proving resistance against invariant attacks how to
play

Proving resistance against invariant attacks: How to choose the - PowerPoint PPT Presentation

Feb 12, 2023 •158 likes •442 views

Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universitt Bochum, Germany Inria Paris, France BFA 2017, July 2017 Outline A new condition

  1. Proving resistance against invariant attacks: How to choose the round constants Christof Beierle, Anne Canteaut, Gregor Leander, Yann Rotella Ruhr-Universität Bochum, Germany Inria Paris, France BFA 2017, July 2017

  2. Outline • A new condition on the existence of nonlinear invariants • How to check that the attack does not apply for a given cipher • Impact of the round constants and of the linear layer 1

  3. The invariant subspace attack [Leander et al. 11] Linear subspace invariant under E k . F n F n 2 2 V : a linear subspace of F n 2 E k ( V ) = V E k ✲ V V Equivalently: Let g ( x ) := 1 iff x ∈ S g ( E k ( x )) = g ( x ) or g ( E k ( x )) = g ( x ) + 1 Such a g is called an invariant for E k . 2

  4. The nonlinear invariant attack [Todo-Leander-Sasaki 16] Non-trivial partition of F n 2 invariant under E k : F n F n 2 2 S : any subset of F n 2 E k ( S ) = S E k ✧ ❜ ❜ ✧ ❜ ❜ ✧ ✧ ❜ ✲ ✧ ❜ ✧ or E k ( S ) = F n 2 \ S S S ❜❜ ✧ ❜✧✧ ✧ ❜❜ ❜✧✧ Equivalently: Let g ( x ) := 1 iff x ∈ S g ( E k ( x )) = g ( x ) or g ( E k ( x )) = g ( x ) + 1 Such a g is called an invariant for E k . 3

  5. The nonlinear invariant attack [Todo-Leander-Sasaki 16] Non-trivial partition of F n 2 invariant under E k : F n F n 2 2 S : any subset of F n 2 E k ( S ) = S E k ✧ ❜ ❜ ✧ ❜ ❜ ✧ ✧ ❜ ✲ ✧ ❜ ✧ or E k ( S ) = F n 2 \ S S S ❜❜ ✧ ❜✧✧ ✧ ❜❜ ❜✧✧ Equivalently: Let g be the Boolean function defined by g ( x ) := 1 iff x ∈ S ∀ x ∈ F n 2 , g ( E k ( x )) = g ( x ) or ∀ x ∈ F n 2 , g ( E k ( x )) = g ( x ) + 1 Such a g is called an invariant for E k . 4

  6. Using the same invariant for all layers in a key-alternating cipher Find an invariant g for the Sbox-layer and for all Add k i ◦ L . k 1 k 2 k t S L S L S L S S S S S S S If g is an invariant for all Add k i ◦ L , then: LS ( g ) contains ( k i + k j ) LS ( g ) is invariant under L . 5

  7. Finding an invariant g for all Add k i ◦ L g ( L ( x ) + k i ) = g ( x ) + ε i g ( L ( x ) + k j ) = g ( x ) + ε j ⇒ g ( L ( x ) + k i ) = g ( L ( x ) + k j ) + ( ε i + ε j ) ⇐ ⇒ g ( y + k i + k j ) = g ( y ) + ( ε i + ε j ) ( k i + k j ) is a linear structure of g . Linear space of a Boolean function g : LS ( g ) := { α ∈ F n 2 : x �→ g ( x + α ) + g ( x ) is constant } 6

  8. Using the same invariant for all layers in a key-alternating cipher Find an invariant g for the Sbox-layer and for all Add k i ◦ L . k 1 k 2 k t S L S L S L S S S S S S S g is an invariant for the Sbox layer and satisfies: • LS ( g ) contains ( k i + k j ) • LS ( g ) is invariant under L 7

  9. Very simple key schedules All round-keys are defined by k i = k + c i k + c 1 k + c 2 k + c t S L S L S L S S S S S S S 8

