practical cryptanalysis of armadillo 2
play

Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and - PowerPoint PPT Presentation

Dec 28, 2022 •394 likes •846 views

The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological

  1. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar´ ıa Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological University - Singapore FSE 2012 Washington - March 19, 2012

  2. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  3. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  4. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion What is ARMADILLO-2 ? • ARMADILLO-2 is a lightweight , multi-purpose cryptographic primitive published by Badel et al. at CHES 2010 • in the original article, ARMADILLO-1 is proposed but the authors identified a security issue and advised to use ARMADILLO-2 • ARMADILLO-2 is • a FIL-MAC • a stream-cipher • a hash function • they are all based on an internal function that uses data-dependent bit transpositions • 5 different parameters sizes defined

  5. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state Q A ( B ) A B

  6. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 Q A ( B ) A 1 − → apply σ 1 and xor B

  7. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 Q A ( B ) A 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  8. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  9. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  10. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 1010 · · · 10 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 1 − → apply σ 1 and xor 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  11. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A 1010 · · · 10 • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 1010 · · · 10 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  12. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The ARMADILLO-2 compression function C ′ • two inputs: - the chaining variable C - the message block M Y • one output: - the chaining variable C ′ Q X ( C || M ) X Q M ( C || M ) M C M C M

  13. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The ARMADILLO-2 compression function k c m C ′ 128 80 48 192 128 64 Y 240 160 80 288 192 96 384 256 128 Q X ( C || M ) X Q M ( C || M ) M C M C M

  14. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Cryptanalysis of ARMADILLO-2 Abdelraheem et al. (ASIACRYPT 2011): • key recovery attack on the FIL-MAC • key recovery attack on the stream cipher • (second)-preimage attack on the hash function ... but computation and memory complexity is very high , often close to the generic complexity (example 256-bit preimage with 2 208 computations and 2 205 memory or 2 249 computations and 2 45 memory) We provide very practical attacks (only a few operations): • distinguisher and related-key recovery on the stream cipher • free-start collision on the compression function (chosen-related IVs) • semi-free-start collision on the compression/hash function (chosen IV)

  15. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion First tools For two random k -bit words A and B of Hamming weight a and b respectively, the probability that HAM ( A ∧ B ) = i is � a �� k − a � b �� k − b � � i b − i i a − i P and ( k , a , b , i ) = = . � k � k � � b a For two random k -bit words A and B of Hamming weight a and b respectively, the probability that HAM ( A ⊕ B ) = i is P and ( k , a , b , a + b − i � ) for ( a + b − i ) even 2 P xor ( k , a , b , i ) = 0 for ( a + b − i ) odd

  16. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  17. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side C ′ Y Q X ( C || M ) X Q M ( C || M ) M C M C M

  18. b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side M ∆ M = 0 C M HAM (∆ C ) = 1 ∆ M = 0

  19. b b b b b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side HAM (∆ X ) = 1 M ∆ M = 0 C M HAM (∆ C ) = 1 ∆ M = 0 We have HAM (∆ X ) = 1 with probability 1

  20. b b b b b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side ∆ X = 0 . . . 01 ∆ M = 0 M C M HAM (∆ C ) = 1 ∆ M = 0 We have ∆ X = 0 . . . 01 with probability P X = 1 k

  21. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - left side C ′ Y Q X ( C || M ) X Q M ( C || M ) M C M C M

  22. b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - left side C ′ Y X ∆ X = 0 . . . 01 C M HAM (∆ C ) = 1 ∆ M = 0

Recommend

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales long claws for digging, and a long black tail. The nine-banded armadillo prefers to build burrows in moist soil near the creeks, streams, and

231 views • 7 slides
Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider

Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider

Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider Sweeper Overview Armadillo 9XR Created for the toughest applications An extremely robust machine with excellent sweeping power even under the

508 views • 15 slides
Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2

Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2

Context Our Contribution Conclusion Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2 Jean-S Mehdi Tibouchi 2 Ralf Philipp Weinmann 1 1 Universit e du Luxembourg 2 Ecole normale sup erieure

1.13k views • 73 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction

Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction

Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction Libraries comparison Features History API Structural Representation Functionality overview Evaluation Conclusion 2 Armadillo by

418 views • 18 slides
CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope, Technology, and Future of CrypTool 1.4.xx Prof. Bernhard Esslinger and the CrypTool Team www.cryptool.org (Updated: 19 September 2017, with release CT

1.22k views • 121 slides
Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing

Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing

Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps Today Motivation Accelerate Framework BLAS & LAPACK Armadillo Library Algorithm Software Architecture

942 views • 47 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides

More recommend