mars attacks revisited
play

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS - PowerPoint PPT Presentation

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,


  1. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT’11 Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Bauhaus-University Weimar, Germany Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 1 / 27

  2. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation What is MARS? • block cipher with 128 bit block size • developed 1998 by a team from IBM as a candidate for the Advanced Encryption Standard (AES) • one of five finalists in the AES competition 2001 • no attacks from 2001 till 2009 Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 2 / 27

  3. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  4. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  5. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES • MARS structure differs from other ciphers (mixing rounds) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  6. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES • MARS structure differs from other ciphers (mixing rounds) • key scheduler much stronger/ more complex than key scheduler of AES Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  7. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion What we did We propose two attacks: • extend 11-round distinguisher by Kelsey et al to 12 core rounds Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 4 / 27

  8. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion What we did We propose two attacks: • extend 11-round distinguisher by Kelsey et al to 12 core rounds • establish first key recovery attack on the MARS key schedule, using the distinguisher to recover the secret key Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 4 / 27

  9. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Outline MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 5 / 27

  10. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion MARS Plaintext A i− B i− C i− D i− 1 1 1 1 Whitening Rounds • 128 bit block size Core • internal state: 4 × 32 bit words Core ( A , B , C , D ) Whitening Rounds Ciphertext A i B i C i D i Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 6 / 27

  11. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion MARS - Structure of the Core Rounds 8 x forward round 8 x backward round A <<< 13 <<< 13 E E B C D Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 7 / 27

  12. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery Exploits differential properties of the MARS core • 3-round differential characteristic with probability 1 (0 , 0 , 0 , α ) → ( β, 0 , 0 , 0) • distinguisher uses the 3-rounds characteristic twice, for rounds 4 - 6 and 7 - 9 • differences, if multiplied with a constant, propagate only in the most significant bits (used in round 10) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 8 / 27

  13. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K + K 6 E E E (0 , a , b , 0) K 5 K* K 7 K* K* K 9 B C D (0,0,c,d) (0,a,b,0) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  14. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K + K 6 E E E (0 , a , b , 0) K* K 5 K* K 7 K 9 K* 2. partially decrypt B (0 , a , b , 0) to reach ( A , B , C , D ) C D (0,0,c,d) (0,a,b,0) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  15. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K 6 K + E E E (0 , a , b , 0) K* K 5 K 7 K* K 9 K* 2. partially decrypt B (0 , a , b , 0) to reach ( A , B , C , D ) C 3. create 2 56 batches D with 302 texts each (0,0,c,d) (0,a,b,0) with difference ( A , B , C , D ) between batches Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  16. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 5. partially decrypt all <<< 13 <<< 13 <<< 13 ciphertexts with each of the 2 32 subkey K + E E K 26 E K 27 K* candidates for Round 12 and extract the bit “ a ” for each ciphertext ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 10 / 27

  17. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 5. partially decrypt all <<< 13 <<< 13 <<< 13 ciphertexts with each of the 2 32 subkey K + E E K 26 E K 27 K* candidates for Round 12 and extract the bit “ a ” for each ciphertext 6. build 2 56 strings of ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) 302 “ a ” bits for each batch Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 10 / 27

  18. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 7. store and sort the <<< 13 <<< 13 <<< 13 resulting bit strings K + E E K 26 E in order of the K 27 K* chosen plaintexts ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 11 / 27

Recommend


More recommend