  10. The main condition for very simple key schedules � ( c i + c j ) such that k i = k + c i and k j = k + c j � D := W L ( D ) := smallest subspace invariant under L which contains D . Is there a non-trivial invariant g for the Sbox-layer such that W L ( D ) ⊆ LS ( g ) ? 9

  11. Checking that such invariants do not exist 10

  12. A simple case Question: Is there an invariant g for the Sbox-layer such that W L ( D ) ⊆ LS ( g ) ? If dim W L ( D ) ≥ n − 1 , then deg g ≤ 1 , which is impossible unless the Sbox layer has a component of degree 1 . If dim W L ( D ) ≥ n − 1 , the attack does not apply. This holds for any choice of the Sbox-layer. 11

  13. Some lightweight ciphers Skinny-64-64. D = { RC 1 + RC 17 , RC 2 + RC 18 , RC 3 + RC 19 , RC 4 + RC 20 , RC 5 + RC 21 } dim W L ( D ) = 64 The round-constants and L guarantee that the attack does not apply. Prince. D = { RC 1 + RC 2 , RC 1 + RC 3 , RC 1 + RC 4 , RC 1 + RC 5 , α } . dim W L ( D ) = 56 Mantis-7. D = { RC 1 + RC 2 , RC 1 + RC 3 , RC 1 + RC 4 , RC 1 + RC 5 , RC 1 + RC 6 , RC 1 + RC 7 , α } . dim W L ( D ) = 42 Midori-64. W L ( D ) = { 0000 , 0001 } 16 , dim W L ( D ) = 16 12

  14. When dim W L ( D ) < n α ∈ LS ( g ) iff g ( x + α ) + g ( x ) = ε for all x . 0 -linear structures. α ∈ LS 0 ( g ) iff g ( x + α ) + g ( x ) = 0 for all x . If a subspace Z of LS 0 ( g ) is known • g is constant on each a + Z since g ( a + z ) = g ( a ) for any z ∈ Z • g ( S ( x )) = g ( x ) + ε for all x , then g is constant on S ( Z ) . 13

  15. If Z ⊆ LS 0 ( g ) is known L = {} repeat $ ← Z z Compute S ( z ) Add to L a representative of the coset of S ( z ) until | L | = 2 n − dim Z But W L ( D ) ⊆ LS ( g ) , while we need Z ⊆ LS 0 ( g ) ... 14

  16. Finding a subspace of LS 0 ( g ) Prince. For any x ∈ LS ( g ) , ( x + L ( x )) ∈ LS 0 ( g ) . D ′ := � x + L ( x ) , x ∈ D } . we have dim W L ( D ′ ) = 51 . ⇒ We can check that the Sbox-layer of Prince has no non-trivial invariant g with W L ( D ′ ) ⊆ LS 0 ( g ) . Mantis-7. D = { RC 1 + RC 2 , RC 1 + RC 3 , RC 1 + RC 4 , RC 1 + RC 5 , RC 1 + RC 6 , RC 1 + RC 7 , α } . ⇒ W L ( D ) ⊆ LS 0 ( g ) We can check that the Sbox-layer of Mantis has no non-trivial invariant g with W L ( D ) ⊆ LS 0 ( g ) . 15

  17. Very different behaviours Skinny-64-64. D = { RC 1 + RC 17 , RC 2 + RC 18 , RC 3 + RC 19 , RC 4 + RC 20 , RC 5 + RC 21 } dim W L ( D ) = 64 Prince. D = { RC 1 + RC 2 , RC 1 + RC 3 , RC 1 + RC 4 , RC 1 + RC 5 , α } . dim W L ( D ) = 56 Mantis-7. D = { RC 1 + RC 2 , RC 1 + RC 3 , RC 1 + RC 4 , RC 1 + RC 5 , RC 1 + RC 6 , RC 1 + RC 7 , α } . dim W L ( D ) = 42 16

