a framework for automated biclique cryptanalysis of block
play

A Framework for Automated Biclique Cryptanalysis of Block Ciphers - PowerPoint PPT Presentation

Nov 29, 2023 •318 likes •633 views

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

  1. Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit¨ at Weimar FSE 2013, Singapore 13.03.2013 F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 1 / 20

  2. Motivation Biclique Cryptanalysis Our Framework Results Biclique Cryptanalysis Biclique = complete bipartite graph, connecting each in a set of starting states S with each in a set of ending states C over a sub-cipher Introduced by Khovratovich, Rechberger, and Savelieva [KRS11] as formalization of initial structures in splice-and-cut MitM attacks First used for preimage attacks on round-reduced SHA-2, Skein and their compression functions Adapted for key-recovery attacks on the AES by Bogdanov, Khovratovich and Rechberger [BKR11] F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 2 / 20

  3. Motivation Biclique Cryptanalysis Our Framework Results Biclique Cryptanalysis Many more key-recovery attacks followed since then on SQUARE by Mala [Mal11] on ARIA-256 by Chen and Xue [CX12] on Piccolo by Wang et al. [WWY12] on IDEA by Khovratovich, Leurent, and Rechberger [KLR12] HIGHT [HKK11], TWINE by C ¸oban et al. [cKOB12], L-Block by Wang et al. [WWYZ12], PRESENT and LED by Jeong et al. [JKL + 12], KLEIN-64 by Ahmadian et al. [ASA13] Several approaches and improvements Independent and long bicliques [KRS11, BKR11], probabilistic bicliques [KLR12], bicliques for permutations [Kho12] F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 3 / 20

  4. Motivation Biclique Cryptanalysis Our Framework Results Motivation Initial aim to completely understand the attacks by Bogdanov et al. Small framework to help the cryptanalyst to find independent bicliques of maximal length Consider independent bicliques: generic, independency of differentials = formalized criterion to test F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 4 / 20

  5. Motivation Biclique Cryptanalysis Our Framework Results Agenda 1 Motivation 2 Biclique Cryptanalysis 3 Our Framework 4 Results F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 5 / 20

  6. Motivation Biclique Cryptanalysis Our Framework Results Biclique Cryptanalysis – Brief Recall F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 6 / 20

  7. Motivation Biclique Cryptanalysis Our Framework Results Given a primitive E , define splitting as in splice-and-cut attack, e.g., E = B ◦ E 2 ◦ E 1 Construct biclique around starting state, here over B F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  8. Motivation Biclique Cryptanalysis Our Framework Results Choose a base computation { S 0 , K [ 0 , 0 ] , C 0 } : K [ 0 , 0 ] − − − → S 0 C 0 B F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  9. Motivation Biclique Cryptanalysis Our Framework Results Find 2 d good (forward) ∆ i -differentials, and compute 2 d times: K [ 0 , 0 ] ⊕ ∆ K K [ i , 0 ] i S 0 − − − → C i ≡ S 0 − − − − − − − → C 0 ⊕ ∆ i B B F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  10. Motivation Biclique Cryptanalysis Our Framework Results Find 2 d good (backward) ∇ j -differentials, and compute 2 d times: K [ 0 , 0 ] ⊕∇ K K [ 0 , j ] j S j ← − − − C 0 ≡ S 0 ⊕ ∇ j ← − − − − − − − C 0 B B F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  11. Motivation Biclique Cryptanalysis Our Framework Results If the trails are independent (do not share active non-linear operations), it applies ∀ i , j ∈ { 0 , . . . , 2 d − 1 } : K [ 0 , 0 ] ⊕ ∆ K i ⊕∇ K K [ i , j ] j S j − − − → C i ≡ S 0 ⊕ ∇ j − − − − − − − − − − → C 0 ⊕ ∆ i B B F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  12. Motivation Biclique Cryptanalysis Our Framework Results Test 2 2 d keys with only 2 · 2 d computations in the biclique F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  13. Motivation Biclique Cryptanalysis Our Framework Results For 2 d ciphertexts C i , request the corresponding plaintexts P i from an oracle F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  14. Motivation Biclique Cryptanalysis Our Framework Results Compute and store 2 d values v i , 0 in forward direction Compute and store 2 d values v 0 , j in backward direction − → ← − K [ i , 0 ] K [ 0 , j ] ∀ i : − − − → and ∀ j : ← − − − P i v i , 0 v 0 , j S j . E − 1 E 1 2 F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  15. Motivation Biclique Cryptanalysis Our Framework Results For remaining 2 2 d − 2 · 2 d key candidates K [ i , j ] , only recompute the parts, where the trails with K [ i , j ] differ from those with K [ i , 0 ] or K [ 0 , j ] K [ i , j ] − → ← − K [ i , j ] ∀ i , j � = 0 : − − − → and ← − − − P i v i , j v i , j S j . E − 1 E 1 2 F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 7 / 20

  16. Motivation Biclique Cryptanalysis Our Framework Results Relevance Low computational advantage if using exhaustive matching-with-precomputations, usually factor of 2-16 “Bruteforce-like cryptanalysis is not able to conclude that a particular target has a cryptanalytic weakness” (Jia, Rechberger, and Wang [JRW11]) More general, to derive a lower computational bound for individiual ciphers F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 8 / 20

  17. Motivation Biclique Cryptanalysis Our Framework Results Our Framework F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 9 / 20

