
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and - PowerPoint PPT Presentation



  1. Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium. Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir. 1 / 27

  2. Cube attacks 2 / 27

  3. Timeline
     Aug 08: Shamir presents cube attacks at CRYPTO
     Sep 08: Dinur/Shamir paper on ePrint, attack on 771-round Trivium
     Oct 08: cube attacks reported on 14-round MD6
     Oct 08: cube testers reported on 18-round MD6
     Dec 08: Dinur/Shamir paper accepted to EUROCRYPT
     Jan 09: cube testers reported on Shabal  3 / 27

  4. Cube attacks in a nutshell
     Can attack any primitive with secret and public variables:
     ◮ keyed hash functions
     ◮ stream ciphers
     ◮ block ciphers
     ◮ MACs
     Target algorithms with low-degree components:
     ◮ stream ciphers based on low-degree NFSRs
     ◮ hash functions with only XORs and a few ANDs  4 / 27

  5. Cube attacks in a nutshell
     Requirements of the attacker:
     ◮ only black-box access to the function
     ◮ negligible memory
     Cube attacks work in 2 phases:
     ◮ precomputation: chosen keys and chosen IVs
     ◮ online: fixed unknown key and chosen IVs  5 / 27

  6. Key observation 1
     Any function $f : \{0,1\}^m \to \{0,1\}^n$ admits an algebraic normal form (ANF).
     Example: $f : \{0,1\}^{10} \to \{0,1\}^4$
       $f_1(x) = x_1 x_2 + x_2 x_8 x_9 + x_3 x_4 x_5 x_6 x_7$
       $f_2(x) = x_2 x_4 + x_6 x_8 x_9 + x_5 x_6 x_7 x_8 x_9 x_{10}$
       $f_3(x) = 1$
       $f_4(x) = 1 + x_1 + x_3 + x_5$  6 / 27

  7. Key observation 2: computation of the largest monomial's coefficient
     $f(x_1, x_2, x_3, x_4) = x_1 + x_3 + x_1 x_2 x_3 + x_1 x_2 x_4$
     $\phantom{f(x_1, x_2, x_3, x_4)} = x_1 + x_3 + x_1 x_2 x_3 + x_1 x_2 x_4 + 0 \times x_1 x_2 x_3 x_4$
     Sum over all values of $(x_1, x_2, x_3, x_4)$:
     $f(0,0,0,0) + f(0,0,0,1) + f(0,0,1,0) + \cdots + f(1,1,1,1) = 0$  7 / 27

  8. Key observation 3: evaluation of factor polynomials
     $f(x_1, x_2, x_3, x_4) = x_1 + x_3 + x_1 x_2 x_3 + x_1 x_2 x_4 = x_1 + x_3 + x_1 x_2 (x_3 + x_4)$
     Fix $x_3$ and $x_4$, sum over all values of $(x_1, x_2)$:
     $\sum_{(x_1, x_2) \in \{0,1\}^2} f(x_1, x_2, x_3, x_4) = 4 \times x_1 + 4 \times x_3 + 1 \times (x_3 + x_4) = x_3 + x_4$  8 / 27

  9. Key observation 3: evaluation of factor polynomials
     $f(x_1, x_2, x_3, x_4) = \cdots + x_1 x_2 (x_3 + x_4)$
     Fix $x_3$ and $x_4$, sum over all values of $(x_1, x_2)$:
     $\sum_{(x_1, x_2) \in \{0,1\}^2} f(x_1, x_2, x_3, x_4) = x_3 + x_4$  9 / 27

  10. Terminology
      $f(x_1, x_2, x_3, x_4) = x_1 + x_3 + x_1 x_2 (x_3 + x_4)$
      $(x_3 + x_4)$ is called the superpoly of the cube $x_1 x_2$  10 / 27

  11. Evaluation of a superpoly
      $x_3$ and $x_4$ fixed and unknown; $f(\cdot, \cdot, x_3, x_4)$ queried as a black box.
      ANF unknown, except: $x_1 x_2$'s superpoly is $(x_3 + x_4)$
      $f(x_1, x_2, x_3, x_4) = \cdots + x_1 x_2 (x_3 + x_4) + \cdots$
      Query $f$ to evaluate the superpoly:
      $\sum_{(x_1, x_2) \in \{0,1\}^2} f(x_1, x_2, x_3, x_4) = x_3 + x_4$  11 / 27

  12. Key-recovery attack
      On a stream cipher with key $k$ and IV $v$, $f : (k, v) \mapsto$ first keystream bit.
      Offline: find cubes with linear superpolys
        $f(k, v) = \cdots + v_1 v_3 v_5 v_7 (k_2 + k_3 + k_5) + \cdots$
        $f(k, v) = \cdots + v_1 v_2 v_6 v_8 v_{12} (k_1 + k_2) + \cdots$
        $\cdots = \cdots$
        $f(k, v) = \cdots + v_3 v_4 v_5 v_6 (k_3 + k_4 + k_5) + \cdots$
      (reconstruct the superpolys with linearity tests)
      Online: evaluate the superpolys, solve the system  12 / 27
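Both phases of the key-recovery attack, worked end to end on a constructed toy function (an added example, not code from the presentation). `toy_cipher`, its 4 key bits, 6 IV bits (0-indexed) and the cubes are all assumptions; the linearity test is the BLR check p(0)+p(a)+p(b)+p(a+b) = 0, run over all key pairs because the toy key is tiny (a real attack samples pairs).

```python
import itertools

def toy_cipher(k, v):
    # Constructed toy "first keystream bit": 4 key bits k, 6 IV bits v, each 0 or 1.
    return (v[0]&v[1]&(k[0]^k[1]) ^ v[2]&v[3]&(k[1]^k[2]^1) ^ v[4]&v[5]&(k[2]^k[3])
            ^ v[0]&v[2]&v[4]&k[0] ^ v[1]&v[5]&k[0]&k[1] ^ v[1]&k[3] ^ v[3])

def superpoly(f, k, cube, n_iv=6):
    # Sum f over all assignments of the cube's IV bits; the other IV bits stay 0.
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [bits[cube.index(i)] if i in cube else 0 for i in range(n_iv)]
        total ^= f(k, v)
    return total

def linear_superpoly(f, cube, n_key=4):
    # Offline phase (chosen keys): BLR linearity test p(0)+p(a)+p(b)+p(a+b)=0 over all
    # key pairs (exhaustive for this toy, sampled in practice); then the coefficient
    # of k_j in the linear superpoly is p(e_j)+p(0). Returns None if nonlinear.
    keys = list(itertools.product((0, 1), repeat=n_key))
    p = {k: superpoly(f, k, cube) for k in keys}
    zero = keys[0]
    for a in keys:
        for b in keys:
            if p[zero] ^ p[a] ^ p[b] ^ p[tuple(x ^ y for x, y in zip(a, b))]:
                return None
    unit = lambda j: tuple(int(i == j) for i in range(n_key))
    return [p[unit(j)] ^ p[zero] for j in range(n_key)], p[zero]

def solve_gf2(rows, rhs):
    # Gaussian elimination over GF(2); assumes the chosen cubes give a full-rank system.
    n = len(rows[0])
    m = [r + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next(i for i in range(col, len(m)) if m[i][col])
        m[col], m[piv] = m[piv], m[col]
        for i in range(len(m)):
            if i != col and m[i][col]:
                m[i] = [x ^ y for x, y in zip(m[i], m[col])]
    return [m[i][n] for i in range(n)]

def recover_key(oracle, cubes, n_key=4):
    # Online phase: oracle(v) is the cipher under a fixed unknown key, only IVs are
    # chosen. Cubes whose superpoly failed the offline linearity test are skipped.
    rows, rhs = [], []
    for cube in cubes:
        lin = linear_superpoly(toy_cipher, cube, n_key)   # result of the offline phase
        if lin:
            rows.append(lin[0])
            rhs.append(superpoly(lambda _k, v: oracle(v), None, cube) ^ lin[1])
    return solve_gf2(rows, rhs)
```

The cube v1v5 has the nonlinear superpoly k0k1 and is rejected by the linearity test; the four remaining cubes give a full-rank linear system in the key bits.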

  13. Cube testers 13 / 27

  14. Cube testers in a nutshell
      Like cube attacks:
      ◮ need only black-box access
      ◮ target primitives with secret and public variables, built on low-degree components
      Unlike cube attacks:
      ◮ give distinguishers rather than key recovery
      ◮ don't require low-degree functions
      ◮ need no precomputation  14 / 27

  15. Basic idea
      Detect structure (nonrandomness) in the superpoly, using algebraic property testers.
      A tester for property P on the function f:
      ◮ makes (adaptive) queries to f
      ◮ accepts when f satisfies P
      ◮ rejects with bounded probability otherwise  15 / 27

  16. Examples of efficiently testable properties
      ◮ balance
      ◮ linearity
      ◮ low degree
      ◮ constantness
      ◮ presence of linear variables
      ◮ presence of neutral variables
      General characterization by Kaufman/Sudan, STOC’08  16 / 27

  17. Superpolys attackable by testing...
      ... low degree (6): $\cdots + x_1 x_2 x_3 (x_2 x_3 + x_4 x_{21} + x_6 x_9 x_{20} x_{30} x_{40} x_{50}) + \cdots$
      ... neutral variables ($x_6$): $\cdots + x_1 x_2 x_3 x_4 x_5 \cdot g(x_7, x_8, \ldots, x_{80}) + \cdots$
      ... linear variables ($x_6$): $\cdots + x_1 x_2 x_3 x_4 x_5 \cdot (x_6 + g(x_7, x_8, \ldots, x_{80})) + \cdots$  17 / 27
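A cube tester for the neutral-variable and linear-variable properties listed above, as an added example that is not from the presentation. `toy_function` (12 variables, 0-indexed) and its cube are constructed so that the superpoly of x0x1x2x3x4 is x5 + g(x6,...,x9), i.e. x5 is linear in it and x10, x11 are neutral; the tester queries the function only as a black box.

```python
import itertools
import random

def cube_sum(f, cube, x):
    # Superpoly value at x: sum f over all assignments of the cube variables,
    # with the remaining variables fixed to the values given in x.
    total, x = 0, list(x)
    for bits in itertools.product((0, 1), repeat=len(cube)):
        for i, b in zip(cube, bits):
            x[i] = b
        total ^= f(x)
    return total

def toy_function(x):
    # Constructed function shaped like slide 17: the superpoly of the cube
    # x0x1x2x3x4 is x5 + g(x6, x7, x8, x9); the other terms vanish in the cube sum.
    g = x[6]&x[7]&x[8] ^ x[7]&x[9] ^ x[6]&x[9]
    return (x[0]&x[1]&x[2]&x[3]&x[4]&(x[5]^g) ^ x[10]&x[11]&x[0]
            ^ x[11]&x[5]&x[9] ^ x[2]&x[10])

def flip_sensitivity(f, cube, n_vars, j, samples=32, seed=1):
    # Tester: for random assignments of the non-cube variables, count how often
    # flipping x_j changes the cube sum. 0 means x_j looks neutral in the
    # superpoly, `samples` means it looks linear; a random superpoly gives
    # roughly half. Each sample costs 2 * 2^len(cube) queries to f.
    rng = random.Random(seed)
    changed = 0
    for _ in range(samples):
        x = [rng.randint(0, 1) for _ in range(n_vars)]
        y = list(x)
        y[j] ^= 1
        changed += cube_sum(f, cube, x) != cube_sum(f, cube, y)
    return changed

def classify(f, cube, n_vars, j, samples=32):
    # Wrap the count into the verdicts used on the slides.
    s = flip_sensitivity(f, cube, n_vars, j, samples)
    return "neutral" if s == 0 else "linear" if s == samples else "unclear"
```

For the cube x0x1x2x3x4 the tester reports x5 as linear and x10, x11 as neutral; a variable inside g such as x6 comes out neither way, as expected.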

  18. Results 18 / 27

  19. MD6
      Presented by Rivest at CRYPTO 2008; submitted to the SHA-3 competition.
      ◮ quadtree structure
      ◮ construction RO-indifferentiable
      ◮ low-degree compression function
      ◮ at least 80 rounds
      ◮ best attack by the designers: 12 rounds  19 / 27

  20. MD6's compression function: $\{0,1\}^{64 \times 89} \to \{0,1\}^{64 \times 16}$
      Input: 64-bit words $A_0, A_1, \ldots, A_{88}$
      Compute the $A_i$'s with the recursion
        $x \leftarrow S_i \oplus A_{i-17} \oplus A_{i-89} \oplus (A_{i-18} \wedge A_{i-21}) \oplus (A_{i-31} \wedge A_{i-67})$
        $x \leftarrow x \oplus (x \gg r_i)$
        $A_i \leftarrow x \oplus (x \ll \ell_i)$
      ◮ round-dependent constant $S_i$
      ◮ quadratic step, at least 1280 steps  20 / 27

  21. Results on MD6
      Cube attack (key recovery):
      ◮ on the 14-round compression function
      ◮ recovers any 128-bit key
      ◮ in time $\approx 2^{22}$
      Cube testers (testing balance):
      ◮ detect nonrandomness on 18 rounds
      ◮ detect nonrandomness on 66 rounds when $S_i = 0$
      ◮ in time $\approx 2^{17}$ and $\approx 2^{24}$, respectively  21 / 27

  22. Trivium
      Stream cipher by De Cannière and Preneel, 2005; eSTREAM HW portfolio.
      ◮ 80-bit key and IV
      ◮ 3 quadratic NFSRs
      ◮ 1152 initialization rounds
      ◮ best attack on 771 rounds (cube attack)  22 / 27

  23. Cube testers on Trivium
      Test the presence of neutral variables.
      Distinguishers (only choose IVs):
      ◮ $2^{24}$: 772 rounds
      ◮ $2^{30}$: 790 rounds
      Nonrandomness (assumes some control of the key):
      ◮ $2^{24}$: 842 rounds
      ◮ $2^{27}$: 885 rounds
      Full version: 1152 rounds  23 / 27

  24. Conclusions 24 / 27

  25. Cube testers
      + more general than classical cube attacks
      + no precomputation
      + “polymorphic”
      – only give distinguishers
      – only find feasible attacks
      – relevant for a minority of functions (like cube attacks)  25 / 27

  26. Open issues
      How to predict the existence of unexpected properties?
      How to find the best cubes?
      Attacks on (reduced versions of) other algorithms: Grain, ESSENCE, Keccak, Luffa, Shabal, ...  26 / 27

  27. Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium. Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir. 27 / 27
