provable security against differential and linear
play

Provable Security Against Differential and Linear Cryptanalysis - PowerPoint PPT Presentation

Oct 11, 2023 •270 likes •757 views

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

  1. “Provable” Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012

  2. Introduction CRADIC Linear Hull SPN and Two Strategies Highly Nonlinear Functions Generalized Linearity Linear Approximations Are Universal Distinguishing Distributions Conclusions FSE 2012 March 19, 2012 2/47

  3. Disclaimer ◮ Many more authors should have been mentioned ◮ ... and contributions should have been quoted ◮ In particular, I will not cover decorrelation theory, impossible differentials, zero-correlation linear cryptanalysis, weak keys, etc. FSE 2012 March 19, 2012 3/47

  4. Introduction FSE 2012 March 19, 2012 4/47

  5. State of the Art ◮ HIGHT(CHES 2006) 128-bit keys - Block length 64 bits - 32 rounds - 3048 GE 31 round attack ◮ DESL (FSE 2007) Is based on the general structure of DES, while using a specially selected S-box. (1848 GE) ◮ PRESENT (CHES 2007) 80-bit keys - Block length 64 bits - 31 rounds - 1570GE 26 rounds attack ◮ KATAN and KTANTAN (CHES 2009) 80-bit keys - Block length (32-48-64) bits - 254 rounds - (462-1054)GE Full round attack for KTANTAN Do we know how to design block ciphers? FSE 2012 March 19, 2012 5/47

  6. Brief History ◮ Biham-Shamir 1989: Differential Cryptanalysis ◮ Massey, Lai and Murphy 1990: Differentials and Markov ciphers ◮ 1991: Perfect nonlinear S-boxes FSE 2012 March 19, 2012 6/47

  7. CRADIC Cipher Resistant Against Differential Cryptanalysis FSE 2012 March 19, 2012 7/47

  8. Provable Security Theorem with L. Knudsen, Crypto 1992 Rump Session, J Crypt 1995 Theorem (KN Theorem) It is assumed that in a DES-like cipher with f : F m 2 → F n 2 the round keys are independent and uniformly random. Then the probability of an s-round differential, s ≥ 4 , is less than or equal to 2 p 2 max . Here p m ax = max α R � = 0 Pr [ α L + f ( E ( X + α R )) + K ) + f ( E ( X ) + K ) = β R ] max β ≤ p f = max max a � = 0 Pr [ f ( Y + a ) + f ( Y ) = b ] b If f bijective, then the claim of Theorem holds for s ≥ 3. Later Aoki showed that the constant 2 can be removed. FSE 2012 March 19, 2012 8/47

  9. 4-Round Feistel Differentials FSE 2012 March 19, 2012 9/47

  10. CRADIC aka KN-Cipher 6-round Feistel cipher with round function f : F 32 2 → F 32 2 based on the cube operation in F 33 2 No key schedule, 198-bit key Jakobsen & Knudsen (1997) break KN-Cipher ◮ with 512 chosen plaintexts and 2 41 running time, ◮ or with 32 chosen plaintexts and 2 70 running time ◮ using higher order differential cryptanalysis Round-function based on the inversion operation not any more resistant. This approach was then abandonded. FSE 2012 March 19, 2012 10/47

  11. Applications and Further Developments Feistel ◮ Schneier-Kelsey (FSE 1996) Unbalanced Feistel networks ◮ Nyberg (Asiacrypt 1996) Generalized Feistel networks ◮ Matsui (FSE 1997) Nested structure: MISTY I and II and (3GPP 1999) KASUMI ◮ Matsui, Moriai et al.(2000) CAMELLIA ◮ etc. ... and more generally and importantly ◮ the role of differentials: single characteristic approach not sufficient FSE 2012 March 19, 2012 11/47

  12. Linear Hull Or What is the Equivalent of Differential in Linear Cryptanalysis? FSE 2012 March 19, 2012 12/47

  13. Linear Hull Eurocrypt 1994 Rump Session Theorem Let X, K and Y be random variables in F m 2 , F ℓ 2 , and F n 2 , resp. where Y = F ( X , K ) and X and K are independent. If K is uniformly distributed, then for all a ∈ F m 2 and b ∈ F n 2 , Exp K corr ( a · X + b · Y ) 2 = � corr ( a · X + b · Y + c · K ) 2 . c ∈ F ℓ 2 Here, for random variable Z in Z (binary strings) 1 � Pr [ z ]( − 1 ) u · z . corr ( u · Z ) = |Z| z ∈Z Approximate linear hull given a and b : ALH ( a , b ) = { a · X + b · Y + c · K | c ∈ F ℓ 2 } Application to DES given. An analogue of the KN Theorem for linear cryptanalysis achieved. FSE 2012 March 19, 2012 13/47

