
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent (PowerPoint presentation)



  1. Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
     B. Collard, F.-X. Standaert, J.-J. Quisquater
     UCL Crypto Group, Microelectronics Laboratory, Catholic University of Louvain (UCL), Belgium
     FSE 2008
     Collard B. (UCL Crypto Group) FSE 2008 1 / 31

  2. Happy Birthday, Nathalie!

  3. Outline
     Various experimental attacks against reduced-round Serpent are presented. We used the framework proposed by Biryukov et al. at CRYPTO 2004 [2]. The purposes are the following:
     - To confirm the relevance of their theoretical approach
     - To show the practical improvements of multiple approximations
     - To observe the consequences of linear dependencies in the approximations
     - To compare the specificities of Matsui's Algorithm 1 and 2

  4. Table of contents
     1 Linear cryptanalysis
     2 Preliminary remarks
     3 Experimental attacks with Algorithm 1
     4 Experimental attacks with Algorithm 2
     5 Conclusion and further work

  5. Section 1: Linear cryptanalysis

  6. Linear cryptanalysis: Introduction
     - Initially proposed by Matsui [8] in 1993
     - Exploits a bias in the occurrence probability of a linear approximation
     - Such expressions are obtained by linear approximations of the non-linear elements of the cipher
     Linear approximation:
       $P[\chi_P] \oplus C[\chi_C] = K[\chi_K]$   (1)
     - $P$, $C$ and $K$ denote the plaintext, the ciphertext and the secret key
     - $A[\chi]$ stands for $A_{a_1} \oplus A_{a_2} \oplus \ldots \oplus A_{a_n}$; $\chi$ is usually called a mask
     - For a 'good' approximation, the equation holds with a probability significantly different from $1/2$

  7. Linear cryptanalysis: Algorithms
     Given an r-round approximation $P[\chi_P] \oplus C[\chi_C] = K[\chi_K]$ with bias $\epsilon$:
     Algorithm 1: attacks the r-round cipher by simply evaluating $P[\chi_P] \oplus C[\chi_C]$ for a sufficiently large number of plaintext-ciphertext pairs. The parity of $K[\chi_K]$ can then be guessed from the observed probability of the left-hand parity. This attack recovers one bit of key parity.
     Algorithm 2: targets the (r+1)-round cipher by partially decrypting the last round with a key guess and then evaluating the experimental bias for each guess. Several key bits can be recovered at the same time.
     In both cases, the data complexity is proportional to $1/\epsilon^2$.
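As an added illustration of Algorithm 1 (example code written for this page, not code from the talk or its authors), the following runs the attack on a constructed one-round 4-bit toy cipher, not Serpent: it builds the S-box's linear approximation table, selects the most biased input/output mask pair, counts how often P[a] ⊕ C[b] holds over the plaintext-ciphertext pairs, and reads the parity of K[χ_K] from the sign of the measured bias.

```python
# Constructed toy cipher (not Serpent): one 4-bit S-box between two subkeys,
# C = S[P ^ k0] ^ k1.  Masks are 4-bit values; A[chi] is the parity of A & chi.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x):
    """Parity (XOR of all bits) of the integer x."""
    return bin(x).count("1") & 1


def sbox_bias(a, b):
    """Bias eps of the approximation X[a] ^ S(X)[b] = 0 over all 16 inputs
    (one entry of the linear approximation table, divided by 16)."""
    hits = sum(parity(x & a) == parity(SBOX[x] & b) for x in range(16))
    return (hits - 8) / 16


def best_approximation():
    """Search the LAT for the non-trivial (a, b) pair with the largest |eps|."""
    return max(((a, b) for a in range(1, 16) for b in range(1, 16)),
               key=lambda ab: abs(sbox_bias(*ab)))


def encrypt(p, k0, k1):
    return SBOX[p ^ k0] ^ k1


def algorithm1(pairs, a, b, eps):
    """Matsui's Algorithm 1: count T = #{(P, C) : P[a] ^ C[b] = 0}.
    P[a] ^ C[b] = X[a] ^ S(X)[b] ^ K[chi_K] with X = P ^ k0, so the measured
    bias has the sign of eps when K[chi_K] = 0 and the opposite sign when
    K[chi_K] = 1.  About 1/eps^2 pairs are needed for the sign to be reliable;
    the caller below simply uses all 16 plaintexts of the toy cipher."""
    t = sum(parity(p & a) == parity(c & b) for p, c in pairs)
    exp_bias = (t - len(pairs) / 2) / len(pairs)
    return (0 if (exp_bias > 0) == (eps > 0) else 1), exp_bias


def recover_key_parity(k0, k1):
    """Run the attack and return (guessed, true) value of the single key
    parity bit K[chi_K] = k0[a] ^ k1[b] that Algorithm 1 recovers."""
    a, b = best_approximation()
    eps = sbox_bias(a, b)
    pairs = [(p, encrypt(p, k0, k1)) for p in range(16)]
    guess, _ = algorithm1(pairs, a, b, eps)
    return guess, parity(k0 & a) ^ parity(k1 & b)
```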

  8. Linear cryptanalysis: Multiple linear cryptanalysis
     - Improves cryptanalysis by using multiple approximations
     - Introduced by Kaliski and Robshaw [5] in 1994
     - Improved by Biryukov et al. [2] in 2004
     - Defines the capacity as $c^2 = 4 \cdot \sum_{i=1}^{n} \epsilon_i^2$
     ⇒ Decreases the data complexity to $O(1/c^2)$

  9. Multiple linear cryptanalysis: Theoretical framework
     Given $m$ approximations on $r$ rounds:
       $P[\chi_P^i] \oplus C[\chi_C^i] = K[\chi_K^i] \quad (1 \le i \le m)$   (2)
     We want to determine the value of the vector of parities:
       $Z = (z_1, z_2, \ldots, z_m) = (K[\chi_K^1], K[\chi_K^2], \ldots, K[\chi_K^m])$   (3)
     - Define a counter $T_i$ for approximation $i$; $T_i$ is incremented when the approximation is verified for a plaintext-ciphertext pair
     - The experimental biases $\epsilon_i^*$ are evaluated as $(T_i - N/2)/N$
     - A sorted list of the parity vector candidates is built according to the distance between theoretical and experimental biases
     - The remaining unknown key bits are guessed by exhaustive search

 10. Linear cryptanalysis: Gain
     Definition (Gain): if an attack is used to recover an $n$-bit key and is expected to return the correct key after having checked $M$ candidates on average, then the gain of the attack, expressed in bits, is defined as:
       $\gamma = -\log_2 \frac{2 \cdot M - 1}{2^n}$   (4)
     Intuitively, the gain is a measure of the remaining key candidates to test after the cryptanalysis has been performed. This gain is determined by the position of the correct vector of parities in the weighted list of candidates obtained during the analysis phase.

 11. Section 2: Preliminary remarks

 12. Preliminary remarks: The cipher Serpent
     Serpent
     - AES candidate, rated second behind Rijndael
     - Designed by Anderson, Biham and Knudsen [1]
     - Conservative design
     Architecture
     - Substitution-Permutation Network (SPN)
     - Composed of 32 rounds
     - For each round: a subkey addition, a passage through S-boxes, a linear transformation
     Best known attack
     - Linear-differential cryptanalysis on 11 rounds (Biham et al. [12])

 13. Preliminary remarks: Experiments with a single approximation
     Evolution of the experimental bias according to the data complexity:
     - We used a 4-round linear approximation with a bias of $2^{-12}$
     - We evaluated the experimental bias with up to $16 \cdot 2^{24}$ texts
     - The bias becomes stable after about $8/\epsilon^2$ texts
     - The underestimated theoretical bias suggests that the linear hull effect [4] is not negligible

 14. Preliminary remarks: Experiments with 64 approximations
     Evolution of the experimental biases according to the data complexity:
     - We used 64 4-round linear approximations with various biases
     - We evaluated the experimental biases with up to $1500 \cdot 2^{24}$ texts
     - The approximations separate into two groups according to the sign of their bias
     - Each approximation provides some information about the key

 15. Section 3: Experimental attacks with Algorithm 1

 16. Experimental attacks with Algorithm 1: Selection of the approximations
     Linear approximation search
     - Generation of the approximations is computationally demanding
     - A branch-and-bound algorithm was proposed by Matsui [10]
     - We used a modified heuristic [3]
     Selection of the approximations
     - With Algorithm 1, an adversary recovers linear combinations of subkey bits
     - This drawback can be partially relaxed using multiple approximations: the best linear approximation found is selected; then only the input/output masks of the linear trail are modified; finally, by carefully choosing the linear dependencies, the adversary ends up with exploitable information on the cipher key
     - As the linear trail is the same for all the approximations except in the input/output, the adversary can easily recover first/last subkey bits

 17. Experimental attacks with Algorithm 1: Attack results
     Evolution of the distance between theoretical and experimental biases:
     - We used 64 4-round linear approximations with various biases
     - Between $2/c^2$ and $128/c^2$ texts were used
     - Attack results improve with the number of texts
     - A regular structure underlines the impact of the Hamming distance

 18. Experimental attacks with Algorithm 1: Attack results
     Same experiment using $4096/c^2$ texts:
     - 10 parity bits $K[\chi_K^i]$ have to be guessed
     - The regular structure is even more remarkable

 19. Experimental attacks with Algorithm 1: Attack results
     Gain of three attacks with respectively 1, 10 and 64 approximations:
     - Only 10 of the approximations are linearly independent
     - The gain with 64 approximations increases ≃ 8 times faster than with 10 approximations
     - The graph shows no influence of the linear dependencies

 20. Experimental attacks with Algorithm 1: Gain vs. success rate
     Definition (success rate): the success rate of an attack using $n$ approximations is the percentage of parity bits guessed correctly among the $n$ parities, when they are chosen so as to minimize the distance between experimental and theoretical biases.
     Rationale
     - Unlike the gain, the success rate does not take the linear dependencies into account
     - Comparing the two allows one to determine the advantage of multiple approximations

 21. Experimental attacks with Algorithm 1: Gain vs. success rate
     Error-correcting code effect:
     - Using 64 approximations, only 10 of which are linearly independent
     - The gain increases much faster than the success rate
     - This is a consequence of the linear dependencies in the approximations
     - The correct vector of parities must respect these dependencies
     - This gives an efficient way to check a parity candidate: some parity candidates can be rejected a priori
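The candidate ranking and gain of slides 9 and 10, together with the a-priori dependency check of this slide, as an added worked example (example code written for this page, not from the talk or its authors; the four theoretical biases, the counters and the dependency z4 = z1 ⊕ z2 are all constructed, and the counters are chosen so that noise pushes one measured bias to the wrong sign):

```python
import math
from itertools import product

# Constructed example: four approximations with theoretical biases eps_i and
# one constructed dependency, z[3] = z[0] ^ z[1], among their key parities.
EPS = [0.05, 0.04, 0.03, 0.02]
DEPENDENCIES = [(3, (0, 1))]   # z[3] must equal z[0] ^ z[1]
N_INDEPENDENT = 3              # linearly independent parities = key bits recovered


def capacity(eps):
    """Capacity c^2 = 4 * sum(eps_i^2) of Biryukov et al."""
    return 4 * sum(e * e for e in eps)


def experimental_biases(counters, n):
    """eps*_i = (T_i - N/2) / N from the counters T_i over N texts."""
    return [(t - n / 2) / n for t in counters]


def distance(z, exp_bias, eps):
    """Squared distance between the measured biases and those predicted by the
    parity vector z (a parity of 1 flips the sign of the theoretical bias)."""
    return sum((b - (-1) ** zi * e) ** 2 for zi, b, e in zip(z, exp_bias, eps))


def consistent(z, deps):
    """A-priori check: a candidate violating a known dependency is rejected."""
    return all(z[k] == sum(z[j] for j in js) % 2 for k, js in deps)


def rank_candidates(exp_bias, eps, deps=()):
    """Sorted list of parity vectors, closest to the measurements first."""
    cands = [z for z in product((0, 1), repeat=len(eps)) if consistent(z, deps)]
    return sorted(cands, key=lambda z: distance(z, exp_bias, eps))


def gain(m_rank, n_bits):
    """gamma = -log2((2M - 1) / 2^n), M being the position of the correct key."""
    return -math.log2((2 * m_rank - 1) / 2 ** n_bits)


def attack(exp_bias, true_z, deps=()):
    """Return (position of the true parity vector in the list, gain in bits)."""
    m_rank = rank_candidates(exp_bias, EPS, deps).index(tuple(true_z)) + 1
    return m_rank, gain(m_rank, N_INDEPENDENT)


# Constructed counters for N = 2^20 texts, encoding measured biases of about
# (-0.045, +0.035, -0.025, +0.005) for the true parities (1, 0, 1, 1).
N_TEXTS = 1 << 20
COUNTERS = [N_TEXTS // 2 + round(b * N_TEXTS)
            for b in (-0.045, 0.035, -0.025, 0.005)]
TRUE_Z = (1, 0, 1, 1)          # respects the dependency: 1 ^ 0 = 1
```

With these values the closest candidate is (1, 0, 1, 0), which violates the dependency and is discarded, so `attack(experimental_biases(COUNTERS, N_TEXTS), TRUE_Z)` places the true vector second (gain log2(8/3) bits) while the same call with `DEPENDENCIES` places it first (gain 3 bits).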
