cryptanalysis reverse engineering and design of symmetric
play

Cryptanalysis, Reverse-Engineering and Design of Symmetric - PowerPoint PPT Presentation

Oct 03, 2023 •388 likes •1.76k views

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

  1. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Motivation A malicious designer can easily hide a structure in an S-Box. 16 / 54

  2. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Motivation A malicious designer can easily hide a structure in an S-Box. To keep an advantage in implementation (WB crypto)... 16 / 54

  3. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Motivation A malicious designer can easily hide a structure in an S-Box. To keep an advantage in implementation (WB crypto)... ... or an advantage in cryptanalysis (backdoor). 16 / 54

  4. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion The Two Tables Let S : F n 2 → F n 2 be an S-Box. 17 / 54

  5. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion The Two Tables Let S : F n 2 → F n 2 be an S-Box. Definition (DDT) The Difference Distribution Table of S is a matrix of size 2 n × 2 n such that DDT [ a , b ] = # { x ∈ F n 2 | S ( x ⊕ a ) ⊕ S ( x ) = b } . 17 / 54

  6. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion The Two Tables Let S : F n 2 → F n 2 be an S-Box. Definition (DDT) The Difference Distribution Table of S is a matrix of size 2 n × 2 n such that DDT [ a , b ] = # { x ∈ F n 2 | S ( x ⊕ a ) ⊕ S ( x ) = b } . Definition (LAT) The Linear Approximations Table of S is a matrix of size 2 n × 2 n such that LAT [ a , b ] = # { x ∈ F n 2 | x · a = S ( x ) · b } − 2 n − 1 . 17 / 54

  7. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Example S = [ 4 , 2 , 1 , 6 , 0 , 5 , 7 , 3 ] The DDT of S . The LAT of S .     8 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0         0 0 0 0 2 2 2 2 0 0 2 2 0 0 2 − 2         0 0 0 0 2 2 2 2 0 2 2 0 0 2 − 2 0         0 0 4 4 0 0 0 0 0 2 0 2 0 − 2 0 2         0 0 0 0 2 2 2 2 0 2 0 − 2 0 − 2 0 − 2         0 4 4 0 0 0 0 0 0 − 2 2 0 0 − 2 − 2 0         0 4 0 4 0 0 0 0 0 0 − 2 2 0 0 − 2 − 2         0 0 0 0 2 2 2 2 0 0 0 0 − 4 0 0 0 18 / 54

  8. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Coefficient Distribution in the DDT If an n -bit S-Box is bijective, then its DDT coefficients behave like independent and identically distributed random variables following a Poisson distribution: Pr [DDT[ a , b ] = 2 z ] = e − 1 / 2 2 z z . 19 / 54

  9. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Coefficient Distribution in the DDT If an n -bit S-Box is bijective, then its DDT coefficients behave like independent and identically distributed random variables following a Poisson distribution: Pr [DDT[ a , b ] = 2 z ] = e − 1 / 2 2 z z . Always even, ≥ 0 Typically between 0 and 16. Lower is beter. 19 / 54

  10. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Coefficient Distribution in the LAT If an n -bit S-Box is bijective, then its LAT coefficients behave like independent and identically distributed random variables following this distribution: � 2 n − 1 � 2 n − 2 + z Pr [LAT[ a , b ] = 2 z ] = . � 2 n � 2 n − 1 20 / 54

  11. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Coefficient Distribution in the LAT If an n -bit S-Box is bijective, then its LAT coefficients behave like independent and identically distributed random variables following this distribution: � 2 n − 1 � 2 n − 2 + z Pr [LAT[ a , b ] = 2 z ] = . � 2 n � 2 n − 1 Always even, signed. Typically between -40 and 40. Lower absolute value is beter. 20 / 54

