statistics in cryptanalysis
play

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical - PowerPoint PPT Presentation

May 07, 2023 •405 likes •1.52k views

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

  1. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H 18/35

  2. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H Hypothesis A hypothesis is then any assumption regarding the parameters θ 1 , θ 2 , . . . , θ k . 18/35

  3. Hypothesis Testing Hypothesis Testing A statistical hypothesis is in general refers to an assumption of any sort about the distribution function F ( x ) (say) of the population P . Assume that F ( x ) has a known functional form which involves a number of unknown parameters θ 1 , θ 2 , . . . , θ k . - Example: Normal distribution N ( µ, σ 2 ), where µ ∈ R and σ 2 ∈ R ≥ 0 are its parameters. Let ○ = ( θ 1 , θ 2 , . . . , θ k ). H Hypothesis A hypothesis is then any assumption regarding the parameters θ 1 , θ 2 , . . . , θ k . Example: H 0 : µ = 2 , σ 2 = 0 . 1. 18/35

  4. Hypothesis Testing Null vs. Alternate Hypothesis 19/35

  5. Hypothesis Testing Null vs. Alternate Hypothesis Null Hypothesis We shall very often make a hypothesis wishing it to be accepted by the test, such a hypothesis is called a null hypothesis . 19/35

  6. Hypothesis Testing Null vs. Alternate Hypothesis Null Hypothesis We shall very often make a hypothesis wishing it to be accepted by the test, such a hypothesis is called a null hypothesis . Alternate Hypothesis Sometimes, it so happens that we know for certain that either ○ ∈ ω 0 or ○ ∈ ω A , where ω 0 and ω A are two disjoint point sets H H in P k and it remains for us to decide between the two by means of a test. Now, we have priory reasons to be more inclined to believe in the first hypothesis, then we set up the null hypothesis ○ ∈ ω 0 to be tested against the alternative hypothesis H 0 : H H 1 : ○ ∈ ω A , hoping that the null hypothesis will be accepted by H the test and thereby confirm our belief. Then H 1 : ○ ∈ ω A is H called the alternate hypothesis . 19/35

  7. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . 20/35

  8. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis. 20/35

  9. Hypothesis Testing General Form Of A Test Let, ˜ x = ( x 1 , x 2 , . . . , x N ) be a sample of size N drawn from the population P . On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis. The mathematical formulation of this evidence is known as a test of the hypothesis H 0 . 20/35

  10. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . 21/35

  11. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . If the observed position of the sample point ˜ x ∈ W , then H 0 is x ∈ W c then, H 0 is accepted. rejected and if ˜ 21/35

  12. Hypothesis Testing General Form Of A Test (Cont.) A test of the hypothesis H 0 , in its general form, consists in choosing a region W in the sample space R n . If the observed position of the sample point ˜ x ∈ W , then H 0 is x ∈ W c then, H 0 is accepted. rejected and if ˜ W is called the rejection region or the critical region and W c is the acceptance region of the test. 21/35

  13. Hypothesis Testing Error Probabilities x ∈ W c ˜ x ∈ W ˜ H 0 True Type-I Error Accept H 1 True Reject Type-II Error Type-I Error Probability: Pr[ ˜ X ∈ W | H 0 holds] . Type-II Error Probability: X ∈ W c | H 1 holds] Pr[ ˜ 1 − Pr[ ˜ X ∈ W | H 1 holds] = = 1 − β ( W ) , 22/35

  14. Linear Cryptanalysis Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 22/35

  15. Linear Cryptanalysis Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 23/35

  16. Linear Cryptanalysis Substitution-Permutation Network (SPN) . . . . . . P 1 Plaintext P 16 Sub-key k (1) Mixing S 11 S 12 S 13 S 14 Round 1 Sub-key k (2) Mixing S 21 S 22 S 23 S 24 Round 2 Sub-key k (3) Mixing S 31 S 32 S 33 S 34 Round 3 Sub-key k (4) Mixing Round 4 S 41 S 42 S 43 S 44 Sub-key k (5) Mixing . . . . . . C 1 Ciphertext C 16 Figure : A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys’s Tutorial). 24/35

