On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure
|
|
- Andrew Sharp
- 5 years ago
- Views:
Transcription
1 On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure Alex Biryukov, Léo Perrin University of Luxembourg January 13, / 42
2 Introduction Skipjack Block cipher released by the NSA in block = 64 bits ; key = 80 bits ; 32 rounds 2 / 42
3 Introduction Facts / Denitions F is the 8x8 F-Table (S-Box) of Skipjack Algebraic degree: 7 Cycle lengths: 2, 10, 45, 68, / 42
4 Introduction Facts / Denitions F is the 8x8 F-Table (S-Box) of Skipjack Algebraic degree: 7 Cycle lengths: 2, 10, 45, 68, 131 Distribution of the coecients in the DDT and LAT of F (Note: we remove the rst line and column from them) D δ, = #{x GF (2 8 ), F (x + δ) + F (x) = } L a,b = #{x GF (2 8 ), a x = b S(x)} / 42
5 Introduction Distributions comparison Skipjack Random AES Di. Spec max a,b 1{L a,b} / 42
6 Introduction Distributions comparison Skipjack Random AES Di. Spec max a,b 1{L a,b} F is not very impressive... Picked uniformly random? Design criteria? Hidden structure? 4 / 42
7 Introduction Question How much information can we gather from the analysis of an S-Box? Can we reverse-engineer the design process used? 5 / 42
8 Identifying the Structure of an S-Box Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 6 / 42
9 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) 7 / 42
10 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) "2-rounds public key system with S-Boxes": Attempt at public key crypto using an ASASA structure. Broken (Biham 2000). SASAS: it is possible to recover all components from a 3-rounds Substitution-Permutation Network (Biryukov, Shamir 2001). 7 / 42
11 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) "2-rounds public key system with S-Boxes": Attempt at public key crypto using an ASASA structure. Broken (Biham 2000). SASAS: it is possible to recover all components from a 3-rounds Substitution-Permutation Network (Biryukov, Shamir 2001). Fails on Skipjack: not a Substitution-Permutation Network with 3 rounds. 7 / 42
12 Identifying the Structure of an S-Box Simple Algebraic Expression Finding a simple algebraic expression Tree-search Score based on coecients in the DDT Operations:,, <<< n, k 8 / 42
13 Identifying the Structure of an S-Box Simple Algebraic Expression Finding a simple algebraic expression Tree-search Score based on coecients in the DDT Operations:,, <<< n, k Works on φ 3, φ : x 3 ((3 y 0x53) >>> 4 ) 0x8b... Fails on Skipjack: no simple algebraic structure. 8 / 42
14 Identifying the Structure of an S-Box Feistel Network Recovering Feistel functions for a Feistel Network Suppose that a n n S-Box was built using a two-branched Feistel Network (Robin, Zorro). Can we recover it? 9 / 42
15 Identifying the Structure of an S-Box Feistel Network Distinguishing attacks Against Feistel Networks r-rounds Feistel Network with two n-bits branches Luby-Racko: secure if r 4 and D << 2 n/2 Patarin showed: r 6 is enough for D << 2 n(1 ɛ) ( ) Any r: D = O(r 2 n ), T = O 2 kn2 n 10 / 42
16 Identifying the Structure of an S-Box Feistel Network Distinguishing attacks Against Feistel Networks r-rounds Feistel Network with two n-bits branches Luby-Racko: secure if r 4 and D << 2 n/2 Patarin showed: r 6 is enough for D << 2 n(1 ɛ) ( ) Any r: D = O(r 2 n ), T = O 2 kn2 n... What if D = 2 2n?... What if distinguishing is not enough?... What if modular addition is used instead of XOR? 10 / 42
17 Identifying the Structure of an S-Box Feistel Network CNF encoding Variables for each unknown S-Box: x 2 x 1 x 0 f 2 f 1 f s 0 2 s 0 1 s s 1 2 s 1 1 s s 2 2 s 2 1 s s 3 2 s 3 1 s / 42
18 Identifying the Structure of an S-Box Feistel Network CNF encoding Variables for each unknown S-Box: Encoding one round (example): x 2 x 1 x 0 f 2 f 1 f s 0 2 s 0 1 s s 1 2 s 1 1 s s 2 2 s 2 1 s s 3 2 s 3 1 s ( ) x R 2 x R 1 x R 0 = (f2 = s2) 1 xor: y R 2 = x L 2 f 2 mod. add.: y R 2 = x L 2 f 2 c 2, c 2 = Maj(c 1, x R 1, f 1 ) y L 2 = x R 2 11 / 42
19 Identifying the Structure of an S-Box Feistel Network High level algorithm 1 Assume a sequence (e.g. {a, b, c, a, c}) 2 Generate variables for each assumed S-Box (e.g. 3 sets) 3 For all c = S(p): 1 For all rounds: 1 For all inputs x R : encode the S-Box output 2 Encode y R = x L S r (x R ) or y R = x L S r (x R ) 3 Encode the equality of y L and x R 2 Encode that 1st input is p and last output is c 4 Solve with SAT-solver 5 If CNF is satisable 6 Else 1 Recover S-Boxes from assignment 2 return "Feistel" return "not a Feistel" 12 / 42
