the super sbox cryptanalysis
play

The Super-Sbox Cryptanalysis Improved Attacks for AES-like - PowerPoint PPT Presentation

Jan 08, 2024 •1.18k likes •1.38k views

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

  1. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea (February 9, 2010)

  2. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Outline Introduction Previous cryptanalysis techniques for AES -like permutations The Super-Sbox cryptanalysis Results

  3. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Outline Introduction Previous cryptanalysis techniques for AES -like permutations The Super-Sbox cryptanalysis Results

  4. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The SHA-3 competition and the current status of AES • SHA-3 competition launched in October 2008 with 51 accepted submissions (among 64). Second round brought this number to 14 only. Among them, many AES -based or AES -related candidates: • ECHO • FUGUE • Grøstl • SHAvite-3 • Because of a somewhat too light key schedule, AES -256 has been recently attacked in the related key model [CRYPTO-09], while AES -128 remains unharmed.

  5. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Block ciphers and hash functions The new AES -256 attacks may impact the AES -based hash functions using a key schedule, but some of them basically use fixed key permutations (for example ECHO or Grøstl ). CV M CV’ ECHO P CV P CV’ GROSTL M Q • What is the security of an AES -like permutation for a hash function utilization (known-key model [ASIACRYPT-07]) ? • What is the impact of the attacks on the security of the whole compression function ?

  6. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results What is an AES -like permutation ? SubBytes AddConstant ShiftRows MixColumns ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S r cells ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S c bits r cells MixColumns ◦ ShiftRows ◦ SubBytes ◦ AddConstant ( C ) . • AddConstant: in knwon-key model, just add a round-dependent constant (breaks natural symmetry of the three other functions) • SubBytes: application of a c -bit Sbox (only non-linear part) • ShiftRows: rotate column position of all cells in a row, according to its row position • MixColumns: linear diffusion layer.

  7. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Outline Introduction Previous cryptanalysis techniques for AES -like permutations The Super-Sbox cryptanalysis Results

  8. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Truncated differences • Originally introduced by Knudsen for block ciphers [FSE-94] • Later applied to hash functions (collision attack on Grindahl) [ASIACRYPT-07] • Idea: consider byte-differences, without considering their actual value (active or inactive). • Only the truncated differences propagation through MixColumns behave probabilistically. Per column: nb active input cells + nb active output cells ≥ r + 1 . P ≃ 2 − xc for x � = r inactive output cells. round 0 round 1 round 2 round 3 round 4 round 5 round 6 AC AC AC AC AC AC AC SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC

  9. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Controlled and uncontrolled rounds • Idea: use the freedom degrees in the middle of the differential path (Mendel et al. [FSE-09]). • The path is divided into two different kind of steps: • The controlled rounds: the part where the freedom degrees are used (usually in the middle of the path). On average, finding a solution for the controlled rounds should cost only a few operations. • The uncontrolled rounds: the part where all the events are verified probabilistically (left and right part of the path) because no more freedom degree is available. Determine the complexity of the overall attack. round 0 round 1 round 2 round 3 round 4 round 5 round 6 AC AC AC AC AC AC AC SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC

  10. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Rebound Attack and Start-from-the-middle • Rebound attack: allows to get 2 controlled rounds [FSE-09]. Requires 2 rc memory. It broke compression functions of many SHA-3 candidates. • Start-from-the-middle: use more complicated techniques to get up to 3 controlled rounds in the case of low weight differential paths [SAC-09]. Requires 2 rc memory. round 0 round 1 round 2 round 3 round 4 round 5 round 6 AC AC AC AC AC AC AC SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC round 0 round 1 round 2 round 3 round 4 round 5 round 6 AC AC AC AC AC AC AC SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC

  11. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Outline Introduction Previous cryptanalysis techniques for AES -like permutations The Super-Sbox cryptanalysis Results

  12. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox view • Introduced by Daemen and Rijmen (e.g. [SCN-06]) to simplify the analysis of AES differential properties and not for cryptanalysis purposes. • Idea: one can view two rounds of an AES -like permutation as a layer of big 2 rc -bit Sboxes preceded and followed by simple affine transformations. We call those Super-Sboxes first round second round AC SB ShR MC AC SB ShR MC AC ShR SB MC AC SB ShR MC AC ShR ShR MC 4 Super-Sbox

