Cryptanalysis of FIDES


  1. Cryptanalysis of FIDES
     Itai Dinur¹, Jérémy Jean¹,²
     ¹ École Normale Supérieure, France
     ² Nanyang Technological University, Singapore
     FSE 2014 – March 3, 2014
     Outline: Introduction | State Recovery | Forgery | Tradeoffs | The end
     FSE 2014 – Itai Dinur, Jérémy Jean – Cryptanalysis of FIDES 1/23

  2. Authenticated Encryption (AE)
     Motivations
     ◮ Crypto is not only about encryption
     ◮ Integrity and authenticity are often required
     ◮ Existing solutions (modes, MAC)
     ◮ Few dedicated ciphers
     ◮ Recent focus on this topic with the CAESAR competition
     Interfaces
     ◮ Regular cipher: (M, K) → C
     ◮ AE: (M, K) → (C, T)
     ◮ AEAD: (M, K, A) → (C, T, A)
     Notation
     ◮ M: plaintext
     ◮ C: ciphertext
     ◮ K: key
     ◮ T: authentication tag
     ◮ A: optional associated data

  3. Description of FIDES (1/2)
     FIDES
     ◮ Designed by Bilgin et al. and published at CHES 2013
     ◮ Nonce-based lightweight authenticated cipher (N)
     ◮ Key sizes: 80 and 96 bits (K)
     ◮ Handle optional associated data (A)
     ◮ Leak-extraction structure similar to the duplex sponge construction
     ◮ Permutation: application of an unkeyed AES round
     [Figure: FIDES structure. Labels: K || N, K || 0, 16 Rounds, 1 Round (per block), A_0 … A_{v−1}, M_0 / C_0 … M_{n−1} / C_{n−1}, Truncate, T, 16c]

  4. Description of FIDES (2/2)
     Internal state:
     ◮ Internal state of 4 × 8 × c bits
     ◮ Nibble size c:
       ◮ c = 5 for FIDES-80
       ◮ c = 6 for FIDES-96
     One Round of the Internal Permutation:
     ◮ Extract 2c-bit mask
     ◮ 2c-bit message injection
     ◮ AES-like operations: SB, SR, MC, AC.
     ◮ Suboptimal diffusion matrix (non MDS)
     Diffusion Matrix:
     $M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$
     [Figure: one round of the permutation. Labels: M_i, RC_i, SB, SR, MC, AC, Inj; state cells of c bits]

  5. Leakage and Security Claims
     Leakage
     ◮ The same positions are used to leak and inject nibbles
     ◮ 2c out of 32c bits are leaked before each round
     Security Claims
     ◮ Nonce-respecting adversary assumption
     ◮ Attack scenarios: state recovery, key recovery and forgery
     ◮ FIDES advertises 16c-bit security against all scenarios
     Our Attack
     ◮ State recovery can be done in $2^{15c}$ operations
     ◮ We can forge any message after a state recovery

  7. Similar designs
     FIDES is reminiscent of other AES-based designs using leak-extraction.
     ALE [BMR+13]
     ◮ 128-bit AE cipher
     ◮ 4/16 leaked nibbles per round
     ◮ Inject 16 nibbles every 4 rounds
     ◮ Broken [KR13]
     LEX [Bir06]
     ◮ 128-bit key stream cipher
     ◮ 4/16 leaked nibbles per round
     ◮ No injection (stream cipher)
     ◮ Broken [DK13, BDF11]
     Alpha-MAC [DR05]
     ◮ 128-bit MAC
     ◮ 4 nibbles injected per round
     ◮ No extraction
     ◮ Broken [YWJ+09, BDF11]
     ASC-1 [JK11]
     ◮ 128-bit AE cipher
     ◮ 4/16 leaked nibbles per round
     ◮ Inject 16 nibbles every 4 rounds
     ◮ Whitening key before leakage

  8. Results on FIDES
     Results
     Cipher     Data          Time       Memory     Generic    Ref
     FIDES-80   1 KP          $2^{75}$   $2^{15}$   $2^{80}$   This paper
     FIDES-80   $2^{64}$ KP   $2^{73}$   $2^{64}$   $2^{80}$   Long version
     FIDES-96   1 KP          $2^{90}$   $2^{18}$   $2^{96}$   This paper
     FIDES-96   $2^{77}$ KP   $2^{88}$   $2^{77}$   $2^{96}$   Long version
     Notes:
     ◮ Guess-and-determine attacks
     ◮ Recover the internal state
     ◮ Allow forging arbitrary messages

  9. Preliminaries (1/2)
     How many leaked nibbles are needed to recover the state faster than exhaustive search?
     Information theoretically speaking:
     ◮ The state consists of 32 nibbles
     ◮ Known-plaintext scenario
     ◮ 15 rounds would leak a total of (15 + 1) × 2 = 32 state nibbles
     ◮ Uniquely determine the state
     ◮ But analyzing 15 consecutive AES-like rounds is difficult
     [Figure: FIDES structure with a 2c-bit leak before each round. Labels: K || N, Initialization, 16 Rounds, 1 Round (repeated), Truncate, T]

  11. Preliminaries (2/2)
      With n ∈ [0, 14] rounds:
      ◮ Reduce the analysis to n consecutive AES-like rounds
      ◮ A total of (n + 1) × 2 state nibbles are leaked
      ◮ Unicity of the state no longer true: about $2^{(32 - 2n - 2) \times c}$ different initial states would leak the same sequence
      ◮ Goal: Generating all of them in less than $2^{16c}$ computations
      ◮ $32 - 2n - 2 < 16 \implies n \geq 8$.
      Our Attack
      ◮ We use the knowledge of 18 leaked nibbles, in 9 consecutive states linked by n = 8 rounds (in fact, only 17 nibbles)
      ◮ Data: less than 16 bytes of a single known plaintext
      ◮ Time: about $2^{15c}$ computations to enumerate the $2^{(32 - 17)c} = 2^{15c}$ state candidates
      ◮ Check: additional leaked bytes, or authentication tag T.

  17. High-Level Overview of the State-Recovery Attack
      [Figure: states X_0 … X_8 linked by eight one-round (1R) steps. Labels: N_1, N_2, X_{T_1}, X_{T_2}]
      Steps of the Guess-and-determine Procedure
      1. Guess the 12 nibbles in the set N_1
      2. Determine other nibble values (N′_1)
      3. Construct two tables T_1 and T_2 (independently)
      4. Guess the 3 nibbles in the set N_2
      5. Determine new nibble values (N′_2)
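
The "Description of FIDES (2/2)" slide calls the diffusion matrix suboptimal (non MDS). The following added example, which is not from the slides or from the FIDES designers, checks this by exhaustive search over columns of c-bit nibbles. The function names are my own, and the XOR relation it verifies is derived here from the matrix entries rather than stated on the slides.

```python
from itertools import product

# Binary diffusion matrix M as given on the slide.
M = [[0, 1, 1, 1],
     [1, 0, 1, 1],
     [1, 1, 0, 1],
     [1, 1, 1, 0]]
# Entries are 0/1, so each output nibble is the XOR of the selected inputs.
ROWS = [[j for j, bit in enumerate(row) if bit] for row in M]

def mix_column(col):
    """Apply M to one column of four nibbles."""
    out = []
    for idxs in ROWS:
        acc = 0
        for j in idxs:
            acc ^= col[j]
        out.append(acc)
    return tuple(out)

def weight(vec):
    """Number of non-zero (active) nibbles."""
    return sum(1 for v in vec if v)

def branch_number(c):
    """min over x != 0 of wt(x) + wt(Mx); a 4x4 MDS matrix would reach 5."""
    return min(weight(col) + weight(mix_column(col))
               for col in product(range(1 << c), repeat=4) if any(col))

def xor_relation_holds(c):
    """For y = Mx, x_i ^ y_i is the same value (the XOR of all inputs) in every row."""
    for col in product(range(1 << c), repeat=4):
        out = mix_column(col)
        if len({x ^ y for x, y in zip(col, out)}) != 1:
            return False
    return True

def is_involution(c):
    """M applied twice is the identity."""
    return all(mix_column(mix_column(col)) == col
               for col in product(range(1 << c), repeat=4))

if __name__ == "__main__":
    c = 5  # FIDES-80 nibble size; the results do not depend on c
    print("branch number:", branch_number(c))
    print("x_i ^ y_i equal in all rows:", xor_relation_holds(c))
    print("involution:", is_involution(c))
```

Because every row satisfies the same relation, a nibble known on both sides of MC in one row lets any nibble known on one side in another row be carried to the other side, which is the kind of linear dependency a guess-and-determine procedure relies on.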
