new observations on impossible differential cryptanalysis
play

New Observations on Impossible Differential Cryptanalysis of - PowerPoint PPT Presentation

Sep 12, 2022 •209 likes •472 views

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

  1. New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3. Tsinghua University, 4.Donghua University FSE 2012 M ar. 19 , 2012

  2. Outline Shanghai Jiao Tong University Impossible Differential Cryptanalysis The Block Cipher Camellia Our Results • 7-Round Impossible Differentials of Camellia for Weak Keys and Their Applications ( By Leibo Li, Xiaoyun Wang, Jiazhe Chen ) • 8-Round Impossible Differentials of Camellia and Their Applications ( By Ya Liu, Dawu Gu, Zhiqiang Liu, Wei Li ) Conclusion http://LoCCS.sjtu.edu.cn

  3. Impossible Differential Cryptanalysis (1/2) Shanghai Jiao Tong University Impossible differential attack was independently proposed by Knudsen and Biham. • L.R. Knudsen: DEAL – A 128-bit Block Cipher , AES Proposal, 1998 • E. Biham, A. Biryukov and A. Shamir: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials (EUROCRYPT 99) http://LoCCS.sjtu.edu.cn

  4. Impossible Differential Cryptanalysis (2/2) Shanghai Jiao Tong University Basic ideas: Impossible 1 differential attack uses differentials that hold with p =1 probability zero to derive the r right key by discarding the wrong keys which lead to the Contradiction impossible differential. Some block ciphers were r+1 analyzed by using impossible q =1 differentials: ARIA, AES, CLEFIA, MISTY1 … 2r http://LoCCS.sjtu.edu.cn

  5. Camellia (1/3) Shanghai Jiao Tong University K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, T. Tokita. Camellia: A 128-bit Block Cipher Suitable for Multiple Platforms-Design and Analysis (SAC 2000) In 2002, Camellia was selected an e-government recommended cipher by CRYPTREC . In 2003, Camellia was recommended in NESSIE block cipher portfolio. In 2005, Camellia was adopted as an ISO/IEC international standard. Basic Information • Block Size: 128 bits • Key Sizes: 128/192/256 (Camellia-128/192/256) • The Number of Rounds: 18/24 • Structure: Feistel structure with some key-dependent functions FL/FL -1 inserted every 6 rounds. http://LoCCS.sjtu.edu.cn

  6. Encryption Procedure of Camellia(2/3) Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  7. Property of FL/FL -1 (3/3) Shanghai Jiao Tong University Key-dependent Functions: FL/FL -1 http://LoCCS.sjtu.edu.cn

  8. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University 75% http://LoCCS.sjtu.edu.cn

  9. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University (0|0|0|0|0|0|0|0, a |0|0|0| c |0|0|0) ↛ (0|0|0|0| d |0|0|0,0|0|0|0|0|0|0|0) (9) =0 or KL R (8) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0| a |0|0|0| c |0|0) ↛ (0|0|0|0|0| d |0|0,0|0|0|0|0|0|0|0) (17) =0 or KL R (16) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0|0| a |0|0|0| c |0) ↛ (0|0|0|0|0|0| d |0,0|0|0|0|0|0|0|0) (25) =0 or KL R (24) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0|0|0| a |0|0|0| c ) ↛ (0|0|0|0|0|0|0| d ,0|0|0|0|0|0|0|0) (1) =0 or KL R (32) =1, and d (1) =0. with conditions KL L 5+2 WKID http://LoCCS.sjtu.edu.cn

  10. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University (0|0|0|0| d |0|0|0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0, a |0|0|0| c |0|0|0) with conditions KL’ L (9) =0 or KL’ R (8) =1, and d (1) =0. (0|0|0|0|0| d |0|0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0| a |0|0|0| c |0|0) with conditions KL’ L (17) =0 or KL’ R (16) =1, and d (1) =0. (0|0|0|0|0|0| d |0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0|0| a |0|0|0| c |0) with conditions KL’ L (25) =0 or KL’ R (24) =1, and d (1) =0. (0|0|0|0|0|0|0| d ,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0|0|0| a |0|0|0| c ) with conditions KL’ L (1) =0 or KL’ R (32) =1, and d (1) =0. 2+5 WKID http://LoCCS.sjtu.edu.cn

  11. Impossible Differential Attack on10- Round Camellia-128 for Weak Keys Shanghai Jiao Tong University Data Collections: 2 n Structures, 2 n+63 × 2 -64 =2 n-1 pairs Key Recovery: K 1,{1,5} , K 10,8 , K 10,{2,3,4,6,7} , K 10,{1,5} , K 9,5 𝜁 = 2 80 × (1 − 2 −8 ) 2 𝑜−66 = 1 ⇒ 𝑜 = 79.8 Time Complexity: 2 111.8 encryptions; Data Complexity: 2 111.8 CP; Memory Complexity: 2 84.8 Bytes. http://LoCCS.sjtu.edu.cn

  12. Impossible Differential Attack on 10-Round Camellia-128 for the Whole Key Space Shanghai Jiao Tong University Phases 1 to 4 : Perform an impossible differential attack on 10- round Camellia-128 by using each of 5+2 WKID: (0|0|0|0|0|0|0|0,a|0|0|0|c|0|0|0) ↛ (0|0|0|0|d|0|0|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|a|0|0|0|c|0|0) ↛ (0|0|0|0|0|d|0|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|0|a|0|0|0|c|0) ↛ (0|0|0|0|0|0|d|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|0|0|a|0|0|0|c) ↛ (0|0|0|0|0|0|0|d,0|0|0|0|0|0|0|0) Phase 5 : If the attacks above all fail, then we obtain the key information as following: Guess the remaining keys. DC: 2 113.8 CP; TC: 2 120 encryptions; MC:2 84.8 Bytes. http://LoCCS.sjtu.edu.cn

