Introduction to symmetric cryptography
|
|
- Irene Cox
- 5 years ago
- Views:
Transcription
1 Introduction to symmetric cryptography hristina Boura École de printemps en codage et cryptographie May 17, / 48
2 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions and cryptographic Sboxes ttacks against block ciphers exploiting a low algebraic degree lgebraic attacks Higher-order differential attacks Integral attacks Estimating the algebraic degree of iterated constructions 2 / 48
3 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions and cryptographic Sboxes ttacks against block ciphers exploiting a low algebraic degree lgebraic attacks Higher-order differential attacks Integral attacks Estimating the algebraic degree of iterated constructions 2 / 48
4 Bibliography The Block ipher ompanion, Lars Knudsen and Matt Robshaw Lecture Notes on ryptographic Boolean Functions, nne anteaut nalyse de Fonctions de Hachage ryptographiques, Thèse, hristina Boura 3 / 48
5 Introduction to symmetric-key cryptography Outline 1 Introduction to symmetric-key cryptography 4 / 48
6 Introduction to symmetric-key cryptography Symmetric-key encryption lice and Bob exchange the secret key through a secure channel. Encryption Decryption 5 / 48
7 Introduction to symmetric-key cryptography Symmetric-key encryption lice and Bob exchange the secret key through a secure channel. Encryption Decryption Key-exchange problem birth of the public-key cryptography. 5 / 48
8 Introduction to symmetric-key cryptography Public-key encryption Encryption %gti2z* Decryption 6 / 48
9 Introduction to symmetric-key cryptography dvantages and disadvantages of each system Secret-key Public-key dvantages Fast systems Relatively short-keys No key-exchange needed n users: 2n keys Disadvantages Need secure key-exchange n users: n(n 1) 2 Slow systems keys Relatively long-keys 7 / 48
10 Introduction to symmetric-key cryptography Hybrid encryption Idea: Use a combination of asymmetric and symmetric encryption to benefit from the strengths of every system. Encryption Decryption Encryption Decryption 8 / 48
11 Introduction to symmetric-key cryptography Hybrid encryption Use a public-key cryptosystem to exchange a key (session key). Use the exchanged key to encrypt data by using a symmetric-key cryptosystem. dvantages: Slow public-key cryptosystem is used to encrypt a short string only. Fast symmetric-key cryptosystem is used to encrypt the longer communication session. 9 / 48
12 Introduction to symmetric-key cryptography Symmetric-key authentication Message authentication code (M) Verify Y/N Sign 10 / 48
13 Introduction to symmetric-key cryptography Public-key authentication Digital signatures Verify Y/N Sign lice s public key lice s secret key 11 / 48
14 Introduction to symmetric-key cryptography Hash functions If the message to sign is long, the signing process becomes heavy... Idea: Use a cryptographic hash function. H : {0,1} {0,1} n good hash function should be preimage, second-preimage and collision resistant. In recent hash proposals: n = 256, 512 Hash functions are considered as symmetric-key functions because they use similar building blocks with block-ciphers. 12 / 48
15 Introduction to symmetric-key cryptography Hash and sign Sign Verify Y/N lice s secret key lice s public key 13 / 48
16 Introduction to symmetric-key cryptography The best of the two worlds Secrecy: Hybrid encryption uthentication: Digital signatures with hashing There is a need for both public and symmetric-key cryptosystems. 14 / 48
17 Introduction to symmetric-key cryptography Symmetric-key cryptosystems cryptosystem is a five-tuple (P,, K, E, D) P: set of possible plaintexts : set of possible ciphertexts K: set of possible keys For each k K, there is an encryption rule e k E and a decryption rule d k D. For each k K : d k (e k (m)) = m, for every m P. m e k c d k m 15 / 48
18 Introduction to symmetric-key cryptography Kerckhoffs s principle (1883) In 1883 ugust Kerckhoffs stated 6 design principles for military ciphers. The 2nd principle states: cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Reformulated by laude Shannon as The enemy knows the system. i.e., One ought design systems under the assumption that the enemy will immediately gain full familiarity with them. 16 / 48
19 Introduction to symmetric-key cryptography laude Shannon s theory ommunication Theory of Secrecy Systems, published in Many fundamental ideas of modern cryptography are introduced there: Provable security. onfusion and diffusion. Product ciphers. 17 / 48
20 Introduction to symmetric-key cryptography Shannon s idea of perfect secrecy No information about the plaintext can be obtained by observing the ciphertext. Shannon s definition: cryptosystem has perfect secrecy if n equivalent formulation: Pr(m c) = Pr(m) for all m P,c. Pr(c m) = Pr(c) for all m P,c. 18 / 48
21 Introduction to symmetric-key cryptography Shannon s theorem cryptosystem where P = = K provides perfect secrecy iff 1 Pr K (k) = 1/ K, k K 2 m P,c, exists unique k such that e k (m) = c. Fact: If P > K then no scheme is perfectly secure. 19 / 48
22 Introduction to symmetric-key cryptography The Vernam ipher or One-time Pad One-time Pad Let n 1 and P,,K = {0,1} n. If m = (m 1,...,m n ) P and k = (k 1,...,k n ) K then c = e k (m) = (m 1 k 1,...,m n k n ). Decryption: d k (c) = c k = m k k = m The One-time Pad provides perfect secrecy if used correctly: ll keys are equally likely. Each key is used only once. Two-time Pad c c = (m k) (m k) = m m. 20 / 48
23 Introduction to symmetric-key cryptography The One-time Pad is perfectly secure but... The secret key must be as long as the message. new key has to be generated for each communication. These long keys have to be exchanged in a secure way. Problem of generating truly random sequences for the key. 21 / 48
24 Introduction to symmetric-key cryptography onfusion and diffusion Diffusion: Each digit of the plaintext and each digit of the secret key should influence many digits of the ciphertext. onfusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst. Idea: Use permutations to attain diffusion and substitutions to attain confusion. Product iphers 22 / 48