  18. Can we find better round-constants? 17

  19. Maximizing the dimension of W L ( c ) W L ( c ) = � L t ( c ) , t ∈ N � . dim W L ( c ) = smallest d such that there exist λ 0 , . . . , λ d ∈ F 2 : d λ t L t ( c ) = 0 . � t =0 dim W L ( c ) is the degree of the relative minimal polynomial of c Theorem. There exists c such that dim W L ( c ) = d if and only if d is the degree of a divisor of the minimal polynomial of L . ⇒ max dim W L ( c ) = deg Min L c ∈ F n 2 18

  20. For some lightweight ciphers LED. Min L ( X ) = ( X 8 + X 7 + X 5 + X 3 + 1) 4 ( X 8 + X 7 + X 6 + X 5 + X 2 + X + 1) 4 There exist some c such that dim W L ( c ) = 64 Skinny-64. Min L ( X ) = X 16 + 1 = ( X + 1) 16 There exist some c such that dim W L ( c ) = d for any 1 ≤ d ≤ 16 . Prince. Min L ( X ) = X 20 + X 18 + X 16 + X 14 + X 12 + X 8 + X 6 + X 4 + X 2 + 1 = ( X 4 + X 3 + X 2 + X + 1) 2 ( X 2 + X + 1) 4 ( X + 1) 4 max c dim W L ( c ) = 20 Mantis and Midori. Min L ( X ) = ( X + 1) 6 ⇒ max dim W L ( c ) = 6 c 19

  21. Rational canonical form When deg( Min L ) = n , there is a basis for which the matrix of L is the companion matrix   0 1 0 0 . . . 0 0 1 0  . . .    .   . C ( Min L ) = .     0 0 0 1 . . .     p 0 p 1 p 2 . . . p n − 1 More generally, there is a basis for which the matrix of L is   C ( Q 1 )   C ( Q 2 )    ...      C ( Q r ) for r polynomials Q r | Q r − 1 | · · · | Q 1 = Min L Q 1 , Q 2 , ... , Q r are called the invariant factors of L . 20

  22. Example For Prince. Min L ( X ) = X 20 + X 18 + X 16 + X 14 + X 12 + X 8 + X 6 + X 4 + X 2 + 1 = ( X 4 + X 3 + X 2 + X + 1) 2 ( X 2 + X + 1) 4 ( X + 1) 4 8 invariant factors: Q 1 ( X ) = Q 2 ( X ) = X 20 + X 18 + X 16 + X 14 + X 12 + X 8 + X 6 + X 4 + X 2 + 1 Q 3 ( X ) = Q 4 ( X ) = X 8 + X 6 + X 2 + 1 = ( X + 1) 4 ( X 2 + X + 1) 2 Q 5 ( X ) = Q 6 ( X ) = Q 7 ( X ) = Q 8 ( X ) = ( X + 1) 2 21

  23. Maximizing the dimension of W L ( c 1 , . . . , c t ) Theorem. Let Q 1 , Q 2 , . . . , Q r be the r invariant factors of L . For any t ≤ r , t � c 1 ,...,c t dim W L ( c 1 , . . . , c t ) = max deg Q i . i =1 We need r elements to get W L ( D ) = F n 2 . For Prince. For t = 5 , max dim W L ( c 1 , . . . , c 5 ) = 20 + 20 + 8 + 8 + 2 = 58 We need 8 elements to get the full space. Mantis and Midori. r = 16 invariant factors Q 1 ( X ) = . . . , Q 8 ( X ) = ( X + 1) 6 and Q 9 ( X ) = . . . , Q 16 ( X ) = ( X + 1) 2 For t = 7 , max dim W L ( c 1 , . . . , c 7 ) = 42 , For t = 8 , max dim W L ( c 1 , . . . , c 8 ) = 48 . We need 16 elements to get the full space. 22

  24. Maximum dimension for # D constants 64 56 max dim W L ( D ) 48 40 32 24 16 Prince 8 Mantis 0 2 4 6 8 10 12 14 16 # D 23

