
Automatic Search of Attacks on round-reduced AES and Applications



  1. Automatic Search of Attacks on round-reduced AES and Applications
     Charles Bouillaguet, Patrick Derbez, Pierre-Alain Fouque (ENS, CNRS, INRIA Cascade), August 15, 2011
     Outline: Introduction, Algebraic Structure, Automated Tools, Conclusion

  2. Block-Cipher Cryptanalysis
     The Object: a Block Cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, taking a key and a plaintext to a ciphertext. Often $k = n$, but not always (e.g. AES-256: $n = 128$ and $k = 256$).
     The Subject: an Attacker
     - Objective: recover the secret key (or maybe distinguish from random)
     - Resources:
       - Time: less than $2^k$ encryptions
       - Data: less than $2^n$ plaintext/ciphertext pairs
     Total breaks of widely-used block ciphers are relatively rare (in comparison with hash functions/stream ciphers).

  3. What to do when block ciphers are too strong for us?
     - Solution #1:
       - First weaken it
       - Then break it
     [Figure: iterated block cipher. Plaintext, Rounds keyed by $k_0$, $k_1$, $k_2$, ..., $k_r$, Ciphertext; the round keys are derived from $K$ by the Key Schedule.]

  4. What to do when block ciphers are too strong for us?
     - Solution #1:
       - First weaken it (reduce number of rounds)
       - Then break it
     [Figure: reduced-round block cipher. Plaintext, Rounds keyed by $k_0$, $k_1$, $k_2$, $k_3$, Ciphertext; the round keys are derived from $K$ by the Key Schedule.]

  5. What to do when block ciphers are too strong for us?
     - Solution #2:
       - First we get stronger
       - Then break it

  6. What to do when block ciphers are too strong for us?
     - Solution #2:
       - First we get stronger (chosen ciphertexts)
       - Then break it

  7. What to do when block ciphers are too strong for us?
     - Solution #2:
       - First we get stronger (chosen ciphertexts, related keys, etc.)
       - Then break it

  8. Solution #3: Play Another Game
     In this talk: Low Data Complexity Attacks
     - Has to be faster than exhaustive search
     - Only very few plaintext/ciphertext pairs available
     Why?
     - Rather unexplored territory
     - What is harder in practice?
       - performing $2^{50}$ elementary operations?
       - or acquiring 50 Plaintext/Ciphertext pairs?
     - LDC attacks can sometimes be recycled, and used as sub-components in other attacks
       - e.g. attack on GOST uses a 2-plaintext attack on 8 rounds

  9. Target Block Cipher: the Advanced Encryption Standard
     - Designed by Rijmen and Daemen for the AES competition
     - Selected as the AES in 2001
     - One of the most widely used encryption primitives
     - AES basic structure:
       - Substitution-Permutation network
       - Block size: 16 bytes (128 bits)
       - Key lengths: 128, 192 or 256 bits
       - 10 rounds for the 128-bit version

  10. Description of the AES
     [Figure: one AES round on the 4×4 byte state, bytes numbered 0 to 15 column by column. Operations ARK (with round key $k_i$), SB, SR (ShiftRows) and MC (MixColumns); intermediate states labelled $x_i$, $y_i$, $z_i$, $w_i$.]

  11. Description of the AES
     [Figure: one AES round on the 4×4 byte state, bytes numbered 0 to 15 column by column. Operations ARK (with round key $k_i$), SB, SR (ShiftRows) and MC (MixColumns); intermediate states labelled $x_i$, $y_i$, $z_i$, $w_i$.]
     - Single-key attacks up to:
       - 8 rounds on AES-128
       - 9 rounds on AES-192/256
     - Related-subkey attacks on the full AES-256/AES-192
     - Complexities just slightly less than the natural bounds

  12. Techniques for Low Data Complexity Attacks
     The problem with "usual" attack techniques
     - Statistical attacks (e.g., differential, impossible, linear)
     - "Golden-plaintext" attacks (e.g., reflection, slide)
     They require a (VERY) LARGE QUANTITY of data.
     What's left?
     - Algebraic Attacks/SAT-solvers?
     - Guess-and-Determine attacks
     - Meet-in-the-Middle attacks

  13. Techniques for Low Data Complexity Attacks
     The problem with "usual" attack techniques
     - Statistical attacks (e.g., differential, impossible, linear)
     - "Golden-plaintext" attacks (e.g., reflection, slide)
     They require a (VERY) LARGE QUANTITY of data.
     What's left?
     - Algebraic Attacks/SAT-solvers
     - Guess-and-Determine attacks
     - Meet-in-the-Middle attacks

  14. Meet-in-the-Middle Attacks
     A very bad way to build an AES with 256-bit keys: $E_{k_1,k_2} = \mathrm{AES}_{k_1} \circ \mathrm{AES}_{k_2}$
     [Figure: $P$ → AES (key $k_1$) → $M$ → AES (key $k_2$) → $C$]

  15. Meet-in-the-Middle Attacks
     A very bad way to build an AES with 256-bit keys: $E_{k_1,k_2} = \mathrm{AES}_{k_1} \circ \mathrm{AES}_{k_2}$
     [Figure: $P$ → AES (key $k_1$) → $M$ → AES (key $k_2$) → $C$]
     - For all $k_1$, store $\mathrm{AES}_{k_1}(P) \to k_1$ in a hash table

  16. Meet-in-the-Middle Attacks
     A very bad way to build an AES with 256-bit keys: $E_{k_1,k_2} = \mathrm{AES}_{k_1} \circ \mathrm{AES}_{k_2}$
     [Figure: $P$ → AES (key $k_1$) → $M$ → AES (key $k_2$) → $C$]
     - For all $k_1$, store $\mathrm{AES}_{k_1}(P) \to k_1$ in a hash table
     - For all $k_2$, look up $\mathrm{AES}^{-1}_{k_2}(C)$ in the hash table

  17. Meet-in-the-Middle Attacks
     A very bad way to build an AES with 256-bit keys: $E_{k_1,k_2} = \mathrm{AES}_{k_1} \circ \mathrm{AES}_{k_2}$
     [Figure: $P$ → AES (key $k_1$) → $M$ → AES (key $k_2$) → $C$]
     - For all $k_1$, store $\mathrm{AES}_{k_1}(P) \to k_1$ in a hash table
     - For all $k_2$, look up $\mathrm{AES}^{-1}_{k_2}(C)$ in the hash table
     - We expect ≈ 1 value of $k_1$ per value of $k_2$
     Time complexity ≈ $2^{128}$ encryptions, with 256-bit keys!

  18. Cryptanalytic Tools
     We want to find Guess-and-Determine/Meet-in-the-Middle attacks.
     Problems
     - We are lazy
     - It is delicate and complicated, and nearly made us crazy
     Standard solution: build a tool to do the job for you!
     We are not alone! E.g., tools to find differential paths: DES [Matsui, 93], SHA-1 [De Cannière et al., 06], Grindahl [Peyrin et al., 07], RadioGatún [Fuhr et al., 09], MD4/MD5 [Leurent et al., 07], AES [Biryukov et al., 10], etc.

  19. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Is it a Problem?
     - Concerns about the AES's algebraic simplicity have been expressed several times
     - But so far, no attack directly exploited this property...
     ...Until now

  20. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Round Function
     [Figure: one AES round on the 4×4 byte state, bytes numbered 0 to 15 column by column. Operations ARK (with round key $k_i$), SB, SR (ShiftRows) and MC (MixColumns); intermediate states labelled $x_i$, $y_i$, $z_i$, $w_i$.]
     $$y_i[\ell] = S(x_i[\ell])$$
     $$x_{i+1} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \times \begin{pmatrix} y_i[0] & y_i[4] & y_i[8] & y_i[12] \\ y_i[5] & y_i[9] & y_i[13] & y_i[1] \\ y_i[10] & y_i[14] & y_i[2] & y_i[6] \\ y_i[15] & y_i[3] & y_i[7] & y_i[11] \end{pmatrix} + k_i$$

  21. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)

  22. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$

  23. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$
     - $k_{i+1}[1] = k_i[1] + S(k_i[14])$

  24. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$
     - $k_{i+1}[1] = k_i[1] + S(k_i[14])$
     - $k_{i+1}[2] = k_i[2] + S(k_i[15])$

  25. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$
     - $k_{i+1}[1] = k_i[1] + S(k_i[14])$
     - $k_{i+1}[2] = k_i[2] + S(k_i[15])$
     - $k_{i+1}[3] = k_i[3] + S(k_i[12])$

  26. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$
     - $k_{i+1}[1] = k_i[1] + S(k_i[14])$
     - $k_{i+1}[2] = k_i[2] + S(k_i[15])$
     - $k_{i+1}[3] = k_i[3] + S(k_i[12])$
     - $k_{i+1}[4..7] = k_{i+1}[4..7] + k_i[0..3]$

  27. The AES Has a Clean Description over $\mathbb{F}_{256}$
     Key-Schedule
     [Figure: diagram of the key schedule from $k_i$ to $k_{i+1}$]
     - $k_0 = K$ (the master-key)
     - $k_{i+1}[0] = k_i[0] + S(k_i[13]) + \mathrm{RCON}_i$
     - $k_{i+1}[1] = k_i[1] + S(k_i[14])$
     - $k_{i+1}[2] = k_i[2] + S(k_i[15])$
     - $k_{i+1}[3] = k_i[3] + S(k_i[12])$
     - $k_{i+1}[4..7] = k_{i+1}[4..7] + k_i[0..3]$
     - $k_{i+1}[8..11] = k_{i+1}[8..11] + k_i[4..7]$
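
The byte-wise key-schedule relations of slides 21 to 27, as an added example that is not part of the original slides: the S-box is computed from inversion in $\mathbb{F}_{256}$ plus the affine map, and bytes 4..15 use the FIPS-197 chaining $k_{i+1}[j] = k_{i+1}[j-4] + k_i[j]$. The function names and the convention $\mathrm{RCON}_i = 2^i$ in $\mathbb{F}_{256}$ are assumptions of this example.

```python
# Added example (not from the slides): AES-128 key schedule over F_256.

def gmul(a, b):
    """Multiply in F_256 = F_2[x] / (x^8 + x^4 + x^3 + x + 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a):
    """a^254, which is a^-1 in F_256 (and maps 0 to 0)."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def S(x):
    """AES S-box: field inversion followed by the affine map."""
    b = ginv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

def next_round_key(k, i):
    """k_{i+1} from k_i; bytes are numbered 0..15 column by column."""
    rcon = 1
    for _ in range(i):              # RCON_i = 2^i in F_256 (assumed indexing)
        rcon = gmul(rcon, 2)
    n = [0] * 16
    n[0] = k[0] ^ S(k[13]) ^ rcon   # "+" on the slides is XOR
    n[1] = k[1] ^ S(k[14])
    n[2] = k[2] ^ S(k[15])
    n[3] = k[3] ^ S(k[12])
    for j in range(4, 16):          # FIPS-197 chaining for the other columns
        n[j] = n[j - 4] ^ k[j]
    return n

def expand(key, rounds=10):
    """Return [k_0, ..., k_rounds] for a 16-byte master key."""
    keys = [list(key)]
    for i in range(rounds):
        keys.append(next_round_key(keys[-1], i))
    return keys
```
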
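
The meet-in-the-middle argument of slides 14 to 17, as an added example that is not part of the original slides: it shows why chaining two encryptions under independent keys costs about as much to search as one key. The 16-bit toy Feistel cipher stands in for AES so the search finishes in seconds; the cipher, its constants, the secret keys and the plaintexts are all constructed for illustration.

```python
from collections import defaultdict

ROUNDS = 4          # toy 16-bit Feistel cipher with a 16-bit key (constructed, NOT AES)

def _rk(key, i):    # round key: alternate the two key bytes, mixed with a round constant
    return ((key >> (8 * (i & 1))) & 0xFF) ^ ((i * 0x3B) & 0xFF)

def _f(x):          # 8-bit nonlinear round function
    return ((x * 167 + 13) ^ (x >> 3)) & 0xFF

def enc(key, block):
    l, r = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r ^ _rk(key, i))
    return (l << 8) | r

def dec(key, block):
    l, r = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l ^ _rk(key, i)), l
    return (l << 8) | r

def double_enc(k1, k2, p):          # P --k1--> M --k2--> C, as in the slide figure
    return enc(k2, enc(k1, p))

def mitm(pairs, keybits=16):
    """Return (surviving (k1, k2) pairs, number of middle-value matches)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)       # M = E_k1(P) -> [k1, ...]
    for k1 in range(1 << keybits):
        table[enc(k1, p0)].append(k1)
    found, matches = [], 0
    for k2 in range(1 << keybits):
        for k1 in table.get(dec(k2, c0), ()):   # meet in the middle on M
            matches += 1
            # extra known pairs discard the roughly 2^16 accidental matches
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, matches

# Constructed sample data: three known plaintexts under a secret 32-bit key pair.
SECRET = (0xBEEF, 0x1234)
PAIRS = [(p, double_enc(*SECRET, p)) for p in (0x0000, 0xA5A5, 0x1337)]

if __name__ == "__main__":
    keys, matches = mitm(PAIRS)
    print(f"{matches} middle matches, surviving key pairs: {keys}")
```

The search performs 2 × 2^16 single-cipher operations plus filtering, instead of the 2^32 trials a brute-force search over both keys would need.
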
