block cipher invariants
play

Block cipher invariants as eigenvectors of correlation matrices Tim - PowerPoint PPT Presentation

Apr 20, 2023 •267 likes •614 views

Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven December 3, 2018 COSIC Joan Daemen 2 Joan Daemen 2 Invariant subspaces and nonlinear invariants [Leander et al., 2011] x y E K K is a weak

  1. Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven December 3, 2018 COSIC

  2. Joan Daemen 2

  3. Joan Daemen 2

  4. Invariant subspaces and nonlinear invariants [Leander et al., 2011] x y E K K is a weak key 3 F n F n 2 2 a + V a + V

  5. Invariant subspaces and nonlinear invariants y y S x S [Todo et al., 2016] or x S S 4 F n F n 2 2 E K 1 F n F n 2 2 E K 2

  6. Three problems 1. Improve understanding (theory) 2. Invariants which are not invariant under the round function 3. Attacks based on invariants that work for all round constants cf. [Beierle et al., 2017] 5

  7. Representing the state x p x 6 x p ( x )   F 4 0 2   1/2   ← → ← → { (0 , 1) ⊤ , (1 , 0) ⊤ }   1/2 0

  8. Representing the state x x 6 p ( x )   F 4 0 2   1/2   ← → ← → { (0 , 1) ⊤ , (1 , 0) ⊤ }   1/2 0 p ( x )   F 4 − 1/4 2   1/4   ← → ← → { (0 , 1) ⊤ , (1 , 0) ⊤ }   1/4 − 1/4

  9. Operations on the state x v u y 7 � 0 0 1 0 � � 0 � � 1 � · 1 = 1 0 0 0 1 1 0 1 0 0 0 2 1 2 0 0 1 0 0 0 1 p ( x ) q ( y ) y = x + c F F (1 , 0) ⊤ � p ( u ) � q ( v ) � 1 0 0 �� � � 1 � 0 1 0 1 0 0 0 0 = 0 0 − 1 0 0 0 − 1 0 0 0 − 1 1

  10. Operations on the state x v u y 7 � 0 0 1 0 � � 0 � � 1 � · 1 = 1 0 0 0 1 1 0 1 0 0 0 2 1 2 0 0 1 0 0 0 1 p ( x ) q ( y ) y = x + c F F (1 , 0) ⊤ � p ( u ) � q ( v ) � 1 0 0 �� � � 1 � 0 1 0 1 0 0 0 0 = 0 0 − 1 0 0 0 − 1 0 0 0 − 1 1

  11. Operations on the state x v u y 7 � 0 0 1 0 � � 0 � � 1 � · 1 = 1 0 0 0 1 1 0 1 0 0 0 2 1 2 0 0 1 0 0 0 1 p ( x ) q ( y ) y = x + c F F (1 , 0) ⊤ � p ( u ) � q ( v ) � 1 0 0 �� � � 1 � 0 1 0 1 0 0 0 0 = 0 0 − 1 0 0 0 − 1 0 0 0 − 1 1

  12. Operations on the state x F F Correlation matrix q p C F v u y 8        =    p  q  T F p ( x ) q ( y ) F F y = F ( G ( x )) y = F ( x ) � p ( u ) � q ( v )         �  = � 

  13. Operations on the state x Correlation matrix q p C F C G v u y 8          p  =  q  T F T G p ( x ) q ( y ) F ◦ G F F y = F ( G ( x )) y = F ( x ) � p ( u ) � q ( v ) F ◦ G         �  = � 

  14. The invariants of a block cipher E K are the eigenvectors of C E K . Eigenvectors of correlation matrices E K p p C E K or 9 u u u C E K � p ( u ) � p ( u ) C E K � p ( u )

  15. Eigenvectors of correlation matrices E K p p u or C E K u u 9 C E K � p ( u ) � p ( u ) C E K � p ( u )         �  = λ �  The invariants of a block cipher E K are the eigenvectors of C E K .