  12. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Looking Only at the Maximum ℓ log 2 ( Pr [max ( L ) ≤ ℓ ] ) δ log 2 ( Pr [max ( D ) ≤ δ ] ) 38 -0.084 14 -0.006 36 -0.302 34 -1.008 12 -0.094 32 -3.160 10 -1.329 30 -9.288 8 -16.148 28 -25.623 26 -66.415 6 -164.466 24 -161.900 4 -1359.530 22 -371.609 DDT LAT Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutation is at most equal to a certain threshold. 21 / 54

  13. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Looking Only at the Maximum ℓ log 2 ( Pr [max ( L ) ≤ ℓ ] ) δ log 2 ( Pr [max ( D ) ≤ δ ] ) 38 -0.084 14 -0.006 36 -0.302 34 -1.008 12 -0.094 32 -3.160 10 -1.329 30 -9.288 8 -16.148 28 -25.623 26 -66.415 6 -164.466 24 -161.900 4 -1359.530 22 -371.609 DDT LAT Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutation is at most equal to a certain threshold. 21 / 54

  14. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Taking Number of Maximum Values into Account −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 22 / 54

  15. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Application of this Analysis? We applied this method on the S-Box of Skipjack. 23 / 54

  16. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What is Skipjack? (1/2) Type Block cipher Bloc 64 bits Key 80 bits Authors NSA Publication 1998 24 / 54

  17. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What is Skipjack? (2/2) Skipjack was supposed to be secret... ... but eventually published in 1998 [NIST, 1998] , 25 / 54

  18. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What is Skipjack? (2/2) Skipjack was supposed to be secret... ... but eventually published in 1998 [NIST, 1998] , It uses an 8 × 8 S-Box ( F ) specified only by its LUT, 25 / 54

  19. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What is Skipjack? (2/2) Skipjack was supposed to be secret... ... but eventually published in 1998 [NIST, 1998] , It uses an 8 × 8 S-Box ( F ) specified only by its LUT, Skipjack was to be used by the Clipper Chip . 25 / 54

  20. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Reverse-Engineering F For Skipjack’s F , max ( LAT ) = 28 and #28 = 3 . 26 / 54

  21. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Reverse-Engineering F For Skipjack’s F , max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 26 / 54

  22. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Reverse-Engineering F For Skipjack’s F , max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 26 / 54

  23. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Reverse-Engineering F For Skipjack’s F , max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 Pr [max ( LAT ) = 28 and #28 ≤ 3] ≈ 2 − 55 26 / 54

  24. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What Can We Deduce? F has not been picked uniformly at random. F has not been picked among a feasibly large set of random S-Boxes. Its linear properties were optimized (though poorly). 27 / 54

  25. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion What Can We Deduce? F has not been picked uniformly at random. F has not been picked among a feasibly large set of random S-Boxes. Its linear properties were optimized (though poorly). The S-Box of Skipjack was built using a dedicated algorithm. 27 / 54

  26. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Skipjack F 28 / 54

  27. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Skipjack F 28 / 54

  28. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Distinguisher vs. Decomposition We have figured out that F is not random... 29 / 54

  29. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Distinguisher vs. Decomposition We have figured out that F is not random... But what can we do to find actual structures? Structural Atacks Atacks against structures regardless of their details. Examples: Integral atacks against SPNs, Yoyo game against Feistel Networks, Looking at the Pollock representations of the DDT/LAT, 29 / 54

  30. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Distinguisher vs. Decomposition We have figured out that F is not random... But what can we do to find actual structures? Structural Atacks Atacks against structures regardless of their details. Examples: Integral atacks against SPNs, Yoyo game against Feistel Networks, Looking at the Pollock representations of the DDT/LAT, TU-Decomposition. 29 / 54

  31. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion TU-Decomposition in a Nutshell 1 Identify linear paterns in zeroes of LAT; 30 / 54

  32. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion TU-Decomposition in a Nutshell µ 1 Identify linear paterns in zeroes of LAT; 2 Deduce linear layers µ , η such that π is T decomposed as in right picture; U η 30 / 54

