probabilistic slide cryptanalysis and its applications to
play

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and - PowerPoint PPT Presentation

Nov 15, 2022 •213 likes •712 views

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

  1. Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21

  2. Outline Introduction Slide Cryptanalysis Even-Mansour Scheme with a Single Key Probabilistic Slide Cryptanalysis Applications on LED-64 and Zorro Conclusion 2 / 21

  3. Introduction Slide Cryptanalysis Even-Mansour Scheme with a Single Key Probabilistic Slide Cryptanalysis Applications on LED-64 and Zorro Conclusion 3 / 21

  4. Iterated Block Cipher Block cipher: E K ( P ) : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n Iterated block cipher: · · · R k n − 1 R k 1 R k 2 R k 3 R k 4 R k n P C C = R k n ◦ · · · ◦ R k 2 ◦ R k 1 ( P ) 4 / 21

  5. Iterated Block Cipher with Periodic Subkeys R k 1 · · · R k m R k 1 · · · R k m · · · R k 1 · · · R k m P C 5 / 21

  6. Iterated Block Cipher with Periodic Subkeys R k 1 · · · R k m R k 1 · · · R k m · · · R k 1 · · · R k m P C { { { F k F k F k ◮ The cipher can be presented as a cascade of identical functions F k . 5 / 21

  7. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ 6 / 21

  8. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ P ′ = F k ( P ) 6 / 21

  9. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ P ′ = F k ( P ) C ′ = F k ( C ) (Slid pair) = ⇒ 6 / 21

  10. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ P ′ = F k ( P ) C ′ = F k ( C ) (Slid pair) = ⇒ Pr [ P ′ = F k ( P )] = 2 − n ( C ′ ) , P ′ = F k ( P )] = 2 − n > 2 − 2 n Pr [ C = F − 1 k ⇒ 2 n pairs (( P , C ) , ( P ′ , C ′ )) are expected to find a slid pair. = 6 / 21

  11. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ P ′ = F k ( P ) C ′ = F k ( C ) (Slid pair) = ⇒ Pr [ P ′ = F k ( P )] = 2 − n ( C ′ ) , P ′ = F k ( P )] = 2 − n > 2 − 2 n Pr [ C = F − 1 k ⇒ 2 n pairs (( P , C ) , ( P ′ , C ′ )) are expected to find a slid pair. = Typical countermeasures: Key-schedule or round constants. 6 / 21

  12. Slide Cryptanalysis [Biryukov Wagner 99] F k F k · · · F k F k P C P ′ F k F k · · · F k F k C ′ P ′ = F k ( P ) C ′ = F k ( C ) (Slid pair) = ⇒ Pr [ P ′ = F k ( P )] = 2 − n ( C ′ ) , P ′ = F k ( P )] = 2 − n > 2 − 2 n Pr [ C = F − 1 k ⇒ 2 n pairs (( P , C ) , ( P ′ , C ′ )) are expected to find a slid pair. = Typical countermeasures: Key-schedule or round constants. This Work: Probabilistic technique to overcome round constants in block ciphers based on the Even-Mansour scheme with a single key. 6 / 21

  13. Even-Mansour Scheme with a Single Key K K K K K K · · · · · · F 1 F i F s P C 7 / 21

  14. Even-Mansour Scheme with a Single Key K K K K K K · · · · · · F 1 F i F s P C R RC j R RC j + 1 R RC j + m · · · Known as Step ◮ Block ciphers like LED-64, PRINCE core , Zorro and PRINTcipher. 7 / 21

  15. LED-64 AddConstants SubCells ShiftRows MixColumns ⊕ ⊕ S S S S ⊕ ⊕ S S S S ⊕ ⊕ S S S S ⊕ ⊕ S S S S ◮ Presented at CHES 2011 [Guo et al 11] ◮ 64-bit block cipher and supports 64-bit key ◮ 6 steps ◮ Each step consists of four rounds. 8 / 21

  16. Zorro SubCells AddConstants ShiftRows MixColumns S S S S ⊕ ⊕ ⊕ ⊕ ◮ Presented at CHES 2013 [G´ erard et al 13] ◮ 128-bit block cipher and supports 128-bit key ◮ 6 steps ◮ Each step consists of four rounds 9 / 21

  17. Introduction Slide Cryptanalysis Even-Mansour Scheme with a Single Key Probabilistic Slide Cryptanalysis Applications on LED-64 and Zorro Conclusion 10 / 21

  18. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. 11 / 21

  19. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. 11 / 21

  20. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . 11 / 21

  21. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. 11 / 21

  22. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. ◮ Related-key differential usually has less active S-boxes and applicable on more rounds [Kelsey et al 97] . 11 / 21

