Data Complexity and Success Probability for Various Cryptanalyses
|
|
- Marilyn Sims
- 5 years ago
- Views:
Transcription
1 Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 1 / 47
2 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 2 / 47
3 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 3 / 47
4 Context We focus on symmetric cryptography. Block cipher Block of ciphertext are function of block of plaintext and key. Stream cipher Bits of ciphertext are obtained by a XOR between bits of plaintext and bits of pseudo random keystream. Hash function Arbitrary block of data are reduced to a fixed-size bit string. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 4 / 47
5 Statistical Attacks Some statistical attacks against stream ciphers and hash functions. Some known statistical cryptanalyses against block ciphers: linear cryptanalysis [Matsui 93]; differential cryptanalysis [Biham Shamir 91]; truncated differential cryptanalysis [Knudsen 94]; higher order differential cryptanalysis [Knudsen 94]; impossible differential cryptanalysis [Biham Biryukov Shamir 99];... Statistical Attacks More generally a statistical attack aims at distinguishing two probability distributions to obtain information on the key of the cipher. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 5 / 47
6 Linear Cryptanalysis Approximation of the form: π I (I) π K (K) = π O (O) F Probability of a linear approximation: 1 + ε with ε small. 2 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 6 / 47
7 Differential Cryptanalysis I I 1 I 2 Equation of the form F(x) + F(x + I ) = O K F O 1 O 2 O Probability of a differential equation: c with c large. 2s Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 7 / 47
8 Truncated Differential Cryptanalysis 1?10?..?1 I 1 I 2 Equation of the form a such that π I (a) = A π O (F(x) + F(x + a)) = b K F O 1 O 2 0???0..?? Probability of a truncated differential equation c with c small. 2t Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 8 / 47
9 Notation We have N samples: S 1,, S N. The composition of the sample depends on the type of cryptanalysis: One couple of known plaintext ciphertext (linear cryptanalysis). Two couples of chosen plaintext ciphertext (differential cryptanalysis).... Subkey: Studied bits of the key. Candidate: A possible subkey. n: Number of candidates k 0...k n 1. k 0 : The good candidate. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 9 / 47
10 Steps of Statistical Attacks 1 Distillation phase: some statistic Σ is extracted from the available data. 2 Analysis phase: from Σ, the likelihood of each possible subkey is computed and a list L of the likeliest keys is suggested. 3 Search phase: for each subkey in L, all the possible corresponding master keys are exhaustively tried until the good one is found. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 10 / 47
11 Using a Characteristic Let χ be some characteristic on a given cipher. { 1 if χ occurs in sample Si, X i = 0 otherwise. N samples k = k 0 k k 0 differential, linear differential-linear truncated differential, impossible differential,... Characteristic (X 1,...X N ) P(X i = 1 k = k 0) = p 0 (X 1,...X N ) P(X i = 1 k k 0) = p S k0 = N i=1 X i follows a binomial law of parameters (N, p 0 ). k k 0, S k = N i=1 X i follows a binomial law of parameters (N, p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 11 / 47
12 Problematic Important quantities in statistical cryptanalysis: N: Data Complexity P S : Success Probability l = #L: Size of the list of kept keys Aim Evaluate the data complexity, the success probability and relate both quantities. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 12 / 47
13 Paradigm Fixed threshold (T) Fixed size of list (l) L = {k i, S ki > T }. l def = #L, k L, k / L S k > S k α def = Pr[k 0 L]. β def = Pr[k k 0, k L]. P S def = Pr[k 0 L]. l/n: ratio of kept keys. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 13 / 47
14 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 14 / 47
15 Gaussian Approximation of Binomial Tails P [S k T] T/N 1 e N(x p) 2πNp(1 p) 2 2p(1 p) dx Classically used in linear cryptanalysis: [Matsui 93,94]; [Gilbert 97]; [Junod 01,03,05]; [Selçuk 08] But not accurate for any N p. For instance, when N p is too small as in differential cryptanalysis [Selçuk 08]. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 15 / 47
