A Key-recovery Attack on 855-Round Trivium, Ximing Fu, Xiaoyun Wang, ... - PowerPoint PPT Presentation

  1. A Key-recovery Attack on 855-Round Trivium. Ximing Fu, Xiaoyun Wang, Xiaoyang Dong, Willi Meier. Tsinghua University, Beijing, China; FHNW, Windisch, Switzerland. June 6, 2018.

  2. Outline: 1 Introduction to Trivium; 2 Related Works; 3 Basic Ideas; 4 Attack on 855-round Trivium.
     Slide footer: X Fu (Tsinghua University, Beijing, China; FHNW, Windisch, Switzerland), A Key-recovery Attack on 855-Round Trivium, June 6, 2018, 2 / 24.

  3. Introduction to Trivium. Trivium initialization:
     (s_1, s_2, ..., s_93) ← (K_0, ..., K_79, 0, ..., 0)
     (s_94, s_95, ..., s_177) ← (IV_0, ..., IV_79, 0, ..., 0)
     (s_178, s_179, ..., s_288) ← (0, ..., 0, 1, 1, 1).
     for i ← 1 : 4·288 do
         t_1 ← s_66 + s_91·s_92 + s_93 + s_171
         t_2 ← s_162 + s_175·s_176 + s_177 + s_264
         t_3 ← s_243 + s_286·s_287 + s_288 + s_69
         (s_1, s_2, ..., s_93) ← (t_3, s_1, ..., s_92)
         (s_94, s_95, ..., s_177) ← (t_1, s_94, ..., s_176)
         (s_178, s_179, ..., s_288) ← (t_2, s_178, ..., s_287)
     end for

  4. Introduction to Trivium. Generating the keystream (same round function, now with an output bit o_i per round):
     for i ← 1 : N do
         t_1 ← s_66 + s_91·s_92 + s_93 + s_171
         t_2 ← s_162 + s_175·s_176 + s_177 + s_264
         t_3 ← s_243 + s_286·s_287 + s_288 + s_69
         o_i ← s_66 + s_93 + s_162 + s_177 + s_243 + s_288
         (s_1, s_2, ..., s_93) ← (t_3, s_1, ..., s_92)
         (s_94, s_95, ..., s_177) ← (t_1, s_94, ..., s_176)
         (s_178, s_179, ..., s_288) ← (t_2, s_178, ..., s_287)
     end for

  5. Introduction to Trivium. Iterative expression: let $s_w^r$ ($0 \le w \le 2$) denote $s_1$, $s_{94}$ and $s_{178}$ at round $r$. Then
     $s_0^r = s_2^{r-66} + s_2^{r-109} s_2^{r-110} + s_2^{r-111} + s_0^{r-69}$,
     $s_1^r = s_0^{r-66} + s_0^{r-91} s_0^{r-92} + s_0^{r-93} + s_1^{r-78}$,   (1)
     $s_2^r = s_1^{r-69} + s_1^{r-82} s_1^{r-83} + s_1^{r-84} + s_2^{r-87}$.
     Output: $z_r = s_0^{r-65} + s_0^{r-92} + s_1^{r-68} + s_1^{r-83} + s_2^{r-65} + s_2^{r-110}$.

  6. Related Works (section outline, as on slide 2).

  7. Related Works: Cube-like Attack. ANF: the output bit or a state bit of a stream cipher over $m$ IV bits and $n$ key bits is
     $s = \sum_{I,J} \prod_{i \in I} v_i \prod_{j \in J} k_j$.   (2)
     IV term: $t_I = \prod_{i \in I} v_i$. Coefficient function: $g_I(k) = \sum_{J} \prod_{j \in J} k_j$.
     Theorem 1. The cube sum of $s$ over the set $I$ is $g_I(k)$, i.e.,
     $\sum_{i \in I} s = g_I(k)$,   (3)
     where the IV bits $v_k$ ($k \notin I$) are fixed.
     1 If $g_I(k)$ is linear or of low degree over part of the key bits, the cube gives a key-recovery equation. 2 If $g_I(k) = 0$, $t_I$ is a missing IV term and the cube gives a distinguisher.
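Theorem 1 can be checked directly on reduced-round Trivium. The block below is an added example (not the authors' code): a small GF(2) ANF engine runs the initialization of slides 3-5 with symbolic key and IV bits, returns the ANF of $z_r$ in the round convention of slide 5, reads off $g_I(k)$ for a cube $I$ as in Eq. (2), and compares it with the numerically computed cube sum with the other IV bits fixed to 0. The variable labels `k<i>`/`v<i>` and the names `trivium_anf`, `coefficient`, `cube_sum` are this example's own, and the round counts are kept far below the 855 rounds of the talk so the symbolic state stays small.

```python
# Boolean polynomials over GF(2) in ANF: a set of monomials, each monomial a
# frozenset of variable names ('k12' = key bit K_12, 'v7' = IV bit IV_7).
ONE = frozenset()                       # the constant monomial 1

def pmul(p, q):
    """AND of two polynomials; XOR (^) on the sets is polynomial addition."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}              # a | b is the product monomial, x*x = x
    return out

def trivium_anf(rounds):
    """Trivium initialisation (slides 3-5) with symbolic key and IV, run for
    `rounds` rounds; returns the ANF of z_rounds, the output bit computed from
    the state after those rounds (the round convention of slide 5)."""
    var = lambda name: {frozenset([name])}
    s = ([var(f'k{i}') for i in range(80)] + [set()] * 13       # s_1 .. s_93
         + [var(f'v{i}') for i in range(80)] + [set()] * 4      # s_94 .. s_177
         + [set()] * 108 + [{ONE}] * 3)                         # s_178 .. s_288
    for _ in range(rounds):
        t1 = s[65] ^ pmul(s[90], s[91]) ^ s[92] ^ s[170]
        t2 = s[161] ^ pmul(s[174], s[175]) ^ s[176] ^ s[263]
        t3 = s[242] ^ pmul(s[285], s[286]) ^ s[287] ^ s[68]
        s = [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287]
    return s[65] ^ s[92] ^ s[161] ^ s[176] ^ s[242] ^ s[287]

def coefficient(poly, cube):
    """g_I(k) of Eq. (2): the key-only polynomial multiplying t_I = prod v_i."""
    t_I = frozenset(f'v{i}' for i in cube)
    return {m - t_I for m in poly
            if t_I <= m and not any(x.startswith('v') for x in m - t_I)}

def evaluate(poly, assignment):
    """Value of an ANF under a {variable: bit} assignment."""
    return sum(all(assignment[x] for x in m) for m in poly) % 2

def cube_sum(poly, cube, key):
    """Theorem 1 done numerically: XOR of the output over all 2^|I| values of
    the cube variables, every other IV bit fixed to 0, key = list of 80 bits."""
    asg = {f'k{i}': key[i] for i in range(80)}
    asg.update({f'v{i}': 0 for i in range(80)})
    total = 0
    for x in range(1 << len(cube)):
        for bit, i in enumerate(cube):
            asg[f'v{i}'] = (x >> bit) & 1
        total ^= evaluate(poly, asg)
    return total
```

After 69 rounds the output is still $z_{69} = K_{23} + IV_{14} + IV_{65} + IV_{77} + IV_{78} IV_{79}$, so the cube $\{78, 79\}$ sums to the constant 1 and the cube $\{14, 77\}$ sums to 0 for every key; at a few hundred rounds the coefficients start to depend on key bits, which is what a key-recovery cube exploits.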

  8. Basic Ideas (section outline, as on slide 2).

  9. Basic Ideas: a new polynomial reduction technique.
     Lemma 2. Suppose $z$ is the output polynomial of a cipher, and
     $z = P_1 P_2 + P_3$.   (4)
     Then the polynomial can be reduced to a simpler one, $(1 + P_1) z = (1 + P_1) P_3$, by multiplying both sides of Eq. (4) by $1 + P_1$, provided $\deg(P_1 P_2) > \deg((1 + P_1) P_3)$.
     How to distinguish right and wrong key guesses: 1 Right guess: $(1 + P_1) z = (1 + P_1) P_3$. 2 Wrong guesses: $(1 + P_1') z = (1 + P_1') P_1 P_2 + (1 + P_1') P_3$, so the high-degree part $P_1 P_2$ does not vanish.

  10. Basic Ideas: outline of our attack.
     Preprocessing phase: 1 Determine $P_1$ and obtain the reduced polynomial $(1 + P_1) P_3$. There are three criteria for the choice of $P_1$: (1) $P_1$ occurs frequently in the high-degree state terms; (2) the degree of $P_1$ is low; (3) the number of equivalent key guesses in $P_1$ is minimized. 2 Compute the degree bound $d$ of $(1 + P_1) P_3$; then $(d + 1)$-dimensional cubes can serve as distinguishers.
     Online attack phase: guess the partial key bits in $P_1$ and compute the sum of $(1 + P_1) z$ over $(d + 1)$-dimensional cubes: 1 for the right guess, the result is always 0; 2 for wrong guesses, the results are 0-1 balanced.

  11. Basic Ideas: the preprocessing phase. [Figure: Step 1, forward computation from the key and IV bits $(k_1, ..., k_{80}, v_1, ..., v_{80})$ to the internal state bits $s_i^j$; Step 2, decomposition of $(1 + P_1) P_3$ into internal state bits, discarding monomials; Step 3, IV representation.]
     1 Compute the state bits $s_i^j$ ($j \in [0, 2]$) for $i \in [0, 340]$ over the key and IV bits. 2 Decompose the output bit and obtain $(1 + P_1) P_3$ over state bits at rounds less than 450. 3 "Meet-in-the-middle": decomposition & IV representation.

  12. Basic Ideas: key techniques. In Step 2 and Step 3, the repeated-term removing algorithm and fast discarding techniques are used during decomposition, including degree evaluation and degree reduction techniques. Set a bound $d$: 1 if the evaluated degree of a state term satisfies $\deg(T_i) < d$, then $T_i$ can be deleted; 2 if $\deg(T_i) - d_t(T_i) < d$, then $T_i$ can be deleted, where $d_t(T_i)$ is the degree reduction of $T_i$.

  13. Basic Ideas: Repeated-(state)term Removing Algorithm.
     Algorithm 1: Repeated-(state)term Removing Algorithm
     Input: the vector T with n terms, i.e., T_1, T_2, ..., T_n.
     Output: updated T with m terms, where m ≤ n.
     1: Initialize an empty hash set H.
     2: for i ← 1 : n do
     3:     Compute the hash value of T_i, i.e., H(T_i)
     4:     if H.contains(T_i) is true then
     5:         H.delete(T_i)
     6:     else
     7:         H.insert(T_i)
     8:     end if
     9: end for
     The complexity of Algorithm 1 is O(n) for processing n state terms.

  14. Basic Ideas: degree evaluation algorithm.
     Algorithm 2: Degree Evaluation Algorithm (DEG) of a State Bit
     Input: the values t and r, which indicate the state bit $s_t^r$.
     Output: DEG($s_t^r$) = d.
     1: Initialize the degree bound d (as in Step 2 above) and the end point end.
     2: len ← 0
     3: while len = 0 do
     4:     Iteratively express $s_t^r$ using state bits $s_i^j$, where 0 ≤ j ≤ 2 and 0 ≤ i < end. During each expression, discard the state terms of degree lower than d. Let len be the number of remaining state terms.
     5:     if len = 0 then
     6:         d ← d − 1
     7:     end if
     8: end while
     9: return d
     Here end = ⌊r/32⌋ × 32 − 128 in the cryptanalysis of Trivium.

  15. Basic Ideas: degree evaluation example. Degree evaluation of $s_2^{341}$ (end = ⌊341/32⌋ × 32 − 128 = 192):
     Step 1. First, we decompose $s_2^{341} = s_1^{272} + s_1^{259} s_1^{258} + s_1^{257} + s_2^{254}$.
     Step 2. Let $d = \max\{\deg(s_1^{272}),\ \deg(s_1^{259}) + \deg(s_1^{258}),\ \deg(s_1^{257}),\ \deg(s_2^{254})\} = 10$.
     Step 3. Discarding the state terms of degree lower than 10, we get $s_2^{341*} = s_1^{259} s_1^{258}$. Decomposing and discarding again, no state term survives. Reset $d = d - 1 = 9$ and repeat the above process. We get $s_2^{341**} = s_0^{166} s_0^{167} s_0^{193} + s_0^{167} s_0^{168} s_0^{192} + \ldots$.
     Step 4. Continue to decompose and discard, and we get
     $s_2^{341***} = s_2^{56} s_2^{57} s_2^{83} s_2^{84} s_2^{101} + s_2^{57} s_2^{58} s_2^{83} s_2^{84} s_2^{100} + \ldots$   (5)
     Step 5. The decomposition ends (all rounds are below end) and there are still state terms surviving, so $d = 9$ is the estimated degree of $s_2^{341}$.
     Step 6. Note that if no state term of $s_2^{341***}$ had survived, the degree would have to be less than 9; we would then reset $d = 8$ and continue with Steps 3-5.
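The decomposition step of Algorithm 2 and the cancellation of Algorithm 1 can be reproduced on the example above. The block below is an added illustration, not the authors' implementation: Eq. (1) is transcribed as rewrite rules over state bits written `(w, r)` for $s_w^r$, `decompose` applies one level of rewriting to every state bit whose round is at or above `end`, and `remove_repeated` is Algorithm 1. It reproduces Step 1 for $s_2^{341}$ and the 16-term expansion of $s_1^{259} s_1^{258}$ used in Step 3; the degree-based discarding is left out because the slides do not list the individual state-bit degrees it needs. The names `RULES`, `expand_bit`, `decompose` and `bit` are this example's own.

```python
# A state bit is (w, r) for s_w^r (w = 0, 1, 2 as on the "Iterative expression"
# slide), a state term is a frozenset of state bits (a product; x*x = x over
# GF(2)) and a polynomial is a set of state terms.  Example code, not the
# authors' implementation; RULES is Eq. (1) transcribed as (w', offset) pairs.
RULES = {  # s_w^r = sum over the listed products of s_{w'}^{r - offset}
    0: [[(2, 66)], [(2, 109), (2, 110)], [(2, 111)], [(0, 69)]],
    1: [[(0, 66)], [(0, 91), (0, 92)], [(0, 93)], [(1, 78)]],
    2: [[(1, 69)], [(1, 82), (1, 83)], [(1, 84)], [(2, 87)]],
}

def bit(w, r):
    """The polynomial consisting of the single state bit s_w^r."""
    return {frozenset([(w, r)])}

def expand_bit(w, r):
    """One application of Eq. (1) to s_w^r: a polynomial in earlier state bits."""
    return {frozenset((w2, r - off) for w2, off in prod) for prod in RULES[w]}

def remove_repeated(terms):
    """Algorithm 1: a term seen an even number of times cancels modulo 2."""
    kept = set()
    for t in terms:          # H.contains(T_i) -> H.delete(T_i), else H.insert(T_i)
        kept ^= {t}
    return kept

def pmul(p, q):
    """Product of two state-term polynomials, repeated terms cancelled."""
    return remove_repeated(a | b for a in p for b in q)

def decompose(poly, end):
    """Rewrite each state bit whose round is >= `end` one level down by Eq. (1)
    (bits below `end` are left alone), then cancel repeated terms."""
    out = []
    for term in poly:
        prod = {frozenset()}
        for (w, r) in term:
            factor = expand_bit(w, r) if r >= end else bit(w, r)
            prod = pmul(prod, factor)
        out.extend(prod)
    return remove_repeated(out)
```

Decomposing $\{s_1^{259} s_1^{258},\ s_0^{193} s_0^{192}\}$ with `end = 194` shows Algorithm 1 at work: the expansion of the first term contains $s_0^{193} s_0^{192}$, which cancels against the second, leaving 15 terms.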
