structural attacks on block ciphers
play

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September - PowerPoint PPT Presentation

Oct 17, 2023 •702 likes •2.18k views

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

  1. Subspaces in block ciphers Subspace trail cryptanalysis Mixed Space Definition ( Mixed spaces ) The ith mixed subspace M i is defined as M i = MC � SR ( C i ) . For instance, M 0 corresponds to the image of 2 ( α + 1 ) · x 2 3 α · x 1 x 4 x 3 � ⇢ ( α + 1 ) · x 3 � x 1 x 4 α · x 2 6 7 � M 0 = � ∀ x 1 , x 2 , x 3 , x 4 ∈ F 2 8 6 7 � ( α + 1 ) · x 4 x 1 α · x 3 x 2 4 5 ( α + 1 ) · x 1 α · x 4 x 3 x 2 where α is the generator of the AES field.

  2. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  3. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  4. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  5. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  6. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  7. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  8. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  9. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  10. Subspaces in block ciphers Subspace trail cryptanalysis Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE ’17 SB SR MC For fixed I , J ⇢ { 0 , 1 , 2 , 3 } , | I | + | J |  4 1 R ( D I � a ) = C I � b 1 R ( ) � R ( ) = 2 R ( C I � a ) = M I � b 2 R ( ) � R ( ) = MC � SR ( ) 3 R 2 ( C I � a ) = M I � b 3 R 2 ( ) � R 2 ( ) = MC � SR ( ) 4 M I \ D J = { 0 } 4 R 4 ( ) � R 4 ( ) 6 = MC � SR ( ) A 1 , 1 ⇢ D J � a 1 , 1 A 2 , 1 ⇢ C J � a 1 , 1 A 3 , 1 ⇢ M J � a 3 , 1 R R R R D I � a 1 C I � a 2 M I � a 3 R R A 1 , q d ⇢ D J � a 1 , q d A 2 , q d ⇢ C J � a 2 , q d A 3 , q d ⇢ M J � a 3 , q d

  11. Subspaces in block ciphers Subspace trail cryptanalysis Attack on Simpira

  12. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  13. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  14. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  15. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  16. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  17. From subspace trails to invariant subspaces in Simpira Overview Simpira (now Simpira v1) Simpira: A Family of E ffi cient Permutations Using the AES Round Function , [GM16] a family of cryptographic permutations supporting 128 ⇥ b bits designed to achieve high throughput on all modern 64-bit processors uses only one building block, AES (Intel/AMD/ARM native instructions) Generalized Feistel Structure Claim: no structural distinguishers with complexity below 2 128 .

  18. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  19. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  20. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  21. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  22. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  23. From subspace trails to invariant subspaces in Simpira Overview Simpira with b = 4 512 bit permutation f ( x ) : one AES round minus constants F-function: F t i ( x ) = f ( f ( x ) + k t , i ) Di ff erent constants in each new F-function Iterated for many rounds (not important) Suitable for a wide range of applications.

  24. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  25. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  26. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  27. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  28. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  29. From subspace trails to invariant subspaces in Simpira Two round property Initial observation for two rounds ( x t 0 , x t 1 , x t 2 , x t 3 ) F t i ( x ) = f ( f ( x ) + k t , i ) where k t , i ∈ C 0 , 1 ( x t 0 , x t 1 , x t 2 , x t 3 ) ∈ F 4 ⇥ 4 ⇥ 4 2 8 S t + 1 =( x t + 1 , x t + 1 , x t + 1 , x t + 1 ) 0 1 2 3 =( F t 1 ( x t 0 ) ⊕ x t 1 , F t 2 ( x t 3 ) ⊕ x t 2 , x t 3 , x t 0 ) S t + 2 =( x t + 2 , x t + 2 , x t + 2 , x t + 2 ) 0 1 2 3 =( F t + 1 ( x t + 1 ) ⊕ x t + 1 , F t + 1 ( x t + 1 ) ⊕ x t + 1 , x t + 1 , x t + 1 ) 1 0 1 2 3 2 3 0 x t + 1 = x t 0 , x t + 1 = x t 3 , x t + 1 = F t 1 ( x t 0 ) ⊕ x t 1 3 2 0 ( x t + 2 , F t + 1 ( x t 0 ) � x t 3 , x t 0 , F t 1 ( x t 0 ) � x t 1 )) 0 2 Structure R 2 ( a , b , c , d ) − → ( z , F 1 ( a ) ⊕ d , a , F 2 ( a ) ⊕ b ) .

