Some attacks against block ciphers
|
|
- Aleesha Lane
- 5 years ago
- Views:
Transcription
1 Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, / 59
2 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 2 / 59
3 Last-round attacks Statistical attacks Statistical attacks exploit relations that hold with a certain probability only. Rely on the existence of a distinguisher. distinguisher D for a block cipher (E k ) k is an algorithm taking N pairs (x i,y i ), 1 i N and returning 0 or 1. Goal: Decide if the N pairs are input-output pairs of the target block cipher or not: 1: If the (x i,y i ) are input-output pairs of E k for some key k. 0: If the (x i,y i ) are input-output pairs of a random permutation. 3 / 59
4 Last-round attacks dvantage of the distinguisher Let p be the probability that the algorithm returns 1 (the N pairs come from the target block cipher). Let p be the probability that the algorithm returns 0 (the N pairs come from a random permutation). The capacity to distinguish the target block cipher from a random permutation is measured as p p and is called advantage. 4 / 59
5 Last-round attacks onsequences of a distinguisher The existence of a distinguisher with a non-negligeable advantage is an undesirable property for a block cipher. However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered. But: For iterated ciphers a distinguisher for the reduced cipher E k = F kr F kr 1 F k1 can be a serious thread. G k = F kr 1 F k1 5 / 59
6 Last-round attacks ttack on the last round (I) If an attacker finds a distinguisher D for the reduced-round cipher G k, then he can run a last-round attack. Goal: Recover the last-round subkey k r. 6 / 59
7 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F F z G k (x) ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). 7 / 59
8 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). For all possible values k compute y i = F 1 k (z i ) 7 / 59
9 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k 8 / 59
10 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) 8 / 59
11 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) 8 / 59
12 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k r x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) : P(k ) = F 1 k E k = F 1 k F kr F kr 1 F kr 2 F k1 = F 1 k r F kr F kr 1 F kr 2 F k1 = F kr 1 F kr 2 F k1 = G k P(k ) belongs to the family of reduced-ciphers. 8 / 59
13 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is a wrong subkey, P(k ) is assumed to have the same behaviour as a randomly chosen permutation. This assumption is known as the wrong-key randomization hypothesis. 8 / 59
14 Last-round attacks lgorithm Data: N plaintext-ciphertext couples (x i,z i ), for 1 i N Result: set of candidate keys for the last-round subkey k r for all possible values k of k r do counter 0 ; for i = 0...N do compute y i = F 1 k (z i ); counter counter + D(x i,y i ); end if counter τ then return k ; end end The value τ is a threshold value fixed by the attacker. 9 / 59
15 Last-round attacks Remarks s we exhaust all values of the last round subkey, this attack only works in this basic form if the subkeys have a small size (eg. not for ES-128) In practice, we only try to recover a small part of the last round key (some bits). For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack. Once the last subkey recovered, how do we proceed next? For some ciphers, once a subkey completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can Exhaustively search the remaining key bits Repeat the same attack on the ciphers obtained by successively removing the last round ombine both approaches 10 / 59
16 Higher-order differential attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 11 / 59
17 Higher-order differential attacks Higher-order derivatives Let F : F n 2 Fn 2. Derivative of F at a point a F n 2 : D a F(x) := F(x a) F(x), for every x F n 2 Xuejia Lai extended this notion in Definition[k-th order derivative of F] For any k-dimensional subspace V of F n 2, the k-th order derivative of F with respect to V is the function defined by D V F(x) = D a1 D a2...d ak F(x) = F(x+v), v V for every x F n 2, where (a 1,...,a k ) is a basis of V. 12 / 59