16 Poisson Approximation of Binomial Tails P [S k T] T i=0 e Np (Np)i i! Implicitly used in differential cryptanalysis: [Biham Shamir 91,93]; [Gilbert 97]; [Selçuk 08] But not accurate for any N p. For instance, when N p is too big as in linear cryptanalysis. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 16 / 47
17 Good Approximation of Binomial Tails Binomial tail: P [S k Nτ] = Nτ i=0 ( ) N p i (1 p) N i i Theorem P(S k Nτ) N p 1 τ (p τ) 2πNτ 2 N D(τ p). Where the Kullback-Leibler divergence is defined by: D (p q) def = p log 2 ( p q ) + (1 p)log 2 ( 1 p 1 q ). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 17 / 47
18 Comparison Exact Poisson Gaussian Ours Lin Crypt: p = 0.5 p 0 = Diff Crypt: p = 2 27 p 0 = 2 20 Trunc Diff(1): p = 2 4 p 0 = Trunc Diff(2): p = 2 15 p 0 = β α β α β α β α Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 18 / 47
19 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 19 / 47
20 Fixed Threshold Method Neyman-Pearson (optimal) test: Accept a candidate k if P(X 1, X 2,...,X N k = k 0 ) P(X 1, X 2,...,X N k k 0 ) > t. This (likelihood) ratio only depends on S k = N i=1 X i, p 0 and p and is increasing in S k. Thus, the acceptance condition becomes, for some threshold 0 < T < N, If S k T then k L else k / L Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 20 / 47
21 Error Probabilities Non-detection error probability p 0 1 τ P(k 0 / L) = P(S k0 < T) N (p 0 τ) 2πNτ 2 N D(τ p0) ; False alarm error probability (1 p) τ k k 0 P(k L) = P(S k T) N (τ p) 2πN(1 τ) 2 N D(τ p). τ def = T/N: Relative threshold Aim Finding N minimal such that it exists T such that P(S k0 < T) α and P(S k T, k k 0 ) β for given values of α and β. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 21 / 47
22 Algorithm for finding N (1/2) Some properties: For a fixed τ = T, error probabilities decrease when N increases. N For a fixed N, non-detection error increases with τ. For a fixed N, false alarm error decreases when τ increases. Idea Dichotomic search for τ. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 22 / 47
23 Algorithm for finding N (2/2) Input: (α,β) and (p 0,p) Output: N and τ the minimum number of samples and the corresponding relative threshold to reach error probabilities less than (α,β). τ min p and τ max p 0. repeat τ τ min + τ max. 2 Compute N nd such that N > N nd, P(S k0 < Nτ) α. Compute N fa such that N > N fa, P(S k Nτ, k k 0 ) β. if N nd > N fa then τ max = τ else τ min = τ until N nd = N fa. return N and τ. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 23 / 47
24 Approximation of the Data Complexity (1) Aim: Finding a simple formula to estimate the data complexity. Fixing τ = p 0 simplifies the problem. Thus α is close to 50%. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 24 / 47
25 Approximation of the Data Complexity (2) β = (1 p) p 0 (p 0 p) 2πN(1 p 0 ) 2 N D(p 0 p). N = f (N) = log(λβ N) D (p 0 p) where λ = (p 0 p) 2π(1 p 0 ) (1 p) p 0. N i+1 = f (N i ), N 1 = 1 Theorem [ ( ) ] N 3 = N 1 λβ = log log ( log(λβ)) D (p 0 p) D (p0 p) Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 25 / 47
26 Approximation of the Data Complexity (3) Theorem with θ = N N N [ 1 + [ log(λβ) log ( log(λβ) D(p 0 p))] 1. ] (θ 1)log(θ) log(n, ) This is a good approximation of N when β tends to 0. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 26 / 47
27 Experimental Results (1) log 2 (N) Our Gauss Poisson N log 2 (N) Our Gauss Poisson N log 2 (β) log 2 (β) Differential cryptanalysis of DES Linear cryptanalysis of DES p 0 = , p = 2 64 p 0 = , p = 0.5 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 27 / 47
28 Experimental Results (2) Our N 22.5 Our N log 2 (N) log 2 (β) log 2 (N) log 2 (β) Truncated differential (1) Truncated differential (2) p 0 = , p = 2 4 p 0 = , p = 2 15 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 28 / 47
29 Simplified Formula for the Data Complexity Recall that: [ ( ) ] N 1 λβ = log log ( log(λβ)) D (p 0 p) D (p0 p) Using Taylor series, 1 D (p0 p) 2 π λ. Theorem N N N = log(2 πβ) D (p 0 p). Rule The best cryptanalysis is the one with the largest D (p 0 p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 29 / 47