25 Introduction to symmetric-key cryptography Security notions Perfectly secret system: the key has to be at least as long as the message. ll cryptosystems used in practice can theoretically be broken. Symmetric-key approach: Try to make the system secure against all known attacks. No attack should be faster than exhaustive search on the key. 23 / 48
26 Introduction to symmetric-key cryptography Exhaustive search Expected time to recover a κ-bit key: 2 κ 1 operations. κ Time complexity Security (bits) (operations) easy to break practical to break not currently feasible very strong exceptionally strong Table from [Knudsen, Robshaw, The Block ipher ompanion, 2011.] The universe is less than 2 80 microseconds old! The number of the protons in the universe is / 48
27 Introduction to symmetric-key cryptography ryptanalysis of an encryption scheme Different attack models: iphertext-only attack. Known-plaintext attack. hosen-plaintext/ciphertext attack. daptively chosen-plaintext/ciphertext attack. The performance of an attack is measured by its: time complexity. data complexity. memory complexity. 25 / 48
28 Introduction to symmetric-key cryptography Symmetric encryption schemes Stream ciphers ombine (XOR) plaintext bits with a keystream generated by a pseudo-number generator. Keystream should have good statistical properties. dvantages: Performance and low hardware complexity. Block ciphers Operate on blocks of data. Probably the best understood symmetric primitives. an be used to build hash functions, stream ciphers, Ms, authenticated encryption algorithms, PRNGs / 48
29 Introduction to symmetric-key cryptography Block ciphers Encrypt a block of message m into a block of ciphertext c under the action of the key k. E : {0,1} n {0,1} κ {0,1} n (m,k) E(m,k) = c k m E c Given k, it must be easy to compute c from m. Given m,c it must be hard to compute k such that E(m,k) = c. 27 / 48
30 Introduction to symmetric-key cryptography Two important parameters: block size, n key size, κ block cipher generates a family of permutations indexed by a key k. (2 n )! permutations subset 2 κ Ideal design: 2 κ permutations chosen uniformly at random from all 2 n! 2 (n 1)2n permutations. 28 / 48
31 Introduction to symmetric-key cryptography Iterated block ciphers Idea: Iterate a round function f several times. The function f r is waited to be strong for large r. dvantages: ompact implementation. Easier analysis. master key k Key schedule k 1 k 2 k r m f f f c Use a key schedule to extend the user-supplied (or master) key to a sequence of r subkeys. 29 / 48
32 Introduction to symmetric-key cryptography How to build the round function? Two major approaches: Feistel network. Substitution-Permutation Network (SPN). 30 / 48
33 Introduction to symmetric-key cryptography Feistel Network Encryption L 0 R 0 k 1 Introduced by Horst Feistel in the early 70 s. F Split plaintext block: m = (L 0,R 0 ) For each round i = 0,...,r do: L i+1 = R i R i+1 = L i F(R i k i+1 ) iphertext block c = (R r+1,l r+1 ) k 2 F k r F R r+1 L r+1 31 / 48
34 Introduction to symmetric-key cryptography Feistel Network Introduced by Horst Feistel in the early 70 s. Split ciphertext block: c = (R r+1,l r+1 ) For each round i = r,...,0 do: R i = L i+1 L i = R i+1 F(L i+1 k i+1 ) Plaintext block m = (L 0,R 0 ) Decryption R r+1 L r+1 k r F k r 1 F Decryption with K = (k 1,...,k r ) equals encryption with K = (k r,...,k 1 ). F has not to be invertible. L 0 k 1 F R 0 31 / 48
35 Introduction to symmetric-key cryptography Data Encryption Standard (DES) The first and probably most famous Feistel cipher. Designed by IBM and published in Based on an earlier internal design called Lucifer. 1977: DES is published as a FIPS standard [FIPS 46]. 32 / 48
36 Introduction to symmetric-key cryptography DES Block size: 64 bits Key size: 56 bits 16 rounds 32 bits L 0 IP k 1 48 bits F R 0 32 bits Ri (32 bits) ki (48 bits) k 2 E 48 bits F S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 k 16 F P IP 1 R 16 L / 48
37 Introduction to symmetric-key cryptography Generalized Feistel Networks lassical Feistel Unbalanced Feistel lternating Feistel F F F G Type-1 Feistel Type-2 Feistel F F G 34 / 48
38 Introduction to symmetric-key cryptography Structrural properties of DES The omplementation Property DES k (m) = DES k (m) where x := bitwise complement of x Limited impact to the security in the classical model. Halves the cost of the exhaustive key search. Encrypt m and m: c = DES k (m) and c = DES k (m) For each candidate t, compute d = DES t (m). heck if d = c t candidate for k. heck if d = c (d = DES t (m)) t candidate for k. 35 / 48
39 Introduction to symmetric-key cryptography Structrural properties of DES Weak keys k weak: DES k (DES k (m)) = m. 4 weak keys were found for DES. Each weak key has 2 32 fixed points m : DES k (m) = m. 36 / 48
40 Introduction to symmetric-key cryptography Breaking DES 1992 : Differential cryptanalysis (theoretical attack, 2 47 chosen plaintexts) : Linear cryptanalysis (practical attack, a DES key is recovered). 1997: DESHLL Project (brute-force project over the net). message encrypted with DES is broken for the first time. 1999: Deep rack and distributed.net break a DES key in less than 23 hours. 2004: The standard is withdrawn. Key-length too short!!! DES still survives via its Triple-DES form. 37 / 48
41 Introduction to symmetric-key cryptography Substitution Permutation Network (SPN) m k1 Substitution Permutation k2 Substitution Permutation k3 Substitution Permutation k4 Substitution Permutation k5 c 38 / 48
42 Introduction to symmetric-key cryptography Substitution Permutation Network (SPN) m k1 S S S S k2 S S S S k3 S S S S k4 S S S S k5 c 38 / 48
43 Introduction to symmetric-key cryptography The dvanced Encryption Standard (ES) ompetition [ ] On January 2, 1997 the NIST announced that they wished a successor to DES (to be known as ES). Public competition, inputs from the cryptographic community. Requirements: Block size of 128 bits, key size of 128, 192, 256 bits, security of 2-key triple-des as minimum. 21 submissions (15 accepted for the 1st round) 5 finalists (Rijndael, Serpent, Twofish, R6, MRS) On October 2, 2000, Rijndael becomes the ES. 2001: Standardization [FIPS 197] 39 / 48
