Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro


  1. Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro
     Hadi Soleimany
     Department of Information and Computer Science, Aalto University School of Science, Finland
     FSE 2014

  2. Outline
     ◮ Introduction
     ◮ Slide Cryptanalysis
     ◮ Even-Mansour Scheme with a Single Key
     ◮ Probabilistic Slide Cryptanalysis
     ◮ Applications on LED-64 and Zorro
     ◮ Conclusion


  4. Iterated Block Cipher
     Block cipher: $E_K(P) : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
     Iterated block cipher: [Diagram: $P \to R_{k_1} \to R_{k_2} \to R_{k_3} \to R_{k_4} \to \cdots \to R_{k_{n-1}} \to R_{k_n} \to C$]
     $C = R_{k_n} \circ \cdots \circ R_{k_2} \circ R_{k_1}(P)$


  6. Iterated Block Cipher with Periodic Subkeys
     [Diagram: $P \to R_{k_1} \cdots R_{k_m} \to R_{k_1} \cdots R_{k_m} \to \cdots \to R_{k_1} \cdots R_{k_m} \to C$, with each group $R_{k_1} \cdots R_{k_m}$ bracketed as $F_k$]
     ◮ The cipher can be presented as a cascade of identical functions $F_k$.


  12. Slide Cryptanalysis [Biryukov Wagner 99]
      [Diagram: $P \to F_k \to F_k \to \cdots \to F_k \to F_k \to C$, drawn above $P' \to F_k \to F_k \to \cdots \to F_k \to F_k \to C'$ slid by one $F_k$]
      $P' = F_k(P) \implies C' = F_k(C)$ (slid pair)
      $\Pr[P' = F_k(P)] = 2^{-n}$
      $\Pr[C = F_k^{-1}(C'),\ P' = F_k(P)] = 2^{-n} > 2^{-2n}$
      $\implies 2^{n}$ pairs $((P, C), (P', C'))$ are expected to find a slid pair.
      Typical countermeasures: key schedule or round constants.
      This Work: Probabilistic technique to overcome round constants in block ciphers based on the Even-Mansour scheme with a single key.


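  14. Even-Mansour Scheme with a Single Key
      [Diagram: $P \to \cdots \to F_1 \to \cdots \to F_i \to \cdots \to F_s \to C$, with the same key $K$ added before, between and after the functions; each $F_i$, known as a step, expands into the rounds $R_{RC_j}, R_{RC_{j+1}}, \cdots, R_{RC_{j+m}}$]
      ◮ Block ciphers like LED-64, PRINCE$_{core}$, Zorro and PRINTcipher.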

  15. LED-64
      [Diagram: one round, consisting of AddConstants, SubCells, ShiftRows, MixColumns]
      ◮ Presented at CHES 2011 [Guo et al 11]
      ◮ 64-bit block cipher and supports 64-bit key
      ◮ 6 steps
      ◮ Each step consists of four rounds.

  16. Zorro
      [Diagram: one round, consisting of SubCells, AddConstants, ShiftRows, MixColumns]
      ◮ Presented at CHES 2013 [Gérard et al 13]
      ◮ 128-bit block cipher and supports 128-bit key
      ◮ 6 steps
      ◮ Each step consists of four rounds



  26. Overview of Previous Attacks
      ◮ Slide cryptanalysis requires known plaintexts.
      ◮ But it is limited to ciphers with identical rounds.
      ◮ Differential cryptanalysis is usually applicable to any round function [Biham Shamir 90].
      ◮ But there exists a lower bound for active S-boxes and it usually requires chosen plaintexts.
      ◮ Related-key differential cryptanalysis usually has fewer active S-boxes and is applicable to more rounds [Kelsey et al 97].
      ◮ But usually it is not a realistic model.
      ◮ The probabilistic reflection attack is applicable to block ciphers with almost symmetric rounds [Soleimany et al 13].
      ◮ But its application is limited to involutional block ciphers.
      This Work: Exploit previous ideas to take advantage of the positive properties and overcome the negative aspects!

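  27. Probabilistic Slide Distinguisher
      [Diagram: the encryption $P \to F_1 \to F_2 \to \cdots \to F_{s-1} \to F_s \to C$, with $K$ added before, between and after the steps, drawn above the encryption $P' \to F_1 \to F_2 \to \cdots \to F_{s-1} \to F_s \to C'$ slid by one step; the differences $\Delta_0, \Delta_1, \ldots, \Delta_{s-2}, \Delta_{s-1}$ are marked between the two chains]
      ◮ Assume there exists a sequence of differences $D = \{\Delta_0, \ldots, \Delta_{s-1}\}$ such that
        $\Pr[F_r(x) \oplus F_{r-1}(x \oplus \Delta_{r-2}) = \Delta_{r-1}] = 2^{-p_{r-1}}$, where $0 \le p_r$.
      ◮ A differential-type characteristic with input difference $\Delta_{in} = \Delta_0$ and output difference $\Delta_{out} = \Delta_{s-1}$ can be obtained with probability $2^{-p} = \prod_{r=1}^{s-1} 2^{-p_r}$.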


  30. Probabilistic Slide Distinguisher
      [Diagram: the same two slid encryptions of $P$ and $P'$, with only $\Delta_{in}$ and $\Delta_{out}$ marked]
      $P' \oplus F_1(P \oplus K) = \Delta_{in} \implies C \oplus F_s^{-1}(C' \oplus K) = \Delta_{out}$ (with probability $2^{-p}$)
      $\Pr[P' \oplus F_1(P \oplus K) = \Delta_{in}] = 2^{-n}$
      $\Pr[C \oplus F_s^{-1}(C' \oplus K) = \Delta_{out},\ P' \oplus F_1(P \oplus K) = \Delta_{in}] = 2^{-n-p}$
      $\implies 2^{(n+p)}$ pairs $((P, C), (P', C'))$ are expected to find a right slid pair.
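The Probabilistic Slide Distinguisher slides, checked on a constructed 16-bit single-key Even-Mansour toy cipher (an added example, not code from the presentation or the paper). The S-box, rotation, round constants, key and all function names are assumptions chosen for illustration; each transition probability is obtained by exhaustive counting, and the output relation is then counted over slid pairs built with a known key.

```python
from collections import Counter
from math import log2

N = 1 << 16  # toy block size n = 16 (constructed cipher, not LED-64 or Zorro)
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def make_step(consts):
    """Lookup table for one step F_i: per round, add constant, S-box, rotate by 5."""
    def f(x):
        for rc in consts:
            x ^= rc
            x = sum(SBOX[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))
            x = ((x << 5) | (x >> 11)) & 0xFFFF
        return x
    return [f(x) for x in range(N)]

def best_transition(f_r, f_prev, d):
    """Most frequent value of F_r(x) ^ F_{r-1}(x ^ d) over all x, and its count."""
    return Counter(f_r[x] ^ f_prev[x ^ d] for x in range(N)).most_common(1)[0]

def characteristic(steps, d_in):
    """Greedy chain Delta_0..Delta_{s-1}; returns (deltas, p), probability 2^-p."""
    deltas, p = [d_in], 0.0
    for r in range(1, len(steps)):
        d, cnt = best_transition(steps[r], steps[r - 1], deltas[-1])
        deltas.append(d)
        p -= log2(cnt / N)
    return deltas, p

def encrypt(steps, key, pt):
    """Single-key Even-Mansour: K is added before, between and after the steps."""
    x = pt ^ key
    for f in steps:
        x = f[x] ^ key
    return x

def count_right_pairs(steps, key, d_in, d_out):
    """For every P, slide P' = F_1(P^K) ^ d_in and test C ^ F_s^-1(C'^K) == d_out."""
    inv_last = [0] * N
    for x, y in enumerate(steps[-1]):
        inv_last[y] = x
    hits = 0
    for pt in range(N):
        pt2 = steps[0][pt ^ key] ^ d_in
        c, c2 = encrypt(steps, key, pt), encrypt(steps, key, pt2)
        hits += (c ^ inv_last[c2 ^ key]) == d_out
    return hits

if __name__ == "__main__":
    rcs = [[0x0001, 0x0003], [0x0003, 0x0007], [0x0007, 0x000F]]  # constructed constants
    steps = [make_step(rc) for rc in rcs]
    deltas, p = characteristic(steps, 0x0002)  # d_in cancels the first constant difference
    hits = count_right_pairs(steps, 0xBEEF, deltas[0], deltas[-1])
    print([hex(d) for d in deltas], f"p = {p:.2f}", f"measured rate = {hits / N:.4f}")
```

With identical constants in every step the characteristic is all-zero with p = 0, which is the classical slide pair of [Biryukov Wagner 99]; differing constants make each transition probabilistic.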
