a unified approach to related key attacks
play

A Unified Approach to Related-Key Attacks Orr Dunkelman - PowerPoint PPT Presentation

Mar 06, 2024 •132 likes •600 views

A Unified Approach to Related-Key Attacks Orr Dunkelman Katholieke Universitiet Leuven, Dept. of Electrical Engineering ESAT- SCD/COSIC joint work with Eli Biham and Nathan Keller 1/46 Outline of the Talk Previous Results: Original

  1. A Unified Approach to Related-Key Attacks Orr Dunkelman Katholieke Universitiet Leuven, Dept. of Electrical Engineering ESAT- SCD/COSIC joint work with Eli Biham and Nathan Keller 1/46

  2. Outline of the Talk Previous Results: Original Related-Key Attacks Slide Attacks The ''Newer'' Related-Key Attacks The Unified Approach Attack on 4r-round IDEA Summary 2/46

  3. Related-Key Attacks Presented by Biham [B93] and independently by Knudsen [K93] Useful when the key schedule algorithm is very simple And when the round function is ''weak'' 3/46

  4. Related-Key Attack on modified DES Consider the Data Encryption Standard (DES): Feistel block cipher 64-bit block, 56-bit key 16 rounds Subkeys are permutated subsets of the original supplied key 4/46

  5. Related-Key Attack on modified DES (cont.) Key K Plaintext P PC-1 D C K 1 PC-2 ROL2 ROL2 F D C K 2 PC-2 ROL2 ROL2 F D C K r PC-2 ROL2 ROL2 F D C K 16 PC-2 F Ciphertext C 5/46

  6. Related-Key Attack on modified DES (cont.) Consider two keys such that for the derived subkeys Assume we find two plaintexts such that The corresponding ciphertexts satisfy We call this pair a related-key plaintext pair (RKPP) 6/46

  7. Related-Key Attack on modified DES (cont.) Having two input/output pairs to the round function of DES is sufficient to retrieve the key Even if the number of rounds is increased, the attack still works! 7/46

  8. The Slide Attack [BW99] Sometimes, the need for two keys can be reduced Assume that all subkeys are the same, i.e., Then, the encryption process is 8/46

  9. The Slide Attack (cont.) Assume you find two plaintexts such that Such a pair is called a slid pair, and it satisfies P 2 P 1 C 1 f k f k f k f k f k C 1 P 2 C 2 f k f k f k f k f k 9/46

  10. The Slide Attack (cont.) If is simple enough, then again it can be broken using one slid pair Open questions (applicable to related-key plaintext pairs as well): How to generate slid pairs? How to identify slid pairs? What to do with not so weak functions? 10/46

  11. Generating & Identifying Slid Pairs For a general round function, best approach is birthday paradox: Take 2 n/2 known plaintexts Try all 2 n possible pairs as a candidate slid pair, and apply the attack If the attack succeeds – the right key is found, and the slid pair is identified 11/46

  12. Making the ''Simple'' More Complex In [BW00] some advanced slide techniques were presented Most interesting property observed: If is a slid pair, then so does Hence, finding one slid pair gives many slid pairs ... 12/46

  13. Making the ''Simple'' More Complex (cont.) This allows applying known plaintext attacks on If the attack requires m known plaintexts, then for each plaintext P , ask for its encryptions For each candidate slid pair apply the attack on using the suggested set of slid pairs 13/46

  14. Related-Key Differential Attack [KSW96] Adaptation of the differential cryptanalysis into the related-key model The probability of a regular differential is For a related-key differential the probability is 14/46

  15. Related-Key Differential Attacks The key difference (or relation) is chosen such that the subkey differences are known If the key does not mixes well enough, it is easy to predict all subkey differences These difference can be used to cancel difference that enter nonlinear parts of the cipher 15/46

  16. The Example of TEA TEA (Tiny Encryption Algorithm) is a 64-bit block cipher, with 128-bit key TEA is a Feistel cipher with 64 rounds The figure was taken from wikipedia 16/46

  17. The Example of TEA Consider a plaintext difference and a key difference In each round, the subkey differnece are canceled, and the zero difference between the encryptions remain This happens with probability 1 17/46

