basic idea guess and determine
play

Basic Idea Guess And Determine Determine partial internal state by - PowerPoint PPT Presentation

Jan 27, 2024 •176 likes •634 views

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India {

  1. Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ Dhiman Saha Sourya Kakarla Srinath Mandava Dipanwita Roy Chowdhury Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India { dhimans,skakarla,smandava,drc } @cse.iitkgp.ernet.in SPACE 2016 Hyderabad, India

  2. Basic Idea Guess And Determine Determine partial internal state by guessing Use this to reduce state space of some other part ◮ Exploits limited diffusion ◮ Build upon guessing strategy to mount key-recovery or forgery ◮ Our motivation: Use this strategy on Authenticated Encryption Schemes ◮ Demonstrated by Boura et al. in FSE 2016 on π − cipher We look at CAESAR submission PAEQ

  3. Authenticated Encryption Confidentiality + Authenticity Two at the cost of One!

  4. Preliminaries Authenticated Encryption ◮ Conventionally, ◮ Encryption scheme → confidentiality ◮ Message Authentication Code (MAC) → authentication and message integrity Authenticated Cipher Tries to merge both these primitives preferably at the cost of one. ◮ Many attempts to build AE schemes ◮ Serious attacks on OpenSSL and TLS exploiting AE!!! ◮ Lack of proper understanding of the problem ◮ Inspired CAESAR competition

  5. Preliminaries CAESAR CAESAR Competition for Authenticated Encryption: Security, Applicability, and Robustness ◮ A multi-year competition announced in 2014 ◮ Select final portfolio of AE schemes ◮ Possible standardization ◮ Benchmark: AES-GCM ◮ 57 accepted submissions ◮ Round 2 → 30 Candidates ◮ Round 3 → 15 Candidates (On-going) PAEQ was a Round 2 candidate at the time of this work

  6. PAEQ Bio PAEQ ↔ Parallelizable Authenticated Encryption based on Quadrupled AES ◮ Introduced by Biryukov and Khovratovich in ISC 2014 ◮ Along with a new generic mode of operation PPAE ◮ Parallelizable Permutation-based Authenticated Encryption ◮ And an AES based permutation AESQ ◮ Security level up to 128 bits & higher, equal to the key length ◮ Third-party Cryptanalysis ◮ Fault Attack - Saha and Roy Chowdhury (CHES 2016) ◮ Rebound attack - Bagheri et al. (ACISP 2016)

  7. Different PAEQ variants PAEQ | Key | | Nonce | | Tag | Security Extra Features 64 64 64 64-bit paeq-64 Primary paeq-80 80 80 80 80-bit sets paeq-128 128 96 128 128-bit Quick 64 64 512 64-bit paeq-64-t Tag Update Nonce-misuse + 64 128 512 64-bit paeq-64-tnm Tag Update Quick Secondary paeq-128-t 128 128 512 128-bit Tag Update sets Nonce-misuse + 128 256 512 128-bit paeq-128-tnm Tag Update 192 128 128 128-bit paeq-192 160 128 160 160-bit paeq-160 256 128 128 128-bit paeq-256

  8. PAEQ Focus of Current Attack PAEQ | Key | | Nonce | | Tag | Security Extra Features 64 64 64 64-bit paeq-64 Primary 80 80 80 80-bit paeq-80 sets PAEQ 128 96 128 128-bit paeq-128 Quick 64 64 512 64-bit paeq-64-t Tag Update paeq-64 Nonce-misuse + 64 128 512 64-bit paeq-64-tnm Tag Update paeq-80 Quick Secondary 128 128 512 128-bit paeq-128-t Tag Update paeq-128 sets Nonce-misuse + 128 256 512 128-bit paeq-128-tnm Tag Update 192 128 128 128-bit paeq-192 paeq-64-t 160 128 160 160-bit paeq-160 256 128 128 128-bit paeq-256

  9. AESQ The Internal Permutation ◮ Internal state size of 512 bits ◮ Comprises of 4 sub-states of 128 bits each ◮ Sub-states correspond to AES state matrix