  30. From subspace trails to invariant subspaces in Simpira Two round property The parallel F-function f ( x ) one AES round minus key addition f ( x ) ⇥ f ( x ) (in parallell) constants c 1 = and c 2 = Parallell F-function F 1 ( a ) ⇥ F 2 ( a ) = f ( f ( a ) � c 1 ) ⇥ f ( f ( a ) � c 2 )

  31. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions Trivial Invariant subspace in f ( x ) ⇥ f ( x ) f ( a ) ⇥ f ( a ) = b ⇥ b SB SB SR SR MC MC

  32. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions Constants space constants c 1 = and c 2 = � c 1 � c 2 Adding a constant We begin with an invariant space a ⇥ a f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � = ⇥ ⇥

  33. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions Constants space constants c 1 = and c 2 = � c 1 � c 2 Adding a constant We begin with an invariant space a ⇥ a f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � = ⇥ ⇥

  34. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions Constants space constants c 1 = and c 2 = � c 1 � c 2 Adding a constant We begin with an invariant space a ⇥ a f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � = ⇥ ⇥

  35. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions Constants space constants c 1 = and c 2 = � c 1 � c 2 Adding a constant We begin with an invariant space a ⇥ a f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � = ⇥ ⇥

  36. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  37. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  38. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  39. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  40. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  41. From subspace trails to invariant subspaces in Simpira Subspace trail in parallell F -functions One more round We begin with an invariant subspace a ⇥ a SB SB f ( ) ⇥ f ( ) = ⇥ ...then add constants in the middle... f ( ) ⇥ f ( ) � ⇥ = ⇥ SR SR ... and apply another AES round... f ( ) ⇥ f ( ) = MC � SR ( ) ⇥ MC � SR ( ) MC MC Subspace trail in paralllel F-function F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( )

  42. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  43. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  44. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  45. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  46. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  47. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  48. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  49. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  50. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  51. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds ( a , b , c , d ) R 2 ! ( z , F 1 ( a ) � d , a , F 2 ( a ) � b ) � F 1 ( ) ⇥ F 2 ( ) = MC � SR ( ) ⇥ MC � SR ( ) (Imagine MC � SR around all values of the state) ( � ) = ( a , b , c , d ) , , , R 2 ( , F 1 ( ) � , F 2 ( ) � ) � , = ( ) � � � , , , = ( ) � , , , = ( � ) , , ,

  52. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  53. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  54. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  55. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  56. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  57. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Invariant subspaces in Simpira ( � ) = ( a , MC � SR ( z 1 � x ) , b , MC � SR ( z 2 � x � c )) , , , where a , b set to all possible values ( q 32 ) z i set to all possible values in two left columns ( q 16 ) x set to all possible values in two right columns ( q 8 ) c random fixed value in two right columns ( q 8 ) Conclusion for Simpira Invariant subspaces in round function from non-invariant subspaces in AES F-function. Covers whole plaintext space with 2 64 invariant cosets of dimension 56 over F q (first time?) Trivial distinguisher

  58. From subspace trails to invariant subspaces in Simpira Invariant subspace over 2 rounds Zero-di ff erence cryptanalysis of AES

  59. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs The zero di ff erence pattern Definition (Zero di ff erence pattern) Let α = ( α 0 , α 1 , . . . , α n � 1 ) 2 F n q . Define ν ( α ) = ( z 0 , z 1 , . . . , z n � 1 ) 2 F n 2 where ( 1 if α i is zero , z i = 0 otherwise .

