Low Complexity Differential Cryptanalysis and Fault Analysis of AES
|
|
- Muriel Harrison
- 5 years ago
- Views:
Transcription
1 Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, / 34
2 Introduction We present a survey of low complexity differential cryptanalysis and differential fault analysis of AES. We define low complexity to be: A low number of plaintext-ciphertext pairs. A feasible amount of computing power. Inspired eprint publication Bouillaguet et al. (2010). Michael Tunstall (University of Bristol) May/June, / 34
3 Preliminaries The AES is a 10-round block cipher that transforms a plaintext P = (p 1,p 2,...,p 16 ) (256) to ciphertext C = (c 1,c 2,...,c 16 ) (256) using secret key K = (k 1,k 2,...,k 16 ) (256). Arranged into a 4 4 array of bytes. p 1 p 5 p 9 p 13 p 2 p 6 p 10 p 14 p 3 p 7 p 11 p 15 p 4 p 8 p 12 p 16 c 1 c 5 c 9 c 13 c 2 c 6 c 10 c 14 c 3 c 7 c 11 c 15. c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, / 34
4 Preliminaries Each round ofthe AES consists of: AddRoundkey An XOR with a subkey. SubBytes A bytewise substitution (we will refer to a function S). ShiftRows The bytes in each row are rotated by 0, 1, 2, 3 places respectively. MixColumns A matrix multiplication with using polynomial multiplications over F 2 8 modulo the irreducible polynomial x 8 +x 4 +x 3 +x +1. Where the last round does not include the MixColumns function, but a final XOR with a last subkey. Michael Tunstall (University of Bristol) May/June, / 34
5 Observation 1 If we consider y 1 y 2 = S(x 1 ) S(x 2 ) For given XOR differences x = x 1 x 2 and y = y 1 y 2 the number of possible values for {x 1,x 2,y 1,y 2 } will be: Four with probability Two with probability Zero with probability Michael Tunstall (University of Bristol) May/June, / 34
6 Observation 2 We consider a = MixColumns(b), where a = (a 0,a 1,a 2,a 3 ), b = (b 0,b 1,b 2,b 3 ) Given any four bytes from (a 0,a 1,a 2,a 3,b 0,b 1,b 2,b 3 ) the remaining four can be computed. Trivially, this is also true if we consider the XOR differentials, since, if a = MixColumns(b) and a = MixColumns(b ) then a a = MixColumns(b b ). Michael Tunstall (University of Bristol) May/June, / 34
7 Observation 3 We consider a a = MixColumns(b b ). Given the number of input bytes that are different in b,b, the number of bytes that differ in the output will occur with probabilities: # Bytes Out(0) Out(1) Out(2) Out(3) Out(4) In(0) In(1) In(2) In(3) In(4) Michael Tunstall (University of Bristol) May/June, / 34
8 Models We consider two models. Chosen Plaintext Model Standard model for differential cryptanalysis. An attacker is able to encipher arbitrary plaintexts under a fixed unknown secret key and recover the ciphertext. The practicality of an attack is influenced by the number of chosen plaintexts required to conduct a given attack. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of the algorithm under attack. Michael Tunstall (University of Bristol) May/June, / 34
9 Models Chosen Difference Model Proposed to correspond to differential fault analysis. Able to encipher two related but unknown plaintexts. That is, an attacker is able to encipher two plaintexts with a difference of a chosen size. That is, a difference where the number and position of bytes can be controlled but not the value of the difference. The practicality of the attack is influenced by the number of pairs of ciphertexts required with a difference of a known size. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of a full 10-round AES. We also assume that the attacker has access to an oracle that can be used to test whether a given key hypothesis is correct. Michael Tunstall (University of Bristol) May/June, / 34
10 Attacking a Reduced Round AES We define attacks against reduced round implementations of AES using the aforementioned models. In each case the last round does not include the MixColumns function. Michael Tunstall (University of Bristol) May/June, / 34