  18. Several More Related-Key Attacks Related-Key Square attack [F+00] Related-Key Impossible Differential attack [JD03,BDK06,ZZF06] Related-Key Rectangle attack [K+04,K+05,BDK05] Related-Key linear attacks [BDK06] ... 18/46

  19. The Downside of Related- Key Differential Attacks Related-Key differential attacks (usually) lose their efficiency when the number of rounds is increased: More rounds -> lower probability More rounds -> less chance for the subkey differences to be predicted correctly 19/46

  20. Comparison Between Related-Key Attacks Original Related-Key Related-Key Differential (Type A) (Type B) Independent in Usually dependent in number of rounds number of rounds Assume weak Very useful when the ''rounds'' round is ''strong'' Require a really Require a simple key simple key schedule schedule 20/46

  21. The Unified Approach We suggest using a Type A attack to be independent in number of rounds While using Type B attack on the round function. Result: independent in the number of rounds, even when the round function is very strong! 21/46

  22. 1 st Mission – Finding Many Related-Key Plaintext Pairs Let be RKPP with respect to the keys , i.e., Then, to continue the encryption and obtain another RKPP, we need for which This starts to become complicated ... 22/46

  23. Finding Multiple Related-Key Plaintext Pairs The solution to the problem is to use chains of related-keys. Let be a key that satisfied the previous relation If satisfies Then is a RKPP under 23/46

  24. Finding Multiple Related-Key Plaintext Pairs (cont.) If for some t: we can find another RKPP for the keys Conditions: t should be small, should have cycles that contain the original keys 24/46

  25. Study Case: IDEA IDEA's key schedule is very simple. The 128-bit key is used as the first 8 subkeys Then the key is rotated to the left by 25, and used as the following 8 subkeys Again, and again... 25/46

  26. Study Case: IDEA (cont.) Each round uses six subkeys. Thus, after four rounds, the key is used from the ''correct'' spot, but rotated 75 bits to the left. If IDEA had 8 rounds (and not 8.5), then let be 4-round IDEA, then 26/46

  27. Study Case: IDEA (cont.) Thus, if then We conclude that if is a RKPP, then so does (both with respect to the function ) 27/46

  28. Unifying the Related-Key Framework In case there was a good 4-round attack on IDEA, we could have stopped here. There isn't. But there is a good related-key attack (type B) on 4-round IDEA 28/46

  29. Unifying the Related-Key Framework (cont.) Assume there is a related-key attack of type B on 4-round IDEA Let the key difference be Then it is possible to generate two chains of RKPP – one for and one for 29/46

  30. Unifying the Related-Key Framework (cont.) The main problem is now we have to identify the RKPP twice! Standard approach – try all possible pairs as RKPP Finding it twice (or more) is very time consuming 30/46

  31. IDEA 64-bit block, 128-bit key block cipher Presented by Lai and Massey in 1991 Widely used in many applications 31/46

  32. IDEA (cont.) i i p q i s i i u t 32/46

  33. IDEA (cont.) 33/46

  34. IDEA (cont.) 34/46

  35. A 4-Round Related-Key Truncated Differential of IDEA Key difference: Input difference: Additional condition: First round: prob. ½ Second round: prob. 2 -16 Third round: prob. 1 Fourth round: prob. 1 35/46

  36. The Keys Involved in the Attack The unknown key - The key for obtaining RKPP - The related-key (type B) - Its related key (type A) - 36/46

  37. The Chains of Plaintexts 37/46

  38. Basic Idea Behind the Attack Find one RKPP (=> we found many RKPPs!) Use the differential to find an RKPP (=> again, many RKPPs!) Use the pairs in a related-key differential attack on 4-round IDEA 38/46

  39. Naive Implementation Fix , for any candidate : Check whether is a RKPP Main problem: There are 2 32 (a,b) combinations + Prob. of success is only 2 -17 39/46

  40. Improved Implementation Locate a set of 2 36 plaintext pairs satisfying that the fourth word is 1 Find the list of such that For each store in a hash table 40/46

  41. Improved Implementation (cont.) For each candidate check whether appears in the table (up to the difference) If so, assume that are all RKPP Apply the RK attack on 4-round IDEA with two input/output pairs 41/46

