boomerang switch in multiple rounds
play

Boomerang Switch in Multiple Rounds Application to AES Variants and - PowerPoint PPT Presentation

Feb 24, 2023 •292 likes •594 views

Boomerang Switch in Multiple Rounds Application to AES Variants and Deoxys Haoyang Wang, Thomas Peyrin School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore FSE 2019, Paris March 26, 2019 Outline

  1. Boomerang Switch in Multiple Rounds Application to AES Variants and Deoxys Haoyang Wang, Thomas Peyrin School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore FSE 2019, Paris March 26, 2019

  2. Outline • Background • Boomerang Switch • Attack on 10-round AES-256 • Application to Full-round AES-192 and reduced-round Deoxys-BC 2 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  3. Background 3 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  4. Background Boomerang Attack P 1 P 3 α α E 0 E 0 Boomerang attack P 2 P 4 • A cipher E is divided into two sub-ciphers: γ E = E 1 ◦ E 0 E 0 E 0 E 1 E 1 • E 0 : P [ α → β ] = p β β γ • E 1 : P [ γ → δ ] = q • The two trails are assumed to be independent. C 1 C 3 δ E 1 E 1 • Distinguish probability: Pr [ E − 1 ( E ( x ) ⊕ δ ) ⊕ E − 1 ( E ( x ⊕ α ) ⊕ δ ) = α ] = p 2 q 2 C 2 δ C 4 4 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  5. Background Dependency Between the Two Sub-Ciphers • At the boundary of the two trails, dependency may exist. Negative effect Positive effect • Middle round S-box trick [BDD03] • Imcompatibility [Mer09] • Ladder switch [BK09] • S-box switch [BK09] • Feistel switch [BK09] 5 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  6. Background Sandwich Attack P 1 P 3 α α E 0 E 0 P 2 P 4 Sandwich attack x 1 x 3 • E is further divided into three sub-ciphers: E 0 E 0 β β E m E m E = E 1 ◦ E m ◦ E 0 x 2 x 4 y 1 y 3 γ • E m contains the dependent parts of the two trails, E m E m with probability r E 1 E 1 y 2 y 4 • r = Pr [ E − 1 m ( E m ( x ) ⊕ γ ) ⊕ E − 1 m ( E m ( x ⊕ β ) ⊕ γ ) = β ] γ • Distinguish probability: p 2 q 2 r . C 1 δ C 3 E 1 E 1 C 2 C 4 δ 6 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  7. Background View of Boomerang Switch in Sandwich Attack x 1 (= x 4 ) x 1 (= x 3 ) ∆ 0 ∆ 0 x 2 (= x 3 ) x 2 (= x 4 ) S S S ∇ 0 S y 1 (= y 4 ) y 1 (= y 3 ) ∆ 1 ∇ 0 ∇ 0 y 2 (= y 3 ) y 2 (= y 4 ) Ladder switch Sbox switch 1 ∇ 0 = 0 1 ∇ 0 = ∆ 1 2 y 3 = y 1 and y 4 = y 2 2 y 4 = y 1 , y 3 = y 2 3 x 3 = x 1 and x 4 = x 2 3 x 4 = x 1 and x 3 = x 2 Sbox 4 r = 1 4 r = pr [∆ 0 − − − → ∆ 1 ] 7 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  8. Background Boomerang Connectivity Table (BCT) x 1 x 3 ∆ 0 ∆ 0 S S x 2 x 4 y 1 y 3 ∇ 0 S S ∆ 1 ∆ 1 y 2 ∇ 0 y 4 Construction • Focus on a single S-box layer. • ∆ 0 and ∇ 0 are taken into consideration. • The entry for (∆ 0 , ∇ 0 ) is computed by # { x ∈ { 0 , 1 } n | S − 1 ( S ( x ) ⊕ ∇ 0 ) ⊕ S − 1 ( S ( x ⊕ ∆ 0 ) ⊕ ∇ 0 ) } . 