30 Behavior of the Data Complexity for Statistical Attacks (1) Attack Classical results 1 D (p 0 p) Linear Differential Differential-linear 1 1 (p 0 p) 2 2(p 0 p) p 0 p 0 log 2 (p 0 /p) p (p 0 p) 2 2(p 0 p) 2 Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 30 / 47
31 Behavior of the Data Complexity for Statistical Attacks (2) Attack Classical results 1 D (p 0 p) Truncated differential unknown 2p (p 0 p) 2 Impossible differential implicitly: 1 p 1 p k-th order differential 1 1 log 2 p Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 31 / 47
32 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 32 / 47
33 Notation We have n possible candidates: k 0, the correct one; k 1,...,k n 1. For all random variables, S kj { B(N, p0 ) if j = 0, B(N, p) if j 0. P s = P(k 0 L) Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 33 / 47
34 Order Statistic Tools We want to keep a list L of size l which contains the most likely candidates. k / L, k L S k < S k We sort S k1,...,s kn 1 in decreasing order S k 1,...S k n 1. P S = P[k 0 L] = P[S k l < S k0 ]. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 34 / 47
35 [Selçuk 2008] s Result Using a normal approximation: S k0 S k0 def N(Np 0, Np 0 (1 p 0 )), density ϕ 0 (t) k k 0, S k S k def N(Np, Np(1 p)), density ϕ(t) P S Φ 1 (1 l/n) ϕ 0 (t) dt. Φ(u) def = u ϕ(t)dt, Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 35 / 47
36 Our Result Without approximation: S k0 B(N, p 0 ), k k 0 S k B(N, p). Theorem N P S P[S k0 = i]. i=f 1 (1 (l 1)/(n 2)) Where F 1 (y) def = min x N {P[S k k 0 x] y}. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 36 / 47
37 Comparison Using a normal approximation: P S P( S k0 > τ) where P( S k < τ) = 1 l n. Without approximation: P S P(S k0 > τ) where P(S k < τ) = 1 l 1 n 2. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 37 / 47
38 Experimental Result and Comparison with Selçuk Type of Parameters Experimental cryptanalysis N = 2 48 n = 2 20 results Ours Selcuk Linear l = Linear l = Differential l = Differential l = Linear: p = 0.5 and p 0 = Differential: p = 2 64 and p 0 = Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 38 / 47
39 Sketch of Proof (1/2) S k 1,...S k n 1 : Order statistics P S = P[S k l < S k0 ]. For j 0, F(x) def = P[S kj x]. The function F is increasing: P S = P [ F(S k l ) < F(S k0 ) ]. And, F(S kj ) U([0; 1]) = F(S k l ) Beta(n l 1, l 1). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 39 / 47
40 Sketch of Proof (2/2) g(t) def = (n 1) ( ) l 1 t n l 1 (1 t) l 1. n 2 P S = N P[S k0 = i] i=0 F(i) 0 g(t) dt. P[X0 = i] F(i) 0 g(t) dt The maximum of g is reached in t 0 = 1 l 1 n 2. Step in the figure at point i = F 1 (t 0 ). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 40 / 47
41 Error Term P[X0 = i] F(i) 0 g(t) dt Selçuk: no error term δ def = F 1 (1 l 1 n 2 ) 1 i=0 P[S k0 = i] Theorem ( ) ln(l/δ P S = 1 δ + O δ 2 ) + 1 l l n Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 41 / 47
42 Outline 1 Introduction 2 Approximations of Binomial Tails 3 On the Data Complexity 4 On the Success Probability 5 Relationship between Data Complexity and Success Probability Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 42 / 47
43 Data Complexity With fixed threshold method, we obtain: An accurate algorithm A formula with an error estimate [ ( ) ] N 1 λβ = log log ( log(λβ)), D (p 0 p) D (p0 p) A simpler formula N = log(2 πβ) D (p 0 p). Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 43 / 47
44 Success Probability With a list of fixed size method, we obtain: a generalization of Selçuk s formula; an error term. ( ) ln(l/δ P S = 1 δ + O δ 2 ) + 1 l l n δ def = F 1 (1 l 1 n 2 ) 1 i=0 P[S k0 = i], Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 44 / 47
45 Link Idea β probability to kept a bad key. l/n ratio of kept keys. Taking N with N = c ( log 2 π l ) n. D (p 0 p) Link between P S and N We notice that using N of the previous form, gives us that P S only depends on the constant c. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 45 / 47
46 Experimental Results c = 1 c = 1.5 l l L L TD TD D D Success probability express in percent for: Linear, Differential and Truncated Differential cryptanalysis Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 46 / 47
