Study of Algorithmic Assumptions and Attacks on Cryptographic Primitives (Étude d'hypothèses algorithmiques et attaques de primitives cryptographiques)
1 Study of Algorithmic Assumptions and Attacks on Cryptographic Primitives. Charles Bouillaguet, École normale supérieure, Paris, France. Ph.D. Defense, September 26, 2011
2 A (Very Brief) Introduction to Cryptography: Encryption. [Figure: Alice encrypts a message under the secret key K into the ciphertext 5c14ff5cc3225fb9e5aee23b6...; Bob decrypts it with the same key K.]
8 Secret-Key and Public-key Cryptography. Alice and Bob used symmetric encryption: they have the same secret key K. In the late 70s, invention of public-key cryptography.
10 Public-key Cryptography ($PK_{bob}$, $SK_{bob}$). The Public Key is sufficient to encrypt (web page, public directory, ...). The Secret Key is necessary to decrypt (personal!).
11 Sharing Secrets in Public. [Figure: Bob publishes $PK_{bob} = 0x4a1\ldots$ and keeps $SK_{bob}$; a message encrypted under $PK_{bob}$ (ciphertext 5c14ff5cc3225fb9e5aee23b6...) can only be decrypted with $SK_{bob}$.]
16 Public-key Cryptography ($PK_{bob}$, $SK_{bob}$). The Public Key is sufficient to encrypt (web page, public directory, ...). The Secret Key is necessary to decrypt (personal!). It must be (computationally) impossible to extract the Secret Key from the Public Key: we need hard problems from mathematics.
17 Hash Functions. Hash functions compute fingerprints. Various uses. Oblivious to most users. No keys! [Figure: H maps a message to the fingerprint 0x1d66ca77ab361c6f.]
20 An Ideal Hash Function: the Random Oracle. A Public Random Function (a.k.a. the Random Oracle): it generates new answers (uniformly) at random and remembers its previous answers.
21 Security goals: Preimage attack. Given $y$, find $M$ such that $H(M) = y$. Ideal security: $2^n$ trials.
22 Security goals: Second-preimage attack. Given $M_1$, find $M_2 \neq M_1$ such that $H(M_1) = H(M_2)$. Ideal security: $2^n$ trials.
23 Security goals: Collision attack. Find $M_1 \neq M_2$ such that $H(M_1) = H(M_2)$. Ideal security: $2^{n/2}$ trials (birthday paradox).
24 Outline
1 Introduction
2 Modes of Operation for Hash Functions: The Merkle-Damgård Mode of Operation and its Problems; Previous Generic Attacks; Attempts to Fix it and their Problems
3 Computer-Assisted Cryptanalysis of the AES: Algebraic Structure; Automated Tools; Results
4 Multivariate Cryptanalysis: The MQ Problem; Polynomial Equivalence Problems
26 Hash Functions are Iterated Constructions. [Figure: the message blocks $M_0, M_1, \ldots, M_7$ are absorbed one block at a time into a running state; after the last block, the output is 0x8d90f5bc447d7bdd767a68b98e37e785.]
40 The Merkle-Damgård Mode of Operation. Iterate a small compression function $f$. Cut the message in chunks $M_0, \ldots, M_k$. Include the size of $M$ in the last block. $h_i = f(h_{i-1}, M_i)$, $H_f(M) = h_k$. [Figure: IV $\to f(\cdot, M_0) = h_0 \to f(\cdot, M_1) = h_1 \to f(\cdot, M_2) = h_2 \to f(\cdot, M_3) = h_3$.] Provable Security Result: a collision in $H_f$ implies a collision in $f$.
41 Merkle-Damgård: a Timeline. [Figure: Merkle-Damgård, then MD4, MD5, SHA-0, SHA-1, SHA-2; generic attacks placed along the timeline: Multicollisions, 2nd Preimages, Herding, 2nd Preimages, 2nd Preimages, Trojan Message.]
46 The Multicollision Attack of Joux (2004). Main Idea: $k$ collisions give a $2^k$-multicollision. Find two colliding blocks from the previous chaining value: there are $2^k$ paths between IV and $h_k$. [Figure: IV $\to h_1 \to h_2 \to h_3 \to \cdots \to h_k$, with two colliding blocks $m_i$, $m'_i$ at each step.]
47 The Second Preimage Attack of Kelsey-Schneier (2005). Main Idea: a multicollision with messages of all possible sizes (an expandable message). From $h_i$, find a collision between a single block and a $(2^i + 1)$-block message. [Figure: at each step a one-block message ($|m_i| = 1$) collides with a longer one ($|m'_1| = 2$, $|m'_2| = 3$, $|m'_3| = 5$).] All sizes between $k$ and $2^k$ are reachable.
48 The Second Preimage Attack of Kelsey-Schneier (2005). [Figure: the expandable message $M_{ex}$ leads from IV to $h$; a connecting block $m$ with $f(h, m) = h_i$ hits one of the chaining values $h_i$ of the target message $M$; choosing the expansion $P$ of the right length and appending $M_{i+1}, \ldots, M_l$ gives a second message that hashes to $H(M)$.]
52 The Herding Attack of Kelsey-Kohno (2006). Objective: commit to $h$, then receive $P$, find $S$ such that $H(P \| S) = h$. Main Idea: build a Collision Tree (a.k.a. Diamond Structure): a binary tree of height $l$ with $2^l$ leaves ($x_1, \ldots, x_6$ in the figure) and root $h$; nodes are chaining values, edges are message blocks. Commit to $h$.
53 The Herding Attack of Kelsey-Kohno (2006): Online Phase. [Figure: hash the prefix $P$ from IV to $h_P$; find a block $m$ with $f(h_P, m) = x_j$ for one of the $2^l$ leaves $x_j$; follow the tree from $x_j$ up to the committed root $h$.]
56 A New, More Flexible, Generic Second Preimage Attack. Main Idea: Kelsey and Schneier's attack with a collision tree. [Figure: a collision tree with $2^l$ leaves $x_1, \ldots, x_6$ and root $h$; a connecting block $m$ with $f(h, m) = h_i$ hits a chaining value $h_i$ of the target $M$; any prefix $P$ is hashed to $h_P$ and joined to a leaf by a block $m$ with $f(h_P, m) = x_j$; the message is completed with $M_{i+1}, \ldots, M_l$ and hashes to $H(M)$.]
61 How to Repair the Merkle-Damgård Mode of Operation? Problems, because the attacker can: 1 find internal collisions; 2 copy-and-paste message blocks; 3 control the internal state. [Figure: IV $\to f(M_0) \to h_0 \to f(M_1) \to h_1 \to f(M_2) \to h_2 \to f(M_3) \to h_3$.] Counter-measures: a larger internal state (a $2n$-bit chaining value through every call of $f$, truncated to $n$ bits at the end by Trunc$_n$); position-dependent hashing (an extra input $z_i$ to each call, $f(h_{i-1}, M_i, z_i)$); several passes (the blocks $M_0, \ldots, M_3$ are processed by $f$ a second time).
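The Joux multicollision (slide 46) against the plain Merkle-Damgård iteration of slide 40, next to the cost of a single internal collision once the internal state is widened (the first counter-measure above), as an added Python example that is not from the talk. The compression function, the 4-byte blocks, the 16-bit and 28-bit state sizes and the omission of padding are constructed toy choices.

```python
import hashlib

BLOCK_BYTES = 4  # constructed toy parameter: 4-byte message blocks


def compress(h, block, state_bits):
    """Toy compression function f(h_{i-1}, M_i): SHA-256 of the chaining value
    and the block, truncated to state_bits. SHA-256 only stands in for a
    'random-looking' f; the attack below exploits the iterated mode, not any
    weakness of f."""
    data = h.to_bytes(8, "big") + block
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << state_bits) - 1)


def md_hash(blocks, state_bits=16, output_bits=16):
    """Merkle-Damgard iteration with IV = 0 (padding and the length block are
    omitted to keep the toy small). state_bits == output_bits is a narrow pipe;
    state_bits > output_bits is the 'larger internal state' counter-measure,
    i.e. Trunc_n applied to a wider chaining value at the end."""
    h = 0
    for m in blocks:
        h = compress(h, m, state_bits)
    return h & ((1 << output_bits) - 1)


def find_block_collision(h, state_bits):
    """Birthday search for m != m' with f(h, m) = f(h, m') from chaining value h.
    Blocks are tried in counter order, so the result is deterministic.
    Returns (m, m', f(h, m), number of compression calls)."""
    seen = {}
    counter = 0
    while True:
        m = counter.to_bytes(BLOCK_BYTES, "big")
        counter += 1
        v = compress(h, m, state_bits)
        if v in seen:
            return seen[v], m, v, counter
        seen[v] = m


def joux_multicollision(k, state_bits=16):
    """Chain k single-block collisions (Joux 2004). Every choice of one block
    per step follows a path from IV to the same h_k, so 2^k messages collide
    for the price of k block collisions instead of one 2^k-way collision."""
    h = 0
    choices = []
    total_calls = 0
    for _ in range(k):
        m0, m1, h, calls = find_block_collision(h, state_bits)
        choices.append((m0, m1))
        total_calls += calls
    return choices, h, total_calls


def all_messages(choices):
    """Expand the k block pairs into the 2^k colliding messages."""
    msgs = [[]]
    for m0, m1 in choices:
        msgs = [m + [b] for m in msgs for b in (m0, m1)]
    return msgs


if __name__ == "__main__":
    choices, h_k, calls = joux_multicollision(3, state_bits=16)
    msgs = all_messages(choices)
    digests = {md_hash(m) for m in msgs}
    print(f"{len(msgs)} distinct messages, {len(digests)} distinct digest(s), "
          f"{calls} compression calls in total for a 16-bit narrow pipe")
    # With a 28-bit internal state (still a 16-bit output), one internal
    # collision alone costs about 2^14 calls instead of about 2^8.
    _, _, _, wide_calls = find_block_collision(0, 28)
    print(f"one internal collision in a 28-bit pipe: {wide_calls} calls")
```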
65 Position-Dependent Hashing. Additional input $z$? [Figure: $h_i = f(h_{i-1}, M_i, z_i)$ for $i = 0, \ldots, 3$.] Rivest's Proposal (2005): Abelian Square-Free Dithering. 2-bit additional input (a, b, c, d): $z$ = abcacdcbcdcadcdbdabaca... Kills the Kelsey-Schneier attack.
67 Extending the New 2nd-Preimage Attack to Dithered Hashing. [Figure: the collision tree with leaves $x_1, \ldots, x_6$ and root $h$ is built with dither symbols $\omega_1, \ldots, \omega_{l-1}, \omega_l$ on its levels, and the connecting block uses $f(h, \omega_{l+1}, m) = h_i$. Constraints: $h_i$ must be the same, and the dither symbols $\omega_1, \ldots, \omega_{l+1}$ must be the same as those at the corresponding positions of the dither sequence of $M$, abcacdcbcdcadcdbdabacabadbabcbdbcbacbcdcacba...]
72 Rivest's Dithering Sequence in Detail. $z$ = abcacdcbcdcadcdbdabacabadbabcbdbcbacbcdcacba... Does it have frequent factors? It is an infinite (abelian) square-free sequence over 4 letters, the fixed point of a (uniform) morphism over the free monoid. Theorem (Cobham, 1972): the number of different factors of size $l$ in $z$ is linear in $l$. So there is a very low number of different factors in $z$, and at least one of them occurs frequently (freq. 0.2%).
73 Extending the New 2nd-Preimage Attack to Several Passes. [Figure: two passes of $f$ over $M_0, \ldots, M_3$; an expandable message $M_{ex}$ is built for the first pass, and a multicollision over it lets the second pass reconnect from IV through $h$ to $H(M)$.]
76 Conclusion. 1 Rivest's Dithering: broken by the new 2nd preimage attack. 2 Several Passes: broken by the new 2nd preimage attack. 3 Round counter: provably secure against generic 2nd preimage attacks. 4 Larger internal state: provably secure against all generic attacks.
77 Outline: part 3, Computer-Assisted Cryptanalysis of the AES (Algebraic Structure; Automated Tools; Results).
78 Block-Cipher Cryptanalysis. The Object: a Block Cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, plaintext, ciphertext). The Subject: an Attacker. Objective: recover the secret key. Resources: Time: less than $2^k$ encryptions; Data: less than $2^n$ plaintext/ciphertext pairs.
79 Block Cipher Cryptanalysis. [Figure: the key $K$ goes through the Key Schedule, producing the round keys $k_0, k_1, k_2, \ldots, k_r$; the plaintext passes through $r$ keyed rounds to the ciphertext.] First weaken it (reduce the number of rounds), then break it.
82 Adversarial Model: Low Data Complexity Attacks. Must be faster than exhaustive search; only very few plaintext/ciphertext pairs available. Why? Rather unexplored territory. What is harder in practice: performing $2^{50}$ elementary operations, or acquiring 50 plaintext/ciphertext pairs?
83 Target Block Cipher: the Advanced Encryption Standard. Designed by Rijmen and Daemen; winner of the AES competition in 2001; one of the most widely used encryption primitives. AES basic structure: Substitution-Permutation network; block size: 128 bits; key lengths: 128, 192 or 256 bits; 10 rounds for the 128-bit version.
84 Description of the AES. [Figure: one AES round maps the state $x_i$ to $x_{i+1}$ under the round key $k_i$: the byte substitution S (SubBytes), ShiftRows, the MixColumns matrix M, and the addition (+) of $k_i$.]
90 The AES Has a Clean Description over $\mathbb{F}_{256}$. $y_i[l] = S(x_i[l])$, and
$$x_{i+1} = M \cdot \begin{pmatrix} y_i[0] & y_i[4] & y_i[8] & y_i[12] \\ y_i[5] & y_i[9] & y_i[13] & y_i[1] \\ y_i[10] & y_i[14] & y_i[2] & y_i[6] \\ y_i[15] & y_i[3] & y_i[7] & y_i[11] \end{pmatrix} + k_i$$
(the substituted bytes after ShiftRows, multiplied by the MixColumns matrix M of slide 88, plus the round key). Is it a Problem? Concerns about the AES's algebraic simplicity have been expressed several times, but so far no attack directly exploited this property... until now.
91 Working With the Equations. Algebraic Cryptanalysis, the Direct Approach: Equations $\to$ Solver (SAT, Gröbner) $\to$ Key. Time complexity? No interesting result at this point.
93 Our Approach to Solve Systems of AES-like Equations. [Figure: Equations $\to$ Tools $\to$ Solver (with its expected complexity) $\to$ C++ $\to$ Compiler $\to$ Solver.] 1 The tools look at the equations; 2 they search for a (good) solver; 3 the C++ code of the solver is generated; 4 the solver finds the actual solution(s). The algebraic simplicity of the AES allows automatic search procedures (for some classes of attacks); non-trivial results are found automatically.
94 Harnessing The Algebraic Simplicity: Guess-and-Determine Attacks. The equations are sparse. All terms known except one: knowledge propagation, e.g. $x_i + S(z_j) + \mathtt{03}\, z_k = 0$. The equations are linear over $\mathbb{F}_{256}$ in $x_i$ and $S(x_i)$, so Gaussian elimination allows more knowledge propagation, e.g.
$x_i + S(z_j) + \mathtt{03}\, z_k + \mathtt{7f}\, u_l = 0$
$\mathtt{3d}\, x_j + \mathtt{56}\, z_k + S(v_r) + \mathtt{9a}\, u_l = 0$
$\mathtt{c2}\, y_s + \mathtt{84}\, z_k + \mathtt{cf}\, S(v_r) = 0$
All terms known except one in a linear combination.
95 Harnessing The Algebraic Simplicity: Guess-and-Determine Attacks. A Tentative Guess-and-determine Attack Search Procedure:
For all possible subsets $X$ of the variables:
  Assume $X$ is known
  While knowledge propagation gives a new variable $y$ do $X \leftarrow X \cup \{y\}$
  If $X$ contains all the variables, then report a possible solver
When done (or on timeout) return the best solver found so far.
Actual Implementation: more sophisticated (backtracking, sparse linear algebra, ...); 5000 lines of OCaml.
96 Harnessing The Algebraic Simplicity: Meet-in-the-Middle Attacks. Idea: partition the set of variables in two, so that $F(x, y, z, t, u, v) = 0$ becomes $G(x, y, z) = H(t, u, v)$. Meet-in-the-Middle Solver: for all $x, y, z$, store $G(x, y, z) \to (x, y, z)$ in a hash table; for all $u, v, t$, look up $H(u, v, t)$ in the hash table. On average one value of $(x, y, z)$ per value of $(u, v, t)$.
98 Harnessing The Algebraic Simplicity: Recursive Meet-in-the-Middle. Objective: find a partition such that $F(x, y, z, t, u, v) = 0$ becomes $G_1(x, y, z) = H_1(t, u, v)$ together with $G_2(x, y, z) = 0$ and $0 = H_2(t, u, v)$. Improved Solving Algorithm: for all $(x, y, z)$ such that $G_2(x, y, z) = 0$, store $G_1(x, y, z) \to (x, y, z)$ in a hash table; for all $(u, v, t)$ such that $H_2(u, v, t) = 0$, look up $H_1(u, v, t)$ in the hash table. Each collision suggests a complete solution. The sub-problems are the same problem on smaller instances: a solver for the full problem can be constructed recursively from two solvers for smaller sub-problems.
99 Harnessing The Algebraic Simplicity: Recursive Meet-in-the-Middle. In practice: a bottom-up saturation procedure.
function BESTSOLVER($E$, $T_{up}$)
  $G \leftarrow \{\,\text{BaseSolver}(x) : x \in X\,\}$
  $P \leftarrow \{\,(G_i, G_j) : 1 \le i < j \le |G|\,\}$
  while $P \neq \emptyset$ do
    pick $(A_1, A_2) \in P$ and remove it from $P$
    $C \leftarrow$ the solver combining $A_1$ and $A_2$
    if $T(C) \le T_{up}$ then UPDATE-QUEUE($G$, $P$, $C$)
  end while
  return $G$
end function
Design, implementation, improvements, tricks, ... by Patrick Derbez; … lines of C.
100 Results (Reduced AES). Attacks on round-reduced versions of AES-128. [Table: #Rounds, Data (KP = known plaintexts, CP = chosen plaintexts), Time of the tool-found attack, Time of the human-found attack; the numeric entries did not survive transcription.] The attacks that are practical have been implemented and verified.
101 Results: Pelican-MAC. Pelican-MAC building block: 4 keyless AES rounds. Attack Plan: query the MAC and find an internal collision; recover the internal state by solving $\mathrm{AES}_4(x + i) = \mathrm{AES}_4(x) + o$, where $i$ and $o$ are the input and output differences. [Figure: the four keyless rounds SB+SR, MC, SB+SR, MC, SB+SR, MC, SB+SR between the input difference $i$ and the output difference $o$.] 4 hash tables to build: … ops. Isolate $2^{32}$ possible internal states.
108 Conclusion. A new process to solve the equations describing the AES. It automatically finds the best known low data complexity attacks on round-reduced AES, Pelican-MAC and LEX, and can generate the C++ code of the attacks. Tool publicly available at:
109 Outline: part 4, Multivariate Cryptanalysis (The MQ Problem; Polynomial Equivalence Problems).
110 The Hard Problem Underlying Multivariate Cryptography. RSA Encryption: $y = x^e \bmod N$, with $x, y \in \mathbb{Z}/N\mathbb{Z}$. Multivariate Quadratic Encryption: $y_1, \ldots, y_4$ are quadratic polynomials in $x_1, \ldots, x_4$ (squares, products $x_i x_j$ and linear terms; e.g. $y_4 = x_1 x_2 + x_1 x_3 + \ldots + x_2 x_3 + x_3 x_4$), with $x, y \in (\mathbb{F}_q)^n$. Rationale: solving MQ polynomial systems is NP-hard over any field.
111 Multivariate Quadratic Trapdoor One-Way Functions. A trapdoor must be embedded in the equations. A Common Construction: Obfuscation. 1 A non-linear function $\psi : (\mathbb{F}_q)^n \to (\mathbb{F}_q)^n$, easily invertible, which can be public (as in SFLASH). 2 Express it as multivariate polynomials over $(\mathbb{F}_q)^n$. 3 Obfuscate $\psi$: compose it with secret matrices $S$ and $T$. 4 $PK = T \circ \psi \circ S$ (the obfuscated representation of $\psi$).
114 Multivariate Quadratic Trapdoor One-Way Functions Is it Secure? 1 Public-key must be one-way Even though ψ is not Hardness of (a special case of) MQ ciphertext plaintext
115 Multivariate Quadratic Trapdoor One-Way Functions Is it Secure? 1 Public-key must be one-way Even though ψ is not Hardness of (a special case of) MQ 2 Retrieving S and T must be (very) hard Hardness of Polynomial Linear Equivalence ciphertext plaintext ψ T S
116 Solving Multivariate Quadratic Equations. Problem: find $(x_1, \ldots, x_n) \in (\mathbb{F}_q)^n$ such that the four quadratic polynomials of slide 110 take given values (1, 0, ...). Exhaustive search costs $O(q^n)$; Gröbner bases cost $O(\alpha^n)$. Conclusion: exhaustive search is (often) faster on very small fields ($\mathbb{F}_2$).
117 Exhaustive Search for MQ over $\mathbb{F}_2$. Let $V = (\mathbb{F}_2)^n$, and $f : V \to V$ be a quadratic map: $f(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{ij} x_i x_j + \sum_{i=1}^{n} b_i x_i + c$. Naive Exhaustive Search: for $i$ from 1 to $2^n$ do: $x \leftarrow V[i]$; $y \leftarrow f(x)$; if $y = 0$ then report $x$ as a solution. Evaluating $f$ costs $n(n+3)/2$ XORs. Full exhaustive search $= O(n^2 2^n)$.
118 Exhaustive Search for MQ over $\mathbb{F}_2$: Improvement #1. Idea: suppose I know $y = f(x)$ for the four-equation system of slide 110. To flip $x_2$, only recompute $n$ terms per polynomial: $\frac{\partial f}{\partial x_2}(y) = f(y) + f(y + x_2)$ is affine and evaluates in $O(n)$ ops.
119 A (Folklore) More Efficient Exhaustive Search. [Table: $i$, GRAY($i$), $b_1(i)$.] Improved Exhaustive Search: $x \leftarrow 0$; $y \leftarrow f(0)$; for $i$ from 0 to $2^n - 1$ do: $k \leftarrow b_1(i+1)$; $z \leftarrow$ DOTPRODUCT$(x, D_k)$; $y \leftarrow y + z$; if $y = 0$ then report $x$ as a solution; $x \leftarrow x + e_k$. DOTPRODUCT costs $n$ XORs. Full exhaustive search $= O(n 2^n)$.
120 Exhaustive Search for MQ over $\mathbb{F}_2$: Improvement #2. [Table: $i$, GRAY($i$), $b_1(i)$.] Theorem: if $i$ and $j$ are consecutive integers s.t. $b_1(i) = b_1(j)$, then GRAY($i$) and GRAY($j$) differ in two bits. Hence the two successive dot products $z \leftarrow$ DOTPRODUCT$(x, D_k)$ and $z \leftarrow$ DOTPRODUCT$(x + \text{2 bits}, D_k)$ are almost equal: keep $z_k$ and update it with $z_k \leftarrow z_k + $ DOTPRODUCT$(\text{2 bits}, D_k)$.
123 A New, Even More Efficient Exhaustive Search. Even More Improved Exhaustive Search: $x \leftarrow 0$; $y \leftarrow f(0)$; initialize the $z[i]$; for $i$ from 0 to $2^n - 1$ do: $k_1 \leftarrow b_1(i+1)$; $k_2 \leftarrow b_2(i+1)$; $z[k_1] \leftarrow z[k_1] + D_{k_1}[k_2]$; $y \leftarrow y + z[k_1]$; if $y = 0$ then report GRAY($i$) as a solution. Each iteration costs 2 XORs. Full exhaustive search $= O(2^n)$.
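An added Python implementation (neither the talk's code nor the CHES 2010 implementation) of the Gray-code search on this slide, checked against the naive search of slide 117: the $m$ equations are bit-packed so that one XOR updates them all, `z[k]` caches the derivative $D_k f$, and the initial `z` values and the point at which the zero test happens are my reading of the slide.

```python
import random


def lowest_set_bit(i):
    """b_1(i): index of the lowest set bit of i > 0."""
    return (i & -i).bit_length() - 1


def second_lowest_set_bit(i):
    """b_2(i): index of the second-lowest set bit, or None if i is a power of two."""
    rest = i & (i - 1)  # clear the lowest set bit
    return lowest_set_bit(rest) if rest else None


def gray(i):
    return i ^ (i >> 1)


class MQSystem:
    """m random quadratic polynomials in n variables over F_2 (constructed input).
    Coefficients are bit-packed: bit e of each integer is the coefficient of that
    monomial in equation e, so one XOR updates all m equations at once."""

    def __init__(self, n, m, seed):
        rng = random.Random(seed)
        self.n, self.m = n, m
        # quad[i][j] for i < j: coefficient of x_i x_j.  Since x_i^2 = x_i over F_2,
        # the diagonal a_ii is folded into the linear coefficient lin[i].
        self.quad = [[rng.getrandbits(m) if i < j else 0 for j in range(n)]
                     for i in range(n)]
        self.lin = [rng.getrandbits(m) for _ in range(n)]
        self.const = rng.getrandbits(m)

    def evaluate(self, x):
        """f(x) for x an n-bit integer (bit i = x_i); costs O(n^2) per point."""
        y = self.const
        for i in range(self.n):
            if x >> i & 1:
                y ^= self.lin[i]
                for j in range(i + 1, self.n):
                    if x >> j & 1:
                        y ^= self.quad[i][j]
        return y

    def second_derivative(self, k1, k2):
        """D_{k1}[k2]: the constant coefficient of x_k1 x_k2 (k1 != k2)."""
        return self.quad[min(k1, k2)][max(k1, k2)]


def naive_search(system):
    """Slide 117: evaluate f at every point, O(n^2 2^n)."""
    return [x for x in range(1 << system.n) if system.evaluate(x) == 0]


def fast_search(system):
    """Slide 123: Gray-code enumeration with cached first derivatives.
    z[k] holds D_k f at the point where x_k is next flipped.  Between two
    flips of the same k1 the enumeration point changed in exactly one bit
    that D_k1 f depends on (k2), so z[k1] is refreshed with one constant
    second derivative: two XORs per point."""
    n = system.n
    # First flip of x_0 happens at the point 0; first flip of x_k (k >= 1)
    # happens at GRAY(2^k - 1) = e_{k-1}, where D_k f = lin[k] + quad[k-1][k].
    z = [system.lin[0]] + [system.lin[k] ^ system.quad[k - 1][k] for k in range(1, n)]
    y = system.const  # f(0) = f(GRAY(0))
    solutions = [0] if y == 0 else []
    for i in range(1, 1 << n):
        k1 = lowest_set_bit(i)  # GRAY(i) = GRAY(i - 1) + e_k1
        k2 = second_lowest_set_bit(i)
        if k2 is not None:
            z[k1] ^= system.second_derivative(k1, k2)
        y ^= z[k1]  # y = f(GRAY(i))
        if y == 0:
            solutions.append(gray(i))
    return sorted(solutions)


if __name__ == "__main__":
    system = MQSystem(n=16, m=12, seed=7)
    fast = fast_search(system)
    print(f"{len(fast)} solution(s); agrees with naive search: {fast == naive_search(system)}")
```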
124 Efficient Implementation(s). [Table: number of cores, clock (GHz), cycles/iteration and running time for $n = 48$; the reported times are 1h35, 2h22 and 21 min.]
125 What About 80-bit Security? Not so long ago, 80-bit security was considered a decent level: 80 quadratic equations in 80 $\mathbb{F}_2$-variables offer 80 bits of security. The world's 3rd fastest computer (Nat. Center for Comp. Sciences) solves the problem in 18 years. Better results are possible with more ad hoc hardware.
126 Polynomial Equivalence Problems. Two vectors of $n$ multivariate quadratic polynomials in $n$ variables, related by secret invertible matrices $S$ and $T$: the public polynomials are $T \circ \psi \circ S$, equivalently $T^{-1} \circ (\text{public polynomials}) = \psi \circ S$. The Problem: given the public polynomials and $\psi$, find $S$ and $T$.
128 Complexity-Theoretic Status of PLE. Could PLE be solvable in deterministic polynomial time? Courtois-Goubin-Patarin, 1998: Graph Isomorphism $\le$ PLE (transform instances of GI into PLE), so we are …% sure that PLE $\notin$ P. Is it NP-hard? Courtois-Goubin-Patarin, Faugère-Perret, 2006: No!
129 Easy and Hard Cases. Inhomogeneous case: $f(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{ij} x_i x_j + \sum_{i=1}^{n} b_i x_i + c$; algorithms: Gröbner-based $O(n^9)$, Differential $O(n^6)$, Inversion-free To-n-Fro $O(n^3)$. Homogeneous case: $f(x) = \sum_{i=1}^{n} \sum_{j=i}^{n} a_{ij} x_i x_j$ (the hard case).
130 Dehomogenization. From $T \circ \zeta = \psi \circ S$, pick a point $x$ and set $\zeta'(z) = \zeta(z + x)$ and $\psi'(z) = \psi(z + S x)$; then $T \circ \zeta' = \psi' \circ S$, and the shifted maps are inhomogeneous.
131 Finding the Image of $S$ on One Point. Efficient algorithms are available once the image of $S$ is known on one point. Exhaustive search: $q^n$ trials... Natural approach: the birthday paradox. Try pairs $(x, y)$: assume $y = S x$, dehomogenize, solution found?
133 Machinery: A Key Tool for Multivariate Cryptanalysis. Given a quadratic map $\varphi : (\mathbb{F}_q)^n \to (\mathbb{F}_q)^n$, its differential is $D\varphi : (\mathbb{F}_q)^n \times (\mathbb{F}_q)^n \to (\mathbb{F}_q)^n$, $(x, y) \mapsto \varphi(x + y) - \varphi(x) - \varphi(y) + \varphi(0)$. $D\varphi$ is a symmetric bilinear map. From any quadratic map $\varphi$ we define an undirected graph $G_\varphi$: vertices $(\mathbb{F}_q)^n \setminus \{0\}$; edges $\{\, x - y \mid D\varphi(x, y) = 0 \,\}$. If $T \circ \zeta = \psi \circ S$, then $S$ is a graph isomorphism that sends $G_\zeta$ to $G_\psi$.
136 Topological Hashing. $S$ is a graph isomorphism that sends $G_\zeta$ to $G_\psi$, so $x$ and $S x$ have neighborhoods of the same shape: TOPOLOGY($x$) in $G_\zeta$ equals TOPOLOGY($S x$) in $G_\psi$. Topological Meet-in-the-Middle Algorithm: sample random points $x$ in $G_\zeta$ and store TOPOLOGY($x$) $\to x$; sample random points $y$ in $G_\psi$ and store TOPOLOGY($y$) $\to y$; for all colliding pairs, assume $y = S x$, dehomogenize, etc.
138 Topological Hashing: Extracting Little Information. Problem: deterministically extract topological information? Simple Solution: TOPOLOGY($x$) $=$ number of adjacent vertices. Sample $q^{n/3}$ points in both $G_\zeta$ and $G_\psi$. Running time $O(q^{2n/3})$, success probability close to 1.
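Added Python example, not from the talk, for the differential and graph of slides 133 to 136 and the degree-based TOPOLOGY($x$) on this slide: a random quadratic $\zeta$ over $(\mathbb{F}_2)^6$, random invertible $S$ and $T$ with $\psi \circ S = T \circ \zeta$, a check that $D\varphi$ is symmetric bilinear and that $x$ and $S x$ have the same degree, and the list of degree-matching candidates for $S x$. The choice $n = 6$, the seeds and the monomial-list representation are constructed here.

```python
import random


def parity(v):
    return bin(v).count("1") & 1


def mat_vec(rows, x):
    """Multiply an n x n matrix over F_2 (rows as n-bit ints) by the vector x."""
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i
    return y


def is_invertible(rows):
    """Gauss-Jordan elimination over F_2; True iff the square matrix has full rank."""
    rows = list(rows)
    for col in range(len(rows)):
        pivot = next((r for r in range(col, len(rows)) if rows[r] >> col & 1), None)
        if pivot is None:
            return False
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(len(rows)):
            if r != col and rows[r] >> col & 1:
                rows[r] ^= rows[col]
    return True


def random_invertible(n, rng):
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        if is_invertible(rows):
            return rows


def random_quadratic_map(n, rng):
    """n random quadratic polynomials in n variables over F_2, each stored as the
    list of its monomials (masks: 0 = constant, one bit = x_i, two bits = x_i x_j)."""
    monomials = [0] + [1 << i for i in range(n)]
    monomials += [(1 << i) | (1 << j) for i in range(n) for j in range(i + 1, n)]
    return [[m for m in monomials if rng.getrandbits(1)] for _ in range(n)]


def evaluate(poly_map, x):
    y = 0
    for i, monomials in enumerate(poly_map):
        bit = 0
        for m in monomials:
            if x & m == m:
                bit ^= 1
        y |= bit << i
    return y


def differential(phi, x, y):
    """D phi(x, y) = phi(x + y) - phi(x) - phi(y) + phi(0); over F_2, minus is XOR."""
    return phi(x ^ y) ^ phi(x) ^ phi(y) ^ phi(0)


def degree(phi, x, n):
    """Simple TOPOLOGY(x): number of vertices adjacent to x in G_phi
    (vertices are the nonzero points; x - y is an edge iff D phi(x, y) = 0)."""
    return sum(1 for y in range(1, 1 << n) if y != x and differential(phi, x, y) == 0)


def build_instance(n, seed):
    """A PLE instance: secret zeta, S, T with psi(S x) = T(zeta(x)).
    S^{-1} is drawn at random and S is tabulated from it, to avoid inverting."""
    rng = random.Random(seed)
    zeta_poly = random_quadratic_map(n, rng)
    s_inv = random_invertible(n, rng)
    t = random_invertible(n, rng)
    zeta = lambda x: evaluate(zeta_poly, x)
    psi = lambda u: mat_vec(t, zeta(mat_vec(s_inv, u)))
    s_map = {mat_vec(s_inv, u): u for u in range(1 << n)}  # S(x) = u iff S^{-1}(u) = x
    return zeta, psi, s_map


def is_symmetric_bilinear(phi, n, seed=0, trials=100):
    """Spot-check that D phi is symmetric and linear in its second argument."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, z = rng.getrandbits(n), rng.getrandbits(n), rng.getrandbits(n)
        if differential(phi, x, y) != differential(phi, y, x):
            return False
        if differential(phi, x, y ^ z) != differential(phi, x, y) ^ differential(phi, x, z):
            return False
    return True


def degrees_match(zeta, psi, s_map, n):
    """S is a graph isomorphism G_zeta -> G_psi, so deg(x) == deg(S x) for all x != 0."""
    return all(degree(zeta, x, n) == degree(psi, s_map[x], n) for x in range(1, 1 << n))


def candidates_by_degree(zeta, psi, x, n):
    """The topological meet-in-the-middle in its simplest form: the points y of
    G_psi that may equal S x are those with the same degree as x in G_zeta."""
    d = degree(zeta, x, n)
    return [y for y in range(1, 1 << n) if degree(psi, y, n) == d]
```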
139 Topological Hashing: Extracting Much More Information. The graphs are very sparse: tree-like (besides the small triangles). Kill the triangles to get an actual tree (BFS, no backward edges). The topology of trees is easy to encode.
140 Topological Hashing: Extracting Much More Information. Complicated Solution: TOPOLOGY($x$) $=$ tree encoding (depth $n \log n$); sample $q^{n/2}$ points with deep neighborhoods. Theorem: if the trees are random and independent, then $O(1)$ collisions (the probability of an accidental collision is negligible, even with exponentially many trees). Running time $O(q^{n/2})$, success probability close to 1.
141 Conclusion. 1 The MQ problem: faster exhaustive search over $\mathbb{F}_2$, $O(n^2 2^n) \to O(n 2^n) \to O(2^n)$; the 80-bit challenge is not strictly out of reach. 2 The PLE problem: faster polynomial algorithms for the inhomogeneous case, $O(n^9) \to O(n^6) \to O(n^3)$; first working birthday algorithm for the homogeneous case, $O(q^{3n}) \to O(q^n) \to O(q^{2n/3}) \to O(q^{n/2})$, currently known to work over $\mathbb{F}_2$, extension seems easy. The obfuscation technique is probably a bad idea.
142 My contributions: Hash Functions
Modes of Operation: New Generic 2nd-Preimage Attack and Applications
- Second Preimage Attacks on Dithered Hash Functions. Andreeva, Bouillaguet, Fouque, Hoch, Kelsey, Shamir, Zimmer [Eurocrypt 08]
- Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård. Andreeva, Bouillaguet, Dunkelman, Kelsey [SAC 09]
Provable Security Against 2nd-Preimage Attacks
- Practical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound. Bouillaguet, Fouque [submitted to IPL]
- Provable Second Preimage Resistance: an Impossibility Result. Bouillaguet [submitted to CT-RSA 12]
Indifferentiability in the Presence of Distinguishers
- Security Analysis of SIMD. Bouillaguet, Fouque, Leurent [SAC 10]
143 My contributions: Symmetric Cryptanalysis
Low-Data Complexity Attacks on the AES
- Low Data Complexity Attacks on AES. Bouillaguet, Derbez, Dunkelman, Fouque, Keller, Rijmen [submitted to IEEE IT]
- Automatic Search of Attacks on round-reduced AES and Applications. Bouillaguet, Derbez, Fouque [Crypto 11]
Other Results
- Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques. Bouillaguet, Fouque [SAC 08]
- Another Look at the Complementation Property. Bouillaguet, Dunkelman, Fouque, Leurent [FSE 10]
- Attacks on Hash Functions based on Generalized Feistel: Application to Reduced-Round Lesamnta and SHAvite-3_512. Bouillaguet, Dunkelman, Fouque, Leurent [SAC 10]
- New Insights on Impossible Differential Cryptanalysis. Bouillaguet, Dunkelman, Fouque, Leurent [SAC 11]
144 My contributions: Multivariate Cryptanalysis
Attacks Against Multivariate Schemes
- A Family of Weak Keys in HFE and the Corresponding Practical Key-Recovery. Bouillaguet, Fouque, Joux, Treger [J. Math. Crypto]
- Practical Key-Recovery For All Possible Parameters of SFLASH. Bouillaguet, Fouque, Macario-Rat [Asiacrypt 11]
Algorithms for Multivariate Hard Problems
- Fast Exhaustive Search for Polynomial Systems in $\mathbb{F}_2$. Bouillaguet, Chen, Cheng, Chou, Niederhagen, Shamir, Yang [CHES 10]
- Practical Cryptanalysis of the Identification Scheme Based on the Isomorphism of Polynomial With One Secret Problem. Bouillaguet, Faugère, Fouque, Perret [PKC 11]
145 And... Thank You
146 And Now The Part We Were All Waiting For
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSecond Preimage Attacks on Dithered Hash Functions
Second Preimage Attacks on Dithered Hash Functions Charles Bouillaguet 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Sebastien Zimmer 1 1 École normale supérieure Département d Informatique 45, rue d Ulm
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1,Jérémy Jean 1(B),Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationAttacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512
Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationDifferential Cryptanalysis for Multivariate Schemes
Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More information