Improved Attacks on Full GOST


  1. Improved Attacks on Full GOST
     Itai Dinur (1), Orr Dunkelman (1,2) and Adi Shamir (1)
     (1) The Weizmann Institute, Israel; (2) University of Haifa, Israel

  2. GOST
     • Designed by Soviet cryptographers in the 1980s
     • Motivated by the desire to construct an alternative to DES
     • Declassified in 1994

  3. Design philosophy
     • Like DES, a Feistel structure over 64-bit blocks
     • Use simpler components compared to DES
     • Try to get higher security
     • DES uses 56 bits of key and 16 rounds
     • GOST uses 256 bits of key and 32 rounds
     • Does not specify the Sboxes

  4. One Round of GOST

  5. The Key Schedule
     • Break the 256-bit key into 8 subkeys of 32 bits
     • In the first 24 rounds the keys are used in their cyclic order
     • In the final 8 rounds the round keys are used in reverse order
     • Perhaps to avoid slide attacks
     K1, K2, …, K8, K1, K2, …, K8, K1, K2, …, K8, K8, K7, …, K1

  6. Previous Single Key Attacks
     • In 2011 Isobe published the first single key attack on full GOST
     • Data 2^32, Time 2^224, Memory 2^64
     • Based on the reflection self-similarity property of GOST (Kara 2008)
     • Uses a meet-in-the-middle attack
     • Requires invertible Sboxes
     • Several attacks were later published by Courtois
     • Their complexity was evaluated for the Sboxes used by Russian banks
     • It is expected that the attacks have similar complexities for other choices of Sboxes (C’12)

  7. Self-Similarity Properties Used in Our Attacks
     • The reflection property (Kara 2008)
     • A new fixed point property (independently discovered by Courtois ’11)
     • Reduce attacking 32-round GOST to attacking 8-round GOST given 2 input-output pairs

  8. The Reflection Property (Kara 2008)
     • Requires about 2^32 known plaintext-ciphertext pairs
     • Guess the 64-bit value X
     • Altogether, apply the 8-round attack 2^96 times
     • We have another “half pair” since we know that the two sides of Y are equal
     • We do not know how to efficiently exploit this information
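
The reflection property in working form, as an added example that is not part of the slides: a GOST-structured Feistel with the key schedule of slide 5, showing that when the state after 24 rounds has two equal halves, rounds 25-32 undo rounds 17-24. The S-boxes, key, the value `a` and the omission of a final swap are assumptions of this sketch; the code builds such a plaintext directly rather than searching the roughly 2^32 known plaintexts.

```python
MASK = 0xFFFFFFFF
# Constructed 4-bit S-boxes for illustration only; GOST does not specify them.
SBOX = [[(5 * x + 3 * i + 1) % 16 for x in range(16)] for i in range(8)]

def f(x, k):
    """GOST round function: add subkey mod 2^32, eight S-boxes, rotate left 11."""
    t = (x + k) & MASK
    s = sum(SBOX[i][(t >> (4 * i)) & 0xF] << (4 * i) for i in range(8))
    return ((s << 11) | (s >> 21)) & MASK

def rounds(state, subkeys):
    """Apply one Feistel round per subkey: (L, R) -> (R, L xor f(R, k))."""
    left, right = state
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return left, right

def swap(state):
    return state[1], state[0]

def inverse_rounds(state, subkeys):
    # Inverting Feistel rounds = swap, run with reversed subkeys, swap.
    return swap(rounds(swap(state), subkeys[::-1]))

def encrypt(plain, key):
    # K1..K8 three times, then K8..K1 (no final swap in this sketch).
    return rounds(plain, key * 3 + key[::-1])

def reflection_demo(key, a):
    """Build a plaintext whose state after 24 rounds is (a, a)."""
    plain = inverse_rounds((a, a), key * 3)
    x = rounds(plain, key)        # state after 8 rounds: the guessed value X
    s16 = rounds(x, key)          # state after 16 rounds
    return plain, x, s16, encrypt(plain, key)

KEY = [(0x01234567 * (i + 1)) & MASK for i in range(8)]  # constructed key
plain, x, s16, cipher = reflection_demo(KEY, 0xDEADBEEF)
# The ciphertext is the swapped 16-round state, so (plain, X) and
# (X, swap(cipher)) are two input-output pairs for the same 8 rounds.
print(cipher == swap(s16), rounds(x, KEY) == swap(cipher))
```
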

  9. The Fixed-Point Property (independently discovered by Courtois ’11)
     • Requires about 2^64 known plaintext-ciphertext pairs (the full codebook)
     • Apply the 8-round attack 2^64 times
     • Given c·2^64 known plaintexts for c<1, this fixed point occurs with probability c
     • The success probability is reduced by c

  10. Given Two 8-Round Input-Output Pairs
     • 128-bit constraint
     • The 8-round attacks leave 2^(256-128) = 2^128 keys
     • Need to test the remaining 2^128 keys
     • The time complexity of the 8-round attacks is at least 2^128

  11. 8-Round Attacks
     • A basic meet-in-the-middle (MITM) attack
     • Time 2^128, memory 2^128
     • A more efficient MITM attack
     • Time 2^128, memory 2^64
     • A variant of Isobe’s attack
     • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s
     • A new low-memory attack
     • Time 2^140, memory 2^19
     • A new 2-dimensional meet-in-the-middle (2DMITM) attack
     • Time 2^128, memory 2^36

  12. Attacks on Full GOST
     • Select one of the two self-similarity properties for the outer loop:
     • If we have 2^64 data, select the fixed point property
     • If we have 2^32 data, select the reflection property
     • Select one of last two 8-round attacks:
     • If we have 2^36 memory, select the 2DMITM attack
     • If we have 2^19 memory (fits cache), select the low-memory attack
     • Altogether we obtain 4 attacks on full GOST

  13. Attacks on Full GOST
     [Figure: plot of LOG(T) (ticks 192, 204, 224, 236, 256) against LOG(M) (ticks 0, 19, 36, 64), with curves labeled 2^32 data and 2^64 data and points labeled I’11 and C’11.]

  14. 8-Round Attacks
     • A basic meet-in-the-middle (MITM) attack
     • Time 2^128, memory 2^128
     • A more efficient MITM attack
     • Time 2^128, memory 2^64
     • A variant of Isobe’s attack
     • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s
     • A new low-memory attack
     • Time 2^140, memory 2^19
     • A new 2-dimensional meet-in-the-middle attack
     • Time 2^128, memory 2^36

  15. A Basic MITM Attack
     [Diagram: I, I* -> K1-K4 -> Y, Y* -> K5-K8 -> O, O*]
     • For each 128-bit value of K1-K4
     • Partially encrypt I and I*, and store the 128-bit suggestions for Y and Y* in a sorted list
     • For each 128-bit value of K5-K8
     • Partially decrypt O and O*, and look for matches in the list
     • For each match test the full key
     • Time 2^128, memory 2^128
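
The basic MITM procedure above on a scaled-down cipher, as an added example that is not part of the slides: an 8-round Feistel with 8-bit halves and 3-bit subkeys, so each half of the key has only 2^12 values. The toy round function, S-box, secret key and plaintexts are constructed for the sketch, and a hash table stands in for the sorted list.

```python
from itertools import product

# Constructed 4-bit S-box and toy parameters (GOST uses 32-bit subkeys).
S = [3, 14, 1, 10, 4, 9, 5, 6, 8, 11, 15, 2, 13, 12, 0, 7]
KEY_BITS = 3

def f(x, k):
    """Toy round function: add subkey mod 2^8, two S-boxes, rotate left 3."""
    t = (x + k) & 0xFF
    s = S[t & 0xF] | (S[t >> 4] << 4)
    return ((s << 3) | (s >> 5)) & 0xFF

def rounds(state, subkeys):
    left, right = state
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return left, right

def unrounds(state, subkeys):
    left, right = state
    for k in reversed(subkeys):
        left, right = right ^ f(left, k), left
    return left, right

def basic_mitm(pair, pair_star):
    """Return every 8-subkey tuple consistent with both input-output pairs."""
    (i, o), (i_s, o_s) = pair, pair_star
    half_keys = list(product(range(1 << KEY_BITS), repeat=4))
    table = {}
    for top in half_keys:      # K1-K4: encrypt I, I* forward to Y, Y*
        table.setdefault((rounds(i, top), rounds(i_s, top)), []).append(top)
    found = []
    for bottom in half_keys:   # K5-K8: decrypt O, O* back to Y, Y*
        mid = (unrounds(o, bottom), unrounds(o_s, bottom))
        found += [top + bottom for top in table.get(mid, [])]
    return found

SECRET = (5, 1, 7, 2, 0, 6, 3, 4)   # constructed key K1..K8
PAIRS = [(p, rounds(p, SECRET)) for p in [(0x12, 0x34), (0xAB, 0xCD)]]
candidates = basic_mitm(*PAIRS)
print(len(candidates), SECRET in candidates)
```

Here two pairs give a 32-bit constraint on a 24-bit key, so few wrong candidates survive; in the 8-round GOST setting of slide 10 the same constraint leaves 2^128 keys to test.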

  16. 8-Round Attacks
     • A basic meet-in-the-middle (MITM) attack
     • Time 2^128, memory 2^128
     • A more efficient MITM attack
     • Time 2^128, memory 2^64
     • A variant of Isobe’s attack
     • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s
     • A new low-memory attack
     • Time 2^140, memory 2^19
     • A new 2-dimensional meet-in-the-middle attack
     • Time 2^128, memory 2^36

  17. A More Efficient MITM attack
     [Diagram: I, I* -> K1-K4 -> Y, Y* -> K5-K8 -> O, O*]
     • For each 64-bit value of Y
     • Use a 4-round attack to obtain suggestions for K1-K4 given (I, Y) in time 2^64
     • Independently obtain suggestions for K5-K8 given (Y, O)
     • Store the suggestions in two lists of size 2^(128-64) = 2^64
     • Perform a basic MITM attack on (I*, O*) using the keys stored in the lists
     • Time 2^64 · 2^64 = 2^128, memory 2^64

  18. A More Efficient MITM attack: The 4-Round Attack
     [Diagram: I -> K1-K4 -> Y -> K5-K8 -> O]
     • Given (I, Y) perform a basic MITM attack to obtain 2^64 suggestions for K1-K4
     • Repeat independently for K5-K8

  19. 8-Round Attacks
     • A basic meet-in-the-middle (MITM) attack
     • Time 2^128, memory 2^128
     • A more efficient MITM attack
     • Time 2^128, memory 2^64
     • A variant of Isobe’s attack
     • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s
     • A new low-memory attack
     • Time 2^140, memory 2^19
     • A new 2-dimensional meet-in-the-middle attack
     • Time 2^128, memory 2^36

  20. The Low Memory Attack
     [Diagram: I, I* -> K1-K4 -> Y, Y* -> K5-K8 -> O, O*]
     • For each 128-bit value of K5-K8
     • Partially decrypt O and O* and obtain two 4-round input-output pairs (I, Y) and (I*, Y*)
     • Execute a 4-round “Guess and Determine” routine to obtain suggestions for the (expected number of) 2^(128-128) = 1 key

  21. The 4-Round “Guess and Determine” Routine
     • Exploits the slow diffusion of the key into the state
     • Traverse a layered tree of partial guesses for K1-K4
     • The nodes in each layer specify guesses for a certain subset of the key bits
     • The nodes of the last layer contain guesses for K1-K4

  22. The 4-Round “Guess and Determine” Routine
     • Expand a node by guessing the values of a small number of additional key bits
     • Calculate intermediate encryption bits from both sides of the block cipher
     • Discard nodes for which the values do not match

  23. The Size of the Tree
     • The time complexity is proportional to the number of nodes
     • Minimize the number of nodes by guessing the smallest number of bits in each layer
     • Use DFS to minimize memory complexity

  24. The “Guess and Determine” Routine: S-GOST
     [Diagram labels: S1, K1, S4, 12, K2]
     • A simplified version of GOST
     • The layer procedure: work on 4-bit chunks
     • Discard wrong key guesses by evaluating 4 state bits from both sides
     • The procedure of each layer is basically the same and is called an iteration
     • 8 iterations to recover the key

  25. The “Guess and Determine” Procedure: Real GOST
     [Diagram labels: S1, S2, K1, S4, S5, K2]
     • Guess additional carry and state bits
     • The iterations are performed in their natural order
     • Guess carries only in the first iteration
     • In the remaining iterations they are known
     • We pay for state bit guesses only in the first iteration

  26. The Low Memory Attack: Complexity Analysis
     • The “Guess and Determine” routine
     • Time 2^12, memory 2^19 (using tables computed once and for all)
     • The low memory attack
     • Time 2^128 · 2^12 = 2^140, memory 2^19

  27. 8-Round Attacks
     • A basic meet-in-the-middle (MITM) attack
     • Time 2^128, memory 2^128
     • A more efficient MITM attack
     • Time 2^128, memory 2^64
     • A variant of Isobe’s attack
     • Combined with the reflection property, gives an attack on full GOST with the same parameters as Isobe’s
     • A new low-memory attack
     • Time 2^140, memory 2^19
     • A new 2-dimensional meet-in-the-middle attack
     • Time 2^128, memory 2^36

  28. The 2-Dimensional Meet-in-the-Middle Attack (2DMITM)
     [Diagram: I, I* -> K1-K4 (top part) -> Y, Y* -> K5-K8 (bottom part) -> O, O*]
     • Exploit slow avalanche of state bits
     • Do not guess K5-K8 in advance
     • Run 4 out of 8 iterations of the “Guess and Determine” attack with knowledge of 82 out of 128 bits of Y and Y*

  29. The 2-Dimensional Meet-in-the-Middle Attack
     [Diagram: Top MITM (K1-K4), Y, Y*, Bottom MITM (K5-K8)]
     • Split each “Guess and Determine” attack into two partial 4-round attacks
     • Run each attack for all possible values of Y and Y* it requires (2^82 times)
     • Run MITM attacks to combine the suggestions of the partial attacks to suggestions for the 4-round keys

  30. The 2-Dimensional Meet-in-the-Middle Attack
     [Diagram: Top MITM (K1-K4), Y, Y*, Joint MITM, Bottom MITM (K5-K8)]
     • Join the values suggested by the top and bottom parts to obtain suggestions for the full key using a final MITM attack
     • We did not filter any keys in the top and bottom 4-round attacks
     • The attack requires 2^128 memory
     • The partial 4-round attacks take at most 2^18 time and are executed 2^82 times
