known key distinguisher on full present
play

Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas - PowerPoint PPT Presentation

Dec 02, 2023 •113 likes •434 views

Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C 1 Aalto University, Finland 2 Nanyang Technological University, Singapore 3 Shanghai Jiao

  1. Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C´ 1 Aalto University, Finland 2 Nanyang Technological University, Singapore 3 Shanghai Jiao Tong University, China CRYPTO 2015 Presented by Pierre Karpman Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  2. Introduction New Distinguisher Application to PRESENT Conclusion Outlook � Introduction � Our Known-Key Distinguisher � Application to PRESENT � Conclusion Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  3. Introduction New Distinguisher Application to PRESENT Conclusion Block Cipher Definition A block cipher E : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n is a family of efficiently invertible permutations on n -bit values, whose index is a k -bit key value. Applications in Cryptography: a fundamental primitive ◮ Encryption Scheme: ECB, CBC, CFB, OFB, CTR ◮ Message Authentication Code: EMAC, CMAC, PMAC ◮ Authenticated Encryption: GCM, OCB, EAX, CCM ◮ Hash Function: PGV schemes, MDC-2, MJH, Hirose Scheme Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  4. Introduction New Distinguisher Application to PRESENT Conclusion Security Requirement on Block Cipher A classical security notion: the indistinguishability from an ideal block cipher. Ideal Block Cipher Each permutation indexed by a key value is a random permutation. Moreover, any two permutations indexed by distinct key values are completely independent. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  5. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher Secret-key Model Open-Key Model ◮ Secret key value ◮ Public key value ◮ Impact to Encryption, MAC ◮ Impact to Hash Function ◮ Single-key attack ◮ Known-key attack ◮ Related-key attack ◮ Chosen-key attack Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  6. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher • Open-key model is more generous to adversary. • More rounds are expected to be attacked in open-key model. • For AES-128 as an example, the number of attacked rounds is Secret-key model: 7 rounds [DFJ13]; Open-key model: 10 (full) rounds [Gilbert14]. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  7. Introduction New Distinguisher Application to PRESENT Conclusion Attack Models on Block Cipher • Open-key model is more generous to adversary. • More rounds are expected to be attacked in open-key model. • For AES-128 as an example, the number of attacked rounds is Secret-key model: 7 rounds [DFJ13]; Open-key model: 10 (full) rounds [Gilbert14]. Interestingly the situation for standardized lightweight block cipher PRESENT is rather different, which motivates this research. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  8. Introduction New Distinguisher Application to PRESENT Conclusion PRESENT Cipher • ISO/IEC standard lightweight block cipher • Block size is 64 bits; Key size is 80 bits (referred to as PRESENT -80) or 128 bits (referred to as PRESENT -128). • Composed of 31 rounds: Each round consists of a round-key XOR, an Sbox layer and a simple linear bit permutation layer ⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕⊕ S 15 S 14 S 13 S 12 S 11 S 10 S 9 S 8 S 7 S 6 S 5 S 4 S 3 S 2 S 1 S 0 Figure: One round of PRESENT Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  9. Introduction New Distinguisher Application to PRESENT Conclusion Previous Analysis Results on PRESENT • Most scrutinized lightweight cipher. • Multidimensional linear attack is the most powerful one: easy-to-trace linear trails with large correlations • Link between differential property and linear correlation in [BN14]: A multidimensional linear distinguisher can be converted to a truncated differential distinguisher. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  10. Introduction New Distinguisher Application to PRESENT Conclusion Previous Analysis Results on PRESENT # rounds Version Attack Reference 16 80 differential [Wang08] 19 128 algebraic differential [AC09] 19 128 multiple differential [BN13] Secret-key Model 25 128 linear [NSZ+09] 26 80 multidimensional linear [Cho10] 26 80 truncated differential [BN14] 18 80 differential rebound [KS+12] Open-key Model 26 80 linear [LR15] 27 128 linear [LR15] Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  11. Introduction New Distinguisher Application to PRESENT Conclusion Our Results on PRESENT # rounds Version Attack Reference 16 80 differential [Wang08] 19 128 algebraic differential [AC09] 19 128 multiple differential [BN13] Secret-key Model 25 128 linear [NSZ+09] 26 80 multidimensional linear [Cho10] 26 80 truncated differential [BN14] 18 80 differential rebound [KS+12] Open-key Model 26 80 linear [LR15] 27 128 linear [LR15] 31 (full) 80/128 truncated differential Ours Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  12. Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher • Key is known to the distinguisher • Improve estimation of the security margin of block cipher • Encompass the scenario of block cipher-based hash function • The goal for an attacker: generate input/output pairs with a certain property, such that the complexity for the target block cipher is lower than the generic complexity when dealing with an ideal block cipher − target block cipher: open access to internal states to exploit structural weakness; − ideal block cipher: black-box access to encryption and decryption oracles Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  13. Introduction New Distinguisher Application to PRESENT Conclusion Our Known-Key Distinguisher Distinguishing property Find a set of N plaintexts, such that they all have the same value on s pre-determined bits and such that there is a bias on the number of collisions observed on q pre-determined bits of corresponding ciphertexts ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Block Cipher E ∗∗∗∗∗∗∗∗∗∗ 0 ∗∗∗∗∗ Figure: Our distinguisher model Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  14. Introduction New Distinguisher Application to PRESENT Conclusion Our Known-Key Distinguisher Distinguishing property Find a set of N plaintexts, such that they all have the same value on s pre-determined bits and such that there is a bias on the number of collisions observed on q pre-determined bits of corresponding ciphertexts Generic attack on an ideal block cipher: 1. Pick N random plaintexts having ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ the same values on s pre-determined bit positions Block Cipher E 2. Query them, and count the number of collisions on the q ∗∗∗∗∗∗∗∗∗∗ 0 ∗∗∗∗∗ pre-determined bit positions of corresponding ciphertexts Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  15. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  16. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] We decided to base our distinguisher on truncated differential attacks, because • it can reach the maximum number of attacked rounds • it is easier to handle than multidimensional linear attack in the known-key setting Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  17. Introduction New Distinguisher Application to PRESENT Conclusion Application to PRESENT It is important to study known-key distinguishers on PRESENT . • a natural candidate to build a lightweight hash function • DM-PRESENT and H-PRESENT in [BL+08] We decided to base our distinguisher on truncated differential attacks, because • it can reach the maximum number of attacked rounds • it is easier to handle than multidimensional linear attack in the known-key setting On the other hand, • its statistical bias is small, and a large number of plaintexts is necessary • pre- and post-adding extra differential characteristics cannot work well, since they reduce #available plaintexts. Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