8 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  9. Background Boomerang Connectivity Table (BCT) x 1 x 3 ∆ 0 ∆ 0 S S x 2 x 4 y 1 y 3 ∇ 0 S S ∆ 1 ∆ 1 y 2 ∇ 0 y 4 Advantages • It covers the switching effect of ladder switch, S-box switch and incompatibility. • New switching effect: Compared to S-box switch where ∇ 0 = ∆ 1 , BCT does not require the value of ∆ 1 , which could lead to a higher switching probability. 8 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  10. Background Motivation Questions • Can we extend E m to multiple rounds? • If yes, can current switching techniques be applied to the multiple-round case? 9 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  11. Boomerang Switch 10 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  12. Boomerang Switch Determining the Number of Rounds in E m SB,SR ARK,SB MC Uppertrail SB,SR ARK,SB MC Lowertrail Figure: Parallel operations of truncated 2-round AES The idea of ladder switch The round function of a cipher can be divided into two independent parts, which can operate in parallel. Extension In E m , if the forward diffusion of the active cells in the upper trail has no interaction with the backward diffusion of the active cells in the lower trail, a right quartet of E m can be generated with probability 1. 11 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  13. Boomerang Switch Determining the Number of Rounds in E m β R R R SubCells R R R SubCells γ Figure: A 4-round E m of SKINNY with probability 1 Observation • For SKINNY [BJK+16], E m can be at most four rounds with probability r = 1 . • E m contains more rounds for those ciphers with slower diffusion layer. 12 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  14. Boomerang Switch Incompatibility in Multiple Rounds β DDT( df , f1 )=2 df f1 f9 SR,MC f1 SB BCT( f9 , c6 )=2 AK f1 08 DDT( f9 , c6 )=2 a9 f9 c6 70 SR,MC SB BCT( df , a9 )=2 b9 AK 99 γ Figure: An incompatible 2-round E m of AES Deficiency of BCT • BCT detects incompatibility while the entry is zero. • The two trails are valid with probability 2 − 7 respectively: DDT( df,f1)=2 , DDT( f9,c6)=2 . • For the two active S-boxes, the entries of BCT are non-zero: BCT( df,a9)=2 , BCT( f9,c6)=2 . • However, this example is incompatible: BCT( df,a9) and DDT( df,f1) cannot be non-zero simultaneously. 13 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  15. Boomerang Switch Observation on S-box in the Boomerang Switch x 1 x 3 ∇ 1 ∆ 0 ∆ 0 S S x 2 x 4 ∇ 1 y 1 y 3 ∇ 0 S S ∆ 1 ∆ 1 ∇ 0 y 2 y 4 Lemma1 For any fixed ∆ 0 and ∆ 1 , for which the DDT entry is 2 l , l being a nonzero integer, the maximum number of nontrivial values of ∇ 0 , for which a right quartet could be generated, is � l � 2 +1 . 2 Lemma2 For any fixed ∆ 0 and ∇ 0 , for which the BCT entry is 2 l and the DDT entry is 2 l ′ , l and l ′ being nonzero integers, the maximum number of choices of ∆ 1 , for which a right quartet could be generated, is 1 + (2 l − 2 l ′ ) / 4 . 