Cold Boot Key Recovery by Solving Polynomial Systems with Noise
|
|
- Laurel Foster
- 5 years ago
- Views:
Transcription
1 Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April 2011
2 Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application
3 Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application
4 Coldboot Attacks I In [5] a method for extracting cryptographic key material from DRAM used in modern computers was proposed. Contrary to popular belief information in DRAM is not instantly lost when the power is cut, but decays slowly over time. This decay can be further slowed down by cooling the chip. Thus, an attacker can 1. deep-freeze a DRAM module 2. move it to a target machine which dumps the content to disk 3. find the most likely key candidate (which is erroneous due to decay) 4. use some mechanism to correct those errors The technique is called Coldboot attack in literature.
5 Coldboot Attacks II Definition (The Coldboot Problem) We are given 1. K : F n 2 FN 2 where N > n, 2. two real numbers 0 δ 0, δ 1 1, 3. K = KS(k) and K i the i-th bit of K. 4. K = (K 0, K 1,..., K N 1 ) FN 2 with the following distribution: Pr[K i = 0 K i = 0] = 1 δ 1, Pr[K i = 1 K i = 0] = δ 1, Pr[K i = 1 K i = 1] = 1 δ 0, Pr[K i = 0 K i = 1] = δ and some control function E : F n 2 {True, False}, which returns true for the pre-image of the noise free version of K. The task is to recover k such that E(k) returns True or a noise-free K. The Coldboot problem is equivalent to decoding a (non-)linear code with biased noise.
6 Coldboot Attacks III A bit K i = 0 of K is correct with probability Pr[K i = 0 K i = 0] = Pr[K i = 0 K i = 0]Pr[K i = 0] Pr[K i = 0] Likewise, a bit K i = 1 of K is correct with probability denote these values by 0 and 1 respectively. = (1 δ 1) (1 δ 1 + δ 0 ). (1 δ 0) (1 δ 0+δ 1). We
7 Coldboot Attacks IV Results in [5]: Cipher δ 0 δ 1 Success Time DES % DES % AES % 1s AES % 30s Can we do better and can we recover keys for more complicated key schedules like Serpent?
8 Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application
9 PoSSo We define polynomial system solving (PoSSo) as the problem of finding a solution to a system of polynomial equations over some field. Definition (PoSSo) Consider the set F = {f 0,..., f m 1 } where each f i F[x 0,..., x n 1 ]. A solution to F is any point x F n such that f i F : f i (x) = 0. Note, that we restrict ourselves to solutions in the base field here.
10 Max-PoSSo I We can define a family of Max-PoSSo problems, analogous to the well known Max-SAT family of problems.
11 Max-PoSSo II Definition (Max-PoSSo) Find a point x F n which satisfies the maximum number of polynomials in F = {f 0,..., f m 1 } F[x 0,..., x n 1 ].
12 Max-PoSSo III Definition (Partial Max-PoSSo) Find a point x F n such that for two sets of polynomials H and S in F[x 0,..., x n 1 ] f H : f (x) = 0 and the number of polynomials f S with f (x) = 0 is maximised. Max-PoSSo is Partial Max-Posso with H =. H for hard and S for soft. Both terms are borrowed from Partial Max-SAT.
13 Max-PoSSo IV Definition (Partial Weighted Max-PoSSo) Find a point x F n such that f H : f (x) = 0 and f S C(f, x) is minimized where C : f S, x F n R 0 is a cost function which returns 0 if f (x) = 0 and some value > 0 if f (x) 0. Partial Max-PoSSo is Weighted Partial Max-PoSSo where C(f, x) returns 1 if f (x) 0 for all f S.
14 Coldboot as Partial Weighted Max-PoSSo Let F K be an equation system corresponding to K. Assume that for each noisy output bit K i there is some f i F K of the form g i + K i where g i is some polynomial. Assume that these are the only polynomials involving output bits. Denote the set of these polynomials S. Denote the set of all remaining polynomials F K as H. Define the cost function C as a function which returns for K i = 0, f (x) 0, for K i = 1, f (x) 0, 0 otherwise. Express E as a polynomial system which is satisfiable for k only and add these polynomials to H.
15 Other Applications RFID authentication protocols often based on the LPN problem which is easily described as a Max-PoSSo problem. Homomorphic Gentry s scheme rests on the LWE problem which is easily described as a Max-PoSSo problem. Side-Channel data leakage is often noisy. Alg. Attacks can be improved by simplifying equation systems using probabilistic equations.