  33. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion TU-Decomposition in a Nutshell µ 1 Identify linear paterns in zeroes of LAT; 2 Deduce linear layers µ , η such that π is T decomposed as in right picture; U 3 Decompose U , T ; η 30 / 54

  34. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion TU-Decomposition in a Nutshell µ 1 Identify linear paterns in zeroes of LAT; 2 Deduce linear layers µ , η such that π is T decomposed as in right picture; U 3 Decompose U , T ; 4 Put it all together. η 30 / 54

  35. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Kuznyechik/Stribog Stribog Type Hash function Publication [GOST, 2012] Kuznyechik Type Block cipher Publication [GOST, 2015] 31 / 54

  36. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Kuznyechik/Stribog Stribog Type Hash function Publication [GOST, 2012] Kuznyechik Type Block cipher Publication [GOST, 2015] Common ground Both are standard symmetric primitives in Russia. Both were designed by the FSB (TC26). Both use the same 8 × 8 S-Box, π . 31 / 54

  37. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion The LAT of π 32 / 54

  38. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion The LAT of η ◦ π ◦ µ 33 / 54

  39. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Final Decomposition Number 1 α ⊙ ⊙ Multiplication in F 2 4 I ν 0 ν 1 α Linear permutation I Inversion in F 2 4 ν 0 , ν 1 , σ 4 × 4 permutations ϕ ⊙ ϕ 4 × 4 function σ ω Linear permutation ω 34 / 54

  40. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... 35 / 54

  41. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? 35 / 54

  42. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? Belarussian inspiration The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box, somewhat similar to π ... 35 / 54

  43. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? Belarussian inspiration The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box, somewhat similar to π ... ... based on a finite field exponential! 35 / 54

  44. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Final Decomposition Number 2 (!) log w , 16 0 1 2 3 4 5 6 7 8 9 a b c d e f T 0 0 1 2 3 4 5 6 7 8 9 a b c d e f T 1 0 1 2 3 4 5 6 7 8 9 a b c d e f ⊗ − 1 T 2 0 1 2 3 4 5 6 7 8 9 a b c d f e T 3 0 1 2 3 4 5 6 7 8 9 a b c f d e T T 4 0 1 2 3 4 5 6 7 8 9 a b f c d e T 5 0 1 2 3 4 5 6 7 8 9 a f b c d e T 6 0 1 2 3 4 5 6 7 8 9 f a b c d e ⊞ T 7 0 1 2 3 4 5 6 7 8 f 9 a b c d e T 8 0 1 2 3 4 5 6 7 f 8 9 a b c d e T 9 0 1 2 3 4 5 6 f 7 8 9 a b c d e q ′ T a 0 1 2 3 4 5 f 6 7 8 9 a b c d e T b 0 1 2 3 4 f 5 6 7 8 9 a b c d e T c 0 1 2 3 f 4 5 6 7 8 9 a b c d e T d 0 1 2 f 3 4 5 6 7 8 9 a b c d e ω ′ T e 0 1 f 2 3 4 5 6 7 8 9 a b c d e T f 0 f 1 2 3 4 5 6 7 8 9 a b c d e 36 / 54

  45. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Kuznyechik/Stribog π 37 / 54

  46. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Kuznyechik/Stribog π 37 / 54

  47. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Kuznyechik/Stribog π 37 / 54

  48. Introduction Mathematical Background On S-Box Reverse-Engineering Detailed Analysis of the Two Tables On Lightweight Cryptography TU-Decomposition Conclusion Conclusion on Kuznyechik/Stribog π ? 37 / 54

  49. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Outline Introduction 1 On S-Box Reverse-Engineering 2 On Lightweight Cryptography 3 Conclusion 4 37 / 54

  50. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Plan of this Section Introduction 1 On S-Box Reverse-Engineering 2 On Lightweight Cryptography 3 Internet of Things State of the Art Our Block Cipher: SPARX 4 Conclusion 37 / 54

  51. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion What Things? Everything is being connected to the internet. 38 / 54