  14. Fixed Key Approach FSE 2012 March 19, 2012 14/47

  15. Correlation of Boolean Function f : F n 2 �→ F 2 Boolean function Given two vectors a = ( a 1 , . . . , a n ) , x = ( x 1 , . . . , x n ) ∈ F n 2 the inner product (dot product) is defined as a · x = a 1 x 1 + · · · + a n x n . Linear Boolean function: f ( x ) = a · x , where a ∈ F n 2 is called a linear mask Vector Boolean function: f : F n 2 �→ F m 2 with f = ( f 1 , . . . , f m ) , , where b · f i are Boolean functions, for all b ∈ F m 2 Correlation between b · f ( x ) and a · x c f ( a , b ) = 1 2 n (# { x ∈ F n 2 | b · f ( x ) = a · x } − # { x ∈ F n 2 | b · f ( x ) � = a · x } ) FSE 2012 March 19, 2012 15/47

  16. Fixed Key Approach Daemen (1994) Correlation of a composed function computed as matrix product � c f ◦ g ( a , b ) = c g ( a , u ) c f ( u , b ) u For key-alternating block cipher E , round functions x �→ f i ( x + K i ) , and fixed set of round keys K 0 , . . . , K r : r � � ( − 1 ) u 0 · K 0 + ... u r · K r c E ( u 0 , u r ) = c f i ( u i − 1 , u i ) u 1 ,..., u r − 1 i = 1 Assuming that the round keys are uniformly distributed and independent: r Average K 0 ,..., K r c E ( u 0 , u r ) 2 = � � c f i ( u i − 1 , u i ) 2 . u 1 ,..., u r − 1 i = 1 FSE 2012 March 19, 2012 16/47

  17. Trail Correlations It is straightforward to check that for key-alternating block cipher with round functions x �→ f i ( x + K i ) , and independent and uniformly distributed key K = K 0 || · · · || K r − 1 we have r � corr ( a · X + b · Y + c · K ) = c f i ( u i − 1 , u i ) , i = 1 where a = u 0 , b = u r , and c is in unique correspondence with the trail masks u 1 , . . . , u r − 1 . FSE 2012 March 19, 2012 17/47

  18. A Note on Key Scheduling Design goal: the magnitudes of the correlations r � ( − 1 ) u 0 · K 0 + ... u r · K r � c E ( u 0 , u r ) = c f i ( u i − 1 , u i ) u 1 ,..., u r − 1 i = 1 should not vary too much with the key. If all dominating trail correlations are of about equal magnitude and the map: � r � � ( u 1 , . . . , u r − 1 ) �→ sign c f i ( u i − 1 , u i ) i = 1 is highly nonlinear, the correlations | c E ( u 0 , u r ) | are bounded by a small linearity bound. ◮ The bent and cube mappings have highly nonlinear correlation sign functions. ◮ Correlation sign function of the cube mapping restricted to a half space is bent. FSE 2012 March 19, 2012 18/47

  19. SPN and Two Strategies FSE 2012 March 19, 2012 19/47

  20. Chopping Algebraic S-boxes ◮ Lesson learnt from CRADIC: To avoid algebraic attacks, no large algebraic building blocks can be used. ◮ Small S-boxes can be searched exhaustively ◮ Saarinen (SAC 2011): Complete classification or 4 × 4 S-boxes with respect to large number of cryptographic and implementation criteria. FSE 2012 March 19, 2012 20/47

  21. Design of AES ◮ Get guarantees for the minimum number of active S-boxes ◮ MDS matrices for creating larger S-boxes with controlled diffusion ◮ Wide-Trail Strategy ensures that ◮ collecting all dominant differential or linear trails becomes impossible ◮ the full linear hull effect cannot be exploited ◮ Provable security in the sense of the KN Theorem ◮ The best known upperbounds for 4 and more rounds by Keliher (2005) FSE 2012 March 19, 2012 21/47

  22. Design of PRESENT ◮ Bit permutation between rounds for optimal diffusion ◮ Hardware optimized S-box exhibits strong linear correlations with single-bit masks. ◮ Fairly accurate estimates of correlations achievable using single-bit linear approximation trails. ◮ Bad news: Linear attacks more powerful than expected by the designers (Cho, CT-RSA 2010) ◮ Good news: Better estimates of strength against linear attacks, including multidimensional linear attacks ◮ Leander, Eurocrypt 2011: Statistical Saturation Attack and Multidimensional Linear Cryptanalysis are the same attack ◮ Provable security under the assumption that the effect of the single-bit trails is almost complete. FSE 2012 March 19, 2012 22/47