47 Conclusion Removing the Gaussian or Poisson assumption, this work provides: An accurate algorithm for computing the data complexity; The asymptotic formula of the data complexity; The asymptotic behavior of the data complexity for some statistical attacks; A general formula expressing the success probability; A link between the data complexity and the success probability. Perspectives: Generalizing this work to other distributions than Bernoulli; Studying stream ciphers and hash functions. Blondeau, Gérard and Tillich. Data Complexity and Success Probability for Various Cryptanalyses 47 / 47
Data complexity and success probability of statisticals cryptanalysis
Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity
More informationMultiple Differential Cryptanalysis: Theory and Practice
Multiple Differential Cryptanalysis: Theory and Practice Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.Gérard. Multiple differential cryptanalysis
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationand Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27
Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationKey Recovery with Probabilistic Neutral Bits
ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland Outline Motivation Probabilistic
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationOn Correlation Between the Order of S-boxes and the Strength of DES
On Correlation Between the Order of S-boxes and the Strength of DES Mitsuru Matsui Computer & Information Systems Laboratory Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan
More informationLinear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Luxemburg January 2017 Outline Introduction
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationAnother Look at Normal Approximations in Cryptanalysis
Another Look at Normal Approximations in Cryptanalysis Subhabrata Samajder and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T.Road, Kolkata, India - 700108. {subhabrata r,palash}@isical.ac.in
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationComputing the biases of parity-check relations
Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET
More informationOn Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers
On Data Complexity of Distinguishing Attacks vs. Message Recovery Attacks on Stream Ciphers Goutam Paul Souvik Ray Abstract We revisit the different approaches used in the literature to estimate the data
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationHermelin, Miia; Cho, Joo Yeon; Nyberg, Kaisa Multidimensional Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Hermelin, Miia; Cho, Joo Yeon; Nyberg,
More informationOn Distinct Known Plaintext Attacks
Céline Blondeau and Kaisa Nyberg Aalto University Wednesday 15th of April WCC 2015, Paris Outline Linear Attacks Data Complexity of Zero-Correlation Attacks Theory Experiments Improvement of Attacks Multidimensional
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationOn the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2
On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 Andrey Bogdanov 1 and Elmar Tischhauser 2 1 Technical University of Denmark anbog@dtu.dk 2 KU Leuven and iminds, Belgium
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationRevisiting the Wrong-Key-Randomization Hypothesis
Revisiting the Wrong-Key-Randomization Hypothesis Tomer Ashur, Tim Beyne, and Vincent Rijmen ESAT/COSIC, KU Leuven and iminds, Leuven, Belgium [tomer.ashur,vincent.rijmen] @ esat.kuleuven.be [tim.beyne]
More informationOn Multiple Linear Approximations
On Multiple Linear Approximations Alex Biryukov, Christophe De Cannière, and Michael Quisquater Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationAlgebraic Attack Against Trivium
Algebraic Attack Against Trivium Ilaria Simonetti, Ludovic Perret and Jean Charles Faugère Abstract. Trivium is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationLinear Cryptanalysis Using Multiple Linear Approximations
Linear Cryptanalysis Using Multiple Linear Approximations Miia HERMELIN a, Kaisa NYBERG b a Finnish Defence Forces b Aalto University School of Science and Nokia Abstract. In this article, the theory of