18 Higher-order differential attacks Example Let F : F n 2 Fn 2 and V = a 1,a 2 F n 2 of dimension 2. The 2 nd -order derivative of F with respect to V is D V F(x) = D a1 D a2 F(x) = D a1 (F(x)+F(x+a 2 )) = F(x)+F(x+a 1 )+F(x+a 2 )+F(x+a 1 +a 2 ). 13 / 59
19 Higher-order differential attacks Degree of a derivative Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Then, D a F d 1. Examples: F(x 1,...,x n ) = x 1. Then, D a F(x) = D a (x 1 ) = (x 1 a 1 ) x 1 = a 1 deg(d a F) = 0 F(x 1,...,x n ) = x 1 x 2. Then, D a F(x) = D a (x 1 x 2 ) = (x 1 a 1 )(x 2 a 2 ) x 1 x 2 = x 1 x 2 a 1 x 2 a 2 x 1 a 1 a 2 x 1 x 2 = a 1 x 2 a 2 x 1 a 1 a 2 deg(d a F) = 1 14 / 59
20 Higher-order differential attacks Important property Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Example: F(x 1,...,x n ) = x 1 x 2 x d. Then, D a (x 1 x 2 x d ) = (x 1 a 1 )(x 2 a 2 )...(x d a d ) x 1 x 2 x d = x 1 x d terms of deg d 1 x 1 x d deg(d a F) d 1 Proposition[Lai 94] For every subspace V with dim V > deg F, D V F(x) = v V F(x+v) = 0, for every x F n / 59
21 Higher-order differential attacks ttack on the last round ttack based on a low degree. F k 0 S k 1 S k r 1 S k r m S L S L S L c S S S z = F 1 k (c) deg < d 16 / 59
22 Higher-order differential attacks Use higher-order derivatives [Knudsen 94] For all values of k check whether m z = F 1 k (c) has degree < d. How? k r 1 S S L k r c heck whether all derivatives of order d are zero. S z = F 1 k (c) 17 / 59
23 Higher-order differential attacks The attack Let V be a vector space of dimension d. Input: hoose 2 d plaintexts of the form m v, v V (coset of V ) and get the corresponding ciphertexts. Example d = 3,m = 0, V = v 1,v 2,v 3. hosen plaintexts: 0,v 1,v 2,v 3,v 1 v 2,v 1 v 3,v 2 v 3,v 1 v 2 v 3. If for a key k, 2 d 1 i=0 we conclude that k is a wrong key. F 1 k (c i) 0, 18 / 59
24 Higher-order differential attacks Number of candidate keys What is the probability that for a wrong key, i F 1 k (c i) = 0? (false alarm probability) 2 d 1 P F 1 k (c i) = 0 = 2 n, where n is the block size. i=0 s there are 2 κ key candidates (κ is the size of a subkey), around 2 κ n among them will be proposed as candidates for the right key. 19 / 59
25 Higher-order differential attacks Find the right candidate How to find the right key among the left candidates? Do an exhaustive search among the remaining candidates or Repeat the attack by choosing a different vector space of dimension d. Data complexity: 2 d chosen plaintexts. Time complexity: 2 d 2 κ. Remark In practice, we recover smaller fragments of the key. 20 / 59
26 Higher-order differential attacks The KN cipher [Knudsen-Nyberg 95] 6-round Feistel cipher x i 1 y i 1 ki E : F 32 2 F33 2 linear T : F 33 2 F32 2 linear k i : 33-bit subkey T S E S : F 2 33 F 2 33 with x x 3 x i y i F 32 2 F32 2 F 32 2 F32 2 (x,y) (y,x T S(E(x) k i )) 21 / 59
27 Higher-order differential attacks The role of the function S Name initially given to the cipher: RDI (ipher Resistant gainst Differential ryptanalysis). The function S plays a crucial role. The function x x 3 on the field F 33 2 was chosen. This function is known to be resistant against linear and differential attacks. But, this function is of degree / 59
28 Higher-order differential attacks Higher-order differential attack against KN Presented by Jacobsen and Knudsen in Exploit the low algebraic degree of the round function. Input: Plaintexts of the form (x 0,y 0 ) F 32 2 F32 2, where y 0 = c, for some constant c. 23 / 59
29 Higher-order differential attacks 4 rounds of encryption x 0 = x y 0 = c F k1 y 0 (x) = c y 1 (x) = x F k1 (c) := x c y 2 (x) = F k2 (x c ) c y 3 (x) = F k3 (F k2 (x c ) c) x c y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) + F k2 (x c ) c F k2 F k3 F k4 F k5 d = 1 d = 2 d = 4 y 4 d = 8 F k6 x 6 y 6 24 / 59
30 Higher-order differential attacks Evaluate the degree of y 4 y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) F k2 (x c ) c Obviously, the degree of y 4 is bounded by the degree of G = F k4 F k3 F k2 s deg(f ki ) = deg(s) = 2, we get that deg(y 4 ) deg(g) deg(f k4 ) deg(f k3 ) deg(f k2 ) / 59
