
Algebraic Aspects of Symmetric-key Cryptography – Carlos Cid (PowerPoint presentation)



1. Algebraic Aspects of Symmetric-key Cryptography
   Carlos Cid (carlos.cid@rhul.ac.uk)
   Information Security Group, Royal Holloway, University of London
   04.May.2007, ECRYPT Summer School

2. Algebraic Techniques in Cryptanalysis
   - Algebra is the default tool in the analysis of asymmetric cryptosystems (RSA, ECC, lattice-based, HFE, etc.).
   - For symmetric cryptography (block and stream ciphers, hash functions), the most commonly used techniques are statistical in nature:
     - Block ciphers: in linear and differential cryptanalysis (and variants), the attacker attempts to construct statistical patterns through many interactions with the cipher.
     - Stream ciphers: linear/differential, correlation attacks, distinguishing attacks, etc.
     - Hash functions: differential attacks, etc.

3. Algebraic Techniques in Cryptanalysis
   - However, there has recently been an increase in interest in the use of algebraic techniques in the analysis of symmetric cryptosystems:
     - the choice of Rijndael as the AES (Rijndael has a rich algebraic structure);
     - cipher representations (dual ciphers, embeddings);
     - the proposal of algebraic attacks against stream ciphers (and block ciphers);
     - parallel developments in asymmetric cryptography (multivariate cryptosystems: HFE, sFLASH, etc.).
   - This presentation gives an overview of the algebraic cryptanalysis of block and stream ciphers (background and possible future directions…).

4. Algebraic Attacks against Block Ciphers
   - Algebraic (rather than statistical) in nature: they exploit the intrinsic algebraic structure of the algorithm.
   - The idea: a polynomial description of block ciphers. In theory, most block ciphers afford a polynomial representation of the encryption.
   - Early attempts to analyse ciphers with a somewhat simple algebraic structure date back to the early/mid 1990s.
   - Interpolation attack: proposed by Jakobsen and Knudsen in 1996.

5. Interpolation Attacks
   - Suppose a cipher can be expressed by a polynomial whose total degree is not too large.
   - Using n known plaintext/ciphertext pairs (x_i, y_i), one can construct an algorithm equivalent to the cipher (using the Lagrange interpolation formula).
   - The polynomial f(x) coincides with the encryption: f(x_i) = y_i.
   - Representing a cipher as a polynomial may allow encryption/decryption without knowledge of the key.

6. Interpolation Attacks
   - However, for most ciphers the degree of such a polynomial is just too high (too many unknown coefficients), perhaps approaching or exceeding the size of the codebook. Thus this should not offer any cryptanalytic benefit.
   - However, it was applied against (a variant of) SHARK (SBox(x) = x^-1).
   - Yet the proposal of interpolation attacks ultimately shows some of the dangers of using operations with a very simple algebraic structure as components of an iterated cipher, even if these components are extremely good against conventional cryptanalysis, e.g. differential and linear cryptanalysis.
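The attack of slides 5 and 6, worked through on a toy cipher. This is an added example and is not code from Cid's slides: the cipher E(x) = (x ⊕ k0)^3 ⊕ k1 over GF(2^8), the key values, and the choice of the AES field polynomial are all constructed for illustration. The encryption polynomial has degree 3, so four known plaintext/ciphertext pairs suffice to interpolate it, after which every plaintext can be encrypted without k0 or k1.

```python
"""Interpolation attack on a toy cipher over GF(2^8).

Added example, not from Cid's slides.  The cipher, the key and the field
polynomial are all constructed here for illustration.
"""

MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial (any irreducible degree-8 polynomial would do)


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) represented as integers 0..255."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r


def gf_pow(a, e):
    """a^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse: a^254 = a^-1 for a != 0 (Fermat in GF(2^8))."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, 254)


# Polynomials over GF(2^8) are lists of coefficients, index = degree.
def poly_add(p, q):
    n = max(len(p), len(q))
    p, q = p + [0] * (n - len(p)), q + [0] * (n - len(q))
    return [a ^ b for a, b in zip(p, q)]


def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r


def poly_eval(p, x):
    """Horner evaluation of p at x."""
    r = 0
    for c in reversed(p):
        r = gf_mul(r, x) ^ c
    return r


def lagrange(points):
    """Coefficients of the unique polynomial of degree < len(points) through the
    given (x_i, y_i): f(x) = sum_i y_i * prod_{j != i} (x - x_j)/(x_i - x_j).
    In characteristic 2 subtraction is XOR, so (x - x_j) is the list [x_j, 1]."""
    f = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [xj, 1])
                denom = gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        f = poly_add(f, [gf_mul(c, scale) for c in basis])
    return f


def toy_encrypt(x, k0, k1):
    """Constructed toy cipher: key whitening, a cube map, key whitening.
    As a polynomial in x it is x^3 + k0 x^2 + k0^2 x + (k0^3 + k1): degree 3."""
    return gf_pow(x ^ k0, 3) ^ k1


def interpolation_attack(known_pairs):
    """Slide 5: with deg(f) + 1 known pairs, recover f itself and return an
    encryption oracle that never sees the key."""
    f = lagrange(known_pairs)
    return f, (lambda x: poly_eval(f, x))


def demo(k0=0x3C, k1=0xA7):
    """Four known pairs suffice for the degree-3 toy cipher; check against all 256 plaintexts."""
    known = [(x, toy_encrypt(x, k0, k1)) for x in (1, 2, 3, 4)]
    f, encrypt_without_key = interpolation_attack(known)
    ok = all(encrypt_without_key(x) == toy_encrypt(x, k0, k1) for x in range(256))
    return f, ok


if __name__ == "__main__":
    f, ok = demo()
    print("recovered coefficients (low degree first):", [hex(c) for c in f])
    print("matches the keyed cipher on the whole codebook:", ok)
```

Two things worth noticing when running it. First, for this toy the coefficient of x^2 is k0 itself, so interpolation also leaks key material; that is a property of the constructed cipher, not of interpolation in general. Second, replace the cube by the inversion S-box x^-1 = x^254 of slide 6 and the degree becomes 254, so 255 pairs are needed: essentially the whole codebook, which is exactly why the attack is harmless against most ciphers and only bites when the overall degree stays low.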

7. Algebraic Attacks against Block Ciphers
   - An alternative, perhaps more promising, approach is to express the encryption operation as a system of polynomial equations.
   - While in theory most modern block ciphers can be fully described by a system of multivariate polynomials over a finite field, in the majority of cases such systems prove to be just too complex for any practical purpose.
   - Yet there are a number of ciphers that present a highly algebraic structure, and could therefore be more vulnerable to algebraic attacks (e.g. the AES).

8. Algebraic Attacks against Block Ciphers
   - "Algebraic attack": typically refers to the technique of expressing the whole cryptosystem as a large system of multivariate polynomial equations.
   - In principle applicable to both block ciphers and stream ciphers.
   - Two steps:
     - obtain a representation of the cipher as a system of equations;
     - consider methods for solving the system.

9. Polynomial System from Block Ciphers
   - Linear equations from the diffusion layer and key addition.
   - Non-linear equations from the substitution layer.
   - Key schedule equations.
   - Field equations.

10. Polynomial System from Block Ciphers
   - For the non-linear equations, we distinguish two cases:
     - explicit equations: equations of the form y_i = f_i(x_0, x_1, …, x_{n-1});
     - implicit equations: equations of the form g(x_0, …, x_{n-1}; y_0, …, y_{m-1}) = 0.
   - One may consider algebraic attacks when these equations have small degree.

11. Polynomial System from Block Ciphers
   - When mounting an algebraic attack, for each non-linear component of the cipher one attempts to obtain as many low-degree, linearly independent equations as possible.
   - The more relations, the better: it is well known that overdefined systems are generally easier to solve.

12. Polynomial System from Block Ciphers
   - Field equations:
     - We are only interested in the solutions in the ground field (e.g. GF(2) or GF(2^8)).
     - However, the method of solution may yield solutions in the algebraic closure.
     - So we also add to the system the so-called field equations x^q – x = 0 for all variables in the system (over GF(q)). This ensures that all solutions found are in GF(q).
     - Also, in the computation of the solution (say of its Groebner basis), all monomials are reduced by x_i^q – x_i.
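As an added illustration (not from the slides) of the explicit/implicit distinction of slide 10 and of the field equations above, take the inversion S-box S(x) = x^{-1} (with S(0) = 0) over GF(2^n), the component mentioned on slide 6, written in the coordinates of a polynomial basis 1, α, …, α^{n-1}. Let x = Σ_i x_i α^i and y = Σ_j y_j α^j with x_i, y_j ∈ GF(2), and write [z]_k for the k-th coordinate of z. The explicit form is

$$ y = x^{2^n - 2}, \qquad\text{i.e. } y_k = f_k(x_0, \dots, x_{n-1}) \text{ of algebraic degree } n - 1 \text{ (the Hamming weight of } 2^n - 2\text{)}. $$

Since squaring is GF(2)-linear, x^2 = Σ_i x_i α^{2i}, and the identities x^2 y = x and x y^2 = y hold for every x (including x = 0, unlike xy = 1). Reading off the k-th coordinate of each gives

$$ \sum_{i,j} [\alpha^{2i+j}]_k \, x_i y_j + x_k = 0, \qquad \sum_{i,j} [\alpha^{i+2j}]_k \, x_i y_j + y_k = 0, \qquad k = 0, \dots, n-1, $$

which are 2n implicit equations of degree 2 in the bits, to be taken together with the field equations x_i^2 + x_i = 0 and y_j^2 + y_j = 0. The field equations both restrict the solutions to GF(2) and let every x_i^2 be replaced by x_i when the system is reduced, so no monomial ever needs an exponent above 1.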

13. Algebraic Attacks against Block Ciphers
   - In its general form, an algebraic attack is mounted by expressing the full cipher operation as a system of low-degree multivariate equations, involving the (known) plaintext and ciphertext values, the secret key and a large number of intermediate variables arising in the cipher operation. The field equations are often also included.
   - This results in very, very large systems (typically over GF(2)).
   - The attack usually requires only a single plaintext/ciphertext pair.
   - Solution = key recovery!!
   - Efficient algorithms for solving algebraic systems are the essential ingredients of algebraic attacks, and have recently started receiving special attention from the cryptographic community.

14. Methods of Solution of Polynomial Systems
   - Solving multivariate polynomial systems is a typical problem studied in algebraic geometry and computational algebra.
   - Computer algebra has recently become an important tool in cryptography.
   - Methods (used in cryptology):
     - linearisation principle;
     - XL and variants;
     - Groebner basis algorithms (Buchberger, F4, F5).

15. Solution of Polynomial Systems – The Problem
   - Let k be a field, f_1, …, f_m be polynomials in n variables with coefficients in k, and K an algebraic extension of k.
   - The problem is: find (x_1, …, x_n) ∈ K^n such that f_i(x_1, …, x_n) = 0 for all i.
   - This problem is often studied in the context of abstract algebra: let I ⊆ k[X_1, …, X_n] be the ideal generated by f_1, …, f_m, and V(I) = { (x_1, …, x_n) ∈ K^n : f_i(x_1, …, x_n) = 0 for all i } the variety over K associated to I. The problem is then to find V(I).

16. Linearisation
   - The method of linearisation is a well-known technique for solving large systems of multivariate polynomial equations: consider all monomials in the system as independent variables and solve the system using linear algebra techniques (i.e. Gaussian reduction).

17. Linearisation
   - The effectiveness of the method clearly depends on the number of linearly independent polynomials in the system.
   - In the case of Boolean functions, the total number of monomials of degree ≤ d in n variables is the sum of the binomial coefficients C(n, i) for i = 0, …, d, so N = O(n^d) for fixed d.
   - Complexity: O(N^3), where N is the size of the linearised matrix M (i.e. O(n^{3d})). In fact we may theoretically write O(N^ω), where ω ≈ 2 + ε, if the matrix is sparse.

18. Linearisation
   - Linearisation has been considered in the cryptanalysis of some LFSR-based stream ciphers.
   - Each new bit of the keystream gives rise to a new equation in the key bits, and by using a large number of keystream bits one should in theory have enough equations to apply linearisation directly.
   - Note however that the problem of estimating the rank of the linearised system is very difficult.

19. Linearisation
   - In order to apply the linearisation method, the number of linearly independent (LI) equations in the system needs to be approximately the same as the number of monomials in the system.
   - When this is not the case, a number of techniques have been proposed that attempt to generate enough LI equations. The most prominent is the XL algorithm.

20. XL (eXtended Linearisation) – Courtois, Klimov, Patarin, Shamir, 2000
   - The XL algorithm aims at introducing new rows to the matrix M by multiplying the original equations by monomials of prescribed degree (i.e. deg(X^β f_j) ≤ D, where D is the parameter of the algorithm).
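Linearisation (slides 16 to 19) and the XL step of slide 20, worked through on a small system over GF(2). This is an added example, not code from the slides: the five equations in three variables and their unique solution (1, 0, 1) are constructed so that plain linearisation has too few linearly independent rows and pins down only one variable, while XL, which multiplies each f_j by every monomial X^β with deg(X^β f_j) ≤ D, adds enough rows to determine all of them. The set-of-monomials representation and the function names are this example's own.

```python
"""Linearisation and XL over GF(2) on a small constructed system.

Added example, not from Cid's slides.  Representation (this example's own):
a polynomial is a frozenset of monomials and a monomial is a frozenset of
variable indices.  Adding is symmetric difference (1 + 1 = 0), and because
{i} | {i} == {i} the field equations x_i^2 = x_i are applied automatically.
"""
from itertools import combinations, product


def poly(*monos):
    """Polynomial from monomials given as tuples of variable indices; () is the constant 1."""
    return frozenset(frozenset(m) for m in monos)


def mul_mono(p, m):
    """p times the monomial m; terms that become equal cancel in pairs."""
    r = set()
    for t in p:
        r ^= {t | m}
    return frozenset(r)


def evaluate(f, x):
    """f at the point x (tuple of 0/1 values), as 0 or 1."""
    return sum(all(x[i] for i in t) for t in f) % 2


def monomials(nvars, max_deg):
    """The linearised unknowns: every monomial of degree 1..max_deg, degree 1 first."""
    return [frozenset(c) for d in range(1, max_deg + 1)
            for c in combinations(range(nvars), d)]


def xl_extend(system, nvars, D):
    """Slide 20: multiply every f_j by all monomials X^b with deg(X^b f_j) <= D."""
    eqs = set()
    for f in system:
        deg_f = max(len(t) for t in f)
        if deg_f > D:
            raise ValueError("D must be at least the degree of the system")
        for m in [frozenset()] + monomials(nvars, D - deg_f):
            eqs.add(mul_mono(f, m))
    eqs.discard(frozenset())  # the zero polynomial says nothing
    return eqs


def gauss_jordan(eqs, cols):
    """Slide 16: treat each monomial in cols as an independent unknown and fully
    reduce the linear system over GF(2).  Rows are [bitmask over cols, rhs]."""
    idx = {m: i for i, m in enumerate(cols)}
    rows = []
    for f in eqs:
        mask, rhs = 0, 0
        for t in f:
            if t:
                mask |= 1 << idx[t]
            else:
                rhs ^= 1  # the constant term moves to the right-hand side
        rows.append([mask, rhs])
    rank = 0
    for c in range(len(cols)):
        bit = 1 << c
        p = next((i for i in range(rank, len(rows)) if rows[i][0] & bit), None)
        if p is None:
            continue  # no pivot: this monomial stays a free unknown
        rows[rank], rows[p] = rows[p], rows[rank]
        for i, row in enumerate(rows):
            if i != rank and row[0] & bit:
                row[0] ^= rows[rank][0]
                row[1] ^= rows[rank][1]
        rank += 1
    return rows, rank


def solve(system, nvars, D=None):
    """D=None: plain linearisation of the system as given.  Otherwise XL-extend
    to degree D first.  Returns (variables the reduced system fixes, rank, #unknowns)."""
    if D is None:
        D = max(len(t) for f in system for t in f)
        eqs = set(system)
    else:
        eqs = xl_extend(system, nvars, D)
    cols = monomials(nvars, D)
    rows, rank = gauss_jordan(eqs, cols)
    if any(mask == 0 and rhs == 1 for mask, rhs in rows):
        raise ValueError("inconsistent system: 0 = 1")
    values = {}
    for mask, rhs in rows:
        if mask and mask & (mask - 1) == 0:  # the row mentions exactly one unknown
            mono = cols[mask.bit_length() - 1]
            if len(mono) == 1:  # ... and it is a variable, not a product
                values[next(iter(mono))] = rhs
    return values, rank, len(cols)


def brute_force(system, nvars):
    """Exhaustive check, for comparison on tiny systems."""
    return [x for x in product((0, 1), repeat=nvars)
            if all(evaluate(f, x) == 0 for f in system)]


# Constructed system in x0, x1, x2 with the single solution (1, 0, 1):
SYSTEM = [
    poly((0, 1), (2,), ()),        # x0 x1 + x2 + 1 = 0
    poly((0, 2), (1,), (2,)),      # x0 x2 + x1 + x2 = 0
    poly((1, 2), (0,), ()),        # x1 x2 + x0 + 1 = 0
    poly((0,), (1,), (2,)),        # x0 + x1 + x2 = 0
    poly((0, 1), (1,), (2,), ()),  # x0 x1 + x1 + x2 + 1 = 0
]

if __name__ == "__main__":
    print("true solutions:", brute_force(SYSTEM, 3))
    for D in (None, 2, 3):
        values, rank, n = solve(SYSTEM, 3, D)
        print(f"D={D}: rank {rank} of {n} unknowns, variables fixed: {values}")
```

Plain linearisation sees 5 rows for the 6 unknowns x0, x1, x2, x0x1, x0x2, x1x2 (rank 5) and the reduced system fixes only x1 = 0, leaving a one-parameter family of "solutions" in which the products are not products of the variables. XL with D = 2 adds the three rows x_i · (x0 + x1 + x2), the rank rises to 6 and every variable is fixed; D = 3 does the same with 7 unknowns. This is the mechanism of slides 19 and 20 in miniature: the difficulty in practice is that the number of new rows that are actually independent is hard to predict (slide 18), which is why the rank of the linearised matrix, not its row count, decides whether the attack works.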