  17. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. 25/35

  18. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. 25/35

  19. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . 25/35

  20. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . 25/35

  21. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . 25/35

  22. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . K ( i ) = k (0) || k (1) || · · · || k ( i − 1) 25/35

  23. Linear Cryptanalysis Substitution-Permutation Network (SPN) (Cont.) Consider an ( r + 1)-round cipher. Round Keys are n -bits long. Round Keys: k (0) , k (1) , . . . Round Functions: R (0) k (0) , R (1) k (1) , . . . Each round function is a bijection of { 0 , 1 } n . K ( i ) = k (0) || k (1) || · · · || k ( i − 1) E (1) K (1) = R (0) k (0) ; E ( i ) K ( i ) = R ( i − 1) k ( i − 1) ◦ · · · ◦ R (0) k (0) = R ( i − 1) k ( i − 1) ◦ E ( i − 1) K ( i − 1) , i ≥ 1 . 25/35

  24. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. 26/35

  25. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . 26/35

  26. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . 26/35

  27. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . N plaintext-ciphertext pairs ( P 1 , C 1 ) , . . . , ( P N , C N ) sought, s.t., each C i = E K ( P i ). 26/35

  28. Linear Cryptanalysis Design Goals Compact and efficient in hardware and/or software. Secure. Attack Types: Linear Cryptanalysis Differential Cryptanalysis Distinguishing Attacks . . . Known Plaintext Attacks Cipher is instantiated with a secret key K . N plaintext-ciphertext pairs ( P 1 , C 1 ) , . . . , ( P N , C N ) sought, s.t., each C i = E K ( P i ). Goal: Obtain the secret key. 26/35

  29. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: 27/35

  30. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. 27/35

  31. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. 27/35

  32. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. Statistical analysis: 27/35

  33. Linear Cryptanalysis Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measurable deviation from “randomness”. Identify a target sub-key. Let the size of the target sub-key be m -bits. Statistical analysis: Obtain a tractable (closed form) relation between the following three quantities: - N: data complexity. - P S : (lower bound on the) success probability. - a : the (expected) number of false alarms is (at most) a fraction 2 − a of the number of all the 2 m possible choices of the target sub-key. 27/35

  34. Linear Cryptanalysis Linear Cryptanalysis n Γ P P k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  35. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Γ P P k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  36. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 k (1) Round 2 K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  37. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Γ K k ( r − 1) Round r Γ B B κ k ( r ) Round ( r + 1) m n C 28/35

  38. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Linear Approximation: Γ K L = z � p ; k ( r − 1) Round r if κ = κ ∗ Pr[ L = z ] = Γ B B κ if κ � = κ ∗ . 1 / 2; k ( r ) Round ( r + 1) m n C 28/35

  39. Linear Cryptanalysis Linear Cryptanalysis Proposed by Matsui in EU- ROCRYPT ’93. n Random Variable: Γ P P L = � Γ P , P � ⊕ � Γ B , B � k (0) Round 1 Inner key bit: k (1) Round 2 z = � Γ K , K ( r ) � K ( r ) = k (0) || k (1) || · · · || k ( r − 1) Linear Approximation: Γ K L = z � p ; k ( r − 1) Round r if κ = κ ∗ Pr[ L = z ] = Γ B B κ if κ � = κ ∗ . 1 / 2; k ( r ) Round ( r + 1) m n C Source of Randomness: P 1 , . . . , P N . 28/35

  40. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. 29/35

  41. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. 29/35

  42. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; 29/35

  43. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; Each L κ, j follows a Bernoulli distribution. 29/35