11 One-Round AES: Chosen Plaintext Model There is a widely known attack on one-round AES in the chosen plaintext model. For two arbitrary plaintexts P,P producing ciphertexts C,C then we have c i c i = S(p i k i ) S(p i k i ) for i {1,...,16}. From Observation 1 we know each equation will produce approximately two possible values for each k i, leading to 2 16 hypotheses. Bouillaguet et al. (2010) note that two subkeys can be evaluated independently and have an intersection of 2 12 hypotheses. This attack does not work on the chosen difference model as the difference is itself unknown. Michael Tunstall (University of Bristol) May/June, / 34
12 Two-Round AES: Chosen Difference Model The first differential fault analysis of AES was proposed by Piret and Quisquater (2003). If, for example, there is an XOR difference in four bytes it will propagate as follows. θ 1 θ 2 θ 3 θ 4 2α β γ 3δ x 1 x 5 x 9 x α 2β γ δ α 3β 2γ δ x 2 x 6 x 10 x 14 x 3 x 7 x 11 x α β 3γ 2δ x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34
13 Two-Round AES: Chosen Difference Model If the last subkey is K = (k 1,k 2,...,k 16 ) (256) and chiphertexts C = (c 1,c 2,...,c 16 ) (256), C = (c 1,c 2,...,c 16 ) (256). We can construct four sets of equations of the form 2θ = S 1 (c 1 k 1 ) S 1 (c 1 k 1) θ = S 1 (c 8 k 8 ) S 1 (c 8 k 8 ) θ = S 1 (c 11 k 11 ) S 1 (c 11 k 11 ) 3θ = S 1 (c 14 k 14 ) S 1 (c 14 k 14), which will give 2 8 hypotheses for {k 1,k 8,k 11,k 14 }. Leading to 2 32 hypotheses for K. (Time complexity) Michael Tunstall (University of Bristol) May/June, / 34
14 Two-Round AES: Chosen Plaintext Model Bouillaguet et al. (2010) note that if the plaintext if known then there are 127 possible vales for each θ i for i {1,2,3,4} (Observation 1). Then, given 2θ = S 1 (c 1 k 1 ) S 1 (c 1 k 1) θ = S 1 (c 8 k 8 ) S 1 (c 8 k 8 ) θ = S 1 (c 11 k 11 ) S 1 (c 11 k 11 ) 3θ = S 1 (c 14 k 14 ) S 1 (c 14 k 14), will give 2 7 hypotheses for {k 1,k 8,k 11,k 14 }. Leading to 2 28 hypotheses. (Time complexity) Michael Tunstall (University of Bristol) May/June, / 34
15 Three-Round AES: Chosen Difference Model The same attack as previously can be constructed if we consider a difference in one bye. ζ θ θ θ θ α β γ 3δ x 1 x 5 x 9 x 13 3α 2β γ δ α 3β 2γ δ x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 α β 3γ 2δ x 4 x 8 x 12 x 16 Using the same technique as presented previously we can generate 2 32 key hypotheses. One can then generate 2 8 hypotheses with a time complexity of 2 32 / Michael Tunstall (University of Bristol) May/June, / 34
16 Three-Round AES: Chosen Plaintext Model Given Observation 1 we can note that θ will have 2 7 possible values rather than the 2 8 considered in the previous attack. Producing 2 7 hypotheses with a time complexity of 2 32 / Michael Tunstall (University of Bristol) May/June, / 34
17 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Bouillaguet et al. (2010) describe an attack that requires ten plaintext-ciphertext pairs. Where the plaintexts differ in four bytes. Guessing four bytes of the last subkey (K 5 ) and one byte of the penultimate key (K 4 ), we can predict X i for i {1,2,...,10}. X i ShiftRows SubBytes MixColumns 1 (K 4 ) c 1 c 5 c 9 c 13 MixColumns ShiftRows SubBytes K 5 c 2 c 6 c 10 c 14 c 3 c 7 c 11 c 15 c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, / 34
18 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack We can then compute X 1 X 2, X 2 X 3,..., X 9 X 10. This gives us the XOR differences before the XOR with the third subkey K 3. The values X 1 X 2, X 2 X 3,..., X 9 X 10 are then put in a hash table. Time complexity of / Michael Tunstall (University of Bristol) May/June, / 34