  10. Inside AESQ SB SRMC SB SRMC SB SRMC SB SRMC ◮ Composition of 20 round 1 2 3 4 functions SB SRMC SB SRMC SB SRMC SB SRMC 5 6 7 8 ◮ Shuffle operation after every 2 rounds ◮ Basically a Column permutation SB SRMC SB SRMC SB SRMC SB SRMC 9 10 11 12 SB SRMC SB SRMC SB SRMC SB SRMC 13 14 15 16 ◮ Round function almost similar to AES ◮ SubBytes ◮ ShiftRows ◮ MixColumns ◮ AddRoundConstants 4 Rounds of AESQ Fig. Source: PAEQ submission document

  11. PAEQ Encryption

  12. PAEQ Authentication

  13. PAEQ Handling Associated Data

  14. PAEQ Final Tag Generation

  15. PAEQ Focus of This Work

  16. PAEQ Encryption ( i th Branch) Input/Output of f ◮ Look at input of permutation ◮ 3 out of 4 inputs known ◮ Also P i ⊕ C i gives partial output of f Note: We have to deal with partially specified states Our Intuition Can we guess part of f output to recover the internal state?

  17. Handling Partial States Byte-Entropy Notion of Byte-Entropy ( E ) The number of unknown bytes in the state/sub-state ◮ Byte-Entropy ◮ Unchanged under SubBytes ( β ), ShiftRows ( ρ ), AddRoundConstants ( α ) ◮ Might increase under Mixcolumns ( µ )

  18. Some Observations on PAEQ

  19. Observation 1 Look at first two rounds of AESQ

  20. Observation 1 Limited Key Diffusion ◮ Recall: Round function works on individual substates ◮ Propagate permutation inputs forward for 2 Rounds ◮ Key diffusion limited to fourth substate

  21. Observation 2 How far can we go forward from the input?

  22. Propagate forward input of i th branch Observation 2

  23. Observation 2 Apply Shuffle

  24. Observation 2 Apply SubBytes, ShiftRows

  25. Observation 2 Three-Fourth Rule Three-Fourth Rule Three-fourth of every column known before Mix-Columns of Round 3

  26. Observation 3 How far can one invert if one of the substates is known?

  27. Observation 3 Propagate Backward Assumption Attacker has knowledge of single substate after R n

  28. Observation 3 Invert R n , R n − 1 Assumption Attacker has knowledge of single substate after R n

  29. Observation 3 Apply Inverse Shuffle Assumption Attacker has knowledge of single substate after R n

  30. Observation 3 Invert R n − 2 and α n − 3 Assumption Attacker has knowledge of single substate after R n

  31. Observation 3 One-Fourth Inversion Implication Using one substate one can invert up to the state after R n − 3 Mix-Columns One-Fourth Inversion One-Fourth of every column known after inversion

  32. Meet-in-the-middle When do Observations 2 and 3 converge?

  33. Meet-in-the-middle Theorem (Meet-in-the-middle) For n = 6 , the Three-fourth Rule and One-Fourth Inversion strategy converge at the input and output of µ 3 respectively which results in a unique solution for input of µ 3 . ◮ Main result used in all attacks here

  34. Gain − (G)uess (A)nd (In)vert Key Recovery Attacks

  35. Gain Primary Aim How can we make the assumption in One-Fourth Inversion true from the observable part of output? ◮ Recall: At least one substate in output of Round 6 must be known/determined Strategy ◮ Identify which bytes to guess ◮ Combine Guess-and-Invert steps

  36. Note What Attacker Actually Observes

  37. 6 - Round Attack Just Guess and Invert

  38. Guess and Invert Gain - 6 Rounds ◮ Guess substate with minimum Byte-Entropy ◮ Invert and apply MITM Theorem ◮ Recover internal state = ⇒ Key Recovery ◮ Complexity?

  39. 7 - Round Attack Invert last round first

  40. Invert-Guess-Invert Gain - 7 Rounds ◮ Invert last round first ◮ Note: Uniform Byte-Entropy for each PAEQ variant ◮ Next apply 6 round attack ◮ Complexity?

