low memory attacks against 2 round even mansour using the
play

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR - PowerPoint PPT Presentation

Jul 13, 2023 •142 likes •733 views

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

  1. Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gaëtan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23

  2. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K P K E ( m ) 2 / 23

  3. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K � n -bit to n -bit public permutation P . secure block cipher E . n -bit secret key K . P K E ( m ) 2 / 23

  4. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Most-Simple permutation-based block cipher. m Original by Even and Mansour, Asiacrypt 91. Single-key by Dunkelman et al. , Eurocrypt 2012. K � n -bit to n -bit public permutation P . secure block cipher E . n -bit secret key K . P D = number of calls to keyed E , Q = number of calls to the public P , 1EM provable security up to DQ ≪ 2 n . K ⇒ Security up to birthday bound 2 n / 2 . = E ( m ) 2 / 23

  5. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. m K P K E ( m ) 3 / 23

  6. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y P P ( y ) K E ( x ) 3 / 23

  7. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y = ⇒ x ⊕ E ( x ) ⊕ y ⊕ P ( y ) = 0 P P ( y ) K E ( x ) 3 / 23

  8. Introduction First attack Clamping attacks Low-Data Attack Conclusion 1-Round Even-Mansour 1EM Cryptanalysis in DQ = DT = 2 n originally by Daemen, Asiacrypt 91. x ∀ x , y ∈ { 0 , 1 } n , K x ⊕ y = K ⇐ ⇒ P ( y ) ⊕ E ( x ) = K y = ⇒ x ⊕ E ( x ) ⊕ y ⊕ P ( y ) = 0 P Cryptanalysis via n -bit collision search P ( y ) Let f 0 ( x ) = x ⊕ E ( x ) and f 1 ( y ) = y ⊕ P ( y ). Find a collision between f 0 and f 1 , guess K = x ⊕ y . K = ⇒ No gap between the best proofs and attacks. E ( x ) 3 / 23

  9. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K P 1 K P 2 K E ( m ) 4 / 23

  10. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K Provably secure up to 2 2 n / 3 . P 1 Best cryptanalysis time complexity: T = 2 n / n . K P 2 K E ( m ) 4 / 23

  11. Introduction First attack Clamping attacks Low-Data Attack Conclusion 2-Round Even-Mansour 2EM m Extension by Bogdanov et al. , Eurocrypt 2012. Keeps it simple and secure beyond birthday-bound. K Provably secure up to 2 2 n / 3 . P 1 Best cryptanalysis time complexity: T = 2 n / n . K GAP There remains a significant gap between the proof, 2 2 n / 3 , and the P 2 best attacks in T = 2 n / n . K E ( m ) 4 / 23

  12. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . m Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K P 1 K P 2 K E ( m ) 5 / 23

  13. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . x Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K y In this work, we use the fact that: P 1 ∀ x , y , z ∈ { 0 , 1 } n , P 1 ( y )  K x ⊕ y = K �  z x ⊕ y = K   = K ⇐ ⇒ P 1 ( y ) ⊕ z = K P 1 ( y ) ⊕ z P 2   P 2 ( z ) ⊕ E ( x ) = K  P 2 ( z ) K E ( x ) 5 / 23

  14. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Approach Best information theoretic attack trade-off: DQ 2 = 2 2 n . 2EM This matches the proof only in D = Q = 2 2 n / 3 . x Best time complexity cryptanalysis in T = 2 n / n but it uses also a lot of memory and/or online data! K y In this work, we use the fact that: P 1 ∀ x , y , z ∈ { 0 , 1 } n , P 1 ( y )  K x ⊕ y = K �  z x ⊕ y = K   = K ⇐ ⇒ P 1 ( y ) ⊕ z = K P 1 ( y ) ⊕ z P 2   P 2 ( z ) ⊕ E ( x ) = K  P 2 ( z ) � x ⊕ y ⊕ P 1 ( y ) ⊕ z = 0 K = ⇒ x ⊕ E ( x ) ⊕ ⊕ P 2 ( z ) = 0 y E ( x ) 5 / 23