19 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Guessing four bytes of the first subkey (K 1 ) and one byte of the second key (K 2 ), we can predict Y i for i {1,2,...,10}. p 1 p 5 p 9 p 13 p 2 p 6 p 10 p 14 p 3 p 7 p 11 p 15 K 0 ShiftRows SubBytes MixColumns p 4 p 8 p 12 p 16 Y i K 1 ShiftRows SubBytes Also has a Time complexity of / Michael Tunstall (University of Bristol) May/June, / 34
20 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Again we can compute Y 1 Y 2, Y 2 Y 3,..., Y 9 Y 10. Given that this gives the difference before, and therefore after, the MixColumns function in the second round. For each i {1,2,...,9} and j = i +1. Y i Y j 2(Y i Y j ) 0 0 MixColumns 3(Y i Y j ) Y i Y j 0 Y i Y j Collisions on all 2(Y i Y j ) and X i X j give 2 8 hypotheses for four bytes of K0 and K 5 and one bytes K 1 and K 4. Michael Tunstall (University of Bristol) May/June, / 34
21 Four-Round AES: Chosen Plaintext/Difference Model Meet-in-the-Middle Attack This process can be repeated four times to produce 2 32 hypotheses for the last subkey. These hypotheses can be tested by exhaustive search, or checking the coherence with hypotheses on other subkeys. However, this attack cannot be used in the chosen difference model since the plaintexts need to be known. Michael Tunstall (University of Bristol) May/June, / 34
22 Four-Round AES: Chosen Difference Model Differential Attack For a difference in four bytes: ζ θ γ 1 γ 2 γ 3 3γ 4 0 ζ ζ 3 0 θ θ γ 1 2γ 2 γ 3 γ 4 γ 1 3γ 2 2γ 3 γ ζ 4 θ γ 1 γ 2 3γ 3 2γ 4 ǫ 1 ǫ 5 ǫ 9 ǫ 13 x 1 x 5 x 9 x 13 ǫ 2 ǫ 6 ǫ 10 ǫ 14 ǫ 3 ǫ 7 ǫ 11 ǫ 15 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 ǫ 4 ǫ 8 ǫ 12 ǫ 16 x 4 x 8 x 12 x 16 There does not appear to be a method of deriving the secret key that would be significantly quicker than an exhaustive key search. Michael Tunstall (University of Bristol) May/June, / 34
23 Four-Round AES: Chosen Difference Model Differential Attack However, if we assume that θ 4 = 0 then: ζ θ γ 1 γ 2 γ ζ ζ 3 0 θ θ γ 1 2γ 2 γ 3 0 γ 1 3γ 2 2γ ζ 4 θ γ 1 γ 2 3γ 3 0 2a 1 3a 2 a 3 2b 1 3b 2 b 3 2c 1 c 2 c 3 3d 1 d 2 d 3 a 1 2a 2 3a 3 b 1 2b 2 b 3 c 1 3c 2 c 3 2d 1 3d 2 d 3 a 1 a 2 2a 3 b 1 b 2 3b 3 c 1 2c 2 3c 3 d 1 2d 2 3d 3 3a 1 a 2 a 3 3b 1 b 2 2b 3 3c 1 c 2 2c 3 d 1 d 2 2d 3 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34
24 Four-Round AES: Chosen Difference Model Differential Attack At the end of the third round there is a difference that is a combination of three unknown bytes. Can reduce the four sets of 2 32 key hypotheses to four sets of 2 24 hypotheses. That is a total reduction from hypotheses. More pairs of ciphertexts can then be used to reduce the number of hypotheses. Four such observations would be expected to reduce hypotheses. Any remaining hypotheses can be checked by verifying the existence of the structure in the round before. Michael Tunstall (University of Bristol) May/June, / 34
25 Four-Round AES: Chosen Difference Model Differential Attack We have know way of knowing of one of θ i for i {1,2,3,4}. However, The probability of one of θ i for i {1,2,3,4} being equal to one is 1/2 6 (Observation 3). We would therefore expect to have 4 such occurrences within 256 observations. One can then search through the 4 4( 256) possible combinations. Evaluating a set of equations is approximately equivalent to 2 9 executions of AES. Overall time complexity Michael Tunstall (University of Bristol) May/June, / 34
26 Four-Round AES: Chosen Plaintext Model Differential Attack As previously, there is more information if we consider a chosen plaintext model. If we have 24 distinct plaintexts there are ( 24 2) = 276 possible ways of comparing two plaintexts. One can then conduct an attack with time complexity Michael Tunstall (University of Bristol) May/June, / 34
