
Block Cipher Cryptanalysis II: Linear Cryptanalysis



  1. Block Cipher Cryptanalysis II: Linear Cryptanalysis. Andrey Bogdanov, K.U.Leuven, ESAT/COSIC

  2. Outline • Distribution of Correlation • Data Complexity • Linear Hulls • Zero Correlation Linear Cryptanalysis • Related-Key Linear Cryptanalysis

  3. Linear Cryptanalysis: Basics I Action of an n-bit block cipher on plaintext P : Input and output linear masks: , Linear approximation : Probability of linear approximation: Correlation of linear approximation:

  4. Linear Cryptanalysis: Basics II • Since probability varies from 0 to 1, the correlation varies from -1 to 1 • For probability 1/2, one gets correlation 0 • Of course, there is much more behind the notion of correlation – correlation matrices [D94]

  5. Linear Cryptanalysis: Distribution of Correlation I • Fix a non-trivial approximation • Randomly choose an n-bit permutation • What is the probability for to have a particular value? [O94] • Normal approximation [DR07]:

  6. Linear Cryptanalysis: Distribution of Correlation I • Fix an n-bit permutation • What is the probability for to have a particular value? [BT11, work in progress] • Normal approximation: • The distribution holds already for just a single randomly picked permutation with n=8 (experiments)

  7. Linear Cryptanalysis: Distribution of Correlation II • Which correlations are in basic linear cryptanalysis exploitable? – Very roughly speaking, those with – About 68.5% of linear approximations do not fulfill that • In basic linear attacks, this has to hold for (at least) a large part of the key space, once the linear approximation is fixed – Not the case for a randomly picked block cipher • The average proportion of linear approximations with e.g. is still relatively high

  8. Linear Cryptanalysis: Distribution of Correlation III • Two more observations: – Zero is the most frequent single correlation value – For a randomly drawn permutation, a non-trivial linear approximation is unlikely to have correlation significantly deviating from 0 • For permutations with structure, however, non-trivial linear approximations with high deviation of correlation might exist for each key

  9. Linear Cryptanalysis: Procedure [M93] • Let a linear approximation be over all but last round of an iterative block cipher with key k [Figure labels: all but last round, last round] • N PC-pairs given for right key k_0 • For each key guess of the last round k_i, partially decrypt from C to V in each PC-pair and count the number of times T_i the approximation is satisfied • We want T_0 (corresponding to right key k_0) to deviate from N/2 significantly

  10. Linear Cryptanalysis: Advantage [S08] • For instance, we want T_0 be among the top counters T_i for p>1/2 • Say, we guess m bits in the last round key, i.e. there are candidates • Advantage a is m – r, i.e., the number of bits gained

  11. Linear Cryptanalysis: Data Complexity [S08] • If (essential assumptions) – Counters T_i are independent – For wrong key guesses, approximation has correlation 0 – N and m are sufficiently large • Then for success probability P_S

  12. Linear Cryptanalysis: Linear Hulls I • Iterative structure of a block cipher: • Correlation of a linear approximation over one round: Linear trail: …

  13. Linear Cryptanalysis: Linear Hulls II [N94], [D94], [DR02] • Linear hull = linear approximation of an iterative block cipher • Linear hull contains many linear trails U • Each U has its correlation contribution C_U • Correlation of linear hull

  14. Linear Cryptanalysis: Linear Hulls III Rounds in a key-alternating block cipher look like: [Figure: layers of S-boxes (S), linear diffusion, key schedule map]

  15. Linear Cryptanalysis: Linear Hulls IV [D94], [DR02] • The correlation of a linear hull in a key-alternating block cipher can be computed as – d_U is the sign of correlation contribution for key 0 – K is the expanded key – The sum is over all compatible linear trails • Thus, the correlation value varies due to the key only

  16. Linear Cryptanalysis: Linear Hulls V [L11], [O09] • For vast classes of keys, the correlation value can deviate greatly from the average over all keys • Correlation amplification [O09] for PRESENT

  17. Linear Cryptanalysis: Some Extensions • Zero correlation linear cryptanalysis – Linear approximations with probability 1/2 • Related-key linear cryptanalysis – Equal correlations under different keys – For key-alternating ciphers with simple key schedule

  18. Linear Cryptanalysis: Zero Correlation I [BR11] • Standard linear cryptanalysis tries to make use of linear approximations with highly nonzero correlation values • Zero correlation linear cryptanalysis uses linear approximations with correlation exactly zero • It is the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis • Cf. [ER10], [CS11], [RN11]

  19. Linear Cryptanalysis: Zero Correlation II [BR11] • Zero correlation linear hulls exist in many popular cipher constructions • Feistel networks [Figure panels: CAST256, Balanced Feistel, Skipjack, CLEFIA]

  20. Linear Cryptanalysis: Zero Correlation III [BR11]

  21. Linear Cryptanalysis: Zero Correlation IV [BR11] • For each subkey guess: – Partially decrypt the ciphertext and encrypt the plaintext up to the boundaries of the zero correlation linear hull – Evaluate the correlation value C – If C=0 , the subkey guess survives the test • Low probability that a wrong key exhibits zero correlation • Exact evaluation of correlation needed for this distinguisher

  22. Linear Cryptanalysis: Zero Correlation V [BR11] • Round-reduced AES-192 and AES-256:

  23. Linear Cryptanalysis: Related-Key I [BR11] • The attack uses the properties of linear hulls for key-alternating block ciphers • Differential related-key model: – Adversary supplies two unknown keys with a specified known difference • Distinguisher is based on the equality for correlations C=C’ under two distinct keys K and K’ • Cf. [K06], [BDK07], [ZWZF06]

  24. Linear Cryptanalysis: Related-Key II [BR11] • For two randomly drawn permutations and a fixed linear hull, their correlations are equal C=C’ with a probability of about • Now, if we choose a relation between keys K and K’ in a way that C=C’ deterministically, we have a distinguisher based on correlation evaluation

  25. Linear Cryptanalysis: Related-Key III [BR11] • Correlation for a key-alternating cipher under two expanded keys: • The difference of two correlations:

  26. Linear Cryptanalysis: Related-Key IV [BR11] A way to turn the sum to 0 is to make each summand 0: with Thus, if for each linear trail in the hull, then

  27. Linear Cryptanalysis: Related-Key V [BR11] • 5 rounds of AES-256 are distinguishable using this fact, since AES-256 is a key-alternating block cipher with relatively sparse key schedule • Key difference • Input/output masks

  28. Linear Cryptanalysis: Related-Key VI [BR11] • 5 rounds of AES-256 • This exhibits C=C’ for every pair of keys with the specified difference • To distinguish, exact evaluation of C and C’ is needed

  29. Linear Cryptanalysis: Selected Further Topics • Linear cryptanalysis with multiple linear approximations [HCN08], [HCN09], [GT09], [HN10] • Equivalence to some saturation attacks [L11] • Related-key differential-linear attacks [BDK06], [K06] • Experiments with linear approximations [CSQ08], [CS10]

  30. Linear Cryptanalysis: Selected Open Problems • Provable bounds on ELP for real-world ciphers • Linear hull effect for real-world ciphers • Reduction of data requirements for zero correlation linear cryptanalysis • More linear techniques in related-key attacks • More precise models for attack complexity estimations in linear attacks
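
Added example, not part of the slides: the counting procedure of slide 9 and the advantage of slide 10, run on a constructed 4-bit toy cipher with two S-box rounds. The cipher, the keys, the masks a=0x8 and b=0xF and all function names are assumptions made for illustration; the S-box is the first row of DES S1 as used in Heys' tutorial.

```python
import math

# 4-bit S-box (first row of DES S1, as used in Heys' tutorial) and its inverse
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV = [SBOX.index(y) for y in range(16)]
A_MASK, B_MASK = 0x8, 0xF   # assumed masks: a on plaintext P, b on state V

def dot(mask, x):
    """Parity of the masked bits, i.e. the GF(2) inner product mask·x."""
    return bin(mask & x).count("1") & 1

def encrypt(p, k0, k1, k2):
    v = SBOX[p ^ k0] ^ k1    # V: state after all but the last round
    return SBOX[v] ^ k2      # last round: S-box, then last-round key k2

def known_pairs(k0, k1, k2):
    """Full codebook of PC-pairs under the (constructed) right key."""
    return [(p, encrypt(p, k0, k1, k2)) for p in range(16)]

def lat_entry(a, b):
    """Number of x with a·x == b·S(x), minus 8."""
    return sum(dot(a, x) == dot(b, SBOX[x]) for x in range(16)) - 8

def counters(pairs):
    """T_i for each last-round key guess k_i: decrypt C to V, test a·P == b·V."""
    return [sum(dot(A_MASK, p) == dot(B_MASK, INV[c ^ guess]) for p, c in pairs)
            for guess in range(16)]

def rank_guesses(pairs):
    """Guesses sorted by |T_i - N/2|, largest first, plus the raw counters.
    The absolute value is used because the sign depends on unknown key bits."""
    T = counters(pairs)
    half = len(pairs) / 2
    return sorted(range(16), key=lambda g: abs(T[g] - half), reverse=True), T

def advantage(rank, m=4):
    """a = m - r when the right key is within the top 2^r of 2^m counters."""
    return m - math.ceil(math.log2(rank))   # rank is 1-based

if __name__ == "__main__":
    k0, k1, k2 = 0x3, 0x6, 0xB               # constructed keys
    order, T = rank_guesses(known_pairs(k0, k1, k2))
    print("LAT entry:", lat_entry(A_MASK, B_MASK))
    print("deviations:", [T[g] - 8 for g in range(16)])
    print("top guess:", hex(order[0]), "advantage:", advantage(order.index(k2) + 1))
```

With these keys the right guess deviates from N/2 by 6 and the best wrong guess by 4, so on a 4-bit block the wrong-key counters are not close to N/2.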
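
Added example, not part of the slides: the n=8 experiment mentioned on slide 6, for one randomly drawn permutation. It computes every correlation with a Walsh-Hadamard transform and reports the statistics discussed on slides 5 to 8; the comparison variance 2^-n is the usual normal-approximation value taken from the literature as an assumption, and the seed and function names are constructed.

```python
import random
from collections import Counter

def correlations(perm, n):
    """Return {b: [C(a, b) for every input mask a]} for all output masks b != 0,
    where C(a, b) is the correlation of a·x XOR b·perm(x)."""
    size = 1 << n
    table = {}
    for b in range(1, size):
        # Sign vector (-1)^(b·perm(x)), indexed by x
        w = [1 - 2 * (bin(b & y).count("1") & 1) for y in perm]
        # In-place fast Walsh-Hadamard transform:
        # afterwards w[a] = sum over x of (-1)^(a·x XOR b·perm(x))
        h = 1
        while h < size:
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        table[b] = [v / size for v in w]
    return table

def summarize(n=8, seed=2011):
    """Statistics over all approximations with a != 0 and b != 0."""
    perm = list(range(1 << n))
    random.Random(seed).shuffle(perm)          # constructed sample permutation
    table = correlations(perm, n)
    vals = [c for row in table.values() for c in row[1:]]  # row[0] is a = 0
    hist = Counter(vals)
    return {
        "count": len(vals),
        "mean_square": sum(c * c for c in vals) / len(vals),
        "model_variance": 2.0 ** -n,           # assumed normal approximation
        "max_abs": max(abs(c) for c in vals),
        "zero_fraction": hist[0.0] / len(vals),
        "most_common": hist.most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:15} {value}")
```

By Parseval's relation the mean square over these approximations is exactly 1/(2^n - 1) for any permutation, which is why it sits so close to the model variance 2^-n.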