44 Introduction to symmetric-key cryptography ES Designed by Joan Daemen and Vincent Rijmen. Structure: Byte-oriented Substitution-Permutation Network. State: 128 bits, seen as a 4 4 matrix of bytes. 3 key-lengths: 128, 192, 256 bits Number of rounds: 10, 12, 14 rounds resp. 40 / 48
45 Introduction to symmetric-key cryptography ES Representation Each byte is viewed in two different ways: string of 8 bits (b 7,b 6,b 5,b 4,b 3,b 2,b 1,b 0 ) (8 th -dim vector over F 2 ) n element of the finite field with 2 8 elements F 2 8 b 7 X 7 +b 6 X 6 +b 5 X 5 +b 4 X 4 +b 3 X 3 +b 2 X 2 +b 1 X 1 +b 0 Irreducible polynomial R P R P = X 8 +X 4 +X 3 +X / 48
46 Introduction to symmetric-key cryptography n ES round Four byte-oriented transformations. SubBytes ShiftRows Mixolumns ddroundkey 42 / 48
47 Introduction to symmetric-key cryptography SubBytes S 43 / 48
48 Introduction to symmetric-key cryptography The ES Sbox S : F 2 8 F 2 8 x x 1 followed by an affine transformation on F 8 2 : y x 0 1 y x 1 1 y x 2 0 y 3 y 4 = x x y x 5 1 y x 6 1 y x 7 0 Good resistance against differential and linear cryptanalysis. 44 / 48
49 Introduction to symmetric-key cryptography ShiftRows 45 / 48
50 Introduction to symmetric-key cryptography Mixolumns M x 0 y x x 2 = y 1 y x 3 y 3 46 / 48
51 Introduction to symmetric-key cryptography Mixolumns M MDS matrix. Branch number = min x F 8 2 (HW(x)+HW(M(x)) = / 48
52 Introduction to symmetric-key cryptography ddroundkey K i Lightweight non-linear key-schedule (memory, performance) 47 / 48
53 Introduction to symmetric-key cryptography ryptanalysis of ES 2000 Integral attacks 2002 lgebraic attacks: ES is claimed to be broken. Proved to be not realistic Related-key attacks: ES-192 and ES-256 are broken under this model. Should we care? Meet-in-the-middle attacks 2011 Biclique attacks: First theoretical attacks on full ES. omplexity is quite marginal (see them as accelerated exhaustive search). 48 / 48
54 Boolean Functions lgebraic attacks hristina Boura École de printemps en codage et cryptographie May 18, / 42
55 Boolean functions and cryptographic Sboxes Outline 1 Boolean functions and cryptographic Sboxes 2 lgebraic attacks 2 / 42
56 Boolean functions and cryptographic Sboxes Boolean functions Inspired by nne anteaut s Lecture Notes Boolean function f of n variables is a function f : F n 2 F 2 x = (x 1,...,x n ) f(x) Value vector: Binary vector v f of length 2 n composed of all values f(x), for x F n 2. Example: f : F 3 2 F 2 v f = (f(1,1,1),f(1,1,0),f(1,0,1),f(1,0,0),f(0,1,1),f(0,1,0),f(0,0,1),f(0,0,0)) v f = (1,0,0,1,1,0,1,0) 3 / 42
57 Boolean functions and cryptographic Sboxes Truth table x x x f(x 1,x 2,x 3 ) / 42
58 Boolean functions and cryptographic Sboxes Question Question: How many different Boolean functions of n variables exist? 5 / 42
59 Boolean functions and cryptographic Sboxes Question Question: How many different Boolean functions of n variables exist? 2 2n 5 / 42
60 Boolean functions and cryptographic Sboxes Hamming weight of a Boolean function Let f : F n 2 F 2. The Hamming weight of f is defined as the number of 1 s in v f. wt(f) = wt(v f ) = #{x F n 2 : f(x) 0} For many cryptographic applications, we need Boolean functions that have a behaviour close to random functions. Use balanced functions. f is balanced wt(f) = 2 n 1 6 / 42
61 Boolean functions and cryptographic Sboxes Balancedness and bias Let f : F n 2 F 2. The bias of f is E(f) = x F n 2 ( 1) f(x) = #{x F n 2 : f(x) = 0} #{x F n 2 : f(x) = 1} = 2 n #{x F n 2 : f(x) = 1} #{x Fn 2 : f(x) = 1} = 2 n 2wt(f) f is balanced E(f) = 0 7 / 42
62 Boolean functions and cryptographic Sboxes lternative representation of a Boolean function Representation of a Boolean function, where the function is seen as a multivariate polynomial. In F 2 : +: XOR : ND x 2 i = x i (as 0 2 = 0 and 1 2 = 1) Monomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n ): product of distinct variables Examples: x 1, x 3 x 4, x 2 x 4 x 5, x 1 x 2...x n 8 / 42
63 Boolean functions and cryptographic Sboxes Monomials Notation : Monomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n ): where u = (u 1,...,u n ) F n 2. x u = n i=1 x u i i, Example: x F 4 2 : x1010 = x 1 1 x0 2 x1 3 x0 4 = x 1x 3 9 / 42
64 Boolean functions and cryptographic Sboxes lgebraic normal form (NF) Proposition: ny f : F n 2 F 2 can be uniquely written as a multivariate polynomial in F 2 [x 1,...,x n ]/(x 2 1 +x 1,...,x 2 n +x n): f(x 1,...,x n ) = a u x u, where a u F 2. u F n 2 This polynomial is called the lgebraic Normal Form (NF) of f. The coefficients a u can be computed as follows: a u = x uf(x), where x u x i u i, pour 1 i n 10 / 42
65 Boolean functions and cryptographic Sboxes Example (x 1,x 2,x 3 ) (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0) f(x 1,x 2,x 3 ) a 000 = f(0,0,0) = 0 a 100 = f(1,0,0)+f(0,0,0) = 1+0 = 1 a 010 = f(0,1,0)+f(0,0,0) = 0+0 = 0 a 110 = f(1,1,0)+f(0,1,0)+f(1,0,0)+f(0,0,0) = = 0 a 001 = f(0,0,1)+f(0,0,0) = 1+0 = 1 a 101 = f(1,0,1)+f(1,0,0)+f(0,0,1)+f(0,0,0) = = 0 a 011 = f(0,1,1)+f(0,1,0)+f(0,0,1)+f(0,0,0) = = 1 a 111 = x F 3 f(x) = wt(f) mod 2 = / 42
66 Boolean functions and cryptographic Sboxes Example (x 1,x 2,x 3 ) (1,1,1) (0,1,1) (1,0,1) (0,0,1) (1,1,0) (0,1,0) (1,0,0) (0,0,0) f(x 1,x 2,x 3 ) a 000 = f(0,0,0) = 0 a 100 = f(1,0,0)+f(0,0,0) = 1+0 = 1 a 010 = f(0,1,0)+f(0,0,0) = 0+0 = 0 a 110 = f(1,1,0)+f(0,1,0)+f(1,0,0)+f(0,0,0) = = 0 a 001 = f(0,0,1)+f(0,0,0) = 1+0 = 1 a 101 = f(1,0,1)+f(1,0,0)+f(0,0,1)+f(0,0,0) = = 0 a 011 = f(0,1,1)+f(0,1,0)+f(0,0,1)+f(0,0,0) = = 1 a 111 = x F 3 f(x) = wt(f) mod 2 = 0 2 f(x 1,x 2,x 3 ) = x 1 +x 3 +x 2 x 3 11 / 42
67 Boolean functions and cryptographic Sboxes Degree of a Boolean function The algebraic degree of a Boolean function f is defined as deg(f) = max{wt(u) : a u 0} u F n 2 Example: f(x 1,x 2,x 3 ) = x 1 x 2 x 3 +x 1 x 3 +x deg(f) = 3 12 / 42
68 Boolean functions and cryptographic Sboxes Functions of degree n Let f : F n 2 F 2. a = x F n 2 f(x) = wt(f) mod 2 deg(f) = n iff wt(f) is odd. Functions of maximum degree are not balanced. Maximal degree functions are not used in cryptographic applications. 13 / 42
69 Boolean functions and cryptographic Sboxes ffine functions Let f : F n 2 F 2 of degree 1. Then, wt(f) = 2 n 1. ffine functions are balanced. Let f = b x+ε, with b F n 2 \{0} and ε F 2. If ε = 1, f(x) = 1 iff b x = 0 iff x b (hyperplane) If ε = 0, f(x) = 1 iff b x = 1 iff x F n 2 \ b 14 / 42