20 Identifying the Structure of an S-Box Feistel Network Results 4-rounds Feistel S-Boxes (, ): Dimensions 8x8 10x10 12x12 Time decomposing < Time discarding Time Decomposing < 1 s < 30 s < 10 min Decomposing more rounds depends on the sequence (e.g. "ababab" is easy) 13 / 42
21 Identifying the Structure of an S-Box Feistel Network Results 4-rounds Feistel S-Boxes (, ): Dimensions 8x8 10x10 12x12 Time decomposing < Time discarding Time Decomposing < 1 s < 30 s < 10 min Decomposing more rounds depends on the sequence (e.g. "ababab" is easy) Skipjack's F is not: a -Feistel (odd parity) a -Feistel with 4 independent rounds a -Feistel with 8 identical rounds 13 / 42
22 Ruling out Randomness Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 14 / 42
23 Ruling out Randomness Jackson Pollock Pattern Recognition Jackson Pollock Pattern Recognition Use the eye! 15 / 42
24 Ruling out Randomness Jackson Pollock Pattern Recognition Jackson Pollock Pattern Recognition Use the eye! (and redecorate your living-room with abstract crypto-art) 15 / 42
25 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of the AES S-Box 16 / 42
26 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of φ 2 17 / 42
27 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of the Gold S-Box 18 / 42
28 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of Skipjack's F-Table 19 / 42
29 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of the AES S-Box 20 / 42
30 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of CLEFIA's S-Box 0 21 / 42
31 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Iceberg's S-Box 22 / 42
32 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of SAFER+'s S-Box 23 / 42
33 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Zorro's S-Box 24 / 42
34 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Zorro's S-Box (ltered) 25 / 42
35 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Skipjack's F-Table 26 / 42
36 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure 27 / 42
37 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure Fails on Skipjack: no "visible" structure. 27 / 42
38 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure Fails on Skipjack: no "visible" structure.... It would denitely look nice in your living room. > 27 / 42
39 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern 28 / 42
40 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern Maybe it was picked uniformly at random after all? 28 / 42
41 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern Maybe it was picked uniformly at random after all? Breakthrough The distribution of the coecients in the DDT and LAT of random S-Boxes is xed ( 2 16 samples from xed distribution). 28 / 42
42 Ruling out Randomness Looking Back at the Tables Comparing the distributions of {D δ, } δ, 1 29 / 42
43 Ruling out Randomness Looking Back at the Tables Comparing the distributions of {L a,b} a,b 1 30 / 42
44 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P / 42
45 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P / 42
46 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P Mismatch in the dierential properties explained by the linear one: D δ, = 2 2 2n ( 1) a δ b L 2. a,b a GF (2 8 ) b GF (2 8 ) 31 / 42
47 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P Mismatch in the dierential properties explained by the linear one: D δ, = 2 2 2n ( 1) a δ b L 2. a,b a GF (2 8 ) b GF (2 8 ) Success (at last) Skipjack's F was not chosen uniformly at random 31 / 42
48 Skipjack's F-Table's Design Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 32 / 42
49 Skipjack's F-Table's Design A Possible Design Criteria Measuring how good the LAT coe. dist. is We dene R(S) for an S-Box S with LAT L as: R(S) = l 0 N l 2 l, N l = #{x LAT, x = l} 33 / 42
50 Skipjack's F-Table's Design A Possible Design Criteria Measuring how good the LAT coe. dist. is We dene R(S) for an S-Box S with LAT L as: R(S) = l 0 N l 2 l, N l = #{x LAT, x = l} Optimising R (outline): 1 Generate S at random 2 Compute LAT(S) 3 Identify the set X (l) of all inputs contributing to one of the high coecients l 4 Find (x, y) X (l) 2 such that R(S ) < R(S) where S (x) = S(y), S (y) = S(x). 5 Return S We can stop when the algorithm fails or when R is below some threshold. 33 / 42
