a model for structure attacks with applications to
play

A Model for Structure Attacks, with Applications to PRESENT and - PowerPoint PPT Presentation

Apr 10, 2024 •163 likes •636 views

A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2 , Elmar Tischhauser 3 and Bart Preneel 3 1 Shandong University, 2 Tsinghua University, 3 KU Leuven and IBBT FSE 2012 March 19, 2012 1 / 18 Outline

  1. A Model for Structure Attacks, with Applications to PRESENT and Serpent Meiqin Wang 1 , Yue Sun 2 , Elmar Tischhauser 3 and Bart Preneel 3 1 Shandong University, 2 Tsinghua University, 3 KU Leuven and IBBT FSE 2012 March 19, 2012 1 / 18

  2. Outline 1. Motivation 2. Modeling structure attacks 3. Attacking PRESENT and Serpent 4. Conclusions and outlook 2 / 18

  3. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  4. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  5. Motivation: How to leverage multiple differentials? Using multiple differentials has advantages ◮ More likely to hit right pair ⇒ decrease data complexity ◮ Unlike linear cryptanalysis: always constructive ◮ Success stories: DES, Serpent Caveats ◮ Too many differentials can increase complexity ◮ Multiple input, multiple output, both? ◮ How many active bits/S-boxes at input/output? = ⇒ General model needed for evaluation Motivation 3 / 18

  6. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  7. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  8. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  9. State of the art: What we know Historical introduction ◮ Biham and Shamir 1990: Quartets, Octets, etc. ◮ . . . widespread informal use . . . ◮ Blondeau and G´ erard, FSE 2011: Comprehensive framework for multiple differentials What’s left to do then? ◮ Model of FSE’11: Analysis requires fairly restrictive condition on differentials ◮ Can this be avoided? ◮ Some small technical problems with the attack on 18-round PRESENT Motivation 4 / 18

  10. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  11. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  12. Structure attacks Structure attacks ◮ Use multiple input, single output differences ◮ Proper subclass of multiple differential cryptanalysis ◮ Allow avoiding the condition of [Blondeau and G´ erard, FSE’11] Structures ◮ Consider set { ∆ 1 0 , . . . , ∆ t 0 } of input differences ◮ Structure: collection of plaintexts of the form � ∆ ∈ span { ∆ 1 � 0 , . . . , ∆ t � { x ⊕ ∆ 0 }} x Here: focus on SPNs Modeling structure attacks 5 / 18

  13. Modeling structure attacks: The setting Notation ◮ m -bit block cipher, k bit key ◮ Attack on R rounds with r -round differentials ◮ Set ∆ 0 of input differences, one output difference ∆ r Modeling structure attacks 6 / 18

  14. Modeling structure attacks: The setting N p bits active S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 r rounds S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 N c bits not active R rounds Modeling structure attacks 6 / 18

  15. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Modeling structure attacks 7 / 18

  16. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Structure 1: r 0 0 r r r 10 r r r r r r r 0 r 0 15 12 11 9 8 7 6 5 4 3 1 r F F r r r 10 r r r r r r r F r F F 12 11 9 8 7 6 5 4 3 1 Modeling structure attacks 7 / 18

  17. Structure of the structures In each structure: ◮ m − N p bits fixed, ◮ N p bits take on all N p -bit values Structure 1: r 0 0 r r r 10 r r r r r r r 0 r 0 15 12 11 9 8 7 6 5 4 3 1 r F F r r r 10 r r r r r r r F r F F 12 11 9 8 7 6 5 4 3 1 Structure 2: s 0 0 s s s 10 s s s s s s s 0 s 0 15 12 11 9 8 7 6 5 4 3 1 s F F s s s 10 s s s s s s s F s F F 12 11 9 8 7 6 5 4 3 1 and so on Modeling structure attacks 7 / 18

  18. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

  19. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

  20. Anatomy of a structure attack 1. For each of the N st structures: (a) Insert ciphertexts into hash table indexed S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 by N c (b) For each entry: Check if input difference matches ∆ 0 (c) If yes: For each pair, filter by output S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 difference in active S-boxes in round R (d) If pair survives filter: Guess n k subkey r rounds bits, decrypt to round r , maintain S S S S S S 10 S S S S S S S S S S 15 14 13 12 11 9 8 7 6 5 4 3 2 1 0 counters. 2. Search through the ℓ best key candidates, R rounds find master key. Modeling structure attacks 8 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in

Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in

Memoization Attacks and Memoization Attacks and Copy Protection in Copy Protection in Partitioned Applications Partitioned Applications Charles W. ODonnell 1 , G. Edward Suh 2 Marten van Dijk 1 , Srinivas Devadas 1 1 Massachusetts Institute

336 views • 32 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve Flemming Andersen Outline Motivation Cache attacks: origins, time-driven attack Strength of an implementation Analytical model of

685 views • 19 slides
Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Large-scale electronic structure methods Introduction Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications Outlook Taisuke Ozaki (ISSP, Univ. of Tokyo) The Summer School on DFT: Theories and

689 views • 55 slides
Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries,

Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries,

Learning' Probabilis2c' Graphical' BN'Structure' Models' Structure' Learning' Daphne Koller Why Structure Learning To learn model for new queries, when domain expertise is not perfect For structure discovery, when inferring network

752 views • 61 slides
The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category

The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category

The Constructive KanQuillen Model Structure Karol Szumi lo University of Leeds Category Theory 2019 1/11 The classical KanQuillen model structure Theorem The category of simplicial sets carries a proper cartesian model structure

731 views • 34 slides
Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are

TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are

TESTING MODELS The Assumptions are valid Model Structure is sound Model Parameters are believable Model Predictions match observation Important to remember that the model is an approximation - ignore less important features,

593 views • 26 slides
Not Killer Applications but perhaps Killer Solutions. Model Model Results Results

Not Killer Applications but perhaps Killer Solutions. Model Model Results Results

Problem Problem Not Killer Applications but perhaps Killer Solutions. Model Model Results Results Conclusions Conclusions Success Factors for Mobile Computing Applications and Business Models: An Empirical Study. Hans Juergen Ott The

258 views • 4 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web

3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web

Gerti Kappel c03.tex V2 - March 31, 2006 4:34 P.M. Page 39 39 3 Modeling Web Applications Wieland Schwinger, Nora Koch It is not (yet) common to model Web applications in practice. This is unfortunate as a model- based approach provides a

506 views • 26 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
The Core of Our Existence God chose to create Man in His own image why? God then looked at Man

The Core of Our Existence God chose to create Man in His own image why? God then looked at Man

The Core of Our Existence God chose to create Man in His own image why? God then looked at Man and said It is not good for Man to be alone; I will make him a partner. why? There is something within our nature that compels us to

671 views • 24 slides

Haran died before his father Terah in the land of his birth, in Ur of the Chaldeans. Abram and Nahor took wives; the name of Abram's wife was

509 views • 13 slides
Genesis Series Lesson #071 October 20, 2004 Dean Bible Ministries www.deanbibleministries.org

Genesis Series Lesson #071 October 20, 2004 Dean Bible Ministries www.deanbibleministries.org

Genesis Series Lesson #071 October 20, 2004 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Time Line of the Patriarchs Temple 2166 BC Dedication Abram born 966 BC 1876 BC Jacob enters Egypt 480 430 2066 BC 1446

162 views • 14 slides
r trs s rsts t

r trs s rsts t

r trs s rsts t tr sttsts r rss tr r ss

882 views • 48 slides
Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago

Software benchmarking http://bench.cr.yp.to D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Selecting cryptographic primitives NISTs final AES report, 2001: Security was

686 views • 50 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for

DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for

DASP Top 10 (Smart Contract Vulns) Reca ecall ll Bitcoin Scripting language intended for handling transfers of digital stores of value (i.e. cash) Limited functionality to validate conditions for transactions to occur Reasonable

648 views • 10 slides
Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT /

Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT /

Nuclear Energy Research in Cambridge Dr Eugene Shwageraus Department of Engineering SERPENT / Multi-physics Workshop, LPSC Grenoble 26-27 February 2015 Nuclear Energy Education in Cambridge Undergraduate Introduction to NE, Nuclear

511 views • 17 slides

More recommend