70 Boolean functions and cryptographic Sboxes ryptographic Sboxes n Sbox S from F n 2 into Fm 2 variables. is a collection of m Boolean functions of n Example (PRESENT Sbox S : F 4 2 F4 2 ) x a b c d e f S(x) c 5 6 b 9 0 a d 3 e f S 1 (x) S 2 (x) S 3 (x) S 4 (x) / 42
71 Boolean functions and cryptographic Sboxes NF of the Sbox S 1 = x 1 +x 3 +x 4 +x 2 x 3 S 2 = x 2 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 3 +x 4 +x 1 x 2 +x 1 x 4 +x 2 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 4 = 1+x 1 +x 2 +x 4 +x 2 x 3 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 The functions S 1,...,S m are called the coordinates of the Sbox. 16 / 42
72 Boolean functions and cryptographic Sboxes omponents of the Sbox Let S : F n 2 Fm 2. The components of the Sbox are the n-variable Boolean functions S λ : x λ S(x) for all λ F m 2. Examples: S 3 = S 1 +S 2 S 15 = S 1 +S 2 +S 3 +S 4 The components of an Sbox offer a useful characterisation. 17 / 42
73 Boolean functions and cryptographic Sboxes When an Sbox is a permutation Let S : F n 2 Fn 2. S is a permutation iff all its non-trivial components are balanced. Proof. (S permutation S λ are balanced) Suppose S is a permutation and let λ 0. Then, E(S λ ) = ( 1) λ S(x) = ( 1) λ y = 0. x F n 2 y F n 2 18 / 42
74 Boolean functions and cryptographic Sboxes lgebraic degree of an Sbox Let S : F n 2 Fm 2. The degree of S is the maximal degree of the NF of its components. Example: S = (S 1,S 2,S 3,S 4 ) S 1 = x 1 +x 3 +x 4 +x 2 x 3 S 2 = x 2 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 3 +x 4 +x 1 x 2 +x 1 x 4 +x 2 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 4 = 1+x 1 +x 2 +x 4 +x 2 x 3 +x 1 x 2 x 3 +x 1 x 2 x 4 +x 1 x 3 x 4 deg(s) = 3 19 / 42
75 Boolean functions and cryptographic Sboxes lgebraic degree of a permutation Boolean functions of maximal degree are not balanced. n Sbox is a permutation iff all its non-trivial components are balanced. The degree of an Sbox is the maximal degree of its components. Let S : F n 2 Fn 2. S is a permutation deg(s) n 1 20 / 42
76 Boolean functions and cryptographic Sboxes Univariate representation Identify the vector space F n 2 with the finite field F 2 n. S(X) = 2 n 1 i=0 b i X i, b i F 2 n. 21 / 42
77 Boolean functions and cryptographic Sboxes Degree in the univariate representation Let S be an n-bit Sbox and let F(x) = 2 n 1 i=0 be its univariate representation in F 2 n[x]. The degree of F is given by b i x i deg(f) = max{wt(i) : 0 i < 2 n and b i 0}. 22 / 42
78 lgebraic attacks Outline 1 Boolean functions and cryptographic Sboxes 2 lgebraic attacks 23 / 42
79 lgebraic attacks Basic algebraic attack Principle introduced by laude Shannon in Express the whole cipher as a large system of multivariate algebraic equations. Known-plaintext attack Known coefficients : plaintext and ciphertext bits Uknowns: key bits Solve the algebraic system and recover the secret key. 24 / 42
80 lgebraic attacks Linearization (I) The complexity of the attack depends on the degree of the system. (naive) method for solving such a system: linearization. Idea: Identify the system with a linear system of d i=1 ( ) n variables, i where n is the block size. Each product of i initial variables, 1 i d is seen as a new variable. 25 / 42
81 lgebraic attacks Linearization (II) Solve the linear system by linear algebra. omplexity: ( d i=1 ( ) ) ω n n ω, i where ω depends on the method used for the resolution (ω 2.37). Other methods for solving the system: Gröbner basis algorithms ad-hoc techniques: XL, XSL. 26 / 42
82 lgebraic attacks Example on a toy cipher nne anteaut s Lecture Notes Block size: n = 4 bits Key size: 8 bits k 1 k 2 m u S v c c = k 2 S(m k 1 ) c k 2 = S(m k 1 ) One plaintext-ciphertext pair gives 4 equations in 8 variables. 27 / 42
83 lgebraic attacks NF of the Sbox x a b c d e f S(x) f e b c 6 d a S 1 = 1+x 1 +x 3 +x 2 x 3 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 +x 2 x 3 x 4 S 2 = 1+x 1 x 2 +x 1 x 3 +x 1 x 2 x 3 +x 4 +x 1 x 4 +x 1 x 2 x 4 +x 1 x 3 x 4 S 3 = 1+x 2 +x 1 x 2 +x 2 x 3 +x 4 +x 2 x 4 +x 1 x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 S 4 = 1+x 3 +x 1 x 3 +x 4 +x 2 x 4 +x 3 x 4 +x 1 x 3 x 4 +x 2 x 3 x 4 28 / 42
84 lgebraic attacks Write down the equations Express each ciphertext bit c i, 1 i 4, as a multivariate polynomial in the plaintext bits m 1,...,m 4 and in the key bits k 1,...,k 8. c 1 +k 5 = 1+(m 1 +k 1 )+(m 3 +k 3 )+(m 2 +k 2 )(m 3 +k 3 )+(m 4 +k 4 ) + (m 2 +k 2 )(m 4 +k 4 )+(m 3 +k 3 )(m 4 +k 4 )+(m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) + (m 2 +k 2 )(m 3 +k 3 )(m 4 +k 4 ) c 2 +k 6 = 1+(m 1 +k 1 )(m 2 +k 2 )+(m 1 +k 1 )(m 3 +k 3 )+(m 1 +k 1 )(m 2 +k 2 )(m 3 +k 3 ) + (m 4 +k 4 )+(m 1 +k 1 )(m 4 +k 4 )+(m 1 +k 1 )(m 2 +k 2 )(m 4 +k 4 ) + (m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) c 3 +k 7 = 1+(m 2 +k 2 )+(m 1 +k 1 )(m 2 +k 2 )+(m 2 +k 2 )(m 3 +k 3 )+(m 4 +k 4 ) + (m 2 +k 2 )(m 4 +k 4 )+(m 1 +k 1 )(m 2 +k 2 )(m 4 +k 4 )+(m 3 +k 3 )(m 4 +k 4 ) + (m 1 +k 1 )(m 3 +k 3 )(m 4 +k 4 ) c 4 +k 8 = 1+(m 3 +k 3 )+(m 1 +k 1 )(m 4 +k 3 )+(m 4 +k 4 )+(m 3 +k 2 )(m 4 +k 4 ) + (m 3 +k 3 )(m 4 +k 4 )+(m 2 +k 1 )(m 3 +k 3 )(m 4 +k 5 ) + (m 2 +k 2 )(m 3 +k 4 )(m 4 +k 4 ) 29 / 42
85 lgebraic attacks Re-write the equations c 1 +k 5 = S 1 (m)+(1+m 3 m 4 )k 1 +(m 3 +m 4 +m 3 m 4 )k 2 + (1+m 2 +m 4 +m 1 m 4 +m 2 m 4 )k 3 + (1+m 2 +m 3 +m 1 m 3 +m 2 m 3 )k 4 +m 4 k 1 k 3 +m 3 k 1 k 4 +(1 +m 4 )k 2 k 3 + (1+m 3 )k 2 k 4 +(1+m 1 +m 2 )k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 c 2 +k 6 = S 2 (m)+(m 2 +m 3 +m 2 m 3 +m 4 +m 2 m 4 +m 3 m 4 )k 1 + (m 1 +m 1 m 3 +m 1 m 4 )k 2 +(m 1 +m 1 m 2 +m 1 m 4 )k 3 + (1+m 1 +m 1 m 2 +m 1 m 3 )k 4 +(1 +m 3 +m 4 )k 1 k 2 +(1+m 2 +m 4 )k 1 k 3 + (1+m 2 +m 3 )k 1 k 4 +m 1 k 2 k 3 +m 1 k 2 k 4 +m 1 k 3 k 4 +k 1 k 2 k 3 +k 1 k 2 k 4 +k 1 k 3 k 4 c 3 +k 7 = S 3 (m)+(m 2 +m 2 m 4 +m 3 m 4 )k 1 +(1+m 1 +m 3 +m 4 +m 1 m 4 )k 2 + (m 2 +m 4 +m 1 m 4 )k 3 +(1+m 2 +m 3 +m 1 m 2 +m 1 m 3 )k 4 +(1 +m 4 )k 1 k 2 + m 4 k 1 k 3 +(m 2 +m 3 )k 1 k 4 +k 2 k 3 +m 1 k 3 k 4 +(1 +m 1 )k 2 k 4 +k 3 k 4 +k 1 k 2 k 4 + k 1 k 3 k 4 c 4 +k 8 = S 4 (m)+(m 3 +m 3 m 4 )k 1 +(m 4 +m 3 m 4 )k 2 + (1+m 1 +m 4 +m 1 m 4 +m 2 m 4 )k 3 +(1 +m 2 +m 3 +m 1 m 3 +m 2 m 3 )k 4 + (1+m 4 )k 1 k 3 +(m 3 )k 1 k 4 +m 4 k 2 k 3 +(1+m 3 )k 2 k 4 +(1+m 1 +m 2 )k 3 k 4 + k 1 k 3 k 4 +k 2 k 3 k 4 30 / 42
