algebraic analysis of aes
play

Algebraic Analysis of AES Carlos Cid Information Security Group, - PowerPoint PPT Presentation

Nov 11, 2023 •323 likes •558 views

Algebraic Analysis of AES Carlos Cid Information Security Group, Royal Holloway, University of London ECRYPT II AES Day 18 Oct 2012 Algebraic Analysis of AES Carlos Cid Algebraic Analysis of AES AES is an algorithm with a simple and very

  1. Algebraic Analysis of AES Carlos Cid Information Security Group, Royal Holloway, University of London ECRYPT II AES Day 18 Oct 2012 Algebraic Analysis of AES Carlos Cid

  2. Algebraic Analysis of AES AES is an algorithm with a simple and very elegant design. it has been designed to offer strong resistance against known attacks, in particular differential and linear cryptanalysis, while enabling efficient implementation on different platforms. given its careful design criteria, it has always seemed unlikely that its security can be affected by conventional methods of cryptanalysis. Algebraic Analysis of AES Carlos Cid

  3. Algebraic Analysis of AES The AES has also a highly algebraic structure. Fundamental component: byte as element of K = GF(2 8 ). SubBytes: inversion + linearised polynomial in K [ x ] + addition in K . ShiftRows + MixColumns: linear operation in K 16 . AddRoundKey: addition in K . The selection of AES led to a growing interest in the study of algebraic properties of block ciphers, and applications in cryptanalysis. Algebraic Analysis of AES Carlos Cid

  4. Algebraic Techniques in Cryptanalysis Algebra is the default tool in the analysis of asymmetric cryptosystems (RSA, ECC, Lattice-based, MPKC, etc). For symmetric cryptography (block and stream ciphers), the most commonly used techniques are statistical in nature: block ciphers: in linear and differential cryptanalysis (and variants), the attacker attempts to construct statistical patterns through many interactions of the cipher. stream ciphers: linear/differential, correlation attacks, distinguishing attacks, etc. The selection of AES (and proposal of algebraic attacks against stream ciphers) led to an increasing interest in the use of algebraic techniques in the analysis of symmetric cryptosystems in the past 10 years. Algebraic Analysis of AES Carlos Cid

  5. Algebraic Structure of AES The algebraic properties of Rijndael were not really explored in detail during the AES selection process. focus mostly on the proposal of dedicated attacks, eg square and bottleneck attacks. There were however some early observations, eg: moving F 2 -affine S-Box operation into augmented linear layer (and key schedule). (Murphy and Robshaw) description of AES encryption using a form of continued fractions (fully expanded expression for the full 10-round AES encryption would have around 2 50 terms). (Ferguson et al.) Algebraic Analysis of AES Carlos Cid

  6. Big Encryption System - BES Due to Murphy and Robshaw (2002), BES operated on 128-byte blocks with 128-byte keys, with very simple algebraic structure: S-Box Layer: inversion in GF(2 8 ); Linear Diffusion Layer: GF(2 8 )-linear transformation; Subkey Layer : addition of round subkey. The AES can be embedded into the BES via a vector conjugate mapping φ ( a ) = ( a , a 2 , a 4 , . . . , a 128 ) BES restricted to a subspace provides an alternative description of AES. Algebraic Analysis of AES Carlos Cid

  7. Polynomial Representation In principle, one can always attempt to represent a cipher as a system of polynomial equations (over F 2 ), and study its security based on the properties of this system. we can therefore consider polynomial system solving as a cryptanalytic technique. this has recently become an increasingly common technique to try to analyse symmetric-key encryption algorithms. Algebraic Analysis of AES Carlos Cid

  8. Polynomial System Solving in Symmetric-Key Cryptanalysis In the context of (symmetric-key) cryptanalysis, solving systems of polynomial equations is typically associated with the technique called Algebraic Attacks . Algebraic Attacks: set up and solve a system of equations arising from a stream cipher or block cipher, to recover the encryption key (or other secret information, eg stream cipher secret state). More generally, Algebraic Cryptanalysis : study algebraic systems to obtain some non-trivial insight into the algorithm. A form of analysis with several attractive features. Algebraic Analysis of AES Carlos Cid

  9. Algebraic Cryptanalysis Two well-defined tasks/challenges for the cryptanalyst: 1 How to construct the system of equations. 2 How to solve the resulting system (or obtain some insight into the cipher). Both areas have attracted much attention of researchers. Algebraic Analysis of AES Carlos Cid

