Attacks against Filter Generators Exploiting Monomial Mappings (slide deck)


  1. Attacks against Filter Generators Exploiting Monomial Mappings. Anne Canteaut & Yann Rotella, GT BaC, 20 October 2017, Inria - SECRET, Paris, France

  2. Summary: Introduction (stream ciphers); Linear Feedback Shift Registers; Monomial equivalence between filtered LFSRs; Univariate correlation attacks; Impact on Boolean functions; Conclusions

  4. Stream ciphers

  5. Stream ciphers: symmetric cryptography, ≠ block ciphers; based on the Vernam cipher (one-time pad); a PRNG. [Figure: PRNG(key, IV) → keystream $s_t$; plaintext ⊕ keystream → ciphertext]

  6. Stream ciphers: block cipher modes of operation (OFB, counter); specific designs (LFSR, NLFSR); internal state; large period; examples: A5/1, A5/2, SNOW. Interests: small latency; no padding; no error propagation; cheap.

  8. Generic attacks. [Figure: key → Φ → initial state X → f → keystream $s_t$] Key recovery; initial state recovery; next-bit prediction; distinguishing $s_t$ from a random sequence. Always take an internal state twice as big as the security level (i.e. the key size).

  13. LFSR

  14. Linear feedback shift register (LFSR). Definition (Fibonacci representation): [Figure: cells $s_{t+n-1}, s_{t+n-2}, \dots, s_{t+1}, s_t$; the cell contents are fed back through the taps $c_1, c_2, \dots, c_{n-1}, c_n$ into the new cell]. Definition (Galois representation): [Figure: cells $s_{t+n-1}, s_{t+n-2}, \dots, s_{t+1}, s_t$; the output is fed into the cells through the taps $c_n, c_{n-1}, c_{n-2}, \dots, c_1$].

  16. Classical properties of LFSRs: nice statistical properties; linear: $s_{t+n} = \sum_{i=1}^{n} c_i s_{t+n-i}$ for all $t \ge 0$; $P(X) = 1 - \sum_{i=1}^{n} c_i X^i$; $P^*(X) = X^n P(1/X)$; we will take $P$ primitive.

  17. Filtered LFSR. [Figure: key → Φ → initial state X of the LFSR; the LFSR is filtered by f to give $s_t$] $s_t = f(u_{t+\gamma_1}, \dots, u_{t+\gamma_n})$. Algebraic normal form: $f(x_1, x_2, \dots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u \prod_{i=1}^{n} x_i^{u_i} = a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_3 x_1 x_2 + \cdots + a_{2^n-1} x_1 \cdots x_n$.

  19. Monomial equivalence

  20. LFSR over a finite field: $\alpha$ is a root of the primitive characteristic polynomial in $\mathbb{F}_{2^n}$; identify the $n$-bit words with elements of $\mathbb{F}_{2^n}$ through the dual basis of $\{1, \alpha, \alpha^2, \dots, \alpha^{n-1}\}$. [Figure: Fibonacci register with cells $s_{t+n-1}, \dots, s_t$ and taps $c_1, \dots, c_n$] Proposition: the state of the LFSR at time $t+1$ is the state of the LFSR at time $t$ multiplied by $\alpha$. For all $t$, $X_t = X_0 \alpha^t$.
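An added example (my code, not the authors') of the register of slides 14-16 and of the field view of slides 20-21, in Python: the Fibonacci form is clocked with the recurrence $s_{t+n} = \sum_i c_i s_{t+n-i}$, the Galois form is clocked by multiplying the $n$-bit state word by $\alpha$ in $\mathbb{F}_2[X]/(P^*(X))$, and the two are shown to produce the same bit sequence with period $2^n - 1$. The polynomial $P(X) = 1 + X + X^4$ (so $P^*(X) = X^4 + X^3 + 1$) and the seeds are constructed for the example.

```python
from functools import reduce
from operator import xor

N = 4
TAPS = [1, 0, 0, 1]      # c_1..c_n of P(X) = 1 + c_1 X + ... + c_n X^n = 1 + X + X^4 (constructed)
CHARPOLY = 0b11001       # P*(X) = X^n P(1/X) = X^4 + X^3 + 1; alpha is a root of P*


def fibonacci_lfsr(seed, taps, length):
    """Fibonacci form: s_{t+n} = sum_{i=1}^{n} c_i s_{t+n-i}, seeded with s_0 .. s_{n-1}."""
    s = list(seed)
    n = len(taps)
    while len(s) < length:
        s.append(reduce(xor, (taps[i - 1] & s[-i] for i in range(1, n + 1))))
    return s[:length]


def times_alpha(word, charpoly=CHARPOLY, n=N):
    """One clock of the Galois register: multiply the state word by alpha,
    i.e. shift left and reduce modulo P*(X) when the degree reaches n."""
    word <<= 1
    if word >> n & 1:
        word ^= charpoly
    return word


def galois_lfsr(state, length, charpoly=CHARPOLY, n=N):
    """Galois form: output one coordinate (bit 0) of the state word X_t = X_0 alpha^t."""
    out = []
    for _ in range(length):
        out.append(state & 1)
        state = times_alpha(state, charpoly, n)
    return out


def period(state, charpoly=CHARPOLY, n=N):
    """Clocks until the state word comes back: 2^n - 1 for every non-zero state when P is primitive."""
    word, t = times_alpha(state, charpoly, n), 1
    while word != state:
        word, t = times_alpha(word, charpoly, n), t + 1
    return t


def same_sequence(x0, length=40):
    """Any coordinate of X_0 alpha^t satisfies the recurrence of P*, so the Fibonacci
    register seeded with the first n Galois output bits reproduces the whole run."""
    g = galois_lfsr(x0, length)
    return g == fibonacci_lfsr(g[:N], TAPS, length)


if __name__ == "__main__":
    print(galois_lfsr(0b0001, 15), period(0b0001), same_sequence(0b0110))
```

The recurrence used by `fibonacci_lfsr` is $s_{t+4} = s_{t+3} + s_t$, which is exactly $\alpha^4 = \alpha^3 + 1$ read off `CHARPOLY`; that is why the bit-0 coordinate of the Galois state satisfies it.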

  22. Boolean functions. Proposition (univariate representation): $F(X) = \sum_{i=0}^{2^n-1} A_i X^i$ with $A_i \in \mathbb{F}_{2^n}$ given by the discrete Fourier transform of $F$. For all $t$, $s_t = F(X_0 \alpha^t)$.

  24. Monomial equivalence [Rønjom-Cid 2010]. [Figure: two generators of size $n$: $(P, \alpha)$ with initial state $X_0$ filtered by $F$ gives $s_t$; $(Q, \beta)$ with initial state $Y_0$ filtered by $G$ gives $s'_t$] $\beta = \alpha^k$ with $\gcd(k, 2^n-1) = 1$. For all $t$, $s_t = F(X_0 \alpha^t)$ and $s'_t = G(Y_0 \beta^t) = G(Y_0 \alpha^{kt})$. If $G(x) = F(x^r)$ with $rk \equiv 1 \bmod (2^n-1)$, then $s'_t = F(Y_0^r \alpha^t)$. For all $t$, $s'_t = s_t$ if $Y_0 = X_0^k$.

  29. Example: $F(x) = \mathrm{Tr}(x^r)$ with $\gcd(r, 2^n-1) = 1$. Let $k$ be such that $rk \equiv 1 \bmod (2^n-1)$. [Figure: $(P, \alpha)$ of size $n$ filtered by $\mathrm{Tr}(x^r)$ and the plain LFSR $(Q, \beta = \alpha^k)$ of size $n$ produce the same $s_t$] ⟹ the initial generator is equivalent to a plain LFSR of the same size.

  30. Consequence: the security level of a filtered LFSR is the minimal security level of a generator in its equivalence class. Attacks considered: algebraic attacks; correlation attacks.

  32. Algebraic attacks. $\Lambda$: linear complexity. Proposition (Massey-Serconek 94): let an LFSR of size $n$ be filtered by a Boolean function $F$ with $F(X) = \sum_{i=0}^{2^n-1} A_i X^i$. Then $\Lambda = \#\{0 \le i \le 2^n-2 : A_i \ne 0\}$. The monomial equivalence does not affect the complexity of algebraic attacks [Gong et al. 11].
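An added example, not from the slides, that works slides 24-29 (monomial equivalence) and 32-33 (linear complexity) over $\mathbb{F}_{2^4}$ in Python. The filtering function `F` is constructed; the univariate representation is computed as the discrete Fourier transform on $\mathbb{F}_{2^n}^*$, which gives the $2^n - 1$ coefficients $B_i$ with $F(x) = \sum_{i=0}^{2^n-2} B_i x^i$ for non-zero $x$, and the Massey-Serconek count of non-zero coefficients is checked against Berlekamp-Massey run on the keystream. The equivalent generator $G(x) = F(x^r)$, $Y_0 = X_0^k$, $\beta = \alpha^k$ produces the same keystream and has the same count, and the slide-29 case $\mathrm{Tr}(x^r)$ comes out with linear complexity $n$.

```python
from math import gcd

N = 4                    # LFSR size n
Q = 1 << N               # |F_{2^n}|
ORDER = Q - 1            # multiplicative order of alpha
POLY = 0b10011           # X^4 + X + 1, primitive; alpha = X is a root (constructed choice)

# exp/log tables: POWS[j] is alpha^j as an n-bit word in the polynomial basis
POWS = [1]
for _ in range(ORDER - 1):
    v = POWS[-1] << 1
    POWS.append(v ^ POLY if v & Q else v)
LOG = {v: j for j, v in enumerate(POWS)}


def mul(a, b):
    return 0 if a == 0 or b == 0 else POWS[(LOG[a] + LOG[b]) % ORDER]


def power(a, e):
    return 0 if a == 0 else POWS[(LOG[a] * e) % ORDER]


def trace(a):
    t = 0                            # Tr(a) = a + a^2 + ... + a^(2^(n-1)), always 0 or 1
    for i in range(N):
        t ^= power(a, 1 << i)
    return t


def F(x):
    # constructed non-linear filtering function on F_{2^n}
    return trace(power(x, 3)) ^ (trace(x) & trace(power(x, 7)))


def keystream(func, x0, alpha, length):
    # s_t = func(X_0 alpha^t): the state word is multiplied by alpha at each clock
    out, x = [], x0
    for _ in range(length):
        out.append(func(x))
        x = mul(x, alpha)
    return out


def univariate_coeffs(func):
    # DFT on F_{2^n}^*: B_i = sum_{x != 0} func(x) x^{-i}, so func(x) = sum_i B_i x^i for x != 0
    coeffs = []
    for i in range(ORDER):
        acc = 0
        for j in range(ORDER):       # x = alpha^j, x^{-i} = alpha^{-ij}
            if func(POWS[j]):
                acc ^= POWS[(-i * j) % ORDER]
        coeffs.append(acc)
    return coeffs


def evaluate(coeffs, x):
    acc = 0
    for i, b in enumerate(coeffs):
        acc ^= mul(b, power(x, i))
    return acc


def berlekamp_massey(bits):
    # linear complexity of a binary sequence; c is the current connection polynomial
    c, b, L, m = [1], [1], 0, -1
    for n_, bit in enumerate(bits):
        d = bit
        for i in range(1, L + 1):
            d ^= c[i] & bits[n_ - i]
        if d:
            old_c, shift = c[:], n_ - m
            c += [0] * max(0, len(b) + shift - len(c))
            for i, coef in enumerate(b):
                c[i + shift] ^= coef
            if 2 * L <= n_:
                L, m, b = n_ + 1 - L, n_, old_c
                c += [0] * max(0, L + 1 - len(c))
    return L


def linear_complexities(func, x0):
    # (Massey-Serconek count of non-zero coefficients, Berlekamp-Massey on 2(2^n - 1) keystream bits)
    count = sum(1 for coef in univariate_coeffs(func) if coef)
    return count, berlekamp_massey(keystream(func, x0, POWS[1], 2 * ORDER))


def monomial_equivalent(func, x0, k):
    # Rønjom-Cid: beta = alpha^k, G(x) = func(x^r) with rk = 1 mod (2^n - 1), Y_0 = X_0^k
    if gcd(k, ORDER) != 1:
        raise ValueError("k must be coprime to 2^n - 1")
    r = pow(k, -1, ORDER)
    return (lambda y: func(power(y, r))), power(x0, k), POWS[k % ORDER]


if __name__ == "__main__":
    x0, k = 0b0110, 7
    G, y0, beta = monomial_equivalent(F, x0, k)
    print(keystream(F, x0, POWS[1], ORDER) == keystream(G, y0, beta, ORDER))
    print(linear_complexities(F, x0), linear_complexities(G, y0))
```

Because $i \mapsto ir \bmod (2^n-1)$ permutes the exponents when $\gcd(r, 2^n-1) = 1$, `univariate_coeffs(G)` is a permutation of `univariate_coeffs(F)` and the two counts agree, which is the invariance the slide attributes to [Gong et al. 11].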

  34. Univariate correlation attacks

  35. Correlation attack [Siegenthaler 85]. [Figure: LFSR$_1$, LFSR$_2$, …, LFSR$_{k-1}$, LFSR$_k$ combined by $f$ give $s_t$; the output $\sigma_t$ of a single LFSR$_i$ is compared with $s_t$]

  36. Criterion: the criterion associated with the correlation attack is resiliency.

  37. Fast correlation attack [Meier-Staffelbach 88]. [Figure: the LFSR $(P, \alpha)$ with initial state $X_0$ filtered by $\mathrm{Tr}(Ax)$ gives $\sigma_t$; the same LFSR filtered by $F$ gives $s_t$; compare $\sigma_t$ with $s_t$]

  38. Criterion: the criterion associated with the fast correlation attack is the non-linearity.

  39. Generalized fast correlation attacks: $G(x) = \mathrm{Tr}(Ax^k)$. [Figure: the LFSR $(P, \alpha)$ with initial state $X_0$ filtered by $G$, equivalently the LFSR $(P, \alpha^k)$ with initial state $X_0^k$ filtered by $\mathrm{Tr}(Ax)$, gives $\sigma_t$; compare $\sigma_t$ with $s_t$ produced by $(P, \alpha)$, $X_0$ and $F$]

  40. Generalized non-linearity [Gong & Youssef 01]. Relevant security criterion: generalized non-linearity $\mathrm{GNL}(f) = d\left(f, \{\mathrm{Tr}(\lambda x^k) : \lambda \in \mathbb{F}_{2^n}, \gcd(k, 2^n-1) = 1\}\right)$. And if $k$ is not coprime to $2^n - 1$?

  42. A more efficient correlation attack. When $\gcd(k, 2^n-1) > 1$ and $F$ is correlated to $G(X) = H(X^k)$: [Figure: the LFSR $(P, \alpha)$ with initial state $X_0$ filtered by $G$, equivalently the LFSR $(P, \alpha^k)$ with initial state $X_0^k$ filtered by $H$, gives $\sigma_t$; compare $\sigma_t$ with $s_t$ produced by $(P, \alpha)$, $X_0$ and $F$] Number of states of the small generator: $\tau_k = \mathrm{ord}(\alpha^k)$. Exhaustive search on $X_0^k$: $\mathrm{Time} = \dfrac{\tau_k \log(\tau_k)}{\varepsilon^2}$.

  45. Recovering the remaining bits of the initial state. Property: we get $\log_2(\tau_k)$ bits of information on $X_0$, where $\tau_k = \mathrm{ord}(\alpha^k)$. If we perform two distinct correlation attacks with $k_1$ and $k_2$, then we get $\log_2(\mathrm{lcm}(\tau_{k_1}, \tau_{k_2}))$ bits of information.

  47. First improvement: the complexity $\mathrm{Time} = \dfrac{\tau_k \log(\tau_k)}{\varepsilon^2}$ can be reduced to $\mathrm{Time} = \tau_k \log \tau_k + \dfrac{2 \log(\tau_k)}{\varepsilon^2}$ with a fast Fourier transform [Canteaut-Naya-Plasencia 2012].

  48. Second improvement: $G(X) = H(X^k)$ when $H$ is linear. [Figure: the LFSR $(P, \alpha)$ with initial state $X_0$ filtered by $G$, equivalently the LFSR $(P, \alpha^k)$ with initial state $X_0^k$, gives $\sigma_t$; compare $\sigma_t$ with $s_t$ produced by $(P, \alpha)$, $X_0$ and $F$] Size of the small LFSR: $L(k) = \mathrm{ord}(2) \bmod \tau_k$, the multiplicative order of $2$ modulo $\tau_k$. If $L(k) < n$ and $H$ is linear → fast correlation attack.

  49. What we really do: split the state over the multiplicative subgroups; recover the information independently; gather the information.
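An added example, not from the talk, of the attack of slides 42-46 and 49 over $\mathbb{F}_{2^4}$, where $2^n - 1 = 15 = 3 \cdot 5$, in Python. The filter `F` and the small functions `H3`, `H5` are constructed so that `F` is correlated to $H_3(x^3)$ ($\gcd(3, 15) = 3$, $\tau_3 = 5$) and to $H_5(x^5)$ ($\gcd(5, 15) = 5$, $\tau_5 = 3$). Each subgroup attack is the plain exhaustive search of slide 44 over the $\tau_k$ candidates for $X_0^k$ (no FFT), recovering $\log_2 \tau_k$ bits of $X_0$; the two results are then gathered, as in slide 49, into $\log_2 \mathrm{lcm}(5, 3) = \log_2 15$ bits, i.e. $X_0$ itself.

```python
from math import gcd, log2

N, Q = 4, 16
ORDER, POLY = 15, 0b10011             # alpha is a root of X^4 + X + 1, of order 2^n - 1 = 15 (constructed)
POWS = [1]                            # POWS[j] = alpha^j as a 4-bit word
for _ in range(ORDER - 1):
    v = POWS[-1] << 1
    POWS.append(v ^ POLY if v & Q else v)
LOG = {v: j for j, v in enumerate(POWS)}


def power(a, e):                      # a is never 0 here (X_0 != 0)
    return POWS[(LOG[a] * e) % ORDER]


def H3(y):                            # Boolean function on <alpha^3>, the subgroup of order tau_3 = 5
    return 1 if y == 1 else 0


def H5(y):                            # Boolean function on <alpha^5>, the subgroup of order tau_5 = 3
    return 1 if y == POWS[5] else 0


def F(x):
    # constructed filter: correlated to G(x) = H3(x^3) and to G(x) = H5(x^5)
    return H3(power(x, 3)) ^ H5(power(x, 5))


def keystream(x0, length):
    return [F(POWS[(LOG[x0] + t) % ORDER]) for t in range(length)]   # s_t = F(X_0 alpha^t)


def correlation(a, b):
    # epsilon = (#agreements - #disagreements) / length
    return sum(1 if u == v else -1 for u, v in zip(a, b)) / len(a)


def subgroup_attack(s, k, H):
    # Exhaustive search on X_0^k: it lies in <alpha^k>, which has tau_k = ord(alpha^k) elements,
    # and sigma_t = H(X_0^k alpha^{kt}) is the output of that small generator.
    tau = ORDER // gcd(k, ORDER)
    best = None
    for z in range(tau):
        candidate = POWS[(z * k) % ORDER]                                   # alpha^{zk}
        sigma = [H(POWS[(z * k + k * t) % ORDER]) for t in range(len(s))]
        c = abs(correlation(s, sigma))
        if best is None or c > best[1]:
            best = (candidate, c)
    return best[0], best[1], tau        # (recovered X_0^k, its correlation, tau_k)


def recover_initial_state(s):
    # Split: one attack per multiplicative subgroup, each giving log2(tau_k) bits of X_0.
    z3, _, tau3 = subgroup_attack(s, 3, H3)     # X_0^3 fixes log(X_0) mod 5
    z5, _, tau5 = subgroup_attack(s, 5, H5)     # X_0^5 fixes log(X_0) mod 3
    # Gather: the two residues fix log(X_0) mod lcm(tau3, tau5) = 15, i.e. X_0 itself.
    bits = log2(tau3 * tau5 // gcd(tau3, tau5))
    sols = [j for j in range(ORDER)
            if (3 * j) % ORDER == LOG[z3] and (5 * j) % ORDER == LOG[z5]]
    return (POWS[sols[0]] if len(sols) == 1 else None), bits


if __name__ == "__main__":
    x0 = POWS[11]
    s = keystream(x0, 2 * ORDER)
    print(subgroup_attack(s, 3, H3), subgroup_attack(s, 5, H5))
    print(recover_initial_state(s) == (x0, log2(15)))
```

Over two full periods the right candidate for $k = 3$ shows correlation $1/3$ against $1/15$ for the four wrong ones, and for $k = 5$ it shows $3/5$ against $1/5$; with only $\tau_k$ candidates per subgroup the search touches $5 + 3$ states instead of the $15$ a search on $X_0$ would need.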

  50. Impact on Boolean functions

  51. New criterion. Definition (multiplicative subgroup resiliency?): let $F$ be a Boolean function in $n$ variables, let $k$ divide $2^n-1$, let $\tau$ be the multiplicative order of $\alpha^k$ and $d = \gcd(k, \tau)$. We say that $F$ is $k$-MS resilient if and only if $\max_{G(x) = H(x^k)} \varepsilon(F(x), G(x)) = \dfrac{\tau}{d}\, 2^{-n}$. Question: is it possible to reach the value $\tau/d$ for every possible $\tau$?

  52. When $H$ is linear. Question: what is the value of $\min_f \max_{G(x) = \mathrm{Tr}(\lambda x^k)} \varepsilon(F(x), G(x))$?

  53. Conclusions