16 Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application
17 Mixed Integer Programming I Integer optimization deals with the problem of minimising (or maximising) a function in several variables subject to linear equality and inequality constraints and integrality restrictions on some or all of the variables. Definition (MIP) A linear mixed-integer programming problem (MIP) is defined as a problem of the form where min x {c T x Ax b, x Z k R l } A is an m n-matrix (n = k + l), b is an m-vector and c is an n-vector.
18 Mixed Integer Programming II Example Maximise x + 5y, thus c = (1, 5), subject to the constraints x + 0.2y 4 and 1.5x + 3y 4 where x 0 is real valued and y 0 is integer valued. The optimal value for c T x is for x = 2 3 and y = 1. sage : p = M i x e d I n t e g e r L i n e a r P r o g r a m ( ) sage : x, y = p. n e w v a r i a b l e ( ), p. n e w v a r i a b l e ( ) sage : p. s e t i n t e g e r ( y [ 0 ] ) sage : p. a d d c o n s t r a i n t ( x [ 0 ] y [ 0 ], max=4) sage : p. a d d c o n s t r a i n t ( 1. 5 x [ 0 ] + 3 y [ 0 ], max=4) sage : p. s e t m i n ( x [ 0 ], 0 ) ; p. s e t m i n ( y [ 0 ], 0 ) sage : p. s e t o b j e c t i v e ( x [ 0 ] + 5 y [ 0 ] ) sage : p. s o l v e ( )
19 PoSSo as MIP I Consider some f F 2 [x 0,..., x n 1 ] and let Z a function that takes a polynomial over F 2 lifts it to the integers. Analogous for elements in F Restrict all x i to binary values. 2. Let l be zero if 1 does not appear in f and one otherwise.them 3. Let w be the number of monomials in f and u = 2 w/2. 4. Introduce some integer variable 0 m u Replace each monomial in f 2m by a new linearised variable, call the result g and add the linear constraint g = For each monomial t = N i=1 x i add a constraint xi t and add a constraint 0 N i=1 x i t N 1. This is the Integer Adapted Standard Conversion [2].
20 PoSSo as MIP II Example Consider f = ac + a + b + c + 1 u = 2 1. g = M + a + b + c + 1 2m = 0 2. a M 3. c M 4. 0 a + c M 1
21 PoSSo as MIP III sage : a t t a c h anf2mip. py sage : B.<a, b, c> = B o o l e a n P o l y n o m i a l R i n g ( ) sage : f = a c + a + b sage : bc = B o o l e a n P o l y n o m i a l M I P C o n v e r t e r ( ) sage : p = bc. i n t e g e r a d a p t e d s t a n d a r d c o n v e r s i o n ( [ f ] ) ; p Mixed I n t e g e r Program ( m i n i m i z a t i o n,... sage : p. show ( ) M i n i m i z a t i o n : x 1 +x 2 +x 3 +x 4 C o n s t r a i n t s : 0 <= 2 x 0 +x 1 +x 2 +x 3 <= 0 1 <= x 2 1 x 3 <= 0 1 <= x 2 1 x 4 <= 0 0 <= 1 x 2 +x 3 +x 4 <= 1 V a r i a b l e s : x 0 i s an i n t e g e r v a r i a b l e ( min =0.0, max=1.0) x 1 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0) x 2 i s a r e a l v a r i a b l e ( min =0.0, max=1.0) x 3 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0) x 4 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0)
22 PoSSo as MIP IV sage : a t t a c h anf2mip. py sage : B.<a, b, c> = B o o l e a n P o l y n o m i a l R i n g ( ) sage : f = a c + a + b + 1 sage : g = a + c + 1 sage : p = bc. i n t e g e r a d a p t e d s t a n d a r d c o n v e r s i o n ( [ f ] ) ; p Mixed I n t e g e r Program (... sage : p. s o l v e ( ) 1. 0 sage : bc. s o l v e ( [ f ] ) CPU Time : Wall time : , Obj : {b : 1, c : 0, a : 0} sage : bc. s o l v e ( [ f, g ], s o l v e r= SCIP ) CPU Time : Wall time : , Obj : {b : 0, c : 0, a : 1}
23 Partial Weighted Max-PoSSo as MIP We only need to consider Partial Weighted Max-PoSSo because it is the most general case: Convert each f H to linear constraints as before. For each f i S add a new binary slack variable e i to f i and convert the resulting polynomial as before. The objective function we minimise is c i e i where c i is the value of C(f, x) for some x such that f (x) 0. Any optimal solution x S will be an optimal solution to the Partial Weighted Max-PoSSo problem.