27 Four-Round AES: Chosen Plaintext Model Square Attack An attack described in the original specification of AES. If we consider 256 distinct plaintexts that differ in only one byte. The XOR sum of the state matrix after three rounds will sum to zero. This property persists until the SubBytes function in the subsequent round. With 256 chosen plaintexts and a four-round AES one can verify that this property holds, leaving 2 16 key hypotheses. Repeating this will another set of 256 distinct plaintexts will reduce the number of key hypotheses to one. Michael Tunstall (University of Bristol) May/June, / 34
28 Four-Round AES: Chosen Difference Model Square Attack Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. In our chosen difference model we cannot chose the values so one has to collect all 256 possible ciphertexts. An instance of the Coupon Collector s problem as described by Knuth. One would expect to need some for one set of 256 distinct ciphertexts. Requires an exhaustive search of Michael Tunstall (University of Bristol) May/June, / 34
29 Four-Round AES: Chosen Plaintext Model Impossible Differential Attack Biham and Keller (1999). If we have a XOR difference on one byte on entry to the MixColumns function, all four bytes will be different on output (Observation 3). ζ θ γ 1 γ 2 γ 3 3γ θ θ γ 1 2γ 2 γ 3 γ 4 γ 1 3γ 2 2γ 3 γ θ γ 1 γ 2 3γ 3 2γ 4 ǫ 1 ǫ 5 ǫ 9 ǫ 13 x 1 x 5 x 9 x 13 ǫ 2 ǫ 6 ǫ 10 ǫ 14 ǫ 3 ǫ 7 ǫ 11 ǫ 15 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 ǫ 4 ǫ 8 ǫ 12 ǫ 16 x 4 x 8 x 12 x 16 This property persists until the beginning of the MixColumns in the following round. Michael Tunstall (University of Bristol) May/June, / 34
30 Four-Round AES: Chosen Plaintext Model Impossible Differential Attack Hypotheses can be verified in sets of 32 bits by conducting a partial decryption and assuring that the difference before the MixColumns operation in the penultimate round contains no bytes equal to zero. MixColumns 1 (k 9 ) MixColumns ShiftRows x 1 x 5 x 9 x 13 SubBytes k 10 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34
31 Four-Round AES: Chosen Plaintext/Difference Model Impossible Differential Attack Conducting this analysis 2 11 times allows the last subkey to be determined. The time complexity of this attack is 2 32 single round decryptions per ciphertext, i.e. 2 11( 2 32 /4 ) Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. The number of acquisitions remains the same The time complexity of this attack is 2 32 single round decryptions per ciphertext, i.e. 2 11( 2 32 /10 ) Michael Tunstall (University of Bristol) May/June, / 34
32 Five-Round AES: Chosen Plaintext Model Square Attack Again, an attack described in the original specification of AES. SubBytes MixColumns 1 (k 9 ) MixColumns ShiftRows x 1 x 5 x 9 x 13 SubBytes k 10 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 One can make hypotheses on individual byes of MixColumns 1 (k 9 ) by verifying the property that 256 states have an XOR sum of zero. Requires 32-bits of k 10 to be guessed for groups of four bytes. Requires five sets of 256 plaintext-ciphertext pairs, and a time complexity of Michael Tunstall (University of Bristol) May/June, / 34
33 Five-Round AES: Chosen Difference Model Square Attack As with the four round Square attack, one requires 5 sets of 256 ciphertexts. Leading to Time complexity Michael Tunstall (University of Bristol) May/June, / 34
34 Conclusion An survey of low complexity differential cryptanalysis and fault analysis of AES. Some minor improvements are included for 1 3 round AES. A new differential cryptanalysis of four-round AES. Applicable to both the Chosen Plaintext and Chosen Difference Models. Re-evaluate the Square and Impossible Differential attacks in terms of a model corresponding to differential fault analysis. Michael Tunstall (University of Bristol) May/June, / 34
Differential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationDifferential Fault Analysis on A.E.S.