  23. Highly Nonlinear Functions FSE 2012 March 19, 2012 23/47

  24. Bent Function Correlation between f : F n 2 → F 2 and linear function x �→ u · x is defined as c f ( u ) = 1 2 n (# { x ∈ F n 2 | f ( x ) = u · x } − # { x ∈ F n 2 | f ( x ) � = u · x } ) 2 c f ( u ) 2 = 1 . Parseval’s Theorem � u ∈ F n A Boolean function is called bent if | c f ( u ) | = 2 − n 2 , for all u ∈ F n 2 . [Rothaus1976][Dillon1978] If f : F n 2 → F 2 is bent then n is even. Meier and Staffelbach [1988] introduced the notion of perfect nonlinearity of Boolean functions as an important cryptographic criterion, and later observed that it is equivalent to bentness. FSE 2012 March 19, 2012 24/47

  25. Vector Bent Functions or Perfect Nonlinear S-Boxes (Eurocrypt 1991) Vector function f : F n 2 → F m 2 is said to be bent if ◮ w · f is bent, for all w � = 0; or what is equivalent, ◮ f is perfect nonlinear (PN), that is, f ( x + α ) + f ( x ) is uniformly distributed as x varies, for all fixed α ∈ F n 2 \ { 0 } . Theorem. If f : F n 2 → F m 2 is bent then n ≥ 2 m . FSE 2012 March 19, 2012 25/47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Overview Cartesian differential categories Examples of Non-linear CDCS Differential forms Cohomology Non-linear tangent categories Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan Bradet-Legris

409 views • 30 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Second Order Linear Differential Equations A second order linear differential equa- tion is an

Second Order Linear Differential Equations A second order linear differential equa- tion is an

Second Order Linear Differential Equations A second order linear differential equa- tion is an equation which can be writ- ten in the form y + p ( x ) y + q ( x ) y = f ( x ) where p, q , and are continuous f functions on some

1.04k views • 65 slides
A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

Differential Linear Logic Smooth classical models Distributions LPDEs MFPS 2018, Halifax A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e Paris Diderot kerjean@irif.fr Differential Linear Logic

800 views • 53 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Information Transmission Chapter 6 Cryptology OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY

Information Transmission Chapter 6 Cryptology OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY

1 Information Transmission Chapter 6 Cryptology OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY Learning outcomes After this lecture the student should undertand what cryptology is and how it is used, be familiar with the crypto

307 views • 18 slides
Towards Adversarial Phishing Detection T. K. Panum, K. Hageman, R. R. Hansen, J. M. Pedersen 13th

Towards Adversarial Phishing Detection T. K. Panum, K. Hageman, R. R. Hansen, J. M. Pedersen 13th

Towards Adversarial Phishing Detection T. K. Panum, K. Hageman, R. R. Hansen, J. M. Pedersen 13th USENIX Workshop on Cyber Security Experimentation and Test Long Paper (Position) August 10, 2020 Motivation Phishing Attacks Advances in

387 views • 14 slides
Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel Secure Databases RBAC in Commercial DBMS Statistical Database Security Simone Fischer-Hbner Applied Security, DAVC17 Relational Database

194 views • 6 slides
Minimax Statistical Learning with Wasserstein distances Jaeho Lee & Maxim Raginsky NeurIPS

Minimax Statistical Learning with Wasserstein distances Jaeho Lee & Maxim Raginsky NeurIPS

Minimax Statistical Learning with Wasserstein distances Jaeho Lee & Maxim Raginsky NeurIPS 2018 Poster #86 Minimax learning Goal: find the hypothesis minimizing the worst-case risk is an ambiguity set representing

271 views • 10 slides
AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng

AI AIQL : Enabling Efficient Attack Investigation from System Monitoring Data Peng Gao 1 , Xusheng Xiao 2 , Zhichun Li 3 , Kangkook Jee 3 , Fengyuan Xu 4 , Sanjeev R. Kulkarni 1 , Prateek Mittal 1 1 Princeton University 2 Case Western Reserve

800 views • 34 slides
Statistical models for neural encoding, decoding, information estimation, and optimal on-line

Statistical models for neural encoding, decoding, information estimation, and optimal on-line

Statistical models for neural encoding, decoding, information estimation, and optimal on-line stimulus design Liam Paninski Department of Statistics and Center for Theoretical Neuroscience Columbia University http://www.stat.columbia.edu/

725 views • 40 slides
Visual Encodings of Temporal Times are often imprecise The

Visual Encodings of Temporal Times are often imprecise The

What: Data What: Data Types of Uncertainty Time Primitives What is the best way to represent an interval of time, with uncertainty? Statistical uncertainty

265 views • 3 slides
Descriptive statistics P RACTICIN G S TATIS TICS IN TERVIEW QUES TION S IN R Zuzanna

Descriptive statistics P RACTICIN G S TATIS TICS IN TERVIEW QUES TION S IN R Zuzanna

Descriptive statistics P RACTICIN G S TATIS TICS IN TERVIEW QUES TION S IN R Zuzanna Chmielewska Actuary Descriptive statistics PRACTICING STATISTICS INTERVIEW QUESTIONS IN R Descriptive statistics PRACTICING STATISTICS INTERVIEW

1.32k views • 102 slides

More recommend