
Rotational-XOR cryptanalysis on ARX and AND-RX ciphers, Yunwen Liu



  1. Rotational-XOR cryptanalysis on ARX and AND-RX ciphers
     Yunwen Liu, National University of Defense Technology
     ASK 2019 at Kobe

  2. Acknowledgement
     This talk is based on the joint works with:
     • Tomer Ashur, Adrián Ranea & Glenn De Witte from KU Leuven
     • Chao Li, Jinyu Lu, Bing Sun & Wenqian Xin from NUDT

  3. Cryptanalysis with Invariance
     Some lightweight block ciphers are vulnerable to invariant attacks: light round function + simple key schedule
     • Invariant subspace [LAA+11]
     • Nonlinear invariants [TLS16]
     • Rotational invariance [LAA+11]
     [LAA+11] Leander G., Abdelraheem M.A., AlKhzaimi H., Zenner E. (2011) A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack. CRYPTO 2011.
     [TLS16] Todo Y., Leander G., Sasaki Y. (2016) Nonlinear Invariant Attack. ASIACRYPT 2016.

  4. Rotational Invariance
     For a function
     $f(x_1, x_2, \ldots, x_m) = (y_1, y_2, \ldots, y_l) : \mathbb{F}_{2^n}^m \to \mathbb{F}_{2^n}^l$
     Given a bitwise left rotation by $\gamma$ bits $S^\gamma$ on the inputs, if the outputs are also rotated, then $f$ is rotational invariant:
     $f(S^\gamma(x_1), S^\gamma(x_2), \ldots, S^\gamma(x_m)) = (S^\gamma(y_1), S^\gamma(y_2), \ldots, S^\gamma(y_l))$

  5. Rotational Invariance in Bitwise AND
     Observation: $S^\gamma(x) \odot S^\gamma(y) = S^\gamma(x \odot y)$ with probability 1
     • Bitwise AND is rotational invariant for any $\gamma$

  6. Rotational Invariance in Modular Addition
     Observation: $S^1(x) \boxplus S^1(y) = S^1(x \boxplus y)$ with probability $2^{-1.415}$
     Rotational Cryptanalysis (v1), [KN10]
     A rotational distinguisher holds for an ARX structure with $\Pr = (2^{-1.415})^{\#\boxplus}$
     Rotational Cryptanalysis (v2), [KN15]
     Refined probability estimation for a chain of modular additions

  7. Rotational Invariance in the Presence of Constants
     • Round keys: under related-key setting
     • Rotational-invariant constants: for free in most cases
     • Arbitrary constants?

  8. Rotational-XOR Cryptanalysis

  9. Idea in a Nutshell
     [Figure: inputs $x$ and $x' = x \lll r$ are encrypted under $E_k$ to $y$ and $y'$, with $y' \oplus \delta = y \lll r$]
     By XORing some difference to the outputs, the rotational invariance is regained.

  10. Rotational-XOR difference
      Combine rotational relation with an XOR difference to obtain an RX-pair $(x, S^\gamma(x) \oplus \delta)$
      RX-difference
      The RX-difference of a pair $(x_1, x_2)$: $\Delta_\gamma(x_1, x_2) = x_2 \oplus S^\gamma(x_1)$
      Given an RX-difference $\delta$, an RX-pair is $(x, S^\gamma(x) \oplus \delta)$
      [AL17] T. Ashur and Y. Liu. Rotational cryptanalysis in the presence of constants. ToSC 2017.
      [LDRA18] Y. Liu, G. D. Witte, A. Ranea, and T. Ashur. Rotational-XOR Cryptanalysis of Reduced-round SPECK. ToSC 2018.

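  11. Properties of RX-difference
      Rotation:
      $x \xrightarrow{\lll \eta} x \lll \eta$, $\quad S^\gamma(x) \oplus a \xrightarrow{\lll \eta} S^\gamma(x \lll \eta) \oplus (a \lll \eta)$
      RX-difference: $a \xrightarrow{\lll \eta} (a \lll \eta)$
      XOR:
      $x, y \xrightarrow{\oplus} x \oplus y$, $\quad \overleftarrow{x} \oplus a,\ \overleftarrow{y} \oplus b \xrightarrow{\oplus} \overleftarrow{x \oplus y} \oplus (a \oplus b)$
      RX-difference: $(a, b) \xrightarrow{\oplus} a \oplus b$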

  12. Rotational-XOR Cryptanalysis on ARX

  13. Propagation of RX-difference in Modular Addition
      Modular addition $\boxplus$:
      $S^\gamma(z) \oplus d_z = (S^\gamma(x) \oplus d_x) \boxplus (S^\gamma(y) \oplus d_y)$
      RX-differences for $\gamma = 1$: $d_x, d_y \xrightarrow{\boxplus} d_z$ with a probability
      $$\Pr[(d_x, d_y) \to d_z] = 1_{(I \oplus SHL)(\delta_x \oplus \delta_y \oplus \delta_z) \oplus 1 \preceq SHL((\delta_x \oplus \delta_z) | (\delta_y \oplus \delta_z))} \cdot 2^{-|SHL((\delta_x \oplus \delta_z) | (\delta_y \oplus \delta_z))|} \cdot 2^{-3} + 1_{(I \oplus SHL)(\delta_x \oplus \delta_y \oplus \delta_z) \preceq SHL((\delta_x \oplus \delta_z) | (\delta_y \oplus \delta_z))} \cdot 2^{-|SHL((\delta_x \oplus \delta_z) | (\delta_y \oplus \delta_z))|} \cdot 2^{-1.415},$$
      where $\delta_x = L'(d_x)$, $\delta_y = L'(d_y)$, $\delta_z = L'(d_z)$.
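The modular-addition probabilities on the rotational-invariance and RX-propagation slides can be checked by exhaustive enumeration on a small word size. The Python below is an added example, not code from the talk or the cited papers; the 8-bit word size and all function names are assumptions, and the closed form used for comparison is the standard exact rotational probability, which tends to $2^{-1.415}$ for large words.

```python
from collections import Counter
from fractions import Fraction
from math import log2


def rotl(x, r, n):
    """S^r: rotate the n-bit word x left by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rx_add_distribution(dx, dy, n=8, gamma=1):
    """Enumerate all (x, y) and tally the output RX-difference dz.

    Inputs form RX-pairs (x, S(x)^dx) and (y, S(y)^dy); the output
    RX-difference is dz = ((S(x)^dx) + (S(y)^dy)) ^ S(x + y).
    """
    mask = (1 << n) - 1
    counts = Counter()
    for x in range(1 << n):
        x2 = rotl(x, gamma, n) ^ dx
        for y in range(1 << n):
            y2 = rotl(y, gamma, n) ^ dy
            z = (x + y) & mask
            counts[((x2 + y2) & mask) ^ rotl(z, gamma, n)] += 1
    return counts


def rx_add_probability(dx, dy, dz, n=8, gamma=1):
    """Exact Pr[(dx, dy) -> dz] through n-bit modular addition."""
    return Fraction(rx_add_distribution(dx, dy, n, gamma)[dz], 1 << (2 * n))


def rotational_add_probability(n, r=1):
    """Exact Pr[S^r(x) + S^r(y) = S^r(x + y)] for uniform n-bit x, y."""
    return (1 + Fraction(1, 2 ** (n - r)) + Fraction(1, 2 ** r)
            + Fraction(1, 2 ** n)) / 4


if __name__ == "__main__":
    n = 8  # toy word size (assumption) so all 2^16 input pairs can be enumerated
    p0 = rx_add_probability(0, 0, 0, n)
    print("dz = 0 from (0, 0):", p0, "= 2^%.3f" % log2(p0))
    print("closed form, n = 8:", rotational_add_probability(n))
    print("closed form, n = 64: 2^%.3f" % log2(rotational_add_probability(64)))
    # Most likely output RX-differences for a constructed input difference.
    for dz, c in rx_add_distribution(0x01, 0x00, n).most_common(3):
        print("dx=0x01, dy=0 -> dz=0x%02x with 2^%.3f" % (dz, log2(c / 4 ** n)))
```

With all differences zero the count reduces to the plain rotational probability of the earlier slide; nonzero differences give the RX transition table that a characteristic search draws on.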

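  14. SPECK Block Ciphers
      • ARX cipher designed by the NSA in 2013
      • Block size $2n$ bits, $n = 16/24/32/48/64$
      • Key size $mn$ bits, $m = 2, 3, 4$
      [Figure: round function $R_i$ with rotations $\ggg \alpha$ and $\lll \beta$, mapping $(x_i, y_i)$ to $(x_{i+1}, y_{i+1})$ under round key $k_i$, with key-schedule words $l_i, \ldots, l_{i+m-2}$]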

  15. RX-differences in SPECK
      Search for RX-characteristics in the key part and data part
      [Figure: RX-differences in the data part and the key part of one SPECK round]

  16. Search Strategy
      1. Aim: Find a characteristic covering more rounds
      2. Find a good key characteristic with weight $w_k$
      3. Fix the RX-characteristic in the key part and use it to find a good characteristic in the encryption part with weight $w_d$
      4. Binary search

  17. RX-characteristics found in SPECK32/SPECK48

      Version   Rounds   Data Prob.      Key Class Size   Ref.
      32/64     9        $2^{-30}$       $2^{64}$         [Din14]
      32/64     10       $2^{-19.15}$    $2^{28.10}$      Ours
      32/64     11       $2^{-22.15}$    $2^{18.68}$      Ours
      32/64     12       $2^{-25.57}$    $2^{4.92}$       Ours
      48/96     11       $2^{-45}$       $2^{96}$         [FWG+16]
      48/96     11       $2^{-24.15}$    $2^{25.68}$      Ours
      48/96     12       $2^{-26.57}$    $2^{43.51}$      Ours
      48/96     13       $2^{-31.98}$    $2^{24.51}$      Ours
      48/96     14       $2^{-37.40}$    $2^{0.34}$       Ours
      48/96     15       $2^{-43.81}$    $2^{1.09}$       Ours

      [Din14] Dinur, I. Improved Differential Cryptanalysis on Round-reduced SPECK. FSE 2014.
      [FWG+16] Fu K., Wang M., Guo Y., Sun S., and Hu L. MILP-Based Automatic Search Algorithms for Differential and Linear Trails for SPECK. FSE 2016.

  18. Application to the pseudorandom function SipHash
      • ARX-based Pseudorandom function
      • Four 64-bit modular additions in each SipHash round
      • 256-bit permutation parted to 4 branches
      [Figure: SipHash Round]

  19. Application to the pseudorandom function SipHash
      SipHash-1-x with one message block [Figure]
      1. Related-key setting and RX-differences injected by the messages
      2. Requirements on the input and output RX-differences to get a collision
      3. Initial constants

  20. Application to the pseudorandom function SipHash

      Version               Type   Blocks   Probability
      SipHash-1-x           RX     2        $2^{-280}$
      Revised SipHash-1-x   RX     1        $2^{-93.6}$
      Revised SipHash-1-x   RX     2        $2^{-160}$

      [XLL19] W. Xin, Y. Liu, C. Li. Improved cryptanalysis on SipHash. CANS 2019.

  21. Rotational-XOR Cryptanalysis on AND-RX

  22. Properties of RX-difference
      Bitwise AND $\odot$: $S^a(x) \odot S^b(x)$
      $S^a(S^\gamma(x) \oplus \alpha) \odot S^b(S^\gamma(x) \oplus \alpha) = S^\gamma(S^a(x) \odot S^b(x)) \oplus \beta$
      RX-differences: $\alpha \xrightarrow{\odot} \beta$
      • It has a probability that is the same as the probability of the XOR-difference propagation $(\alpha \to \beta)$ through the same function.
      • The resistance against RX-cryptanalysis relies on the design of the constants
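The equivalence on this slide can be confirmed exhaustively: bitwise AND commutes with rotation, so substituting $x' = S^\gamma(x)$ turns the RX condition into the ordinary XOR-differential condition. The Python below is an added example, not code from the talk; the 8-bit word, the rotation amounts $(a, b) = (0, 5)$ and the function names are toy assumptions.

```python
from collections import Counter


def rotl(x, r, n):
    """S^r: rotate the n-bit word x left by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def and_rx(x, a, b, n):
    """The AND component from the slide: S^a(x) & S^b(x)."""
    return rotl(x, a, n) & rotl(x, b, n)


def rx_distribution(alpha, a, b, n, gamma=1):
    """Tally beta = f(S^gamma(x) ^ alpha) ^ S^gamma(f(x)) over all x."""
    return Counter(
        and_rx(rotl(x, gamma, n) ^ alpha, a, b, n)
        ^ rotl(and_rx(x, a, b, n), gamma, n)
        for x in range(1 << n)
    )


def xor_distribution(alpha, a, b, n):
    """Tally beta = f(x ^ alpha) ^ f(x) over all x (plain XOR differential)."""
    return Counter(
        and_rx(x ^ alpha, a, b, n) ^ and_rx(x, a, b, n) for x in range(1 << n)
    )


def rx_matches_xor(a, b, n, gamma=1):
    """True if every alpha has identical RX and XOR output distributions."""
    return all(
        rx_distribution(alpha, a, b, n, gamma) == xor_distribution(alpha, a, b, n)
        for alpha in range(1 << n)
    )


if __name__ == "__main__":
    a, b, n = 0, 5, 8  # toy parameters (assumption), small enough to enumerate
    print("RX table equals XOR-difference table:", rx_matches_xor(a, b, n))
    for beta, c in sorted(rx_distribution(0x01, a, b, n).items()):
        print("alpha=0x01 -> beta=0x%02x for %d of %d inputs" % (beta, c, 1 << n))
```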

  23. The block ciphers SIMON and SIMECK
      • SIMON: proposed together with SPECK
        • AND-RX-based structure with a linear key schedule
        • No design rationales
      • SIMECK: SIMON + SPECK by Yang et al. in 2015
        • SIMON-like cipher with a nonlinear key schedule
        • Different rotational amounts

  24. The block ciphers SIMON and SIMECK
      [Figure: One round of SIMON]
      [Figure: One round of SIMECK]

  25. Find RX-characteristics in SIMECK
      Model for RX-difference propagations
      1. Define RX-differences as bit-string variables in SMT
      2. Describe the propagation rules in the round function and the key schedule by clauses
      3. Set an upper bound for the cost $w_d$ and $w_k$
      4. Ask for a satisfiability verification
      Advantage: The characteristics do not require a key characteristic found beforehand

  26. Applications to SIMON32/64
      Best RX-characteristic found in round-reduced SIMON32/64 with $\gamma = 1$

      Version   Rounds   Probability   Type
      32/64     10       $2^{-16}$     RKDC
      32/64     10       $2^{-14}$     RX
      32/64     11       $2^{-24}$     RX

      However, the best found RX-characteristic in SIMON32 covers fewer rounds than the differential ones.

  27. Applications to SIMECK
      RX-characteristics found in SIMECK32 and SIMECK48

      Cipher     Round   Data prob.   Weak keys
      SIMECK32   15      $2^{-16}$    $2^{40}$
      SIMECK32   19      $2^{-30}$    $2^{30}$
      SIMECK48   16      $2^{-20}$    $2^{70}$
      SIMECK48   18      $2^{-26}$    $2^{64}$
      SIMECK48   19      $2^{-30}$    $2^{64}$
      SIMECK48   25      $2^{-46}$    $2^{48}$

  28. Observations
      1. It takes much longer to find RX-characteristics in SIMON than in SIMECK
      2. SIMECK seems to be more vulnerable to RX-cryptanalysis than SIMON
      3. We believe that the cause lies in the key schedule
      4. In our case, a nonlinear key schedule is no better than a linear one

  29. Comparisons
      SIM1: round function of SIMON and key schedule of SIMECK
      SIM2: round function of SIMECK and key schedule of SIMON
      1. Change the rotational amount: not much influence observed
      2. Change the key schedule: relatively high contrast
      Table columns: Rounds, SIM-1, SIMON32, SIM-2
      Rounds: 5, 6, 7, 8, 9, 10
      Values: 1, 1, 1, 1, 1, 1, $2^{-2}$, $2^{-4}$, $2^{-4}$, $2^{-4}$, $2^{-6}$, $2^{-6}$, $2^{-6}$, $2^{-10}$, $2^{-10}$, $2^{-8}$, $2^{-14}$, $2^{-14}$

  30. Conclusion

  31. Wrap up
      1. Rotational-XOR cryptanalysis generalises the rotational cryptanalysis to include the effect of constants
      2. A new type of difference for tracking the rotational relation: RX-difference
      3. RX-characteristics found
         • in ARX ciphers SPECK & SipHash
         • in AND-RX ciphers SIMON & SIMECK
      4. Insights on the key schedules in terms of the resistance against RX-cryptanalysis
      Thank you for your attention!