51 Skipjack's F-Table's Design A Possible Design Criteria Results when imitating F Figure: Threshold = 10 10, R(F ) / 42
52 Skipjack's F-Table's Design A Possible Design Criteria Results for full optimization Figure: Threshold: 35 / 42
53 Skipjack's F-Table's Design A Possible Design Criteria Results when only using max value Figure: R(S) = (max(l), N max(l) ) 36 / 42
54 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F / 42
55 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. 37 / 42
56 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. Still, the shape of the curve is hard to imitate (slight bump, cli, small maximum). 37 / 42
57 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. Still, the shape of the curve is hard to imitate (slight bump, cli, small maximum). Success (kind of) They have likely used a similar criteria (low sum of number of high values, high weight for high values) and optimized for it. 37 / 42
58 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 38 / 42
59 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 38 / 42
60 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 38 / 42
61 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 38 / 42
62 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 1995, Sep: Schneier analyses S-1 and quotes: The enclosed Informal Technical Report revises the F-table in SKIPJACK 3. No other aspect of the algorithm is changed. 38 / 42
63 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 1995, Sep: Schneier analyses S-1 and quotes: The enclosed Informal Technical Report revises the F-table in SKIPJACK 3. No other aspect of the algorithm is changed. 1998, May 20: Skipjack ocially released by NSA 38 / 42
64 Conclusion Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 39 / 42
65 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. 40 / 42
66 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. Skipjack's F was not random Linear properties optimized, perhaps using something similar to R 4, / 42
67 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. Skipjack's F was not random Linear properties optimized, perhaps using something similar to R 4,22. NSA's "Cryptolog" (internal crypto newspaper) mentions Matsui and Yamagishi's paper. Change made in 2 months? Is it badly optimized from lack of time? Or was linear cryptanalysis known before hand? 40 / 42
68 Conclusion Open Questions How can we build a large S-Box or a small program in such a way as to hide the simple structure used to generate it? 41 / 42
69 Conclusion Open Questions How can we build a large S-Box or a small program in such a way as to hide the simple structure used to generate it? Motivations: Build large S-Boxes from smaller ones? Implementation? Masking? Hide malicious property? White-Box crypto? Assymetric proof of work? Something else? 41 / 42
70 Conclusion Challenge! 3 S-Boxes, 3 structures. Can you decompose them? 42 / 42
On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure
On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure Alex Biryukov and Léo Perrin alex.biryukov@uni.lu, leo.perrin@uni.lu University of Luxembourg, SnT Abstract. S-Boxes are the key
More informationMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov 1,2, Dmitry Khovratovich 2, Léo Perrin 2 1 CSC, University of Luxembourg 2 SnT, University of Luxembourg https://www.cryptolux.org
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationStructural Cryptanalysis of SASAS
J. Cryptol. (2010) 23: 505 518 DOI: 10.1007/s00145-010-9062-1 Structural Cryptanalysis of SASAS Alex Biryukov University of Luxembourg, FSTC, Campus Kirchberg, 6, rue Richard Coudenhove-Kalergi, 1359 Luxembourg-Kirchberg,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationBlock Ciphers and Systems of Quadratic Equations
Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium
More informationSiwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song
Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationNew Combined Attacks on Block Ciphers
New Combined Attacks on Block Ciphers Eli Biham 1, Orr Dunkelman 1,, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2 Einstein Institute
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationA Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms Alex Biryukov, Christophe De Cannière, An Braeken, and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationMATH 509 Differential Cryptanalysis on DES
MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationDifferential Analaysis of Block Ciphers SIMON and SPECK
1 / 36 Differential Analaysis of Block Ciphers SIMON and SPECK Alex Biryukov, Arnab Roy, Vesselin Velichkov 2 / 36 Outline Introduction Light-Weight Block Ciphers: SIMON and SPECK Differential Anlaysis
More informationThe rest of this paper is organized as follows. In x2 we explain how both detectable and undetectable trapdoors can be built into S-boxes. x3 deals wi
A Family of Trapdoor Ciphers Vincent Rijmen? Bart Preneel?? Katholieke Universiteit Leuven, Department Electrical Engineering-ESAT/COSIC K. Mercierlaan 94, B-3001 Heverlee, Belgium fvincent.rijmen,bart.preneelg@kuleuven.ac.be
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationStatistical and Algebraic Properties of DES
Statistical and Algebraic Properties of DES Stian Fauskanger 1 and Igor Semaev 2 1 Norwegian Defence Research Establishment (FFI), PB 25, 2027 Kjeller, Norway 2 Department of Informatics, University of
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationCorrelation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.
Correlation Attack to the Block Cipher RC5 and the Simplied Variants of RC6 Takeshi Shimoyama 3, Kiyofumi Takeuchi y, Juri Hayakawa y 3 Fujitsu Laboratories LTD. 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationAutomatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)
Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version) Shengbao Wu 1,2, Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190,
More informationSTP Models of Optimal Differential and Linear Trail for S-box Based Ciphers
STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers Yu Liu 1,2, Huicong Liang 1, Muzhou Li 1, Luning Huang 1, Kai Hu 1, Chenhe Yang 1, and Meiqin Wang 1,3 1 Key Laboratory of Cryptologic
More informationMultiplicative complexity in block cipher design and analysis
Multiplicative complexity in block cipher design and analysis Pavol Zajac Institute of Computer Science and Mathematics Slovak University of Technology pavol.zajac@stuba.sk Fewer Multiplications in Cryptography
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationVirtual isomorphisms of ciphers: is AES secure against differential / linear attack?
Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures
Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes
More informationImpossible Boomerang Attack for Block Cipher Structures
Impossible Boomerang Attack for Block Cipher Structures Jiali Choy and Huihui Yap DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali, yhuihui@dso.org.sg Abstract. Impossible
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationMixed-integer Programming based Differential and Linear Cryptanalysis
Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance
More informationKFC - The Krazy Feistel Cipher
KFC - The Krazy Feistel Cipher Thomas Baignères and Matthieu Finiasz EPFL CH-1015 Lausanne Switzerland http://lasecwww.epfl.ch Abstract. We introduce KFC, a block cipher based on a three round Feistel
More informationOn Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds
On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationOn Pseudo Randomness from Block Ciphers
SCIS96 The 1996 Symposium on Cryptography and Information Security Komuro, Japan, January 29-31, 1996 The Institute of Electronics, Information and Communication Engineers SCIS96-11C On Pseudo Randomness
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationAn Analytical Approach to S-Box Generation
An Analytical Approach to Generation K. J. Jegadish Kumar 1, K. Hariprakash 2, A.Karunakaran 3 1 (Department of ECE, SSNCE, India) 2 (Department of ECE, SSNCE, India) 3 (Department of ECE, SSNCE, India)
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationSubstitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationImpossible Differential Attacks on 13-Round CLEFIA-128
Mala H, Dakhilalian M, Shakiba M. Impossible differential attacks on 13-round CLEFIA-128. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(4): 744 750 July 2011. DOI 10.1007/s11390-011-1173-0 Impossible Differential
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationChapter 2 - Differential cryptanalysis.
