
Two ways of building round functions for block ciphers Joan Daemen - PowerPoint PPT Presentation

Two ways of building round functions for block ciphers. Joan Daemen, Radboud University. Šibenik summer school 2016. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor


  1. Two ways of building round functions for block ciphers Joan Daemen Radboud University Šibenik summer school 2016 1 / 44

  2. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor; 4 Wide trail strategy: weakly-aligned flavor; 5 Conclusions. 2 / 44

  3. Block ciphers and statistical attacks. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor; 4 Wide trail strategy: weakly-aligned flavor; 5 Conclusions. 3 / 44

  4. Block ciphers and statistical attacks Product cipher [Claude Shannon, 1949] and SPN 4 / 44


  9. Block ciphers and statistical attacks Iterated block ciphers [DES and later] 5 / 44

  10. Block ciphers and statistical attacks: Statistical attacks. Exploits: distinguisher $\Omega$ over $r - 1$ rounds. Two phases: online: get many $(C_i, P_i)$; offline: guess $k_a$. Wrong guess destroys $\Omega$. DC: requires $1/\mathrm{DP}$ couples. LC: requires $1/C^2$ couples. Basic attacks. Many variants … [Figure: key K, key schedule, and data path of rounds from P to C.] 6 / 44

  11. Block ciphers and statistical attacks: Statistical attacks. Exploits: distinguisher $\Omega$ over $r - 1$ rounds. Two phases: online: get many $(C_i, P_i)$; offline: guess $k_a$. Wrong guess destroys $\Omega$. DC: requires $1/\mathrm{DP}$ couples. LC: requires $1/C^2$ couples. Basic attacks. Many variants … [Figure: distinguisher from P to a, then $k_a$ between a and C.] 6 / 44

  12. Block ciphers and statistical attacks: Statistical attacks. Exploits: distinguisher $\Omega$ over $r - 1$ rounds. Two phases: online: get many $(C_i, P_i)$; offline: guess $k_a$. Wrong guess destroys $\Omega$. DC: requires $1/\mathrm{DP}$ couples. LC: requires $1/C^2$ couples. Basic attacks. Many variants … [Figure: difference $\Delta p$ at P, $\mathrm{DP}(\Delta p, \Delta a)$, difference $\Delta a$ at a, then $k_a$ between a and C.] 6 / 44

  13. Block ciphers and statistical attacks: Statistical attacks. Exploits: distinguisher $\Omega$ over $r - 1$ rounds. Two phases: online: get many $(C_i, P_i)$; offline: guess $k_a$. Wrong guess destroys $\Omega$. DC: requires $1/\mathrm{DP}$ couples. LC: requires $1/C^2$ couples. Basic attacks. Many variants … [Figure: mask $u_p$ at P, $C^2(u_p, u_a)$, mask $u_a$ at a, then $k_a$ between a and C.] 6 / 44

  14. Block ciphers and statistical attacks: Distinguisher: difference propagation. Differential trail: $\mathrm{DP}(Q) \approx \prod_i \mathrm{DP}(\mathrm{Sbox}_i)$ and $w(Q) = \sum_i w(\mathrm{Sbox}_i)$. Differential: $\mathrm{DP}(\Delta p, \Delta a) = \sum_{\Delta p \to Q \to \Delta a} \mathrm{DP}(Q)$. 7 / 44


  16. Correlation basics. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor; 4 Wide trail strategy: weakly-aligned flavor; 5 Conclusions. 8 / 44

  17. Correlation basics: Boolean function. Mapping from $\mathrm{GF}(2^n)$ to $\mathrm{GF}(2)$. Input is a vector $x = (x_1, x_2, \ldots, x_n)$. Algebraic expression: $y = x_1 x_2 + x_1 x_3 x_4 + x_2 x_4 + 1$. Truth table: $2^n$-bit array or vector. [Truth table with columns $x_4$, $x_3$, $x_2$, $x_1$, $y$.] 9 / 44

  18. Correlation basics: Correlation between two Boolean functions. $C(f, g) = 2\Pr(f(x) = g(x)) - 1$. Real-valued counterpart of a Boolean function: $\hat{f}(x) = (-1)^{f(x)}$. We define an inner product: $\langle \hat{f}, \hat{g} \rangle = \sum_x \hat{f}(x)\,\hat{g}(x)$ …and norm $\|\hat{f}\| = \sqrt{\langle \hat{f}, \hat{f} \rangle}$. The correlation now becomes $C(f, g) = \dfrac{\langle \hat{f}, \hat{g} \rangle}{\|\hat{f}\| \cdot \|\hat{g}\|}$. 10 / 44

  19. Correlation basics: Correlation between Boolean functions geometrically. Vector space: $\mathbb{R}^{2^n}$. $C(f, g) = \cos\alpha$. [Figure: vectors $\hat{f}$ and $\hat{g}$ separated by angle $\alpha$.] 11 / 44

  20. Correlation basics: Linear functions and selection vectors. Linear Boolean function with mask $w$: $w^T x$. If $u \neq v$: $\langle (-1)^{u^T x}, (-1)^{v^T x} \rangle = 0$. Linear functions form an orthogonal basis of $\mathbb{R}^{2^n}$. [Figure: example bit vector $x$, mask $w$, and the resulting sum $w^T x$.] 12 / 44

  21. Correlation basics: Spectrum of a Boolean function. We can represent $\hat{f}(x)$ with respect to the basis of linear functions: $\hat{f}(x) = \sum_w F(w)\,(-1)^{w^T x}$ with coordinates given by: $F(w) = 2^{-n} \sum_x \hat{f}(x)\,(-1)^{w^T x}$. So simply: $F(w) = C(f(x), w^T x)$. This is called the Walsh-Hadamard transform $F(w) = \mathcal{W}(f(x))$. Orthogonal transformation in $\mathbb{R}^{2^n}$. Consequence: Parseval's Theorem $\sum_w F(w)^2 = 1$. 13 / 44

  22. Correlation basics: Adding Boolean functions in GF(2). Let $h(x) = f(x) + g(x)$. From $\hat{h}(x) = \hat{f}(x)\,\hat{g}(x)$ follows $H(w) = \sum_v F(v + w)\,G(v)$. Spectrum of sum equals convolution of spectra. Special cases: Constant function: $g(x) = 1$: $H(w) = -F(w)$. Linear function: $g(x) = u^T x$: $H(w) = F(w + u)$. Disjunct functions $f$ and $g$: $H(v + w) = F(v)\,G(w)$. 14 / 44

  23. Correlation basics: Multiplying Boolean functions in GF(2). Let $h(x) = f(x)\,g(x)$. Then: $\hat{h}(x) = \frac{1}{2}\left(1 + \hat{f}(x) + \hat{g}(x) - \hat{f}(x)\,\hat{g}(x)\right)$. From this it follows $\mathcal{W}(fg) = \frac{1}{2}\left(\delta(w) + \mathcal{W}(f) + \mathcal{W}(g) - \mathcal{W}(f + g)\right)$ with $\delta(w) = 1$ iff $w = 0$. 15 / 44

  24. Correlation basics: Correlation matrices [Daemen 1994]. $m$-bit vector Boolean function: $h(x) = (h_1(x), h_2(x), \ldots, h_m(x))$. Correlation matrix $C^{(h)}$: $2^m$ rows and $2^n$ columns; element at row $u$, column $v$: $C(u^T h(x), v^T x)$. Homomorphism: $x \to y = h(x)$ corresponds under $\mathcal{L}$ to $X \to Y = C^{(h)} X$, with $X_u = (-1)^{x^T u}$. If $h$ is permutation: $C^{(h^{-1})} = (C^{(h)})^{-1} = (C^{(h)})^T$. 16 / 44

  25. Correlation basics: Correlation matrices of special functions. Adding a constant: $f(x) = x + k$: $C_{u,u} = (-1)^{u^T k}$ and $C_{u, v \neq u} = 0$. Linear function: $f(x) = Mx$: $C_{u,w} = 1$ iff $M^T u = w$ and 0 otherwise. Parallel composition: $b = (b_1, b_2, \ldots) = (h_1(a_1), h_2(a_2), \ldots) = h(a)$: $C^{(h)}_{u,w} = \prod_i C^{(h_i)}_{u_{(i)}, w_{(i)}}$. If $w_i = 0$ then $C^{(h_i)}_{u_{(i)}, w_{(i)}} = 1$. $C^{(h)}_{u,w}$ is product of correlation over active S-boxes. 17 / 44

  26. Correlation basics: Correlation matrices: serial composition. $a \to f(a) \to g(f(a))$ corresponds under $\mathcal{L}$ to $A \to C^{(f)} A \to C^{(g)} C^{(f)} A$. $C^{(g \circ f)}_{(u,v)} = \sum_w C^{(g)}_{(u,w)}\, C^{(f)}_{(w,v)}$. 18 / 44

  27. Correlation basics: Linear trails and correlation. Linear trail: $C_p(Q) = \prod_i C(\mathrm{Sbox}_i)$. Correlation: $C(u^T \beta(a), w^T a) = \sum_{w \to Q \to u} C_p(Q)$. 19 / 44

  28. Wide trail strategy: strongly-aligned flavor. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor; 4 Wide trail strategy: weakly-aligned flavor; 5 Conclusions. 20 / 44

  29. Wide trail strategy: strongly-aligned flavor Replacing the permutation in SPN by a mixing layer 21 / 44


  31. Wide trail strategy: strongly-aligned flavor. Mixing layer criterion: Branch number $B$. 22 / 44


  34. Wide trail strategy: strongly-aligned flavor Mixing layer and error-correcting codes 23 / 44


  36. Wide trail strategy: strongly-aligned flavor. $B$ active S-boxes in each sequence of 2 rounds. 24 / 44

  37. Wide trail strategy: strongly-aligned flavor. Recursion: four-round theorem. $B_1 \times B_2$ active S-boxes per 4 rounds. 25 / 44


  41. Wide trail strategy: strongly-aligned flavor. Rijndael [Daemen, Rijmen 1998]. Trails: 25 active S-boxes per 4 rounds. Clustering of trails but not alarming. Costly S-box and mixing. Byte-alignment leads to structural properties. 26 / 44

  42. Wide trail strategy: weakly-aligned flavor. Outline: 1 Block ciphers and statistical attacks; 2 Correlation basics; 3 Wide trail strategy: strongly-aligned flavor; 4 Wide trail strategy: weakly-aligned flavor; 5 Conclusions. 27 / 44
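
The correlation-matrix identities from slides 21 and 24 to 27, checked numerically in an added example that is not part of the original slides. It computes the spectrum of the slide 17 function, then verifies on a two-round toy map (S-box, key addition, S-box) that the measured correlation equals the sum over linear trails. `SBOX`, the key values, the function names and the choice of $x_1$ as the low bit are assumptions made here.

```python
from fractions import Fraction

def parity(v):
    return bin(v).count("1") & 1

def correlation_matrix(h, n, m):
    """C[u][v] = C(u^T h(x), v^T x): 2^m rows, 2^n columns (slide 24)."""
    size = 1 << n
    return [[Fraction(sum((-1) ** (parity(u & h(x)) ^ parity(v & x))
                          for x in range(size)), size)
             for v in range(size)] for u in range(1 << m)]

def slide17(x):
    """y = x1x2 + x1x3x4 + x2x4 + 1; taking x1 as the low bit is an assumption."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2) ^ (x1 & x3 & x4) ^ (x2 & x4) ^ 1

def spectrum(f, n):
    """F(w) = C(f(x), w^T x): row u = 1 of the 2 x 2^n correlation matrix."""
    return correlation_matrix(f, n, 1)[1]

# Constructed sample 4-bit permutation standing in for an S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV = [SBOX.index(y) for y in range(16)]
C_S = correlation_matrix(lambda x: SBOX[x], 4, 4)

def trail_sum(u, v, key):
    """Sum over intermediate masks q of the trails v -> q -> u through
    S, key addition, S: C_S[u][q] * (-1)^(q^T key) * C_S[q][v]."""
    return sum(C_S[u][q] * (-1) ** parity(q & key) * C_S[q][v]
               for q in range(16))

def checks(key=0b1010):
    c_inv = correlation_matrix(lambda y: INV[y], 4, 4)
    # Correlation measured directly on the composed map a -> S[S[a] ^ key].
    c_two = correlation_matrix(lambda a: SBOX[SBOX[a] ^ key], 4, 4)
    return {
        "parseval": sum(c * c for c in spectrum(slide17, 4)),
        "inverse_is_transpose": c_inv == [list(r) for r in zip(*C_S)],
        "trails_match": all(trail_sum(u, v, key) == c_two[u][v]
                            for u in range(16) for v in range(16)),
    }

if __name__ == "__main__":
    print(checks())
```

The key only changes the sign of each trail's contribution, so trails between the same pair of masks can reinforce or cancel depending on the key.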
