
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities



  1. Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities • Orr Dunkelman, Achiya Bar-On, Eyal Ronen, Nathan Keller, Adi Shamir

  2. AES • AES is the best known and most widely used secret key cryptosystem • Almost all secure connections on the Internet use AES • Its security has been analyzed for more than 20 years • AES has either 10, 12, or 14 rounds depending on the key size (128, 192, 256 bits) • To date there is no known attack on full AES which is significantly faster than exhaustive search

  3. Analyzing reduced round AES • Interesting as a platform for analyzing the remaining security margins • Several lightweight cryptosystems and hash functions use 4 or 5 rounds of AES as a building block • 4-Round AES: ZORRO, LED and AEZ • 5-Round AES: WEM, Hound and ELmD

  4. Analyzing reduced round AES • There are 3 relevant parameters: Time (T), Memory (M) and Data (D) • To combine these 3 complexity measures it is common to summarize them as a single number max(T,M,D), defined as their Total Complexity

  5. Best attacks on 5 round AES • Only a few techniques led to successful attacks against 5-round AES • Table columns: Technique, Year, Complexity Max(T, D, M) • Square, 2000, 2^32 • Imp. Differential, 2001, 2^32 • Yoyo, 2017, 2^32

  6. Recent attacks on 5 rounds AES • In 2017 a new technique (the multiple-of-8 attack [GRR, EC’17]) was proposed, and in 2018 Grassi applied a special version of it (the mixture-differentials attack) to 5 round AES • However, its complexity was not better than previous attacks • In this work we improve the 20 year old record to 2^22

  7. Recent attacks on 5 rounds AES • In 2017 a new technique (the multiple-of-8 attack [GRR, EC’17]) was proposed, and in 2018 Grassi had applied a special version of it (the mixture-differentials attack) to 5 round AES • However, its complexity was not better than previous attacks

  8. Best attacks on 5 round AES - updated • Table columns: Technique, Year, Complexity Max(T, D, M) • Square, 2000, 2^32 • Imp. Differential, 2001, 2^32 • Yoyo, 2017, 2^32 • Grassi, 2018, 2^32

  9. Our new result • Breaking the 20 years old 2^32 barrier by a factor of 1000 • Table columns: Technique, Year, Complexity Max(T, D, M) • Square, 2000, 2^32 • Imp. Differential, 2001, 2^32 • Yoyo, 2017, 2^32 • Grassi, 2018, 2^32 • Our new result, 2018, 2^22

  10. AES structure • 10, 12, or 14 rounds, where each round of AES consists of: • Extra ARK operation before the first round • No Mix Column in the last round

  11. SB – SubBytes Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118913

  12. SR – ShiftRows Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118782

  13. MC – MixColumn Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118874

  14. ARK – Add Round Key Operation By User:Matt Crypto - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1118831

  15. The notation of mixtures (Grassi et al. 2017) • What is a mixture of an AES state pair (x,y)? • [Figure: pair X = (A1, B1, C1, D1), Y = (A2, B2, C2, D2) and its mixture Z = (A1, B2, C1, D2), W = (A2, B1, C2, D1); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  16. The evolution of mixtures under AES • Consider the following 4 inputs to round i • [Figure: X = (A1, B1, C1, D1), Y = (A2, B2, C2, D2), Z = (A1, B2, C1, D2), W = (A2, B1, C2, D1); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  17. The evolution of mixtures under AES • Round i after Sub Byte • [Figure: X = (A1*, B1*, C1*, D1*), Y = (A2*, B2*, C2*, D2*), Z = (A1*, B2*, C1*, D2*), W = (A2*, B1*, C2*, D1*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  18. The evolution of mixtures under AES • Round i after Shift Rows • [Figure: X = (A1*, B1*, C1*, D1*), Y = (A2*, B2*, C2*, D2*), Z = (A1*, B2*, C1*, D2*), W = (A2*, B1*, C2*, D1*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  19. The evolution of mixtures under AES • Round i after Mix Column • [Figure: X = (A1c, D1c, C1c, B1c), Y = (A2c, D2c, C2c, B2c), Z = (A1c, D2c, C1c, B2c), W = (A2c, D1c, C2c, B1c); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  20. The evolution of mixtures under AES • Round i after Add Round Key • [Figure: X = (A1c*, D1c*, C1c*, B1c*), Y = (A2c*, D2c*, C2c*, B2c*), Z = (A1c*, D2c*, C1c*, B2c*), W = (A2c*, D1c*, C2c*, B1c*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  21. The evolution of mixtures under AES • Input to round i+1 • [Figure: X = (A1c*, D1c*, C1c*, B1c*), Y = (A2c*, D2c*, C2c*, B2c*), Z = (A1c*, D2c*, C1c*, B2c*), W = (A2c*, D1c*, C2c*, B1c*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  22. The evolution of mixtures under AES • Round i+1 after Sub Byte • [Figure: X = (A1c’, D1c’, C1c’, B1c’), Y = (A2c’, D2c’, C2c’, B2c’), Z = (A1c’, D2c’, C1c’, B2c’), W = (A2c’, D1c’, C2c’, B1c’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  23. The evolution of mixtures under AES • Implies weaker property in round i+1 after Sub Byte • [Figure: states X, Y, Z, W; legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  24. The evolution of mixtures under AES • Round i+1 after Shift Row, Mix Column and ARK • [Figure: states X, Y, Z, W; legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  25. The evolution of mixtures under AES • Input to round i+2 • [Figure: states X, Y, Z, W; legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  26. Extending this property to 4 rounds • Assume states (X,Y) are equal in one of their diagonals [Figure: X and Y both hold (A, B, C, D)] • Then: [Figure: Z and W both hold (A’, B’, C’, D’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  27. Extending this property to 4 rounds • Round i+2 after Sub Byte • [Figure: X and Y both hold (A*, B*, C*, D*); Z and W both hold (A’*, B’*, C’*, D’*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  28. Extending this property to 4 rounds • Round i+2 after Shift Rows • [Figure: X and Y both hold (A*, B*, C*, D*); Z and W both hold (A’*, B’*, C’*, D’*); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  29. Extending this property to 4 rounds • Round i+2 after Mix Column • [Figure: X and Y both hold (A°, B°, C°, D°); Z and W both hold (A°’, B°’, C°’, D°’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  30. Extending this property to 4 rounds • Round i+2 after Add Round Key • [Figure: X and Y both hold (A*, B*, C*, D*); Z and W both hold (A*’, B*’, C*’, D*’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  31. Extending this property to 4 rounds • Then in the input to round i+3 we get • [Figure: X and Y both hold (A*, B*, C*, D*); Z and W both hold (A*’, B*’, C*’, D*’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  32. Extending this property to 4 rounds • Round i+3 after Sub Byte • [Figure: X and Y both hold (A^, B^, C^, D^); Z and W both hold (A^’, B^’, C^’, D^’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  33. Extending this property to 4 rounds • Round i+3 after Shift Rows and before Mix Column • [Figure: X and Y both hold (A^, B^, C^, D^); Z and W both hold (A’^, B’^, C’^, D’^); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  34. AES 4 Round Distinguisher • Last round of AES has no Mix Column • [Figure: X and Y both hold (A^, B^, C^, D^); Z and W both hold (A’^, B’^, C’^, D’^); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  35. A 5 Round AES Attack (Grassi 18) • Precede the 4 round distinguisher with an extra round before it • We encrypt all possible values of A,B,C,D [Figure: state holding A, B, C, D] • Then as input to round 1 we get: [Figure: state holding A’, B’, C’, D’] • A’, B’, C’, and D’ is a permutation of A, B, C, D which depends only on 4 key bytes • [Legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  36. A 5 Round AES Attack [Grassi 18] • We look for a “good ciphertext pair”, and get the plaintext • [Figure: X ciphertext and Y ciphertext both hold (A^, B^, C^, D^); X plaintext = (A, B, C, D), Y plaintext = (A’, B’, C’, D’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]

  37. A 5 Round AES Attack [Grassi 18] • For all 2^32 possible key bytes: partially encrypt (ARK, SB, SR, MC) • [Figure: X partial round encryption = (A*, B*, C*, D*), Y partial round encryption = (A’*, B’*, C’*, D’*); X plaintext = (A, B, C, D), Y plaintext = (A’, B’, C’, D’); legend: Equal, A Specific Value, 4 values Xor to 0, Arbitrary Value]
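
The mixture property traced on slides 16 to 25 can be checked empirically; the following is an added example, not code from the presentation. It assumes a column-major 16-byte state, A, B, C, D placed in column 0, and independent random round keys instead of the AES key schedule; all function names are illustrative.

```python
import os

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def make_sbox():  # AES S-box: field inverse, then the affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return box

SBOX = make_sbox()

def aes_round(s, rk, mix=True):  # state is column-major: index = row + 4*col
    s = [SBOX[b] for b in s]                                            # SB
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # SR
    if mix:                                                             # MC
        s = [gmul(2, s[4*c + r]) ^ gmul(3, s[4*c + (r+1) % 4])
             ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
             for c in range(4) for r in range(4)]
    return [b ^ k for b, k in zip(s, rk)]                               # ARK

def mixture_quadruple():  # X, Y differ only in column 0 = (A, B, C, D)
    x = list(os.urandom(16))
    y = list(os.urandom(4)) + x[4:]
    z, w = x[:], y[:]
    for i in (1, 3):          # Z = (A1, B2, C1, D2), W = (A2, B1, C2, D1)
        z[i], w[i] = y[i], x[i]
    return x, y, z, w

def check_mixture(trials=100):  # True if both slide properties always hold
    cols = lambda s: [tuple(s[4*c:4*c+4]) for c in range(4)]
    for _ in range(trials):
        k1, k2 = list(os.urandom(16)), list(os.urandom(16))
        x, y, z, w = (aes_round(s, k1) for s in mixture_quadruple())
        # After round i: each column of (Z, W) equals that column of (X, Y) or (Y, X).
        mixed = all((cz, cw) in ((cx, cy), (cy, cx))
                    for cx, cy, cz, cw in zip(*map(cols, (x, y, z, w))))
        # After round i+1: the four states XOR to zero in every byte.
        q = [aes_round(s, k2) for s in (x, y, z, w)]
        if not mixed or any(a ^ b ^ c ^ d for a, b, c, d in zip(*q)):
            return False
    return True
```

Since the four states XOR to zero at the input to round i+2, X ⊕ Y equals Z ⊕ W there, which is why equality of X and Y in a diagonal on slide 26 carries over to Z and W.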
