
Meet in the Middle - STP

March 20, 2019


Last week’s exercise

Solution on whiteboard.


Recap of MitM attack

Whiteboard


Searching for attacks

◮ By hand - Last week(s)
◮ Using the computer - This week
    ◮ Excel
    ◮ Tailored program
    ◮ STP - Simple Theorem Prover
    ◮ MILP - Mixed Integer Linear Programming

STP

◮ Can be used to prove certain properties of a system.
◮ Constraint Solver.
◮ Quantifier free.
◮ Bitvectors.
◮ Many input languages, we will use CVC (Least annoying).

STP (2)

We can give a set of constraints to STP and ask if the set of constraints is satisfiable.

    x = 5
    y = 6
    x > y

Is unsatisfiable.

    x = 0x5
    y ∈ {0, 1}^4
    z = x ⊕ y
    z = 0xF

Is satisfiable.

CVC

    % INPUT
    x, y, z : BITVECTOR(4);
    ASSERT(x = 0hex5 AND z = BVXOR(x, y) AND z = 0hexF);
    QUERY(FALSE);
    COUNTEREXAMPLE;

    % OUTPUT
    ASSERT( y = 0xA );
    ASSERT( z = 0xF );
    ASSERT( x = 0x5 );
    Invalid.

CVC (2)

    % INPUT
    x, y, z : BITVECTOR(4);
    ASSERT(
        % x is non zero
        NOT(x = 0hex0) AND
        % y is zero
        y = 0hex0 AND
        % set a constraint on z
        z = x & ((y << 2)[3:0]) AND
        % assert that z is nonzero
        NOT(z = 0hex0)
    );
    QUERY(FALSE);
    COUNTEREXAMPLE;

    % OUTPUT
    Valid.

CVC (2.5)

    % INPUT
    x, y, z : BITVECTOR(4);
    ASSERT(
        % x is non zero
        NOT(x = 0hex0) AND
        % y is non zero
        NOT(y = 0hex0) AND
        % set a constraint on z
        z = x & ((y << 2)[3:0]) AND
        % assert that z is nonzero
        NOT(z = 0hex0)
    );
    QUERY(FALSE);
    COUNTEREXAMPLE;

    % OUTPUT
    ASSERT( x = 0x4 );
    ASSERT( y = 0x1 );
    ASSERT( z = 0x4 );
    Invalid.

CVC (3)

For more information on STP and CVC: https://github.com/stp/stp/blob/master/docs/cvc-input-language.rst

    CVC                   normal
    AND / OR / NOT        && / || / !
    | / & / ~             | / & / ~
    BVXOR(a, b)           a ^ b
    BVPLUS(a, b)          a + b
    BVMULT(a, b)          a ∗ b
    BVSUB(a, b)           a − b

    CVC                   normal
    0hex5 / 0bin0110      0x5 / 0b0110
    x : BITVECTOR(n)      x ∈ {0, 1}^n
    a @ b                 concatenation
    a[4:1]                extraction
    <<                    left shift
    >>                    right shift
TC03

TC03 is a Feistel network with a block size of 8 bits, and a key size of 64 bits.

Round Function

    F′(w) = ((w ≪ 1) & (w ≪ 2)) ⊕ w

Key Schedule

    K = k0|k1|k2|k3| . . . |k15

The i-th round key is given by:

    rk_i = k_(i mod 16)

[Figure: Feistel round diagram with labels l, r, l′, r′, rk_i, ⊕, F′]

CVC (4)

◮ Overkill for finding MitM attacks, but is interesting for finding differential/linear characteristics.
◮ Very verbose (no quantifiers).
◮ Write a Python script to create a CVC description of the cipher.
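
One way to write such a script for the TC03 toy cipher from the earlier slide (an added example, not the course's own code). It assumes the classic Feistel wiring l′ = r, r′ = l ⊕ F′(r ⊕ rk_i) and reads ≪ as a 4-bit left rotation, because the round diagram did not survive; the names `rotl4`, `tc03_cvc`, `tc03_encrypt` and the variables l_i, r_i, w_i are illustrative.

```python
# Added example. Assumed (the slide's round diagram is lost): Feistel wiring
#   l' = r,  r' = l XOR F'(r XOR rk_i),  and "≪" read as a 4-bit left rotation.

def rotl4(expr, n):
    """CVC text for a 4-bit left rotation, built from extraction and '@'."""
    return f"({expr}[{3 - n}:0] @ {expr}[3:{4 - n}])"

def tc03_cvc(rounds, plaintext=None, ciphertext=None):
    """Return a CVC description of `rounds` rounds of TC03 as one string."""
    names = [f"k{i}" for i in range(min(rounds, 16))]   # rk_i = k_(i mod 16)
    for i in range(rounds + 1):
        names += [f"l{i}", f"r{i}"]
    names += [f"w{i}" for i in range(rounds)]            # w_i = input of F'
    out = [", ".join(names) + " : BITVECTOR(4);"]
    for i in range(rounds):
        w = f"w{i}"
        f_out = f"BVXOR(({rotl4(w, 1)} & {rotl4(w, 2)}), {w})"
        out += [
            f"% round {i}",
            f"ASSERT({w} = BVXOR(r{i}, k{i % 16}));",
            f"ASSERT(l{i + 1} = r{i});",
            f"ASSERT(r{i + 1} = BVXOR(l{i}, {f_out}));",
        ]
    if plaintext is not None:
        out.append(f"ASSERT((l0 @ r0) = 0hex{plaintext:02X});")
    if ciphertext is not None:
        out.append(f"ASSERT((l{rounds} @ r{rounds}) = 0hex{ciphertext:02X});")
    out += ["QUERY(FALSE);", "COUNTEREXAMPLE;"]
    return "\n".join(out)

def tc03_encrypt(block, key_nibbles, rounds):
    """Plain-Python reference with the same assumed wiring, for cross-checks."""
    def rot(w, n):
        return ((w << n) | (w >> (4 - n))) & 0xF
    l, r = block >> 4, block & 0xF
    for i in range(rounds):
        w = r ^ key_nibbles[i % 16]
        l, r = r, l ^ ((rot(w, 1) & rot(w, 2)) ^ w)
    return (l << 4) | r

if __name__ == "__main__":
    key = list(range(16))                  # constructed sample key, 16 nibbles
    ct = tc03_encrypt(0x3C, key, 4)
    print(tc03_cvc(4, plaintext=0x3C, ciphertext=ct))
```

The printed model follows the same QUERY(FALSE) / COUNTEREXAMPLE pattern as the slides, so a satisfying assignment of the key nibbles is reported as a counterexample; the Python reference lets you check that assignment against the plaintext/ciphertext pair.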


SKINNY Round Function

[Figure: SKINNY round function: SC, AC, ART, ShiftRows (>>> 1, >>> 2, >>> 3), MixColumns]

    S4 = [C 6 9 0 1 A 2 B 3 8 5 D 4 E 7 F]
    M = 1 1 1 1 1 1 1 1
SKINNY Tweakey Schedule

[Figure: SKINNY tweakey schedule: PT, LFSR, LFSR, extracted 8s-bit subtweakey]

    PT = [9 15 8 13 10 14 12 11 0 1 2 3 4 5 6 7]
    LFSR_TK2 = (x3||x2||x1||x0) → (x2||x1||x0||x3 ⊕ x2)
Skinny with STP

◮ Model knowledge on nibble level instead of bit level.
◮ Also model the key schedule.
◮ Upper-bound the key weight to find ‘best’ attacks.
◮ We can find all attacks by removing instances from the search space and retrying until no valid attacks are possible.
The End?

◮ STP is powerful, but for example getting the minimum number of key bits is not (natively) possible. Better to use MILP (Mixed Integer Linear Programming).
◮ MitM attacks are powerful, but as we will see next week there exist better attacks (more rounds).
◮ Only the basics of MitM attacks, we can squeeze out a bit more if we really want.
For nextnext week

◮ Next week no class!
◮ Do this week's exercises (deadline 3rd of April).
◮ Play a bit with STP (Hint: If you find your attack on TC02 with STP you get extra points).