  25. For random constants For t ≥ r , [ W L ( c 1 , · · · , c t ) = F n Pr 2 ] $ ← F n c 1 ,...,c t 2 can be computed from the degrees of the irreducible factors of Min L and from the invariant factors of L . LED. Min L ( X ) = ( X 8 + X 7 + X 5 + X 3 + 1) 4 ( X 8 + X 7 + X 6 + X 5 + X 2 + X + 1) 4 2 ] = (1 − 2 − 8 ) 2 ≃ 0 . 9922 [ W L ( c ) = F 64 Pr c $ ← F 64 2 24

  26. Probability to achieve the full dimension 1 P (dim W L ( D ) = 64) 0 . 8 0 . 6 0 . 4 LED Skinny64 0 . 2 Prince Mantis 0 0 2 4 6 8 10 12 14 16 18 20 22 24 26 # D 25

  27. Conclusions Easy to prevent the attack: • by choosing a linear layer which has a few invariant factors • by choosing appropriate round constants Open question: Can we use different invariants for the Sbox-layer and the linear layer? 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in

On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in

Intro Invariant Subspace Attack Non-linear Invariant Attack How to prevent those attacks On Invariant Attacks Gregor Leander Ruhr University Bochum Germany 1 FSE 2019 1 Based on work in collaboration with: Christof Beierle, Anne Canteaut,

1.41k views • 120 slides
A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor

A Generic Approach to Invariant Subspace Attacks Cryptanalysis of Robin, iSCREAM and Zorro Gregor Leander 1 , Brice Minaud 2 , Sondre Rnjom 3 1 Ruhr-Universitt Bochum, Germany 2 ANSSI and Universit Rennes 1, France 3 Nasjonal

590 views • 42 slides
2/13/2014 What is Tamper Resistance? Resistance to tampering the device by either normal

2/13/2014 What is Tamper Resistance? Resistance to tampering the device by either normal

2/13/2014 What is Tamper Resistance? Resistance to tampering the device by either normal users or systems or others with physical Physical Attacks and Tamper Resistance access to it

449 views • 11 slides
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stphanie Delaune / Steve Kremer / Mark D. Ryan Some desired properties of e-voting systems Eligibility: only eligible voters can vote, and only once.

545 views • 18 slides
In theoretic Fgm ( X invariant k GW 1) us GW . = Ijf , M ) invariant refined ( M )

In theoretic Fgm ( X invariant k GW 1) us GW . = Ijf , M ) invariant refined ( M )

X.ge#ofQu4sche-s Virtual surfaced on . Introduction O . surface X Ici smooth CE Hak tf ( X ,Z ) , 2) projective e , . In theoretic Fgm ( X invariant k GW 1) us GW . = Ijf , M ) invariant refined ( M ) MTH ( v ) VW

537 views • 17 slides
The Parachute Drop Newtons Toy Box Activity 4 air resistance Air resistance Air resistance is

The Parachute Drop Newtons Toy Box Activity 4 air resistance Air resistance Air resistance is

The Parachute Drop Newtons Toy Box Activity 4 air resistance Air resistance Air resistance is the force exerted by air against an object moving through it; it acts in the opposite direction of the objects motion. If an object is falling,

645 views • 8 slides
Proving Termination of Imperative Programs using Max-SMT Daniel Larraz, Albert Oliveras, Enric

Proving Termination of Imperative Programs using Max-SMT Daniel Larraz, Albert Oliveras, Enric

Introduction SMT/Max-SMT solving Invariant generation Termination analysis Further work Proving Termination of Imperative Programs using Max-SMT Daniel Larraz, Albert Oliveras, Enric Rodr guez-Carbonell and Albert Rubio Universitat

1.18k views • 73 slides
Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to

Mistakes Are Proof That You Are Trying: On Verifying Software Encoding Schemes Resistance to Fault Injection Attacks Jakub Breier, Dirmanto Jap, and Shivam Bhasin Presenter: Wei He Physical Analysis and Cryptographic Engineering Nanyang