  16. Rank one states in Midori-64 Midori-64 state p i or p i Equivalently: Independence: 10 ∈ R 2 64 ∼ = ( R 2 4 ) ⊗ 16 16 � p ( x 1 , x 2 , . . . , x 16 ) = p i ( x i ) x 1 x 5 x 9 x 13 i =1 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 16 16 � � p = � p = � x 4 x 8 x 12 x 16 i =1 i =1

  17. Overview of Midori-64 R 15 P 11 K 0 + K 1 K 0 + K 1 K 0 K 1 K 0 . . . S R 1 R 2 K 1 S M γ 2

  18. Overview of Midori-64 R 15 P 11 K 0 + K 1 K 0 + K 1 K 0 K 1 K 0 . . . S R 1 R 2 K 1 S M γ 2

  19. Key addition . n . . ... . . . . . . 12 Correlation matrix for addition of K = ( k 1 , k 2 , . . . , k n ) ∈ F n 2 :   1 0 · · · 0 � 1 �   0 ( − 1) k 1 0 � · · · 0    =    0 ( − 1) k i i =1 � n 0 0 ( − 1) · · · i =1 k i

  20. Boxed mappings p i 13 q 1 = C S � � p 1 x 1 x 5 x 9 x 13 C S = ( C S ) ⊗ 16 x 2 x 6 x 10 x 14 C M = ( C M ) ⊗ 4 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 q i = C M � � ⊗ 16 ⊗ 16 i =13 � i =13 �

  21. Three problems eigenvectors of correlation matrices 2. Invariants which are not invariant under the round function 14 1. Improve understanding (theory) 3. Attacks based on invariants that work for all round constants

  22. Invariants in the intersection of eigenspaces 15 ◮ We want to solve C E K v = λ v ◮ To simplify things, let’s assume v = w ⊗ 16 ◮ Require invariance under S , M and key addition: ( C S ) ⊗ 16 w ⊗ 16 = λ 1 w ⊗ 16 ( C M ) ⊗ 4 w ⊗ 16 = λ 2 w ⊗ 16 C K i + γ i w ⊗ 16 = λ 3 w ⊗ 16 → Invariants from [Guo et al., 2016, Todo et al., 2016].

  23. Somewhat more general invariants Most important solution: (Perfect linear approximation) v u 16 u ⊗ 16 v ⊗ 16 u ⊗ 16 �→ �→ · · · · · · M ◦ P ◦ S M ◦ P ◦ S K 1 ⊕ γ i − 1 K 0 ⊕ γ i K 1 ⊕ γ i +1 C S u = v C M u ⊗ 4 = u ⊗ 4 , C M v ⊗ 4 = v ⊗ 4

  24. Somewhat more general invariants Most important solution: (Perfect linear approximation) 16 u ⊗ 16 v ⊗ 16 u ⊗ 16 �→ �→ · · · · · · M ◦ P ◦ S M ◦ P ◦ S K 1 ⊕ γ i − 1 K 0 ⊕ γ i K 1 ⊕ γ i +1 C S u = v C M u ⊗ 4 = u ⊗ 4 , C M v ⊗ 4 = v ⊗ 4 u = (0 , 0 , 0 , 0 , 0 , 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0) ⊤ v = (0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , − 1 , − 1 , 0 , 0 , 1 , − 1) ⊤ /2

  25. Midori-64 round constants Midori-64 0001 0101 1011 0011 0111 1000 1100 0000 1010 0100 0011 0101 0110 0010 0001 0011 0001 0000 0100 1111 1101 0001 0111 0000 0000 0010 0110 0110 0000 1011 1100 1100 1001 0100 1000 0001 0100 0000 1011 1000 17 · · · → 2 64 weak keys

  26. Midori-64 round constants Midori-64 0800 0000 8088 8000 8008 0800 8000 0008 0000 8088 8800 8800 0000 0080 0880 0880 8808 0008 0888 0000 0008 0000 0800 8888 0880 0080 0008 0088 8080 0800 0088 0808 0888 8000 8800 0000 0008 0808 8088 0088 “Almost” Midori-64 0100 0000 1011 1000 1001 0100 1000 0001 0000 1011 1100 1100 0000 0010 0110 0110 1101 0001 0111 0000 0001 0000 0100 1111 0110 0010 0001 0011 1010 0100 0011 0101 0111 1000 1100 0000 0001 0101 1011 0011 17 · · · · · · → 2 64 weak keys → 2 96 . 02 weak keys