24 Coldboot as MIP Coldboot Partial Weighted Max-PoSSo MIP This approach is essentially the non-linear generalisation of decoding random linear codes with linear programming [4].
25 Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application
26 Simplifications We do not model E since its representation is often too costly; consequently we have no guarantee that the optimal k returned is indeed the k we are looking for. We do not include all equations available to us but restrict our attention to a subset (e.g. one or two rounds). We may use an aggressive modelling strategy where we assume δ 1 = 0 which allows us to promote some polynomials from S to H. The normal modelling assumes δ 1 = 0 + ɛ.
27 AES [3] I Core Core
28 AES [3] II Most of the key schedule is linear. The original key k appears in the output. The S-box size is 8-bit (explicit degree: 7).
29 AES [3] III N δ 0 aggr limit t r min t avg. t max t % s s s s 63% 1.38 s 8.84 s s s 70% 1.78 s s s s 66% 4.81 s s s s 69% 4.86 s s s s 65% 4.66 s s s s 68% 4.45 s s s s 47% 4.95 s s s s 61% 4.97 s s s s 62% 7.72 s s s s 8% 6.57 s s s s 13% 6.10 s s s Table: AES considering N rounds of key schedule output.
30 Serpent [1] I w 8 w 7 w 6 w 5 w 4 w 3 w 2 w 1 φ i w i 8 w i 7 w i 6 w i 5 w i 4 w i 3 w i 2 w i 1 w i 11 w i w i+1 w i+2 w i+3 S k i k i+1 k i+2 k i+3
31 Serpent [1] II All key schedule output bits depend non-linearly on the input. The original key k does not appear in the output. The S-box size is 4-bit (explicit degree: 3).
32 Serpent [1] III N δ 0 aggr limit t r min t avg. t max t s 37% 8.22 s s s s 84% 0.67 s s s s 79% 0.88 s s s s 64% s s s s 74% 1.13 s s s s 21% s s s s 38% s s s Table: Serpent considering 32 N bits of key schedule output
33 Serpent [1] IV Ad-hoc approach: We wish to recover a 128-bit key, so we need to consider at least 128-bit of output. On average the noise free output should have 64 bits set to zero. In order to consider an error rate up to δ 0, we have to consider δ 0 64 i=0 candidates and test them. If δ 0 = 0.15 we have If δ 0 = 0.30 we have ( ) 64 + δ0 64 i
34 Thank you for your attention!
35 Literature I Eli Biham, Ross J. Anderson, and Lars R. Knudsen. Serpent: A new block cipher proposal. In S. Vaudenay, editor, Fast Software Encryption 1998, volume 1372 of Lecture Notes in Computer Science, pages Springer Verlag, Julia Borghoff, Lars R. Knudsen, and Mathias Stolpe. Bivium as a Mixed-Integer Linear programming problem. In Matthew G. Parker, editor, Cryptography and Coding 12th IMA International Conference, volume 5921 of Lecture Notes in Computer Science, pages , Berlin, Heidelberg, New York, Springer Verlag. Joan Daemen and Vincent Rijmen. AES Proposal: Rijndael, Available at rijndael/rijndael-ammended.pdf.
36 Literature II Jon Feldman. Decoding Error-Correcting Codes via Linear Programming. PhD thesis, Massachusetts Institute of Technology, J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of 17th USENIX Security Symposium, pages 45 60, 2008.
Algebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationAttacking AES via SAT
Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationCold Boot Attacks in the Discrete Logarithm Setting
Cold Boot Attacks in the Discrete Logarithm Setting B. Poettering 1 & D. L. Sibborn 2 1 Ruhr University of Bochum 2 Royal Holloway, University of London October, 2015 Outline of the talk 1 Introduction
More informationAn Algebraic Framework for Cipher Embeddings
An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom
More informationBetter Algorithms for MSB-side RSA Reconstruction
Better Algorithms for MSB-side RSA Reconstruction Pratibha Jagnere, Srijan Sanket, Anuj Chauhan, and Ragesh Jaiswal Department of Computer Science and Engineering, Indian Institute of Technology Delhi.
