cube attacks on stream ciphers based on division property
play

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun - PowerPoint PPT Presentation

Jun 16, 2023 •139 likes •389 views

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

  1. Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23

  2. Plan Cube Attack: An Introduction 1 Cube Attacks with Division Property 2 Our Results 3 Conclusion and Future work 4 Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 2 / 23

  3. Motivation Symmetric key ciphers for FHE, MPC, ... Trivium [Canni` ere-Preneel ’07] LowMC [Albrecht et al. ’15] Kreyvium [Canteaut et al. ’16] Low Multiplicative Complexity (MC) is crucial Minimize the number of ANDs and multiplicative depth Our goal Cube attacks on low MC ciphers Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 3 / 23

  4. Low MC stream ciphers Trivium [Canni` ere-Preneel ’07] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 4 / 23

  5. Low MC stream ciphers Kreyvium [Canteaut et al. ’16] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 5 / 23

  6. Cube attacks [Dinur-Shamir ’09] Extension of Higher Order Differential Attack and Algebraic Attacks Chosen plaintext key recovery attack - Keyed hash functions - Stream ciphers - Block ciphers - MAC algorithms Powerful for primitives with low-degree component - Stream ciphers based on low-degree NFSR - Permutations with only a few XORs and ANDs Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 6 / 23

  7. Cube attack in a nutshell Preprocessing: Sum over outputs of subspaces over chosen public variables Store equations between sums and secret variables Online: Evaluate sums over outputs of chosen plaintexts Recover key bits by solving equations Dinur-Shamir attack only needs blackbox access to the cipher Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 7 / 23

  8. Main observation Cube sum of Boolean functions f ( x 1 , x 2 , x 3 , x 4 ) = x 1 + x 1 x 2 + x 3 x 4 + x 1 x 2 x 3 + x 1 x 3 x 4 = x 1 + x 1 x 2 + x 3 x 4 (1 + x 1 ) + x 1 x 2 x 3 Fix x 1 , x 2 , sum over all values of ( x 3 , x 4 ) � f ( x 1 , x 2 , x 3 , x 4 ) = 4 x 1 + 4 x 1 x 2 + 1 + x 1 + 2 x 1 x 2 ( x 3 , x 4 ) ∈ F 2 2 = 1 + x 1 The set { ( c 1 , c 2 , x 3 , x 4 ) ∈ F 4 2 } is a cube with dim 2 The resulting sum is the superpoly of the cube Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 8 / 23

  9. The attack Write a cipher by f ( x , v ) �→ Output Public variables v controlled by the attacker, e.g., a message or nonce Secret variables x Output: Ciphertext, keystream, or a hash bit Preprocessing Find cubes with simple (eg. linear) superpoly p ( x ) Reconstruct p ( x ) Online Collect a system of linear equations p ( x ) = b Recover key bits by solving the equations and exhaustive search for remaining key bits if necessary Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 9 / 23

  10. Preprocessing phase Given cube I of size C Find cubes with simple (eg. linear) superpoly p ( x ) Property test of superpoly Complexity O ( N 1 2 C ), N 1 is number of queries Reconstruct superpoly p ( x ) � f ( v , x ) = p ( x ) v ∈ I Superpoly p ( x ) can be recovered by Moebius Transformation Complexity O ( N 2 2 C ), N 2 is number of queries More information on p , smaller N 2 Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 10 / 23

  11. Problems and Progress How to find the most efficient cube? Random walk heuristic algorithm [Dinur-Shamir’09] Cube variables with conditions [Dinur et al. ’15] Conditional cube attack [Huang et al. ’17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 11 / 23

  12. Problems and Progress Attack in blackbox model - Cannot leverage the specific structural properties Size cube exploitable is limited ( ≤ 40) - Due to large complexity of testing superpoly - Cannot predict what will happen if bigger cube chosen Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 12 / 23

  13. Problems and Progress Attack in blackbox model - Cannot leverage the specific structural properties Size cube exploitable is limited ( ≤ 40) - Due to large complexity of testing superpoly - Cannot predict what will happen if bigger cube chosen Kill two birds with one stone: Division property Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 12 / 23

  14. Division property [Todo ’15] A method to construct higher order differential/integral distinguisher Successfully used to analyze block ciphers and hash functions Efficient evaluation by MILP [Xiang et al. ’16] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 13 / 23

  15. Cube attacks with division property Ideas of the new attack [Todo et al. ’17] Analyze involved variables in the ANF of superpoly by division property + Non-Blackbox attack + Applied to nonlinear superpoly Model and solve the division propagation by MILP + Much more efficient than cube sum + Allow to search large cubes since no need to do cube sum to test the property of superpoly Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 14 / 23