  27. Midori-64 round constants Midori-64 0a64 c6cf ee81 14a4 0aa0 a088 0088 2a22 410d 5161 db17 8b17 8028 a888 0aa2 a202 6182 5031 b4ed 0c0d 0a80 822a 80a2 0a82 a374 8d6a dd67 62eb 0280 880a a22a 8a2a 01cc 510f 2b77 349a 082a 2888 028a 0a80 “Almost” Midori-64 0100 0000 1011 1000 1001 0100 1000 0001 0000 1011 1100 1100 0000 0010 0110 0110 1101 0001 0111 0000 0001 0000 0100 1111 0110 0010 0001 0011 1010 0100 0011 0101 0111 1000 1100 0000 0001 0101 1011 0011 17 · · · · · · → 2 64 weak keys → 2 96 weak keys

  28. Three problems eigenvectors of correlation matrices 2. Invariants which are not invariant under the round function real-world example: modifjed Midori-64 3. Attacks based on invariants that work for all round constants 18 1. Improve understanding (theory)

  29. Both attacks: Attacks on Midori-64 and MANTIS block cipher calls, but bits of the key almost for free Guess the remaining bits (no optimizations) 19 ◮ Independent of the round constants ◮ 10 rounds of Midori-64 ◮ 2 96 (out of 2 128 ) weak keys ◮ ∼ 1 . 25 · 2 21 chosen plaintexts ◮ MANTIS -4 ◮ 2 32 (out of 2 64 ) weak tweaks ◮ ∼ 640 chosen plaintexts

  30. Attacks on Midori-64 and MANTIS 19 ◮ Independent of the round constants ◮ 10 rounds of Midori-64 ◮ 2 96 (out of 2 128 ) weak keys ◮ ∼ 1 . 25 · 2 21 chosen plaintexts ◮ MANTIS -4 ◮ 2 32 (out of 2 64 ) weak tweaks ◮ ∼ 640 chosen plaintexts ◮ Both attacks: 2 56 block cipher calls, but ◮ 40 + 32 bits of the key almost for free ◮ Guess the remaining 56 bits (no optimizations)

  31. Attack on 10 rounds of Midori-64 A C C C C A A A A A A C A A A A A A A A A C C C Integral property 20 C f ( x ) = � 16 i =1 f i ( x 4 i − 3 , x 4 i − 2 , x 4 i − 1 , x 4 i ) with f i balanced K 0 + K 1 K 0 ≃ γ 7 K 0 + K 1 S R 1 R 2 R 3 R 4 R 5 R 6 R 7 R 8 R 9 g ( x ) = � 16 i =1 g i ( x 4 i − 3 , . . . , x 4 i ) I 1 I 2 � A 1 C f ( x ) = 0 A 2 C x ∈I 2 A 3 C A 4

  32. Attack on 10 rounds of Midori-64 A C C C C A A A A A A C A A A A A A A A A C 20 C C C Integral property f ( x ) = � 16 i =1 f i ( x 4 i − 3 , x 4 i − 2 , x 4 i − 1 , x 4 i ) with f i balanced K 0 + K 1 K 0 ≃ γ 7 K 0 + K 1 S R 1 R 2 R 3 R 4 R 5 R 6 R 7 R 8 R 9 g ( x ) = � 16 i =1 g i ( x 4 i − 3 , . . . , x 4 i ) I 1 I 2 � A 1 C f ( x ) = 0 A 2 C x ∈I 2 � ⇒ g ( x ) = 0 A 3 C x ∈ E K ( I 1 ) A 4