14 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  16. Boomerang Switch Boomerang Difference Table (BDT) x 1 x 3 ∇ 1 ∆ 0 ∆ 0 S S x 2 x 4 ∇ 1 y 1 y 3 ∇ 0 S S ∆ 1 ∆ 1 y 2 ∇ 0 y 4 Construction • A combination of BCT and DDT. • The entry for ( ∆ 0 , ∆ 1 , ∇ 0 ) is defined by: # { x ∈ { 0 , 1 } n | S − 1 ( S ( x ) ⊕ ∇ 0 ) ⊕ S − 1 ( S ( x ⊕ ∆ 0 ) ⊕ ∇ 0 ) = ∆ 0 , S ( x ) ⊕ S ( x ⊕ ∆ 0 ) = ∆ 1 } , n is the S-box size. • The time complexity for the construction is O (2 2 n ) . 15 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  17. Boomerang Switch Boomerang Difference Table (BDT) x 1 x 3 ∇ 1 ∆ 0 ∆ 0 S S x 2 x 4 ∇ 1 y 1 y 3 ∇ 0 S S ∆ 1 ∆ 1 y 2 ∇ 0 y 4 Properties • DDT (∆ 0 , ∆ 1 ) = BDT (∆ 0 , ∆ 1 , 0) = BDT (∆ 0 , ∆ 1 , ∆ 1 ) • BCT (∆ 0 , ∇ 0 ) = � 2 n ∆ 1 =0 BDT (∆ 0 , ∆ 1 , ∇ 0 ) • BDT (0 , 0 , ∇ 0 ) = 2 n • ( ∆ 0 , ∆ 1 , ∇ 0 ) is incompatible when the corresponding entry in BDT is 0. 15 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  18. Attack on 10-round AES-256 16 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  19. Attack on 10-round AES-256 Attack model Related-key attack • The adversary chooses a relation between several keys, e.g., K 2 = K 1 ⊕ C and is given access to encryption/decryption oracles with these keys. Related-subkey attack • The adversary chooses a relation between subkeys, e.g., K 2 = F − 1 ( F ( K 1 ) ⊕ C ) , where F represents the round function of key schedule. • Advantage: easier to obtain a desired related-subkey difference in non-linear key schedule. • Disadvantages: complex key access scheme, less practical and even too contrived for academic interest. 17 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  20. Attack on 10-round AES-256 Overview of the Attack Idea • We stick to the related-key attack. Since the key schedule of AES is non-linear, a related-key differential path is used for the upper trial while a single-key differential path is used for the lower trail. • The local collision strategy is used for constructing the upper trail. • Apply the boomerang switch in two rounds. 18 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  21. Attack on 10-round AES-256 The 10-round Attack 19 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  22. Attack on 10-round AES-256 The 2-round E m ∆ ′ ∆ 0 ∆ 1 0 SB SR MC β 8 9 ∇ ′ ∇ ′ ∇ 0 1 0 SR AK SB MC γ Analysis • β and γ are fixed. • For the S-box at (0,0) in round 8: • A fixed value ∆ 1 is chosen so that there is no overlapped active cell in round 9. • With the fixed ∆ 0 and ∆ 1 , choose the values of ∇ 0 so that the BDT entries are non-zero, and the switching probability is obtained accordingly. • For the S-box at (0,0) in round 9: • ∇ ′ 1 is uniquely determined by ∇ 0 . • Since ∆ ′ 0 = 0 , the switching probability can be evaluated by DDT with entry ( ∇ ′ 1 , ∇ ′ 0 ) 20 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  23. Attack on 10-round AES-256 Result Scenario # keys Time Data Result Reference 2 172 2 114 Key Diff. 64/256 Full key [KHP07]/[BDK05] 2 45 (2 221 ) 2 44 Subkey Diff. 2 35 subkey bits (full key) [BDK+10] 2 75 2 75 Key Diff. 2 Full key this paper 21 NTU Boomerang Switch in Multiple Rounds 26.3.2019