  13. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The controlled rounds in the Super-Sbox view • One can get 3 controlled rounds, even for high weight differential paths. • Forward: start with a random (not truncated) difference δ ′ start at the beginning of round 2 (such that we obtain a compatible truncated difference ∆ start when inverting SB and AC ). Then, pass ShR , MC , AC and ShR to obtain the aimed input difference ∆ in on the r Super-Sboxes. • Backward: start with a random (not truncated) difference ∆ end at the end of round 4, and invert MC and ShR in order to obtain the aimed output difference ∆ out on the r Super-Sboxes. • Problem: need the ability to find for each of the r columns, a value that maps ∆ in to ∆ out ... seems hard. round 0 round 1 round 2 round 3 round 4 round 5 round 6 round 7 AC AC AC AC AC AC AC AC SB SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC MC ∆ ′ start ∆ in ∆ out ∆ end δ start Super-SB AC ShR MC AC ShR MC SB ShR

  14. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The controlled rounds • Idea: pay a big price (2 rc operations and memory), but get many solutions (2 rc ) once you paid. • 1st step: Fix a random ∆ ′ start difference value, which gives a fixed random ∆ in . For each of the r Super-Sboxes, exhaust all 2 rc possible actual values, then sort the results in r tables according to the output difference obtained. • 2nd step: try 2 rc distinct ∆ end differences. Then, for each ∆ out obtained by computing backward, check if for all the r columns the appropriate 2 rc -bit difference is present in the corresponding table. On average, one solution is found per ∆ end try. • The average complexity for finding one internal state pair verifying the controlled rounds is 1 . round 0 round 1 round 2 round 3 round 4 round 5 round 6 round 7 AC AC AC AC AC AC AC AC SB SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC MC ∆ ′ start ∆ in ∆ end δ start ∆ out Super-SB AC ShR MC AC ShR MC SB ShR

  15. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The uncontrolled rounds Eight-round path: • On the left side, one has one 4 �→ 1 MixColumns transition to control (round 1): P ≃ 2 − ( r − 1 ) c • On the right side, one has one 4 �→ 1 MixColumns transition to control (round 5): P ≃ 2 − ( r − 1 ) c • Total complexity for finding a solution for the whole path: 2 2 ( r − 1 ) c operations. round 0 round 1 round 2 round 3 round 4 round 5 round 6 round 7 AC AC AC AC AC AC AC AC SB SB SB SB SB SB SB SB ShR ShR ShR ShR ShR ShR ShR ShR MC MC MC MC MC MC MC One has also to check that we have enough freedom degrees, such that a valid pair can be found.

  16. Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results Outline Introduction Previous cryptanalysis techniques for AES -like permutations The Super-Sbox cryptanalysis Results

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Super-Sbox Cryptanalysis Thomas Peyrin CCRG seminar - Nanyang Technological University

The Super-Sbox Cryptanalysis Thomas Peyrin CCRG seminar - Nanyang Technological University

Introduction Super-Sbox Results Grstl The Super-Sbox Cryptanalysis Thomas Peyrin CCRG seminar - Nanyang Technological University Singapore - October 26, 2010 Introduction Super-Sbox Results Grstl Outline Introduction The Super-Sbox

410 views • 27 slides
Meet in the Middle March 18, 2020 1 / 24 My optimizations F : 4 Sbox : 26 Sbox 8 b i t

Meet in the Middle March 18, 2020 1 / 24 My optimizations F : 4 Sbox : 26 Sbox 8 b i t

Meet in the Middle March 18, 2020 1 / 24 My optimizations F : 4 Sbox : 26 Sbox 8 b i t : 12 Sbox 16 b i t : 12 Round f u n c t i o n : 14 Next roundkey : 6 Encrypt : 318 Encrypt u n r o l l e d : 314 2 / 24 Sbox

470 views • 27 slides
Meet in the Middle March 13, 2019 1 / 25 My optimizations F : 4 Sbox : 26 Sbox 8 b i t

Meet in the Middle March 13, 2019 1 / 25 My optimizations F : 4 Sbox : 26 Sbox 8 b i t

Meet in the Middle March 13, 2019 1 / 25 My optimizations F : 4 Sbox : 26 Sbox 8 b i t : 12 Sbox 16 b i t : 12 Round f u n c t i o n : 14 Next roundkey : 6 Encrypt : 318 Encrypt u n r o l l e d : 314 2 / 25 Last

405 views • 28 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
A new criterion for avoiding the propagation of linear relations through an Sbox Christina Boura