Differential Fault Analysis on A.E.S. P. Dusart, G. Letourneux, O. Vivolo 01/10/2002 Abstract We explain how a differential fault analysis (DFA) works on AES 128, 192 or 256 bits. Contents 1 Introduction
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationAkelarre. Akelarre 1
Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within
More informationCryptography: Key Issues in Security
L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationAlgebraic Side-Channel Collision Attacks on AES
Algebraic Side-Channel Collision Attacks on AES Andrey Bogdanov 1 and Andrey Pyshkin 2 1 Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de 2 Department of Computer
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationA Fault Attack on the LED Block Cipher
A Fault Attack on the LED Block Cipher P. Jovanovic, M. Kreuzer and I. Polian Fakultät für Informatik und Mathematik Universität Passau D-94030 Passau, Germany philipp.jovanovic,martin.kreuzer,ilia.polian@uni-passau.de
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Wednesday, 8 April, 2015 10:38 9. Differential cryptanalysis (v2) 9.1. Differential cryptanalysis In differential analysis we simultaneously consider two encryptions
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationAutomatic Search of Attacks on round-reduced AES and Applications
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque ENS, CNRS, INRIA, 45 rue d Ulm, 75005 Paris, France {charles.bouillaguet,patrick.derbez,pierre-alain.fouque}@ens.fr
More informationRelated-Key Rectangle Attack on Round-reduced Khudra Block Cipher
Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher Xiaoshuang Ma 1,2 Kexin Qiao 1,2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationAutomatic Search of Attacks on Round-Reduced AES and Applications
Automatic Search of Attacks on Round-Reduced AES and Applications Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque ENS, CNRS, INRIA, 45 rue d Ulm, 75005 Paris, France {charles.bouillaguet,patrick.derbez,pierre-alain.fouque}@ens.fr
More informationAn Analytical Approach to S-Box Generation
An Analytical Approach to Generation K. J. Jegadish Kumar 1, K. Hariprakash 2, A.Karunakaran 3 1 (Department of ECE, SSNCE, India) 2 (Department of ECE, SSNCE, India) 3 (Department of ECE, SSNCE, India)
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationAttacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512
Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationRevisiting AES Related-Key Differential Attacks with Constraint Programming
Revisiting AES Related-Key Differential Attacks with Constraint Programming David Gérault, Pascal Lafourcade, Marine Minier, Christine Solnon To cite this version: David Gérault, Pascal Lafourcade, Marine
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3,5,, Virginie Lallemand 4,, Nathan Keller 1,5,, and Boaz Tsaban 1 1 Department of Mathematics,
More informationApplying Grover s algorithm to AES: quantum resource estimates
Applying Grover s algorithm to AES: quantum resource estimates Markus Grassl 1, Brandon Langenberg 2, Martin Roetteler 3 and Rainer Steinwandt 2 1 Universität Erlangen-Nürnberg & Max Planck Institute for
More informationTechnion - Computer Science Department - Ph.D. Thesis PHD Cryptanalysis of Ciphers and Protocols. Elad Pinhas Barkan
Cryptanalysis of Ciphers and Protocols Elad Pinhas Barkan Cryptanalysis of Ciphers and Protocols Research Thesis Submitted in partial fulfillment of the Requirements for the Degree of Doctor of Philosophy
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationIntroduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography
Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret
More informationS-box (Substitution box) is a basic component of symmetric
JOURNAL OF L A TEX CLASS FILES, VOL., NO., AUGUST 1 Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family Wentan Yi and Shaozhen Chen Abstract This paper investigates
More informationMethods and Tools for Analysis of Symmetric Cryptographic Primitives
Methods and Tools for Analysis of Symmetric Cryptographic Primitives Oleksandr Kazymyrov University of Bergen Norway 14th of October, 2014 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationImproved Impossible Differential Attack on Reduced Version of Camellia-192/256
Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai
More informationCHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT
82 CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT 83 5.1 Introduction In a pioneering paper, Hill [5] developed a block cipher by using the modular arithmetic inverse
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationSymmetric Cryptography
Symmetric Cryptography Stanislav Palúch Fakula riadenia a informatiky, Žilinská univerzita 25. októbra 2017 Stanislav Palúch, Fakula riadenia a informatiky, Žilinská univerzita Symmetric Cryptography 1/54