86 lgebraic attacks Replace the known values From the plaintext-ciphertext couple (m, c) = (0x0, 0x4) we get c 1 +k 5 = 1+k 1 +k 3 +k 4 +k 2 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 c 2 +k 6 = 1+k 4 +k 1 k 2 +k 1 k 3 +k 1 k 4 +k 1 k 2 k 3 +k 1 k 2 k 4 +k 1 k 3 k 4 c 3 +k 7 = 1+k 2 +k 4 +k 1 k 2 +k 2 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 2 k 4 +k 1 k 3 k 4 c 4 +k 8 = 1+k 3 +k 4 +k 1 k 3 +k 2 k 4 +k 3 k 4 +k 1 k 3 k 4 +k 2 k 3 k 4 Polynomial system of degree d = 3 with 8 unknowns. 31 / 42
87 lgebraic attacks Linearize the system Replace each monomial in the key bits of degree 2 or 3 with a new unknown: k 9 = k 1 k 2,k 10 = k 1 k 3,...,k 14 = k 3 k 4,k 15 = k 1 k 2 k 3,...,k 18 = k 2 k 3 k 4 c 1 +k 5 = 1+k 1 +k 3 +k 4 +k 12 +k 13 +k 14 +k 16 +k 18 c 2 +k 6 = 1+k 4 +k 9 +k 10 +k 11 +k 15 +k 17 +k 16 c 3 +k 7 = 1+k 2 +k 4 +k 9 +k 12 +k 13 +k 14 +k 17 +k 16 c 4 +k 8 = 1+k 3 +k 4 +k 10 +k 13 +k 14 +k 16 +k 18 Linear system with 8+ ( 4 2) + ( 4 3) = 18 unknowns. 32 / 42
88 lgebraic attacks Solve the system Here, 5 (m,c) couples are enough to solve the system (4 5 = 20 equations). In practice, block ciphers have a much larger block size and are composed of many rounds. The degree of the polynomial system increases with the number of rounds. Solving such systems: infeasible even for a few rounds. 33 / 42
89 lgebraic attacks lternative solution: use intermediate variables Use intermediate variables to control the degree of the system. k 1 k 2 w S x k 3 m u S v c onsider the 4 bits of v as additional unknowns. One known P- pair gives 8 equations of degree 3 with 16 unknowns (12 key bits + 4 bits of v). For any additional P- pair : +4 equations but +4 unknowns N P- pairs 8N equations and N unknowns. 34 / 42
90 lgebraic attacks dvanced algebraic attack Decrease the degree of the polynomial system even if the round function has a high degree. Idea introduced by ourtois and Pieprzyk in Example: Relations of degree 2 between inputs and outputs: x 2 x 4 +x 2 S 1 (x 1,...,x 4 )+x 2 S 2 (x 1,...,x 4 ) = 0 We get then the following quadratic equation: (m 4 +c 1 +c 2 )k 2 +m 2 k 4 +m 2 k 5 +m 2 k 6 +k 2 k 4 +k 2 k 5 +k 2 k 6 = m 2 m 4 +m 2 c 1 +m 2 c / 42
91 lgebraic attacks Relations of degree 2 21 linearly independent relations of degree 2 between the input and the output bits can be exhibited. System easier to solve than the original equations. Question: What is the least number of linearly independent relations of degree at most d? d i=0 ( ) 2n 2 n i 36 / 42
92 lgebraic attacks Example ny function from F 4 2 into F4 2 has at least 2 i=0 ( ) = = 21 i quadratic relations between its inputs and outputs. 37 / 42
93 lgebraic attacks The case of ES (I) The ES Sbox can be seen as the composition of the inversion over F 2 8 with an affine function. For the inverse operation, the input a and output b satisfy the relation over F 2 8. ab = 1 (a 7 X 7 +a 6 X 6 +a 5 X 5 +a 4 X 4 +a 3 X 3 +a 2 X 2 +a 1 X +a 0 ) (b 7 X 7 +b 6 X 6 +b 5 X 5 +b 4 X 4 +b 3 X 3 +b 2 X 2 +b 1 X +b 0 ) = 1 38 / 42
94 lgebraic attacks The case of ES (II) Derive 8 multivariate quadratic equations over F 2 (one for each coefficient of the previous equation). Example a 0 b 0 +a 7 b 1 +a 6 b 2 +a 5 b 3 +a 4 b 4 +a 3 b 5 +a 2 b 6 + a 1 b 7 +a 7 b 6 +a 6 b 7 +a 7 b 5 +a 6 b 6 +a 5 b 7 = 1. Derive other equations by exploiting for example relations of the form a 2 b = a and ab 2 = b over F / 42
95 lgebraic attacks Quadratic system for ES There are in total 39 quadratic relations for the ES Sbox (much more than for a randomly chosen mapping over F 8 2. Use these relations of degree 2 to form a quadratic system by introducing new variables for the outputs of successive rounds quadratic equations of 1600 variables. 40 / 42
96 lgebraic attacks Solving the system How to solve the resulting system? XSL (extended Sparse Linearisation): based on linearization, but attempting to exploit the sparsity and specific structure of the equation system. Gröbner Basis algorithms, ST-solvers, etc. ourtois and Pieprzyk claimed that by using XSL it was possible to mount an (at least theoretical) successful attack against ES-128. However, it was shown by id and Leurent (siacrypt 05) that the algorithm did not work as expected, so one could not claim that ES was broken. 41 / 42
97 lgebraic attacks The limitations of algebraic attacks No well-known block cipher has been broken using pure algebraic techniques faster than with other techniques. lgebraic cryptanalysis works better in the case of stream ciphers and resistance against such attacks is a design criteria goal. The applicability of an algebraic attack mainly depends on the algebraic degree of the block cipher. Other attacks depending on the algebraic degree: Higher-order differential attacks, their derivatives and extensions. 42 / 42
98 Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, / 59
99 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 2 / 59
100 Last-round attacks Statistical attacks Statistical attacks exploit relations that hold with a certain probability only. Rely on the existence of a distinguisher. distinguisher D for a block cipher (E k ) k is an algorithm taking N pairs (x i,y i ), 1 i N and returning 0 or 1. Goal: Decide if the N pairs are input-output pairs of the target block cipher or not: 1: If the (x i,y i ) are input-output pairs of E k for some key k. 0: If the (x i,y i ) are input-output pairs of a random permutation. 3 / 59
101 Last-round attacks dvantage of the distinguisher Let p be the probability that the algorithm returns 1 (the N pairs come from the target block cipher). Let p be the probability that the algorithm returns 0 (the N pairs come from a random permutation). The capacity to distinguish the target block cipher from a random permutation is measured as p p and is called advantage. 4 / 59
