cryptanalysis of c2

Cryptanalysis of C2 Julia Borghoff, Lars R. Knudsen, Gregor Leander, - PowerPoint PPT Presentation


  1. Outline C2 - description Attack scenarios Conclusion Cryptanalysis of C2 Julia Borghoff, Lars R. Knudsen, Gregor Leander, Krystian Matusiewicz CRYPTO 2009 1 / 19

  2. Outline
     1. C2 - description
     2. Attack scenarios
        - The S-box recovery attack
        - Key recovery attack
        - Key and S-box recovery attack
     3. Conclusion

  3. The block cipher C2
     - 64-bit block cipher with 56-bit key
     - 8-to-8 S-box is kept secret ⇒ 2048 additional secret bits
     - 10-round Feistel cipher
     - Designed by 4C Entity (IBM, Intel, Matsushita and Toshiba)
     - Used in CPRM/CPPM Digital Rights Management scheme (DVD-Audio, SD-cards)

  4. C2: round function
     - 10 Feistel rounds
     - [Figure: one Feistel round from $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$; diagram labels: $C$, $rk_i$, 2, 9, 5, 22, 1, $S$]

  14. C2: round function
     - The GF(2)-linear part is not relevant for the attack
     - [Figure: one Feistel round from $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$; diagram labels: $rk_i$, GF(2)-linear function, $S$]

  15. C2: key scheduling
     - Produces 10 round keys $rk_i$ out of 56-bit master key $K$
     - [Figure: key schedule; diagram labels: $K$, $17 \cdot i$, 56, $16i$, $S$, 32, $rk_i$]

  16. Possible attacks
     - There are three possible attack scenarios:
     - Scenario 1: provided we can set the key and query the device, recover the S-box
     - Scenario 2: provided we can query the device and know the S-box, recover the secret key
     - Scenario 3: provided we can query the device, recover the S-box and secret key

  17. Previous work
     - Japanese distributed cracking effort in 2004. Brute force over key space for a guessed S-box. Guess was wrong and the project failed.
     - Algebraic S-box recovery attack for 8 out of 10 rounds (R.-P. Weinmann).

  18. Complexity
     - The three attacks and their complexities:
     - Scenario 1: provided we can set key + query device, recover S-box; complexity $2^{24}$
     - Scenario 2: provided we can query device + know S-box, recover key; complexity $2^{48}$
     - Scenario 3: provided we can query the device, recover S-box + key; complexity $2^{53.5}$

  19. Idea of attack 1
     - One encryption generates 20 inputs to the S-box: 10 in the key schedule, 10 in the encryption algorithm
     - There are $2^{20 \times 8} = 2^{160}$ possibilities if we guess the S-box entries.
     - Try to minimize the S-box entries we have to guess

  20. Outline of the attack 1
     - Preprocessing phase
        - Construct: master keys which generate only 3 distinct S-box inputs in key schedule
        - Trial & Error: find plaintexts which generate only the same 3 S-box inputs in first 7 rounds
     - Online phase
        - Encrypt each plaintext (one plaintext for each guess of the S-box outputs)
        - Test: check if the ciphertext after 7 rounds is the expected. If yes, determine 3 S-box entries.

  21. Master key
     - Fix the master key to 0x40, 0x84, 0x88, 0x40, 0x02, 0x80, 0x09.
     - This key generates only the inputs 0x88, 0x04, 0x27, 0x27, 0x04, 0x04, 0x27, 0x27, 0x88, 0x88 to the S-box in the key schedule.

  22. Generating plaintexts
     - Fix the input to the S-boxes of 4 rounds
     - [Figure: four Feistel rounds from $(L_0, R_0)$ to $(L_4, R_4)$; diagram labels per round: $X_i$, $C$, $rk_i$, GF(2)-linear function, $S$, for $i = 0, \dots, 3$]

  23. Generating plaintexts
     - Calculate backwards
     - [Figure: one Feistel round from $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$; diagram labels: $X_i$, $C$, $rk_i$, GF(2)-linear function, $R_{i,0 \cdots 7}$, $S$]

  24. Generating plaintexts
     - For every 8-bit vector $z$ holds $F(X \oplus (z \ll 23))_{0..7} = F(X)_{0..7} \oplus z$
     - $F$ maps $X_i$ to $U_i$
     - [Figure: one Feistel round from $(L_i, R_i)$ to $(L_{i+1}, R_{i+1})$; diagram labels: $U_i$, $X_i$, $C$, $rk_i$, 2, 9, 5, 22, 1, $S$]

  26. Generating plaintexts
     - Find $z_1$ and $z_2$
     - [Figure: four Feistel rounds from $(L_0, R_0)$ to $(L_4, R_4)$, annotated with $F(X_1 \oplus (z_1 \ll 23))$ and $F(X_2 \oplus (z_2 \ll 23))$; diagram labels: $X_0, \dots, X_3$, $C$, $rk_0, \dots, rk_3$, GF(2)-linear function, 2, 9, 5, 22, 1, $S$]

  27. Generating plaintexts
     - Choose $L'_2 = (X_1 \oplus (z_1 \ll 23) \oplus C) \boxminus rk_1$ and $R'_2 = (X_2 \oplus (z_2 \ll 23) \oplus C) \boxminus rk_2$
     - Decrypt 2 rounds, then the plaintext will satisfy the condition for 4 rounds.
     - Complexity of generating a plaintext that also fits in round 5-7 is $\left(\frac{256}{3}\right)^3 = 2^{19}$ encryptions by trial-and-error.

  28. Attacking a device
     - Encrypt every plaintext
     - Check whether ciphertext after 7 rounds is the expected one (three round test)
     - If yes, 3 S-box entries are recovered
     - Find plaintext which does not use unknown S-box entries in first 6 rounds and recover S-box entries of remaining rounds
     - Complexity (in encryptions): $2^{24}$ for the first 3 entries, $2^{20}$ for the remaining entries

  29. Outline of attack 2
     - Find a characteristic for en- and decryption independent of the S-box with high probability
     - Use this characteristic to build a boomerang
     - Mount boomerang attack to recover parts of the first round key

  30. Characteristics
     - S-box and modular addition are nonlinear over GF(2)
     - Differential behavior of the S-box may vary
     - Search for characteristic in the linearized model of C2
     - 5-round characteristic independent of the S-box with probability $2^{-12}$ ($2^{-11}$)

  31. Boomerang attack
     - Assume S-box is known
     - Use the 5-round characteristic to mount boomerang attack
     - Boomerangs exist with average probability of $2^{-44.5}$
     - All boomerangs follow the characteristic for the first round
     - Use boomerang attack to recover 22 bits of the first round key
     - Complexity: $2^{48}$ encryptions and $2^{44.5}$ chosen plaintext/ciphertext pairs
     - [Figure: boomerang quartet $P, P', Q, Q'$ through $E_0$ to $A, A', B, B'$ and through $E_1$ to $C, C', D, D'$; differences labelled $\Delta$, $\Delta'$, $\nabla$, $\nabla'$]
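
The relation on the "Generating plaintexts" slides, worked through as an added example (not code from the presentation or from the C2 specification): it checks $F(X \oplus (z \ll 23))_{0..7} = F(X)_{0..7} \oplus z$ and then uses the slide's formula $(X \oplus (z \ll 23) \oplus C) \boxminus rk$ to pick a half-block whose S-box input is one of the three values listed on the master-key slide. Assumptions: `F` is modelled only as X xor (X rotated left by 9) xor (X rotated left by 22), taken from the labels 9 and 22 in the diagram; the round input is modelled as X = (R + rk) xor C; the names `steer`, `half_block_for`, `RK`, `C_CONST` and all sample values are constructed.

```python
MASK32 = 0xFFFFFFFF

def rol32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def F(x):
    """Assumed stand-in for the GF(2)-linear map X -> U (rotations 9 and 22 only)."""
    return x ^ rol32(x, 9) ^ rol32(x, 22)

def check_relation(samples):
    """True if F(X ^ (z << 23)) low byte == F(X) low byte ^ z for every 8-bit z."""
    return all(
        (F(x ^ (z << 23)) & 0xFF) == ((F(x) & 0xFF) ^ z)
        for x in samples for z in range(256)
    )

def steer(x, target):
    """Return z so that F(x ^ (z << 23)) has low byte `target` (follows from the relation)."""
    return (F(x) & 0xFF) ^ target

def half_block_for(x, z, rk, c):
    """Slide formula: (X xor (z << 23) xor C) minus rk, modulo 2^32."""
    return ((x ^ (z << 23) ^ c) - rk) & MASK32

def sbox_input(r, rk, c):
    """S-box input byte in the assumed model: low byte of F((r + rk) xor c)."""
    return F(((r + rk) & MASK32) ^ c) & 0xFF

# Constructed sample values; RK and C_CONST are placeholders, not C2 constants.
SAMPLE_X = [0x00000000, 0xDEADBEEF, 0x01234567, 0xFFFFFFFF]
RK, C_CONST = 0x13579BDF, 0x2765CA00
ALLOWED = [0x88, 0x04, 0x27]  # S-box inputs named on the master-key slide

def steer_all():
    """For each sample X and allowed byte, return (z, half-block, resulting S-box input)."""
    out = []
    for x in SAMPLE_X:
        for t in ALLOWED:
            z = steer(x, t)
            r = half_block_for(x, z, RK, C_CONST)
            out.append((z, r, sbox_input(r, RK, C_CONST)))
    return out

if __name__ == "__main__":
    print("relation holds:", check_relation(SAMPLE_X))
    for z, r, s in steer_all():
        print(f"z=0x{z:02x} half-block=0x{r:08x} S-box input=0x{s:02x}")
```

Only the rotation by 9 carries bits 23..30 into bits 0..7, which is why the 8-bit value z lands unchanged in the low byte; the word itself and the rotation by 22 contribute nothing there.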