  15. Introduction First attack Clamping attacks Low-Data Attack Conclusion First result : A Link to the 3-XOR 2EM x  ⊕ y ⊕ P 1 ( y ) ⊕ = 0 x z  K x ⊕ E ( x ) ⊕ y ⊕ P 2 ( z ) = 0 y  P 1 P 1 ( y ) K z P 2 P 2 ( z ) K E ( x ) 6 / 23

  16. Introduction First attack Clamping attacks Low-Data Attack Conclusion First result : A Link to the 3-XOR 2EM x  ⊕ y ⊕ P 1 ( y ) ⊕ = 0 x z  K x ⊕ E ( x ) ⊕ y ⊕ P 2 ( z ) = 0 y  P 1 Cryptanalysis via the 3-XOR Problem with 2 n -bit functions P 1 ( y ) f 0 ( x )= x || x ⊕ E ( x ) K z y f 1 ( y )= y ⊕ P 1 ( y ) || P 2 f 2 ( z )= z || P 2 ( z ) P 2 ( z ) Solve the 3-XOR problem between f 0 , f 1 and f 2 . K Guess K = x ⊕ y . E ( x ) 6 / 23

  17. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. 7 / 23

  18. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. Definition (3-XOR problem) Given three functions f 0 , f 1 , f 2 , find three inputs ( x 0 , x 1 , x 2 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) ⊕ f 2 ( x 2 ) = 0. 7 / 23

  19. Introduction First attack Clamping attacks Low-Data Attack Conclusion 3-XOR Problem Definition (Collision problem) Given two functions f 0 , f 1 , find two inputs ( x 0 , x 1 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) = 0. Definition (3-XOR problem) Given three functions f 0 , f 1 , f 2 , find three inputs ( x 0 , x 1 , x 2 ) such that f 0 ( x 0 ) ⊕ f 1 ( x 1 ) ⊕ f 2 ( x 2 ) = 0. Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. 7 / 23

  20. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. 8 / 23

  21. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. Solving Random 3-XOR with 2 n -bit elements Requires | L 0 | · | L 1 | · | L 2 | = 2 2 n so at least one list of size 2 2 n / 3 . | L 0 | = | L 1 | = | L 2 | = 2 2 n / 3 is enough: compute sum of all triples to find a solution. So we have a proof and Information Theoretical attack in 2 2 n / 3 . However best algorithms run in time T = O (2 n / n )... 8 / 23

  22. Introduction First attack Clamping attacks Low-Data Attack Conclusion Gap of the 3-XOR Problem Definition (3-XOR problem with lists) Given three lists L 0 , L 1 , L 2 , find three elements ( e 0 , e 1 , e 2 ) ∈ L 0 × L 1 × L 2 such that e 0 ⊕ e 1 ⊕ e 2 = 0. Cryptanalysis of n -bit 2EM as a 3-XOR with 2 n -bit elements. Solving Random 3-XOR with 2 n -bit elements Requires | L 0 | · | L 1 | · | L 2 | = 2 2 n so at least one list of size 2 2 n / 3 . | L 0 | = | L 1 | = | L 2 | = 2 2 n / 3 is enough: compute sum of all triples to find a solution. So we have a proof and Information Theoretical attack in 2 2 n / 3 . However best algorithms run in time T = O (2 n / n )... = ⇒ We found the same gap... again ! 8 / 23

  23. Introduction First attack Clamping attacks Low-Data Attack Conclusion Our Strategy 3-XOR solving Two main techniques: Multicollision based [Nikolic&Sasaki15] and Linear algebra based [Joux09]. Roughly same asymptotic time complexity. 9 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick Seurin 4 John Steinberger 1 1 Tsinghua University, China 2 University of Versailles, France 3 Sejong University, Korea 4 ANSSI, France August 18, 2014

1.07k views • 88 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory attacks: an ongoing war David

725 views • 44 slides
Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round

Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round

1 2 Exploring the parameter space sntrup761 evaluations from in lattice attacks NTRU Prime: round 2 Table 2: Daniel J. Bernstein Ignoring cost of memory: 368 185 enum, ignoring hybrid Tanja Lange 230 169 enum, including hybrid 153

2k views • 65 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle,

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universitt Bochum, Germany Inria Paris, France BFA 2017, July 2017 Outline A new condition