31 Higher-order differential attacks Write down the equations If V is a subspace of F 32 2 we have: with dim(v) = 9, D V y 4 (x) = v V y 4 (v x) = 0, for all x F We get now the following equation: y 4 F k5 d = 8 F k6 y 5 x 6 (x) = F k6 (y 5 (x)) y 4 (x), y 4 (x) = F k6 (y 5 (x)) x 6 (x) x 6 y 6 26 / 59
32 Higher-order differential attacks ttack equation F k6 (y 5 (v w)) x 6 (v w) = 0. v V v V Recover the key k 6. There will be in average = 2 candidate keys for k 6. Recover the remaining subkeys by mounting the same attack on the reduced-round cipher. 27 / 59
33 Integral attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 28 / 59
34 Integral attacks Integral attacks - History ttack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher. In 1997, the SQURE cipher was presented by Daemen, Knudsen and Rijmen. During the design, the authors discover a new chosen-plaintext attack against 6 rounds of the cipher. This new attack was named the square attack. In the beginning the attack was applied against SPN ciphers. Later, Lucks generalizes the attack to other type of ciphers and call it the saturation attack. In 2002, Knudsen and Wagner unify the different aspects of these attacks and give them the name integral attacks. 29 / 59
35 Integral attacks Multisets Multiset: Every element in the set can appear multiple times. n element of a multiset is a pair (value, multiplicity). Example. V = {1,2,2,2,3,3,4}, or V = {(1,1),(2,3),(3,2),(4,1)} The attacker studies the propagation of the multiset through the cipher. 30 / 59
36 Integral attacks Integral over a multiset pplication to word-oriented ciphers. Notation: w number of words in a plaintext. (e.g. ES: 16 words of 8-bits each). hoose plaintexts in a way that the multiset in each word verifies a specific property. Definition. We call integral over a multiset S the sum v v S 31 / 59
37 Integral attacks Properties n attacker tries to predict the values in the integrals after a certain number of rounds. Distinguish between 3 cases. (For the examples, the word-size is 3 bits.) 1 : ll w words in the multiset have the same constant value. The multiset S = {3,3,3,3,3,3,3,3} has the property. 2 : The w words in the multiset take all possible values. The multiset S = {0,1,2,3,4,5,6,7} has the property. 3 B: The integral over S is / 59
38 Integral attacks Example: ES 16 words of 8 bits. 2 8 chosen plaintexts m i of the form (m i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where m i = i, for i = 0,...,255 and c some constant. nalyze how this multiset propagates through the different operations of ES. 33 / 59
39 Integral attacks Through ddroundkey The same constant value is XORed to each byte. Example. (0x06,..., 0x06) (0x06 0x01,..., 0x06 0x01) = (0x07,..., 0x07) Property. If we XOR the same constant value to each different value of a set having we get again all possible values in the set. Example. S = {0x0,0x1,0x2,0x3}, k = 0x2, S k = {0x2,0x3,0x0,0x1} ddroundkey 34 / 59
40 Integral attacks Through SubBytes The Sbox S is a permutation. If all values of a multiset have the same constant value c, all values will have the same constant value c = S(x) after SubBytes. If the values of a multiset take all possible values, the Sbox will only permute these values. SubBytes 35 / 59
41 Integral attacks Through ShiftRows ShiftRows only permutes the bytes of the state. ShiftRows 36 / 59
42 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 1 0 = 02 x x x x y0 255 = 02 x x x x / 59
43 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 1 0 = 02 x x x x y0 255 = 02 x x x x / 59
44 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x 0 0 +c y 1 0 = 02 x 1 0 +c.... y = 02 x c 37 / 59
45 Integral attacks Through Mixolumns (II) Mixolumns 38 / 59
46 Integral attacks fter 3 rounds Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns???????????????? 39 / 59
47 Integral attacks fter Mixolumns x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 y255 0 = 02 x x x x x x x x x x x x = 02 x i 0 03 x i 1 01 x i 2 01 i=0 i=0 i=0 = = x i 3 i=0 40 / 59
48 Integral attacks fter 3 rounds of ES Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns B B B B B B B B B B B B B B B B 41 / 59
49 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent of the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