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationAttacking White-Box AES Constructions
Attacking White-Box AES Constructions Brendan McMillion CloudFlare, Inc. brendan@cloudflare.com Nick Sullivan CloudFlare, Inc. nick@cloudflare.com ABSTRACT A white-box implementation of the Advanced Encryption
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationA Multiple Bit Parity Fault Detection Scheme for The Advanced Encryption Standard Galois/ Counter Mode
Western University Scholarship@Western Electronic Thesis and Dissertation Repository October 2014 A Multiple Bit Parity Fault Detection Scheme for The Advanced Encryption Standard Galois/ Counter Mode
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1,2 and Bohuslav Rudolf 2,3 1 Department of Informatics, University of Bergen, N-5020 Bergen, Norway 2 Department of Algebra, Charles University in
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationApplications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012
Finite Fields and Cryptography Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012 A field is a set that 1. is associative, commutative, and distributive for
More informationImproved Algebraic Fault Analysis: A Case Study on Piccolo and with Applications to other Lightweight Block Ciphers
Improved Algebraic Fault Analysis: A Case tudy on Piccolo and with Applications to other Lightweight Block Ciphers Fan ZHANG 1, Xinjie ZHAO 2,3, hize GUO 3, Tao WANG 2, and Zhijie HI 1 1 University of
More informationImproving the Time Complexity of Matsui s Linear Cryptanalysis
Improving the Time Complexity of Matsui s Linear Cryptanalysis B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group, Université Catholique de Louvain Abstract. This paper reports on an improvement
More informationMILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers
MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers Ling Sun 1, Wei Wang 1, Meiqin Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationBlock Ciphers and Feistel cipher
introduction Lecture (07) Block Ciphers and cipher Dr. Ahmed M. ElShafee Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationSecurity of the SMS4 Block Cipher Against Differential Cryptanalysis
Su BZ, Wu WL, Zhang WT. Security of the SMS4 block cipher against differential cryptanalysis. JOURNAL OF COM- PUTER SCIENCE AND TECHNOLOGY 26(1): 130 138 Jan. 2011. DOI 10.1007/s11390-011-1116-9 Security
More information«Differential Behavioral Analysis»
«Differential Behavioral Analysis» Bruno ROBISSON Pascal MANET CEA-LETI SESAM Laboratory (joint R&D team CEA-LETI/EMSE), Centre Microélectronique de Provence Avenue des Anémones, 13541 Gardanne, France
More informationHuman-readable Proof of the Related-Key Security of AES-128
Human-readable Proof of the Related-Key ecurity of AE-128 Khoongming Khoo 1, Eugene Lee 2, Thomas Peyrin 3,4,5 and iang Meng im 3 1 DO National Laboratories, ingapore kkhoongm@dso.org.sg 2 Raffles Institution,
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationPARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM
PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM Nabihah Ahmad Department of Electronic Engineering, Faculty of Electrical and Electronic Engineering, Universiti
More informationImpossible Differential Cryptanalysis of Reduced-Round SKINNY
Impossible Differential Cryptanalysis of Reduced-Round SKINNY Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montréal,
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationAdvanced differential-style cryptanalysis of the NSA's skipjack block cipher
Loughborough University Institutional Repository Advanced differential-style cryptanalysis of the NSA's skipjack block cipher This item was submitted to Loughborough University's Institutional Repository
More informationAffine Masking against Higher-Order Side Channel Analysis
Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationA Stochastic Model for Differential Side Channel Cryptanalysis
A Stochastic Model for Differential Side Channel Cryptanalysis Werner Schindler 1, Kerstin Lemke 2, Christof Paar 2 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) 53175 Bonn, Germany 2 Horst
More informationORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open
ORYX ORYX 1 ORYX ORYX not an acronym, but upper case Designed for use with cell phones o To protect confidentiality of voice/data o For data channel, not control channel o Control channel encrypted with
More informationPart (02) Modem Encryption techniques
Part (02) Modem Encryption techniques Dr. Ahmed M. ElShafee 1 Block Ciphers and Feistel cipher Dr. Ahmed M. ElShafee 2 introduction Modern block ciphers are widely used to provide encryption of quantities
More information