  42. Complexity of the Attack The attack uses 4 chains, each contains the entire code book, encrypted under 64 keys = 2 72 plaintexts (256 keys) Time complexity - 2 100 42/46

  43. So What?!? Our attack can be used when the number of rounds is increased Only changes – the way the chains are generated (sometimes less keys would be used => lower data complexity) If a better 4-round attack on IDEA is found – just plug it into our model 43/46

  44. Summary Unification of the two related-key attacks A way to generate many RKPP A way to use a RK attack of any type (including type B) in a type A RK attack First attack on a widely used cipher which continues to work when number of rounds is increased 44/46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted C. Cheng, Howard Chu, Matthew Hardin Symas Corporation Outline Evolution of Related Technologies Unified AAA Architecture Provisioning AAA

396 views • 27 slides
Streamlining & Adapting: A Unified Approach A Unified Approach G. Scott Weese IT

Streamlining & Adapting: A Unified Approach A Unified Approach G. Scott Weese IT

conference & convention enabling the next generation of networks & services Streamlining & Adapting: A Unified Approach A Unified Approach G. Scott Weese IT International Telecom conference & convention enabling the next

287 views • 15 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

Motivation 64-bit key version of Kasumi used for A5/3 Upper bound for any 3-round related-key differential over A5/3 Resistance against Crypto2010 Attack Conclusion On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 ,

624 views • 26 slides
Related-Key Attacks Orr Dunkelman Department of Computer Science, University of Haifa Faculty of

Related-Key Attacks Orr Dunkelman Department of Computer Science, University of Haifa Faculty of

Related-Key Attacks Slide Statistical RK Related-Key Attacks Orr Dunkelman Department of Computer Science, University of Haifa Faculty of Mathematics and Computer Science Weizmann Institute of Science June 2nd, 2011 Orr Dunkelman

441 views • 42 slides
A unified continuum mechanical approach for the computer age About the course Hans Petter

A unified continuum mechanical approach for the computer age About the course Hans Petter

Mathematical Modeling of Flow, Heat Transfer, and Deformation A unified continuum mechanical approach for the computer age About the course Hans Petter Langtangen Simula Research Laboratory and Dept. of Informatics University of Oslo

1.05k views • 82 slides
Classical Sabermetrics vs. Formal Statistical Inference: Towards a Unified Approach to

Classical Sabermetrics vs. Formal Statistical Inference: Towards a Unified Approach to

Classical Sabermetrics vs. Formal Statistical Inference: Towards a Unified Approach to Quantitative Baseball Research Patrick Kilgo, Brian Schmotzer, Hillary Superak, Paul Weiss, Jeff Switchenko, Lisa Elon, Jason Lee, and Lance Waller

632 views • 48 slides
Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Introduction A generic related-key attack on HMAC Conclusion Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological University - Singapore NTT - Japan Asiacrypt 2012 Beijing, China - December 5, 2012

3.43k views • 42 slides
AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of

AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of

AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of Computer Science University of California, Los Angeles TLDI January 25, 2011 Some attackers dont play fair. playFor: (s: Song) (p: prin )

841 views • 83 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
Specialization Is for Insects Polymorphous Architectures: A Unified Approach for Extracting

Specialization Is for Insects Polymorphous Architectures: A Unified Approach for Extracting

Specialization Is for Insects Polymorphous Architectures: A Unified Approach for Extracting Concurrency of Different Granularities Karu Sankaralingam Computer Architecture and Technology Laboratory Department of Computer Sciences The

512 views • 49 slides
Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E.

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

584 views • 42 slides
ECMs and Institutional Repositories: The Case for a Unified Enterprise Approach to Content

ECMs and Institutional Repositories: The Case for a Unified Enterprise Approach to Content

ECMs and Institutional Repositories: The Case for a Unified Enterprise Approach to Content Management Malcolm Wolski (Presenter) Associate Director (eResearch and Academic Resource Development Services), Information Services Joanna

696 views • 15 slides
GATE Identification San Diego Unified School District Special Education Division Related and Low

GATE Identification San Diego Unified School District Special Education Division Related and Low

GATE Identification San Diego Unified School District Special Education Division Related and Low Incidence Services Presented to GATE District Advisory Committee by Carrie Rea, Program Manager Kristin Makena, Senior School Psychologist

