key recovery attacks on keccak based constructions
play

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint - PowerPoint PPT Presentation

Dec 23, 2022 •13 likes •603 views

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41 Outlines 1

  1. Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41

  2. Outlines 1 Introduction 2 Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 2 / 41

  3. Introduction Outline 1 Introduction Keyed Keccak Constructions Our Work 2 Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 3 / 41

  4. Introduction Its relatives Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song Permutation: Xoodoo Pseudorandom function: Kravatte Authenticated encrytion: Keyak , Ketje Keccak under keyed modes: KMAC , Keccak -MAC Keyed Keccak Constructions Selected as SHA-3 standard Gilles Van Assche Designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Permutation-based hash function Keccak 3 / 41 Underlying permutation: Keccak - p [1600 , 24]

  5. Introduction state bits Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song http://www.iacr.org/authors/tikz/ Row Lane Column Slice 4 / 41 Keyed Keccak Constructions steps: each round R consists of fjve b of Keccak - p [ b , n r ] Permutation b bits: seen as a 5 × 5 array 25 -bit lanes, A [ x , y ] n r rounds R = ι ◦ χ ◦ π ◦ ρ ◦ θ χ : S-box on each row π, ρ : change the position of

  6. Introduction Keyed Keccak Constructions http://keccak.noekeon.org/ The Column Parity kernel Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 5 / 41 Keccak - p Round Function: θ θ step: adding two columns to the current bit C [ x ] = A [ x , 0 ] ⊕ A [ x , 1 ] ⊕ A [ x , 2 ] ⊕ A [ x , 3 ] ⊕ A [ x , 4 ] D [ x ] = C [ x − 1 ] ⊕ ( C [ x + 1 ] ≪ 1 ) A [ x , y ] = A [ x , y ] ⊕ D [ x ] If C [ x ] = 0 , 0 ≤ x < 5, then the state A is in the CP kernel.

  7. Introduction 2,4 0,2 0,3 0,4 1,0 1,1 1,2 1,3 1,4 2,0 2,1 2,2 2,3 3,0 0,0 3,1 3,2 3,3 3,4 4,0 4,1 4,2 4,3 4,4 Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 0,1 4,0 Keyed Keccak Constructions 2,3 http://keccak.noekeon.org/ 0,4 0,3 0,2 0,1 0,0 1,4 1,3 1,2 1,1 1,0 2,4 2,2 3,1 4,1 4,2 4,3 4,4 3,0 3,2 3,3 3,4 2,0 2,1 6 / 41 Keccak - p Round Function: ρ, π ρ step: lane level rotations, A [ x , y ] = A [ x , y ] ≪ r [ x , y ] π step: permutation on lanes, A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ] π

  8. Introduction Keyed Keccak Constructions Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song The algebraic degree of n rounds is 2 n . Nonlinear term: product of two adjacent bits in a row. 7 / 41 Keccak - p Round Function: χ χ step: 5-bit S-boxes, nonlinear operation on rows x 0 x 1 x 2 x 3 x 4 y 0 = x 0 + ( x 1 + 1 ) · x 2 , y 1 = x 1 + ( x 2 + 1 ) · x 3 , y 2 = x 2 + ( x 3 + 1 ) · x 4 , y 3 = x 3 + ( x 4 + 1 ) · x 0 , y 4 = x 4 + ( x 0 + 1 ) · x 1 . y 0 y 1 y 2 y 3 y 4

  9. Introduction Keyed Keccak Constructions Sponge construction [BDPV11] b -bit permutation f Keccak -MAC Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 8 / 41 Keccak : Keccak - p [1600 , 24] + Sponge Two parameters: bitrate r , capacity c , and b = r + c . Take K || M as input

  10. Introduction KMAC Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song Ketje Keyak Keyed Keccak Constructions 9 / 41 Keyed Keccak Constructions output N || S M || L ||00 K ⌊⋅⌋ L pad pad pad r 0 f f f f f ... c 0 absorbing squeezing σ 0 σ 1 K ||Nonce K ||Nonce σ 0 σ j Z 0 M 0 M 0 Z 0 ⌊⋅⌋ ρ pad pad pad pad pad r r ... ... ... ... ... ... ... ... 0 f f f 0 f 0 f 1 f 1 f 1