  41. 8 - Round Attack Guess, invert and repeat

  42. Guess-Invert-Guess-Invert Gain - 8 Rounds ◮ Note: Last Shuffle has to be dropped for this to work ◮ Guess first then invert ◮ We get same Byte-Entropy for all PAEQ variants ◮ Next apply 6 round attack ◮ Complexity?

  43. Complexities Gain Gain Complexities PAEQ Variant Security Level 6-Rounds 7-Rounds 8-Rounds 2 24 2 48 64-bit 1 paeq-64 2 16 2 32 2 48 80-bit paeq-80 2 32 2 40 2 48 128-bit paeq-128

  44. Epilogue Gain ◮ Made some interesting observations on PAEQ ◮ Developed a meet-in-the-middle scenario using them ◮ Devised guess-and-determine strategies to satisfy the scenario ◮ Got Key-Recovery for up to 8 out of 20 rounds ◮ Practical complexities ◮ Current strategy cannot be extended beyond 8 rounds ◮ No other key-recovery attacks known News: 15th Aug 2016 PAEQ did not make it to Round 3!!!

  45. Thanks! Queries crypto@dhimans.in

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1

Computational Complexity Lecture 9 Alternation (Continued) 1 ATM Guess 0 Guess 1 Guess 0 Guess 1 Guess 0 Guess 1 2 ATM Alternating Turing Machine Guess 0 Guess 1 Guess 0 Guess 1

1.35k views • 120 slides
Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine Cryptographic Attacks Artem Pavlenko, Maxim Buzdalov, Vladimir Ulyantsev GECCO 2019, July 16 Symmetric cryptography Alice wants to send a secret

715 views • 44 slides
by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc(

by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc(

Deriving Generic Functions by Example (+10 years) Neil Mitchell http://ndmitchell.com Guess the function Input: aBc( (cBa bCd) ABC( aaBBcc(( ac Basic idea f :: A B I pick: a A You pick f, give me b (where b

318 views • 27 slides
CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get!

CS70: Lecture 33. Lets Guess! Dollar or not with equal probability? Guess how much you get! Guess a 1/2! The expected value. Win X, 100 times. How much will you win the 101st. Guess average! Lets Guess! How much does random person

410 views • 27 slides
INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE

MATHEMATICAL PERSEVERANCE: INSTILLING A DESIRE TO STRUGGLE IN PROBLEM SOLVING CAN YOU GUESS THE RULE? CAN YOU GUESS THE RULE? 4, 6, 8 10, 12, 14 Guess the rule that applies to both sequences OR You can guess a set of three numbers you

544 views • 25 slides
Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320

Financial Literacy CFA Society of Buffalo Introduction 1 Guess ss their net worth: $320 Million Guess ss their net worth: $440 Million Guess ss their net worth: $3.2 Billion https://www.youtube.com/watch?v=ib-0_N9G0Lo Guess ss their

1.71k views • 145 slides
Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling

Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling

Lei Zhao F&ES Yale University Outline Basic Idea Algorithm Results: modeling vs. observation Discussion Basic Idea Surface Energy Balance Equation Diagnostic form: Heat capacity of ground zero ; ground heat

581 views • 57 slides
Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial

Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial

Local search Han Hoogeveen April 28, 2015 Basic recipe Initialisation 0. Determine initial solution x Iteration 1. Determine neighbor y of x by changing x a little 2. Decide to reject or accept y as your current solution 3. Go to Step 1,

505 views • 23 slides
Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner? HOSPITALITY Jesus the Lover and Host Passover The Lords Supper (Eucharist) The Marriage Feast of the Lamb Jesus the Stranger and Guest

274 views • 10 slides
Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is

Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is

Top-down Definite Clause Proof Procedure Idea: search backward from a query to determine if it is a logical consequence of KB . An answer clause is of the form: yes a 1 a 2 . . . a m The SLD Resolution of this answer clause on atom

389 views • 7 slides
Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical

Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical

Top-down Ground Proof Procedure Idea: search backward from a query to determine if it is a logical consequence of KB . An answer clause is of the form: yes a 1 a 2 . . . a m The SLD Resolution of this answer clause on atom a i with

291 views • 7 slides
Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location

Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location

Extending Place Lab to 3-D Tyler Robison Alan Liu Basic concept Want to determine location inside a building Sample applications: Position-aware reminders Location-aware buddy list Guidance for the cognitively impaired

