experimentally verifying a complex algebraic attack on
play

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 - PowerPoint PPT Presentation

Jan 22, 2024 •169 likes •754 views

Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 Washington D.C. Itai Dinur 1 , Tim Gneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1

  1. Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 – Washington D.C. Itai Dinur 1 , Tim Güneysu 2 , Christof Paar 2 , Adi Shamir 1 , and Ralf Zimmermann 2 1 Computer Science Dept., The Weizmann Institute, Israel 18.03.2012 2 Horst Görtz Institute for IT Security, Ruhr-University Bochum

  2. Outline  Introduction  Implementation  Problems and Solutions  Results and Conclusion SHARCS 2012 | Washington D.C. | 18.03.2012 2

  3. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 3

  4. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 4

  5. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 5

  6. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 6

  7. Introduction Experimentally Explaining The Title Experimentally Verifying a Complex Algebraic Attack on the Grain-128 Cipher Using Dedicated Reconfigurable Hardware SHARCS 2012 | Washington D.C. | 18.03.2012 7

  8. Introduction Grain-128  128-bit key, 96-bit IV  Boolean functions  256 clock cycles SHARCS 2012 | Washington D.C. | 18.03.2012 8

  9. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 • SHARCS 2012 | Washington D.C. | 18.03.2012 9

  10. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 •  Uses CubeTesters • Aumasson/Dinur/Meier/Shamir (FSE 2009) • Related to higher order differential attacks • Distinguishes (special) polynomials from random functions SHARCS 2012 | Washington D.C. | 18.03.2012 10

  11. Introduction Cube Attack (very brief  )  Algebraic Attack • Dinur/Shamir (FSE 2011), improved (Asiacrypt 2011) Complexity d*2 d+e-10 (d = 50, e = 39) • Implication: 2 128  2 85 •  Uses CubeTesters • Aumasson/Dinur/Meier/Shamir (FSE 2009) • Related to higher order differential attacks • Distinguishes (special) polynomials from random functions  Multiple Steps • Guess and generate scores • Determine most likely values of secret expression • Recover the key SHARCS 2012 | Washington D.C. | 18.03.2012 11

  12. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic? SHARCS 2012 | Washington D.C. | 18.03.2012 12

  13. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic?  Simulate correct guess for known key 1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list SHARCS 2012 | Washington D.C. | 18.03.2012 13

  14. Introduction Cube Attack - Partial Simulation  Motivation : • Attack complexity only estimated • Theoretical success probability realistic?  Simulate correct guess for known key 1. Compute cube summations 2. Compute score of correct guess 3. Estimate position in sorted guess list Details: Dinur et al. (Asiacrypt 2011) SHARCS 2012 | Washington D.C. | 18.03.2012 14

  15. Outline  Introduction  Implementation  Problems and Solutions  Results and Conclusion SHARCS 2012 | Washington D.C. | 18.03.2012 15

  16. Implementation Hardware Design Goals  Considerations  Flexibility  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 16

  17. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 17

  18. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility • Adaptable to modified cube attacks • Adaptable to modified parameter sets  Operability SHARCS 2012 | Washington D.C. | 18.03.2012 18

  19. Implementation Hardware Design Goals  Considerations • Needs high performance! • Data complexity? • Bottlenecks?  Flexibility • Adaptable to modified cube attacks • Adaptable to modified parameter sets  Operability • Fully working post-place and route design • Fully working on RIVYERA FPGA Cluster SHARCS 2012 | Washington D.C. | 18.03.2012 19

  20. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs SHARCS 2012 | Washington D.C. | 18.03.2012 20

  21. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs  16 Boards SHARCS 2012 | Washington D.C. | 18.03.2012 21

  22. Implementation RIVYERA Architecture  8 Spartan-3 5000 FPGAs  16 Boards  i7 Processor SHARCS 2012 | Washington D.C. | 18.03.2012 22

  23. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 23

  24. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 24

  25. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 25

  26. Implementation The Algorithm - Hands-On SHARCS 2012 | Washington D.C. | 18.03.2012 26

  27. Implementation The Algorithm - Hands-On  Focus on time consuming steps 1. Chose random key 2. Generate boolean functions (polynomials to evaluate) Compute 2 50 times the first output bit (Grain-128 Initialization) 3. 4. XOR the results in some way SHARCS 2012 | Washington D.C. | 18.03.2012 27

