
Two ways of building round functions for block ciphers, Joan Daemen



  1. Two ways of building round functions for block ciphers Joan Daemen Radboud University Šibenik summer school 2016 1 / 44

  2. Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor 4 Wide trail strategy: weakly-aligned flavor 5 Conclusions 2 / 44

  3. Block ciphers and statistical attacks Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor 4 Wide trail strategy: weakly-aligned flavor 5 Conclusions 3 / 44

  4. Block ciphers and statistical attacks Product cipher [Claude Shannon, 1949] and SPN 4 / 44

  9. Block ciphers and statistical attacks Iterated block ciphers [DES and later] 5 / 44

  10. Block ciphers and statistical attacks Statistical attacks 6 / 44
      - Basic attacks (many variants …)
      - Exploits a distinguisher $\Omega$ over $r - 1$ rounds
      - Two phases:
        - online: get many $(C_i, P_i)$
        - offline: guess $k_a$; a wrong guess destroys $\Omega$
      - DC: requires $1/\mathrm{DP}$ couples
      - LC: requires $1/C^2$ couples
      - [Figure: plaintext $P$, key $K$ with key schedule and data path rounds, intermediate state $a$, last-round key $k_a$, ciphertext $C$; successive builds label the distinguisher with $\Delta_p$, $\mathrm{DP}(\Delta_p, \Delta_a)$, $\Delta_a$ and with $u_p$, $C^2(u_p, u_a)$, $u_a$]

  14. Block ciphers and statistical attacks Distinguisher: difference propagation 7 / 44
      - Differential trail: $\mathrm{DP}(Q) \approx \prod_i \mathrm{DP}(\mathrm{Sbox}_i)$ and $w(Q) = \sum_i w(\mathrm{Sbox}_i)$
      - Differential: $\mathrm{DP}(\Delta_p, \Delta_a) = \sum_{\Delta_p \to Q \to \Delta_a} \mathrm{DP}(Q)$

  16. Correlation basics Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor 4 Wide trail strategy: weakly-aligned flavor 5 Conclusions 8 / 44

  17. Correlation basics Boolean function 9 / 44
      - Mapping from $\mathrm{GF}(2^n)$ to $\mathrm{GF}(2)$
      - Input is a vector $x = (x_1, x_2, \ldots, x_n)$
      - Algebraic expression: $y = x_1 x_2 + x_1 x_3 x_4 + x_2 x_4 + 1$
      - Truth table: $2^n$-bit array or vector
      - [Truth table with columns $x_4, x_3, x_2, x_1, y$]

  18. Correlation basics Correlation between two Boolean functions 10 / 44
      - $C(f, g) = 2\Pr(f(x) = g(x)) - 1$
      - Real-valued counterpart of a Boolean function: $\hat{f}(x) = (-1)^{f(x)}$
      - We define an inner product: $\langle \hat{f}, \hat{g} \rangle = \sum_x \hat{f}(x)\,\hat{g}(x)$
      - …and norm $\|\hat{f}\| = \sqrt{\langle \hat{f}, \hat{f} \rangle}$
      - The correlation now becomes $C(f, g) = \dfrac{\langle \hat{f}, \hat{g} \rangle}{\|\hat{f}\| \cdot \|\hat{g}\|}$

  19. Correlation basics Correlation between Boolean functions geometrically 11 / 44
      - Vector space: $\mathbb{R}^{2^n}$
      - $C(f, g) = \cos\alpha$
      - [Figure: the vectors $\hat{f}$ and $\hat{g}$ separated by the angle $\alpha$]

  20. Correlation basics Linear functions and selection vectors 12 / 44
      - Linear Boolean function with mask $w$: $w^T x$
      - [Figure: a 12-bit example with $x = (x_0, x_1, \ldots, x_{11})$, the bit string 0 0 0 1 0 0 1 1 0 0 1 0, and $w^T x$ written as a sum of the selected $x_i$]
      - If $u \neq v$: $\langle (-1)^{u^T x}, (-1)^{v^T x} \rangle = 0$
      - Linear functions form an orthogonal basis of $\mathbb{R}^{2^n}$

  21. Correlation basics Spectrum of a Boolean function 13 / 44
      - We can represent $\hat{f}(x)$ with respect to the basis of linear functions: $\hat{f}(x) = \sum_w F(w)\,(-1)^{w^T x}$
      - with coordinates given by: $F(w) = 2^{-n} \sum_x \hat{f}(x)\,(-1)^{w^T x}$
      - So simply: $F(w) = C(f(x), w^T x)$
      - This is called the Walsh-Hadamard transform: $F(w) = \mathcal{W}(f(x))$
      - Orthogonal transformation in $\mathbb{R}^{2^n}$
      - Consequence: Parseval's Theorem $\sum_w F(w)^2 = 1$

  22. Correlation basics Adding Boolean functions in GF(2) 14 / 44
      - Let $h(x) = f(x) + g(x)$
      - From $\hat{h}(x) = \hat{f}(x)\,\hat{g}(x)$ follows $H(w) = \sum_v F(v + w)\,G(v)$
      - Spectrum of sum equals convolution of spectra
      - Special cases:
        - Constant function $g(x) = 1$: $H(w) = -F(w)$
        - Linear function $g(x) = u^T x$: $H(w) = F(w + u)$
        - Disjunct functions $f$ and $g$: $H(v + w) = F(v)\,G(w)$

  23. Correlation basics Multiplying Boolean functions in GF(2) 15 / 44
      - Let $h(x) = f(x)\,g(x)$. Then: $\hat{h}(x) = \frac{1}{2}\left(1 + \hat{f}(x) + \hat{g}(x) - \hat{f}(x)\,\hat{g}(x)\right)$
      - From this it follows $\mathcal{W}(fg) = \frac{1}{2}\left(\delta(w) + \mathcal{W}(f) + \mathcal{W}(g) - \mathcal{W}(f + g)\right)$ with $\delta(w) = 1$ iff $w = 0$

  24. Correlation basics Correlation matrices [Daemen 1994] 16 / 44
      - $m$-bit vector Boolean function: $h(x) = (h_1(x), h_2(x), \ldots, h_m(x))$
      - Correlation matrix $C^{(h)}$: $2^m$ rows and $2^n$ columns; element at row $u$, column $v$: $C(u^T h(x), v^T x)$
      - Homomorphism: [Diagram: $x \to y = h(x)$ on top, $X \to Y = C^{(h)} X$ below, the two rows linked by $\Updownarrow \mathcal{L}$] with $X_u = (-1)^{x^T u}$
      - If $h$ is permutation: $C^{(h^{-1})} = \left(C^{(h)}\right)^{-1} = \left(C^{(h)}\right)^{T}$

  25. Correlation basics Correlation matrices of special functions 17 / 44
      - Adding a constant: $f(x) = x + k$: $C_{u,u} = (-1)^{u^T k}$ and $C_{u,v \neq u} = 0$
      - Linear function: $f(x) = Mx$: $C_{u,w} = 1$ iff $M^T u = w$ and 0 otherwise
      - Parallel composition: $b = (b_1, b_2, \ldots) = (h_1(a_1), h_2(a_2), \ldots) = h(a)$
        - $C^{(h)}_{u,w} = \prod_i C^{(h_i)}_{u_{(i)}, w_{(i)}}$
        - If $w_i = 0$ then $C^{(h_i)}_{u_{(i)}, w_{(i)}} = 1$
        - $C^{(h)}_{u,w}$ is product of correlation over active S-boxes

  26. Correlation basics Correlation matrices: serial composition 18 / 44
      - [Diagram: $a \to f(a) \to g(f(a))$ on top, $A \to C^{(f)} A \to C^{(g)} C^{(f)} A$ below, the two rows linked by $\Updownarrow \mathcal{L}$]
      - $C^{(g \circ f)}(u, v) = \sum_w C^{(g)}(u, w)\,C^{(f)}(w, v)$

  27. Correlation basics Linear trails and correlation 19 / 44
      - Linear trail: $C_p(Q) = \prod_i C(\mathrm{Sbox}_i)$
      - Correlation: $C(u^T \beta(a), w^T a) = \sum_{w \to Q \to u} C_p(Q)$
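
Added example (not from the slides): a brute-force check of the identities in the "Correlation basics" slides, computing the Walsh-Hadamard spectrum and correlation matrices straight from their definitions. The Boolean function is the one on slide 17; taking x1 as the low bit and the two 3-bit permutations are constructed assumptions.

```python
# Added example: spectra and correlation matrices by exhaustive evaluation.

def parity(v):
    """XOR of the bits of v, so parity(w & x) is the mask product w^T x."""
    return bin(v).count("1") & 1

def spectrum(f, n):
    """Walsh-Hadamard spectrum: F(w) = 2^-n * sum_x (-1)^(f(x) + w^T x)."""
    size = 1 << n
    return [sum((-1) ** (f(x) ^ parity(w & x)) for x in range(size)) / size
            for w in range(size)]

def slide_f(x):
    """y = x1 x2 + x1 x3 x4 + x2 x4 + 1, with x1 taken as the low bit (assumption)."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2) ^ (x1 & x3 & x4) ^ (x2 & x4) ^ 1

def corr_matrix(h, n, m):
    """Element (u, v) is C(u^T h(x), v^T x): 2^m rows, 2^n columns."""
    size = 1 << n
    return [[sum((-1) ** (parity(u & h(x)) ^ parity(v & x)) for x in range(size)) / size
             for v in range(size)] for u in range(1 << m)]

def matmul(a, b):
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*b)] for row in a]

def transpose(a):
    return [list(col) for col in zip(*a)]

# Constructed 3-bit permutations standing in for S-boxes (not from any real cipher).
F_TABLE = [3, 6, 0, 5, 7, 1, 4, 2]
G_TABLE = [1, 7, 4, 2, 0, 6, 3, 5]
F_INV = [F_TABLE.index(y) for y in range(8)]

if __name__ == "__main__":
    F = spectrum(slide_f, 4)
    print("spectrum of the slide-17 function:", F)
    print("Parseval sum:", sum(c * c for c in F))
    cf = corr_matrix(F_TABLE.__getitem__, 3, 3)
    cg = corr_matrix(G_TABLE.__getitem__, 3, 3)
    cgf = corr_matrix(lambda x: G_TABLE[F_TABLE[x]], 3, 3)
    # All entries are multiples of 2^-n, so float comparison is exact here.
    print("C(g o f) == C(g) C(f):", cgf == matmul(cg, cf))
    print("C(f^-1) == C(f)^T:", corr_matrix(F_INV.__getitem__, 3, 3) == transpose(cf))
```
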

  28. Wide trail strategy: strongly-aligned flavor Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor 4 Wide trail strategy: weakly-aligned flavor 5 Conclusions 20 / 44

  29. Wide trail strategy: strongly-aligned flavor Replacing the permutation in SPN by a mixing layer 21 / 44

  31. Wide trail strategy: strongly-aligned flavor 22 / 44 Mixing layer criterion: Branch number B

  34. Wide trail strategy: strongly-aligned flavor Mixing layer and error-correcting codes 23 / 44

  36. Wide trail strategy: strongly-aligned flavor 24 / 44 B active S-boxes in each sequence of 2 rounds

  37. Wide trail strategy: strongly-aligned flavor Recursion: four-round theorem 25 / 44 B 1 × B 2 active S-boxes per 4 rounds

  41. Wide trail strategy: strongly-aligned flavor Rijndael [Daemen, Rijmen 1998] 26 / 44
      - Trails: 25 active S-boxes per 4 rounds
      - Clustering of trails but not alarming
      - Costly S-box and mixing
      - Byte-alignment leads to structural properties
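
Added example (not from the slides): the branch number B of a mixing layer M, taken in its usual form as the minimum over nonzero inputs a of the number of nonzero cells in a plus the number in M·a, found by exhaustive search. The 4-cell state over GF(2^4) with modulus x^4 + x + 1 and the three matrices are assumptions chosen to keep the search small; circ(2, 3, 1, 1) is the MixColumns coefficient pattern of Rijndael.

```python
# Added example: exhaustive branch number of a 4-cell linear mixing layer.
from itertools import product

def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (0x13); field choice is an assumption."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

def circulant(first_row):
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]

def weight(vec):
    """Number of nonzero cells, i.e. active S-boxes next to this state."""
    return sum(1 for c in vec if c)

def mix(matrix, vec):
    out = []
    for row in matrix:
        acc = 0
        for m, v in zip(row, vec):
            acc ^= MUL[m][v]
        out.append(acc)
    return out

def branch_number(matrix):
    n = len(matrix)
    return min(weight(v) + weight(mix(matrix, v))
               for v in product(range(16), repeat=n) if any(v))

IDENTITY = circulant([1, 0, 0, 0])      # no mixing at all
ALMOST_MDS = circulant([0, 1, 1, 1])    # binary matrix, cheap but not optimal
MDS = circulant([2, 3, 1, 1])           # MixColumns coefficient pattern

if __name__ == "__main__":
    for name, m in (("identity", IDENTITY), ("circ(0,1,1,1)", ALMOST_MDS),
                    ("circ(2,3,1,1)", MDS)):
        print(name, "branch number:", branch_number(m))
    # With B1 = B2 = 5 the four-round theorem gives 5 * 5 = 25 active S-boxes.
```
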

  42. Wide trail strategy: weakly-aligned flavor Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor 4 Wide trail strategy: weakly-aligned flavor 5 Conclusions 27 / 44