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationRoyal Holloway University of London
Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationCode-based public-key encryption resistant to key leakage
Code-based public-key encryption resistant to key leakage Edoardo Persichetti University of Warsaw Abstract. Side-channel attacks are a major issue for implementation of secure cryptographic schemes. Among
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationBitslice Ciphers and Power Analysis Attacks
Bitslice Ciphers and Power Analysis Attacks Joan Daemen, Michael Peeters and Gilles Van Assche Proton World Intl. Rue Du Planeur 10, B-1130 Brussel, Belgium Email: {daemen.j, peeters.m, vanassche.g}@protonworld.com
More informationstate-recovery analysis of spritz
state-recovery analysis of spritz Ralph Ankele 1 Stefan Kölbl 2 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationMixed-integer Programming based Differential and Linear Cryptanalysis
Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance
More informationMILP-aided Cryptanalysis of Round Reduced ChaCha
MILP-aided Cryptanalysis of Round Reduced ChaCha Najwa Aaraj, Florian Caullery and Marc Manzano DarkMatter, UAE Abstract The inclusion of ChaCha20 and Poly1305 into the list of supported ciphers in TLS
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationImproved Key Recovery Algorithms from Noisy RSA Secret Keys with Analog Noise
Improved Key Recovery Algorithms from Noisy RSA Secret Keys with Analog Noise Noboru Kunihiro 1 and Yuki Takahashi 1 The University of Tokyo, Japan, kunihiro@k.u-tokyo.ac.jp The University of Tokyo, Japan
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationRSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data
RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data Noboru Kunihiro 1 and Junya Honda 1 The University of Tokyo, Japan, kunihiro@k.u-tokyo.ac.jp The University of Tokyo, Japan Abstract. We
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationRecovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors
Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors Noboru Kunihiro 1, Naoyuki Shinohara 2, and Tetsuya Izu 3 1 The University of Tokyo, Japan kunihiro@k.u-tokyo.ac.jp 2 NICT, Japan
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationCryptanalysis of a homomorphic public-key cryptosystem over a finite group
Cryptanalysis of a homomorphic public-key cryptosystem over a finite group Su-Jeong Choi Simon R. Blackburn and Peter R. Wild Department of Mathematics Royal Holloway, University of London Egham, Surrey
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationIntro to Physical Side Channel Attacks
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy Šibenik, Croatia Outline Why physical attacks matter Implementation attacks and power analysis
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationComputational and Algebraic Aspects of the Advanced Encryption Standard
Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationAlgebraic Precomputations in Differential and Integral Cryptanalysis
Algebraic Precomputations in Differential and Integral Cryptanalysis Martin Albrecht 1, Carlos Cid 1, Thomas Dullien 2, Jean-Charles Faugère 3, and Ludovic Perret 3 1 Information Security Group, Royal
More informationobservations on the simon block cipher family
observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationNew polynomials for strong algebraic manipulation detection codes 1
Fifteenth International Workshop on Algebraic and Combinatorial Coding Theory June 18-24, 2016, Albena, Bulgaria pp. 7 12 New polynomials for strong algebraic manipulation detection codes 1 Maksim Alekseev
More informationLinear Cryptanalysis Using Multiple Linear Approximations
Linear Cryptanalysis Using Multiple Linear Approximations Miia HERMELIN a, Kaisa NYBERG b a Finnish Defence Forces b Aalto University School of Science and Nokia Abstract. In this article, the theory of
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationState Recovery Attacks on Pseudorandom Generators
Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationDifferential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d
4th International Conference on Sensors, Measurement and Intelligent Materials (ICSMIM 2015) Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b,
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationA new version of the RC6 algorithm, stronger against χ 2 cryptanalysis
A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis Routo Terada 1 Eduardo T. Ueda 2 1 Dept. of Computer Science University of São Paulo, Brazil Email: rt@ime.usp.br 2 Dept. of Computer
More informationPerfectly secure cipher system.
Perfectly secure cipher system Arindam Mitra Lakurdhi, Tikarhat Road, Burdwan 713102 India Abstract We present a perfectly secure cipher system based on the concept of fake bits which has never been used
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationConcurrent Error Detection in S-boxes 1
International Journal of Computer Science & Applications Vol. 4, No. 1, pp. 27 32 2007 Technomathematics Research Foundation Concurrent Error Detection in S-boxes 1 Ewa Idzikowska, Krzysztof Bucholc Poznan
More informationCryptanalysis of Grain
Cryptanalysis of Grain Côme Berbain 1, Henri Gilbert 1, and Alexander Maximov 2 1 France Telecom Research and Development 38-40 rue du Général Leclerc, 92794 Issy-les-Moulineaux, France 2 Dept. of Information
More informationReconstruction and Error Correction of RSA Secret Parameters from the MSB Side
Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy To cite this version: Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy.
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More information