501 views • 13 slides
Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h)

Chapter 6: Numerical Methods 6.1 Euler Method Basic Idea y ODE: y = f ( t, y ) y(t+h) truncation Assume y ( t ) is known error y ap (t+h) For small h approximate tangent line y ( t + h ) y ( t ) y(t) y ( t ) h

246 views • 6 slides
Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the

Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the

Freelisting Eliciting the members of a domain Free Listing Basic idea: Tell me all the <category name> you can think of Typically loosely timed, no questions allowed An example of Spradleys grand tour question

269 views • 24 slides
The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea

The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea

The Radiative Return at - and B -Meson Factories J.H. K UHN, TTP, KARLSRUHE I Basic Idea II Monte Carlo Generators: Status & Perspectives III Charge Asymmetry and Radiative -Decays IV Nucleon Form Factors at B-Factories Pion

594 views • 32 slides
Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and

Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and

Zero, and some other infinitesimal levels of a cohesive topos M. Menni Conicet and Universidad Nacional de La Plata 1/29 A quotation The basic idea is simply to identify dimensions with levels and then try to determine what the

1.3k views • 90 slides
Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud

Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud

Invertible Residual Networks Jens Behrmann * Will Grathwohl* Ricky T. Q. Chen David Duvenaud Jrn-Henrik Jacobsen* (*equal contribution) What are Invertible Neural Networks? Non-invertible Invertible Invertible Neural Networks (INNs) are

330 views • 30 slides
Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne Networ orks David Rolnick and

Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne Networ orks David Rolnick and

Re Reverse-Eng Engine neeri ring ng De Deep Re ReLU Ne Networ orks David Rolnick and Konrad Krding University of Pennsylvania International Conference on Machine Learning (ICML) 2020 Reverse-engineering a neural network Problem:

315 views • 20 slides
Matrix Mechanism and Data Dependent algorithms CompSci 590.03

Matrix Mechanism and Data Dependent algorithms CompSci 590.03

Matrix Mechanism and Data Dependent algorithms CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 9 : 590.03 Fall 16 1 Recap: Constrained Inference

834 views • 34 slides
1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A

Statistical Modeling and Analysis of Neural Data (NEU 560) Princeton University, Spring 2018 Jonathan Pillow Lecture 2 notes: SVD 1 Singular Value Decomposition The singular vector decomposition allows us to write any matrix A as A = USV ,

157 views • 4 slides
A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria

A comparison of pairing-friendly curves at the 192-bit security level Aurore Guillevic Inria Nancy, Caramba team 17/04/2019 WRACH workshop, Roscoff Joint work with Shashank Singh, IISER Bhopal, India 1/43 Plan Introduction: Discrete

924 views • 64 slides
Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log

Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log

Lecture 7 Spring 2020 Shafi Goldwasser Today: Search for one-way functions 1. Discrete Log Problems in Cyclic Groups 2. Elliptic Logs over Elliptic Curves Recall: One Way Function easy x f(x) hard on average Definition: f: {0,1}*

468 views • 46 slides
Deep Generative models for Inverse Problems Alex Dimakis joint work with Ashish Bora, Dave Van

Deep Generative models for Inverse Problems Alex Dimakis joint work with Ashish Bora, Dave Van

Deep Generative models for Inverse Problems Alex Dimakis joint work with Ashish Bora, Dave Van Veen and Ajil Jalal, Sriram Vishwanath and Eric Price, UT Austin Outline Generative Models Using generative models for Inverse

1.17k views • 101 slides
Path-based Inductive Synthesis for Program Inversion Saurabh Srivastava (a) Sumit Gulwani (b)

Path-based Inductive Synthesis for Program Inversion Saurabh Srivastava (a) Sumit Gulwani (b)

Path-based Inductive Synthesis for Program Inversion Saurabh Srivastava (a) Sumit Gulwani (b) Swarat Chaudhuri (c) Jeffrey S. Foster (d) (a) University of California, Berkeley (b) Microsoft Research, Redmond (c) Rice University (d) University of

1.24k views • 58 slides

More recommend