  23. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. ◮ Related-key differential usually has less active S-boxes and applicable on more rounds [Kelsey et al 97] . ◮ But usually it is not a realistic model. 11 / 21

  24. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. ◮ Related-key differential usually has less active S-boxes and applicable on more rounds [Kelsey et al 97] . ◮ But usually it is not a realistic model. ◮ Probabilistic reflection attack is applicable on block ciphers with almost symmetric rounds [Soleimany et al 13] . 11 / 21

  25. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. ◮ Related-key differential usually has less active S-boxes and applicable on more rounds [Kelsey et al 97] . ◮ But usually it is not a realistic model. ◮ Probabilistic reflection attack is applicable on block ciphers with almost symmetric rounds [Soleimany et al 13] . ◮ But its application is limited to involutional block ciphers. 11 / 21

  26. Overview of Previous Attacks ◮ Slide cryptanalysis requires known plaintexts. ◮ But it is limited to the ciphers with identical rounds. ◮ Differential cryptanalysis is usually applicable on any round functions [Biham Shamir 90] . ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts. ◮ Related-key differential usually has less active S-boxes and applicable on more rounds [Kelsey et al 97] . ◮ But usually it is not a realistic model. ◮ Probabilistic reflection attack is applicable on block ciphers with almost symmetric rounds [Soleimany et al 13] . ◮ But its application is limited to involutional block ciphers. This Work Exploit previous ideas to take advantage of the positive properties and overcome the negative aspects! 11 / 21

  27. Probabilistic Slide Distinguisher K K K K K K F 1 F 2 · · · F s − 1 F s P C ∆ 0 ∆ 1 ∆ s-2 ∆ s-1 K P ′ F 1 F 2 · · · F s − 1 F s C ′ K K K K K ◮ Assume there exists a sequence of differences D = { ∆ 0 , . . . , ∆ s − 1 } such that Pr [ F r ( x ) ⊕ F r − 1 ( x ⊕ ∆ r − 2 ) = ∆ r − 1 ] = 2 − p r − 1 where 0 ≤ p r . ◮ A differential-type characteristic with input difference ∆ in = ∆ 0 and output difference ∆ out = ∆ s − 1 can be obtained with probability 2 − p = Π s − 1 r = 1 2 − p r . 12 / 21

  28. Probabilistic Slide Distinguisher K K K K K K · · · F s − 1 F 1 F 2 F s P C ∆ in ∆ out K P ′ · · · F s − 1 C ′ F 1 F 2 F s K K K K K P ′ ⊕ F 1 ( P ⊕ K ) = ∆ in 12 / 21

  29. Probabilistic Slide Distinguisher K K K K K K · · · F s − 1 F 1 F 2 F s P C ∆ in ∆ out K P ′ · · · F s − 1 C ′ F 1 F 2 F s K K K K K probability 2 − p P ′ ⊕ F 1 ( P ⊕ K ) = ∆ in ( C ′ ⊕ K ) = ∆ out C ⊕ F − 1 = ⇒ s 12 / 21

  30. Probabilistic Slide Distinguisher K K K K K K · · · F s − 1 F 1 F 2 F s P C ∆ in ∆ out K P ′ · · · F s − 1 C ′ F 1 F 2 F s K K K K K probability 2 − p P ′ ⊕ F 1 ( P ⊕ K ) = ∆ in ( C ′ ⊕ K ) = ∆ out C ⊕ F − 1 = ⇒ s Pr [ P ′ ⊕ F 1 ( P ⊕ K ) = ∆ in ] = 2 − n ( C ′ ⊕ K ) = ∆ out , P ′ ⊕ F 1 ( P ⊕ K ) = ∆ in ] = 2 − n − p Pr [ C ⊕ F − 1 s ⇒ 2 ( n + p ) pairs (( P , C ) , ( P ′ , C ′ )) are expected to find a right slid pair = 12 / 21

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and

Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and

Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems Itai Dinur 1 , Orr Dunkelman 1,2 , Nathan Keller 3 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute,

345 views • 33 slides
Memory-hard functions and tradeoff cryptanalysis with applications to password hashing,

Memory-hard functions and tradeoff cryptanalysis with applications to password hashing,

Memory-hard functions and tradeoff cryptanalysis with applications to password hashing, cryptocurrencies, and white-box cryptography Alex Biryukov Dmitry Khovratovich Johann Groschaedl University of Luxembourg 1 Introduction Passwords

