[PPT] - COSIC COSIC Korea University K.U. Leuven FSE 2007 PowerPoint Presentation

SLIDE 1

Korea University

COSIC COSIC

K.U. Leuven

Related-Key Rectangle Attacks on Reduced AES-192 and AES-256

Jointly worked with Seokhie Hong and Bart Preneel,

Speaker: Jongsung Kim

FSE 2007 in Luxembourg, 2007/Mar./26~28

SLIDE 2

FSE 2007 CIST and COSIC

Motivations of this work (1)

One of the important issues on block ciphers is to evaluate the security of the Advanced Encryption Standard (AES). The main motivation of this work is on the previous best known attack on AES-192 (related-key rectangle attack on 9-round AES-192).

▬

it starts from round 2. ▬ it is based on two consecutive related-key truncated differentials; the second one holds with probability one. ▬

ur work starts from the question: “what if the related-key

rectangle attack is applied from round 0 and uses two consecutive related-key truncated differentials with probabilities less than one?”

SLIDE 5

FSE 2007 CIST and COSIC

Motivations of this work (2)

If we apply the related-key rectangle attack to AES- 192 from round 0 and use two consecutive related- key truncated differentials with probabilities less than one, then we would be able to obtain 10-round AES-192 attack.

▬ the first differential: rounds 1~4 (4 rounds) ▬ the second differential: rounds 5~8 (4 rounds)

(Comparison) Previous 9-round AES-192 attack:

▬ the first differential: rounds 4~6 (3 rounds) ▬ the second differential: rounds 7~9 (3 rounds)

SLIDE 6

FSE 2007 CIST and COSIC

Related-Key Rectangle Attack Related-Key Rectangle Attack

This attack has been introduced in ACISP’04 and Eurocrypt’05. In this attack there exist several related-key rectangle distinguishers:

▬ 2 related-key based distinguisher ▬ 4 related-key based distinguisher ▬ related-key structure based distinguisher

SLIDE 9

FSE 2007 CIST and COSIC

Related-Key Rectangle Related-Key Rectangle Distinguisher (1) Distinguisher (1)

1

P

k

1

C

2

P α

*

k

2

C

k Δ

3

P

' k ' k Δ

3

C α

4

P

*

' k k Δ ' k Δ

4

C D ∈ δ D ∈ ' δ

Check

? ] ' , , | Pr[ = Δ Δ k k D α

. For the cipher :

E

SLIDE 10

FSE 2007 CIST and COSIC

Related-Key Rectangle Related-Key Rectangle Distinguisher (2) Distinguisher (2)

) , , ( k p Δ β α ) ' , , ( k D q Δ γ ) ' , , ( k D q Δ γ

1

P

1

C α

2

P

2

C D ∈ δ

3

C

3

P D ∈ ' δ

4

C

4

P α β γ β

γ

k

E

*

k

E

' k

E

*

' k

E

*

' 1 k

E

' 1 k

E

k

E

1

*

1 k

E

n −

2

Check

) , , ( k p Δ β α

SLIDE 11

FSE 2007 CIST and COSIC

Related-Key Rectangle Related-Key Rectangle Distinguisher (3) Distinguisher (3)

For a random cipher:
If , then the related-key rectangle

distinguisher works.

2 2

| | 2 ] ' , , | Pr[ D k k D

n ⋅

= Δ Δ

−

α

∑ ∑ ∑

Δ = Δ = ⋅ ⋅ = Δ ⋅ Δ ⋅ = Δ Δ

− − γ β γ β

γ β α γ β α α ) ' , , ( ˆ , ) , , ( ˆ , ˆ ˆ 2 ) ' , , ( ) , , ( 2 ] ' , , | Pr[

2 2 2 2 2 , 2

k D q q k p p where q p k D q k p k k D

n n

For the cipher:

E

2 2 2 2

ˆ ˆ 2 2 | |

n n

p q D

− −

⋅ ⋅ ≥ ⋅

SLIDE 12

FSE 2007 CIST and COSIC

Description of AES-192 Description of AES-192

AES-192 is a 128-bit block cipher with a 192-bit key and 12 rounds. One round of AES-192 is composed of

▬ a nonlinear layer SubBytes (SB) ▬ three linear layers ShiftRows (SR), MixColumns (MC) and AddRoundKey (ARK)

Before the first round, an extra ARK step is applied, called a whitening key step, and MC is

mitted in the last round.

SLIDE 14

FSE 2007 CIST and COSIC

Key Schedule of AES-192 Key Schedule of AES-192

SLIDE 15

FSE 2007 CIST and COSIC

Strategy of Our Attacks on Strategy of Our Attacks on 10-Round AES-192 10-Round AES-192

Treat 10-round AES-192 as a cascade of four sub-ciphers Eb, E0,

E1, Ef.