  28. Implementation The Algorithm - Hands-On  Focus on time consuming steps 1. Chose random key 2. Generate boolean functions (polynomials to evaluate) Compute 2 50 times the first output bit (Grain-128 Initialization) 3. 4. XOR the results in some way Sounds easy! Let’s try it in Software… SHARCS 2012 | Washington D.C. | 18.03.2012 28

  29. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 1 0 0 0 1 1 0 1 0 1 0 0 1 0 1 • Red: cube indices • Blue: dynamic variables SHARCS 2012 | Washington D.C. | 18.03.2012 29

  30. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 1 0 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 30

  31. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 0 1 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 31

  32. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 1 0 1 0 1 0 0 1 0 1 1 0 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 SHARCS 2012 | Washington D.C. | 18.03.2012 32

  33. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup SHARCS 2012 | Washington D.C. | 18.03.2012 33

  34. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup  But: Very slow in Software (2 50 Grain iterations per key) SHARCS 2012 | Washington D.C. | 18.03.2012 34

  35. Implementation Software View  Prepare IV in an array Example • Unfilled: initial IV (unchanged) … 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 1 0 1 0 • Red: cube indices • Blue: dynamic variables  Update the IV: Let’s try hardware! • Increment cube indices by 1 • Evaluate polynomials 0 and 1 xor 0 and 1 and 1  Polynomial Evaluation • Loop over all Monomials • Simple Array-Lookup  But: Very slow in Software (2 50 Grain iterations per key) SHARCS 2012 | Washington D.C. | 18.03.2012 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on

Algebraic embeddings of complex and almost complex structures Jean-Pierre Demailly (based on joint work with Herv e Gaussier) Institut Fourier, Universit e de Grenoble Alpes & Acad emie des Sciences de Paris CIME School on Complex

971 views • 57 slides
The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA

The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA

The constant appeared in algebraic and complex geometry Min Ru University of Houston TX, USA Min Ru The constant appeared in algebraic and complex geometry Nevanlinna theory: Introduction the notations Let X be a complex projective

1.14k views • 80 slides
Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin

Guess-then-algebraic attack on the Self-Shrinking Generator Blandine Debraize, Louis Goubin Lausanne, February 12, 2008 Outline 1 Introduction The Self-Shrinking Generator Methods to Solve Algebraic Systems Guessing Information Lausanne,

518 views • 34 slides
demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman

demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman

Meeting today's demands for Validating, Verifying and Certifying complex SDR Applications Ken Dingman Harris Corporation THIS INFORMATION WAS APPROVED FOR PUBLISHING PER THE ITAR AS `BASIC MARKETING INFORMATION OF DEFENSE ARTICLES` OR AS

352 views • 31 slides
Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University

Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University

Transcendental lattices of complex algebraic surfaces Transcendental lattices of complex algebraic surfaces Ichiro Shimada Hiroshima University November 25, 2009, Tohoku 1 / 27 Transcendental lattices of complex algebraic surfaces

419 views • 27 slides
Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in

Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in

Introduction: The problem of CSG r-matrix structure Algebraic structures of Poisson brackets of L The YB equations for a,s On the Algebraic structure of classical integrability for complex sine-Gordon J. Avan 1 Work in collaboration with Luc

594 views • 22 slides
Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20,

Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20,

Examples of non- algebraic classes in the Brown-Peterson tower Institut Mittag-Leffler April 20, 2017 Gereon Quick NTNU Algebraic classes: smooth complex schemes Let E be a motivic spectrum over Sm C . Algebraic classes: smooth complex

1.81k views • 144 slides
Algebraic and combinatorial methods for bounding the number of the complex embeddings of

Algebraic and combinatorial methods for bounding the number of the complex embeddings of

Algebraic and combinatorial methods for bounding the number of the complex embeddings of minimally rigid graphs E. Bartzos, I.Z. Emiris, J. Schicho 14 June 2019 Geometric constraint systems: rigidity, flexibility and applications Lancaster

606 views • 31 slides
Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
A Brief Comparison: some experimentally verified Generalize the key constraints and

A Brief Comparison: some experimentally verified Generalize the key constraints and

MN1 T. Metodiev D. Copsey F.T. Chong I.L. Chuang M. Oskin J. Kubiatowicz Motivation Many Proposed Technologies All work toward the same goal A Brief Comparison: some experimentally verified Generalize the key

361 views • 5 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Two-dimensional materials from high-throughput computational exfoliation of experimentally known

Two-dimensional materials from high-throughput computational exfoliation of experimentally known