  52. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion What Things? Everything 38 / 54

  53. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion What Things? Everything 38 / 54

  54. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion What Things? Everything 38 / 54

  55. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Security “In IoT, the S is for Security.” Internet-enabled devices have security flaws. Security is an aferthought (at best). Security has a cost in terms of engineering... ... and computationnal resources! 39 / 54

  56. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Lightweight Cryptography Lightweight cryptography uses litle resources. 40 / 54

  57. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Lightweight Cryptography from the Industry Stream ciphers, unless †(BC) or ‡(MAC) A5/1 CryptoMem. Cryptomeria † A5/2 Hitag2 Csa -BC † Cmea † Megamos Csa -SC Oryx Keeloq † PC-1 A5-GMR-1 Dst 40 † SecurID ‡ A5-GMR-2 iClass E0 Dsc Crypto-1 SecureMem. RC4 Css 41 / 54

  58. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Lightweight Cryptography from the Industry Stream ciphers, unless † (BC) or ‡ (MAC) A5/1 CryptoMem. Cryptomeria † A5/2 Hitag2 Csa -BC † Cmea † Megamos Csa -SC Oryx Keeloq † PC-1 A5-GMR-1 Dst 40 † SecurID ‡ A5-GMR-2 iClass E0 Dsc Crypto-1 SecureMem. RC4 Css They’re all dead (atacks in less than 2 64 ). 41 / 54

  59. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Lightweight Block Ciphers from Academia 3-Way DESLX PRINCE RECTANGLE RC5 PRESENT ITUbee Fantomas Misty1 MIBS TWINE Robin XTEA KATAN Zorro Midori AES GOST rev. Chaskey SIMECK Khazad PRINTCipher PRIDE RoadRunneR Noekeon EPCBC Joltik FLY Iceberg KLEIN LEA Mantis mCrypton LBlock iScream SKINNY HIGHT LED LBlock-s SPARX SEA Piccolo Scream Mysterion CLEFIA PICARO Lilliput Qarma 48 distinct block ciphers! 42 / 54

  60. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Common Trade-Offs in LWC Small internal state size. 43 / 54

  61. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Common Trade-Offs in LWC Small internal state size. Small key. 43 / 54

  62. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Common Trade-Offs in LWC Small internal state size. Small key. Simple key schedule. 43 / 54

  63. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Common Trade-Offs in LWC Small internal state size. Small key. Simple key schedule. No table look-ups (instead, ARX or bit-sliced S-Box). 43 / 54

  64. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion How did we design SPARX? 44 / 54

  65. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Block Cipher Design (1/2) Requirement S-Box-based ARX-based Confusion S ⊞ Diffusion L ⊞ , ≪ , ⊕ 45 / 54

  66. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Block Cipher Design (2/2) � ∆ S � # active S-Boxes P diff ≤ 2 b Design of an S-Box based SPN (wide trail strategy) 46 / 54

  67. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Block Cipher Design (2/2) � ∆ S � # active S-Boxes P diff ≤ 2 b Design of an ARX-cipher Design of an S-Box based SPN (wide trail (allegory) strategy) source: Wiki Commons 46 / 54

  68. Introduction Internet of Things On S-Box Reverse-Engineering State of the Art On Lightweight Cryptography Our Block Cipher: SPARX Conclusion Block Cipher Design (2/2) � ∆ S � # active S-Boxes P diff ≤ 2 b Design of an ARX-cipher Design of an S-Box based SPN (wide trail (allegory) strategy) source: Wiki Commons Can we use ARX and have provable bounds? 46 / 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC & SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby perrin dot leo at gmail 4th of July 2017 Boolean Functions and Their Applications The content of this talk is based on joint works with Biryukov,

1.32k views • 108 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
S-Box Reverse-Engineering Boolean Functions, American/Russian Standards, and Butterflies Lo

S-Box Reverse-Engineering Boolean Functions, American/Russian Standards, and Butterflies Lo