▬ Eb: round 0 including the whitening key addition step and excluding the key addition step of round 0 ▬ E0: rounds 1-4 including the key addition step of round 0 ▬ E1: rounds 5-8 ▬ Ef: round 9

Construct related-key truncated differentials on E0 and E1 to
btain a 8-round related-key rectangle distinguisher for E1◦ E0.
Recover 112 bits of the keys in Eb and Ef by checking that

plaintext quartets satisfy our rectangle distinguisher.

SLIDE 16

FSE 2007 CIST and COSIC

Slow Difference Propagation of Slow Difference Propagation of the Key Schedule of AES-192 the Key Schedule of AES-192

We can use 256 related keys to make 3-round key differences and satisfying and . It allows to construct two consecutive 4-round related-key differentials with high probabilities.

SLIDE 17

FSE 2007 CIST and COSIC

The First Related-Key Differential and The First Related-Key Differential and the Preceding differential the Preceding differential

b

E

b

E

b

E

b

E

2 * * 32 7 2 7 32 32 6 2 32 39 5 5 5 5

ˆ Pr[ ' ' ] (2 2 ) (2 2) 2 (2 2 ) 2 2 p I I I I

− − − − −

= ⊕ = ⊕ = ⋅ ⋅ − ⋅ + ⋅ ⋅ ≈

SLIDE 18

FSE 2007 CIST and COSIC

The Second Related-Key Differential The Second Related-Key Differential and the follow ing differential and the follow ing differential

Difference b goes to difference a through S-box in the third column
f the fourth round.
For AES-192, the rectangle probability is
For a random cipher, the rectangle probability is

f

E

1

E

2 * * 64 64 64 64 6 6 6 6

ˆ Pr[ ' ' ] (2 2 ) 2 2 q I I I I

− − −

= ⊕ = ⊕ = ⋅ ⋅ =

2 2 128 231

ˆ ˆ 2 2 . p q

− −

⋅ ⋅ =

128 2 242

(2 127) 2 .

− −

⋅ =

SLIDE 19

FSE 2007 CIST and COSIC

Complexity of Our 10-round Complexity of Our 10-round AES-192 Attack AES-192 Attack

Number of required related keys = 256 Data complexity = 2125 related-key chosen plaintexts Time complexity = 2182 encryptions Success rate = 0.99 We can reduce the number of required related keys from 256 to 64 with almost the same attack complexity.

SLIDE 20

FSE 2007 CIST and COSIC

Other Cryptanalytic Results

Using two related keys we can attack 8-round AES-192 and using four related keys we can attack 9-round AES-256. We point out some flaw in the previous 9-round AES-192 attack, show how to fix it and enhance the attack in terms of the number of related keys.

SLIDE 22

FSE 2007 CIST and COSIC

Conclusion

SLIDE 23

FSE 2007 CIST and COSIC

Thank you for your attention

SLIDE 24

FSE 2007 CIST and COSIC

Brief Discripton Brief Discripton of Our 10-

f Our 10-

round AES-192 Attack round AES-192 Attack

Encrypt lots of chosen plaintexts such that about 32 plaintext quartets are expected to satisfy our rectangle distinguisher. Filter out all the obtained ciphertext quartets that do not satisfy our desired differences, Guess some portions of the key in Eb, Ef. With the guessed key, partially encrypt plaintext quartets and partially decrypt corresponding ciphertext quartets to check if the quartets follow our rectangle distinguisher. Output a guessed key such that at least 16 quartets follow our rectangle distinguisher.

10

' . I Δ

SLIDE 25

FSE 2007 CIST and COSIC

Notation Notation

* *

' ' '

i i i i i

K K K K K ⊕ = ⊕ = Δ

* *

' '

i i i i

K K K K K

i

⊕ = ⊕ = Δ

* *

' '

i i i i

I I I I I

i

⊕ = ⊕ = Δ

* *

' ' '

i i i i i

I I I I I ⊕ = ⊕ = Δ

COSIC COSIC Korea University K.U. Leuven FSE 2007 - - PowerPoint PPT Presentation

COSIC COSIC

Contents

Contents

Motivations of this work (1)

Motivations of this work (2)

Contents

Related-Key Rectangle Attack Related-Key Rectangle Attack

Related-Key Rectangle Related-Key Rectangle Distinguisher (1) Distinguisher (1)

Related-Key Rectangle Related-Key Rectangle Distinguisher (2) Distinguisher (2)

Related-Key Rectangle Related-Key Rectangle Distinguisher (3) Distinguisher (3)

∑ ∑ ∑

Contents

Description of AES-192 Description of AES-192

Key Schedule of AES-192 Key Schedule of AES-192

Strategy of Our Attacks on Strategy of Our Attacks on 10-Round AES-192 10-Round AES-192

Complexity of Our 10-round Complexity of Our 10-round AES-192 Attack AES-192 Attack

Contents

Other Cryptanalytic Results

Conclusion

Thank you for your attention

Brief Discripton Brief Discripton of Our 10-

round AES-192 Attack round AES-192 Attack

Notation Notation