new observations on impossible differential cryptanalysis
play

New Observations on Impossible Differential Cryptanalysis of - PowerPoint PPT Presentation

Sep 12, 2022 •209 likes •472 views

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

  1. New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3. Tsinghua University, 4.Donghua University FSE 2012 M ar. 19 , 2012

  2. Outline Shanghai Jiao Tong University Impossible Differential Cryptanalysis The Block Cipher Camellia Our Results • 7-Round Impossible Differentials of Camellia for Weak Keys and Their Applications ( By Leibo Li, Xiaoyun Wang, Jiazhe Chen ) • 8-Round Impossible Differentials of Camellia and Their Applications ( By Ya Liu, Dawu Gu, Zhiqiang Liu, Wei Li ) Conclusion http://LoCCS.sjtu.edu.cn

  3. Impossible Differential Cryptanalysis (1/2) Shanghai Jiao Tong University Impossible differential attack was independently proposed by Knudsen and Biham. • L.R. Knudsen: DEAL – A 128-bit Block Cipher , AES Proposal, 1998 • E. Biham, A. Biryukov and A. Shamir: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials (EUROCRYPT 99) http://LoCCS.sjtu.edu.cn

  4. Impossible Differential Cryptanalysis (2/2) Shanghai Jiao Tong University Basic ideas: Impossible 1 differential attack uses differentials that hold with p =1 probability zero to derive the r right key by discarding the wrong keys which lead to the Contradiction impossible differential. Some block ciphers were r+1 analyzed by using impossible q =1 differentials: ARIA, AES, CLEFIA, MISTY1 … 2r http://LoCCS.sjtu.edu.cn

  5. Camellia (1/3) Shanghai Jiao Tong University K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, T. Tokita. Camellia: A 128-bit Block Cipher Suitable for Multiple Platforms-Design and Analysis (SAC 2000) In 2002, Camellia was selected an e-government recommended cipher by CRYPTREC . In 2003, Camellia was recommended in NESSIE block cipher portfolio. In 2005, Camellia was adopted as an ISO/IEC international standard. Basic Information • Block Size: 128 bits • Key Sizes: 128/192/256 (Camellia-128/192/256) • The Number of Rounds: 18/24 • Structure: Feistel structure with some key-dependent functions FL/FL -1 inserted every 6 rounds. http://LoCCS.sjtu.edu.cn

  6. Encryption Procedure of Camellia(2/3) Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  7. Property of FL/FL -1 (3/3) Shanghai Jiao Tong University Key-dependent Functions: FL/FL -1 http://LoCCS.sjtu.edu.cn

  8. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University 75% http://LoCCS.sjtu.edu.cn

  9. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University (0|0|0|0|0|0|0|0, a |0|0|0| c |0|0|0) ↛ (0|0|0|0| d |0|0|0,0|0|0|0|0|0|0|0) (9) =0 or KL R (8) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0| a |0|0|0| c |0|0) ↛ (0|0|0|0|0| d |0|0,0|0|0|0|0|0|0|0) (17) =0 or KL R (16) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0|0| a |0|0|0| c |0) ↛ (0|0|0|0|0|0| d |0,0|0|0|0|0|0|0|0) (25) =0 or KL R (24) =1, and d (1) =0. with conditions KL L (0|0|0|0|0|0|0|0,0|0|0| a |0|0|0| c ) ↛ (0|0|0|0|0|0|0| d ,0|0|0|0|0|0|0|0) (1) =0 or KL R (32) =1, and d (1) =0. with conditions KL L 5+2 WKID http://LoCCS.sjtu.edu.cn

  10. 7-Round Impossible Differentials of Camellia for Weak Keys Shanghai Jiao Tong University (0|0|0|0| d |0|0|0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0, a |0|0|0| c |0|0|0) with conditions KL’ L (9) =0 or KL’ R (8) =1, and d (1) =0. (0|0|0|0|0| d |0|0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0| a |0|0|0| c |0|0) with conditions KL’ L (17) =0 or KL’ R (16) =1, and d (1) =0. (0|0|0|0|0|0| d |0,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0|0| a |0|0|0| c |0) with conditions KL’ L (25) =0 or KL’ R (24) =1, and d (1) =0. (0|0|0|0|0|0|0| d ,0|0|0|0|0|0|0|0) ↛ (0|0|0|0|0|0|0|0,0|0|0| a |0|0|0| c ) with conditions KL’ L (1) =0 or KL’ R (32) =1, and d (1) =0. 2+5 WKID http://LoCCS.sjtu.edu.cn

