practical cryptanalysis of armadillo 2
play

Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and - PowerPoint PPT Presentation

Dec 28, 2022 •394 likes •846 views

The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar a Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological

  1. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Practical Cryptanalysis of ARMADILLO-2 Mar´ ıa Naya-Plasencia and Thomas Peyrin University of Versailles - France Nanyang Technological University - Singapore FSE 2012 Washington - March 19, 2012

  2. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  3. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  4. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion What is ARMADILLO-2 ? • ARMADILLO-2 is a lightweight , multi-purpose cryptographic primitive published by Badel et al. at CHES 2010 • in the original article, ARMADILLO-1 is proposed but the authors identified a security issue and advised to use ARMADILLO-2 • ARMADILLO-2 is • a FIL-MAC • a stream-cipher • a hash function • they are all based on an internal function that uses data-dependent bit transpositions • 5 different parameters sizes defined

  5. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state Q A ( B ) A B

  6. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 Q A ( B ) A 1 − → apply σ 1 and xor B

  7. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 Q A ( B ) A 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  8. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  9. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  10. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 1010 · · · 10 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 1 − → apply σ 1 and xor 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  11. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The basic building block: a parametrized permutation Q X ARMADILLO-2 uses a permutation Q A ( B ) as basic building block: • the internal state is initialized with input B we apply a steps, where a is the bitsize of the input parameter A • for each step i : • extract bit i from A 1010 · · · 10 • if A[i]=0, apply the bitwise permutations σ 0 , otherwise σ 1 1010 · · · 10 • bitwise XOR the constant 1010 · · · 10 to the internal state 1010 · · · 10 1010 · · · 10 1010 · · · 10 1010 · · · 10 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 0 − → apply σ 0 and xor Q A ( B ) A 0 − → apply σ 0 and xor 1 − → apply σ 1 and xor 1 − → apply σ 1 and xor B

  12. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The ARMADILLO-2 compression function C ′ • two inputs: - the chaining variable C - the message block M Y • one output: - the chaining variable C ′ Q X ( C || M ) X Q M ( C || M ) M C M C M

  13. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The ARMADILLO-2 compression function k c m C ′ 128 80 48 192 128 64 Y 240 160 80 288 192 96 384 256 128 Q X ( C || M ) X Q M ( C || M ) M C M C M

  14. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Cryptanalysis of ARMADILLO-2 Abdelraheem et al. (ASIACRYPT 2011): • key recovery attack on the FIL-MAC • key recovery attack on the stream cipher • (second)-preimage attack on the hash function ... but computation and memory complexity is very high , often close to the generic complexity (example 256-bit preimage with 2 208 computations and 2 205 memory or 2 249 computations and 2 45 memory) We provide very practical attacks (only a few operations): • distinguisher and related-key recovery on the stream cipher • free-start collision on the compression function (chosen-related IVs) • semi-free-start collision on the compression/hash function (chosen IV)

  15. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion First tools For two random k -bit words A and B of Hamming weight a and b respectively, the probability that HAM ( A ∧ B ) = i is � a �� k − a � b �� k − b � � i b − i i a − i P and ( k , a , b , i ) = = . � k � k � � b a For two random k -bit words A and B of Hamming weight a and b respectively, the probability that HAM ( A ⊕ B ) = i is P and ( k , a , b , a + b − i � ) for ( a + b − i ) even 2 P xor ( k , a , b , i ) = 0 for ( a + b − i ) odd

  16. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion Outline The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion

  17. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side C ′ Y Q X ( C || M ) X Q M ( C || M ) M C M C M

  18. b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side M ∆ M = 0 C M HAM (∆ C ) = 1 ∆ M = 0

  19. b b b b b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side HAM (∆ X ) = 1 M ∆ M = 0 C M HAM (∆ C ) = 1 ∆ M = 0 We have HAM (∆ X ) = 1 with probability 1

  20. b b b b b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - right side ∆ X = 0 . . . 01 ∆ M = 0 M C M HAM (∆ C ) = 1 ∆ M = 0 We have ∆ X = 0 . . . 01 with probability P X = 1 k

  21. The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - left side C ′ Y Q X ( C || M ) X Q M ( C || M ) M C M C M

  22. b b b The ARMADILLO-2 function Free-start collision attack Semi-free-start collision attack Conclusion The differential path - left side C ′ Y X ∆ X = 0 . . . 01 C M HAM (∆ C ) = 1 ∆ M = 0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales

Armadillo By Jessie An armadillo is like 5.9-9. 8 in. long,5.9-9.0 tall. Brown, and black scales long claws for digging, and a long black tail. The nine-banded armadillo prefers to build burrows in moist soil near the creeks, streams, and