Two-dimensional materials from high-throughput computational exfoliation of experimentally known compounds Nicolas Mounet, Marco Gibertini, Philippe Schwaller, Davide Campi, Andrius Merkys, Antimo Marrazzo, Thibault Sohier, Ivano Eligio

500 views • 23 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law

Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law

Do Now Date: February 9, 2015 Obj: Experimentally confirm (or disconfirm) Boyles Law for the behavior of gases. Choose and answer one of the following: Why do divers get the bends? Why do your ears pop going up a

892 views • 62 slides
Inseparable leaves of polynomial submersions Francisco Braun Departamento de Matem atica

Inseparable leaves of polynomial submersions Francisco Braun Departamento de Matem atica

Inseparable leaves of polynomial submersions Francisco Braun Departamento de Matem atica Universidade Federal de S ao Carlos June 20, 2019 Joint work with F. Fernandes (DM-UFSCar) Partially supported by Fapesp Grant 2017/00136-0 and

2.09k views • 124 slides
CPSC 490 Graphs+DP Part 4: SCC, 2-SAT; Part 1: Intro Lucca Siaudzionis and Jack

CPSC 490 Graphs+DP Part 4: SCC, 2-SAT; Part 1: Intro Lucca Siaudzionis and Jack

CPSC 490 Graphs+DP Part 4: SCC, 2-SAT; Part 1: Intro Lucca Siaudzionis and Jack Spalding-Jamieson 2020/01/21 University of British Columbia Announcements Assignment 1 is due this Saturday !!! In todays lecture, we will cover what

1.05k views • 67 slides
Hodge theory in combinatorics Eric Katz (University of Waterloo) joint with June Huh (IAS) and

Hodge theory in combinatorics Eric Katz (University of Waterloo) joint with June Huh (IAS) and

Hodge theory in combinatorics Eric Katz (University of Waterloo) joint with June Huh (IAS) and Karim Adiprasito (IAS) May 14, 2015 But Hodge shant be shot; no, no, Hodge shall not be shot. Samuel Johnson Eric Katz (Waterloo)

1.1k views • 93 slides
Introduction Plethystic substitution Substitution operation in the ring of power series in

Introduction Plethystic substitution Substitution operation in the ring of power series in

A simplicial groupoid for plethysm Alex Cebrian Universitat Aut` onoma de Barcelona July 11, 2018 arXiv:1804.09462 Introduction Plethystic substitution Substitution operation in the ring of power series in infinitely many variables,

567 views • 30 slides
HW/SW Codesign GEZEL ECE 495/595 GEZEL: Basics We will capture hardware designs into a language

HW/SW Codesign GEZEL ECE 495/595 GEZEL: Basics We will capture hardware designs into a language

HW/SW Codesign GEZEL ECE 495/595 GEZEL: Basics We will capture hardware designs into a language called GEZEL Cycle-Based Bit-Parallel HW Single-clock cycle digital logic design is called synchronous design We first describe variables used in

333 views • 18 slides
Chapter 16 Network Flow V - Min-cost flow CS 573: Algorithms, Fall 2013 October 22, 2013 16.1

Chapter 16 Network Flow V - Min-cost flow CS 573: Algorithms, Fall 2013 October 22, 2013 16.1

Chapter 16 Network Flow V - Min-cost flow CS 573: Algorithms, Fall 2013 October 22, 2013 16.1 Minimum Average Cost Cycle 16.1.0.1 Minimum Average Cost Cycle (A) G = ( V , E ): a digraph , n vertices, m edges. (B) : E I R weight on the

711 views • 7 slides
Right-angled Coxeter groups commensurable to right-angled Artin groups Ivan Levcovitz (Technion)

Right-angled Coxeter groups commensurable to right-angled Artin groups Ivan Levcovitz (Technion)

Right-angled Coxeter groups commensurable to right-angled Artin groups Ivan Levcovitz (Technion) joint with Pallavi Dani (LSU) RAAGs and RACGs a finite simplicial graph with vertex set S and edge set E RAAGs and RACGs a finite simplicial

976 views • 86 slides
About the CRT method to compute class Sminaire LFANT 10/05/2012 (Bordeaux) polynomials in

About the CRT method to compute class Sminaire LFANT 10/05/2012 (Bordeaux) polynomials in

About the CRT method to compute class Sminaire LFANT 10/05/2012 (Bordeaux) polynomials in dimension 2 Kristin Lauter 1 , Damien Robert 2 1 Microsoft Research 2 LFANT Team, IMB & INRIA Bordeaux Sud-Ouest Class polynomials Speeding up the

671 views • 31 slides

More recommend