  16. What’s new Apply division property to analyze stream ciphers Exploit large cubes Improve key recovery attacks on stream ciphers, e.g. Trivium Round Complexity Cube size Ref 2 36 767 30 [Dinur-Shamir ’09] 2 62 799 40 [Fouque-Vannet ’13] 2 79 832 72 [Todo et al. ’17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 15 / 23

  17. Our idea Investigate higher-degree monomials in the ANF of superpoly by division property Improve the MILP model by removing redundant division trails Highlights of improved method Detect more information on superpoly Reduce complexity of superpoly recovery Attack more rounds Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 16 / 23

  18. Trivium [Canni` ere-Preneel ’07] 80 bit key and 80 bit IV, 288 bit state 1152 rounds in initialization phase ( s 1 , s 2 , . . . , s 93 ) ← ( K 1 , K 2 , . . . , K 80 , 0 , ..., 0) ( s 94 , s 95 , . . . , s 177 ) ← ( IV 1 , IV 2 , . . . , IV 80 , 0 , ..., 0) ( s 178 , s 279 , . . . , s 288 ) ← (0 , ..., 0 , 1 , 1 , 1) t 1 ← s 66 ⊕ s 93 t 2 ← s 162 ⊕ s 177 t 3 ← s 243 ⊕ s 288 z ← t 1 ⊕ t 2 ⊕ t 3 t 1 ← t 1 ⊕ s 91 · s 92 ⊕ s 171 t 2 ← t 2 ⊕ s 175 · s 176 ⊕ s 264 t 3 ← t 3 ⊕ s 286 · s 287 ⊕ s 69 ( s 1 , s 2 , . . . , s 93 ) ← ( t 3 , s 1 , . . . , s 92 ) ( s 94 , s 95 , . . . , s 177 ) ← ( t 1 , s 94 , . . . , s 176 ) ( s 178 , s 279 , . . . , s 288 ) ← ( t 2 , s 178 , . . . , s 287 ) Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 17 / 23

  19. Results on reduced-round Trivium Improved key recovery attack on Trivium Round Complexity Cube size Ref 2 62 799 40 [Fouque-Vannet ’13] 2 79 832 72 [Todo et al. ’17] 2 75 833 74 new Possible to further improve attack rounds! Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 18 / 23

  20. Kreyvium [Canteaut et al. ’16] 128-bit variant of Trivium, | K | = | IV | = 128 1152 rounds initialization ( K ∗ 127 , K ∗ 126 , . . . , K ∗ 0 ) ← ( K 1 , K 2 , . . . , K 128 ) ( IV ∗ 127 , IV ∗ 126 , . . . , IV ∗ 0 ) ← ( IV 1 , IV 2 , . . . , IV 128 ) ( s 1 , s 2 , . . . , s 93 ) ← ( K 1 , K 2 , . . . , K 93 ) ( s 94 , s 95 , . . . , s 177 ) ← ( IV 1 , IV 2 , . . . , IV 84 ) ( s 178 , s 279 , . . . , s 288 ) ← ( IV 85 , IV 86 , ..., IV 128 , 1 , ..., 1 , 0) t 1 ← s 66 ⊕ s 93 t 2 ← s 162 ⊕ s 177 t 3 ← s 243 ⊕ s 288 ⊕ K ∗ 0 z ← t 1 ⊕ t 2 ⊕ t 3 t 1 ← t 1 ⊕ s 91 · s 92 ⊕ s 171 ⊕ IV ∗ 0 t 2 ← t 2 ⊕ s 175 · s 176 ⊕ s 264 t 3 ← t 3 ⊕ s 286 · s 287 ⊕ s 69 ( s 1 , s 2 , . . . , s 93 ) ← ( t 3 , s 1 , . . . , s 92 ) ( s 94 , s 95 , . . . , s 177 ) ← ( t 1 , s 94 , . . . , s 176 ) ( s 178 , s 279 , . . . , s 288 ) ← ( t 2 , s 178 , . . . , s 287 ) ( K ∗ 127 , K ∗ 126 , . . . , K ∗ 0 ) ← ( K ∗ 0 , K ∗ 127 , K ∗ 126 , . . . , K ∗ 1 ) ( IV ∗ 127 , IV ∗ 126 , . . . , IV ∗ 0 ) ← ( IV ∗ 0 , IV ∗ 127 , IV ∗ 126 , . . . , IV ∗ 1 ) Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 19 / 23