  44. Linear Cryptanalysis Linear Cryptanalysis (Cont.) P 1 , . . . , P N are assumed to be independent and uniformly dis- tributed. The key is unknown but fixed. Test Statistics: T κ = | W κ | , where W κ = ( L κ, 1 + · · · + L κ, N ) − 1 / 2; Each L κ, j follows a Bernoulli distribution. W κ follows a Binomial which can be approximated by a normal distribution. - κ incorrect: T κ approximately follows half normal. - κ correct: T κ approximately follows folded normal. 29/35

  45. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. 30/35

  46. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); 30/35

  47. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); B κ, 1 , . . . , B κ, N are determined by the choice of κ . 30/35

  48. Linear Cryptanalysis Key Recovery via Hypothesis Testing Data: ( P 1 , C 1 ) , . . . , ( P N , C N ), where P 1 , . . . , P N are independent and uniform random n -bit strings. C 1 , . . . , C N are determined by κ ∗ (the actual target sub-key); B κ, 1 , . . . , B κ, N are determined by the choice of κ . Test statistics: For a particular choice κ ∈ { 0 , 1 } m of the target sub-key, T κ ≡ | W κ | . where the mean and variances of W κ are given by - µ 0 = E [ W κ ∗ ] = Np and µ 1 = E [ W κ | H 1 ] = N / 2. - σ 2 0 = Var ( W κ ∗ ) = Np (1 − p ) and σ 2 1 = Var ( W κ | H 1 ) = N / 4. 30/35

  49. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . 31/35

  50. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . 31/35

  51. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . 31/35

  52. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . Data Complexity: N 31/35

  53. Linear Cryptanalysis Key Recovery via Hypothesis Testing Hypothesis Testing Set-Up: H 0 : κ is correct; versus H 1 : κ is incorrect. Decision Rule: Reject H 0 if T κ < t . Pr[Type-I error] = Pr[ T ≤ t | H 0 holds] ≤ α Pr[Type-II error] = Pr[ T > t | H 1 holds] ≤ β Pr[succ] = 1 − Pr[Type-I error] ≥ 1 − α = P S . Requirement: Obtain the distributions of T κ under H 0 and H 1 . Data Complexity: N Goal: Express N in terms “ a ” and P S . 31/35

  54. Linear Cryptanalysis Key Recovery via Hypothesis Testing Relating to the advantage: Each Type-II error causes a false positive. There are a total of 2 m hypothesis tests of which 2 m − 1 are with incorrect κ . So, the expected number of false positives is β (2 m − 1) ≈ β 2 m . Advantage a implies that the size of false alarm list is 2 m − a . Equating to β 2 m gives β = 2 − a . 32/35

  55. Linear Cryptanalysis Type-I Error Probability Assume µ 0 > µ 1 . 33/35

  56. Linear Cryptanalysis Type-I Error Probability Assume µ 0 > µ 1 . The other case can be handled similarly. 33/35

Recommend

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev

Separable Statistics and Multidimensional Linear Cryptanalysis Stian Fauskanger Igor Semaev FFI, Norway Univ. of Bergen, Norway 28 March 2019, FSE, Paris Briefly Matsuis Linear Cryptanalysis is based on the distribution of x 1 . .

331 views • 30 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides
Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2

Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2

Separable Statistics and Multivariate Linear Cryptanalysis Stian Fauskanger 1 Igor Semaev 2 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway Department of Informatics, University of Bergen, Bergen, Norway Boolean

377 views • 16 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX &amp; Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale

Bilinear Cryptanalysis of Multivariate Schemes Pierre-Alain FOUQUE Crypto Team cole normale suprieure Joint work with Dubois, Stern, Shamir, Macario-Rat Summary Matsumoto-Imai (MI) cryptosystem Cryptanalysis of MI by Patarin

388 views • 21 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto

Distribution Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University School of Science kaisa.nyberg@aalto.fi June 11, 2013 Introduction Piling-Up Lemma Multidimensional Linear Cryptanalysis SSA Link

962 views • 48 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides

More recommend