2.82k views • 132 slides
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and

Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom March, 2017 www.iaik.tugraz.at Introduction In the case of AES, several alternative representations (algebraic representation [

627 views • 52 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Contents Slide 1 Some DSP Chip History Slide 2 Other DSP Manufacturers Slide 3 DSP

Contents Slide 1 Some DSP Chip History Slide 2 Other DSP Manufacturers Slide 3 DSP

Contents Slide 1 Some DSP Chip History Slide 2 Other DSP Manufacturers Slide 3 DSP Applications Slide 4 TMS320C6701 Evaluation Module (EVM) Slide 5 TMS320C6701 EVM Features Slide 6 EVM Stereo Codec Interface Slide 7 TMS320C6701

917 views • 23 slides
On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby perrin dot leo at gmail 4th of July 2017 Boolean Functions and Their Applications The content of this talk is based on joint works with Biryukov,

1.32k views • 108 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Graphical models Why All probabilistic inference and learning amount at repeated applications

Graphical models Why All probabilistic inference and learning amount at repeated applications

Graphical models Why All probabilistic inference and learning amount at repeated applications of the sum and product rules Probabilistic graphical models are graphical representations of the qualitative aspects of probability distribu-

551 views • 23 slides
AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide

AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide

Slide 1 / 139 Slide 2 / 139 AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide 3 / 139 Slide 4 / 139 Table of Contents Click on the topic to go to that section Introduction Sliding Blocks

745 views • 24 slides
Probabilistic Logic Programming and its Applications Luc De Raedt with many slides from Angelika

Probabilistic Logic Programming and its Applications Luc De Raedt with many slides from Angelika

Probabilistic Logic Programming and its Applications Luc De Raedt with many slides from Angelika Kimmig The Turing, London, September 11, 2017 1 A key question in AI: Dealing with uncertainty Reasoning with relational data ? Learning 2

2.19k views • 188 slides
Contents Slide 1-1 Some DSP Chip History Slide 1-2 Other DSP Manufacturers Slide 1-3 DSP

Contents Slide 1-1 Some DSP Chip History Slide 1-2 Other DSP Manufacturers Slide 1-3 DSP

Contents Slide 1-1 Some DSP Chip History Slide 1-2 Other DSP Manufacturers Slide 1-3 DSP Applications Slide 1-4 TMS320C6713 DSP Starter Kit (DSK) Slide 1-5 TMS320C6713 DSK Features Slide 1-6 TMS320C6713 Architecture Slide 1-7 Main

538 views • 27 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den

Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den

Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den Broeck University of California, Los Angeles based on joint AAAI-2020 and UAI-2019 tutorials with Antonio Vergari YooJung Choi University of

2.07k views • 177 slides
Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv University and CNRS, ENS-Paris)

Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv University and CNRS, ENS-Paris)

Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 20/2/2012 Learning a Parallelepiped: Bar-Ilan University Dept. of Computer Science Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv

422 views • 29 slides
AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide

AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide

Slide 1 / 139 Slide 2 / 139 AP Physics C - Mechanics Dynamics - Applications of Newtons Laws 2015-12-03 www.njctl.org Slide 3 / 139 Table of Contents Click on the topic to go to that section Introduction Sliding Blocks Fixed

695 views • 47 slides
Computing the throughput of probabilistic and replicated streaming applications Anne Benoit,

Computing the throughput of probabilistic and replicated streaming applications Anne Benoit,

Intro Framework TEGs Computing Comparison Conclusion Computing the throughput of probabilistic and replicated streaming applications Anne Benoit, Fanny Dufoss e, Matthieu Gallet, Bruno Gaujal and Yves Robert Laboratoire de

1.09k views • 96 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Probabilistic Context-Free Grammars Zipfs Law Informatics 2A: Lecture 19 2 Probabilistic

Probabilistic Context-Free Grammars Zipfs Law Informatics 2A: Lecture 19 2 Probabilistic

Motivation Motivation Probabilistic Context-Free Grammars Probabilistic Context-Free Grammars Applications Applications 1 Motivation Ambiguity Coverage Probabilistic Context-Free Grammars Zipfs Law Informatics 2A: Lecture 19 2

178 views • 7 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
PRAMEA Probabilistic risk assessment method development and applications Presentation at the

PRAMEA Probabilistic risk assessment method development and applications Presentation at the

PRAMEA Probabilistic risk assessment method development and applications Presentation at the SAFIR2018 research programme final seminar, Hanasaari 21.3.2019 1 25.3.2019 VTT beyond the obvious HRA and advanced control rooms

341 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides

More recommend