102 Last-round attacks onsequences of a distinguisher The existence of a distinguisher with a non-negligeable advantage is an undesirable property for a block cipher. However, this does not always guarantee that once the distinguisher is discovered, the secret key will be recovered. But: For iterated ciphers a distinguisher for the reduced cipher E k = F kr F kr 1 F k1 can be a serious thread. G k = F kr 1 F k1 5 / 59
103 Last-round attacks ttack on the last round (I) If an attacker finds a distinguisher D for the reduced-round cipher G k, then he can run a last-round attack. Goal: Recover the last-round subkey k r. 6 / 59
104 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F F z G k (x) ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). 7 / 59
105 Last-round attacks ttack on the last round (II) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k ollect enough plaintext-ciphertext pairs (x i,z i ), where z i = E k (x i ). For all possible values k compute y i = F 1 k (z i ) 7 / 59
106 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r x F F F y F z G k (x) k 8 / 59
107 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) 8 / 59
108 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) 8 / 59
109 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k r x F F F F z F 1 y G k (x) If k is the right subkey (k = k r ) : P(k ) = F 1 k E k = F 1 k F kr F kr 1 F kr 2 F k1 = F 1 k r F kr F kr 1 F kr 2 F k1 = F kr 1 F kr 2 F k1 = G k P(k ) belongs to the family of reduced-ciphers. 8 / 59
110 Last-round attacks ttack on the last round (III) E k (x) k 1 k 2 k r 1 k r k x F F F F z F 1 y G k (x) If k is a wrong subkey, P(k ) is assumed to have the same behaviour as a randomly chosen permutation. This assumption is known as the wrong-key randomization hypothesis. 8 / 59
111 Last-round attacks lgorithm Data: N plaintext-ciphertext couples (x i,z i ), for 1 i N Result: set of candidate keys for the last-round subkey k r for all possible values k of k r do counter 0 ; for i = 0...N do compute y i = F 1 k (z i ); counter counter + D(x i,y i ); end if counter τ then return k ; end end The value τ is a threshold value fixed by the attacker. 9 / 59
112 Last-round attacks Remarks s we exhaust all values of the last round subkey, this attack only works in this basic form if the subkeys have a small size (eg. not for ES-128) In practice, we only try to recover a small part of the last round key (some bits). For the other bits of the subkey, we repeat the attack by modifying the parameters of the attack. Once the last subkey recovered, how do we proceed next? For some ciphers, once a subkey completely recovered, one can compute back through the key schedule to retrieve the master key. If the different subkeys are not related, one can Exhaustively search the remaining key bits Repeat the same attack on the ciphers obtained by successively removing the last round ombine both approaches 10 / 59
113 Higher-order differential attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 11 / 59
114 Higher-order differential attacks Higher-order derivatives Let F : F n 2 Fn 2. Derivative of F at a point a F n 2 : D a F(x) := F(x a) F(x), for every x F n 2 Xuejia Lai extended this notion in Definition[k-th order derivative of F] For any k-dimensional subspace V of F n 2, the k-th order derivative of F with respect to V is the function defined by D V F(x) = D a1 D a2...d ak F(x) = F(x+v), v V for every x F n 2, where (a 1,...,a k ) is a basis of V. 12 / 59
115 Higher-order differential attacks Example Let F : F n 2 Fn 2 and V = a 1,a 2 F n 2 of dimension 2. The 2 nd -order derivative of F with respect to V is D V F(x) = D a1 D a2 F(x) = D a1 (F(x)+F(x+a 2 )) = F(x)+F(x+a 1 )+F(x+a 2 )+F(x+a 1 +a 2 ). 13 / 59
116 Higher-order differential attacks Degree of a derivative Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Then, D a F d 1. Examples: F(x 1,...,x n ) = x 1. Then, D a F(x) = D a (x 1 ) = (x 1 a 1 ) x 1 = a 1 deg(d a F) = 0 F(x 1,...,x n ) = x 1 x 2. Then, D a F(x) = D a (x 1 x 2 ) = (x 1 a 1 )(x 2 a 2 ) x 1 x 2 = x 1 x 2 a 1 x 2 a 2 x 1 a 1 a 2 x 1 x 2 = a 1 x 2 a 2 x 1 a 1 a 2 deg(d a F) = 1 14 / 59
117 Higher-order differential attacks Important property Let F : F n 2 Fn 2 of degree d and a = (a 1,...,a n ). Example: F(x 1,...,x n ) = x 1 x 2 x d. Then, D a (x 1 x 2 x d ) = (x 1 a 1 )(x 2 a 2 )...(x d a d ) x 1 x 2 x d = x 1 x d terms of deg d 1 x 1 x d deg(d a F) d 1 Proposition[Lai 94] For every subspace V with dim V > deg F, D V F(x) = v V F(x+v) = 0, for every x F n / 59
118 Higher-order differential attacks ttack on the last round ttack based on a low degree. F k 0 S k 1 S k r 1 S k r m S L S L S L c S S S z = F 1 k (c) deg < d 16 / 59
119 Higher-order differential attacks Use higher-order derivatives [Knudsen 94] For all values of k check whether m z = F 1 k (c) has degree < d. How? k r 1 S S L k r c heck whether all derivatives of order d are zero. S z = F 1 k (c) 17 / 59
120 Higher-order differential attacks The attack Let V be a vector space of dimension d. Input: hoose 2 d plaintexts of the form m v, v V (coset of V ) and get the corresponding ciphertexts. Example d = 3,m = 0, V = v 1,v 2,v 3. hosen plaintexts: 0,v 1,v 2,v 3,v 1 v 2,v 1 v 3,v 2 v 3,v 1 v 2 v 3. If for a key k, 2 d 1 i=0 we conclude that k is a wrong key. F 1 k (c i) 0, 18 / 59
121 Higher-order differential attacks Number of candidate keys What is the probability that for a wrong key, i F 1 k (c i) = 0? (false alarm probability) 2 d 1 P F 1 k (c i) = 0 = 2 n, where n is the block size. i=0 s there are 2 κ key candidates (κ is the size of a subkey), around 2 κ n among them will be proposed as candidates for the right key. 19 / 59
122 Higher-order differential attacks Find the right candidate How to find the right key among the left candidates? Do an exhaustive search among the remaining candidates or Repeat the attack by choosing a different vector space of dimension d. Data complexity: 2 d chosen plaintexts. Time complexity: 2 d 2 κ. Remark In practice, we recover smaller fragments of the key. 20 / 59
123 Higher-order differential attacks The KN cipher [Knudsen-Nyberg 95] 6-round Feistel cipher x i 1 y i 1 ki E : F 32 2 F33 2 linear T : F 33 2 F32 2 linear k i : 33-bit subkey T S E S : F 2 33 F 2 33 with x x 3 x i y i F 32 2 F32 2 F 32 2 F32 2 (x,y) (y,x T S(E(x) k i )) 21 / 59