  60. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Setting Let α = ( α 0 , α 1 , . . . , α n � 1 ) 2 F n q denote the state of a block cipher. Let q = 2 k and let s be a kxk permutation s-box. The S-box working on a state is defined by S ( α ) = ( s ( α 0 ) , s ( α 1 ) , . . . , s ( α n � 1 )) Let L be a linear layer in the block cipher We consider a substitution permutation networn (SPN) of the form S � L � S � L � S .

  61. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Setting Let α = ( α 0 , α 1 , . . . , α n � 1 ) 2 F n q denote the state of a block cipher. Let q = 2 k and let s be a kxk permutation s-box. The S-box working on a state is defined by S ( α ) = ( s ( α 0 ) , s ( α 1 ) , . . . , s ( α n � 1 )) Let L be a linear layer in the block cipher We consider a substitution permutation networn (SPN) of the form S � L � S � L � S .

  62. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Setting Let α = ( α 0 , α 1 , . . . , α n � 1 ) 2 F n q denote the state of a block cipher. Let q = 2 k and let s be a kxk permutation s-box. The S-box working on a state is defined by S ( α ) = ( s ( α 0 ) , s ( α 1 ) , . . . , s ( α n � 1 )) Let L be a linear layer in the block cipher We consider a substitution permutation networn (SPN) of the form S � L � S � L � S .

  63. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Setting Let α = ( α 0 , α 1 , . . . , α n � 1 ) 2 F n q denote the state of a block cipher. Let q = 2 k and let s be a kxk permutation s-box. The S-box working on a state is defined by S ( α ) = ( s ( α 0 ) , s ( α 1 ) , . . . , s ( α n � 1 )) Let L be a linear layer in the block cipher We consider a substitution permutation networn (SPN) of the form S � L � S � L � S .

  64. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs The S-box Lemma For two states α and β in F n q , the zero di ff erence pattern is preserved by a permutation S-box ν ( α � β ) = ν ( S ( α ) � S ( β )) . Proof. Follows since α i � β i = 0 i ff s ( α i ) � s ( β i ) = 0 and thus the S-box preserves the zero di ff erence pattern.

  65. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs The S-box Lemma For two states α and β in F n q , the zero di ff erence pattern is preserved by a permutation S-box ν ( α � β ) = ν ( S ( α ) � S ( β )) . Proof. Follows since α i � β i = 0 i ff s ( α i ) � s ( β i ) = 0 and thus the S-box preserves the zero di ff erence pattern.

  66. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs The exchange operation Definition For a vector c 2 F n 2 and a pair of states α , β 2 F n q define a new state ρ c ( α , β ) by ( if c i = 1 , α i ρ c ( α , β ) i = if c i = 0 . β i Example Let c = ( 0110 ) and α = ( α 0 , α 1 , α 2 , α 3 ) and β = ( β 0 , β 1 , β 2 , β 3 ) . Then 0 = ρ ( 0110 ) ( α , β ) = ( β 0 , α 1 , α 2 , β 3 ) α and 0 = ρ ( 0110 ) ( β , α ) = ( α 0 , β 1 , β 2 , α 3 ) β

  67. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs The exchange operation Definition For a vector c 2 F n 2 and a pair of states α , β 2 F n q define a new state ρ c ( α , β ) by ( if c i = 1 , α i ρ c ( α , β ) i = if c i = 0 . β i Example Let c = ( 0110 ) and α = ( α 0 , α 1 , α 2 , α 3 ) and β = ( β 0 , β 1 , β 2 , β 3 ) . Then 0 = ρ ( 0110 ) ( α , β ) = ( β 0 , α 1 , α 2 , β 3 ) α and 0 = ρ ( 0110 ) ( β , α ) = ( α 0 , β 1 , β 2 , α 3 ) β

  68. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Properties of the exchange operation (I) Lemma a) ρ c ( α , β ) i � ρ c ( β , α ) i = α � β b) S ( ρ c ( α , β )) � S ( ρ c ( β , α )) = S ( α ) � S ( β ) c) ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) Proof. a) ( α i ⊕ β i if c i = 1 , ρ c ( α , β ) ⊕ ρ c ( β , α ) = β i ⊕ α i if c i = 0 b) ( s ( α i ) ⊕ s ( β i ) if c i = 1 , s ( ρ c ( α , β )) ⊕ s ( ρ c ( β , α )) = s ( β i ) ⊕ s ( α i ) if c i = 0 . c) ( s ( α i ) if c i = 1 , ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) = s ( β i ) if c i = 0 .