  10. Block Ciphers For m-bit blocks and n-bits keys, we can describe a block cipher as F m × F n F m E : → ( P , K ) �→ C Block cipher encryption gives rise to a natural polynomial system: for known ( P , C ), the encryption C = E ( P , K ) provides at the bit level m equations over n variables (the key bits). furthermore, we can add more equations to our system by using other plaintext-ciphertext pairs. as the encryption operation is by design a complex function, we expect these polynomials to be very dense and of very high degree. This form of attack is obviously impractical, and was never really considered a threat. Algebraic Analysis of AES Carlos Cid

  11. Block Cipher Structure However block ciphers are in practice designed with a very particular structure: most block ciphers present an iterated structure. they are built in blocks, using low-cost simple operations, which are repeated for several rounds. this allows more efficient implementation and better study of the security of the cipher. Algebraic Analysis of AES Carlos Cid

  12. Algebraic Attack against Block Ciphers: second attempt We can consider a different way to generate a system of equations for a block cipher. rather than one very complex equation for each ciphertext bit, we obtain simpler polynomials (low degree and sparse) for the round/layer functions. This approach gives rise to very large systems. we need to add new variables for the intermediate unknown values. encrypting more data does not seem to help (more equations, but more variables). Algebraic Analysis of AES Carlos Cid

  13. Algebraic Attack against AES This approach was proposed in 2003 against the AES (Courtois and Piepryzk), and attracted a lot of attention from the cryptographic community. The system for the AES was presented, together with a dedicated method for solving the system. the AES S-box (the only provider of non-linearity) gives rise to several quadratic equations. instead of y = x 254 , use xy = 1, x 2 y = x and xy 2 = y . it was claimed that this was a particularly bad feature, and the proposed methods could exploit this fact. Algebraic Analysis of AES Carlos Cid

  14. Algebraic Analysis of AES Two tasks: 1 How to construct the system of equations. over GF(2): 8000 equations and 1600 variables. over GF(2 8 ): 8576 equations, 4288 variables (derived from BES). 2 How to solve the resulting system (or obtain some insight into the cipher). XSL (eXtended Sparse Linearisation): based on linearization, but attempting to exploit the sparsity and specific structure of the equation system. Gr¨ obner Basis algorithms, SAT-solvers, etc. Algebraic Analysis of AES Carlos Cid

  15. XSL against AES The claim was that with XSL one could: mount a (at least theoretical) successful attack against the AES with 256-bit keys (using the system over GF(2)); mount a (at least theoretical) successful attack against the AES with 128-bit keys (using the system over GF(2 8 )). This initial work spurred frantic activity (and much speculation) in the area of algebraic cryptanalysis of block ciphers (and AES in particular). Algebraic Analysis of AES Carlos Cid

  16. AES news (Crypto-Gram Newsletter - Sep 15, 2002) AES may have been broken. Serpent, too. Or maybe not. In either case, there’s no need to panic. Yet. But there might be soon. Maybe. ... Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables. ... There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.). ... These are amazing results. ... There was some buzz about the paper in the academic community, but it quickly died down. I believe the problem was that the paper was dense and hard to understand. The attack technique, something called XSL, was brand new. ... In any case, there’s no cause for alarm yet. These attacks can be no more implemented in the field than they can be tested in a lab....There’s so much security margin in these ciphers that the attacks are irrelevant. But there is call for worry. If the attack really works, it can only get better. My fear is that we could see optimizations of the XSL attack breaking AES with a 2 80 -ish complexity, in which case things starts to get dicey about ten years from now... The work is fascinating... ... We’re starting to see the new attack tools that work against some of the AES finalists. It’s an open question as to how long the tools will remain theoretical. But many cryptographers who previously felt good about AES are having second thoughts. Algebraic Analysis of AES Carlos Cid

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reachability Analysis for High-Index Linear Differential Algebraic Equations (DAEs)

Reachability Analysis for High-Index Linear Differential Algebraic Equations (DAEs)

Institute for Software Integrated Systems Vanderbilt University Reachability Analysis for High-Index Linear Differential Algebraic Equations (DAEs) https://github.com/verivital/daev/ 17 th International Conference on Formal Modeling and Analysis

502 views • 33 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
Principal Component Analysis in a Linear Algebraic View by Anna Orosz under the mentorship of

Principal Component Analysis in a Linear Algebraic View by Anna Orosz under the mentorship of

Principal Component Analysis in a Linear Algebraic View by Anna Orosz under the mentorship of Jakob Hansen Directed Reading Program at the University of Pennsylvania April 30th, 2020 Principal Component Analysis as a Transformation invented

455 views • 9 slides
Cyclic pregroups and natural language: a computational algebraic analysis C. Casadio and M.

