Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints
Danping Shi (1), Siwei Sun (1), Patrick Derbez (2), Yosuke Todo (3), Bing Sun (4), Lei Hu (1)
(1) Institute of Information Engineering, Chinese Academy of Sciences, China
(2) Univ Rennes, CNRS, IRISA, France
(3) NTT Secure Platform Laboratories, Japan
(4) College of Liberal Arts and Sciences, National University of Defense Technology, China
Asiacrypt 2018, 2018.12.4

Outline
1 Introduction
2 Modelling the MITM attack
3 Applications in Design
4 Conclusion

1 Introduction
Description of Demirci-Selçuk MITM

Demirci-Selçuk MITM Attack
Demirci-Selçuk MITM, FSE 2008 [DS08].
Various creative techniques: differential enumeration, key bridging, key-dependent sieve, ... [DKS10, DFJ13, DF13, DF16, LJ16]
General model, dedicated search algorithm [LWWZ13, DF13, DF16]

Automatic searching methods
MILP, CP, SAT, SMT
Differential, linear, integral, 3-subset MITM, ... [KLT15, SHW+14, ST17, CJF+16, XZBL16, GMS16, Sas18]

MITM Distinguisher
$\delta(A)$-set: $\{P^0, P^1, \ldots, P^{N-1}\}$
[Figure: $\{P^0, P^1, \ldots, P^{N-1}\}$ at $A$ -> $E$ -> $\{C^0, C^1, \ldots, C^{N-1}\}$ at $B$]
$\Delta_E(A, B)$: $\{C^0[B] \oplus C^1[B],\ C^0[B] \oplus C^2[B],\ \ldots,\ C^0[B] \oplus C^{N-1}[B]\}$

Distinguisher of MITM
Random: $N_R$
Block cipher: $N_E$ (saved into a hash table)
Condition: $N_E < N_R$
Distinguisher: $(A, B, N_E)$
[Figure: $A$ -> $E$ -> $B$, annotated with $N_R$ and $N_E$]

Key Recovery Attack of MITM
A cipher is divided into three keyed permutations: $E_0$, $E_1$, $E_2$.
Construct the distinguisher $(A, B, N_E)$ at $E_1$.
[Figure: state$_0$ -> $E_0$ -> state$_{2r_0}$ ($A$) -> $E_1$ -> state$_{2(r_0+r_1)}$ ($B$) -> $E_2$ -> state$_{2(r_0+r_1+r_2)}$]

2 Modelling the MITM attack
Modelling the Distinguisher
Modelling the Key-Recovery Process

Variables
Var(X) describes the forward differential.
Var(Y) describes the backward determination.
Var(Z) models the relation between Var(X) and Var(Y).
[Figure: the cipher drawn as state$_0$, $E_0$, state$_{2r_0}$, $E_1$, state$_{2(r_0+r_1)}$, $E_2$, state$_{2(r_0+r_1+r_2)}$, annotated in that order with the variable types M; X, Y, Z, M; X, Y, Z; X, Y, Z, W; W]

Forward differential: variables Var(X)
Var(X): $X_r[j] = 0$ iff $P^0_r[j] \oplus P^i_r[j] = 0$, $\forall i \in \{1, \ldots, N-1\}$.
Var(X) for state 0: $X_0[j] = 1$ iff $j$ is in $A$.
$X_r$ propagates to $X_{r+1}$ with probability 1.
[Figure: three rounds; round $r$ maps state $2r$ -> NL -> state $2r+1$ -> L, $k_r$ -> state $2r+2$ for $r = 0, 1, 2$; $A$ marks state 0]

Property of forward differential
values of $P^0$ at the yellow states
$\Downarrow$
$P^0_6 \oplus P^i_6$, $\forall i \in \{1, 2, \ldots, N-1\}$
$\{P^0[A_{2r}]\}_{r \in \{1, 2\}}$ determine $P^0_6 \oplus P^i_6$
[Figure: the same three-round diagram, state 0 ($A$) to state 6, with some states highlighted in yellow]
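
The distinguisher condition $N_E < N_R$ and the property above (a few internal values of $P^0$ fix the whole difference sequence) can be checked by brute force on a small cipher. The following is an added example, not code from the talk or the paper: the 2-nibble, 2-round cipher, its key layout and the choice $A = B = \{\text{nibble } 0\}$ are constructed for illustration, and the tuple `(x, u0, u1)` plays the role of the highlighted values of $P^0$.

```python
from itertools import product

# Constructed toy cipher (not from the slides): 2 nibbles, 2 rounds, PRESENT S-box.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def encrypt(a, b, key):
    """Each round: key addition, S-box on both nibbles, then (a, b) -> (a ^ b, a).
    Returns output nibble 0 and the active S-box inputs (x, u0, u1)."""
    k0, k1, k2, k3 = key
    x = a ^ k0                      # active S-box input in round 0
    a, b = SBOX[x], SBOX[b ^ k1]
    a, b = a ^ b, a
    u0, u1 = a ^ k2, b ^ k3         # active S-box inputs in round 1
    return SBOX[u0] ^ SBOX[u1], (x, u0, u1)

def delta_sequence(key, b=0):
    """Delta_E(A, B): C^0[B] ^ C^i[B] for i = 1..15, where P^i[A] = i and P^0[A] = 0."""
    c0, internal = encrypt(0, b, key)
    seq = tuple(c0 ^ encrypt(i, b, key)[0] for i in range(1, 16))
    return seq, internal

def precompute():
    """Offline phase: table from the internal values of P^0 to the sequence they produce.
    The flag is True if equal internal values always gave the same sequence, for every key."""
    table, consistent = {}, True
    for key in product(range(16), repeat=4):
        seq, internal = delta_sequence(key)
        consistent &= table.setdefault(internal, seq) == seq
    return table, consistent

N_R = 16 ** 15  # 15 nibble differences: sequences available to a random function

if __name__ == "__main__":
    table, consistent = precompute()
    n_e = len(set(table.values()))
    print("keys tried:", 16 ** 4, "internal value tuples:", len(table))
    print("N_E =", n_e, " N_R = 2^60, consistent:", consistent)
```

All $2^{16}$ keys collapse onto at most $16^3$ sequences because the sequence depends on the key only through the three internal nibbles, which is what makes the hash table small enough to store.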

Forward differential: examples for Var(X)
$X_r[j] = 0$ iff $P^0_r[j] \oplus P^i_r[j] = 0$, $\forall i \in \{1, \ldots, N-1\}$.
[Figure: example with variables $x_0, x_1, x_2, x_3$ and three S-boxes $S$]
$x_2 = x_0$
$x_0 + x_1 \geq x_3$
$x_0 + x_1 \leq 2x_3$
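
The constraints above can be exercised directly. This is an added example, not code from the talk or the paper: it enumerates the 0/1 solutions of the two XOR inequalities, propagates Var(X) through a constructed 4-nibble toy cipher (the S-box choice, the linear layer `LIN` and the keys are assumptions), and checks on concrete $\delta(A)$-sets that every word the model flags with $X = 0$ really has zero difference. Index `r` of the returned trail corresponds to state $2r$ on the slides.

```python
from itertools import product

# Constructed toy cipher (not from the slides): 4 nibbles, PRESENT S-box as NL.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
LIN = [(0, 1), (1,), (2, 3), (0, 3)]  # L: output word j = XOR of the listed input words

def xor_solutions():
    """All 0/1 triples (x0, x1, x3) allowed by x0 + x1 >= x3 and x0 + x1 <= 2*x3."""
    return [(x0, x1, x3) for x0, x1, x3 in product((0, 1), repeat=3)
            if x0 + x1 >= x3 and x0 + x1 <= 2 * x3]

def propagate_x(active, rounds):
    """Var(X) after each round: NL copies the flag (x2 = x0), each XOR in L takes the OR."""
    x = [1 if j in active else 0 for j in range(4)]
    trail = [x]
    for _ in range(rounds):
        x = [max(x[i] for i in LIN[j]) for j in range(4)]
        trail.append(x)
    return trail

def encrypt_states(p, keys):
    """Concrete states after each round (NL, then L, then key addition)."""
    states = [list(p)]
    for k in keys:
        s = [SBOX[w] for w in states[-1]]
        t = list(k)
        for j in range(4):
            for i in LIN[j]:
                t[j] ^= s[i]
        states.append(t)
    return states

def model_is_sound(active, keys, base=(3, 7, 1, 9)):
    """True if every word flagged X_r[j] = 0 has zero difference over the whole delta(A)-set."""
    trail = propagate_x(active, len(keys))
    ref = encrypt_states(base, keys)
    for vals in product(range(16), repeat=len(active)):
        p = list(base)
        for pos, v in zip(sorted(active), vals):
            p[pos] = v
        cur = encrypt_states(p, keys)
        for r, flags in enumerate(trail):
            if any(f == 0 and ref[r][j] != cur[r][j] for j, f in enumerate(flags)):
                return False
    return True
```

The four surviving triples are exactly the truth table of $x_3 = x_0 \lor x_1$, which is the probability-1 rule: an XOR output is only guaranteed difference-free when both inputs are.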