new slide attacks on almost self similar ciphers
play

New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, - PowerPoint PPT Presentation

Feb 28, 2024 •415 likes •819 views

Intro SelfSimilar New Summary New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi Shamir Eurocrypt 2020 Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 1/ 28 Intro SelfSimilar

  1. Intro SelfSimilar New Summary New Slide Attacks on Almost Self-Similar Ciphers Orr Dunkelman, Nathan Keller, Noam Lasry, Adi Shamir Eurocrypt 2020 Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 1/ 28

  2. Intro SelfSimilar New Summary Outline 1 Introduction Slide Attacks Generating Slid Pairs Several Applications of Slide Attacks 2 Attacking Self-Similar SPNs Attacking 1K-AES The Problem of Sliding an SPN The Problem of Sliding AES (and others) 3 New Techniques for Slide Attacks Slid Sets Hypercube of Slid Pairs Suggestive Plaintext Structures Substitution Slide Attack 4 Summary and Conclusions Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 2/ 28

  3. Intro SelfSimilar New Summary Slide Pairs Applications Slide Attacks [BW99] K P Q K k f Q ◮ Adaptation of Related-Key Attacks = f k k f [B93,K92] to the case where the key is self-related. = f k k f ◮ Can be applied to ciphers with the = f k k f same keyed permutation. . . . . . . . . . ◮ Independent in the number of rounds of the cipher. = f k k f C C f k D Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 3/ 28

  4. Intro SelfSimilar New Summary Slide Pairs Applications Slide Attacks [BW99] (cont.) ◮ Slid pair satisfies � Q = f k ( P ) , (1) D = f k ( C ) , ◮ Slide attacks are composed of two main steps: ◮ Find such a slid pair, ◮ Use slid pair to extract key. ◮ Actually, in many attacks the way to verify that a given pair is a slid pair, is to verify that it suggested the correct key. Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 4/ 28

  5. Intro SelfSimilar New Summary Slide Pairs Applications Generating Slid Pairs ◮ At random (pick 2 n / 2 known plaintexts for n -bit block), ◮ For Feistels of different types, one can find pairs: ◮ 1K-DES — in 2 n / 4 chosen plaintexts [BW99], ◮ 2K-DES — in 2 n / 4 chosen plaintexts or 2 n / 4 chosen ciphertexts [BW00], ◮ 4K-DES — in 2 n / 4 chosen plaintexts and ciphertexts [BW00]. Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 5/ 28

  6. Intro SelfSimilar New Summary Slide Pairs Applications Generating Slid Pairs — Chains [F01] ◮ Given a slid pair ( P , Q ), their ciphertexts ( C , D ) are also a slid pair! ◮ Actually, if ( P , Q ) are slid pairs, so does ( E ℓ k ( P ) , E ℓ k ( Q )) for any ℓ . ◮ This is useful when the attack of f ( · ) requires more than a single slid pair. Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 6/ 28

  7. Intro SelfSimilar New Summary Slide Pairs Applications Other Extensions and Generalizations ◮ Slide detection using cycles [BDK07] ◮ Reflection attacks [K08] ◮ Slidex [DKS12] ◮ Quantum slide attacks [B+18] Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 7/ 28

  8. Intro SelfSimilar New Summary Slide Pairs Applications Several Applications of Slide Attacks ◮ 1K-DES, 2K-DES, 4K-DES ([BW99,BW00]) ◮ 3K-DES ([B+18]) ◮ 1K-AES ([B+18]) ◮ Misty1 ([DK15]) ◮ KeeLoq ([I+08,C+08,. . . ]) ◮ FF3 ([DV17,HMT19]) Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 8/ 28

  9. Intro SelfSimilar New Summary 1K-AES Problem Problem2 A Generic SPN (1K-AES) ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❦ ❦ ❦ ❦ ❦ ❦ ❦ ❦ ❦ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ ▲ P ❙ ❆ ❙ ❆ ❙ ❆ ❙ ❙ ❙ ❆ ❆ ❆ ❈ ❈ ❈ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ✁ ◮ If ( P , Q ) are a slid pair, then Q = A ( S ( K ( P ))) = A ( S ( P ⊕ k )) which can be re-written as P ⊕ k = S − 1 ( A − 1 ( Q )) ◮ As S and A are unkeyed, we can easily compute Q ′ = S − 1 ( A − 1 ( Q )). Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 9/ 28

