL LIBRARY FROM YOUR HOME THE WHOLE PICTURE Our Company Description This template is

ACCESS FULL LIBRARY FROM YOUR HOME THE WHOLE PICTURE Our Company Description This template is

ACCESS FULL LIBRARY FROM YOUR HOME THE WHOLE PICTURE Our Company Description This template is absolutely amazing, great design, a very smart and good layout with an unbelievable messages. This is good for present business presentation, and

471 views • 25 slides
QA/QC/Test plan F. Pietropaolo CERN / INFN Padova Present and planned QA Program Incorporate

QA/QC/Test plan F. Pietropaolo CERN / INFN Padova Present and planned QA Program Incorporate

QA/QC/Test plan F. Pietropaolo CERN / INFN Padova Present and planned QA Program Incorporate lessons learned into design (ICARUS, MicroBooNE, 35 ton, ...) Mechanics Perform comprehensive stress analysis from component level to full

919 views • 44 slides
Transhumanism My God, its full of stars. -2001 a Space Odyssey Spencer Barck What is

Transhumanism My God, its full of stars. -2001 a Space Odyssey Spencer Barck What is

Transhumanism My God, its full of stars. -2001 a Space Odyssey Spencer Barck What is Transhumanism Man is something that shall be overcome -Friedrich Nietzche Act 1 The next stage Past Act 2 Present Future Act 3 3

824 views • 26 slides
2015 Full Year Results Transatlantic Healthcare Technology Group Focused on value creation

2015 Full Year Results Transatlantic Healthcare Technology Group Focused on value creation

2015 Full Year Results Transatlantic Healthcare Technology Group Focused on value creation through execution Franois R Martelet, M.D. Chief Executive Officer Mark Nanovich Interim CFO 7 April 2016 Disclaimer This present at ion is not an

402 views • 36 slides
2010 Full Year Result 2010 Full Year Result 23 February 2011 2010 Full Year Result 2010 Full

2010 Full Year Result 2010 Full Year Result 23 February 2011 2010 Full Year Result 2010 Full

2010 Full Year Result 2010 Full Year Result 23 February 2011 2010 Full Year Result 2010 Full Year Result Terry Davis Group Managing Director Highlights of 2010 Result Strong operational performances Australian beverages EBIT up 7.3% and

565 views • 21 slides
Present Yourself Like a Pro! Present Like a PRO WSIC and WIFM? Crowded, cluttered world

Present Yourself Like a Pro! Present Like a PRO WSIC and WIFM? Crowded, cluttered world

Present Yourself Like a Pro! Present Like a PRO WSIC and WIFM? Crowded, cluttered world ADD Sensory overload Instant gratification Everyones got an MBA and a great story The bottom line Harder than ever to get

336 views • 16 slides
Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full Year 2012 1 Results presentation Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman Nightingale Woods,Wendover Full Year 2012 3 Mark Clare Group Chief Executive Newberry Corner, Churchinford Full

928 views • 60 slides
AA Full Year Results Year Ended 31 st January 2014 Date 27 th May 2014 1 looking statements that

AA Full Year Results Year Ended 31 st January 2014 Date 27 th May 2014 1 looking statements that

AA Full Year Results Year Ended 31 st January 2014 Date 27 th May 2014 1 looking statements that reflect managements current views with respect to future events as to historical facts or present facts or circumstances. The words aim,

350 views • 10 slides

More recommend