Cryptanalysis of AES-PRF and Its Dual (Patrick Derbez, Tetsu Iwata, Ling Sun, Siwei Sun, Yosuke Todo, Haoyang Wang, Meiqin Wang) - PowerPoint PPT Presentation

SLIDE 1

1/23 Motivation Preliminary Overview Attacks on AES-PRF Attacks on Dual-AES-PRF Conclusion

Cryptanalysis of AES-PRF and Its Dual

Patrick Derbez (1), Tetsu Iwata (2), Ling Sun (3,4), Siwei Sun (5), Yosuke Todo (6), Haoyang Wang (4), Meiqin Wang (3)

  • 1. Univ Rennes, CNRS, IRISA, France
  • 2. Nagoya University, Japan
  • 3. Shandong University, China
  • 4. Nanyang Technological University, Singapore
  • 5. Chinese Academy of Sciences, China
  • 6. NTT Secure Platform Laboratories, Japan

FSE 2019, Paris, France @ March 25, 2019

SLIDE 2

Overview

  • 1. Background and Motivation
  • 2. Preliminary
  • 3. Overview of Our Attacks
  • 4. Attacks on AES-PRF
  • 5. Attacks on Dual-AES-PRF
  • 6. Summary and Conclusion

SLIDE 3

Background and Motivation

SLIDE 4-6

Background

Pseudorandom permutation (PRP)

  • The main primitive of symmetric-key cryptography
  • The ultimate security goal in the design of a block cipher
  • Many secure block ciphers are readily available, e.g., AES

Pseudorandom function (PRF)

  • Invertibility is unnecessary in many applications
  • Examples: the CTR encryption mode and the authenticated encryption mode GCM

PRP-to-PRF conversion

  • Generic constructions with a large efficiency cost, e.g., truncation, XOR of Permutations (XoP), Encrypted Davies-Meyer (EDM), and the dual of EDM (EDMD)
  • Dedicated designs with a small efficiency cost, e.g., FastPRF, FastPRF_K(X) = E_K(X) ⊕ E^1_K(X): the full output of E_K XORed with an intermediate state E^1_K(X) of the same computation, so the PRF costs essentially one block-cipher call.
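
Written out (added here for reference; these are the standard definitions of the constructions the slide names, not text from the slides; $E_{K_1}, E_{K_2}$ are independently keyed block ciphers, $\mathrm{Trunc}_m$ keeps $m$ output bits, and $E_K = E^2_K \circ E^1_K$ splits one cipher into a first and a second part):

\[
\begin{aligned}
\text{Truncation:}\quad & \mathrm{Trunc}_m\big(E_K(X)\big), \\
\text{XoP:}\quad & E_{K_1}(X) \oplus E_{K_2}(X), \\
\text{EDM:}\quad & E_{K_2}\big(E_{K_1}(X) \oplus X\big), \\
\text{EDMD:}\quad & E_{K_2}\big(E_{K_1}(X)\big) \oplus E_{K_1}(X), \\
\text{FastPRF:}\quad & E_K(X) \oplus E^1_K(X) \;=\; E^2_K\big(E^1_K(X)\big) \oplus E^1_K(X).
\end{aligned}
\]

FastPRF is therefore EDMD with the two independent ciphers replaced by the two parts of a single keyed cipher; the EDMD proof assumes independent permutations, which is why it does not carry over. The dual construction discussed later replaces the EDMD shape by the EDM shape, feeding the input rather than the intermediate state forward.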

SLIDE 7

Motivation

Observations

  • AES-PRF_{s,t} is as efficient as AES
  • This efficiency and cost-effectiveness comes at the cost of provable security
  • The provable-security result for EDMD no longer applies to AES-PRF (the EDMD proof assumes two independent permutations, whereas the two parts of AES-PRF share one AES key)

Open Problems

  • (s, t) = (2, 8) is left as an open question
  • The security of AES-PRF_{s,t} in general
  • The security of the dual version (Dual-AES-PRF)

Methods

  • Impossible differential (ID), zero-correlation linear (ZC), differential (DC), and meet-in-the-middle (MITM) attacks

SLIDE 8

Preliminary

SLIDE 9

AES-PRF & Dual-AES-PRF

  • AES-PRF_{s,t} (Mennink and Neves @ FSE 2018)

    [Figure: x ⊕ key → R1 → R2 → ... → Rs → Rs+1 → Rs+2 → ... → Rs+t, where the Ri are the AES rounds and s + t = 10; the state after round Rs is fed forward and XORed into the output of round Rs+t to form the PRF output.]

  • Dual-AES-PRF_{s,t}

    [Figure: the same chain R1 ... Rs, Rs+1 ... Rs+t; here the input x is fed forward and XORed into the state after round Rs, and the result goes through Rs+1 ... Rs+t to form the output.]
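
As an added worked example (this is not code from the paper or the slides), the following Python builds AES-128 round by round and puts the two constructions on top of it exactly where the figures above place the feed-forward. The AES primitives are the standard FIPS-197 ones; what is assumed is the read-off of the figures: X_s is the state after the round-s key addition, AES-PRF XORs X_s into the ciphertext, and Dual-AES-PRF XORs the raw input x (not x ⊕ K_0) into X_s before round s+1. The demo at the bottom checks AES against the FIPS-197 test vector and shows the two degenerate endpoints of the parameter range: s = 10 zeroes AES-PRF, and s = 0 turns the dual into a constant.

```python
"""AES-128 round by round, with AES-PRF_{s,t} and Dual-AES-PRF_{s,t} on top.

Added example, not the authors' code.  Conventions (s + t = 10):
  X_0 = x xor K_0,  X_r = round r applied to X_{r-1}   (round 10 has no MixColumns)
  AES-PRF_{s,t}(x)      = X_10 xor X_s              feed the round-s state to the output
  Dual-AES-PRF_{s,t}(x) = R_{s+1..10}(X_s xor x)    feed the input x into the round-s state
The placement of the feed-forward relative to the key additions is read off the
slide figures and is an assumption of this example.
"""


def _xtime(b):
    """Multiply by x in GF(2^8), reduction polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def _gmul(a, b):
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _make_sbox():
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine map."""
    def rot(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):      # x^254 = x^-1 in GF(2^8)*
                inv = _gmul(inv, x)
        box.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return box


SBOX = _make_sbox()


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def _shift_rows(st):
    # byte i of the state sits at row i % 4, column i // 4 (FIPS-197 column-major
    # order); row r is rotated left by r positions
    return bytes(st[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))


def _mix_columns(st):
    out = bytearray(16)
    for c in range(4):
        a = st[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (_gmul(2, a[r]) ^ _gmul(3, a[(r + 1) % 4])
                              ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return bytes(out)


def expand_key(key):
    """AES-128 key schedule: the 11 round keys K_0 .. K_10, 16 bytes each."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                # RotWord, SubWord, Rcon
            t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
            rcon = _xtime(rcon)
        w.append(_xor(w[i - 4], t))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def aes_round(st, rk, last=False):
    """One AES round: SubBytes, ShiftRows, MixColumns (skipped in round 10), AddRoundKey."""
    st = _shift_rows(bytes(SBOX[b] for b in st))
    if not last:
        st = _mix_columns(st)
    return _xor(st, rk)


def aes_states(key, x):
    """The states X_0 .. X_10 of AES-128_K(x); X_10 is the ciphertext."""
    rks = expand_key(key)
    states = [_xor(x, rks[0])]
    for r in range(1, 11):
        states.append(aes_round(states[-1], rks[r], last=(r == 10)))
    return states


def aes_encrypt(key, x):
    return aes_states(key, x)[10]


def aes_prf(key, x, s):
    """AES-PRF_{s,10-s}: XOR the state after round s into the AES output."""
    st = aes_states(key, x)
    return _xor(st[10], st[s])


def dual_aes_prf(key, x, s):
    """Dual-AES-PRF_{s,10-s}: XOR the input x into the state after round s,
    then run the remaining 10 - s rounds."""
    rks = expand_key(key)
    st = _xor(x, rks[0])
    for r in range(1, 11):
        if r == s + 1:
            st = _xor(st, x)
        st = aes_round(st, rks[r], last=(r == 10))
    return _xor(st, x) if s == 10 else st     # t = 0: the feed-forward lands on the output


if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 Appendix C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes_encrypt(key, pt).hex())                        # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(aes_prf(key, pt, 5).hex(), dual_aes_prf(key, pt, 5).hex())
    # degenerate parameter choices: s = 10 zeroes AES-PRF, s = 0 makes the dual constant
    print(aes_prf(key, pt, 10) == bytes(16), dual_aes_prf(key, pt, 0) == aes_encrypt(key, bytes(16)))
```

Running it prints the FIPS-197 ciphertext, the two PRF outputs for the balanced (5,5) parameters, and `True True` for the two degenerate cases. The degenerate cases are the extreme form of what the rest of the deck quantifies: the closer the feed-forward sits to one end of the cipher, the less of AES actually separates the two branches, which is why small s (for AES-PRF) and small t (for the dual) are the attackable corners in the summary table.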

SLIDE 10

Overview of Our Attacks

SLIDE 11

Attacks on AES-PRF

Impossible differential / zero-correlation attacks (s ≤ 2)

  [Figure: Δin → (s rounds) → Δout, with the same Δout at the output of the t rounds and at C. Reading of the figure: if the s-round differential Δin → Δout holds and the output difference is also Δout, the t-round part would have to map the non-zero difference Δout to zero, which is impossible for a permutation; the contradiction is used for key recovery on the s rounds.]

Zero-correlation distinguishers (t ≤ 4)

  [Figure: a zero-correlation linear hull over the t rounds, with the contradiction in the middle.]

Meet-in-the-middle attacks on AES-PRF_{s,7−s}

SLIDE 12

Attacks on Dual-AES-PRF

Impossible differential / zero-correlation attacks (t ≤ 2)

  [Figure: Δout at C, Δin at the plaintext, on the feed-forward wire and at the input of the t rounds. Reading of the figure: a plaintext difference Δin together with the same difference Δin at the input of the t rounds would require a zero difference after the s rounds, which is impossible for a permutation; the contradiction is used for key recovery on the t rounds.]

Differential attacks (s ≤ 4)

  [Figure: Δin → (s rounds) → Δin. Reading of the figure: when the s-round differential Δin → Δin holds, the feed-forward of x cancels the difference at the input of the t rounds, so the two outputs collide; key recovery follows.]

SLIDE 13

Attacks on AES-PRF

SLIDE 14

Impossible Differential Attack for AES-PRF_{2,8}

  [Overview figure: Δin → (s rounds) → Δout, the same Δout through the t rounds and at C; contradiction, key recovery on the s rounds.]

  [Attack figure: the s = 2 key-recovery rounds. P ⊕ K_0 = x^I_1 → SB → x^S_1 → SR → x^R_1 → MC → x^M_1 → ⊕ K_1 = x^I_2 → SB → x^S_2 → SR → x^R_2 → ⊕ MC^{-1}(K_2) = x^E_3 → MC; the round-2 key addition is moved before MixColumns using the equivalent key MC^{-1}(K_2). The 8-round part F follows; MC and MC^{-1} are commuted through the feed-forward XOR so that C can be considered before the last MixColumns of the key-recovery part.]

SLIDE 15

Zero-Correlation Linear Attack for AES-PRF_{2,8}

  [Overview figure: as on slide 11, with linear masks instead of differences: Γin at the input of the s rounds and Γout after the s rounds, through the t rounds and at C.]

  [Attack figure: P ⊕ K_0 = x^I_1 → SB → x^S_1 → SR → x^R_1 → MC → x^M_1 → ⊕ K_1 = x^I_2 → SB → x^S_2 → ⊕ SR^{-1}∘MC^{-1}(K_2) → SR → MC → (8 rounds) → MC^{-1} → SR^{-1}; the output is taken as C' = SR^{-1}∘MC^{-1}(C), i.e., the final SR and MC are peeled off the feed-forward branch and the output alike.]

SLIDE 16

Distinguishers against AES-PRF_{7,3} & AES-PRF_{6,4}

  [Overview figure: zero-correlation linear hull with masks Γout over the t rounds, contradiction in the middle.]

  ZC distinguisher for AES3 (3 AES rounds): SB SR MC | SB SR MC | SB SR
  ZC distinguisher for AES4 (4 AES rounds): SB SR MC | SB SR MC | SB SR MC | SB SR
  (Legend of the mask figures: contradiction, non-zero mask, unknown mask, zero mask.)

SLIDE 17

Attack against AES-PRF_{3,4}

  [Figure: the meet-in-the-middle attack over the rounds AK SB SR MC | AK SB SR MC | AK SB SR MC | AK SB SR MC, with the states x^I_i (round input) and x^R_i (after ShiftRows) for i = 1..8, ending at C.]

  • Number of possible sequences: a priori (2^8)^255 = 2^2040; since the 255-byte sequence is determined by 25 byte parameters, only (2^8)^25 = 2^200 sequences can actually occur.

SLIDE 18

Attacks on Dual-AES-PRF

SLIDE 19

Impossible Differential Attack for Dual-AES-PRF_{2,8}

  [Overview figure: Δout at C, Δin at the plaintext, on the feed-forward wire and at the input of the t rounds; contradiction, key recovery on the t rounds.]

  [Attack figure: the 8-round part from P, then the t = 2 key-recovery rounds written with the states x^S_9, x^E_9, x^I_10, the equivalent key EK_9 = MC^{-1}(K_9) (added before MixColumns) and K_10, ending at C; the SB, SR and MC layers of rounds 9 and 10 are shown with the active byte positions labelled 1 and 2.]

SLIDE 20

Zero-correlation attack for Dual-AES-PRF_{8,2}

  [Overview figure: as on slide 12 with linear masks: Γin at the plaintext, on the feed-forward wire and at the input of the t rounds, Γout at C.]

  [Attack figure: P → (8 rounds); the t = 2 key-recovery rounds SB^{-1}(x^R_9) → SB → x^R_9 → ⊕ MC^{-1}(K_9) → x^E_9 → MC → x^I_10 → SB → x^S_10 → SR → x^R_10 → ⊕ K_10 → C; the feed-forward is taken as SR(P), with SR^{-1} applied on the other side, so that the last ShiftRows is peeled off.]

SLIDE 21

Differential Attack for Dual-AES-PRF_{4,6}

  [Overview figure: Δin → (s rounds) → Δin; key recovery.]

  [Attack figure: the s = 4 rounds with the states x^I_i (round input), x^S_i (after SB), x^R_i (after SR), x^M_i (after MC), x^E_i (after an equivalent-key addition) and x^O_i (round output), i = 1..4: P ⊕ K_0 = x^I_1 → SB → x^S_1 → SR → x^R_1 → ⊕ EK_1 → x^E_1 → MC → x^O_1 → ... Rounds 1 and 2 use the equivalent keys EK_1, EK_2 (MC^{-1} of the round keys, added before MixColumns); rounds 3 and 4 use K_3, K_4 added after MixColumns (x^M_i → ⊕ K_i → x^O_i). The 6 remaining rounds then lead to C.]

SLIDE 22

Summary and Conclusion

SLIDE 23

Summary

Target        s    t      Time        Data           Memory     Method             Ref
AES-PRF       1    *      2^101       2^67 CP        2^67       ID                 @FSE 2017
AES-PRF       *    1      -           -              -          Statistics         @FSE 2017
AES-PRF       1    *      2^71        2^71 CP        2^64       ID                 Our results
AES-PRF       1    *      2^122.49    2^103.34 KP    2^96       ZC                 Our results
AES-PRF       2    *      2^94        2^94 CP        2^88       ID                 Our results
AES-PRF       2    *      2^115.14    2^115.06 KP    2^65       ZC                 Our results
AES-PRF       *    3      2^84.96     2^84.96 KP     2^84.96    ZC distinguisher   Our results
AES-PRF       *    4      2^96.95     2^96.95 KP     2^64       ZC distinguisher   Our results
AES-PRF       s    7-s    2^107       2^107 CP       2^104      MitM               Our results
Dual-AES-PRF  *    1      2^71        2^71 CP        2^64       ID                 Our results
Dual-AES-PRF  *    1      2^122.49    2^103.34 KP    2^96       ZC                 Our results
Dual-AES-PRF  *    2      2^104       2^104 CP       2^72       ID                 Our results
Dual-AES-PRF  *    2      2^115.14    2^115.06 KP    2^65       ZC                 Our results
Dual-AES-PRF  3    *      2^97        2^97 CP        2^32       Differential       Our results
Dual-AES-PRF  4    *      2^121       2^121 CP       2^8        Differential       Our results

(* = the attack applies for any value of the other parameter, s + t = 10; CP = chosen plaintexts, KP = known plaintexts; the MitM row attacks s + t = 7 rounds in total.)

SLIDE 24

Conclusion

  • Comparison between AES-PRF and Dual-AES-PRF
      • The security of AES-PRF is higher than that of Dual-AES-PRF with respect to the applicability of differential attacks.
      • Both AES-PRF and Dual-AES-PRF have only one round of security margin.
  • Choice of the parameter
      • The balanced case AES-PRF_{5,5} is certainly a natural choice for the design.
      • However, our results indicate that (s, t) = (4, 6) has the potential to be more secure for AES-PRF, since the margin with respect to the attacked rounds becomes larger.

  [Figure: AES-PRF_{4,6}: rounds R1 R2 R3 R4 (4 rounds) followed by R5 R6 R7 R8 R9 R10 (6 rounds).]

SLIDE 25

Thank you for your attention!

We thank the anonymous FSE 2019 reviewers and Samuel Neves for their careful reading and many helpful comments, and all the group members at ASK 2017 for the fruitful discussion.