mars attacks revisited
play

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS - PowerPoint PPT Presentation

Jun 19, 2023 •654 likes •1.16k views

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

  1. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT’11 Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Bauhaus-University Weimar, Germany Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 1 / 27

  2. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation What is MARS? • block cipher with 128 bit block size • developed 1998 by a team from IBM as a candidate for the Advanced Encryption Standard (AES) • one of five finalists in the AES competition 2001 • no attacks from 2001 till 2009 Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 2 / 27

  3. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  4. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  5. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES • MARS structure differs from other ciphers (mixing rounds) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  6. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Motivation (cont’d) Why is MARS an interesting subject to study? • full AES is theoretically broken • many attacks on AES base on exploiting the relatively weak key schedule of AES • MARS structure differs from other ciphers (mixing rounds) • key scheduler much stronger/ more complex than key scheduler of AES Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 3 / 27

  7. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion What we did We propose two attacks: • extend 11-round distinguisher by Kelsey et al to 12 core rounds Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 4 / 27

  8. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion What we did We propose two attacks: • extend 11-round distinguisher by Kelsey et al to 12 core rounds • establish first key recovery attack on the MARS key schedule, using the distinguisher to recover the secret key Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 4 / 27

  9. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Outline MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 5 / 27

  10. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion MARS Plaintext A i− B i− C i− D i− 1 1 1 1 Whitening Rounds • 128 bit block size Core • internal state: 4 × 32 bit words Core ( A , B , C , D ) Whitening Rounds Ciphertext A i B i C i D i Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 6 / 27

  11. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion MARS - Structure of the Core Rounds 8 x forward round 8 x backward round A <<< 13 <<< 13 E E B C D Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 7 / 27

  12. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery Exploits differential properties of the MARS core • 3-round differential characteristic with probability 1 (0 , 0 , 0 , α ) → ( β, 0 , 0 , 0) • distinguisher uses the 3-rounds characteristic twice, for rounds 4 - 6 and 7 - 9 • differences, if multiplied with a constant, propagate only in the most significant bits (used in round 10) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 8 / 27

  13. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K + K 6 E E E (0 , a , b , 0) K 5 K* K 7 K* K* K 9 B C D (0,0,c,d) (0,a,b,0) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  14. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K + K 6 E E E (0 , a , b , 0) K* K 5 K* K 7 K 9 K* 2. partially decrypt B (0 , a , b , 0) to reach ( A , B , C , D ) C D (0,0,c,d) (0,a,b,0) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  15. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: 1. choose 2 56 texts with Round 1 Round 2 Round 3 A <<< 13 <<< 13 <<< 13 arbitrary differences K + K 4 K 6 K + E E E (0 , a , b , 0) K* K 5 K 7 K* K 9 K* 2. partially decrypt B (0 , a , b , 0) to reach ( A , B , C , D ) C 3. create 2 56 batches D with 302 texts each (0,0,c,d) (0,a,b,0) with difference ( A , B , C , D ) between batches Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 9 / 27

  16. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 5. partially decrypt all <<< 13 <<< 13 <<< 13 ciphertexts with each of the 2 32 subkey K + E E K 26 E K 27 K* candidates for Round 12 and extract the bit “ a ” for each ciphertext ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 10 / 27

  17. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 5. partially decrypt all <<< 13 <<< 13 <<< 13 ciphertexts with each of the 2 32 subkey K + E E K 26 E K 27 K* candidates for Round 12 and extract the bit “ a ” for each ciphertext 6. build 2 56 strings of ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) 302 “ a ” bits for each batch Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 10 / 27

  18. MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Distinguisher and Subkey Recovery (cont’d) For each of the 2 154 subkey candidates of the first three rounds do: Round 10 Round 11 Round 12 7. store and sort the <<< 13 <<< 13 <<< 13 resulting bit strings K + E E K 26 E in order of the K 27 K* chosen plaintexts ((? 6 ,a,0 6 ,? 19 ),0,0,0) ((? 15 ,a,0 6 ,? 10 ),?,?,?) (?,?,?,(? 2 ,a,0 6 ,? 23 )) Michael Gorski, Thomas Knapke, Eik List, Stefan Lucks, Jakob Wenzel Mars Attacks! Revisited! 11 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila , Ricardo J. Rodr guez Jos 594190@unizar.es, rj.rodriguez@unileon.es All wrongs reversed University of Zaragoza, Spain RIASC,

1.03k views • 53 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a

Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a

Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a point with the naked eye. Even at its largest, it is too small to resolve as a disk. This image shows the full Moon next to an image of Mars scaled

355 views • 24 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS

MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS

MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS Discovered by American astronomer Asaph Hall First found Deimos August 12 th 1877 then Phobos August 18 th 1877 GREEK NAMES Named after

363 views • 19 slides
ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to

ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to

ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to Stay and Mars Exploration IV. Space Resource Utilization RECOMMENDATIONS 1. Long range strategic plan 2. National Program Office 3. NASA

320 views • 30 slides
The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern

The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern

The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern California How do we land on Mars? Why Are We so Interested In Mars? Parameter Mars Earth Distance (AU) 1.4 1 The Terrestrial Planets Look Very

492 views • 47 slides
MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell

MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell

MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell University of Oxford Talk overview Introduction to the MARS technology MARS neutron portal project MARS antineutrino detector system

629 views • 34 slides
Mars Image-based Modeling and Rendering Mars Rovers have 3 cameras Panoramic Camera

Mars Image-based Modeling and Rendering Mars Rovers have 3 cameras Panoramic Camera

Mars Image-based Modeling and Rendering Mars Rovers have 3 cameras Panoramic Camera Hazard Identification Camera Navigation Camera Testing the roll-off on the ground at the JPL Mars Yard sandbox. 1 Panorama Camera

471 views • 8 slides
Knowledge Federation Dino Karabeg onsdag 5. mars 14 Text onsdag 5. mars 14 Text onsdag 5.

Knowledge Federation Dino Karabeg onsdag 5. mars 14 Text onsdag 5. mars 14 Text onsdag 5.

Doug Engelbarts Unfinished Revolution Program for the Future Knowledge Federation Dino Karabeg onsdag 5. mars 14 Text onsdag 5. mars 14 Text onsdag 5. mars 14 Text onsdag 5. mars 14 Text onsdag 5. mars 14 Knowledge federation

523 views • 37 slides
Lecture 7: Examples, MARS, Arithmetic Todays topics: More examples MARS intro

Lecture 7: Examples, MARS, Arithmetic Todays topics: More examples MARS intro

Lecture 7: Examples, MARS, Arithmetic Todays topics: More examples MARS intro Numerical representations 1 Dealing with Characters Instructions are also provided to deal with byte-sized and half-word quantities: lb

697 views • 31 slides
Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and Ext, Revisited Hom and Ext, Revisited Joint work with Hailong Dao and Mohammad Eghbali JL Hom and Ext, Revisited Hom

871 views • 45 slides
Voyage to Mars Space Simulation Your class is divided into two crews Mars Control Spacecraft

Voyage to Mars Space Simulation Your class is divided into two crews Mars Control Spacecraft

Voyage to Mars Space Simulation Your class is divided into two crews Mars Control Spacecraft Record results, research Perform experiments analyze, and draw and send results to Mars conclusions Control Crew Track progress of SC crew Voyage To

536 views • 40 slides
MARS MARS MUTUAL FUND AUTOMATED PORTFOLIO REBALANCING SYSTEM WHICH PARAMETERS NEED TO BE KEPT IN

MARS MARS MUTUAL FUND AUTOMATED PORTFOLIO REBALANCING SYSTEM WHICH PARAMETERS NEED TO BE KEPT IN

MARS MARS MUTUAL FUND AUTOMATED PORTFOLIO REBALANCING SYSTEM WHICH PARAMETERS NEED TO BE KEPT IN MIND WHILE MAKING AN INVESTMENT ? Returns Risk/Volatility Safety of Capital Liquidity Tax Efficient WHAT ARE THE INVESTMENT OPTIONS ? Bank

482 views • 30 slides
By Barry S. Roffman, Lieutenant, USCG-Retired January 29, 2015 1 Why go to or care about Mars?

By Barry S. Roffman, Lieutenant, USCG-Retired January 29, 2015 1 Why go to or care about Mars?

MARS CORRECT: CRITIQUE OF ALL NASA MARTIAN WEATHER DATA By Barry S. Roffman, Lieutenant, USCG-Retired January 29, 2015 1 Why go to or care about Mars? Many think life started on Mars, came here via meteorites An asteroid or comet probably

603 views • 57 slides
Mars Desert Research Station MDRS Presentation Summary of Mars Desert Research Station HAB

Mars Desert Research Station MDRS Presentation Summary of Mars Desert Research Station HAB

Mars Desert Research Station MDRS Presentation Summary of Mars Desert Research Station HAB Crew Presenters primary responsibilities Experiments What is MDRS Mars Analog Research Stations are laboratories for learning how

859 views • 49 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal,

A Hybrid Lattice Reduction and Quantum Search Attack on LWE F. Gpfert, C. van Vredendaal, Thomas Wunderer 29.06.2017 | 1 Motivation Primal BKW Embedding LWE Hybrid Dual Embedding Make it quantum! Faster More versatile

553 views • 28 slides
Introduction to Security Markus Kuhn Computer Laboratory

Introduction to Security Markus Kuhn Computer Laboratory

Introduction to Security Markus Kuhn Computer Laboratory http://www.cl.cam.ac.uk/Teaching/2003/IntroSecurity/ Lent 2004 Part Ib, Part II (General), Diploma What is this course about? This is a basic and broad introduction to computer

1.53k views • 117 slides
rrt rtss

rrt rtss

trt r rtss s st rrt rtss

1.37k views • 50 slides
C ryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1

C ryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1

C ryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80 Achterbahn [Gammel-G ottfert-Kniffler05]

781 views • 25 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides

More recommend