better than brute force
play

Better than Brute-Force Optimized Hardware Architecture for - PowerPoint PPT Presentation

Jan 07, 2024 •245 likes •467 views

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

  1. Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, *** DTU, Denmark

  2. Overview • Meet-in-the-Middle with Bicliques • Low Data Complexity Biclique Cryptanalysis of AES-128 • Optimized Brute Force Attack on AES-128 – on FPGA – on ASIC • Biclique Attack on AES-128 – on FPGA – on ASIC • Conclusion

  3. MITM with Bicliques plaintexts {P} ciphertexts {C} K 2 K K 1 K 2 m all key bits encryption oracle • Allow all key bits affect a part of the cipher • Stick to a structure to enable efficient enumeration of keys and states in this part • Structure = biclique!

  4. MITM with Bicliques

  5. Low Data Complexity Biclique Cryptanalysis of AES-128 • Start modifications in the first round of AES-128 • Divide entire space of 2 128 keys into of 2 124 non-overlapping groups of 2 4 keys • Fix a base key and enumerate all other keys in the key group x = (x 0 x 1 x 2 x 3 x 4 x 5 00) 2 a = (000000a 1 a 0 ) 2 y = (y 0 y 1 y 2 y 3 y 4 y 5 00) 2 b = (000000b 1 b 0 ) 2 • Modify base key at two byte positions independently (in 2 2 ways each) • Follow propagation of modifications forwards and backwards

  6. Low Data Complexity Biclique Cryptanalysis of AES-128

  7. Low Data Complexity Biclique Cryptanalysis of AES-128 Recomputation at matching

  8. Low Data Complexity Biclique Cryptanalysis of AES-128 Complexities: • Computational complexity to precompute all states S a and S b in each key group: 0.3 AES-128 runs (first step). • About 7.12 AES-128 runs to test all 16 keys in the key group (second step). • Negligible computation complexity (2 -32 ) for false positives • Overall computation complexity: 2 124 (0.3 + 7.12) = 2 126.89 AES executions. • Data complexity: Only 16 chosen plaintexts!!

  9. Implementation • FPGA target platform: RIVYERA Computing Cluster � 128 Xilinx Spartan3 XC3S500 high performance FPGAs � Equivalent computing power of 640 million system gates • ASIC target technology: NANGATE � 45 nm Generic Library

  10. Optimized Brute-Force Attack on AES-128 Key Gen Fixed Output Plaintext • Highly pipelined architecture for Round-1 highest possible speed (11-stage K 1 S 1 pipeline within each AES round) Round-2 K 2 S 2 • Composite field inverters over ORACLE GF((2 2 ) 2 ) 2 for s-boxes K 8 S 8 Round-9 • Register based (RAMless) design K 9 S 9 Round-10 – suitable for both FPGA and S 10 ASIC implementation Byte Match = FF ?

  11. Optimized Brute-Force Attack on AES-128 Key Gen Fixed Output Plaintext • Design implemented in two favors: Round-1 K 1 S 1 � All identical rounds (for a fair Round-2 comparison with respect to the K 2 S 2 ORACLE original biclique advantage figures) K 8 S 8 � Partial matching in the last three Round-9 rounds (for better area utilization – K 9 S 9 Round-10 makes no difference for FPGA) S 10 • Smaller and faster than the Byte Match reported fastest design (362 KGE vs 660 KGE and 2.5 GHz vs 2 GHz ) = FF ?

  12. Optimized Brute-Force Attack on AES-128 * Pipeline register cost negligible for FPGA implementation – already part of the slice!

  13. Optimized Brute-Force Attack on AES-128 GF(2 2 ) 2 [7:4] [7:4] Multiplier Input GF(2 2 ) 2 GF(2 2 ) 2 [3:0] Multiplier Inverter Output GF(2 2 ) 2 GF(2 2 ) 2 [3:0] Multiplier Multiplier P

  14. Optimized Brute-Force Attack on AES-128 FPGA Performance Slice % FPGA Maximum Freq Keys tested/sec/FPGA Utilization Utilization (MHz) 526 x 10 6 26949 / 33278 80.98 263.16 ASIC Performance Maximum Freq Average Power Core Area (GE) Keys tested/mW (MHz) (mW) 3.98 x 10 6 362181 2480 622.937

  15. Biclique Attack on AES-128 Plaintext + Key MixColumns Starting Point: Conceptual design S • One-to-one maps theory to implementation Key Key State State RAM(s) RAM(s) RAM(s) RAM(s) 0 1 0 1 • Based on precomputation of all K 3 S 3 Round-4 base and biclique states K 4 S 4 Round-5 Plaintext Regular • Not feasible for hardware (Full) K 5 S 5 Memory Rounds Round-6 K 6 S 6 implementation ORACLE Round-7 K 7 S 7 � Requires too many RAMs Round-8 K 8 S 8 � Interconnection and control logic Partial Round-9 Rounds K 9 S 9 too complex to allow an area and Round-10 speed efficient design S 10 Match

  16. Biclique Attack on AES-128 Key Ptxt Gen New Approach: Recomputation K P Round-1 • On the fly calculation of base K 1 S 1 Biclique Round-2 Rounds and biclique states K 2 S 2 Round-3 • Pipeline registers act as state K 3 S 3 Round-4 K 4 S 4 storage media Round-5 Regular (Full) K 5 S 5 ORACLE � No additional RAMs/registers Rounds Round-6 required – virtual storage K 6 S 6 Round-7 • Similar to optimized brute force K 7 S 7 Round-8 K 8 S 8 attack in structure Partial Round-9 Rounds K 9 S 9 � simpler control logic and Round-10 interconnections S 10 Match