More informationAttack on Broadcast RC4
Attack on Broadcast RC4 Revisited S. Maitra 1 G. Paul 2 S. Sen Gupta 1 1 Indian Statistical Institute, Kolkata 2 Jadavpur University, Kolkata FSE 2011, Lyngby, Denmark 15 February 2011 Outline of the Talk
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationCorrelations in Populations: Information-Theoretic Limits
Correlations in Populations: Information-Theoretic Limits Don H. Johnson Ilan N. Goodman dhj@rice.edu Department of Electrical & Computer Engineering Rice University, Houston, Texas Population coding Describe
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationNew Results in the Linear Cryptanalysis of DES
New Results in the Linear Cryptanalysis of DES Igor Semaev Department of Informatics University of Bergen, Norway e-mail: igor@ii.uib.no phone: (+47)55584279 fax: (+47)55584199 May 23, 2014 Abstract Two
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationStream Ciphers: Cryptanalytic Techniques
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic
More informationPublication VII Springer Science+Business Media. Reprinted with kind permission from Springer Science and Business Media.
Publication VII Miia Hermelin and Kaisa Nyberg. 2010. Dependent linear approximations: The algorithm of Biryukov and others revisited. In: Josef Pieprzyk (editor). Topics in Cryptology. Proceedings of
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationChapter 2. Binary and M-ary Hypothesis Testing 2.1 Introduction (Levy 2.1)
Chapter 2. Binary and M-ary Hypothesis Testing 2.1 Introduction (Levy 2.1) Detection problems can usually be casted as binary or M-ary hypothesis testing problems. Applications: This chapter: Simple hypothesis
More informationA New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent
A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg Helsinki University of Technology, Department of Information
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationDistinguishing Attacks on T-functions
Distinguishing Attacks on T-functions Simon Künzli 1, Pascal Junod 2, and Willi Meier 1 1 FH Aargau, 5210 Windisch, Switzerland, 2 Nagravision SA (Kudelski Group), 1033 Cheseaux, Switzerland Abstract.
More informationExperimenting Linear Cryptanalysis
Experimenting Linear Cryptanalysis Baudoin Collard, François-Xavier Standaert UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationCryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE
Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80 Achterbahn [Gammel-Göttfert-Kniffler05]...
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationFast Correlation Attacks: An Algorithmic Point of View
Fast Correlation Attacks: An Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof, F-92131 Issy-les-Moulineaux cedex, France, Philippe.Chose@ens.fr,
More informationMATH 509 Differential Cryptanalysis on DES
MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationAbstract Differential and linear cryptanalysis, two of the most important techniques in modern block cipher cryptanalysis, still lack a sound, general
On Probability of Success in Differential and Linear Cryptanalysis Ali Ayd n Selοcuk 1 Network Systems Lab, Department of Computer Science, and Center for Education and Research in Information Assurance
More informationWieringa, Celine; Nyberg, Kaisa Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Wieringa, Celine; Nyberg, Kaisa Improved
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationDifferential Cryptanalysis and Boomerang Cryptanalysis of LBlock
Differential Cryptanalysis and Boomerang Cryptanalysis of LBlock Jiageng Chen, Atsuko Miyaji To cite this version: Jiageng Chen, Atsuko Miyaji. Differential Cryptanalysis and Boomerang Cryptanalysis of
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationLecture 8: Information Theory and Statistics
Lecture 8: Information Theory and Statistics Part II: Hypothesis Testing and I-Hsiang Wang Department of Electrical Engineering National Taiwan University ihwang@ntu.edu.tw December 23, 2015 1 / 50 I-Hsiang
More informationA Weak Cipher that Generates the Symmetric Group