124 Higher-order differential attacks The role of the function S Name initially given to the cipher: RDI (ipher Resistant gainst Differential ryptanalysis). The function S plays a crucial role. The function x x 3 on the field F 33 2 was chosen. This function is known to be resistant against linear and differential attacks. But, this function is of degree / 59
125 Higher-order differential attacks Higher-order differential attack against KN Presented by Jacobsen and Knudsen in Exploit the low algebraic degree of the round function. Input: Plaintexts of the form (x 0,y 0 ) F 32 2 F32 2, where y 0 = c, for some constant c. 23 / 59
126 Higher-order differential attacks 4 rounds of encryption x 0 = x y 0 = c F k1 y 0 (x) = c y 1 (x) = x F k1 (c) := x c y 2 (x) = F k2 (x c ) c y 3 (x) = F k3 (F k2 (x c ) c) x c y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) + F k2 (x c ) c F k2 F k3 F k4 F k5 d = 1 d = 2 d = 4 y 4 d = 8 F k6 x 6 y 6 24 / 59
127 Higher-order differential attacks Evaluate the degree of y 4 y 4 (x) = F k4 (F k3 (F k2 (x c ) c) x c ) F k2 (x c ) c Obviously, the degree of y 4 is bounded by the degree of G = F k4 F k3 F k2 s deg(f ki ) = deg(s) = 2, we get that deg(y 4 ) deg(g) deg(f k4 ) deg(f k3 ) deg(f k2 ) / 59
128 Higher-order differential attacks Write down the equations If V is a subspace of F 32 2 we have: with dim(v) = 9, D V y 4 (x) = v V y 4 (v x) = 0, for all x F We get now the following equation: y 4 F k5 d = 8 F k6 y 5 x 6 (x) = F k6 (y 5 (x)) y 4 (x), y 4 (x) = F k6 (y 5 (x)) x 6 (x) x 6 y 6 26 / 59
129 Higher-order differential attacks ttack equation F k6 (y 5 (v w)) x 6 (v w) = 0. v V v V Recover the key k 6. There will be in average = 2 candidate keys for k 6. Recover the remaining subkeys by mounting the same attack on the reduced-round cipher. 27 / 59
130 Integral attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 28 / 59
131 Integral attacks Integral attacks - History ttack exploiting weaknesses of the non-linear as well as the linear layer of the target cipher. In 1997, the SQURE cipher was presented by Daemen, Knudsen and Rijmen. During the design, the authors discover a new chosen-plaintext attack against 6 rounds of the cipher. This new attack was named the square attack. In the beginning the attack was applied against SPN ciphers. Later, Lucks generalizes the attack to other type of ciphers and call it the saturation attack. In 2002, Knudsen and Wagner unify the different aspects of these attacks and give them the name integral attacks. 29 / 59
132 Integral attacks Multisets Multiset: Every element in the set can appear multiple times. n element of a multiset is a pair (value, multiplicity). Example. V = {1,2,2,2,3,3,4}, or V = {(1,1),(2,3),(3,2),(4,1)} The attacker studies the propagation of the multiset through the cipher. 30 / 59
133 Integral attacks Integral over a multiset pplication to word-oriented ciphers. Notation: w number of words in a plaintext. (e.g. ES: 16 words of 8-bits each). hoose plaintexts in a way that the multiset in each word verifies a specific property. Definition. We call integral over a multiset S the sum v v S 31 / 59
134 Integral attacks Properties n attacker tries to predict the values in the integrals after a certain number of rounds. Distinguish between 3 cases. (For the examples, the word-size is 3 bits.) 1 : ll w words in the multiset have the same constant value. The multiset S = {3,3,3,3,3,3,3,3} has the property. 2 : The w words in the multiset take all possible values. The multiset S = {0,1,2,3,4,5,6,7} has the property. 3 B: The integral over S is / 59
135 Integral attacks Example: ES 16 words of 8 bits. 2 8 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant. nalyze how this multiset propagates through the different operations of ES. 33 / 59
136 Integral attacks Through ddroundkey The same constant value is XORed to each byte. Example. (0x06,..., 0x06) (0x06 0x01,..., 0x06 0x01) = (0x07,..., 0x07) Property. If we XOR the same constant value to each different value of a set having we get again all possible values in the set. Example. S = {0x0,0x1,0x2,0x3}, k = 0x2, S k = {0x2,0x3,0x0,0x1} ddroundkey 34 / 59
137 Integral attacks Through SubBytes The Sbox S is a permutation. If all values of a multiset have the same constant value c, all values will have the same constant value c = S(x) after SubBytes. If the values of a multiset take all possible values, the Sbox will only permute these values. SubBytes 35 / 59
138 Integral attacks Through ShiftRows ShiftRows only permutes the bytes of the state. ShiftRows 36 / 59
139 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 0 1 = 02 x x x x y255 0 = 02 x x x x / 59
140 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x x x x 0 3 y 0 1 = 02 x x x x y255 0 = 02 x x x x / 59
141 Integral attacks Through Mixolumns (I) Inputs of the 1 st column: (x i 0,xi 1,xi 2,xi 3 ), 0 i 255 Outputs of the 1 st column: (y0 i,yi 1,yi 2,yi 3 ), 0 i x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 = 02 x 0 0 +c y 0 1 = 02 x 1 0 +c.... y = 02 x c 37 / 59
142 Integral attacks Through Mixolumns (II) Mixolumns 38 / 59
143 Integral attacks fter 3 rounds Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns???????????????? 39 / 59
144 Integral attacks fter Mixolumns x i 0 y i x i x i = y i 1 2 y i x i 2 3 y3 i y 0 0 y255 0 = 02 x x x x x x x x x x x x = 02 x i 0 03 x i 1 01 x i 2 01 i=0 i=0 i=0 = = x i 3 i=0 40 / 59
145 Integral attacks fter 3 rounds of ES Mixolumns ddroundrey SubBytes ShiftRows SubBytes ShiftRows Mixolumns SubBytes ShiftRows ddroundrey ddroundrey Mixolumns B B B B B B B B B B B B B B B B 41 / 59
146 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent of the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
147 Integral attacks Distinguishing property for 3 rounds of ES fter the 3 rd Mixolumns every byte position will be balanced (XOR of all 256 values in a single byte position is 0). Property that holds with probability 1. Property independent on the key. R B B B B B B B B B B B B B B B B R R The byte taking all 256 values (saturated) can be any of the 16 bytes. 42 / 59