  24. Application to Full-round AES-192 and reduced-round Deoxys-BC 22 NTU Boomerang Switch in Multiple Rounds 26.3.2019

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic Jansma njansma@akamai.com @nicj Why are we here today? Boomerang: an open-source Real User Monitoring (RUM) third-party library

645 views • 41 slides
Name Disambiguation via Multiple Rounds of Reduction Stephen Carley, Alan Porter and Jan Youtie

Name Disambiguation via Multiple Rounds of Reduction Stephen Carley, Alan Porter and Jan Youtie

Name Disambiguation via Multiple Rounds of Reduction Stephen Carley, Alan Porter and Jan Youtie Why does it matter? To measure the impact of a given author we need a way to build a dataset of scholarship unique to this individual For

335 views • 20 slides
Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang

Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang

Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang Technological University, Singapore 2. Institute of Information Engineering, CAS, China 3. Shandong University, China FSE 2019 @ Paris Boomerang Attacks

483 views • 37 slides
AP Physics C Inductance Multiple Choice Slide 2 / 21 1 At time = 0, the switch is closed in

AP Physics C Inductance Multiple Choice Slide 2 / 21 1 At time = 0, the switch is closed in

Slide 1 / 21 AP Physics C Inductance Multiple Choice Slide 2 / 21 1 At time = 0, the switch is closed in the circuit shown below. Which of the following graphs best desribed the potential difference V, across the resistance as a function of

356 views • 7 slides
On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University

On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University

On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University of Versailles, France Inria Paris, France FSE 2019, Paris Boomerang attacks [Wagner 99] Combine differentials for two sub-ciphers: a E 0 d

634 views • 19 slides
Switch Implementation and Performance Simple switch - general purpose workstation with

Switch Implementation and Performance Simple switch - general purpose workstation with

Switch Implementation and Performance Simple switch - general purpose workstation with multiple network adapters I/O Bus Network Interface 1 CPU Network Interface 2 Main Bus Network Interface 3 Main Memory Oct. 12. 2005 CS 440

993 views • 13 slides
ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design:

Switch to Etravirine from PI-Based Regimen ETRA-SWITCH STUDY Switch to Etravirine from PI-Based Regimen ETRA-SWITCH: Design Study Design: ETRA-SWITCH Background : Open label, randomized phase 3b trial that enrolled patients with suppressed

188 views • 7 slides
CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH

SWITCH DESIGN CHAPTER II CHAPTER II-1 SWITCH DESIGN CHAPTER II SWITCH NETWORKS AND SWITCH DESIGN R.M. Dansereau; v.1.0 SWITCH NETWORKS SWITCH DESIGN SWITCH NETWORKS CHAPTER II-2 BASIC IDEAL SWITCH SWITCH DESIGN Simplest

348 views • 24 slides
Sclerosis Corinne Bohling & Lexie Williams Grand Rounds Presentation MS STEP UP

Sclerosis Corinne Bohling & Lexie Williams Grand Rounds Presentation MS STEP UP

Multiple Sclerosis Corinne Bohling & Lexie Williams Grand Rounds Presentation MS STEP UP Introduction Chronic, progressive, neurodegenerative disease of CNS Immune-mediated Body attacks myelindemyelination forms scar tissue

610 views • 44 slides
TAINTED GIFTS GIFT OR BOOMERANG? Andrew Bird and Gary Pons 5 St Andrews Hill www.5sah.co.uk

TAINTED GIFTS GIFT OR BOOMERANG? Andrew Bird and Gary Pons 5 St Andrews Hill www.5sah.co.uk

TAINTED GIFTS GIFT OR BOOMERANG? Andrew Bird and Gary Pons 5 St Andrews Hill www.5sah.co.uk October 2018 TAINTED GIFTS GIFT OR BOOMERANG? The role of Tainted Gifts in the confiscation system What is a gift? It looks

659 views • 30 slides
1 Switch: frame filtering/forwarding Switch: self-learning Source: A Dest: A When frame

1 Switch: frame filtering/forwarding Switch: self-learning Source: A Dest: A When frame

The Data Link Layer Addressing Last time Our goals: different address scheme in different link layer services understand principles layers error detection, correction behind data link layer services: multiple access

441 views • 9 slides
SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and

SDG 12.1 Reporting for SWITCH-Asia Countries Connecting the dots between actions and reporting Luz Fernandez, PhD luz.fernandezgarcia@un.org Programme Officer, RPAC SWITCH Asia What is SWITCH-Asia? SWITCH Asia I - 2007-2014 SWITCH Asia II

125 views • 10 slides
A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch

A Genetic Toggle Switch Using DNA Recombinases Michigan Synthetic Biology Team 2012 Switch Design and Modeling Mike Contemporary Bistable Switch Disadvantages The state is actively maintained Sensitive Complexity Lou et al.,

792 views • 52 slides
Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University