  18. Introduction New Distinguisher Application to PRESENT Conclusion Overview of Our Distinguisher on PRESENT It consists of ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Λ Extension using r 0 = 7 • Meet-in-the-middle layer a MitM layer ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ • Truncated differential layer ∆ Strong truncated r 1 ≤ 24 differential distinguisher ∗∗ 0 ∗∗∗∗∗∗∗∗∗∗∗∗∗ Γ Figure: Overview of our distinguisher Known-Key Distinguisher on Full PRESENT C. Blondeau, T. Peyrin, L.Wang

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident

Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident

Full Y ear 2015 Results 15 March 2016 Disclaimer 2 The following present ations are confident ial and are being made only to, and are No st atement in this present ation is intended as a profit forecast or profit estimate only directed at ,

763 views • 30 slides
Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza

Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza

Full Abstraction for Expressiveness: Past, Present and Future Daniele Gorla Sapienza ,Universit di Roma Bertinoro, June 18 th , 2014 Overview Absolute vs Relative Expressiveness (encodings) PAST Full abstraction:

664 views • 21 slides
This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit is built I will start with the main components. This is a Full Kit 2568D/AT12 HP/2x AEB inj 4cyl. with all components. To present you how our Kit

412 views • 17 slides
A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie

A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie

A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes erie Gauthier 1 , Ayoub Otmani 1 and Jean-Pierre Tillich 2 Val GREYC - Universit e de Caen - Ensicaen SECRET Project - INRIA Rocquencourt

624 views • 43 slides
A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019 Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher

700 views • 67 slides
A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project),