148 Integral attacks ttack over ES reduced to 4 rounds Goal: Recover the subkey k 4 of the 4 th round of ES. Remark No Mixolumns in the last round. Input: 256 chosen plaintexts m i of the form (x i,c,c,c,c,c,c,c,c,c,c,c,c,c,c,c), where x i = i, for i = 0,...,255 and c some constant and the corresponding ciphertexts c i, i = 0,...,255. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 43 / 59
149 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 State after 3rd round ciphertext B B B B B B B B B B B B B B B B SubBytes ShiftRows 44 / 59
150 Integral attacks Divide and conquer Subkey k 4 is 128-bits long (exhaustive search not possible!). Use a divide and conquer strategy and recover the last subkey byte by byte. k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) 44 / 59
151 Integral attacks Divide and conquer k 4 k4 13 State after 3rd round ciphertext B B B B Bv i B B B B B B B B B B B SubBytes ShiftRows c i c i = S(v i ) k 13 4 v i = S 1 (c i k 13 4 ) But, if k 13 4 is the right value v i = S 1 (c i k4 13 ) = 0 i=0 i=0 44 / 59
152 Integral attacks omplexity Data complexity: 2 8 chosen plaintext-ciphertext pairs (a little bit more to get rid off false alarms) Time complexity: = 2 20 XOR s. ssume that a full encryption is composed 2 6 similar simple operations. So, time complexity 2 14 encryptions. 45 / 59
153 Integral attacks Link with higher-order differential cryptanalysis differential of order d is the sum of 2 d vecteurs of a well-chosen vector space, so it can be seen as an integral. Recently, Yosuke Todo extended integral attacks to take in a clearer way the algebraic degree into account. This extension is called the division property. 46 / 59
154 Bounds on the degree of iterated constructions Outline 1 Last-round attacks 2 Higher-order differential attacks 3 Integral attacks 4 Bounds on the degree of iterated constructions 47 / 59
155 Bounds on the degree of iterated constructions Iterated permutations Most of the symmetric constructions (hash functions, block ciphers) are based on a permutation iterated a high number of times. Important to estimate the algebraic degree of such iterated permutations. Functions with a low degree are vulnerable to: lgebraic attacks Higher-order differential attacks and distinguishers 48 / 59
156 Bounds on the degree of iterated constructions trivial bound Proposition: Let F be a function from F n 2 into Fn 2 F n 2 into Fm 2. Then and G a function from deg(g F) deg(g)deg(f). Example: Round function R of ES is of degree 7. Then deg(r 2 ) = deg(r R) 7 2 = / 59
157 Bounds on the degree of iterated constructions Substitution Permutation Networks S S S S S S Linear Layer S S S S S S Linear Layer S S S S S S Linear Layer How to estimate the evolution of the degree of such constructions? 50 / 59
158 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in X = {x 0,...,x 15 }. 51 / 59
159 Bounds on the degree of iterated constructions x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 fter several rounds, all coordinates can be expressed as a sum of monomials. Each monomial is a product of variables in Y = {y 0,...,y 15 }. The coordinates y 0 y 3 are outputs of the same Sbox (equally for the others). What is the consequence on the degree of the product? 51 / 59
160 Bounds on the degree of iterated constructions The notion of δ k Definition : For a permutation S define δ k (S) as the maximum degree of the product of k coordinates of S. δ 1 (S) := algebraic degree of S Example: degs = 3 S k δ k S permutation of F n 2 : δ k (S) = n iff k = n. 52 / 59
161 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 1 y 3 y 8 y 9 y 10. deg(π) δ 3 (S 1 )+δ 3 (S 3 ) = / 59
162 Bounds on the degree of iterated constructions Example: Product of 6 coordinates. S 1 S 2 S 3 S 4 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 π = y 0 y 5 y 8 y 10 y 13 y 15. deg(π) δ 1 (S 1 )+δ 1 (S 2 )+δ 2 (S 3 )+δ 2 (S 4 ) = 12. The degree of the product is relatively low if many coordinates coming from the same Sbox are involved! 53 / 59
Some attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationLecture Notes on Cryptographic Boolean Functions
Lecture Notes on Cryptographic Boolean Functions Anne Canteaut Inria, Paris, France Anne.Canteaut@inria.fr https://www.rocq.inria.fr/secret/anne.canteaut/ version: March 10, 016 Contents 1 Boolean functions
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationPractical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order
More informationPart (02) Modem Encryption techniques
Part (02) Modem Encryption techniques Dr. Ahmed M. ElShafee 1 Block Ciphers and Feistel cipher Dr. Ahmed M. ElShafee 2 introduction Modern block ciphers are widely used to provide encryption of quantities
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationComputational and Algebraic Aspects of the Advanced Encryption Standard
Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20
More informationA survey of algebraic attacks against stream ciphers
A survey of algebraic attacks against stream ciphers Frederik Armknecht NEC Europe Ltd. Network Laboratories frederik.armknecht@netlab.nec.de Special semester on Gröbner bases and related methods, May
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationCube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)
Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationUniversity of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center
University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center A DATABASE FOR BOOLEAN FUNCTIONS AND CONSTRUCTIONS OF GENERALIZED COMPLEMENTARY PAIRS by Mohamed
More informationCryptography Lecture 4 Block ciphers, DES, breaking DES
Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationAttacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3
Attacks on DES 1 Attacks on DES Differential cryptanalysis is an attack on DES that compares the differences (that is, XOR values between ciphertexts of certain chosen plaintexts to discover information
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationHigh Performance Computing techniques for attacking reduced version of AES using XL and XSL methods
Graduate Theses and Dissertations Iowa State University Capstones, Theses and Dissertations 2010 High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods Elizabeth
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More information