  13. The Applications of 7-Round Impossible Differentials of Camellia with Weak Keys Shanghai Jiao Tong University We attack 10-round Camellia-128 with 2 113.8 chosen plaintexts and 2 120 encryptions, 11-round Camellia-192 with 2 114.64 chosen plaintexts and 2 184 encryptions and 12-round Camellia-256 with 2 116.17 chosen plaintexts and 2 240 encryptions, which start from the first round. We attack 12-round Camellia-192 with 2 120.1 chosen plaintexts and 2 184 encryptions and 14-round Camellia-256 with 2 120 chosen plaintexts and 2 250.5 encryptions, which include two FL/FL -1 layers. http://LoCCS.sjtu.edu.cn

  14. 8-Round Impossible Differentials of Camellia without the Keyed Layers Shanghai Jiao Tong University Insert key-dependent functions FL/FL -1 Insert key-dependent functions FL/FL -1 http://LoCCS.sjtu.edu.cn

  15. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) http://LoCCS.sjtu.edu.cn

  16. Property of FL Shanghai Jiao Tong University Proposition 7. If the input difference of FL is ( a ,0,0,0, a’, 0,0,0), where a (1) = a ’ (8) =0 and then the output difference of FL is ( a ,0,0,0,0,0,0,0). http://LoCCS.sjtu.edu.cn

  17. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University Proposition 8. • the input difference of the 1st round: (0,0,0,0,0,0,0,0, a ,0,0,0, a′, 0,0,0) ; • the output difference of the 8th round: ( b ,0,0,0, b ′,0,0,0,0,0,0,0,0,0,0,0) ; • a , b ≠0, and a (1) = b (1) = a′ (8) = b′ (8) = 0. • where four subkeys kl i ( i = 1, · · · , 4) are used in two FL/FL −1 layers. ⇒ (0|0|0|0|0|0|0|0| a |0|0|0| a’ |0|0|0) ↛ 𝟗 ( b |0|0|0| b’ |0|0|0|0|0|0|0|0|0|0|0) is an 8-round impossible differential of Camellia with two FL/FL −1 layers. ∆ i denotes the corresponding 8-round differential for each different (2~7) | kl 4 (2~7) . key values of kl 1 A = { Δ 𝑗 0 ≤ 𝑗 ≤ 2 14 − 1 ≜ {𝜀 𝑘 |1 ≤ 𝑘 ≤ 𝑢} , where 𝑢 ≤ 2 14 . http://LoCCS.sjtu.edu.cn

  18. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  19. Attack Strategy Shanghai Jiao Tong University S elect 𝜀 𝑗 ∈ 𝐵 , perform an impossible differential attack. • If one subkey is remained, we recover the secret key by the key schedule and verify whether it is correct by some plaintext-ciphertext pairs. • If success, end this attack. • Otherwise, try another differential δ j (j≠i) of A and perform a new impossible differential attack. • If no one subkey or more than one subkeys are left, select 𝜀 𝑘 ( j≠i ) ∈ A to execute a new impossible differential attack. http://LoCCS.sjtu.edu.cn

  20. Impossible Differential Attack on 13-Round Camellia-256 Shanghai Jiao Tong University (0|0|0|0|0|0|0|0| a |0|0|0| a ’ |0|0|0) ↛ 𝟗 ( b |0|0|0| b’ |0|0|0|0|0|0|0|0|0|0|0) Case 1. a′=b′=0. Case 2. a′=0 and b′≠0, or a′ ≠0 and b′=0. Case 3. a′≠0 and b′≠ 0. http://LoCCS.sjtu.edu.cn

  21. Impossible Differential Attack on 13-Round Camellia-256 Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  22. The Applications of 8-Round Impossible Differentials of Camellia Shanghai Jiao Tong University We construct 8-round impossible differentials of Camellia with two FL/FL -1 layers, the length of which is the same as the length of the known best impossible differential of Camellia without the FL/FL -1 layers. The key-dependent layers cannot resist impossible differential attack effectively. We attack 12-round Camellia-192 with 2 123 chosen plaintexts and 2 187.2 encryptions and 13-round Camellia-256 with 2 123 chosen plaintexts and 2 251.1 encryptions, which include the whitening and FL/FL -1 layers. http://LoCCS.sjtu.edu.cn

  23. Summary of the attacks on Camellia Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

Recommend

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Concept of Differentials Propagation Ratio The

471 views • 15 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Introduction 1/24 Gatan Leurent Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013 UCL Crypto Group FSE 2013 Cryptanalysis of WIDEA G. Leurent Microelectronics Laboratory UCL Crypto Group

617 views • 32 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis Anne Canteaut Inria, France Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/Anne.Canteaut/ joint work with Jolle Rou ESC 2015, Clervaux,

540 views • 30 slides
Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 , Henri Gilbert 2 , Mara Naya-Plasencia 1 , Jean-Ren Reinhard 2 1 INRIA, France 2 ANSSI, France FSE 2014 - March 5, 2014 Canteaut, Fuhr, Gilbert,

507 views • 35 slides

More recommend