A distinguisher for high-rate McEliece Cryptosystems J.C. Faug` ere (INRIA, SALSA project), Val erie Gauthier (Math. dep. Tech. Univ. of Denmark), A. Otmani (Universit e Caen- INRIA, SECRET project), L. Perret (INRIA, SALSA project),

734 views • 35 slides
Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of

Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of

Full Cost Allocation Plan and User Fee Study Results Presentation Goals t Present scope of services and study objectives t Present basic costing methodology and approach t Discuss a summary of findings and results t Questions Scope of Services t

434 views • 25 slides
Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and

Distinguisher-Dependent Simulation Dakshita Khurana Joint work with Abhishek Jain, Yael Kalai and Ron Rothblum Interactive Proofs for NP Interactive Proof (GMR85, Babai85) ? , P V accept Security Against Malicious

515 views • 35 slides
Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of

Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of

Shane Rigby LIXI CTO Presentation Summary November 2015 What to present to a room full of experts? I have joined LIXI with fresh eyes Opportunity to review LIXIs practices This is not a deeply technical presentation We speak

137 views • 11 slides
Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad

Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad

Institute for Applied Information Processing and Communications (IAIK) Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad Institute for Applied Information Processing and Communications (IAIK) Graz

741 views • 73 slides
full year results full year results full year results full full year results full year results full

full year results full year results full year results full full year results full year results full

AMP results presentation FULL YEAR RESULTS 2010 full year results full year results full year results full full year results full year results full year results full 2010 full year results Craig Dunn Chief Executive Officer Paul Leaming Chief

691 views • 24 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil & Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not

Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not

Monday, May 6, 2013, Barrows 56 Please consider staying for the full session. If that is not possible, be sure to arrive at least 10 minutes before you present. Follow the schedule; I do not announce who is next (who should be coming to the front

169 views • 3 slides
Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

| 2018 Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate Marketing 2002 - Present SEM / Ads 2003 to Present Current Jenga Digital LLC 2013 - Present Personal Born in

385 views • 20 slides
Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches

Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches

Empowering your Family: How to Improve Communication and Decrease Stress So Your Child Reaches Their Full Potential Connecting and being present with your kids starts with you being connected and present with yourself: Important to cultivate

68 views • 5 slides
CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Homework 1 Answers 4 [5 pts] Block

277 views • 12 slides
SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. Eita Kobayashi, NEC Corporation DIAC 2014 August 23, 2014, Santa Barbara, USA

557 views • 30 slides
PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken

PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken

PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken Friis Larsen Thomas Jensen University of Copenhagen and INRIA Rennes Workshop on Foundations of Computer Security June 22, 2020 Background and

149 views • 4 slides
Certification of Bounds of Non-linear Functions : the Templates Method Joint Work with B. Werner,

Certification of Bounds of Non-linear Functions : the Templates Method Joint Work with B. Werner,

Flyspeck-Like Global Optimization Classical Approach: Taylor + SOS Max-Plus Based Templates Certified Global Optimization with Certification of Bounds of Non-linear Functions : the Templates Method Joint Work with B. Werner, S. Gaubert and X.

720 views • 36 slides
Global control using a laser strainmeter for KAGRA Kouseki Miyo Sep 9, 2019, TAUP2019 at Toyama

Global control using a laser strainmeter for KAGRA Kouseki Miyo Sep 9, 2019, TAUP2019 at Toyama

Global control using a laser strainmeter for KAGRA Kouseki Miyo Sep 9, 2019, TAUP2019 at Toyama Contents 3000 m 500 m 1500 m 1000 m X arm Y arm Laser Strainmeter 1. Introduction 2. Strainmeter of KAGRA 3. Sensor Correction Technique

808 views • 22 slides
Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific Research (B), Grant

317 views • 30 slides
Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger

Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger

Your Host : Darren Rowse web : ProBlogger.net twitter : @ProBlogger facebook : facebook/problogger Guest : Tsh Oxenreider web : SimpleMom.net twitter : @SimpleMom facebook : facebook/simplemomblog Our Webinar Hashtag is #PBWebinar To Be Notified

457 views • 27 slides
Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria

Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 19 October, 2012 Handout 4 Summary of this handout: Block Ciphers continued Modes of Operation Cryptomeria II.1.5 Modes

353 views • 7 slides

More recommend