  10. Intro SelfSimilar New Summary 1K-AES Problem Problem2 A Slide Attack on 1K-AES [B+18] ◮ Take 2 n / 2 known plaintexts. ◮ A slid pair ( P , Q ) (and corresponding ciphertext ( C , D )) satisfies: � Q = A ( S ( P ⊕ k )) (2) D = A ( S ( C )) ⊕ k ◮ Or in other words: P ⊕ Q ′ = k = D ⊕ A ( S ( C )) ◮ Which allows immediate identification (as P ⊕ A ( S ( C )) = Q ′ ⊕ D ). Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 10/ 28

  11. Intro SelfSimilar New Summary 1K-AES Problem Problem2 The Basic Assumption of Slide Attacks ◮ All the round functions are the same, Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 11/ 28

  12. Intro SelfSimilar New Summary 1K-AES Problem Problem2 The Basic Assumption of Slide Attacks ◮ All the round functions are the same, ◮ It is possible to generate chains (because of the previous assumption). Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 11/ 28

  13. Intro SelfSimilar New Summary 1K-AES Problem Problem2 The Basic Assumption of Slide Attacks ◮ All the round functions are the same, ◮ It is possible to generate chains (because of the previous assumption). Problem: in SPNs the last round is different! Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 11/ 28

  14. Intro SelfSimilar New Summary 1K-AES Problem Problem2 Last Round Function ⇒ No Slid Chains k k k � � A ( S ( X )) � P : X C C S A S A K K X � = K k k k Q : X � � D (= k ⊕ A ( S ( X ⊕ k ))) � S A D S A K K Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 12/ 28

  15. Intro SelfSimilar New Summary 1K-AES Problem Problem2 Not All SPNs are the Same ◮ Many SPNs have a different last round, Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 13/ 28

  16. Intro SelfSimilar New Summary 1K-AES Problem Problem2 Not All SPNs are the Same ◮ Many SPNs have a different last round, ◮ For example, AES has no MixColumns in the last round. ◮ This complicates things even more — the relation between the ciphertexts of the slid pair is more complicated! Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 13/ 28

  17. Intro SelfSimilar New Summary 1K-AES Problem Problem2 Not All SPNs are the Same ◮ Many SPNs have a different last round, ◮ For example, AES has no MixColumns in the last round. ◮ This complicates things even more — the relation between the ciphertexts of the slid pair is more complicated! ◮ Consider 1K-AES with the last round without MixColumns. Then  Q = ARK ( MC ( SR ( SB ( P ))))  

  18. Intro SelfSimilar New Summary 1K-AES Problem Problem2 Not All SPNs are the Same ◮ Many SPNs have a different last round, ◮ For example, AES has no MixColumns in the last round. ◮ This complicates things even more — the relation between the ciphertexts of the slid pair is more complicated! ◮ Consider 1K-AES with the last round without MixColumns. Then  Q = ARK ( MC ( SR ( SB ( P ))))  ⇒ (3) D = ARK ( SR ( SB ( ARK ( MC ( ARK ( C ))))))  Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 13/ 28

  19. Intro SelfSimilar New Summary SlidSets Hypercube Suggestive Substitution Slid Sets ◮ A slid set is composed of two λ -structures {P} and {Q} such that f k ( {P} ) = {Q} ◮ In other words, we obtain 2 s ( s -bit S-boxes) slid pairs from each such set. ◮ This increases the signal that can be used for detecting slid sets! Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 14/ 28

  20. Intro SelfSimilar New Summary SlidSets Hypercube Suggestive Substitution Slid Sets for Attacking 2K-AES ◮ Take λ -set of plaintexts {P} i (e.g., saturate the input of S-box 0). ◮ Ask for their encryption to obtain {C} i . ◮ Construct the sets {Q} j (such that S − 1 ( A − 1 ( {Q} j )) is a λ -set). ◮ Ask for their encryption to obtain {D} j . ◮ Try to match the slid set ( {C} i , {D} j ). Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 15/ 28

