A New Structural-Differential Property of 5-Round AES - PowerPoint PPT Presentation

  1. A New Structural-Differential Property of 5-Round AES. Lorenzo Grassi, Christian Rechberger and Sondre Rønjom. May 2017.

  2. Introduction (www.iaik.tugraz.at). AES is probably the most widely studied and used block cipher. So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. We propose a new structural property for up to 5 rounds of AES which is independent of the secret key.

  3. Table of Contents: (1) Secret-Key Distinguisher up to 5 Rounds of AES; (2) A Formal Description; (3) Sketch of the Proof; (4) Open Problems.

  4. Part I: Secret-Key Distinguisher up to 5 Rounds of AES

  5. AES. High-level description of AES: a block cipher based on a design principle known as substitution-permutation network; block size of 128 bits = 16 bytes, organized in a 4 × 4 matrix; key size of 128/192/256 bits; 10/12/14 rounds: $R_i(x) = k_i \oplus (\mathrm{MC} \circ \mathrm{SR} \circ \text{S-Box})(x)$.

  6. Secret-Key Distinguisher. A secret-key distinguisher is one of the weakest cryptographic attacks. Setting: two oracles; one simulates the block cipher for which the secret key has been chosen at random, the other simulates a truly random permutation. Goal: distinguish the two oracles, i.e. decide which oracle is the cipher. Secret-key distinguishers are usually starting points for key-recovery attacks.

  7. Secret-Key Distinguisher up to 4-round AES. Up to 4-round AES, secret-key distinguishers exploit one of the following properties: truncated differential; integral/zero sum; impossible differential. They are all independent of the secret key.

  8. Secret-Key Distinguisher on 4-round AES - Details. Secret-key distinguishers on 4-round AES: integral property [DKR97]; impossible differential property [BK00]. Consider a set of $2^{32}$ plaintexts with one active diagonal: $\begin{pmatrix} A & C & C & C \\ C & A & C & C \\ C & C & A & C \\ C & C & C & A \end{pmatrix}$.

  9. Impossible Differential Distinguisher [BK00] (figure only).

  10. Balance/Zero-Sum Property [DKR97]. $\begin{pmatrix} A & C & C & C \\ C & A & C & C \\ C & C & A & C \\ C & C & C & A \end{pmatrix} \xrightarrow{R^4(\cdot)} \begin{pmatrix} B & B & B & B \\ B & B & B & B \\ B & B & B & B \\ B & B & B & B \end{pmatrix} \xrightarrow{R(\cdot)} \ ?$ Given the same initial set of plaintexts, is there any property which is independent of the secret key after 5-round AES?

  12. Related Work on 5 Rounds of AES. A key-recovery attack can be used as a secret-key distinguisher: the knowledge of the entire key is (usually) necessary to distinguish the block cipher from the random permutation. At CRYPTO 2016, Sun, Liu, Guo, Qu and Rijmen [SMG+16] proposed a zero-sum distinguisher for 5-round AES that: depends on one byte (not all) of the secret key to distinguish 5-round AES from the random permutation; is independent of the S-Box but not of the MixColumns matrix; requires the full codebook.

  13. Structural Property for 5 Rounds of AES. Assume 5-round AES without the final MixColumns operation. Theorem. Consider a set of $2^{32}$ chosen plaintexts with one active diagonal. Let $n$ be the number of different pairs of ciphertexts which are equal in one (fixed) anti-diagonal. The number $n$ is a multiple of 8 with probability 1, i.e. $\exists\, n' \in \mathbb{N}$ s.t. $n = 8 \cdot n'$, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5). A similar result also holds in the decryption direction (i.e. using chosen ciphertexts instead of plaintexts).

  14. Distinguisher on 5-round AES (1/2). Goal: distinguish 5-round AES from a random permutation. Consider $2^{32}$ plaintexts with one active diagonal. Count the number $n$ of pairs of ciphertexts (after 5 rounds) which are equal in one (fixed) anti-diagonal. If $n \bmod 8 \neq 0$, then the permutation is a random one.

  15. Distinguisher on 5-round AES (2/2). To distinguish 5-round AES from a random permutation with probability of success higher than 99.5%: data cost: $2^{32}$ chosen plaintexts/ciphertexts; computational cost: $2^{35.6}$ table look-ups on a table of size $2^{36}$ bytes. Practically verified: https://github.com/Krypto-iaik/AES_5round_SKdistinguisher
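As an added example (not code from the slides or from the authors' repository), the pair count the distinguisher needs can be read off one table keyed by the four anti-diagonal bytes instead of comparing every pair of ciphertexts, which is what keeps the cost near one look-up per text; the ciphertext layout (16 bytes, index 4·col + row) is an assumption of this snippet.

```python
from collections import Counter

# Added example, not the authors' code. Ciphertext layout assumed here:
# 16 bytes, index 4*col + row; anti-diagonal j holds the cells (r, (j - r) mod 4).
def antidiagonal_bytes(c, j):
    """The 4 bytes of ciphertext c lying on anti-diagonal j."""
    return bytes(c[4 * ((j - r) % 4) + r] for r in range(4))

def count_equal_pairs(ciphertexts, j):
    """n = number of unordered pairs of ciphertexts equal on anti-diagonal j.
    One table keyed by the 4 anti-diagonal bytes replaces the pairwise comparison:
    m ciphertexts in a bucket contribute m*(m-1)/2 pairs (the slide's table look-ups)."""
    buckets = Counter(antidiagonal_bytes(c, j) for c in ciphertexts)
    return sum(m * (m - 1) // 2 for m in buckets.values())

def count_equal_pairs_naive(ciphertexts, j):
    """Reference pairwise count, only for cross-checking on small inputs."""
    n = 0
    for a in range(len(ciphertexts)):
        for b in range(a + 1, len(ciphertexts)):
            n += antidiagonal_bytes(ciphertexts[a], j) == antidiagonal_bytes(ciphertexts[b], j)
    return n

def looks_like_random_permutation(ciphertexts, j=0):
    """Decision rule from the slide: 5-round AES (no final MixColumns) on a full
    coset always gives n = 0 mod 8, so n mod 8 != 0 rules the cipher out."""
    return count_equal_pairs(ciphertexts, j) % 8 != 0
```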

  16. Part II: A Formal Description

  17. Subspace Trails for AES [GRR16] (FSE 2017). We define the following subspaces: column space $\mathcal{C}_I$; diagonal space $\mathcal{D}_I$; inverse-diagonal space $\mathcal{ID}_I$; mixed space $\mathcal{M}_I$.

  18. The Diagonal Space. Definition. The diagonal spaces $\mathcal{D}_i$ for $i \in \{0, 1, 2, 3\}$ are defined as $\mathcal{D}_i = \langle e_{0,i}, e_{1,(i+1)}, e_{2,(i+2)}, e_{3,(i+3)} \rangle$. E.g. $\mathcal{D}_0$ corresponds to the symbolic matrix $\mathcal{D}_0 \equiv \begin{pmatrix} x_1 & 0 & 0 & 0 \\ 0 & x_2 & 0 & 0 \\ 0 & 0 & x_3 & 0 \\ 0 & 0 & 0 & x_4 \end{pmatrix}$ for all $x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^8}$.

  19. Meaning of “$p^1 \oplus p^2 \in \mathcal{D}_i$”. Texts $p^1$ and $p^2$ belong to $\mathcal{D}_i \oplus a$ (i.e. a coset of $\mathcal{D}_i$), $p^1, p^2 \in \mathcal{D}_i \oplus a \equiv \{ x \oplus a \mid \forall x \in \mathcal{D}_i \}$, if and only if $p^1 \oplus p^2 \in \mathcal{D}_i$, that is $p^1$ and $p^2$ are equal in all bytes except for the ones in the $i$-th diagonal. E.g. $p^1, p^2 \in \mathcal{D}_0 \oplus a$ iff $p^1 \oplus p^2 \in \mathcal{D}_0$ iff $p^1 \oplus p^2 \equiv \begin{pmatrix} ? & 0 & 0 & 0 \\ 0 & ? & 0 & 0 \\ 0 & 0 & ? & 0 \\ 0 & 0 & 0 & ? \end{pmatrix}$.

  20. The Inverse-Diagonal Space. Definition. The inverse-diagonal spaces $\mathcal{ID}_i$ for $i \in \{0, 1, 2, 3\}$ are defined as $\mathcal{ID}_i = \langle e_{0,i}, e_{1,(i-1)}, e_{2,(i-2)}, e_{3,(i-3)} \rangle$. E.g. $\mathcal{ID}_0$ corresponds to the symbolic matrix $\mathcal{ID}_0 \equiv \begin{pmatrix} x_1 & 0 & 0 & 0 \\ 0 & 0 & 0 & x_2 \\ 0 & 0 & x_3 & 0 \\ 0 & x_4 & 0 & 0 \end{pmatrix}$ for all $x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^8}$.

  21. The Mixed Space. Definition. The $i$-th mixed spaces $\mathcal{M}_i$ for $i \in \{0, 1, 2, 3\}$ are defined as $\mathcal{M}_i = \mathrm{MC}(\mathcal{ID}_i)$. E.g. $\mathcal{M}_0$ corresponds to the symbolic matrix $\mathcal{M}_0 \equiv \begin{pmatrix} \mathtt{0x02} \cdot x_1 & x_4 & x_3 & \mathtt{0x03} \cdot x_2 \\ x_1 & x_4 & \mathtt{0x03} \cdot x_3 & \mathtt{0x02} \cdot x_2 \\ x_1 & \mathtt{0x03} \cdot x_4 & \mathtt{0x02} \cdot x_3 & x_2 \\ \mathtt{0x03} \cdot x_1 & \mathtt{0x02} \cdot x_4 & x_3 & x_2 \end{pmatrix}$ for all $x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^8}$.

  22. Subspace Trail for AES. For $I \subseteq \{0, 1, 2, 3\}$, let $\mathcal{D}_I$, $\mathcal{ID}_I$ and $\mathcal{M}_I$ be defined as $\mathcal{D}_I = \bigoplus_{i \in I} \mathcal{D}_i$, $\mathcal{ID}_I = \bigoplus_{i \in I} \mathcal{ID}_i$, $\mathcal{M}_I = \bigoplus_{i \in I} \mathcal{M}_i$. Theorem. For each $a \in \mathcal{D}_I$, there exists (unique) $b \in \mathcal{M}_I$ s.t. $R^2(\mathcal{D}_I \oplus a) = \mathcal{M}_I \oplus b$. Equivalently, for each $x, y$: $\mathrm{Prob}\left( R^2(x) \oplus R^2(y) \in \mathcal{M}_I \mid x \oplus y \in \mathcal{D}_I \right) = 1$.
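As an added example (not code from the slides or from the authors' repository), the following Python checks the 2-round subspace trail $\mathcal{D}_I \to \mathcal{M}_I$ of the theorem on a byte-level AES round (real S-box and MixColumns) with random round keys, testing membership in $\mathcal{M}_I$ by applying $\mathrm{MC}^{-1}$ and checking the result against $\mathcal{ID}_I$. The state layout (16 bytes, index 4·col + row) and the use of independent random round keys in place of the key schedule are assumptions of this snippet.

```python
import os
# Added example (not the slides' code): byte-level AES round with random round keys,
# used to check the 2-round subspace trail D_I -> M_I stated in the theorem.
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox(x):  # the real AES S-box: inverse in GF(2^8), then the affine map over GF(2)
    inv = next((y for y in range(256) if gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox(x) for x in range(256)]

def shift_rows(s):  # state = 16 bytes at index 4*col + row; row r rotates left by r
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, m=MC):
    return [gmul(m[r][0], s[4*c]) ^ gmul(m[r][1], s[4*c+1]) ^ gmul(m[r][2], s[4*c+2])
            ^ gmul(m[r][3], s[4*c+3]) for c in range(4) for r in range(4)]

def aes_round(s, k):  # R_i(x) = k_i xor MC(SR(S-Box(x))), as on the AES slide
    return [a ^ b for a, b in zip(mix_columns(shift_rows([SBOX[b] for b in s])), k)]

def in_D(d, I):  # d in D_I: zero outside diagonals i in I; cell (r, c) is on diagonal (c - r) mod 4
    return all(d[4*c + r] == 0 for c in range(4) for r in range(4) if (c - r) % 4 not in I)

def in_M(d, I):  # d in M_I = MC(ID_I): MC^-1(d) is zero outside inverse-diagonals (c + r) mod 4 in I
    e = mix_columns(d, MC_INV)
    return all(e[4*c + r] == 0 for c in range(4) for r in range(4) if (c + r) % 4 not in I)

def subspace_trail_holds(I, trials=20):
    """Prob(R^2(x) xor R^2(y) in M_I | x xor y in D_I) = 1, on random texts and round keys."""
    for _ in range(trials):
        k1, k2, x = list(os.urandom(16)), list(os.urandom(16)), list(os.urandom(16))
        delta = [os.urandom(1)[0] if (c - r) % 4 in I else 0 for c in range(4) for r in range(4)]
        y = [a ^ b for a, b in zip(x, delta)]  # so x xor y = delta lies in D_I
        cx, cy = aes_round(aes_round(x, k1), k2), aes_round(aes_round(y, k1), k2)
        if not (in_D(delta, I) and in_M([a ^ b for a, b in zip(cx, cy)], I)):
            return False
    return True
```

Because the trail only uses that the S-box acts byte-wise and that MixColumns acts column-wise, it holds for every round key, which is what makes the property key-independent.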

  24. Structural Property for 5 Rounds of AES. Given $\mathcal{D}_I \oplus a$ (i.e. a coset of $\mathcal{D}_I$), consider all the $2^{32 \cdot |I|}$ plaintexts and the corresponding ciphertexts after 5 rounds, i.e. $(p^i, c^i \equiv R^5(p^i))$ for $i = 0, \ldots, 2^{32 \cdot |I|} - 1$ where $p^i \in \mathcal{D}_I \oplus a$. Theorem. For a fixed $J \subseteq \{0, 1, 2, 3\}$, let $n$ be the number of different pairs of ciphertexts $(c^i, c^j)$ for $i \neq j$ such that $c^i \oplus c^j \in \mathcal{M}_J$: $n := \left| \{ (p^i, c^i), (p^j, c^j) \mid \forall p^i, p^j \in \mathcal{D}_I \oplus a,\ p^i < p^j \text{ and } c^i \oplus c^j \in \mathcal{M}_J \} \right|$. The number $n$ is a multiple of 8, i.e. $\exists\, n' \in \mathbb{N}$ s.t. $n = 8 \cdot n'$, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).

  25. Part III: Sketch of the Proof

  26. Reduction to a Single Round (1/2). Remember: $R^2(\mathcal{D}_I \oplus a) = \mathcal{M}_I \oplus b$ and for each $x, y$: $\mathrm{Prob}\left( R^2(x) \oplus R^2(y) \in \mathcal{M}_I \mid x \oplus y \in \mathcal{D}_I \right) = 1$. Since $\mathcal{D}_I \oplus a \xrightarrow[\text{prob. } 1]{R^2(\cdot)} \mathcal{M}_I \oplus b \xrightarrow{R(\cdot)} \mathcal{D}_J \oplus a' \xrightarrow[\text{prob. } 1]{R^2(\cdot)} \mathcal{M}_J \oplus b'$, we can focus only on the middle round!