  17. Biclique Attack on AES-128 First “Biclique” Round: • Serial AES implementation • 8-bit (!) datapath • Single S-Box

  18. Biclique Attack on AES-128 Second “Biclique” Round: • Slightly modified serial AES implementation • Still 8-bit (!) datapath • Two S-Boxes • Limited additional storage (shift registers) for biclique states

  19. Biclique Attack on AES-128 Third “Biclique” Round:

  20. Biclique Attack on AES-128 Third “Biclique” Round: • Serial AES implementation on 4 separate paths • Still 8-bit (!) datapath (on each path) • Four S-Boxes • Slightly more complex control logic • More registers for double-buffering of biclique states (still shift registers with minimal cost • Only covers the “SubBytes” stage of a full AES round – the rest implemented as in a regular round

  21. Optimized brute-force attack on AES-128 FPGA Performance Slice % FPGA Maximum Freq* Keys tested/sec/FPGA Utilization Utilization (MHz) 945 x 10 6 30720 / 33278 92.31 236.22 ASIC Performance Maximum Freq Average Power Core Area (GE) Keys tested/mW (MHz) (mW) 7.32 x 10 6 163912 1548 211.545 * Slower than the brute-force attack due to reduced number of pipeline stages

  22. Conclusion • The fastest brute-force attack implementation on AES-128 • The first biclique attack implementation on AES-128 � Almost a factor of 2 speed and cost gain � Only 16 chosen plaintexts (w.r.t. 288 in the original biclique attack paper) • Suitable for both FPGA and ASIC implementation • Applicable to AES-192 and AES-256 as well

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions

MA/CSSE 473 Day 13 Brute Force Divide and Conquer MA/CSSE 473 Day 13 Student Questions Brute force algorithms Divide and Conquer What is the brute force approach to Calculate the n th Fibonacci number? 1. Compute the n th power

387 views • 14 slides
Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of

Theorems, Algorithms and Brute Force: Building a Census of 3-Manifolds Benjamin Burton School of Mathematical and Geospatial Sciences RMIT University Melbourne, Australia Benjamin Burton (RMIT) Theorems, Algorithms and Brute Force November

444 views • 21 slides
MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE

MA/CSSE 473 Day 11 Knuth interview Amortization (growable Array) Brute Force Examples MA/CSSE 473 Day 11 Questions? Donald Knuth Interview Amortization Brute force (if time) Decrease and conquer intro Q1 2 1 Donald

511 views • 11 slides
Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and

One-Slide Summary Banburismus Banburismus British codebreakers used cribs (guesses), brute force, and the and the and analysis to break the Lorenz cipher. Guessed wheel settings were likely to be correct if they resulted in a Story So Far

112 views • 9 slides
Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of

Complete Search (aka Brute Force) Section 3.13.2 Dr. Mayfield and Dr. Lam Department of Computer Science James Madison University Oct 16, 2015 CS: Just do it! Complete search = try every possibility Should never give you Wrong Answer

399 views • 15 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein

Understanding brute force Cryptanalyst wants to find secret 128-bit AES key , D. J. Bernstein (0). given AES Thanks to: He builds an attack machine. University of Illinois at Chicago NSF CCR9983950 Machine 1: His

428 views • 11 slides
1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

1 Problem with Brute force Nave Bayes ( ) ( ) ( ) It cannot generalize to unseen

Outline Bayes theorem Discrete Bayesian classifiers Maximum likelihood classification Brute force Bayesian learning Nave Bayes Lecture 5 Bayesian Belief Networks Bayes theorem Maximum likelihood ( ) ( ) ( ) P x

72 views • 4 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that

[Week 9] Dynamic programming Topics for this week: - backtracking revisited: a brute-force technique that finds a solution by trying all possibilities (usually VERY SLOW) - sometimes can be remedied by storing pre-computed values: called

116 views • 7 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force,

MA/CSSE 473 Day 25 Student questions String search Horspool Boyer Moore intro Brute Force, Horspool, Boyer Moore STRING SEARCH 1 Brute Force String Search Example The problem: Search for the first occurrence of a pattern of length m in a

326 views • 10 slides
Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all

[Week 3] Topics for this week Backtracking: - a brute-force technique that finds a solution by trying all possibilities - related data structures - pruning to eliminate certain possibilities from the search - time complexity: usually really

662 views • 6 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force Part III: Symbolic Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ... Binary Decision Diagrams -

1k views • 61 slides
Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II:

UNIVERSITY OF TWENTE. Formal Methods & Tools. Scalable Multi-core Model Checking: Technology & Applications of Brute Force part II: Liveness & Timed Systems Jaco van de Pol 30, 31 October 2014 VTSA 2014, Luxembourg ...

861 views • 45 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions?

DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions?

DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions? Roll Call Today: affine ciphers Sherlock Holmes, The Adventure of the Dancing Men (1898) Who got it? In a letter: 2 weeks later: 2 mornings

494 views • 13 slides
Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll Francisco Jess Monserrat Coll RedIRIS / Red.es RedIRIS / Red.es Jornadas de Seguridad Jornadas de Seguridad Buenos Aires, 4 de Octubre de 2005

1.04k views • 37 slides
Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

529 views • 34 slides
Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

641 views • 24 slides
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera , Paul van Oorschot 1 Secure Shell (SSH) Protocol to enable remote logins and network services over an unsecured network. Typically used for

537 views • 27 slides
SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

500 views • 17 slides
k k text text The same key is used to encrypt the document before sending and decrypt it at

k k text text The same key is used to encrypt the document before sending and decrypt it at

Cryptographic methods: Why use cryptography? Can offer genuinely secure solutions to Brian Candler important security problems Updated by Hervey Allen Some governments forbid it Confidentiality Can I be sure no-one else can see my

845 views • 11 slides

More recommend