automatic cryptanalysis of block ciphers with cp
play

Automatic Cryptanalysis of Block Ciphers with CP A case study: - PowerPoint PPT Presentation

Nov 08, 2023 •185 likes •455 views

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

  1. Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siwei Sun, Qianqian Yang, Yosuke Todo, Kexin Qiao, Lei Hu Summer school on Real Wolrd Crypto David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 1 / 21

  2. Block Ciphers K Hi Sibenik E X C Keyed permutation E : { 0 , 1 } K × { 0 , 1 } P → { 0 , 1 } P . Generally simple function iterated n times. Expected Property Indistinguishable from a random permutation if K is unknown David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 2 / 21

  3. Attacking a block cipher Chosen f K plaintext X Oracle C ? f = E or random permutation π ? Distinguishing from π ≡ recovering K The attacker can encrypt messages of his choice and tries to recover the hidden key K . David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 3 / 21

  4. Related Key Model Chosen f K ⊕ δ K plaintext X Oracle C The attacker choses δ K (but K remains hidden) Allowed by certain protocol/real life applications A block cipher should be secure in the related key model The best published attacks against AES are related key David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 4 / 21

  5. Related Key Attack f K X C δ C ? X ′ = f K ⊕ δ K C ′ X ⊕ δ X Distribution of δ C for chosen δ X , δ K and random X and K ... If f = π ? If f = E ? David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 5 / 21

  6. Related Key Attack f K X C δ C ? X ′ = f K ⊕ δ K C ′ X ⊕ δ X Distribution of δ C for chosen δ X , δ K and random X and K ... If f = π ? Uniform If f = E ? Not uniform! Distinguishing attack The attacker requires many encryptions with input difference δ X , δ K and observes whether there is a bias in the distribution of δ C David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 5 / 21

  7. Differential characteristics The higher the bias Pr [( δ X , δ K ) → δ C ] , the better the attack! δ K δ C δ X SB SR MC ARK 0 δ e δ f δ a δ b δ c δ d Differential characteristics ( i.e. propagation patterns ( δ X , δ K ) → δ C ) with optimal probability are needed, but difficult to find! Fix δ X , δ K Apply known propagation rules to obtain the most likely δ C David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 6 / 21

  8. We did it! With CP CONVERT TO MODEL PROBLEM CSP FEED TO A SOVER ONE SOLUTION SOLVER ALL SOLUTIONS OPTIMAL SOLUTION Holy Grail “Constraint programming represents one of the closest approaches computer science has yet made to the holy grail of programming: the user states the problem, the computer solves it.” (E. Freuder) David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 7 / 21

  9. CSP Variables Define variables on given domains [23..42] x bool y array [1..N,1..M] of floats δ . . . Constraints Define relations between these variables as constraints x + y < 5 sum ( AllVariables ) = 10 Table: list of allowed tuples ( a , b , c ) ∈ { (2 , 3 , 4) , (1 , 7 , 2) } Objective function (optional) Define an objective function to optimize Maximize(Sum( δ )) Feed it to the solver, and let the magic happen... David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 8 / 21

  10. Why another automatic tool? Other automatic tools exist SAT Mixed Integer Linear Programming (MILP) . . . Question: Why yet another one? David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 9 / 21

  11. Why another automatic tool? Other automatic tools exist SAT Boolean variables Mixed Integer Linear Programming (MILP) Linear inequalities . . . Question: Why yet another one? Response: Generalization! CP No limitations on variables nor constraints Uses algorithms from the other methods There exist tools translating from CP to the others David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 9 / 21

  12. Related Work & Contributions: AES Standard since 2000 Problem Finding optimal RK differential characteristics on AES-128, AES-192 and AES-256 Previous work Biryukov et al., 2010 : Branch & Bound → Several hours (AES-128), several weeks (AES-192) Fouque et al., 2013 : Graph traversal → 30 minutes, 60 Gb memory, 12 cores (AES-128) David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 10 / 21

  13. Related Work & Contributions: AES Standard since 2000 Problem Finding optimal RK differential characteristics on AES-128, AES-192 and AES-256 Previous work Biryukov et al., 2010 : Branch & Bound → Several hours (AES-128), several weeks (AES-192) Fouque et al., 2013 : Graph traversal → 30 minutes, 60 Gb memory, 12 cores (AES-128) Our results 25 minutes (AES-128), 24 hours (AES-192), 30 minutes (AES-256) New (better) differential characteristics on all versions Disproved incorrect one found in previous work David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 10 / 21

  14. Related Work & Contributions: Midori Lightweigh block cipher, 2015 Problem Finding optimal RK differential characteristics on Midori-64 and Midori-128 Previous work Midori-64: Dong, 2016 : Custom algorithm → 14 rounds (out of 16), 2 116 operations Midori-128: Not done David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 11 / 21

  15. Related Work & Contributions: Midori Lightweigh block cipher, 2015 Problem Finding optimal RK differential characteristics on Midori-64 and Midori-128 Previous work Midori-64: Dong, 2016 : Custom algorithm → 14 rounds (out of 16), 2 116 operations Midori-128: Not done Our results (Indocrypt 2016) Few hours Full round for both versions Practical attacks: Midori-64: 2 35 Midori-128: 2 43 David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 11 / 21