  11. Impossible Differential Attack on10- Round Camellia-128 for Weak Keys Shanghai Jiao Tong University Data Collections: 2 n Structures, 2 n+63 × 2 -64 =2 n-1 pairs Key Recovery: K 1,{1,5} , K 10,8 , K 10,{2,3,4,6,7} , K 10,{1,5} , K 9,5 𝜁 = 2 80 × (1 − 2 −8 ) 2 𝑜−66 = 1 ⇒ 𝑜 = 79.8 Time Complexity: 2 111.8 encryptions; Data Complexity: 2 111.8 CP; Memory Complexity: 2 84.8 Bytes. http://LoCCS.sjtu.edu.cn

  12. Impossible Differential Attack on 10-Round Camellia-128 for the Whole Key Space Shanghai Jiao Tong University Phases 1 to 4 : Perform an impossible differential attack on 10- round Camellia-128 by using each of 5+2 WKID: (0|0|0|0|0|0|0|0,a|0|0|0|c|0|0|0) ↛ (0|0|0|0|d|0|0|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|a|0|0|0|c|0|0) ↛ (0|0|0|0|0|d|0|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|0|a|0|0|0|c|0) ↛ (0|0|0|0|0|0|d|0,0|0|0|0|0|0|0|0) (0|0|0|0|0|0|0|0,0|0|0|a|0|0|0|c) ↛ (0|0|0|0|0|0|0|d,0|0|0|0|0|0|0|0) Phase 5 : If the attacks above all fail, then we obtain the key information as following: Guess the remaining keys. DC: 2 113.8 CP; TC: 2 120 encryptions; MC:2 84.8 Bytes. http://LoCCS.sjtu.edu.cn

  13. The Applications of 7-Round Impossible Differentials of Camellia with Weak Keys Shanghai Jiao Tong University We attack 10-round Camellia-128 with 2 113.8 chosen plaintexts and 2 120 encryptions, 11-round Camellia-192 with 2 114.64 chosen plaintexts and 2 184 encryptions and 12-round Camellia-256 with 2 116.17 chosen plaintexts and 2 240 encryptions, which start from the first round. We attack 12-round Camellia-192 with 2 120.1 chosen plaintexts and 2 184 encryptions and 14-round Camellia-256 with 2 120 chosen plaintexts and 2 250.5 encryptions, which include two FL/FL -1 layers. http://LoCCS.sjtu.edu.cn

  14. 8-Round Impossible Differentials of Camellia without the Keyed Layers Shanghai Jiao Tong University Insert key-dependent functions FL/FL -1 Insert key-dependent functions FL/FL -1 http://LoCCS.sjtu.edu.cn

  15. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) (?|?|?|?|?|?|?|?) http://LoCCS.sjtu.edu.cn

  16. Property of FL Shanghai Jiao Tong University Proposition 7. If the input difference of FL is ( a ,0,0,0, a’, 0,0,0), where a (1) = a ’ (8) =0 and then the output difference of FL is ( a ,0,0,0,0,0,0,0). http://LoCCS.sjtu.edu.cn

  17. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University Proposition 8. • the input difference of the 1st round: (0,0,0,0,0,0,0,0, a ,0,0,0, a′, 0,0,0) ; • the output difference of the 8th round: ( b ,0,0,0, b ′,0,0,0,0,0,0,0,0,0,0,0) ; • a , b ≠0, and a (1) = b (1) = a′ (8) = b′ (8) = 0. • where four subkeys kl i ( i = 1, · · · , 4) are used in two FL/FL −1 layers. ⇒ (0|0|0|0|0|0|0|0| a |0|0|0| a’ |0|0|0) ↛ 𝟗 ( b |0|0|0| b’ |0|0|0|0|0|0|0|0|0|0|0) is an 8-round impossible differential of Camellia with two FL/FL −1 layers. ∆ i denotes the corresponding 8-round differential for each different (2~7) | kl 4 (2~7) . key values of kl 1 A = { Δ 𝑗 0 ≤ 𝑗 ≤ 2 14 − 1 ≜ {𝜀 𝑘 |1 ≤ 𝑘 ≤ 𝑢} , where 𝑢 ≤ 2 14 . http://LoCCS.sjtu.edu.cn

  18. 8-Round Impossible Differentials of Camellia with Two Keyed Layers Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  19. Attack Strategy Shanghai Jiao Tong University S elect 𝜀 𝑗 ∈ 𝐵 , perform an impossible differential attack. • If one subkey is remained, we recover the secret key by the key schedule and verify whether it is correct by some plaintext-ciphertext pairs. • If success, end this attack. • Otherwise, try another differential δ j (j≠i) of A and perform a new impossible differential attack. • If no one subkey or more than one subkeys are left, select 𝜀 𝑘 ( j≠i ) ∈ A to execute a new impossible differential attack. http://LoCCS.sjtu.edu.cn