S-Box Reverse-Engineering Boolean Functions, American/Russian Standards, and Butterflies Lo Perrin Based on joint works with Biryukov, Canteaut, Duval and Udovenko June 6, 2018 CECC18 Building Blocks for Symmetric Cryptography Statistics

1.28k views • 99 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler

Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler

Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler Kathleen Fisher Tufts University Tufts University Automatic Reverse Engineering of Binary y Messages Who does this: Why: Malware Communication

778 views • 15 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky,

CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky,

Introduction IC Layout Recovery Functional Recovery Case Studies Conclusion CMOS Reverse Engineering Advanced Digital IC Design (ETI135) Vt1 2012 Steffen Malkowsky, Christoph M uller Lund University February 10, 2012 Steffen Malkowsky,

670 views • 50 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Information must be Secret Metallurgical -- matters of general knowledge in an industry

Information must be Secret Metallurgical -- matters of general knowledge in an industry

Trade Secret (1) Validity Information must be Secret Metallurgical -- matters of general knowledge in an industry cannot be appropriated by one as his secret (p. 41) Restatement of Torts pp. 45, note 5 Trade Secret

517 views • 19 slides
Monetary policy decision February 2020 Low interest rate for a long time to ensure

Monetary policy decision February 2020 Low interest rate for a long time to ensure

Monetary policy decision February 2020 Low interest rate for a long time to ensure close-to-target inflation Global demand has slowed down in recent years Calmer GDP growth But strong labour market 14 14 Unemployment, United States 12 12

284 views • 13 slides
International Trade Agreements and Implications on Global Growth Tuesday, April 19, 2016 9:00

International Trade Agreements and Implications on Global Growth Tuesday, April 19, 2016 9:00

34 th Annual Monetary and Trade Conference International Trade Agreements and Implications on Global Growth Tuesday, April 19, 2016 9:00 a.m. 12:30 p.m. LeBow College of Business Drexel University Philadelphia, PA This program has been

156 views • 11 slides
Trademark and Unfair Competition Law Slides 7: Product Packaging Trade Dress: Abercrombie v.

Trademark and Unfair Competition Law Slides 7: Product Packaging Trade Dress: Abercrombie v.

Trademark and Unfair Competition Law Slides 7: Product Packaging Trade Dress: Abercrombie v. Seabrook LAWS 7341-001 Prof. Kristelia Garca Class Outline Analyzing inherent distinctiveness of product packaging trade dress: Seabrook

742 views • 12 slides
Computer Organization & Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory

Computer Organization & Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory

Computer Organization & Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory and Dependable Memory Taylor Johnson Announcements and Outline Programming assignment 2 assigned, due 11/13 (tonight) by midnight Finish

2.43k views • 164 slides
Handouts Child Protection June 2012 (Amended Version) National Programme of Training for

Handouts Child Protection June 2012 (Amended Version) National Programme of Training for

National Programme of Training for Boards of Management of Primary Schools Handouts Child Protection June 2012 (Amended Version) National Programme of Training for Boards of Management Child Protection 2012 Slide 1 Slide 2 Slide 3

428 views • 14 slides
Improving Credit Assessment and Information for SMEs in Europe to Facilitate Access to Finance

Improving Credit Assessment and Information for SMEs in Europe to Facilitate Access to Finance

Improving Credit Assessment and Information for SMEs in Europe to Facilitate Access to Finance European Commission Workshop November 27 th , 2013 Brussels, Belgium 1 Brussels November 27, 2013 Joachim C Bartels

142 views • 10 slides
MF 1 - IN-TEXT QUESTIONS 1. Which one of the following is least likely to be interested in

MF 1 - IN-TEXT QUESTIONS 1. Which one of the following is least likely to be interested in

MF Lesson 01 MF 1 - IN-TEXT QUESTIONS 1. Which one of the following is least likely to be interested in financial information of a business? a ) Government b) Investors c ) Managers d) Ex-employees 2. Which one of the following

161 views • 3 slides

More recommend