Chapter 2 - Differential cryptanalysis. James McLaughlin 1 Introduction. Differential cryptanalysis, published in 1990 by Biham and Shamir [5, 6], was the first notable cryptanalysis technique to be discovered
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationof the Data Encryption Standard Fauzan Mirza
Linear and S-Box Pairs Cryptanalysis of the Data Encryption Standard Fauzan Mirza Third Year Undergraduate Project October 1996 { April 1997!()+, -./01 23456 Department ofcomputerscience Egham, Surrey
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationWell known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne
Design of SAC/PC(l) of order k Boolean functions and three other cryptographic criteria Kaoru Kurosawa 1 and Takashi Satoh?2 1 Dept. of Comper Science, Graduate School of Information Science and Engineering,
More informationhold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies
Dierential cryptanalysis o eistel ciphers and dierentially uniorm mappings Anne Canteaut INRIA Projet codes Domaine de Voluceau BP 105 78153 Le Chesnay Cedex rance Abstract In this paper we study the round
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationBLOCK ciphers are widely used in the field of information
Construction of High Quality Key-dependent S-boxes Tianyong Ao, Jinli Rao, Kui Dai, and Xuecheng Zou Abstract High quality key-dependent S-boxes can break the preconditions of many cryptanalysis technologies,
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCryptanalysis of the SIMON Family of Block Ciphers
Cryptanalysis of the SIMON Family of Block Ciphers Hoda A. Alkhzaimi and Martin M. Lauridsen DTU Compute Section for Cryptology Department of Applied Mathematics and Computer Science Matematiktorvet, building
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationTechnion - Computer Science Department - Technical Report CS0816.revised
How to Strengthen DES Using Existing Hardware Eli Biham? Alex Biryukov?? Abstract Dierential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationCryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe
Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 9 0 E Minnehaha Parkway 098 VA Amsterdam, Netherlands Minneapolis, MN 559, USA niels@digicash.com schneier@counterpane.com
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version ) Anne Canteaut, Sébastien Duval, and Gaëtan Leurent Inria, project-team SECRET, France {Anne.Canteaut, Sebastien.Duval,
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationMultiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis THEODOSIS MOUROUZIS SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH 25-29 MAY/2015 1 Presentation Overview Linearity
More informationSymmetric key cryptography over non-binary algebraic structures
Symmetric key cryptography over non-binary algebraic structures Kameryn J Williams Boise State University 26 June 2012 AAAS Pacific Conference 24-27 June 2012 Acknowledgments These results are due to collaboration
More informationAlgebraic Immunity of S-boxes and Augmented Functions
Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application
More informationFeistel Schemes and Bi-Linear Cryptanalysis (Long extended version of Crypto 2004 paper) Nicolas T. Courtois
Feistel Schemes and Bi-Linear Cryptanalysis (Long extended version of Crypto 004 paper) Nicolas T. Courtois Axalto Smart Cards Crypto Research, 36-38 rue de la Princesse, BP 45, F-78430 Louveciennes Cedex,
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationA Unified Method for Finding Impossible Differentials of Block Cipher Structures
A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai
More informationHardware Design and Analysis of Block Cipher Components
Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationSmart Hill Climbing Finds Better Boolean Functions
Smart Hill Climbing Finds Better Boolean Functions William Millan, Andrew Clark and Ed Dawson Information Security Research Centre Queensland University of Technology GPO Box 2434, Brisbane, Queensland,
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More information