  18. Motivation Biclique Cryptanalysis Our Framework Results Structure <<system>> Framework for Independent-Biclique Cryptanalysis <<component>> Common Components Biclique Search <<interface>> <<class>> <<class>> <<class>> RoundBased- Differential- BicliqueFinder- BicliqueFinder SymmetricCipher Builder Context <<interface>> <<class>> <<class>> Differential- DeltaThread NablaThread Comparator <<component>> <<component>> Matching Rendering <<class>> <<class>> <<class>> <<class>> MatchingDiffe- MatchingPhase- MatchingContext BicliqueRenderer rentialBuilder Renderer <<class>> <<interface>> <<interface>> Complexity- Differential- StateRenderer Calculator Renderer F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 10 / 20

  19. Motivation Biclique Cryptanalysis Our Framework Results Biclique Search Forward differential Backward differential Combined S j S 0 S 0 Round 8 Round 8 Round 8 $8 $8 $8 Round 9 Round 9 Round 9 $9 $9 $9 Round 10 Round 10 Round 10 $10 $10 $10 C C C i i 0 Finding a pair of differentials (∆ i , ∇ j ) , which share no active components in non-linear operations F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 11 / 20

  20. Motivation Biclique Cryptanalysis Our Framework Results Biclique Search (cont’d) Number of possible differentials Example: for a key size k = 128 bits and a biclique dimension d = 8, one could test � � � � k k ! 128 ≈ 1 . 43 · 10 12 = d !( k − d )! = 8 d Reduce time and memory complexity by considering nibble- or byte-wise operating primitives Nibble-wise primitives: � ⌈ k / 4 ⌉ = � 32 � � = 496 ⌈ d / 4 ⌉ 2 Byte-wise primitives: � ⌈ k / 8 ⌉ = � 16 � � = 16 ⌈ d / 8 ⌉ 1 F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 12 / 20

  21. Motivation Biclique Cryptanalysis Our Framework Results How to Insert Key Differences ∆ i K C i ∆ i S j ∆ j K ∆ j Affect as little parts of the state as possible ⇒ inject sub-key differences with least possible hamming weight at the beginning of ∆ - and at the end of ∇ -differentials If | k | > n , regard k consecutive sub-key bits as starting key difference F. Abed, C. Forler, E. List, S. Lucks, J. Wenzel Bauhaus-Universit¨ at Weimar Automated Biclique Cryptanalysis 13 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I &amp; II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Introduction Equations Solvers Advanced Techniques Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases Martin R. Albrecht Team SALSA, UPMC, Paris 6, . . . June 2nd, 2011 @ ECrypt 2 PhD Summer school,

1.09k views • 46 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics Intro Attack on iterated ciphers Differential cryptanalysis

1.27k views • 77 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
By Paul Lamey 1. Unnecessary Divisions Interfere with the Focus of Discipleship (vv. 38 41) 1.

By Paul Lamey 1. Unnecessary Divisions Interfere with the Focus of Discipleship (vv. 38 41) 1.

Mark 9:38 50 By Paul Lamey 1. Unnecessary Divisions Interfere with the Focus of Discipleship (vv. 38 41) 1. Unnecessary Divisions Interfere with the Focus of Discipleship (vv. 38 41) 2. Unmortified Temptations Interfere with the Purity

603 views • 5 slides
Devsigners Chimeras of the Web Wait, you know how to do that? Probably works as a

Devsigners Chimeras of the Web Wait, you know how to do that? Probably works as a

Devsigners and Unicorns Work, satisfaction, burnout and hero culture Chris Strahl, CEO, Basalt Digital agency focused on front-end development and design systems Chris Strahl CEO @chrisstrahl (pretty much everywhere) Builder Track

481 views • 25 slides
THE ISLAMIC WORLD, TANG CHINA, THE MAYA Title : Islamic world; Tang China and east Asia; the Maya

THE ISLAMIC WORLD, TANG CHINA, THE MAYA Title : Islamic world; Tang China and east Asia; the Maya

THE ISLAMIC WORLD, TANG CHINA, THE MAYA Title : Islamic world; Tang China and east Asia; the Maya of Central America Source : OUP Medium : map Date : 600-800 Note: Ti e only part of Europe in this group of lectures is Iberia... Islam spread

496 views • 20 slides
Building Complex Queries in Conversational Search Xiaoni Cai Advisor: Johannes Kiesel Referees:

Building Complex Queries in Conversational Search Xiaoni Cai Advisor: Johannes Kiesel Referees:

Bachelor Thesis Defense: Building Complex Queries in Conversational Search Xiaoni Cai Advisor: Johannes Kiesel Referees: Prof. Benno Stein, Jr. Prof. Jan Ehlers Bauhaus-Universitt Weimar, 12 October 2020 1 Build Queries Traditional Search

312 views • 18 slides
Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universitt Weimar DIAC 2014 Santa Barbara, CA

642 views • 62 slides
Consolidating software variants into software product lines: a research outline Rainer Koschke

Consolidating software variants into software product lines: a research outline Rainer Koschke

Consolidating software variants into software product lines: a research outline Rainer Koschke University of Bremen, Germany Working Conference on Reverse Engineering 10th of October 2005 Motivation software product lines grow out of

129 views • 9 slides
Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universitt Weimar March 3, 2014 London, UK Cisco

895 views • 50 slides

More recommend