  21. Intro SelfSimilar New Summary SlidSets Hypercube Suggestive Substitution Matching the Slid Sets ◮ Apply A ( S ( {C} i )) to obtain { ˜ C} i . ◮ “Swap” the order of K and A in {D} j . ◮ For a slid set A − 1 {D} j = S ( ˜ {C} i ⊕ k )) ⊕ A ( k ) . ◮ This actually “breaks” the last two rounds into several independent S-boxes. Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 16/ 28

  22. Intro SelfSimilar New Summary SlidSets Hypercube Suggestive Substitution Matching the Slid Sets ◮ Apply A ( S ( {C} i )) to obtain { ˜ C} i . ◮ “Swap” the order of K and A in {D} j . ◮ For a slid set A − 1 {D} j = S ( ˜ {C} i ⊕ k )) ⊕ A ( k ) . ◮ This actually “breaks” the last two rounds into several independent S-boxes. ◮ We just need to link the sets without guessing the key k . ◮ Luckily, we can count multiplicities of different values in each S-box [DKS10]. Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 16/ 28

  23. Intro SelfSimilar New Summary SlidSets Hypercube Suggestive Substitution Hypercube of Slid Pairs ◮ Consider a slid pair ( P , Q ). ◮ Change the input of P to some S-box (e.g., 0). ◮ The change in the value after one round is inside an affine space of size 2 s . ◮ So, from a slid pair ( P , Q ), we can “generate” a second pair ( P i ⊕ a , Q j ⊕ A ( a ′ )). † Orr Dunkelman New Slide Attacks on Almost Self-Similar Ciphers 17/ 28

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der

Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der

Feasibility of attacks against weak SSL/TLS ciphers Kim van Erkelens Supervisors: Jeroen van der Ham & Marc Smeets Master System and Network Engineering University of Amsterdam 2 July 2014 Introduction Motivation Ciphers like DES and

544 views • 18 slides
Slide 4 / 252 Throughout this unit, the Standards for Mathematical Practice are used. MP1:

Slide 4 / 252 Throughout this unit, the Standards for Mathematical Practice are used. MP1:

Slide 1 / 252 Slide 2 / 252 Geometry Similar Triangles & Trigonometry 2015-10-22 www.njctl.org Slide 3 / 252 Table of Contents click on the topic to go to that section Problem Solving with Similar Triangles Similar Triangles and

1.83k views • 131 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
Problem Solving with Similar and Right Triangles Triangles Three basic approaches to real world

Problem Solving with Similar and Right Triangles Triangles Three basic approaches to real world

Slide 1 / 252 Slide 2 / 252 Geometry Similar Triangles & Trigonometry 2015-10-22 www.njctl.org Slide 3 / 252 Slide 4 / 252 Table of Contents Throughout this unit, the Standards for Mathematical Practice are used. click on the topic to

906 views • 42 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems, School of ICT, KTH - Royal Institute of Technology, Stockholm Email:{shsm,dubrova}@kth.se

457 views • 17 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in First Asian Workshop on Symmetric Key Cryptography ASK 2011, 30th August 2011 isilogo Palash

1.76k views • 148 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for

Algebraic Attacks on Stream Ciphers Trial Lecture Rune Steinsmo degrd Centre for Quantifiable Quality of Service in Communication Systems Centre of Excellence NTNU, Norway NTNU, Trondheim, 2012-04-23 www.q2s.ntnu.no Rune Steinsmo

716 views • 49 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
ISC09, Pisa, Italy Outline Outline Contributions 2 Attacks Target Ciphers: RC6, ERC6 and

ISC09, Pisa, Italy Outline Outline Contributions 2 Attacks Target Ciphers: RC6, ERC6 and

A New Approach to 2 Cryptanalysis of Block Ciphers Jorge Nakahara Jr 1 , Daniel Santana de Freitas 2 , Gautham Sekar 4 , 5 , Chang Chiann 3 , Ramon Hugo de Souza 2 , Bart Preneel 4 , 5 1 EPFL, Lausanne, Switzerland jorge.nakahara@epfl.ch 2

556 views • 18 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology

T-79.514 Special Course on Cryptology November 25 th , 2004 Algebraic Attacks and Stream Ciphers Mikko Kiviharju Helsinki University of Technology mkivihar@cc.hut.fi T-79.514 Special Course on Cryptology Mikko Kiviharju 1 Overview

493 views • 28 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides

More recommend