
Cryptanalysis of JAMBU (Thomas Peyrin, Siang Meng Sim, Lei Wang): PowerPoint PPT Presentation



  1. [Slide navigation bar: The JAMBU Candidate | Performance and Security Claims | Nonce-misuse Attack on JAMBU | Conclusion]
     Cryptanalysis of JAMBU
     Thomas Peyrin (1), Siang Meng Sim (1), Lei Wang (1), Guoyan Zhang (1, 2, 3)
     1. Nanyang Technological University, Singapore
     2. School of Computer Science and Technology, Shandong University, China
     3. Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China
     10 March 2015
     1 / 35

  2. Table of Contents
     1. The JAMBU Candidate
     2. Performance and Security Claims
     3. Nonce-misuse Attack on JAMBU
        - Differential Structure in JAMBU
        - Details of the Attack
     4. Conclusion


  4. CAESAR Candidate: JAMBU
     - Designers: Hongjun Wu, Tao Huang (NTU, Singapore)
     - The mode of operation is similar to OFB
     - Uses a 2n-bit block cipher as the underlying cipher
     - Processes blocks of n-bit information

  5. AES-JAMBU: parameters
     AES-JAMBU is JAMBU with AES-128 as the underlying cipher:
     - associated data + plaintext < 2^64 bits under the same key
     - key = 128 bits
     - tag = 64 bits
     - initialization vector / nonce = 64 bits

  6. AES-JAMBU: initialisation
     Initial input: 64-bit zeroes and the 64-bit nonce (IV)

  7. AES-JAMBU: processing of associated data
     Associated data A is split into 64-bit blocks A_i

  8. AES-JAMBU: processing of plaintext
     Plaintext P is split into 64-bit blocks P_i; ciphertext C is split into 64-bit blocks C_i

  9. AES-JAMBU: tag generation
     The last block P_M is padded with 1‖0* and the output is truncated. If the last block is a full block, an additional block 1‖0^63 is processed without output.


  11. JAMBU: hardware performance
      JAMBU is a hardware-oriented candidate: compared with other AE modes instantiated with a 2n-bit block cipher, JAMBU minimizes the state size, which is an advantage for hardware implementations.

      Mode     State size
      GCM      6n
      OCB3     6n
      EAX      8n
      JAMBU    3n

  12. JAMBU: software performance
      On an Intel Core i5-2540M 2.6 GHz processor with AES-NI, 512-byte messages:

      AES-128-CCM     5.19 c/B
      AES-128-GCM     3.33 c/B
      AES-128-OCB3    1.34 c/B
      AES-JAMBU      12.27 c/B

      According to the designers, AES-JAMBU should be about two times slower than AES-GCM (their implementation is not optimized yet).

  13. JAMBU: security claims

                          confidentiality (bits)   integrity (bits)
      nonce-respecting    128                      64
      nonce-misuse        128*                     not specified

      *: except for the first block or the common prefix of the message.

      The designers gave very good arguments why a successful forgery should require 2^64 computations.

      "In case that the IV is reused under the same key, the confidentiality of AES-JAMBU is only partially compromised as it only leaks the information of the first block or the common prefix of the message. And the integrity of AES-JAMBU will be less secure but not completely compromised."

  14. JAMBU: security claims

                          confidentiality (bits)   integrity (bits)
      nonce-respecting    128                      64
      nonce-misuse        128*                     not specified

      *: except for the first block or the common prefix of the message.

      Our attack: with about 2^34 queries and computations, we can produce a valid ciphertext block corresponding to some plaintext with a prefix that has never been queried before.


  17. Observation 1
      - No difference in V_{i+1} ⇒ the differences in R_i and Y_i are the same; call it Δs.
      - Let the difference in X_i be Δr.

  18. Observation 2
      - If the input difference in P_i is equal to Δr ⇒ the difference in U_{i+1} is cancelled out,
      - and with no difference in P_{i+1} ⇒ the output difference in C_{i+1} will be Δs.

  19. Attack Overview
      Objective: find such a differential structure, and find the values of Δr and Δs.
      Problem: seems hard to achieve: naively building the structure costs 2^64 computations, and we have no way of checking whether we indeed found it (Δs is unknown).
      Solution: "divide-and-conquer"
      - use a birthday attack to find a pair of nonce values that partially follows this differential structure (nonce-respecting)
      - enumerate all possible input differences in the plaintext block to force the rest of the differential structure and to find Δr and Δs (nonce-misuse)


  21. Step 1: birthday attack on V_{i+1}
      Using a birthday attack, a collision on V_{i+1} can be found with about 2^32 encryption queries:
      - query the encryption of the same one-block plaintext P_1 under 2^32 different nonces IV
      - find a collision in the ciphertext, C_1 = C'_1
      - store the pair of nonce values IV and IV'

  22. Step 2: finding Δr and Δs
      To enumerate all 2^64 possible input differences of P_i, we use 2 sets of 2^32 plaintext blocks (i and j range from 0 to 2^32 − 1): any possible input difference [i‖j] can be formed with a pair of plaintext blocks [i‖0^32] and [0^32‖j].

  23. Step 2: finding Δr and Δs
      P_{i+1} is set to a constant value (e.g. all zeros). We ask for the encryption of [i‖0^32]‖[0^64] with nonce IV and of [0^32‖j]‖[0^64] with nonce IV'.

  24. Step 2: finding Δr and Δs
      Question: how do we know that we inserted the right Δr in P_i?
      Answer: the right Δr will give the same output difference Δs in the second block, independent of the plaintext value in the first block.

  25. Step 2: finding Δr and Δs
      The right Δr gives the same output difference Δs independent of the value of P_i, so we build a few tables (i and j range from 0 to 2^32 − 1). If Δr = [i‖j], then
          C_2[i‖0] ⊕ C_2[0‖j] = C_2[i⊕1‖0] ⊕ C_2[1‖j] = Δs.
      Note that the first and third tables are the same up to a permutation. Hence, we need 3 · 2^32 encryption queries.
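The differential structure of slides 17-18 and the two attack steps of slides 21-25, checked at toy scale so the claim "the right Δr gives the same Δs for every first block" can be verified against the internal state. This is an added example, not the authors' code or the JAMBU reference implementation: the per-block update equations and the initialisation of R are recalled from the JAMBU specification and are assumptions here (the slide diagrams are not in this transcript), and the block cipher is a constructed 16-bit toy permutation rather than AES-128, so the 2^32-query searches shrink to 2^8.

```python
# Toy-scale model of the JAMBU nonce-misuse differential (slides 17-25). Added
# example: equations recalled from the JAMBU spec (assumption), 16-bit toy cipher.
N, MASK = 8, 0xFF                      # n-bit words; the cipher works on 2n = 16 bits

def toy_cipher(key, block):
    """Constructed 16-bit keyed permutation standing in for AES-128 (bijective, not secure)."""
    x = block ^ key
    for rnd in range(8):
        x = ((x << 5) | (x >> 11)) & 0xFFFF
        x = (x * 0x9E37 + key + rnd) & 0xFFFF
        x ^= x >> 7
    return x

def jambu_encrypt(key, iv, blocks):
    """JAMBU-style encryption of n-bit blocks (AD, padding, tag and domain constants
    omitted; XOR differences do not depend on them). Returns (C, trace of (X_i, Y_i, V_{i+1}))."""
    init = toy_cipher(key, iv)                  # E_K(0^n || IV) = U_1 || V_1
    u, v = init >> N, init & MASK
    r, out, trace = u, [], []                   # R_1 taken from the upper half (assumption)
    for p in blocks:
        xy = toy_cipher(key, (u << N) | v)      # X_i || Y_i = E_K(U_i || V_i)
        xi, yi = xy >> N, xy & MASK
        u, v = xi ^ p, yi ^ r                   # U_{i+1} = X_i ^ P_i ; V_{i+1} = Y_i ^ R_i
        r ^= u                                  # R_{i+1} = R_i ^ U_{i+1}
        out.append(p ^ v)                       # C_i = P_i ^ V_{i+1}
        trace.append((xi, yi, v))
    return out, trace

def step1_nonce_pair(key, p1=0x5A):
    """Slide 21 (nonce-respecting): same one-block message under distinct nonces;
    C_1 = C_1' means V_2 = V_2'. Birthday cost ~2^(n/2): 2^32 queries for AES-JAMBU."""
    seen = {}
    for iv in range(1 << N):
        c1 = jambu_encrypt(key, iv, [p1])[0][0]
        if c1 in seen:
            return seen[c1], iv
        seen[c1] = iv
    raise RuntimeError("no collision in the toy instance")

def step2_find_differences(key, iv, iv2, probes=(0x00, 0x01, 0xA7, 0x3C, 0xE9)):
    """Slides 22-25 (nonce-misuse): re-use IV and IV' with chosen first blocks. Only the
    right dr gives C_2(IV,[a,0]) ^ C_2(IV',[a^dr,0]) = ds for every a; the slides' [i||j]
    tables organise this same enumeration into 3*2^32 queries instead of 2^64."""
    hits = []
    for dr in range(1 << N):
        diffs = {jambu_encrypt(key, iv, [a, 0])[0][1] ^
                 jambu_encrypt(key, iv2, [a ^ dr, 0])[0][1] for a in probes}
        if len(diffs) == 1:                     # same ds regardless of a: Observation 2
            hits.append((dr, diffs.pop()))
    return hits
```

Comparing the recovered (Δr, Δs) with the X_1/Y_1 differences in the trace of the colliding nonce pair confirms Observation 1 (Δs equals the R_1 difference) and shows why the "only the first block leaks" claim of slide 13 does not survive nonce reuse; at AES-JAMBU size the same logic is the roughly 2^34-query attack of slide 14.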