326 views • 11 slides
Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research

Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research

Related-key Attacks Against Full Hummingbird-2 Markku-Juhani O. Saarinen mjos@iki.fi Research (and my travel!) sponsored by current Intellectual Property owners of Hummingbird-2. Fast Software Encryption 2013 Singapore, Singapore 13 March

719 views • 25 slides
Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape

Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape

Ministry of Science, People First, Performance Now Technology and Innovation Enterprise GRC Framework p Unified Approach to Address Silo Cyber Security Landscape Ramaguru Ramasubbu and Rahul Moondra 7 th November 2012 h Ministry of

404 views • 37 slides
Housing Obstacles and Racial Justice in NJ Elizabeth Weill-Greenberg Communications Director New

Housing Obstacles and Racial Justice in NJ Elizabeth Weill-Greenberg Communications Director New

Housing Obstacles and Racial Justice in NJ Elizabeth Weill-Greenberg Communications Director New Jersey Institute for Social Justice www.njisj.org ewgreenberg@njisj.org "I was at work and the guy called me and told me to come pick up my

211 views • 18 slides
Introduction Budget reductions in the Department of Corrections (DOC) have reduced the

Introduction Budget reductions in the Department of Corrections (DOC) have reduced the

Introduction Budget reductions in the Department of Corrections (DOC) have reduced the number of secure beds as well as substance abuse residential treatment capacity. As a result, the backlog of out-of-compliance state-

725 views • 24 slides
VISUAL UPDATE June 2017 DISCLAIMER IMPORTANT: You must read the following before continuing. The

VISUAL UPDATE June 2017 DISCLAIMER IMPORTANT: You must read the following before continuing. The

VISUAL UPDATE June 2017 DISCLAIMER IMPORTANT: You must read the following before continuing. The term NSA as used in this Presentation refers to Net Sellable/Leasable Area. NSA Russia. The Companys securities have not been and will not

147 views • 13 slides
H1-2020 Financial Results 27 August 2020 Cautionary Statement This proprietary presentation

H1-2020 Financial Results 27 August 2020 Cautionary Statement This proprietary presentation

H1-2020 Financial Results 27 August 2020 Cautionary Statement This proprietary presentation (including any accompanying oral presentation, question and answer session and any other document or materials distributed at or in connection with this

439 views • 11 slides
Securing and Governing Hybrid, Cloud, and On-premises Big Data Deployments, Step By Step Your

Securing and Governing Hybrid, Cloud, and On-premises Big Data Deployments, Step By Step Your

Securing and Governing Hybrid, Cloud, and On-premises Big Data Deployments, Step By Step Your Speakers Camila Hiskey, Senior Sales Engineer, Cloudera Ifi Derekli, Senior Sales Engineer, Cloudera Mark Donsky, Senior Director of

1.41k views • 116 slides
concert somewhere in the world Forward-Looking Statements Certain statements in this presentation

concert somewhere in the world Forward-Looking Statements Certain statements in this presentation

Every 16 minutes there is a Live Nation concert somewhere in the world Forward-Looking Statements Certain statements in this presentation may constitute forward - looking statements within the meaning of the Private Securities Litigation

706 views • 21 slides
Special Event: Clean Up the Ocean Concert 2015 May 11, 2015 Recommendation THAT the Board

Special Event: Clean Up the Ocean Concert 2015 May 11, 2015 Recommendation THAT the Board

Special Event: Clean Up the Ocean Concert 2015 May 11, 2015 Recommendation THAT the Board approve a request from Upcycle the Gyres Society, organizers of the Clean Up the Ocean initiative, for an 800 person concert at Prospect Point Picnic

332 views • 9 slides
Successor Liability in Bankruptcy Asset Sales Navigating the Limitations on "Free and

Successor Liability in Bankruptcy Asset Sales Navigating the Limitations on "Free and

Presenting a 90-Minute Encore Presentation of the Teleconference with Email Q&A Successor Liability in Bankruptcy Asset Sales Navigating the Limitations on "Free and Clear" in Section 363 Sales TUESDAY, JUNE 19, 2012 1pm Eastern

517 views • 30 slides

More recommend