  21. Results on reduced-round Kreyvium Improved key recovery attack on Kreyvium Round Complexity Cube size Ref 2 124 872 85 [Todo et al. ’17] 2 124 884 95 new Still no clue on the security margin Lower security margin than Trivium - see also Conditional Differential Cryptanalysis [Watanabe et al. ’17] Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 20 / 23

  22. Conclusion Apply division property to analyze stream cipher Capable to search large cubes Reduce complexity of superpoly recovery Improve key recovery attack on stream ciphers Trivium and Kreyvium Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 21 / 23

  23. Future work Find the most efficient cube for stream ciphers Optimize the complexity of key recovery phase Apply to other designs - Cube attack + structural properties Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 22 / 23

  24. Thank you! Questions? Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 23 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State

ASK 2018, ISI Kolkata November 13, 2018 Recent Results on Stream Ciphers Willi Meier 1 / 47 Overview - Stream Ciphers with Small State - A generic TMD tradeoff distinguisher - High-order differentials - Cryptanalysis with division property

944 views • 47 slides
A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif

A Countermeasure Against Power Analysis Attacks for FSR-Based Stream Ciphers Shohreh Sharif Mansouri and Elena Dubrova Department of Electronic Systems, School of ICT, KTH - Royal Institute of Technology, Stockholm Email:{shsm,dubrova}@kth.se

457 views • 17 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Objectives Classifications Feedback Based Stream Ciphers Linear Feedback Shift

Stream Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Classifications Feedback Based Stream Ciphers Linear Feedback

263 views • 15 slides
Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden

Feedback shift register based stream ciphers Thomas Johansson, Lund University, Lund, Sweden 5/15/2007 1 CONTENTS Efficient encryption and possible solutions Stream ciphers Basic security analysis of stream ciphers LFSR sequences Design

497 views • 45 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Functional tensors for probabilistic programming Fritz Obermeyer, Eli Bingham, Martin Jankowiak,

Functional tensors for probabilistic programming Fritz Obermeyer, Eli Bingham, Martin Jankowiak,

Functional tensors for probabilistic programming Fritz Obermeyer, Eli Bingham, Martin Jankowiak, Du Phan, JP Chen (Uber AI) NeurIPS workshop on program transformation 2019-12-14 Outline Motivation What are Funsors? Language overview

905 views • 48 slides
Sum of matrix entries of representations of the symmetric group and its asymptotics Dario De

Sum of matrix entries of representations of the symmetric group and its asymptotics Dario De

Sum of matrix entries of representations of the symmetric group and its asymptotics Sum of matrix entries of representations of the symmetric group and its asymptotics Dario De Stavola 13 October 2015 Advisor: Valentin Fray Affiliation:

851 views • 68 slides
PROBABILITY INEQUALITIES FOR SUMS OF RANDOM MATRICES JOEL A. TROPP 1. Overview Let X 1 ,..., X n

PROBABILITY INEQUALITIES FOR SUMS OF RANDOM MATRICES JOEL A. TROPP 1. Overview Let X 1 ,..., X n

PROBABILITY INEQUALITIES FOR SUMS OF RANDOM MATRICES JOEL A. TROPP 1. Overview Let X 1 ,..., X n be independent, self-adjoint random matrices with dimension d d . Our goal is to provide bounds for the probability n P { max ( k = 1 X k )

409 views • 3 slides
More Performance 1 Changelog Changes made in this version not seen in fjrst lecture: to be more

More Performance 1 Changelog Changes made in this version not seen in fjrst lecture: to be more

More Performance 1 Changelog Changes made in this version not seen in fjrst lecture: to be more consistent with assembly 7 November 2017: general advice [on perf assignment]: note not for when we give specifjc advice 7 November 2017: vector

1.33k views • 104 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
Bob Lee @crazybob 2 ,000,000 Dim Sum Accepting a payment Authorization 1 Capture 2

Bob Lee @crazybob 2 ,000,000 Dim Sum Accepting a payment Authorization 1 Capture 2

Bob Lee @crazybob 2 ,000,000 Dim Sum Accepting a payment Authorization 1 Capture 2 Persistent Queues ACID Atomicity Durability Filesystem Promises Renaming is atomic Fsync is durable* Segment/block writes Traditional

1k views • 45 slides
Deterministic identity testing for sum of read-once oblivious arithmetic branching programs

Deterministic identity testing for sum of read-once oblivious arithmetic branching programs

Deterministic identity testing for sum of read-once oblivious arithmetic branching programs Rohit Gurjar, Arpita Korwar, Nitin Saxena, IIT Kanpur Thomas Thierauf Aalen University June 18, 2015 Gurjar, Korwar, Saxena, Thierauf PIT for sum of

1.13k views • 70 slides

More recommend