Cryptanalysis of AES-PRF and Its Dual Patrick Derbez 1 Tetsu Iwata 2 - PowerPoint PPT Presentation

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Cryptanalysis of AES-PRF and Its Dual Patrick Derbez 1 Tetsu Iwata 2 Ling Sun 3 , 4 Siwei Sun 5 Yosuke Todo 6 Haoyang Wang 4 Meiqin Wang 3 1. Univ Rennes, CNRS, IRISA, France 2. Nagoya University, Japan 3. Shandong University, China 4. Nanyang Technological University, Singapore 5. Chinese Academy of Sciences, China 6. NTT Secure Platform Laboratories, Japan FSE 2019, Paris, France @ March 25, 2019 1/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Overview 1. Background and Motivation 2. Preliminary 3. Overview of Our Attacks 4. Attacks on AES-PRF 5. Attacks on Dual-AES-PRF 6. Summary and Conclusion 2/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Background and Motivation 3/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Background Pseudorandom permutation (PRP) ◮ Main primitives in symmetric-key cryptography ◮ Ultimate security goal in the design of block ciphers ◮ Many secure block ciphers are readily available, e.g., AES 4/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Background Pseudorandom permutation (PRP) ◮ Main primitives in symmetric-key cryptography ◮ Ultimate security goal in the design of block ciphers ◮ Many secure block ciphers are readily available, e.g., AES Pseudorandom function (PRF) ◮ Invertibility is unnecessary ◮ CTR encryption mode, authenticated encryption GCM 4/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Background Pseudorandom permutation (PRP) ◮ Main primitives in symmetric-key cryptography ◮ Ultimate security goal in the design of block ciphers ◮ Many secure block ciphers are readily available, e.g., AES Pseudorandom function (PRF) ◮ Invertibility is unnecessary ◮ CTR encryption mode, authenticated encryption GCM PRP-to-PRF conversion ◮ Large efficiency costs design, e.g., Truncation, XOR of Permutations (XoP), Encrypted Davies-Meyer (EDM), The Dual of EDM (EDMD) ◮ Dedicated design with small efficiency costs, e.g., FastPRF, FastPRF K ( X ) = E K ( X ) ⊕ E 1 K ( X ) . 4/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Motivation Observations ◮ AES-PRF s,t is as efficient as AES ◮ Efficiency and cost-effectiveness comes at the cost of provable security ◮ Provable security result of EDMD no longer applies to AES-PRF Open Problems ◮ ( s, t ) = (2 , 8) is left as an open question ◮ The security of AES-PRF s,t ◮ The security of the dual version (Dual-AES-PRF) Methods ◮ ID, ZC, DC, and MITM 5/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Preliminary 6/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion AES-PRF & Dual-AES-PRF ◮ AES-PRF s,t (Mennink and Neves @ FSE 2018) key x R 1 R 2 R s R s +1 R s +2 R s + t · · · · · · ◮ Dual-AES-PRF s,t key x R s +1 R s +2 R s + t R 1 R 2 · · · R s · · · 7/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Overview of Our Attacks 8/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Attacks on AES-PRF Impossible differential/Zero-correlation attacks ( s � 2) ∆ out ∆ in ∆ out ∆ out ∆ out 0 s rounds 0 key recovery contradiction Zero-correlation distinguishers ( t � 4) t rounds 0 0 contradiction Meet-in-the-middle attacks on AES-PRF s, 7 − s 9/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Attacks on Dual-AES-PRF Impossible differential/Zero-correlation attacks ( t � 2) ∆ in ∆ in ∆ in ∆ in ∆ out 0 t rounds 0 contradiction key recovery Differential attacks ( s � 4) ∆ in ∆ in ∆ in ∆ in 0 0 s rounds key recovery 10/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Attacks on AES-PRF 11/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Impossible Differential Attack for AES-PRF 2 , 8 K 0 K 1 SB SR MC x I x S x R x M P 1 1 1 1 ∆ out MC − 1 ( K 2 ) ∆ in ∆ out ∆ out 0 ∆ out s rounds 0 SB SR key recovery contradiction x I x S x R x E 2 2 2 3 MC F MC − 1 MC C 12/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Zero-Correlation Linear Attack for AES-PRF 2 , 8 ∆ out Γ out ∆ in ∆ out ∆ out ∆ out 0 s rounds Γ in Γ out 0 Γ out Γ out key recovery contradiction SR − 1 ◦ MC − 1 ( K 2 ) K 0 K 1 SB SR MC SB x I x S x R x M x I x S P 1 1 1 1 2 2 SR MC 8 rounds SR MC MC − 1 SR − 1 C ′ = SR − 1 ◦ MC − 1 ( C ) C 13/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Distinguishers against AES-PRF 7 , 3 & AES-PRF 6 , 4 ZC Distinguisher for AES 3 SB SR MC Non-zero Mask SB SR MC Unknown Mask Zero Mask Contradiction SB SR Γ out t rounds 0 0 Γ out Γ out Γ out ZC Distinguisher for AES 4 contradiction SB SR MC SB SR MC Non-zero Mask Contradiction Unknown Mask SB SR MC Zero Mask SB SR 14/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Attack against AES-PRF 3 , 4 AK SB SR MC AK SB SR MC AK SB SR MC AK SB SR MC ◮ The number of possible sequences: (2 8 ) 255 = 2 2040 − → (2 8 ) 25 = 2 200 x I x R x I x R x I x R x I x R 1 1 2 2 3 3 4 4 P x I x R x I x R x I x R x I 5 5 6 6 7 7 8 C 15/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Attacks on Dual-AES-PRF 16/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Impossible Differential Attack for Dual-AES-PRF 2 , 8 ∆ in ∆ in ∆ in 0 ∆ in ∆ out t rounds 0 contradiction key recovery 8 rounds P 2 2 2 2 = MC − 1 ( K EK ) K 10 9 9 1 1 1 1 SB SR MC SB SR x S x E x I C 9 9 1 0 17/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Zero-correlation attack for Dual-AES-PRF 8 , 2 ∆ in Γ in ∆ in ∆ in ∆ in ∆ out 0 t rounds 0 Γ in Γ in Γ out Γ in contradiction key recovery SR 8 rounds SR − 1 SR SR ( P ) P MC − 1 ( K 9 ) K 10 SB MC SB SR S B − 1 ( x R x R x E x I x S x R 9 ) C 9 9 10 10 10 18/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Differential Attack for Dual-AES-PRF 4 , 6 EK 1 K 0 SB SR MC x I x S x R x E x O P 1 1 1 1 1 EK 2 SB SR MC x I x S x R x E x O ∆ in 2 2 2 2 2 ∆ in ∆ in ∆ in 0 0 K 3 s rounds SB SR MC key recovery x I x S x R x M x O 3 3 3 3 3 K 4 SB SR MC x I x S x R x M x O 4 4 4 4 4 6 rounds C 19/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Summary and Conclusion 20/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Summary Target Time Data Memory Method Ref s t 2 67 CP 2 101 2 67 1 * ID AES-PRF @FSE 2017 * 1 Statistics − − − 2 71 CP 2 71 2 64 1 * ID 2 103 . 34 KP 2 122 . 49 2 96 1 * ZC 2 94 CP 2 94 2 88 2 * ID 2 115 . 06 KP AES-PRF 2 115 . 14 2 65 Our Results 2 * ZC 2 84 . 96 KP 2 84 . 96 2 84 . 96 * 3 ZC distinguisher 2 96 . 95 KP 2 96 . 95 2 64 * 4 ZC distinguisher 2 107 CP 2 107 2 104 s 7 − s MitM 2 71 CP 2 71 2 64 * 1 ID 2 103 . 34 KP 2 122 . 49 2 96 * 1 ZC 2 104 CP 2 104 2 72 * 2 ID Dual-AES-PRF Our Results 2 115 . 06 KP 2 115 . 14 2 65 * 2 ZC 2 97 CP 2 97 2 32 3 * Differential 2 121 CP 2 121 2 8 4 * Differential 21/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Conclusion ◮ Comparison between AES-PRF and Dual-AES-PRF ◮ The security of AES-PRF is higher than Dual-AES-PRF from the applicability of differential attacks. ◮ Both AES-PRF and Dual-AES-PRF have only one round as the security margin. ◮ Choice of the parameter ◮ The balanced case AES-PRF 5 , 5 is certainly a natural choice of the design. ◮ However, our results indicate that ( s, t ) = (4 , 6) for AES-PRF is potential to be more secure, since the margin with respect to the attacked rounds becomes larger. R 1 R 2 R 3 R 4 R 5 R 6 R 7 R 8 R 9 R 10 4 rounds 6 rounds 22/23

Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion Thank you for your attention! Thank the anonymous FSE 2019 reviewers and Samuel Neves for careful reading and many helpful comments. Thank all the group members at ASK 2017 for the fruitful discussion. 23/23