Cyclic pregroups and natural language: a computational algebraic analysis C. Casadio and M.

Cyclic pregroups and natural language: a computational algebraic analysis C. Casadio and M. Sadrzadeh Dip. Studi Classici, Univ. Gabriele DAnnunzio, Chieti, Italy Dept. of Computer Science, Oxford University, UK CILC - 26-esimo

647 views • 33 slides
Higher-Order Fourier Analysis: Applications to Algebraic Property Testing Yuichi Yoshida

Higher-Order Fourier Analysis: Applications to Algebraic Property Testing Yuichi Yoshida

Higher-Order Fourier Analysis: Applications to Algebraic Property Testing Yuichi Yoshida National Institute of Informatics, and Preferred Infrastructure, Inc October 18, 2014 Yuichi Yoshida (NII and PFI) Applications to algebraic property

600 views • 59 slides
Challenges in Analysis of Algebraic Iterative Solvers Jrg Liesen Technical University of

Challenges in Analysis of Algebraic Iterative Solvers Jrg Liesen Technical University of

Challenges in Analysis of Algebraic Iterative Solvers Jrg Liesen Technical University of Berlin and Zden ek Strako Charles University in Prague and Czech Academy of Sciences http://www.karlin.mff.cuni.cz/strakos Workshop in honor of

571 views • 32 slides
An Algebraic Approach to the Analysis of Constrained Workflow Systems Workshop on Foundations of

An Algebraic Approach to the Analysis of Constrained Workflow Systems Workshop on Foundations of

An Algebraic Approach to the Analysis of Constrained Workflow Systems Workshop on Foundations of Computer Security, 12 July 2004 Jason Crampton Information Security Group, Royal Holloway, University of London What is a workflow system? A

638 views • 25 slides
Introduction to the Summer School Algebra, Algorithms and Algebraic Analysis Viktor Levandovskyy,

Introduction to the Summer School Algebra, Algorithms and Algebraic Analysis Viktor Levandovskyy,

Operator algebras, partial classification More general framework: G -algebras Systems, modules, solutions Introduction to the Summer School Algebra, Algorithms and Algebraic Analysis Viktor Levandovskyy, Daniel Andres Lehrstuhl D f ur

1.09k views • 79 slides
Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with

Algebraic and holomorphic flows in the bi-algebraic context Emmanuel Ullmo, IHES joint work with Andrei Yafaev. Cetraro, July 14, 2017. Hermitian Locally Symmetric Spaces-bi-Algebraic point of view. The following transcendental maps relates

368 views • 21 slides
PMAF : AN ALGEBRAIC FRAMEWORK FOR STATIC ANALYSIS OF PROBABILISTIC PROGRAMS Di Wang 1 , Jan

PMAF : AN ALGEBRAIC FRAMEWORK FOR STATIC ANALYSIS OF PROBABILISTIC PROGRAMS Di Wang 1 , Jan

PMAF : AN ALGEBRAIC FRAMEWORK FOR STATIC ANALYSIS OF PROBABILISTIC PROGRAMS Di Wang 1 , Jan Hoffmann 1 , Thomas Reps 2 1 Carnegie Mellon University 2 University of Wisconsin; GrammaTech, Inc. PROBABILISTIC PROGRAMS Draw random data from

969 views • 79 slides
Algebraic Security Analysis of Key Generation with Physical Unclonable Functions Matthias Hiller 1

Algebraic Security Analysis of Key Generation with Physical Unclonable Functions Matthias Hiller 1

Algebraic Security Analysis of Key Generation with Physical Unclonable Functions Matthias Hiller 1 , Michael Pehl 1 , Gerhard Kramer 2 and Georg Sigl 1,3 1 Chair of Security in Information Technology 2 Chair of Communications Engineering 2

963 views • 19 slides
Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer Science McGill University July 22, 2019 Hamed Hatami (McGill Universities) Higher order Fourier analysis and algebraic property testing July 22,

824 views • 78 slides
Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings

Some Algebraic Structures Here are some algebraic structures we will study this year : Rings Fields Groups Vector Spaces (in more details) Modules Rings Perhaps the most familiar algebraic structure is rings . Rings have two

243 views • 8 slides
What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking

What Does Algebraic Thinking Mean to You? padlet.com/mcanham1/CMC Integrating Algebraic Thinking In Elementary Math: The Power of a Routine Melissa Canham @Melissa_Canham Glenda Martinez @GCMartinez23 Common Components of CGI / CCS-M

962 views • 47 slides
SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a

SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a

ECE 552 Numerical Circuit Analysis Chapter Three SOLUTION OF LINEAR ALGEBRAIC EQUATIONS I. Hajj 2017 Linear Equation Solution Methods Consider a set of n linear algebraic equations Ax = b where A is a real or complex n x n nonsingular matrix.

