cryptanalysis of the counter mode of operation
play

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras - PowerPoint PPT Presentation

Oct 31, 2023 •228 likes •975 views

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

  1. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gaëtan Leurent Inria, équipe SECRET April 10, 2018 1 / 29

  2. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction • Cryptography: Alice encrypts then sends messages to Bob. • Symmetric: Alice and Bob share the same key. • Public channel: Eve (attacker) can see and/or manipulate what is being sent. Eve ...11001101011... Alice Bob 2 / 29

  3. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. 3 / 29

  4. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. Mode of operation Describes how to use a block cipher along with a plaintext message of arbitrary length to achieve some concrete cryptographic goals. 3 / 29

  5. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. 4 / 29

  6. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. • There are authentication modes (GMAC, ...). They aim at authenticating the plaintext. → Forgery attacks. 4 / 29

  7. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Modes are classified according to their goals: • There are encryption modes (CBC, CTR, ...). They aim at hiding the plaintext. → Plaintext recovery attacks. • There are authentication modes (GMAC, ...). They aim at authenticating the plaintext. → Forgery attacks. • There are authenticated encryption modes (GCM, ...). They aim at both authenticating and hiding the plaintext. 4 / 29

  8. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i 5 / 29

  9. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. 5 / 29

  10. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. Inputs IV � i to the block cipher never repeat. 5 / 29

  11. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . 6 / 29

  12. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . Security proof ( σ the number of blocks) Adv CPA CTR- E k ( σ ) ≤ Adv PRF E k ( σ ) ≤ Adv PRP E k ( σ ) + σ 2 / 2 n + 1 Distinguishing attack After σ ≃ 2 n / 2 encrypted blocks we expect a collision on the K i with high probability in the case of a random ciphertext. That is the birthday bound coming from the birthday paradox. 6 / 29

  13. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • allowing attacks when nearing the bound c 0 c 1 c 2 7 / 29

  14. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • allowing attacks when nearing the bound c 0 c 1 c 2 Folklore assumptions [Ferguson, Schneier, Kohno] CTR leaks very little data. [...] It would be reasonable to limit the cipher mode to 2 60 blocks, which allows you to encrypt 2 64 bytes but restricts the leakage to a small fraction of a bit. When using CBC mode you should be a bit more restrictive. [...] We suggest limiting CBC encryption to 2 32 blocks or so. 7 / 29

  15. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . 8 / 29

  16. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . 8 / 29

  17. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguishing attack uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . 8 / 29

  18. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguishing attack uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . Main Idea Collect many keystream blocks K i and encryptions of secret block c j = K j ⊕ S ; then look for a value s such that K i ⊕ c j � = s ∀ i � = j . 8 / 29

  19. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 9 / 29

  20. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem Main Idea Collect many keystream blocks K i ∈ A and encryptions of secret block c j = K j ⊕ S ∈ B ; then look for a value s ∈ S such that ∀ ( a , b ) ∈ A × B , s � = a ⊕ b . The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 9 / 29

  21. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 n via coupon collector problem • To exclude 2 n candidates of S , we need n · 2 n values a i ⊕ b j • Lists A and B of size √ n · 2 n / 2 . Complexity: ˜ O ( 2 n ) 10 / 29

  22. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 • To exclude 1 candidate of S , we need 2 n values a i ⊕ b j • Lists A and B of size 2 n / 2 . Complexity: ˜ O ( 2 n ) 10 / 29

  23. Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 ⊕ s a 4 b 4 a 5 b 5 a 6 b 6 ? a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 11 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent, Ferdinand Sibleyras Inria, quipe SECRET EUROCRYPT 2018 1 /

856 views • 56 slides
Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

917 views • 70 slides
Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and

Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and

Power Grids in Asia Power Grids in Asia Mode of operation and dynamics Mode of operation and dynamics Stephen Wilson Stephen Wilson ECONOMIC CONSULTING ECONOMIC C NSULTING ASSOC SSOCIATES LIMI ES LIMITED TED 41 Lonsdale Road London NW6

538 views • 26 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

1 OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and

1.1k views • 45 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel

Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel

Adding 32-bit Mode to the ACL2 Model of the x86 ISA Alessandro Coglio Shilpi Goel Kestrel Centaur Technology Technology Workshop 2018 x86 Modes of Operation x86 Modes of Operation power on Real-Address or reset Mode no memory management,

2.01k views • 137 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count.

Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count.

Possible modes of operation of CMSQIE (1) Use noninverting mode of QIE: 2.6 fC/count. No practical limit on maximum charge/channel (2) Use calibration mode of QIE: ~1 fC/count. Maximum charge/channel of ~30 fC. (3) Place

560 views • 15 slides
Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team &

Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team &

25 th IAEA FEC, Oct 13-18, 2014 St. Petersburg, Russia ASIPP Advances in H-mode Physics for Long Pulse Operation on EAST B. N. Wan* for EAST team & collaborators** *Email: bnwan@ipp.ac.cn Institute of Plasma Physics, Chinese Academy of

367 views • 25 slides
Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *,

Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *,

Innovation in Services & the Organization-Co-operation Mode of Innovation Bruce Tether # *, Stan Metcalfe* & Abdelouahid Tajar + # Advanced Institute of Management (AIM) Research * ESRC Centre for Research on Innovation & Competition

743 views • 18 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection

Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection

Direct fibre excitation with a digital laser 1 Proof of principle Mode transfer Mode detection Mode source 2 Digital laser resonator as the mode source 3 Digital laser in operation Nd:YAG Monitor 2 SLM Driver CCD PC 2 PC 1 SLM Video

315 views • 17 slides
2. Hypothesis Car use as a habit Car use is often the first choice , mainly because of: Real

2. Hypothesis Car use as a habit Car use is often the first choice , mainly because of: Real

International Co-operation on Theories and Concepts in Traffic Safety 1. Background theory: Mode choice The Theory of Interpersonal Behaviour (Galdames et al., 2011) suggests that mode choices depend on: Can an experience with no car use

451 views • 5 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED cipher algorithm would be the default cipher together with AES in SRTP Motivation In Korea, many companies provide VoIP service and we

294 views • 6 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 14, 2013 Announcements / Goals For

459 views • 9 slides
The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t Robshaw RSA Labs Ray Sidney RSA Labs Yiqun Lisa Yin RSA Labs (August 21, 1998) Out line N Design Philosophy N Descr ipt ion of

421 views • 19 slides

More recommend