442 views • 27 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or horizontal half-planes Round 1 Round 1 Round 1 Round 1 Round 1 h 1 D 2 " 1 =0.30 ! =0.42 1 Round 2 Round 2 Round 2 Round 2 Round

188 views • 5 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR

ON THE APPLICABILITY OF BINARY CLASSIFICATION TO DETECT MEMORY ACCESS ATTACKS IN IOT C&ESAR 2018- Rennes | CEA Leti | KERROUMI Sanaa | 08/11/18 SOMMAIRE IoT node Related works Problem statement Proposed methodology Results Take out and

752 views • 36 slides
Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20 June 2018 Supervisors: Prof. Dr. Benno Stein, PD Dr. Andreas Jakoby Unmasking for short texts Obfuscation against unmasking Obfuscation

1.38k views • 95 slides
Hyperbolic surfaces, cutting sequences, and continued fractions Claire Merriman October 21, 2019

Hyperbolic surfaces, cutting sequences, and continued fractions Claire Merriman October 21, 2019

Hyperbolic surfaces, cutting sequences, and continued fractions Claire Merriman October 21, 2019 The Ohio State University merriman.72@osu.edu OCF Animation First frame of the animiation. Regular Continued Fractions Way to represent x >

979 views • 35 slides
Noise in SwitchedCapacitor Circuits 17 March 2014 Trevor Caldwell trevor.caldwell@analog.com

Noise in SwitchedCapacitor Circuits 17 March 2014 Trevor Caldwell trevor.caldwell@analog.com

Noise in SwitchedCapacitor Circuits 17 March 2014 Trevor Caldwell trevor.caldwell@analog.com What you will learn# How to analyze noise in

482 views • 22 slides
On the frequencies of patterns of rises and falls Jean-Marc Luck Institut de Physique Th

On the frequencies of patterns of rises and falls Jean-Marc Luck Institut de Physique Th

On the frequencies of patterns of rises and falls Jean-Marc Luck Institut de Physique Th eorique, Saclay (CEA & CNRS) Preprint arXiv:1309.7764 Journ ees ALEA 2014, March 1721, 2014, CIRM, Marseille 1 Outline The problem

438 views • 31 slides
Determining s by using the gradient flow in the quenched theory Eliana Lambrou in

Determining s by using the gradient flow in the quenched theory Eliana Lambrou in

Determining s by using the gradient flow in the quenched theory Eliana Lambrou in collaboration with Szabolcs Borsanyi and Zoltan Fodor Bergische Universit at Wuppertal 34th International Symposium on Lattice Field Theory Southampton,

619 views • 23 slides
From Apollonian Circle Packings to Fibonacci Numbers Je ff Lagarias , University of Michigan

From Apollonian Circle Packings to Fibonacci Numbers Je ff Lagarias , University of Michigan

From Apollonian Circle Packings to Fibonacci Numbers Je ff Lagarias , University of Michigan March 25, 2009 2 Credits Results on integer Apollonian packings are joint work with Ron Graham, Colin Mallows, Allan Wilks, Catherine Yan,

1.11k views • 73 slides
Primary and secondary cosmic rays in the NUCLEON space experiment after two years of data

Primary and secondary cosmic rays in the NUCLEON space experiment after two years of data

Lomonosov Moscow State University Primary and secondary cosmic rays in the NUCLEON space experiment after two years of data acquisition A. Panov, on behalf of the NUCLEON collaboration ICRC 2017 CONTENT Prehistory of the NUCLEON experiment

574 views • 45 slides
Staffa Island, Scotland SPIE - Spintronics San Diego 28 Aug 1 Sep 2016 O. Fruchart 1.

Staffa Island, Scotland SPIE - Spintronics San Diego 28 Aug 1 Sep 2016 O. Fruchart 1.

Staffa Island, Scotland SPIE - Spintronics San Diego 28 Aug 1 Sep 2016 O. Fruchart 1. Institut NEL, Univ. Grenoble Alpes / CNRS, France 2. SPINTEC, Univ. Grenoble Alpes / CNRS / CEA-INAC, France www.spintec.fr email:

626 views • 35 slides

More recommend