  33. Attack on 10 rounds of Midori-64 A C C C C A A A A A A C A A A A A A A A A C 20 C C C Integral property f ( x ) = � 16 i =1 f i ( x 4 i − 3 , x 4 i − 2 , x 4 i − 1 , x 4 i ) with f i balanced K 0 + K 1 K 0 ≃ γ 7 K 0 + K 1 S R 1 R 2 R 3 R 4 R 5 R 6 R 7 R 8 R 9 g ( x ) = � 16 i =1 g i ( x 4 i − 3 , . . . , x 4 i ) I 1 I 2 � A 1 C f ( x ) = 0 A 2 C x ∈I 2 � ⇒ g ( x + K 0 + K 1 ) = 0 A 3 C x ∈ E K ( I 1 ) A 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
15 GHz Monitoring of Gamma-ray Blazars with the OVRO 40 Meter Telescope in Support of Fermi

15 GHz Monitoring of Gamma-ray Blazars with the OVRO 40 Meter Telescope in Support of Fermi

15 GHz Monitoring of Gamma-ray Blazars with the OVRO 40 Meter Telescope in Support of Fermi Joseph L. Richards, W. Max-Moerbeck, V. Pavlidou, T. J. Pearson, A. C. S. Readhead, M. A. Stevenson California Institute of Technology, Owens Valley

289 views • 17 slides
Computational Linguistics: Evaluation Methods Raffaella Bernardi University of Trento Contents

Computational Linguistics: Evaluation Methods Raffaella Bernardi University of Trento Contents

Computational Linguistics: Evaluation Methods Raffaella Bernardi University of Trento Contents First Last Prev Next 1. Admin Perusall sends email reminders to students 3, 2, and 1 day before the deadline of an assignment. Only

477 views • 34 slides
Correlation Learning Objectives At the end of this lecture, the student should be able to:

Correlation Learning Objectives At the end of this lecture, the student should be able to:

Chapter 4.1 Scatter Diagrams and Linear Correlation Learning Objectives At the end of this lecture, the student should be able to: Explain what a scattergram is and how to make one State what strength and direction mean with

865 views • 51 slides
Note This slide was added after the presentation at the Stata User Group Meeting in London. As of

Note This slide was added after the presentation at the Stata User Group Meeting in London. As of

piecewise ginireg 1 Piecewise Gini Regressions in Stata Jan Ditzen 1 Shlomo Yitzhaki 2 1 Heriot-Watt University, Edinburgh, UK Center for Energy Economics Research and Policy (CEERP) 2 The Hebrew University and Hadassah Academic College,

956 views • 24 slides
Unsupervised learning General introduction to unsupervised learning PCA Special directions

Unsupervised learning General introduction to unsupervised learning PCA Special directions

Unsupervised learning General introduction to unsupervised learning PCA Special directions These are special directions we will try to find. Best direction u : |u| 2 = 1 2 1. Minimize : d i X i T u is the projection length x i u d i T

1.01k views • 29 slides
Introduction to Mobile Robotics SLAM: Simultaneous Localization and Mapping Wolfram Burgard,

Introduction to Mobile Robotics SLAM: Simultaneous Localization and Mapping Wolfram Burgard,

Introduction to Mobile Robotics SLAM: Simultaneous Localization and Mapping Wolfram Burgard, Michael Ruhnke, Bastian Steder What is SLAM? Estimate the pose of a robot and the map of the environment at the same time SLAM is hard,

743 views • 49 slides
SEPARATING THE WHEAT FROM THE CHAFF Tips on how to identify and characterize essential movements

SEPARATING THE WHEAT FROM THE CHAFF Tips on how to identify and characterize essential movements

Juliana Palma - ICTP Conference - Trieste, March 2017. SEPARATING THE WHEAT FROM THE CHAFF Tips on how to identify and characterize essential movements in frantically shaking proteins Juliana Palma - ICTP Conference - Trieste, March 2017. Why

642 views • 53 slides
Time-varying signals: cross- and auto-correla5on,

Time-varying signals: cross- and auto-correla5on,

Time-varying signals: cross- and auto-correla5on, correlograms NEU 466M Instructor: Professor Ila R. Fiete Spring 2016 Sta5s5cal measures We

447 views • 40 slides

More recommend