A new criterion for avoiding the propagation of linear relations through an Sbox Christina Boura

A new criterion for avoiding the propagation of linear relations through an Sbox Christina Boura and Anne Canteaut INRIA Paris-Rocquencourt DTU Compute March 13, 2013 1 / 23 Outline Introduction 1 The notion of ( v, w ) -linearity 2

488 views • 37 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
SUPER SUPER Issue : May 2, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : May 2, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : May 2, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR AUDIENCE ANYTIME, ANYWHERE on ANY DEVICE Home PC On the Go Source: myTV SUPER subscription management system MASS PENETRATION EVERYONE IS WATCHING

1.01k views • 56 slides
SUPER SUPER Issue : May 23, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : May 23, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : May 23, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR AUDIENCE ANYTIME, ANYWHERE on ANY DEVICE Home PC On the Go Source: myTV SUPER subscription management system MASS PENETRATION EVERYONE IS WATCHING

806 views • 55 slides
Bigger is Better Trends in super computers, super software, and super data Michael L. Norman,

Bigger is Better Trends in super computers, super software, and super data Michael L. Norman,

Bigger is Better Trends in super computers, super software, and super data Michael L. Norman, Director San Diego Supercomputer Center UC San Diego Why are supercomputers needed? The universe is famously large. Douglas Adams Complexity

850 views • 71 slides
Super-parameterization: what it is and what is super about it? Wojciech Grabowski

Super-parameterization: what it is and what is super about it? Wojciech Grabowski

Super-parameterization: what it is and what is super about it? Wojciech Grabowski Mesoscale and Microscale Meteorology (MMM) Laboratory National Center for Atmospheric Research (NCAR) Boulder, Colorado, USA This material is based upon

1.02k views • 86 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
SUPER SUPER Issue : March 1, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : March 1, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR

SUPER SUPER Issue : March 1, 2018 THE FUTURE OF TV IS HERE Are you ready? CONNECT YOUR AUDIENCE ANYTIME, ANYWHERE on ANY DEVICE Home PC On the Go Source: myTV SUPER subscription management system MASS PENETRATION EVERYONE IS WATCHING

764 views • 59 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grstl Kimmo

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grstl Kimmo

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grstl Kimmo Jrvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3

311 views • 12 slides
Administrivia Clear (10); mostly clear (7); unclear (6). Lecture 5 Please ask questions! Pace:

Administrivia Clear (10); mostly clear (7); unclear (6). Lecture 5 Please ask questions! Pace:

Administrivia Clear (10); mostly clear (7); unclear (6). Lecture 5 Please ask questions! Pace: fast (9); OK (6); slow (1). The Big Picture/Language Modeling Feedback (2+ votes): More/better examples (4). Talk louder/clearer/slower (4).

327 views • 31 slides
Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written

Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written

Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich Assertion Side-Effects Flags error if assert() has side effects

422 views • 13 slides
Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software

Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software

Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software Baroque? 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Find the Bug! 2/22/2005 4 Find the Bug! 2/22/2005 6 Specifications(1)

338 views • 15 slides
Plural and : Protocols in Practice Jonathan Aldrich Workshop on Behavioral Types

Plural and : Protocols in Practice Jonathan Aldrich Workshop on Behavioral Types

Plural and : Protocols in Practice Jonathan Aldrich Workshop on Behavioral Types April 2011 School of Computer Science Empirical Study: Protocols in Java Object Protocol [Beckman, Kim, & A to appear in ECOOP 2011]

734 views • 21 slides
Pr r t

Pr r t

Pr r t s ts r rt rt

576 views • 43 slides
Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla

Introduction Methodology Implementations Results Lightweight Implementations of SHA-3 Candidates on FPGAs Jens-Peter Kaps Panasayya Yalla Kishore Kumar Surapathi Bilal Habib Susheel Vadlamudi Smriti Gurung John Pham Cryptographic

461 views • 29 slides
MATHEMATICS: DISCOVERED OR CONSTRUCTED? Klaus Truemper Erik Jonsson School of Engineering and

MATHEMATICS: DISCOVERED OR CONSTRUCTED? Klaus Truemper Erik Jonsson School of Engineering and

MATHEMATICS: DISCOVERED OR CONSTRUCTED? Klaus Truemper Erik Jonsson School of Engineering and Computer Science University of Texas at Dallas Aussois, January 711, 2013 The talk was given during the 17th Combinatorial Workshop 2013 in

543 views • 42 slides

More recommend