50 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent on the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
51 Integral attacks ttack over ES reduced to 4 rounds Goal: Recover the subkey k 4 of the 4 th round of ES. Remark No Mixolumns in the last round. Input: 256 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant and the corresponding ciphertexts c i, i = 0,...,255. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 43 / 59
52 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 44 / 59
53 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) 44 / 59
54 Integral attacks Divide and conquer k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) But, if k 13 4 is the right value v i = S 1 (c i k4 13 ) = 0 i=0 i=0 44 / 59
55 Integral attacks omplexity Data complexity: 2 8 chosen plaintext-ciphertext pairs (a little bit more to get rid off false alarms) Time complexity: = 2 20 XOR s. ssume that a full encryption is composed of 2 6 similar simple operations. So, time complexity 2 14 encryptions. 45 / 59
56 Integral attacks Link with higher-order differential cryptanalysis differential of order d is the sum of 2 d vecteurs of a well-chosen vector space, so it can be seen as an integral. Recently, Yosuke Todo extended integral attacks to take in a clearer way the algebraic degree into account. This extension is called the division property. 46 / 59
57 Bounds on the degree of iterated constructions Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 47 / 59
58 Bounds on the degree of iterated constructions Iterated permutations Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. Important to estimate the algebraic degree of such iterated permutations. Functions with a low degree are vulnerable to: lgebraic attacks Higher-order differential attacks and distinguishers 48 / 59
59 Bounds on the degree of iterated constructions trivial bound Proposition: Let F be a function from F n 2 into Fn 2 F n 2 into Fm 2. Then and G a function from deg(g F) deg(g)deg(f). Example: Round function R of ES is of degree 7. Then deg(r 2 ) = deg(r R) 7 2 = / 59
60 Bounds on the degree of iterated constructions Substitution Permutation Networks S S S S S S Linear Layer S S S S S S Linear Layer S S S S S S Linear Layer How to estimate the evolution of the degree of such constructions? 50 / 59
61 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in X = {x 0,...,x 15 }. 51 / 59
62 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in Y = {y 0,...,y 15 }. The coordinates y 0 y 3 are outputs of the same Sbox (equally for the others). What is the consequence on the degree of the product? 51 / 59
63 Bounds on the degree of iterated constructions The notion of δ k Definition : For a permutation S define δ k (S) as the maximum degree of the product of k coordinates of S. δ 1 (S) := algebraic degree of S Example: degs = 3 S k δ k S permutation of F n 2 : δ k (S) = n iff k = n. 52 / 59
64 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 1 y 3 y 8 y 9 y 10. deg(π) δ 3 (S 1 )+δ 3 (S 3 ) = / 59
65 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 5 y 8 y 10 y 13 y 15. deg(π) δ 1 (S 1 )+δ 1 (S 2 )+δ 2 (S 3 )+δ 2 (S 4 ) = 12. The degree of the product is relatively low if many coordinates coming from the same Sbox are involved! 53 / 59
66 Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. 54 / 59
67 Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 1, x 3 = 3: deg(π) δ 3 x 3 +δ 4 x 4 = = / 59
68 Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 2, x 3 = 1, x 2 = 1: deg(π) δ 2 x 2 +δ 3 x 3 +δ 4 x 4 = = / 59
69 Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. Example (d = 13) x 4 = 3, x 1 = 1: deg(π) δ 1 x 1 +δ 4 x 4 = = / 59
70 Bounds on the degree of iterated constructions Towards the bound S S S S Find the maximal degree of the product π of d outputs. x i = # Sboxes for which exactly i coordinates are involved in π. deg(π) with x 1 +2x 2 +3x 3 +4x 4 = d. max (δ 1x 1 +δ 2 x 2 +δ 3 x 3 +δ 4 x 4 ) (x 1,x 2,x 3,x 4 ) 54 / 59
71 Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) deg(π) 16 d 3 55 / 59
72 Bounds on the degree of iterated constructions d x 4 x 3 x 2 x 1 deg(π) deg(π) d 3 55 / 59