  16. Other directions: FSE2017 Problem Searching for integral, zero-correlation linear, and impossible differential distinguisher on various block ciphers Results PRESENT, HIGHT, SKINNY Reproduced results from the litterature New distinguisher on SKINNY David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 12 / 21

  17. Conclusion and future challenges CP is readable and easy to use It is less error prone than custom code It performs better than other approaches It generalizes MILP and SAT Use CP! David Gerault (LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siw Automatic Cryptanalysis of Block Ciphers with CP Summer school on Real Wolrd Crypto 13 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics

Intro Attack on iterated ciphers Differential cryptanalysis Linear cryptanalysis Block Ciphers - The Basics Lars R. Knudsen Spring 2011 L.R. Knudsen Block Ciphers - The Basics Intro Attack on iterated ciphers Differential cryptanalysis

1.27k views • 77 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases

Introduction Equations Solvers Advanced Techniques Algebraic Techniques in Cryptanalysis of Block Ciphers with a bias towards Gr obner bases Martin R. Albrecht Team SALSA, UPMC, Paris 6, . . . June 2nd, 2011 @ ECrypt 2 PhD Summer school,

1.09k views • 46 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I &amp; II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
CP Violation in Bs Oscillations at ATLAS,CMS and Tevatron in B s J/ James Walder

CP Violation in Bs Oscillations at ATLAS,CMS and Tevatron in B s J/ James Walder

CP Violation in Bs Oscillations at ATLAS,CMS and Tevatron in B s J/ James Walder Lancaster University On behalf of the ATLAS, CDF, CMS and D0 Collaborations Outline Introduction B s J/ overview of analyses from:

437 views • 39 slides
High precision polarimetry Sources with stable linear and circular polarization in the GHz regime

High precision polarimetry Sources with stable linear and circular polarization in the GHz regime

High precision polarimetry Sources with stable linear and circular polarization in the GHz regime Ioannis Myserlis, E. Angelakis &amp; J. A. Zensus Max Planck Institute fr Radioastronomie I. Myserlis, E. Angelakis, A. Kraus, C. Liontas, N.

307 views • 11 slides
Probing heavy neutrino oscillation and associated CP violation at future hadron colliders

Probing heavy neutrino oscillation and associated CP violation at future hadron colliders

Probing heavy neutrino oscillation and associated CP violation at future hadron colliders Yongchao Zhang ( [ ) Washington University in St. Louis July 26, 2019 Flasy 2019, Hefei based on P. S. B. Dev, R. N. Mohapatra &amp; YCZ,

491 views • 26 slides
Constraint Solving via Fractional Edge Covers D aniel Marx Joint work with Martin Grohe

Constraint Solving via Fractional Edge Covers D aniel Marx Joint work with Martin Grohe

Constraint Solving via Fractional Edge Covers D aniel Marx Joint work with Martin Grohe Humboldt-Universit at zu Berlin Institut f ur Informatik MathCSP Workshop March 22, 2006, Oxford Constraint Solving via Fractional Edge Covers

963 views • 48 slides
A CP violatjon measurement of B s mesons at ATLAS and the LHC Adam Barton ATLAS Collaboration

A CP violatjon measurement of B s mesons at ATLAS and the LHC Adam Barton ATLAS Collaboration

A CP violatjon measurement of B s mesons at ATLAS and the LHC Adam Barton ATLAS Collaboration The LHC The large hadron collider is the world's largest and highest energy synchrotron collider in the world. It is built and run by CERN (the

564 views • 38 slides
Motivations Numerous CP modeling languages and platforms have been developed (OPL, SICStus

Motivations Numerous CP modeling languages and platforms have been developed (OPL, SICStus

On T esting C onstraint P rograms Nadjib LAZAAR* , Arnaud GOTLIEB*, Yahia LEBBAH** *INRIA Rennes Bretagne Atlantique ** Universit d'Oran Es-Senia CP2010 St -Andrews, Scotland 08 september 1 /21 Motivations Numerous CP modeling

1.09k views • 75 slides
An Emergent Solution to the Strong CP Problem (with Dark Matter!) Tim M.P . Tait University

An Emergent Solution to the Strong CP Problem (with Dark Matter!) Tim M.P . Tait University

An Emergent Solution to the Strong CP Problem (with Dark Matter!) Tim M.P . Tait University of California, Irvine Villa Gioello In collaboration with: August 28, 2019 Jason Arakawa &amp; Arvind Rajaraman arXiv:1905.08820 Could Dark

333 views • 12 slides
Using noncommutative polynomial optimization for matrix factorization ranks Sander Gribling

Using noncommutative polynomial optimization for matrix factorization ranks Sander Gribling

Using noncommutative polynomial optimization for matrix factorization ranks Sander Gribling (CWI/QuSoft) David de Laat (CWI/QuSoft) Monique Laurent (CWI/Tilburg/QuSoft) SIAM Conference on Optimization, 25 May 2017, Vancouver Symmetric matrix

1.08k views • 93 slides

More recommend