A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationGENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay
Volume X, No. 0X, 0xx, X XX doi:0.3934/amc.xx.xx.xx GENERALIZED NONLINEARITY OF -BOXE ugata Gangopadhyay Department of Computer cience and Engineering, Indian Institute of Technology Roorkee, Roorkee 47667,
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationRelated-Key Statistical Cryptanalysis
Related-Key Statistical Cryptanalysis Darakhshan J. Mir Department of Computer Science, Rutgers, The State University of New Jersey Poorvi L. Vora Department of Computer Science, George Washington University
More informationChosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers
Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers Simon Fischer 1, Shahram Khazaei 2, and Willi Meier 1 1 FHNW and 2 EPFL (Switzerland) AfricaCrypt 2008, Casablanca - June 11-14
More informationMachine learning - HT Maximum Likelihood
Machine learning - HT 2016 3. Maximum Likelihood Varun Kanade University of Oxford January 27, 2016 Outline Probabilistic Framework Formulate linear regression in the language of probability Introduce
More informationRelated-Key Rectangle Attack on 42-Round SHACAL-2
Related-Key Rectangle Attack on 42-Round SHACAL-2 Jiqiang Lu 1, Jongsung Kim 2,3, Nathan Keller 4, and Orr Dunkelman 5 1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20
More informationCS Lecture 19. Exponential Families & Expectation Propagation
CS 6347 Lecture 19 Exponential Families & Expectation Propagation Discrete State Spaces We have been focusing on the case of MRFs over discrete state spaces Probability distributions over discrete spaces
More informationPractically Secure against Differential Cryptanalysis for Block Cipher SMS4
Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 Zhang MeiLing 1, Liu YuanHua 1, Liu JingMei 2,3, Min XiangShen 1 1. School of communication and information engineering, Xi an
More informationIf there exists a threshold k 0 such that. then we can take k = k 0 γ =0 and achieve a test of size α. c 2004 by Mark R. Bell,
Recall The Neyman-Pearson Lemma Neyman-Pearson Lemma: Let Θ = {θ 0, θ }, and let F θ0 (x) be the cdf of the random vector X under hypothesis and F θ (x) be its cdf under hypothesis. Assume that the cdfs
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationRevisiting Roos Bias in RC4 Key Scheduling Algorithm
Revisiting Roos Bias in RC4 Key Scheduling Algorithm Santanu Sarkar, Ayineedi Venkateswarlu To cite this version: Santanu Sarkar, Ayineedi Venkateswarlu. Revisiting Roos Bias in RC4 Key Scheduling Algorithm.
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationDistinguishing Attack on Common Scrambling Algorithm
410 The International Arab Journal of Information Technology, Vol. 12, No. 4, July 2015 Distinguishing Attack on Common Scrambling Algorithm Kai Zhang and Jie Guan Zhengzhou Information Science and Technology
More informationOutline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3
Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48
More informationDifferential Analaysis of Block Ciphers SIMON and SPECK
1 / 36 Differential Analaysis of Block Ciphers SIMON and SPECK Alex Biryukov, Arnab Roy, Vesselin Velichkov 2 / 36 Outline Introduction Light-Weight Block Ciphers: SIMON and SPECK Differential Anlaysis
More informationThe peculiarities of the model: - it is allowed to use by attacker only noisy version of SG C w (n), - CO can be known exactly for attacker.
Lecture 6. SG based on noisy channels [4]. CO Detection of SG The peculiarities of the model: - it is alloed to use by attacker only noisy version of SG C (n), - CO can be knon exactly for attacker. Practical
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationOn the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010
Introduction Boolean functions 2nd order nonlinearity Summary ARXH PROSTASIAS_APOLOGISMOS 2010.indd 1 20/04/2011 12:54 ΜΜ On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ
More informationProbability Distributions - Lecture 5
Probability Distributions - Lecture 5 1 Introduction There are a number of mathematical models of probability density functions that represent the behavior of physical systems. In this lecture we explore
More information