  20. Impossible Differential Attack on 13-Round Camellia-256 Shanghai Jiao Tong University (0|0|0|0|0|0|0|0| a |0|0|0| a ’ |0|0|0) ↛ 𝟗 ( b |0|0|0| b’ |0|0|0|0|0|0|0|0|0|0|0) Case 1. a′=b′=0. Case 2. a′=0 and b′≠0, or a′ ≠0 and b′=0. Case 3. a′≠0 and b′≠ 0. http://LoCCS.sjtu.edu.cn

  21. Impossible Differential Attack on 13-Round Camellia-256 Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

  22. The Applications of 8-Round Impossible Differentials of Camellia Shanghai Jiao Tong University We construct 8-round impossible differentials of Camellia with two FL/FL -1 layers, the length of which is the same as the length of the known best impossible differential of Camellia without the FL/FL -1 layers. The key-dependent layers cannot resist impossible differential attack effectively. We attack 12-round Camellia-192 with 2 123 chosen plaintexts and 2 187.2 encryptions and 13-round Camellia-256 with 2 123 chosen plaintexts and 2 251.1 encryptions, which include the whitening and FL/FL -1 layers. http://LoCCS.sjtu.edu.cn

  23. Summary of the attacks on Camellia Shanghai Jiao Tong University http://LoCCS.sjtu.edu.cn

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Concept of Differentials Propagation Ratio The

471 views • 15 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai

Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai

Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai Jiao Tong University 2 Max Planck Institute for Software Systems (MPI-SWS) CPP15, 14 January 2015 Blocking synchronisation 3 H : 9 2 n :=

745 views • 25 slides
Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy

Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy

Introduction Multiple defaults risk model Optimal investment problem Backward system of BSDEs Conclusion Optimal investment under multiple defaults: a BSDE-decomposition approach en PHAM Huy LPMA-University Paris Diderot, and

487 views • 37 slides
Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 ,

Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 ,

Polynomial Invariant Generation for Non-deterministic Recursive Programs Krishnendu Chatterjee 1 , Hongfei Fu 2 Amir Kafshdar Goharshady 1 , Ehsan Kafshdar Goharshady 3 1 IST Austria 2 Shanghai Jiao Tong University 3 Ferdowsi University of Mashhad

603 views • 21 slides
Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University

Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University

Probabilistic Bisimilarity Revisited Yuxin Deng Shanghai Jiao Tong University http://basics.sjtu.edu.cn/ yuxin/ February 9, 2014 1 Outline 1. Preliminaries 2. Probabilistic bisimulation and simulation 3. A modal characterisation of

670 views • 25 slides
On Deza Circulants Sergey Goryainov Shanghai Jiao Tong University & Krasovskii Insitute of

On Deza Circulants Sergey Goryainov Shanghai Jiao Tong University & Krasovskii Insitute of

On Deza Circulants Sergey Goryainov Shanghai Jiao Tong University & Krasovskii Insitute of Mathematics and Mechanics based on joint work in progress with Alexander Gavrilyuk and Leonid Shalaginov Sun Yat-sen University, Guangzhou November

527 views • 21 slides
Easy::Jit Just-In-Time compilation for C++ codes Serge Guelton (two presentations from) Juan

Easy::Jit Just-In-Time compilation for C++ codes Serge Guelton (two presentations from) Juan

Easy::Jit Just-In-Time compilation for C++ codes Serge Guelton (two presentations from) Juan Manuel Martinez Caamao (me) Introduction Compiler-assisted library for runtime code generation An omniscient virtual machine Building

289 views • 9 slides
A Tale of Two Projects It is the best of jitting, it is the worst of jitting Collaborators

A Tale of Two Projects It is the best of jitting, it is the worst of jitting Collaborators

A Tale of Two Projects It is the best of jitting, it is the worst of jitting Collaborators Jan Vitek Oli Fluckiger Jan Jecmen Paley Li Roman Tsegelskyi Alena Sochurkova Petr Maj Design Goals Performance The

613 views • 45 slides
How PyTorch Optimizes Deep Learning Computations Vincent Quenneville-Blair, PhD. Facebook AI.

How PyTorch Optimizes Deep Learning Computations Vincent Quenneville-Blair, PhD. Facebook AI.

How PyTorch Optimizes Deep Learning Computations Vincent Quenneville-Blair, PhD. Facebook AI. Overview Compute with PyTorch Model with Neural Networks Ingest Data Use Multiple GPUs and Machines 1 Compute with PyTorch Example: Pairwise

653 views • 44 slides

More recommend