
Cryptanalysis of the Advanced Encryption Standard (Vincent Rijmen)



  1. Cryptanalysis of the Advanced Encryption Standard Vincent Rijmen Albena 2013

  2. Content
     • AES
     • Bounding the EDP of differentials over 2, 4 rounds of AES
     • AES and the hypothesis of stochastic equivalence

  3. The Advanced Encryption Standard
     [Figure: iterated cipher structure. Each round applies a layer of S-boxes (S) followed by a mixing transformation; the key schedule supplies a round key to every round.]

  4. AES round transformation
     • 10/12/14 iterations
     • Composed of 4 steps, each with its own purpose:
       – SubBytes: non-linearity
       – ShiftRows: inter-column diffusion
       – MixColumns: inter-byte diffusion within columns
       – AddRoundKey

  5. Message input representation
     $$\begin{array}{cccccccc}
     a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} & a_{0,4} & a_{0,5} & a_{0,6} & a_{0,7} \\
     a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} & a_{1,4} & a_{1,5} & a_{1,6} & a_{1,7} \\
     a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} & a_{2,4} & a_{2,5} & a_{2,6} & a_{2,7} \\
     a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} & a_{3,4} & a_{3,5} & a_{3,6} & a_{3,7}
     \end{array}$$
     • Rectangular array of bytes:
       – 4 rows
       – AES: 4 columns
       – Rijndael: 4, 6, or 8 columns (128-, 192-, 256-bit plaintext block)

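  6. Key input representation
     $$\begin{array}{cccccccc}
     k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} & k_{0,4} & k_{0,5} & k_{0,6} & k_{0,7} \\
     k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} & k_{1,4} & k_{1,5} & k_{1,6} & k_{1,7} \\
     k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} & k_{2,4} & k_{2,5} & k_{2,6} & k_{2,7} \\
     k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} & k_{3,4} & k_{3,5} & k_{3,6} & k_{3,7}
     \end{array}$$
     • Rectangular array of bytes:
       – 4 rows
       – 4, 6, or 8 columns (128-, 192-, 256-bit key)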

  7. Round step 1: SubBytes
     [Figure: each state byte $a_{i,j}$ is passed through the S-box to give the byte $b_{i,j}$ of the output state]
     • Bytes are transformed by invertible S-box.
     • One S-box (lookup table) for complete cipher (simplicity)

  8. The Rijndael S-box
     $S[x] = P(x^{-1})$
     • $x^{-1}$: good cryptographic properties
       – Optimally resistant against linear and differential cryptanalysis
       – Output functions with maximal nonlinear degree (7)
     • $P(x)$: affine transformation to remove regularity

  9. Round step 3: MixColumns
     [Figure: each state column $(a_{0,j}, a_{1,j}, a_{2,j}, a_{3,j})$ is mapped to the column $(b_{0,j}, b_{1,j}, b_{2,j}, b_{3,j})$]
     • Columns transformed by matrix over GF($2^8$)
     • High intra-column diffusion:
       – based on theory of error-correcting (MDS) codes

  10. Round step 2: ShiftRows
     [Figure: the first row (m n o p) is unchanged and the other rows are rotated, e.g. g h i j → h i j g and b c d e → e b c d]
     • Rows are shifted over 4 different offsets
     • High diffusion over multiple rounds:
       – Interaction with MixColumns
       – Bits flip in minimum 25 active S-boxes per 4 rounds

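  11. Key schedule
     $$\begin{array}{ccccccccc}
     k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} & k_{0,4} & k_{0,5} & k_{0,6} & k_{0,7} & \cdots \\
     k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} & k_{1,4} & k_{1,5} & k_{1,6} & k_{1,7} & \cdots \\
     k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} & k_{2,4} & k_{2,5} & k_{2,6} & k_{2,7} & \cdots \\
     k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} & k_{3,4} & k_{3,5} & k_{3,6} & k_{3,7} & \cdots
     \end{array}$$
     Round key table (virtual): 1 + 10/12/14 round keys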

  12. Key schedule for 128-bit keys
     [Figure: columns $k_{\cdot,0},\dots,k_{\cdot,3}$ produce columns $k_{\cdot,4},\dots,k_{\cdot,7}$. The last column, rotated to $(k_{1,3}, k_{2,3}, k_{3,3}, k_{0,3})$, goes through Substitution and the addition of the round constant RC and is added (+) to the first column; the remaining new columns are obtained by further additions (+).]

  13. Key schedule for 192-bit keys
     [Figure: columns $k_{\cdot,0},\dots,k_{\cdot,5}$ produce columns $k_{\cdot,6},\dots,k_{\cdot,11}$. The last column, rotated to $(k_{1,5}, k_{2,5}, k_{3,5}, k_{0,5})$, goes through Substitution and the addition of the round constant RC and is added (+) to the first column; the remaining new columns are obtained by further additions (+).]

  14. Key schedule for 256-bit keys
     [Figure: columns $k_{\cdot,0},\dots,k_{\cdot,7}$ produce columns $k_{\cdot,8},\dots,k_{\cdot,15}$. The last column, rotated to $(k_{1,7}, k_{2,7}, k_{3,7}, k_{0,7})$, goes through Substitution and the addition of the round constant RC and is added (+) to the first column; the remaining new columns are obtained by further additions (+), with a second Substitution applied halfway.]

  15. Alternative representations
     [Figure: two rounds drawn as a layer of 16 S-boxes (S), four MixColumns blocks (MC) and 16 key additions (+), repeated twice]

  16. Super Box differentials
     [Figure: Super box. Input difference $a$ → four S-boxes → $b$ → MixColumns, $c = MC \times b$ → key addition (+), $d = c$ → four S-boxes → output difference $e$]
     • Differentials $(a, e)$
       – with $EDP(a, e)$
     • Characteristics $Q = (a, b, c, d, e)$
       – with $EDP(Q)$
     • $EDP(a, e) = \sum_Q EDP(Q)$
     • given $a$ and $e$, only $b$ free
     • EDP of $Q$ is product of DP of S-boxes:
       – $EDP(a, b, d, e) = \prod_i DP_S(a_i, b_i) \prod_j DP_S(d_j, e_j)$

  17. Branch number
     [Figure: X → Mixing transformation L → Y]
     • $DP_S(0,0) = 1$
     • Avoid existence of trails with many zeroes
     • Branch number B :

  18. Branch number and codes
     [Figure: X → Mixing transformation L → Y]
     • Code C: X → X L(X)
     • Branch number of L = minimum distance of C

  19. Bound on EDP [Park+ ‘03] When all S-boxes are the same:

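  20. Example
     [Figure: example with five parallel S-boxes. Input difference with one nonzero entry ($a_0 \to b_0$), mixing transformation L, key addition (+), and a second S-box layer mapping $d_0, d_1, d_4$ to $e_0, e_1, e_4$; the remaining entries are zero]
     • Sum runs over all entries in a row or column
     • Sum is largest if you combine largest with the largest, …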

  21. [Hong+ ’00] Hence:

  22. The AES S-box
     [Figure: the S-box S decomposed into $x^{-1}$ and $L$, with differences $a$, $b$, $c$]
     • Composed of:
       – $x^{-1}$ in GF($2^8$)
       – $L$: affine mapping
         • matrix in GF(2)
         • linearised polynomial
     • Differential properties:
       – those of $x^{-1}$
       – $L$: deterministic
         • $c = L^{-1} b$; $b = L c$

  23. Differential properties of $x^{-1}$
     $x^{-1} + (x + a)^{-1} = b$
     • If $x \neq a$, $x \neq 0$:
       $(x + a) + x = b\,(x + a)\,x$
       $(x/a)^2 + x/a + 1/(ab) = 0$
     • 2 solutions iff $\mathrm{Trace}(1/(ab)) = 0$
     • $x = a$ is solution of $x^{254} + (x + a)^{254} = b$
       – only if $b = a^{-1}$
       – Solutions are: $0$, $a$, $va$, $v^2 a$ with $v^2 + v + 1 = 0$

  24. DP over AES S-box
     • $DP(a, b)$:
       – $2^{-6}$ if $ab = 1$,
       – $2^{-7}$ if $\mathrm{Tr}(a^{-1} b^{-1}) = 0$
       – $0$ if $\mathrm{Tr}(a^{-1} b^{-1}) = 1$
     • For fixed $a$:
       – 1 $b$ with $DP(a, b) = 2^{-6}$
       – 126 $b$’s with $DP(a, b) = 2^{-7}$
     • Same for fixed $b$

  25. AES Super box EDP bounds
     • MixColumns has branch number 5
     • Hong et al. bound:
     • Park et al. bound:
     • Keliher-Sui ‘07: the best differentials have $13.25 \times 2^{-32}$

  26. Differential properties of $x^{-1}$
     • Trace function $\mathrm{Tr}(x)$
       – Maps extension field GF($2^8$) to ground field GF(2)
       – Linear mapping:
         • $\mathrm{Tr}(x + y) = \mathrm{Tr}(x) + \mathrm{Tr}(y)$
         • $\mathrm{Tr}(ax) = 0$: the solutions $x$ for a given $a$ form a vector space over GF(2)
     • Given $a$, values of $b^{-1}$ for which $DP(a, b) > 0$ form a vector space of dimension 7
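The case distinction of slides 23 and 24 and the vector-space statement of slide 26 can be checked exhaustively for inversion in GF($2^8$). The following Python is an added example, not part of the original slides; all function names are illustrative.

```python
# Added example; all names are illustrative, not from the slides.
def gf_mul(x, y):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= 0x11B
        y >>= 1
    return r

def trace(x):
    """Tr(x) = x + x^2 + x^4 + ... + x^128, a value in GF(2)."""
    t = 0
    for _ in range(8):
        t, x = t ^ x, gf_mul(x, x)
    return t

# INV[x] = x^254: the inverse for x != 0, and 0 for x = 0
INV = [0] + [next(y for y in range(1, 256) if gf_mul(x, y) == 1)
             for x in range(1, 256)]
TR = [trace(x) for x in range(256)]

def ddt_row(a):
    """row[b] = number of x with x^-1 + (x + a)^-1 = b."""
    row = [0] * 256
    for x in range(256):
        row[INV[x] ^ INV[x ^ a]] += 1
    return row

def predicted(a, b):
    """Solution count from the slides' case distinction, for nonzero a, b."""
    if gf_mul(a, b) == 1:
        return 4                                        # DP = 2^-6
    return 0 if TR[gf_mul(INV[a], INV[b])] else 2       # DP = 0 or 2^-7

def verify():
    """Check the cases, the 1/126 counts and the dimension-7 vector space."""
    for a in range(1, 256):
        row = ddt_row(a)
        space = {0} | {INV[b] for b in range(1, 256) if row[b]}
        ok = all(row[b] == predicted(a, b) for b in range(1, 256))
        ok = ok and all(u ^ v in space for u in space for v in space)
        if not ok or (row.count(4), row.count(2), len(space)) != (1, 126, 128):
            return False
    return True
```

`verify()` returns `True` only if every nonzero input difference has exactly one output difference with 4 solutions, 126 with 2 solutions, and a set of admissible $b^{-1}$ values that is closed under addition and has $2^7$ elements.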

  27. Example differential
     [Figure: input difference $(a_0, 0, 0, 0)$ → four S-boxes → $(b_0, 0, 0, 0)$ → MixColumns → $(d_0, d_1, d_2, d_3)$ → key addition (+) → four S-boxes → $(e_0, e_1, e_2, e_3)$]
     • Characteristics $(a, b, d, e)$
     • Properties:
       – 255 possible values for $b_0$
       – $d = (2 b_0, b_0, b_0, 3 b_0)$
       – $d_i = u^d_i b_0$: fixed ratio
     • Conditions for $b_0$ and $d_i$ to define a characteristic with DP > 0
       – $\mathrm{Tr}(a_0^{-1} L(b_0)^{-1}) = 0$
       – $\mathrm{Tr}(d_i^{-1} L(e_i)^{-1}) = 0$

  28. Example differential
     [Figure: input difference $(a_0, 0, 0, 0)$ → four S-boxes → $(b_0, 0, 0, 0)$ → MixColumns → $(d_0, d_1, d_2, d_3)$ → key addition (+) → four S-boxes → $(e_0, e_1, e_2, e_3)$]
     • Conditions on $d_i$ define a vector space on $b_0^{-1}$
       – dimension is 8 minus dimension of vector space generated by $\{u^d_i L(e_i^{-1})\}_i$
       – minimum 4, maximum 7
       – straight conditions
     • Condition on $b_0$ doesn’t
       – due to presence of $L$
       – blurred condition
       – can be approached statistically:
         • number of trails has hypergeometric distribution

  29. Differentials with 5 active S-boxes
     • Given characteristic, nonzero $b_i$ and $d_j$ values have fixed ratios
     • 255 characteristics
     • Differential characterized by two parameters:
       – α: dimension of: $\{u^d_i L(e_i^{-1})\}_i$
       – β: number of different nonzero elements in: $(a_0, u^b_0)$, $(a_1, u^b_1)$, $(a_2, u^b_2)$, $(a_3, u^b_3)$
     • Number of trails has hypergeometric distribution with mean and variance determined by α and β

  30. AES Superboxes
     • Highest EDP values occur for
       – differentials with 5 active S-boxes
       – ... with small values for α and β
     • Presence of $L$ in S-box has important impact on the distributions of Super box EDP values:
       – if absent: all conditions become straight
       – Max EDP would increase
         • from $13.25 \times 2^{-32}$ (12 differentials)
         • to $19.75 \times 2^{-32}$ (3825 differentials)
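The sum over characteristics from slides 16 and 27 can be carried out directly for a Super box differential with one active input byte: only $b_0$ is free, so the EDP is a sum of at most 255 products of five S-box DPs. The following Python is an added example, not part of the original slides; the function names and the constructed sample differential are assumptions.

```python
# Added example; all names are illustrative, not from the slides.
from fractions import Fraction

def aes_sbox():
    """Build the AES S-box: inversion in GF(2^8) followed by the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
# DDT[a][b] = #{x : S(x) + S(x + a) = b}, so DP_S(a, b) = DDT[a][b] / 256
DDT = [[0] * 256 for _ in range(256)]
for a in range(256):
    for x in range(256):
        DDT[a][SBOX[x] ^ SBOX[x ^ a]] += 1

def mix_single(b0):
    """MixColumns on (b0, 0, 0, 0): d = (2*b0, b0, b0, 3*b0) in GF(2^8)."""
    two = ((b0 << 1) ^ (0x1B if b0 & 0x80 else 0)) & 0xFF
    return (two, b0, b0, two ^ b0)

def superbox_edp(a0, e):
    """Return (EDP, number of trails) for the differential ((a0,0,0,0), e)."""
    edp, trails = Fraction(0), 0
    for b0 in range(1, 256):                 # given a and e, only b0 is free
        w = DDT[a0][b0]
        for d_i, e_i in zip(mix_single(b0), e):
            w *= DDT[d_i][e_i]
        if w:
            trails += 1
            edp += Fraction(w, 256 ** 5)     # product of five S-box DPs
    return edp, trails

def sample_differential(a0):
    """Constructed sample: output difference e of the first valid trail."""
    b0 = next(b for b in range(1, 256) if DDT[a0][b])
    return tuple(next(e for e in range(1, 256) if DDT[d][e]) for d in mix_single(b0))
```

Calling `superbox_edp(0x01, sample_differential(0x01))` gives the exact EDP as a fraction together with the number of contributing trails; multiplying the EDP by $2^{32}$ puts it on the scale used on the slides.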

  31. AES megabox
     [Figure: megabox. A layer of four Super boxes, four MixColumns blocks (MC), 16 key additions (+), and a second layer of four Super boxes]

  32. Megabox bounds
     • Hong et al.:
     • Park et al.: ???
       – We would need all the EDP-values over the Super boxes
       – Computation has been finished for differentials where all trails have exactly 25 active S-boxes and where the S-box is pure inversion:

  33. Plateau characteristics
     • Illustration of the difference between EDP and DP[k]
     • DP is a stochastic variable, with EDP as expected value
     • Expected value doesn’t fully characterize the distribution
     • Structure in the sets of right pairs
     • Case study for characteristics in AES (2 rounds)

  34. Often assumed distribution of DP(Q)
     Pr(DP(Q) = i) ≈ z(i – EDP(Q))
     • Narrow around EDP(Q)
     [Figure: fraction of keys plotted against DP(Q), with EDP(Q) marked]
     • Hypothesis of stochastic equivalence

  35. 2-round mapping
     [Figure: mapping B[k]. Input difference $a$ → R → $b$ → addition of the key $k$ (+) → S → output difference $c$]
     • $B[k](x) = S(k + R(x))$
     • Characteristic over $B[k]$: $Q = (a, b, c)$
       – Differential $(a, b)$ over $R$, followed by
       – Differential $(b, c)$ over $S$