73 Bounds on the degree of iterated constructions bound on the degree of SPN constructions [Boura anteaut De annière - 11] Theorem. Let F be a function from F n 2 into Fn 2 corresponding to the parallel application of an Sbox, S, defined over F n 0 2. Then, for any G from F n 2 into Fl 2, we have deg(g F) n n degg, γ(s) where n 0 i γ(s) = max. 1 i n 0 1 n 0 δ i 56 / 59
74 Bounds on the degree of iterated constructions pplication to ES One round: M SR SB K. K: ddroundkey SB: SubBytes (Sboxes of degree 7) SR: ShiftRows M: Mixolumns 57 / 59
75 Bounds on the degree of iterated constructions The Super Sbox technique Two rounds: R 2 = M SR SB K M SR SB K. Equivalently: R 2 = M SR SB K M SB SR K. Denote: SuperSbox = SB K M SB. Then: R 2 = M SR SuperSbox SR K. 58 / 59
76 Bounds on the degree of iterated constructions Bound on up to 4 rounds SuperSbox: F 32 2 F32 2 : Two non-linear layers composed of Sboxes of degree 7, separated by a linear layer. deg(supersbox) (Trivial Bound: deg(r 2 ) 7 2 = 49!!!) Bound for r rounds: deg(r r ) = deg(r r 1 R) deg(rr 1 ). 7 r = 3: deg(r 3 ) 113 r = 4: deg(r 4 ) / 59
Introduction to symmetric cryptography
Introduction to symmetric cryptography hristina Boura École de printemps en codage et cryptographie May 17, 2016 1 / 48 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationAnother view of the division property
Another view of the division property Christina Boura and Anne Canteaut Université de Versailles-St Quentin, France Inria Paris, France Dagstuhl seminar, January 2016 Motivation E K : block cipher with
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationLecture Notes on Cryptographic Boolean Functions
Lecture Notes on Cryptographic Boolean Functions Anne Canteaut Inria, Paris, France Anne.Canteaut@inria.fr https://www.rocq.inria.fr/secret/anne.canteaut/ version: March 10, 016 Contents 1 Boolean functions
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov 1,2, Dmitry Khovratovich 2, Léo Perrin 2 1 CSC, University of Luxembourg 2 SnT, University of Luxembourg https://www.cryptolux.org
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationInvariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs
Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs Jian Guo 1, Jeremy Jean 2, Ivica Nikolić 1, Kexin Qiao 3, Yu Sasaki 4, and Siang Meng Sim 1 1. Nanyang Technological
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationNonlinear Invariant Attack
Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Yosuke Todo 13, Gregor Leander 2, and Yu Sasaki 1 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp,
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationZero-Sum Partitions of PHOTON Permutations
Zero-Sum Partitions of PHOTON Permutations Qingju Wang 1, Lorenzo Grassi 2, Christian Rechberger 1,2 1 Technical University of Denmark, Denmark, 2 IAIK, Graz University of Technology, Austria quwg@dtu.dk,
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationA Stochastic Model for Differential Side Channel Cryptanalysis
A Stochastic Model for Differential Side Channel Cryptanalysis Werner Schindler 1, Kerstin Lemke 2, Christof Paar 2 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) 53175 Bonn, Germany 2 Horst
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationSieve-in-the-Middle: Improved MITM Attacks (Full Version )
Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationData complexity and success probability of statisticals cryptanalysis
Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-18 Pierre-Alain Fouque 1, Jérémy Jean,, and Thomas Peyrin 3 1 Université de Rennes 1, France École Normale Supérieure, France 3
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationand Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27
Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationProduct Systems, Substitution-Permutation Networks, and Linear and Differential Analysis
Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis Cryptology, lecture 3 Stinson, Section 2.7 3.4 Tuesday, February 12th, 2008 1 Composition Product 2 Substitution-Permutation
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More information