  69. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Properties of the exchange operation (I) Lemma a) ρ c ( α , β ) i � ρ c ( β , α ) i = α � β b) S ( ρ c ( α , β )) � S ( ρ c ( β , α )) = S ( α ) � S ( β ) c) ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) Proof. a) ( α i ⊕ β i if c i = 1 , ρ c ( α , β ) ⊕ ρ c ( β , α ) = β i ⊕ α i if c i = 0 b) ( s ( α i ) ⊕ s ( β i ) if c i = 1 , s ( ρ c ( α , β )) ⊕ s ( ρ c ( β , α )) = s ( β i ) ⊕ s ( α i ) if c i = 0 . c) ( s ( α i ) if c i = 1 , ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) = s ( β i ) if c i = 0 .

  70. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Properties of the exchange operation (I) Lemma a) ρ c ( α , β ) i � ρ c ( β , α ) i = α � β b) S ( ρ c ( α , β )) � S ( ρ c ( β , α )) = S ( α ) � S ( β ) c) ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) Proof. a) ( α i ⊕ β i if c i = 1 , ρ c ( α , β ) ⊕ ρ c ( β , α ) = β i ⊕ α i if c i = 0 b) ( s ( α i ) ⊕ s ( β i ) if c i = 1 , s ( ρ c ( α , β )) ⊕ s ( ρ c ( β , α )) = s ( β i ) ⊕ s ( α i ) if c i = 0 . c) ( s ( α i ) if c i = 1 , ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) = s ( β i ) if c i = 0 .

  71. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Properties of the exchange operation (I) Lemma a) ρ c ( α , β ) i � ρ c ( β , α ) i = α � β b) S ( ρ c ( α , β )) � S ( ρ c ( β , α )) = S ( α ) � S ( β ) c) ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) Proof. a) ( α i ⊕ β i if c i = 1 , ρ c ( α , β ) ⊕ ρ c ( β , α ) = β i ⊕ α i if c i = 0 b) ( s ( α i ) ⊕ s ( β i ) if c i = 1 , s ( ρ c ( α , β )) ⊕ s ( ρ c ( β , α )) = s ( β i ) ⊕ s ( α i ) if c i = 0 . c) ( s ( α i ) if c i = 1 , ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) = s ( β i ) if c i = 0 .

  72. Zero-di ff erence cryptanalysis of AES Zero di ff erences and exchange operations in SPNs Properties of the exchange operation (I) Lemma a) ρ c ( α , β ) i � ρ c ( β , α ) i = α � β b) S ( ρ c ( α , β )) � S ( ρ c ( β , α )) = S ( α ) � S ( β ) c) ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) Proof. a) ( α i ⊕ β i if c i = 1 , ρ c ( α , β ) ⊕ ρ c ( β , α ) = β i ⊕ α i if c i = 0 b) ( s ( α i ) ⊕ s ( β i ) if c i = 1 , s ( ρ c ( α , β )) ⊕ s ( ρ c ( β , α )) = s ( β i ) ⊕ s ( α i ) if c i = 0 . c) ( s ( α i ) if c i = 1 , ρ c ( S ( α ) , S ( β )) = S ( ρ c ( α , β )) = s ( β i ) if c i = 0 .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a permutation if there is an inverse function f 1 : { 0 , 1 } { 0 , 1 } satisfying x { 0 , 1 } : f 1 ( f ( x )) = x

1.05k views • 62 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 3: Block Ciphers and the Data Encryption Standard Dr. Loai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Loai Tawalbeh Fall 2005

339 views • 23 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED cipher algorithm would be the default cipher together with AES in SRTP Motivation In Korea, many companies provide VoIP service and we

294 views • 6 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides

More recommend