1. Shengbao Wu^{1,3}, Hongjun Wu^2, Tao Huang^2, Mingsheng Wang^4, and Wenling Wu^1
   1 Institute of Software, Chinese Academy of Sciences, China
   2 Nanyang Technological University, Singapore
   3 Graduate School of Chinese Academy of Sciences, China
   4 Institute of Information Engineering, Chinese Academy of Sciences, China

2. Outline
• Introduction
• A Basic Leaked-State-Forgery Attack on ALE
• Optimized Attack
• Effect of Removing the Whitening Key Layer
• Experiments on a Reduced Version of ALE
• Conclusion


4. Introduction: Authenticated Encryption
• Authenticated encryption: composition of encryption and message authentication
  • Encrypt-then-MAC (IPsec)
  • MAC-then-Encrypt (TLS)
  • Encrypt-and-MAC
• Examples of authenticated encryption schemes: OCB, CCM, GCM, EAX, McOE, ALE, …

5. Introduction: Authenticated Encryption Algorithm ALE
• ALE (Authenticated Lightweight Encryption)
• Designed by Andrey Bogdanov et al. (FSE 2013)
• Based on AES-128
• Combines the ideas of LEX and Pelican MAC
• Lightweight: 2579 GE
• For low-cost embedded systems
• Efficient with AES-NI

6. Introduction: ALE Encryption and Authentication
• Processing of the associated data and of the last partial block is omitted

7. Introduction: LEX Leak for ALE Encryption
• Processing one plaintext block:
  • A whitening key is XORed with the data state
  • Four-round AES-128 encryption
  • The leaked keystream is XORed with the plaintext block
  • 5 round keys are used!
• Positions of the leaked bytes

8. Introduction: ALE Security Claims
• Claim 1. State recovery: state recovery with complexity t data blocks succeeds with probability at most t · 2^-128.
• Claim 2. Key recovery: key recovery with complexity t data blocks succeeds with probability at most t · 2^-128, even if the state is recovered.
• Claim 3. Forgery without state recovery: a forgery not involving key/state recovery succeeds with probability at most 2^-128.

9. Introduction: Cryptanalysis of ALE
• Khovratovich and Rechberger's attack (SAC 2013)
  • Forgery attack
    • Bytes are leaked after SubBytes – a variant of ALE. The actual leak in ALE is before SubBytes
    • Complexity is from 2^102 to 2^119 depending on the amount of data
  • State recovery attack
    • Requires 2^120 forgery attempts of 48-byte messages

10. Outline
• Introduction
• A Basic Leaked-State-Forgery Attack on ALE
  • The main idea of the attack
  • Finding a differential characteristic
  • Launching the forgery attack
• Optimized Attack
• Effect of Removing the Whitening Key Layer
• Experiments on a Reduced Version of ALE
• Conclusion

11. Basic Attack: The Main Idea of the Attack
Property 1
• For an active S-box, if the value of an input and the input (resp. output) difference are known, the output (resp. input) difference is known with probability 1.
• In ALE, 4 state bytes are leaked at the end of every round
• It is possible to bypass some active S-boxes with probability 1!

  12. Basic Attack: An example of 1-4-16-4 differential characteristic

13. Basic Attack: An example of 1-4-16-4 differential characteristic
• Input difference Δ_in: a single active byte with value 0x96; the other 15 state bytes are zero
• Output difference Δ_out: eight nonzero bytes (among them 0xDE, 0x82 and 0x55) and eight zero bytes
• Keystream difference Δ_s: nonzero in several of the 16 leaked bytes, zero in the last four positions

14. Basic Attack: Launching the Forgery Attack
• Determine the possible values of the leaked bytes. Store the values in a table T
  • Example: for one active S-box of the characteristic, the leaked-byte values consistent with its input and output differences are 0xf3 or 0xc6
• Find a keystream block s_i which falls into one of the possible values of table T
• Modify the ciphertext blocks: c'_{i-1} = c_{i-1} ⊕ Δ_in, c'_i = c_i ⊕ Δ_out ⊕ Δ_s
• Send the modified ciphertext for decryption/verification
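Property 1 (slide 11) and the table T of slide 14 both rest on the difference distribution table of the AES S-box. The following is an added example, not code from the presentation: it builds the AES S-box from its FIPS-197 definition, shows that a known input value plus a known input difference fixes the output difference, and enumerates the input values consistent with a given (d_in, d_out) pair, which is what table T stores for each active leaked byte. The pair (d_in, d_out) used in main() is constructed for illustration and is not taken from the slides.

```python
"""Property 1 and the leaked-byte table T, worked on the AES S-box.

Added example (not the presentation's code). The S-box is generated from
the FIPS-197 definition rather than typed in; the (d_in, d_out) pair in
main() is a constructed illustration, not a value from the slides."""


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (this also maps 0 to 0, as AES requires)."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def build_aes_sbox() -> list:
    """The AES S-box: GF(2^8) inverse followed by the FIPS-197 affine map."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


AES_SBOX = build_aes_sbox()


def output_difference(x: int, d_in: int) -> int:
    """Property 1: with the input value x and input difference d_in known,
    the S-box output difference is determined (probability 1)."""
    return AES_SBOX[x] ^ AES_SBOX[x ^ d_in]


def leaked_byte_table(d_in: int, d_out: int) -> list:
    """Table T of slide 14: every input value x for which the pair
    (x, x ^ d_in) maps input difference d_in to output difference d_out.
    The table is closed under x -> x ^ d_in, so it has 0, 2 or 4 entries."""
    return [x for x in range(256) if output_difference(x, d_in) == d_out]


def ddt_row(d_in: int) -> list:
    """One row of the difference distribution table: for fixed d_in, how
    many of the 256 inputs produce each output difference."""
    row = [0] * 256
    for x in range(256):
        row[output_difference(x, d_in)] += 1
    return row


def row_profiles() -> set:
    """(#zero, #two, #four) entries per nonzero DDT row. For the AES S-box
    every row is the same: 129 impossible output differences, 126 with two
    solutions (probability 2^-7) and one with four (probability 2^-6); these
    are the two S-box probabilities the deck works with."""
    return {tuple(ddt_row(d).count(k) for k in (0, 2, 4)) for d in range(1, 256)}


def main() -> None:
    d_in = 0x35                               # constructed example pair
    d_out = output_difference(0xF3, d_in)
    table = leaked_byte_table(d_in, d_out)
    print(f"d_in=0x{d_in:02x} d_out=0x{d_out:02x} -> leaked byte must be one of",
          [hex(v) for v in table], f"(probability {len(table)}/256)")
    print("DDT row profiles (zeros, twos, fours):", row_profiles())


if __name__ == "__main__":
    main()
```

Running it shows why a keystream block that "falls into table T" is a strong filter: for each active leaked byte only two (or four) of the 256 values are admissible, which is where the per-byte factors 2^-7 and 2^-6 on slide 15 come from.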

15. Basic Attack: Launching the Forgery Attack
• In decryption/verification:
  • Δm_{i-1} = (c_{i-1} ⊕ s_{i-1}) ⊕ (c'_{i-1} ⊕ s'_{i-1}) = Δ_in, because Δs_{i-1} = 0
  • Δm_i = (c_i ⊕ s_i) ⊕ (c'_i ⊕ s'_i) = Δ_out, because c_i ⊕ c'_i = Δ_out ⊕ Δ_s and s_i ⊕ s'_i = Δ_s
  • When Δm_{i-1} is introduced into the data state, after four rounds Δm_i will cancel the difference in the state
• Complexity of the attack
  • Before considering the leaked bytes: 2^{-6×16 + (-7)×9} = 2^-159
  • 8 active leaked bytes: 5 with prob. 2^-7, 3 with prob. 2^-6
  • Overall probability: 2^-159 × 2^{7×5} × 2^{6×3} = 2^-106
  • Number of known plaintext blocks: 2^{6×8}/128 = 2^41

16. Outline
• Introduction
• A Basic Leaked-State-Forgery Attack on ALE
• Optimized Attack
  • Improving the differential probability
  • Reducing the number of known plaintext blocks
• Effect of Removing the Whitening Key Layer
• Experiments on a Reduced Version of ALE
• Conclusion

17. Improving the Differential Probability
Lemma 1
• The number of active S-boxes of any two-round AES differential characteristic is lower bounded by 5N, where N is the number of active columns in the first round.
• Use the Mixed-Integer Linear Programming (MILP) technique [Mouha, Wang, Gu, Preneel '11] to study the smallest number of effective active S-boxes
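The 5N bound of Lemma 1 is the branch number of AES MixColumns: for any nonzero column difference, the active bytes entering and leaving MixColumns number at least 5, and summing over the N active columns gives 5N. The block below is an added example, not code from the presentation. It checks the branch number exhaustively for columns with one or two active bytes, then counts active S-boxes over two rounds for random state differences and verifies count ≥ 5N. It reads N as the number of active columns at the MixColumns input of round 1 (my reading of "active columns in the first round"); the sample differences are randomly constructed.

```python
"""Lemma 1 (slide 17) checked on AES MixColumns.

Added example, not the presentation's code. Differences are taken at the
output of round-1 SubBytes: SubBytes changes values but never which bytes
are active, so the count of active S-boxes depends only on the pattern.
N = number of active columns entering MixColumns (an assumption about
the lemma's wording). Sample state differences are random, not from the
slides."""

import random
from itertools import combinations, product


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) with the AES reduction polynomial."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


MUL2 = [_xtime(a) for a in range(256)]
MUL3 = [_xtime(a) ^ a for a in range(256)]


def mix_column(col):
    """AES MixColumns on one 4-byte column (FIPS-197 circulant matrix 2,3,1,1)."""
    a0, a1, a2, a3 = col
    return (
        MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
        a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
        a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
        MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3],
    )


def weight(bytes_) -> int:
    """Active (nonzero) bytes; each one is an active S-box in the next SubBytes."""
    return sum(1 for b in bytes_ if b)


def min_branch_weight(max_active: int) -> int:
    """Minimum of weight(in) + weight(MixColumns(in)) over all nonzero
    columns with at most max_active nonzero bytes, found exhaustively.
    The MDS property says the answer is 5 (the branch number)."""
    best = 8
    for k in range(1, max_active + 1):
        for pos in combinations(range(4), k):
            for vals in product(range(1, 256), repeat=k):
                col = [0, 0, 0, 0]
                for p, v in zip(pos, vals):
                    col[p] = v
                best = min(best, k + weight(mix_column(col)))
    return best


def shift_rows(state):
    """AES ShiftRows on a column-major 16-byte state (index = row + 4*col)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def two_round_active(diff):
    """Active S-boxes in rounds 1 and 2 for a difference `diff` at the output
    of round-1 SubBytes, together with N, the active columns entering
    MixColumns. Returns (count, N)."""
    after_sr = shift_rows(diff)
    cols = [after_sr[4 * c:4 * c + 4] for c in range(4)]
    n_active_cols = sum(1 for col in cols if any(col))
    round2 = [b for col in cols for b in mix_column(col)]
    return weight(diff) + weight(round2), n_active_cols


def lemma1_holds(trials: int, seed: int) -> bool:
    """Check count >= 5*N on random state differences of random sparsity."""
    rng = random.Random(seed)
    for _ in range(trials):
        diff = [0] * 16
        for p in rng.sample(range(16), rng.randint(1, 16)):
            diff[p] = rng.randint(1, 255)
        count, n = two_round_active(diff)
        if count < 5 * n:
            return False
    return True


def main() -> None:
    print("min active bytes in+out of MixColumns (<= 2 active inputs):", min_branch_weight(2))
    one_byte = [0x01] + [0] * 15   # constructed: a single active byte in round 1
    print("two-round (active S-boxes, N) for a single active byte:", two_round_active(one_byte))
    print("Lemma 1 on 1000 random differences:", lemma1_holds(1000, 7))


if __name__ == "__main__":
    main()
```

A single active byte already reaches the bound with equality (1 + 4 = 5, N = 1), which is the shape of the first two rounds of the 1-4-16-4 characteristic on slide 13.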

18. Improving the Differential Probability
• Let be the input state of round , and be the -th byte of . We introduce a function χ such that χ(x) = 1 if x ≠ 0 and χ(x) = 0 if x = 0.
• The objective function is to minimize:

  19. Improving the Differential Probability  Constraints from Property 1: where and

20. Improving the Differential Probability
• Additional constraints
  • Avoid the trivial solution
  • Constraint on the number of active leaked bytes: either an exact count or an upper bound (≤)

21. Improving the Differential Probability
• Use Maple to solve 11 MILP problems, with the number of active leaked bytes bounded at 2, 3, …, 8 and at 9, 10, 11, 12. The minimum number of effective active S-boxes is:
• At least 16 effective active S-boxes in a differential characteristic
• Four possible types, "2-3-12-8", "2-8-12-4", "2-8-12-3" and "4-6-9-6", can reach this lower bound.

22. Improving the Differential Probability
• The differential characteristic with the best probability is of the type "2-8-12-4".

23. Improving the Differential Probability
• Complexity of the attack
  • 16 effective active S-boxes, 15 with prob. 2^-6, 1 with prob. 2^-7. Hence the probability of the differential characteristic is 2^-97.
  • The probability that a random keystream block satisfies the requirement is 2^-56. If each key is restricted to protecting 2^48 message bits (2^41 message blocks), we need to observe 2^15 keys to launch the attack.

24. Reducing the Number of Known Plaintext Blocks
• Relaxing conditions on effective active S-boxes
  • Relax the prob. of some effective active S-boxes from 2^-6 to 2^-7 – more choices of differential characteristics
• Reducing the number of active leaked bytes in the first two rounds
  • Only the active leaked bytes in the first two rounds are required to satisfy the conditions
  • The differential characteristic "6-4-9-6" needs 2^8.4 blocks to find one vulnerable keystream block, and the success rate is 2^-102


26. Effect of Removing the Whitening Key Layer
• When the whitening key layer is removed, four additional bytes before the first S-box layer are known
• The objective function is changed to:
• The constraint on the number of active leaked bytes is changed to:

27. Effect of Removing the Whitening Key Layer
• The minimum number of effective active S-boxes is reduced to 15
• 12 cases of differential characteristics
  • For cases #1 to #4, with average prob. 2^-94.1, a class of 1020 differential characteristics can always be constructed
  • For cases #5 to #12, with average prob. 2^-93.1, two plaintext blocks are enough to launch a forgery attack


29. Experiments on a Reduced Version of ALE
• Attack a reduced ALE construction based on the AES-like lightweight block cipher LED [Guo, Peyrin '11]
• The settings:
  • Four ordered operations in the round function: SubCells, ShiftRows, MixColumns, AddRoundKeys
  • The LED S-box is used in SubCells, and random round keys are used instead of deriving them from the key schedule
  • Only two-block input messages are considered, without the initialization, padding and associated data
  • The initial state is randomly generated
