Some integral properties of Rijndael, Grøstl-512 and LANE-256
1 Some integral properties of Rijndael, Grøstl-512 and LANE-256
Marine Minier (1), Raphael C.-W. Phan (2), and Benjamin Pousse (3)
(1) Université de Lyon, INRIA, INSA-Lyon, CITI
(2) Electronic & Electrical Engineering, Loughborough U., UK
(3) XLIM, University of Limoges, France
CCA Seminar

2 Outline
- Description of the AES and of its little brothers
- Integral properties of the AES
- Integral properties of the different Rijndael versions
- Deduced distinguishers: with unknown keys, with known keys
- Grøstl-512 and LANE-256
- Conclusion
3 The AES and its brothers

4 AES and Rijndael (1/3) [DR 98]
Rijndael, created by J. Daemen and V. Rijmen, is the new AES standard.
Iterative block ciphers with a parallel structure.
Block sizes: 128, 160, 192, 224 or 256 bits.
Key sizes: 128, 192 or 256 bits.
The number of rounds varies between 10 and 14 according to the block size and the key size.
[Figure: plaintexts (128, ..., 224, 256 bits) as a byte matrix of 4x4, 5x4, 6x4, 7x4 or 8x4; initial key addition with K_0; rounds 1 to 9, 11 or 13, each made of ByteSub, ShiftRow, MixColumn and key addition with K_1, ..., K_9; a last round of ByteSub, ShiftRow and key addition with K_10 (no MixColumn); ciphertexts (128, ..., 224, 256 bits) as the same byte matrix]

5 The AES (2/3): Round function (1/2)
Byte Substitution: each byte a_ij of the 4x4 state is replaced by S(a_ij), where S is an 8x8 S-box.
Shift Row: row i of the state is rotated by i byte positions (row 0 is unchanged).
[Figure: the 4x4 byte matrices (a_00 ... a_33) before and after each transformation]

6 The AES (3/3): Round function (2/2)
Mix Column: each column of the state (a_0j, ..., a_3j) is multiplied by a fixed matrix to give (b_0j, ..., b_3j).
Key Addition: the 128-bit round key K_i is XORed onto the state.
[Figure: the 4x4 byte matrices a_ij before and b_ij after Mix Column, then Key Addition with K_i (128 bits)]

7 Rijndael: main differences
What changes: the number of rounds and the ShiftRows offsets.
[Figure: the state of the AES (4 columns), Rijndael-160 (5 col.), Rijndael-192 (6 col.), Rijndael-224 (7 col.) and Rijndael-256 (8 col.)]

8 General principle of cryptanalysis
[Figure: the plaintext X (n bits) goes through the initial rounds under the key K_X to the intermediate state x = Ψ(X, K_X), through the intermediate rounds f to the state y, and through the final rounds under the key K_Y to the ciphertext Y (n bits), with y = Φ(Y, K_Y)]
Distinguisher A: find a relation R(x, y) on the intermediate states that holds with a probability p as far as possible from the probability p* of the uniform distribution.
Pr[A] = Adv(A) = |p - p*|
Test over the keys (K_X, K_Y).
9 Integral properties

10 Integral property of the AES (1/2)
One byte y takes all 256 values; the other bytes are constants.
[Figure: the state over three rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey: after the first round, S(y) is spread by MixColumns over one column (z_0, z_1, z_2, z_3); after the second round, S(z_0), ..., S(z_3) are spread over the whole state; after the third round every byte s of the state is balanced]
For every byte s of the state after three rounds: Σ_{y=0}^{255} s(y) = 0.

11 Integral property of the AES (2/2)
On 6 rounds: one initial round (2^32 plaintexts, 4 key bytes), the three-round property as before, and a last round without MixColumn (2^32 ciphertexts, 4 key bytes).
For each guess of 9 key bytes, test whether Σ_{y=0}^{255} s(y) = 0.
Good keys pass the test. Take care of false alarms.

12 Complexity of integral attacks
Improvement by Ferguson: sum over the 2^32 values.
=> Complexity for 6 rounds: number of plaintexts = 6 * 2^32, complexity = 2^46 using the partial sum technique.
For 7 rounds: number of plaintexts = (with the herd technique), complexity = cipher operations.

13 For Rijndael
The same kind of properties, but, due to the slower diffusion, more rounds and better extensions.

14 Rijndael-256: first remark
Note: ShiftRows offsets 1, 2, 4; number of rounds: 14 (min).
[Figure: one active byte y goes through SubBytes, ShiftRows, MixColumns and AddKey and spreads to z_0, z_1, z_2, z_3, then to the pairs a_0 b_0, a_1 b_1, a_2 b_2, a_3 b_3]

15 Rijndael-256 integral property
Distinguisher on 4 rounds: saturation on 3 bytes => complexity: 2^24 ciphers.
[Figure: the active bytes y, n, p and the bytes z_0, z_1, z_2, z_3 through the first, second, third and fourth rounds]
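The three-round property of slide 10, its carry-over to the Rijndael variants (slides 13 to 15) and the one-byte key test of slide 11, as an added Python example that is not part of the talk: it builds the AES round functions from scratch, encrypts the 256 texts that saturate one byte, checks that every output byte XORs to zero after three rounds for the AES (4 columns) and for Rijndael-256 (8 columns, ShiftRows offsets 0, 1, 3, 4 as in the Rijndael specification) but not after four, then guesses one byte of the last round key on a fourth round without MixColumns, where the true byte passes along with occasional false alarms. All function names are this example's own; round keys and constant bytes are constructed random values, since the property does not depend on them.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(x):
    """x^254 = x^-1 in GF(2^8); 0 maps to 0, matching the AES S-box convention."""
    r, p, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p = gf_mul(p, p)
        e >>= 1
    return r

def make_sbox():
    """AES S-box: field inversion followed by the fixed affine map and the constant 0x63."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
AES_OFFSETS = (0, 1, 2, 3)           # Nb = 4 columns
RIJNDAEL_256_OFFSETS = (0, 1, 3, 4)  # Nb = 8 columns, offsets taken from the Rijndael specification
# A state is a flat list of 4*nb bytes in column-major order: byte (row r, column c) is state[r + 4*c].
def sub_bytes(state):
    return [SBOX[b] for b in state]
def shift_rows(state, nb, offsets):
    """Row r is rotated left by offsets[r] columns; these offsets are what change between Rijndael variants."""
    out = list(state)
    for r in range(4):
        for c in range(nb):
            out[r + 4 * c] = state[r + 4 * ((c + offsets[r]) % nb)]
    return out

def mix_columns(state, nb):
    out = list(state)
    for c in range(nb):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out[4 * c] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        out[4 * c + 3] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return out

def encrypt(block, round_keys, nb, offsets, last_mc=True):
    """Initial key addition, then one round per remaining key; last_mc=False drops MixColumns in the final round."""
    state = [b ^ k for b, k in zip(block, round_keys[0])]
    for i, key in enumerate(round_keys[1:], 1):
        state = shift_rows(sub_bytes(state), nb, offsets)
        if last_mc or i < len(round_keys) - 1:
            state = mix_columns(state, nb)
        state = [s ^ k for s, k in zip(state, key)]
    return state

def structure(nb, active, rng):
    """The 256 texts taking every value in byte `active` and sharing constructed random constants elsewhere."""
    base = [rng.randrange(256) for _ in range(4 * nb)]
    return [base[:active] + [v] + base[active + 1:] for v in range(256)]
def is_balanced(nb, offsets, rounds, seed=1):
    """True when, after `rounds` full rounds, every output byte XORs to zero over one structure."""
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(4 * nb)] for _ in range(rounds + 1)]
    sums = [0] * (4 * nb)
    for block in structure(nb, 0, rng):
        sums = [s ^ o for s, o in zip(sums, encrypt(block, keys, nb, offsets))]
    return all(s == 0 for s in sums)

def recover_last_key_byte(nb, offsets, pos, seed=1):
    """Three-round property plus a last round without MixColumns: guess one byte of the last round key, peel
    AddRoundKey and SubBytes on byte `pos`, keep guesses whose sum is zero. Returns (true byte, passing guesses)."""
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(4 * nb)] for _ in range(5)]
    cts = [encrypt(b, keys, nb, offsets, last_mc=False) for b in structure(nb, 0, rng)]
    passing = []
    for guess in range(256):
        total = 0
        for ct in cts:
            total ^= INV_SBOX[ct[pos] ^ guess]
        if total == 0:  # the true byte always passes; a wrong guess survives with probability about 1/256
            passing.append(guess)
    return keys[4][pos], passing
```

Call `is_balanced(4, AES_OFFSETS, 3)` and `is_balanced(8, RIJNDAEL_256_OFFSETS, 3)` to see the three-round zero-sum, and `is_balanced(4, AES_OFFSETS, 4)` to see it vanish after a fourth SubBytes. The four-round, three-byte saturation of slide 15 is the same harness with a 2^24-text structure, which is too slow in pure Python to run here.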
16 Rijndael-224 integral property
Distinguisher on 4 rounds: saturation on 2 bytes => complexity: 2^16 ciphers.
[Figure: the active bytes y, p and the bytes z_0, z_1, z_2, z_3 through the first, second, third and fourth rounds]

17 Rijndael-192 integral property (1)
Distinguisher on 4 rounds: saturation on 2 bytes => complexity: 2^16 ciphers.
[Figure: the active bytes y, p and the bytes z_0, z_1, z_2, z_3 through the four rounds]

18 Rijndael-192 integral property (2)
Distinguisher on 4 rounds: saturation on 3 bytes => complexity: 2^24 ciphers.
[Figure: the active bytes y, p, n and the bytes z_0, z_1, z_2, z_3 through the four rounds]

19 Rijndael-160 integral property
Distinguisher on 4 rounds: saturation on 3 bytes => complexity: 2^24 ciphers.
[Figure: the active bytes y, p, n and the bytes z_0, z_1, z_2, z_3 through the four rounds]
20 Unknown-key distinguishers

21 Extension of 2 rounds at the end [Ferguson et al. 00]: partial sums
The byte s is directly deduced from the ciphertext bytes c_{i,j}.
For each ciphertext c, we associate a partial sum, used to sequentially determine the key bytes k.
=> The key search is split into 4 steps.

22 Extension at the beginning: 2 methods
[Ferguson et al. 00]: one initial round => attack on 5 rounds with 2^32 plaintexts.

23 The herd technique
One more round at the beginning: naively plaintexts (work, cf. Nakahara et al.).
Fix a particular byte x => a herd: the set of ciphertexts of 2^88 structures.
Test on a single herd. x depends on (p_4, ..., p_7) and on 4 bytes of K_0.
1. Use 2^64 counters m_y.
2. Counters n_z.
3. Filter information on the key guess.

24 Combine those extensions: attack over 2+4+2 = 8 rounds (for Rijndael-256)
1. Increment the 64 bits (c_0, ..., c_3, p_4, ..., p_7).
2. Guess the 4 bytes of K_0, compute x, separate the counters into herds.
3. Choose a single herd; update n_z by adding (c_0, ..., c_3) for each correct y.
4. Guess the 5 bytes of K_7 and of K_6 of the two last rounds to decipher each z on one byte. Sum this value over the 2^32 values of z and look at the 0s.
5. Repeat this step for each value of the K_0 bytes.
=> The 4 bytes (p_4, ..., p_7) and the 4 bytes of K_0 give 4 bytes => 2^24 smaller herds => reduces the number of plaintexts of the exhaustive search.

25 Complexity and attacks on 9 rounds
Total cost: plaintexts, cipher operations.
=> Add one round at the end using a complete exhaustive search on the subkey K_9.

26 Summary of the attacks
27 Known-key distinguishers

28 [Knudsen-Rijmen 07] Notion of known-key distinguisher
Principle: create a distinguisher beginning at the middle of the cipher. Then determine a particular property linking plaintexts and ciphertexts. Compare with the complexity required to find such a structure for a random permutation.
Interest: create distinguishers when block ciphers are used as hash functions.

29 Theoretical model [Africacrypt 09]
Advantage of distinguishers [Vaudenay 97]: Adv_E(A).
Two more cases: non-adaptive, adaptive.

30 Case of an adaptive SPRP distinguisher

31 Case of a non-adaptive known-key distinguisher

32 Case study: the AES [Knu-Rij 07]
Forward sense; backward sense.

33 KK distinguisher for the AES
KK distinguisher on 7 rounds: 3 rounds backward, 4 rounds forward.
Requires 2^56 middletexts and 2^56 cipher operations.
For a random permutation => k-sum problem, complexity: 2^58 operations.
=> KK distinguisher for the AES.

34 KK distinguisher for Rijndael
Same kind of properties in the backward sense.
Summary of the KK distinguishers for Rijndael [Africacrypt 2009].

35 A last idea: some integral distinguishers for the SHA-3 candidates Grøstl-512 and LANE-256
36 Grøstl-512

37 Description of Grøstl-512 (Phase 3!) [Gauravaram, Knudsen, Matusiewicz, Mendel, Rechberger, Schläffer, Thomsen 2009]
Iterated hash function; compression function built from 2 permutations P and Q.
A t-block message M (after padding) is hashed using f(H_{i-1}, M_i) and the output transformation g(H_t):
H_0 = IV; H_i = f(H_{i-1}, M_i) = H_{i-1} ⊕ P(H_{i-1} ⊕ M_i) ⊕ Q(M_i); at the end, h = g(H_t) = trunc(H_t ⊕ P(H_t)).

38 P (and Q) permutations of Grøstl-512
P and Q: similar design to the AES, with a fixed key input and 14 rounds.
The state: 1024 bits seen as an 8x16 matrix of bytes.
The round transformations:
- AddRoundConstant (AC): adds one-byte constants to the state
- SubBytes (SB): applies the AES S-box to each byte of the state
- ShiftBytes (ShB): rotates the bytes of row j
- MixBytes (MB): linear diffusion layer: each column is multiplied by a constant matrix B

39 Integral properties of Grøstl-512 (1/3)
Direct sense: 4-round property with 2^40 texts.
Extension by 1 round at the beginning with texts:

40 Integral properties of Grøstl-512 (2/3)
Backward sense: 3-round property with 2^16 texts.
Extension by 2 rounds at the beginning with texts:

41 Integral properties of Grøstl-512 (3/3)
Combine both senses for P and Q on 10 rounds.
For P: start from the middle with middletexts having 64 active bytes; then go backward on five rounds to obtain inputs that sum to 0 on 3 shifted columns, and go forward on 5 rounds to obtain outputs that sum to 0 on 4 columns.
Do the same for Q. Using Q, get the M_t messages. Using those messages and the inputs of P, compute the H_{t-1} values. Those values verify that their sums = 0 on 3 shifted columns.
=> The sum taken over the outputs of the compression function is zero at 7 byte positions, and the corresponding inputs H_{t-1} and M_t have 0-sum on 3 shifted columns.
=> Structural property of the Grøstl-512 compression function: 0-sums for 10 rounds of P and Q.
Computational cost: operations, with few memory requirements.
42 LANE-256

43 Description of LANE-256 (Phase 1) [Indesteege 08]
Chaining values: H_{i-1} (256 bits). Message blocks: M_i (512 bits). A counter: C_i.
Compression function: H_i = f(H_{i-1}, M_i, C_i).
H_{i-1} and M_i produce the inputs of P_0, ..., P_5 via a message expansion.

44 Compression function of LANE-256
P_0, ..., P_5: 6 rounds; Q_0, Q_1: 3 rounds.
The state (input of the round function) = a 256-bit word seen as a double AES state.
Round function: SubBytes (SB), ShiftRows (SR), MixColumns (MC); AddConstant (AC): adds column constants; AddCounter (ACO): adds a column counter; SwapColumns (SC): swaps the two right columns of the left half-state with the two left columns of the right half-state.
[Figure: the SwapColumns transform]

45 Integral properties of LANE-256 (1/4)
Same principle (2 senses).
Direct sense: 4-round property with 2^16 texts.
Extension by 2 rounds at the beginning with texts:

46 Integral properties of LANE-256 (2/4)
Backward sense: 3-round backward property with 2^16 texts.
Extension by 1 round at the beginning with 2^64 texts:

47 Integral properties of LANE-256 (3/4)
Combining both integral properties on 9 rounds => distinguisher on 9 rounds with middletexts.

48 Integral properties of LANE-256 (4/4)
Extension to the LANE-256 compression function with P_0, P_1, P_2 limited to 3 rounds with values:
- use for the left part the previous property with middletexts,
- repeat the 6-round forward property for values of h_0 ⊕ h_1.
=> Intrinsic property of the compression function of LANE when using values.
Same kind of properties for LANE-512.

49 Conclusion
Integral properties of Rijndael were not well studied.
Unknown-key distinguishers; known-key distinguishers.
The last model is really useful to create distinguishers for the SHA-3 competition, but less efficient than rebound!

50 Thank you for your attention!
[DR98] J. Daemen, V. Rijmen: AES proposal: Rijndael. In First AES conference, NIST, 1998.
[Ferguson et al. 00] N. Ferguson et al.: Improved Cryptanalysis of Rijndael. FSE 2000.
[Knudsen-Rijmen 07] L. R. Knudsen, V. Rijmen: Known-Key Distinguishers for Some Block Ciphers. ASIACRYPT 2007.
Grøstl:
LANE:
Differential Analysis of the LED Block Cipher Florian Mendel, Vincent Rijmen, Deniz Toz, Kerem Varıcı KU Leuven, ESAT/COSIC and IBBT, Belgium {florian.mendel,vincent.rijmen,deniz.toz,kerem.varici}@esat.kuleuven.be
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationImproved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256
Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationCryptography: Key Issues in Security
L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationAutomatic Search of Attacks on round-reduced AES and Applications
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque ENS, CNRS, INRIA, 45 rue d Ulm, 75005 Paris, France {charles.bouillaguet,patrick.derbez,pierre-alain.fouque}@ens.fr
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationMILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics
MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed Abdelkhalek, Yu Sasaki 2, Yosuke Todo 2, Mohamed Tolba, and Amr M. Youssef :Concordia University, 2: NTT
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More information