231 views • 7 slides
Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider

Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider

Armadillo 9XR Start Page Performance Safety Comfort Tech. Data Economy Armadillo 9XR | Rider Sweeper Overview Armadillo 9XR Created for the toughest applications An extremely robust machine with excellent sweeping power even under the

508 views • 15 slides
Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2

Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2

Context Our Contribution Conclusion Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures ebastien Coron 1 David Naccache 2 Jean-S Mehdi Tibouchi 2 Ralf Philipp Weinmann 1 1 Universit e du Luxembourg 2 Ecole normale sup erieure

1.13k views • 73 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction

Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction

Armadillo C++ linear algebra library Umair Muslim 341318 Overview Introduction Libraries comparison Features History API Structural Representation Functionality overview Evaluation Conclusion 2 Armadillo by

418 views • 18 slides
CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope, Technology, and Future of CrypTool 1.4.xx Prof. Bernhard Esslinger and the CrypTool Team www.cryptool.org (Updated: 19 September 2017, with release CT

1.22k views • 121 slides
Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing

Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing

Accelerate Framework & the Armadillo Library Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps Today Motivation Accelerate Framework BLAS & LAPACK Armadillo Library Algorithm Software Architecture

942 views • 47 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Why is it so difficult to co-operate? Implementing information literacy into the curriculum of

Why is it so difficult to co-operate? Implementing information literacy into the curriculum of

Why is it so difficult to co-operate? Implementing information literacy into the curriculum of HAMK www.hamk.fi MBA Eerika Kaasalainen, Information Specialist at HAMK PhD, Adj. Prof. Maria Lassila-Merisalo, Project Manager at HAMK The

154 views • 13 slides
Is that spam in my ham? A novices inquiry into classification. Lorena Mesa | EuroPython 2016

Is that spam in my ham? A novices inquiry into classification. Lorena Mesa | EuroPython 2016

Is that spam in my ham? A novices inquiry into classification. Lorena Mesa | EuroPython 2016 @loooorenanicole bit.ly/europython2016-lmesa Hi, Im Lorena Mesa. Have you seen this before? (Youre not alone.) Subject: De-junk And Speed

1.23k views • 37 slides
Seismic Attenuation System Synthesis by Reduced Order Models from Multibody Analysis Valerio

Seismic Attenuation System Synthesis by Reduced Order Models from Multibody Analysis Valerio

Seismic Attenuation System Synthesis by Reduced Order Models from Multibody Analysis Valerio Boschi , Riccardo DeSalvo, Virginio Sannibale California Institute of Technology Pierangelo Masarati, Giuseppe Quaranta Politecnico di Milano 1

531 views • 32 slides
DNS in OpenStack What is the OpenStack DNS API? https://gra.ham.ie | @grahamhayes 1 Graham

DNS in OpenStack What is the OpenStack DNS API? https://gra.ham.ie | @grahamhayes 1 Graham

DNS in OpenStack What is the OpenStack DNS API? https://gra.ham.ie | @grahamhayes 1 Graham Hayes Principal Engineer @ Azure Ex Designate PTL OpenStack TC https://gra.ham.ie @grahamhayes gr@ham.ie https://gra.ham.ie | @grahamhayes

445 views • 21 slides
Learning: Nave Bayes Classifier CE417: Introduction to Artificial Intelligence Sharif

Learning: Nave Bayes Classifier CE417: Introduction to Artificial Intelligence Sharif

Learning: Nave Bayes Classifier CE417: Introduction to Artificial Intelligence Sharif University of Technology Spring 2018 Soleymani Slides are based on Klein and Abdeel, CS188, UC Berkeley. Machine Learning Up until now: how use a model

964 views • 45 slides
Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank

Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank

Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank Drewes Department of Computing Science Ume a University Frank Drewes (Ume a University) Efficient Algorithms and Problem Complexity Lecture

307 views • 20 slides
COARSE-TO-FINE, COST-SENSITIVE CLASSIFICATION OF E-MAIL Jay Pujara jay@cs.umd.edu Lise Getoor

COARSE-TO-FINE, COST-SENSITIVE CLASSIFICATION OF E-MAIL Jay Pujara jay@cs.umd.edu Lise Getoor

COARSE-TO-FINE, COST-SENSITIVE CLASSIFICATION OF E-MAIL Jay Pujara jay@cs.umd.edu Lise Getoor getoor@cs.umd.edu 12/10/2010 Parallel Coarse-to-Fine Problems Structure in output Labels naturally have a hierarchy from coarse-to-fine

153 views • 14 slides
Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate

Hard Problems What do you do when your problem is NP-Hard ? Give up? (A) Solve a special case! Part I (B) Find the hidden parameter! (Fixed parameter tractable problems) (C) Find an approximate solution. Traveling Salesperson Problem (D) Find a

546 views • 5 slides

More recommend