  11. Introduction Solve the open problem of “Full State Keyed Duplex (Sponge)” Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Ketje and Keccak-MAC so far Our Work Best key recovery attacks on round-reduced KMAC , Keyak , types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 41 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  12. Introduction Solve the open problem of “Full State Keyed Duplex (Sponge)” Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Ketje and Keccak-MAC so far Our Work Best key recovery attacks on round-reduced KMAC , Keyak , types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 41 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  13. Introduction Solve the open problem of “Full State Keyed Duplex (Sponge)” Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Ketje and Keccak-MAC so far Our Work Best key recovery attacks on round-reduced KMAC , Keyak , types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 41 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  14. Introduction Solve the open problem of “Full State Keyed Duplex (Sponge)” Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song Cube Attacks on Keccak-based Constructions . To appear in ASIACRYPT 2018 Ling Song, Jian Guo, Danping Shi, San Ling: New MILP Modeling: Improved Conditional MILP . IACR Transactions on Symmetric Cryptology, 2018(3), 182-214. Ling Song, Jian Guo: Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using Ketje and Keccak-MAC so far Our Work Best key recovery attacks on round-reduced KMAC , Keyak , types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 11 / 41 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  15. Cube Attacks Outline 1 Introduction 2 Cube Attacks auxCube conCube 3 MILP Model for Searching Cubes 4 Main Results Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 12 / 41

  16. Cube Attacks The the cube sum is exactly Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song Cube Attacks [DS09] (Higher Order Difgerential Cryptanalysis) 12 / 41 q contains terms that are not divisible by t I Given a Boolean polynomial f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) and a monomial t I = v i 1 ... v i d , I = { v i 1 , ..., v i d } , f can be written as f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) = t I · p S I + q p S I is called the superpoly of I in f v i 1 , ..., v i d are called cube variables. d is the dimension. ∑ f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) = p S I ( v i 1 ,..., v id ) ∈ C I Cube attacks: p S I is a linear polynomial in key bits. Cube testers: distinguish p S I from a random function. If deg ( f ) < d , p S I = 0

  17. Cube Attacks auxCube Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song the cipher to obtain the cube sum; look up the table to 10110... 11...11 ... ... 11010... 00...01 01011... 00...00 Cube sum Renamed auxCube Cube-Attack-Like Cryptanalysis [DMP+15] 13 / 41 Idea: do not recover the exact linear p S I but try to limit the number ( n i ) of key bits involved in p S I using n a auxiliary variables. Preprocessing phase Build a lookup table. The complexity is 2 n i + d . n i key bits Online phase Guess the value of n a auxiliary variables and then query recover the n i key bits. The complexity is 2 n a + d .

  18. Find balanced attacks where n i and n a are close and as small as Cube Attacks avoiding adjacent cube variables. Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song possible. (low complexity). 2 (attack more rounds). 1 -dimensional cubes where n is as large as possible; Find 2 n 1 Task of the MILP Model The algebraic degree of n rounds is 2 n . Linearize the fjrst round by auxCube auxCube On Keccak 14 / 41 k 0 k 1 v a v i ρ, π θ i d = 64, n a = 64, n i = 64,

  19. Cube Attacks auxCube Milano, Italy Key-Recovery Attacks on Keccak-Based Constructions Ling Song possible. (low complexity). 2 (attack more rounds). 1 Task of the MILP Model avoiding adjacent cube variables. The algebraic degree of n rounds is 2 n . Linearize the fjrst round by auxCube On Keccak 14 / 41 k 0 k 1 v a v i ρ, π θ i d = 64, n a = 64, n i = 64, Find 2 n − 1 -dimensional cubes where n is as large as possible; Find balanced attacks where n i and n a are close and as small as

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

569 views • 39 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Estonian Theory Days, Koke, Estonia Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa Helsinki University of Technology, Finland Guilin Wang and Feng Bao Institute of Infocomm Research, Singapore Koke,

732 views • 37 slides
New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery

New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery

New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery from Fourier -like measurements with applications to fast Johnson-Lindenstrauss transforms , etc. Jelani Nelson, Eric Price, and Mary Wootters February

394 views • 24 slides
Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4

2.17k views • 147 slides
The Wisdom of Crowds: attacks and optimal constructions George Danezis 1 Claudia Diaz 2 asper 2

The Wisdom of Crowds: attacks and optimal constructions George Danezis 1 Claudia Diaz 2 asper 2

Outline Anonymous Peer-to-Peer Routing via Crowds The Always Down-or-Up Scheme (ESORICS 08) Optimality of Crowds The Wisdom of Crowds: attacks and optimal constructions George Danezis 1 Claudia Diaz 2 asper 2 Emilia K Carmela Troncoso 2 1

357 views • 15 slides
Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery

Improved Constructions of PRFs Secure Against Related-Key Attacks Kevin Lewi Hart Montgomery Ananth Raghunathan Stanford University Pseudorandom Functions (PRFs) x { 0 , 1 } R k K x k PRF PRF( k , x ) x Rand Rand(

565 views • 23 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . .

Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . .

. .. . .. . . .. . . .. . . .. . . . .. . .. . . .. . . .. . Permutation-based symmetric cryptography and Keccak Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . . . .. .

695 views • 52 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Axiomatizing Consciousness with applications Henk Barendregt Antonino Raffone Faculty of

Axiomatizing Consciousness with applications Henk Barendregt Antonino Raffone Faculty of

Axiomatizing Consciousness with applications Henk Barendregt Antonino Raffone Faculty of Science Faculty of Psychology Radboud University Sapienza University Nijmegen, The Netherlands Rome, Italy 1. Overview

794 views • 20 slides
GLM for fMRI data analysis Lab Exercise 1 March 19, 2015 Medical Image Processing Lab Medical

GLM for fMRI data analysis Lab Exercise 1 March 19, 2015 Medical Image Processing Lab Medical

AUDIO 1st level Getting Started The Batch Interface GLM for fMRI data analysis Lab Exercise 1 March 19, 2015 Medical Image Processing Lab Medical Image Processing Lab GLM for fMRI data analysis AUDIO 1st level Getting Started The Batch

482 views • 26 slides
Clinico-Pathological Conference Bollen- None Larimer- None Andrew W. Bollen DVM, MD Professor

Clinico-Pathological Conference Bollen- None Larimer- None Andrew W. Bollen DVM, MD Professor

2/13/2015 Disclosures Betjemann- None Clinico-Pathological Conference Bollen- None Larimer- None Andrew W. Bollen DVM, MD Professor of Pathology, UCSF John Betjemann MD Assistant Professor of Neurology, UCSF Phil Larimer MD, PhD Neurology

446 views • 21 slides
Case study: Bulgarias environment policy before and after joining the EU 2015 Plamena

Case study: Bulgarias environment policy before and after joining the EU 2015 Plamena

Case study: Bulgarias environment policy before and after joining the EU 2015 Plamena Borisova EAP CSF WG3 Environment, climate change and energy security Chronology of Bulgaria's accession to EU 1995 - 2004 2007 1990 National

501 views • 32 slides
Please feel free to include these slides in your own material, or modify them as you see fit. If

Please feel free to include these slides in your own material, or modify them as you see fit. If

S OCIAL M EDIA M INING Introduction Dear instructors/users of these slides: Please feel free to include these slides in your own material, or modify them as you see fit. If you decide to incorporate these slides into your presentations, please

379 views • 35 slides
Core Extensional Mathematics and Local Constructive Set Theory in honor of the 60th birthday of

Core Extensional Mathematics and Local Constructive Set Theory in honor of the 60th birthday of

Core Extensional Mathematics and Local Constructive Set Theory in honor of the 60th birthday of Giovanni Sambin Advances in Constructive Topology and Logical Foundations, Padua, October 2008 . Peter Aczel petera@cs.man.ac.uk Manchester

770 views • 17 slides
A very short, sketchy, introduction to A very short, sketchy, introduction to Bioconductor

A very short, sketchy, introduction to A very short, sketchy, introduction to Bioconductor

A very short, sketchy, introduction to A very short, sketchy, introduction to Bioconductor Bioconductor Abhijit Dasgupta Abhijit Dasgupta Fall, 2019 Fall, 2019 1 BIOF339, Fall, 2019 Bioconductor Bioconductor provides tools for the

612 views • 50 slides
LREC/ZREC YEAR 3 RFP Bidder Meeting May 5, 2014 1 Program Overview CL&amp;P Christie Bradway

LREC/ZREC YEAR 3 RFP Bidder Meeting May 5, 2014 1 Program Overview CL&amp;P Christie Bradway

LREC/ZREC YEAR 3 RFP Bidder Meeting May 5, 2014 1 Program Overview CL&amp;P Christie Bradway Denae Corcoran Laura Stilwell UI Gary Zielanski 2 Standard Contract is the Controlling Document In the event of any inconsistency between the

943 views • 69 slides

More recommend