Introduction on Block cipher | Yoyo Game | Application on AES | Conclusion

Yoyo Game with AES
Navid Ghaedi Bardeh
University of Bergen
May 8, 2018

Outline
1 Introduction on Block cipher
2 Yoyo Game
3 Application on AES
4 Conclusion

Classical Model of Symmetric Cryptography
Alice and Bob exchange the secret key through a secure channel.

Block Cipher
A block of plaintext $p$ is encrypted to a block of ciphertext $c$ under the action of the key $k$:
$E : \{0,1\}^n \times \{0,1\}^\kappa \to \{0,1\}^n$, $(p, k) \mapsto E(p, k) = c$
[Figure: the cipher $E$ takes the plaintext $p$ and the key $k$ and outputs the ciphertext $c$.]

Block Cipher (cont.)
Each key induces a permutation between the plaintexts and the ciphertexts.
[Figure: two mappings from the plaintexts $P_1, \dots, P_{2^n}$ to the ciphertexts $C_1, \dots, C_{2^n}$, one under key $K_1$ and one under key $K_2$.]

Iterated Block Cipher
Iterate a round function $f$ several times.
[Figure: the key schedule derives the round keys $k_1, k_2, \dots, k_r$ from the master key; the plaintext $p$ passes through the round function $F$ once per round key to give the ciphertext $c$.]

Round Function
How to build the round function? Two typical approaches:
- Feistel Network
- Substitution Permutation Network (SPN)

Substitution Permutation Network (SPN)
[Figure: Plaintext, round key $k_0$, then repeated layers of Substitution, Permutation and round key $k_1, k_2, \dots, k_r$, Ciphertext.]

Cryptanalysis of block ciphers
- In symmetric key cryptography, security proofs are partial and insufficient.
- An algorithm is secure as long as there is no attack against it.
- Make it secure against all known attacks.
- The more an algorithm is analysed without being broken, the more reliable it is.
What is a broken cipher?
- If a block cipher encrypts messages with a $k$-bit key, no attack with time complexity less than $2^k$ should be known.
- Otherwise, the cipher is considered broken (even if the complexity of the attack is not practical).

Distinguisher Attack
One of the weakest cryptographic attacks.
There are two oracles: one simulates the block cipher for which the cryptographic key has been chosen at random; the other simulates a truly random permutation.
Goal: distinguish the two oracles, i.e. decide which oracle is the cipher.

Yoyo Game: Introduction
The Yoyo game was introduced by Biham et al. against Skipjack (a Feistel block cipher).
Yoyo Game: Suppose a plaintext pair has (or does not have) a specific property. It is possible to generate other plaintext pairs that have (or do not have) the same property by exchanging a specific word of their ciphertexts and decrypting the new ciphertext pair.
Open problem: how to do this for SPN ciphers, and in particular for AES.

Generic SPN block cipher
Let $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1}) \in \mathbb{F}_q^n$ denote the state of a block cipher.
Let $q = 2^k$ and let $s(x)$ be a $k \times k$ permutation S-box.
The S-box layer working on a state is defined by $S(\alpha) = (s(\alpha_0), s(\alpha_1), \dots, s(\alpha_{n-1}))$.
Let $L$ be a linear layer in the block cipher.
We consider SPNs of the form (two rounds): $S \circ L \circ S$

The yoyo operation
Definition. For a vector $c \in \mathbb{F}_2^n$ and a pair of states $\alpha, \beta \in \mathbb{F}_q^n$ define a new state $\rho^c(\alpha, \beta)$ by
$\rho^c(\alpha, \beta)_i = \begin{cases} \alpha_i & \text{if } c_i = 1, \\ \beta_i & \text{if } c_i = 0. \end{cases}$
Example. Let $c = (0110)$, $\alpha = (\alpha_0, \alpha_1, \alpha_2, \alpha_3)$ and $\beta = (\beta_0, \beta_1, \beta_2, \beta_3)$. Then
$\alpha' = \rho^{(0110)}(\alpha, \beta) = (\beta_0, \alpha_1, \alpha_2, \beta_3)$
and
$\beta' = \rho^{(0110)}(\beta, \alpha) = (\alpha_0, \beta_1, \beta_2, \alpha_3)$
Call $(\alpha', \beta') = (\rho^c(\alpha, \beta), \rho^c(\beta, \alpha))$ a yoyo pair.

Properties of the yoyo operation
Lemma. Let $\alpha' = \rho^c(\alpha, \beta)$ and $\beta' = \rho^c(\beta, \alpha)$.
a) $\alpha' \oplus \beta' = \alpha \oplus \beta$
b) $S(\alpha') \oplus S(\beta') = S(\alpha) \oplus S(\beta)$
c) $L(S(\alpha')) \oplus L(S(\beta')) = L(S(\alpha)) \oplus L(S(\beta))$
Proof.
a) $\rho^c(\alpha, \beta)_i \oplus \rho^c(\beta, \alpha)_i = \begin{cases} \alpha_i \oplus \beta_i & \text{if } c_i = 1, \\ \beta_i \oplus \alpha_i & \text{if } c_i = 0. \end{cases}$
b) $s(\rho^c(\alpha, \beta)_i) \oplus s(\rho^c(\beta, \alpha)_i) = \begin{cases} s(\alpha_i) \oplus s(\beta_i) & \text{if } c_i = 1, \\ s(\beta_i) \oplus s(\alpha_i) & \text{if } c_i = 0. \end{cases}$
c) The result follows from the linearity of $L$.

The zero difference pattern
Definition (Zero difference pattern). Let $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1}) \in \mathbb{F}_q^n$. Define $\nu(\alpha) = (z_0, z_1, \dots, z_{n-1}) \in \mathbb{F}_2^n$ where
$z_i = \begin{cases} 1 & \text{if } \alpha_i \text{ is zero}, \\ 0 & \text{otherwise}. \end{cases}$
Example. Let $\alpha = (\alpha_0, \alpha_1, 0, \alpha_3)$. Then $\nu(\alpha) = (0, 0, 1, 0)$.
Lemma. Let $\alpha' = \rho^c(\alpha, \beta)$ and $\beta' = \rho^c(\beta, \alpha)$.
a) $\nu(\alpha \oplus \beta) = \nu(S(\alpha) \oplus S(\beta))$

Typical use of yoyo operation
[Figure: the pair $(p_0, p_1)$ is mapped through $S$, $L$, $S$ to $(c_0, c_1)$; the adaptive step $\rho^c$ turns $(c_0, c_1)$ into $(c_0', c_1')$, which is mapped back through $S^{-1}$, $L^{-1}$, $S^{-1}$ to $(p_0', p_1')$. The differences $p_0 \oplus p_1$ and $p_0' \oplus p_1'$ are related by $\nu$; $S(p_0) \oplus S(p_1) = L^{-1}(S^{-1}(c_0')) \oplus L^{-1}(S^{-1}(c_1'))$ and $L(S(p_0)) \oplus L(S(p_1)) = S^{-1}(c_0') \oplus S^{-1}(c_1')$.]
a) Pick two plaintexts $p_0$ and $p_1$ with a zero difference pattern $\nu(p_0 \oplus p_1)$.
b) Encrypt $p_0$ and $p_1$ to $c_0$ and $c_1$.
c) Make two new ciphertexts $c_0' = \rho^c(c_0, c_1)$ and $c_1' = \rho^c(c_1, c_0)$.
d) Decrypt $c_0'$ and $c_1'$ to $p_0'$ and $p_1'$.
e) $\nu(p_0 \oplus p_1) = \nu(p_0' \oplus p_1')$

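Steps a) to e) and the lemma behind them, as an added example that is not part of the original slides: a toy $S \circ L \circ S$ cipher is played against a random permutation, the two oracles of the distinguisher setting. The 4-bit words, the XOR-based linear layer, the seeds and all function names are assumptions chosen for illustration.

```python
import random

N, Q = 4, 16  # assumed toy sizes: state of 4 words, each word 4 bits

def make_spn(seed):
    """(enc, dec) for S∘L∘S with one secret random S-box (toy cipher)."""
    rng = random.Random(seed)
    s = rng.sample(range(Q), Q)                      # random permutation s-box
    s_inv = sorted(range(Q), key=s.__getitem__)      # argsort inverts a permutation
    def S(x, box): return tuple(box[w] for w in x)
    def L(x):  # word i becomes the XOR of the other words; L is its own inverse
        t = x[0] ^ x[1] ^ x[2] ^ x[3]
        return tuple(t ^ w for w in x)
    return (lambda p: S(L(S(p, s)), s)), (lambda c: S(L(S(c, s_inv)), s_inv))

def make_random_perm(seed):
    """(enc, dec) for a random permutation of the 16-bit block (the other oracle)."""
    rng = random.Random(seed)
    table = rng.sample(range(Q ** N), Q ** N)
    inv = sorted(range(Q ** N), key=table.__getitem__)
    def unpack(v): return tuple((v >> (4 * i)) & 15 for i in range(N))
    def pack(x): return sum(w << (4 * i) for i, w in enumerate(x))
    return (lambda p: unpack(table[pack(p)])), (lambda c: unpack(inv[pack(c)]))

def rho(c, a, b):  # yoyo operation: word i from a if c_i = 1, else from b
    return tuple(ai if ci else bi for ci, ai, bi in zip(c, a, b))

def nu(x): return tuple(int(w == 0) for w in x)      # zero difference pattern
def xor(a, b): return tuple(u ^ v for u, v in zip(a, b))

def yoyo_preserves(enc, dec, p0, p1, c=(0, 1, 1, 0)):
    """Steps a)-e). None when the swap only reproduces {c0, c1}."""
    c0, c1 = enc(p0), enc(p1)
    d0, d1 = rho(c, c0, c1), rho(c, c1, c0)
    if {d0, d1} == {c0, c1}:
        return None  # degenerate: decrypting would just return the original pair
    return nu(xor(dec(d0), dec(d1))) == nu(xor(p0, p1))

def hit_rate(enc, dec, trials=300, seed=1):
    """Count non-degenerate trials whose returned pair keeps nu(p0 ^ p1)."""
    rng, hits, total = random.Random(seed), 0, 0
    for _ in range(trials):
        p0 = tuple(rng.randrange(Q) for _ in range(N))
        p1 = (p0[0] ^ rng.randrange(1, Q),) + p0[1:]  # differ in word 0 only
        r = yoyo_preserves(enc, dec, p0, p1)
        if r is not None:
            hits, total = hits + r, total + 1
    return hits, total
```

For the toy cipher every returned pair keeps the pattern, so `hit_rate(*make_spn(2018))` gives `(300, 300)`; for the random permutation a returned pair keeps it only by chance. The degenerate-swap check matters for the comparison: without it, a swap that reproduces the original ciphertext pair would count as a hit for any permutation.
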
Advanced Encryption Standard (AES)
- Byte-oriented Substitution-Permutation Network.
- Block size of 128 bits; key size of 128, 192 or 256 bits.
- The number of rounds depends on the key size: 10, 12, 14 rounds respectively.
- The 128-bit block is seen as a $4 \times 4$ matrix of bytes.

A round of AES
Each round is a composition of four byte-oriented transformations:
- SubBytes
- ShiftRows
- MixColumns
- AddRoundKey

SubBytes
$y_i = s(x_i)$
[Figure: the SubBytes (SB) step.]

ShiftRows
[Figure: the ShiftRows (SR) step.]

MixColumns
$C \leftarrow M \times C$
$M = \begin{pmatrix} x & x+1 & 1 & 1 \\ 1 & x & x+1 & 1 \\ 1 & 1 & x & x+1 \\ x+1 & 1 & 1 & x \end{pmatrix}$
[Figure: the MixColumns (MC) step.]

AddRoundKey
[Figure: the AddRoundKey step.]

Super-box representation of 2 rounds of AES
$R^2 = AK \circ MC \circ SR \circ SB \circ AK \circ MC \circ SR \circ SB$.
Rewrite the operations: $R^2 = AK \circ MC \circ SR \circ (SB \circ AK \circ MC \circ SB) \circ SR$.
Then: Super-box $= SB \circ AK \circ MC \circ SB$
[Figure: Super-box of AES. A layer of SB, a layer of MC, a layer of SB.]

Four Rounds of AES
[Figure: $S \circ L \circ S$ in AES. Alternating layers of SB and MC: SB, MC, SB, MC, SB, MC, SB.]

Four Round AES Yoyo Distinguisher
Theorem. Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair.
1. Select $p_0$ and $p_1$ that differ in only one word.
2. Ask for the encryptions $c_0$ and $c_1$ of $p_0$ and $p_1$.
3. Construct $c_3 = \rho^c(c_0, c_1)$, $c_4 = \rho^c(c_1, c_0)$.
[Figure: $p_0 \oplus p_1$ passes through $S$, $L$, $S$ to $c_0 \oplus c_1$; applying $\rho^c(c_i, c_{i+1 \pmod 2})$ gives $c_3 \oplus c_4$.]