Switch-a-roo: engineering a photoresponsive E.colight switch Team Macquarie University Sydney, Australia What are the elements of switch -a- roo? Phytochrome Protein that binds chromophore Chromophore PDB 1ZTU

422 views • 18 slides
So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration

So Trendy, So Smart, So Switch ON ! WHO ARE WE ? S ince 1995, Switch Vibration accompanies you in the organization and animation of your events. With these many years of experience, the company, in constant evolution, has developed

504 views • 12 slides
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia

1.1k views • 51 slides
ARXtools: A toolkit for ARX analysis . . . . . . . . . . . . . . . . . . . . . . Gatan

ARXtools: A toolkit for ARX analysis . . . . . . . . . . . . . . . . . . . . . . Gatan

1 / 26 Introduction Third NIST SHA-3 conference S-system Analysis ARXtools: A toolkit for ARX analysis Differential characteristics G. Leurent (pres: P.-A. Fouque) Application ARXtools: A toolkit for ARX analysis . . . . . . . . . . . . .

721 views • 38 slides
Quantifying the incompatibility of Quantifying the incompatibility of quantum measurements

Quantifying the incompatibility of Quantifying the incompatibility of quantum measurements

Quantifying the incompatibility of Quantifying the incompatibility of quantum measurements quantum measurements relative to a basis relative to a basis Georgios Styliaris Paolo Zanardi Georgios Styliaris Paolo Zanardi arXiv: 1901.06382

737 views • 27 slides
Web Briefing for Journalists: Consumer Issues Ahead of the ACA's Second Open Enrollment Season

Web Briefing for Journalists: Consumer Issues Ahead of the ACA's Second Open Enrollment Season

11/13/2014 Web Briefing for Journalists: Consumer Issues Ahead of the ACA's Second Open Enrollment Season Thursday, November 13, 2014 Presented by the Kaiser Family Foundation During first open enrollment period, enrollment was slow to ramp up, but

270 views • 11 slides
Fiscal 2011 General Fund Ending Balance Preliminary Balance: $ 343.8 M Expected Balance: $

Fiscal 2011 General Fund Ending Balance Preliminary Balance: $ 343.8 M Expected Balance: $

General Fund Status Fiscal Year 2011 Actual/ 2013 Biennium Projected Terry W. Johnson Principal Fiscal Analyst Legislative Fiscal Division (LFD ) September 26, 2011 A report to the Revenue & Transportation Interim Committee 1

426 views • 11 slides
MicroOS Desktop Richard Brown The Road to Daily Driving MicroOS Release Engineer aka We Need

MicroOS Desktop Richard Brown The Road to Daily Driving MicroOS Release Engineer aka We Need

MicroOS Desktop Richard Brown The Road to Daily Driving MicroOS Release Engineer aka We Need YOUR HELP rbrown@opensuse.org sysrich on Freenode.net @sysrich About Me ~15 years with openSUSE & other FOSS communities >7 years

637 views • 28 slides
Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek

Ensuring Liveness Properties of Distributed Systems (A Research Agenda) Rob van Glabbeek Data61, CSIRO, Sydney, Australia University of New South Wales, Sydney, Australia September 2016 Distributed Systems systems consisting of multiple

878 views • 29 slides
Weak and Strong Compatibility in Data Fitting Problems under Interval Uncertainty Sergey P.

Weak and Strong Compatibility in Data Fitting Problems under Interval Uncertainty Sergey P.

Weak and Strong Compatibility in Data Fitting Problems under Interval Uncertainty Sergey P. Shary Institute of Computational Technologies SB RAS and Novosibirsk State University, Novosibirk, Russia E-mail: shary@ict.nsc.ru Abstract For

772 views • 31 slides
C O R P O R AT E "Success is not final; failure is not fatal: It is the courage to continue

C O R P O R AT E "Success is not final; failure is not fatal: It is the courage to continue

C O R P O R AT E "Success is not final; failure is not fatal: It is the courage to continue that counts." What is Corporate? A corporation is an organization, usually a group of people or a company, authorized to act as a single

442 views • 10 slides

More recommend