1.18k views • 96 slides
Properties of Eigenvalues and Eigenvectors Algebraic Multiplicity Defn. The algebraic

Properties of Eigenvalues and Eigenvectors Algebraic Multiplicity Defn. The algebraic

Properties of Eigenvalues and Eigenvectors Algebraic Multiplicity Defn. The algebraic multiplicity of eigen- value is its multiplicity as a root of the charac- teristic polynomial. Fact. The dimension of the eigenspace of is at most its

337 views • 11 slides
Directed flow in heavy-ion collisions as a probe of the first order phase transition Akira Ohnishi

Directed flow in heavy-ion collisions as a probe of the first order phase transition Akira Ohnishi

Directed flow in heavy-ion collisions as a probe of the first order phase transition Akira Ohnishi 1 in collaboration with Yasushi Nara 2,3 , Harri Niemi 4 , Horst Stoecker 3,4,5 1. YITP, Kyoto U., 2. Akita Int. U., 3. FIAS, 4. Frankfurt U., 5.

499 views • 26 slides
FROM ( e + e had ) JK, Steinhauser, Sturm NPB JK, Steinhauser, Teubner PRD l a c

FROM ( e + e had ) JK, Steinhauser, Sturm NPB JK, Steinhauser, Teubner PRD l a c

QUARK MASSES AND s FROM ( e + e had ) JK, Steinhauser, Sturm NPB JK, Steinhauser, Teubner PRD l a c i s t c e i s r o y h e h P T e l l B a c i n t Universit at Karlsruhe (TH) r o a AC i P t a

716 views • 26 slides
Radiative corrections to e + e + Szymon Tracz Institute of Physics,

Radiative corrections to e + e + Szymon Tracz Institute of Physics,

Motivation NLO corrections to pion pair production Results Conclusions and outlook Radiative corrections to e + e + Szymon Tracz Institute of Physics, University of Silesia Katowice June 20, 2018 Szymon Tracz Radiative

401 views • 19 slides
Block Products for Algebras over Countable words and Applications to Logic Saptarshi Sarkar, IIT

Block Products for Algebras over Countable words and Applications to Logic Saptarshi Sarkar, IIT

Block Products for Algebras over Countable words and Applications to Logic Saptarshi Sarkar, IIT Bombay Joint work with: Bharat Adsul, IIT Bombay & A.V. Sreejith, IIT Goa LICS 2019 This talk is in the setting of Countable Linear Orderings

1.37k views • 136 slides
Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis

Robust Evidence Synthesis Ullrika Sahlin Thursday 9.00-12.30 1 Evidence-based Meta-analysis Statistical technique to combine results from multiple independent studies Consider differences in quality in studies Experi Meta-analysis Observ

611 views • 40 slides
Highlights from Highlights from the STAR experiment the STAR experiment Hanna Zbroszczyk for the

Highlights from Highlights from the STAR experiment the STAR experiment Hanna Zbroszczyk for the

Highlights from Highlights from the STAR experiment the STAR experiment Hanna Zbroszczyk for the STAR Collaboration for the STAR Collaboration Faculty of Physics, Warsaw University of Technology supported by National Science Centre, Poland

701 views • 54 slides
What is the Best Way to Towards Selecting the . . . Explicit Solution: . . . Distribute Efforts

What is the Best Way to Towards Selecting the . . . Explicit Solution: . . . Distribute Efforts

Deciding Which . . . How Techniques Are . . . Towards Selecting the . . . What is the Best Way to Towards Selecting the . . . Explicit Solution: . . . Distribute Efforts Among Need to Take . . . Students: Towards Case of Interval . . .

139 views • 13 slides
9 Adverse Selection This is designed for one 75-minute lecture using Games and Information .

9 Adverse Selection This is designed for one 75-minute lecture using Games and Information .

9 Adverse Selection This is designed for one 75-minute lecture using Games and Information . Probably I have more material than I will end up covering. This is just for sections 9.1 and 9.6. October 7, 2006 1 Production Game VI: Adverse

591 views • 21 slides

More recommend