525 views • 26 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
HIV-1-specific CTL and Drug Resistance Aim of Studies Interaction CTL/Resistance

HIV-1-specific CTL and Drug Resistance Aim of Studies Interaction CTL/Resistance

HIV-1-specific CTL and Drug Resistance Aim of Studies Interaction CTL/Resistance Analysis of the influence of the immune system on sequence variation and drug resistance mutations in HIV-1 PR/RT Cohort of 198 chronically infected

300 views • 16 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
T-duality Invariant Formalisms at the Quantum Level Daniel Thompson Queen Mary University of

T-duality Invariant Formalisms at the Quantum Level Daniel Thompson Queen Mary University of

Introduction Duality Invariant Formalisms for Abelian T-duality Renormalisation of Duality Invariant Formalism Generalising T-duality Invariant Constructions Conclusions T-duality Invariant Formalisms at the Quantum Level Daniel Thompson

424 views • 28 slides
Resistance testing practices and prevalence of HIV drug resistance in the German ClinSurv

Resistance testing practices and prevalence of HIV drug resistance in the German ClinSurv

Resistance testing practices and prevalence of HIV drug resistance in the German ClinSurv resistance study Daniel Schmidt, Christian Kollan, Barbara Bartmeyer Robert Koch-Institute Dept. Infectious Disease Epidemiology HIV/AIDS, STI unit

716 views • 15 slides
On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

Motivation 64-bit key version of Kasumi used for A5/3 Upper bound for any 3-round related-key differential over A5/3 Resistance against Crypto2010 Attack Conclusion On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 ,

624 views • 26 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

589 views • 44 slides
d 1 g g = . d d 2 x d d AND Use indices , , etc.,

d 1 g g = . d d 2 x d d AND Use indices , , etc.,

Alan Guth, Black-Body Radiation and the Early History of the Universe, 8.286 Lecture 15, October 31, 2013, p. 1. Summary of Leture 14: 8.286 Leture 15 THE SPACETIME GEODESIC EQUATION Otober 31, 2013 d x d x BLACK-BODY

262 views • 3 slides
Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-&gt; Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io &gt; gem install rails

960 views • 53 slides
Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Rc 2 Server Rc 2 Client Introduction RStudio Summary Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark Lilback Department of Statistics West Virginia University June 11, 2014 Rc 2 Server Rc 2

443 views • 21 slides
How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and

How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and

How the RSS Mentoring Scheme benefited me? Mr Apostolos Fakis Head of Medical Statistics and Data Management Research, Development &amp; Innovation Department Derby Clinical Trials Support Unit 23 rd May 2017 START FOCUS &amp; MOTIVATION

355 views • 8 slides
Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph

Getting Started Rapid Web Development for with Grails the Java Platform Jason Rudolph jason@thinkrelevance.com Published under the Creative Commons Attribution Noncommercial Share Alike License Version 2.5. (Please see

758 views • 59 slides
GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens

GRAVITATIONAL LENSING LECTURE 2 Docente: Massimo Meneghetti AA 2015-2016 CONTENTS Lens equation Lensing potential From last lecture DEFLECTION OF LIGHT IN GENERAL RELATIVITY How to define the effective diffraction index? DEFLECTION

807 views • 28 slides
QARMA Roberto Avanzi Qualcomm QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another

QARMA Roberto Avanzi Qualcomm QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another

Rump Session 2016 QARMA Roberto Avanzi Qualcomm QARMA Memory Encryption: PRINCE , son of ENIGMA Yet another example of german technology inspired by austrian leadership! k 1 RC 0 k 1 RC 1 k 1 RC 2 k 1 RC 3 k 1 RC 4 k 1

950 views • 15 slides
Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson Department of Electrical and Computer Engineering Missouri University of Science and Technology Rolla,

579 views • 26 slides

More recommend