Differential Fault Analysis on DES Middle Rounds
Matthieu Rivain, Oberthur Technologies
Speaker: Christophe Giraud, Oberthur Technologies
Outline
1. Introduction: the Data Encryption Standard; DFA on DES last and middle rounds
2. Our attack: principle, fault models, attack simulations
3. Conclusion
Data Encryption Standard (DES)
64-bit block cipher using a 56-bit key K.
Iterative structure: 16 times the same round transformation, surrounded by the bit-permutations IP and FP.
A ciphertext C is computed from a plaintext P as
$$C = \mathrm{FP} \circ \Big(\bigcirc_{r=1}^{16} F_{k_r}\Big) \circ \mathrm{IP}\,(P),$$
where $F_{k_r}$ is the round transformation under the 48-bit round key $k_r$ derived from K.
The round transformation follows a Feistel scheme. With $(L_{r-1}, R_{r-1})$ the two 32-bit halves entering round $r$:
$$L_r = R_{r-1}, \qquad R_r = L_{r-1} \oplus f(R_{r-1}, k_r).$$
Function $f$:
$$f(R_{r-1}, k_r) = P\big(S(E(R_{r-1}) \oplus k_r)\big),$$
where $E$ expands 32 bits to 48, $S = (S_1, \dots, S_8)$ applies eight 6-to-4-bit S-boxes and $P$ is a 32-bit permutation.
$f$ can be decomposed S-box per S-box: writing $E_i$ for the 6 bits of $E(R_{r-1})$ entering $S_i$, $k_{r,i}$ for the corresponding 6 bits of $k_r$ and $P_i$ for the placement by $P$ of the 4 output bits of $S_i$,
$$f_i(R_{r-1}, k_{r,i}) = P_i\big(S_i(E_i(R_{r-1}) \oplus k_{r,i})\big), \qquad f = \bigoplus_{i=1}^{8} f_i.$$
Introduction to Fault Analysis
Fault attacks were introduced in 1996 [BonehDeMilloLipton96] and applied to asymmetric cryptosystems: RSA, Rabin, Fiat-Shamir and Schnorr.
They were followed by a dozen notes on the subject over the next few weeks:
- an improved attack on CRT-RSA [Lenstra96];
- attacks on several signature schemes (ElGamal, DSA) [BaoDengHanJengNarasimhaluNgair96];
- "A New Cryptanalytic Attack on DES" [BihamShamir96], which introduced Differential Fault Analysis (DFA).
DFA on DES Last Round
The last round: $L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, k_{16})$. In what follows, primed values are the faulty ones.
If a fault is induced on $R_{15}$ (giving $R'_{15}$, with $L_{15}$ unchanged), the corresponding differential is
$$L_{16} \oplus L'_{16} = R_{15} \oplus R'_{15}, \qquad R_{16} \oplus R'_{16} = f(R_{15}, k_{16}) \oplus f(R'_{15}, k_{16}),$$
since $L_{15} \oplus L'_{15} = 0$. We thus have
$$f(R_{15}, k_{16}) \oplus f(R'_{15}, k_{16}) = R_{16} \oplus R'_{16},$$
where $R_{15} = L_{16}$ and $R'_{15} = L'_{16}$ are read directly from the correct and faulty ciphertexts.
This relation holds for each S-box independently:
$$f_i(R_{15}, k_{16,i}) \oplus f_i(R'_{15}, k_{16,i}) = (R_{16} \oplus R'_{16})_i,$$
where $(\cdot)_i$ denotes the 4 bits located at the output positions of $S_i$.
The attack: for each $i \in \{1, \dots, 8\}$, guess $k_{16,i} \in \{0,1\}^6$ and test whether
$$f_i(R_{15}, k_{16,i}) \oplus f_i(R'_{15}, k_{16,i}) = (R_{16} \oplus R'_{16})_i.$$
If not, discard the candidate $k_{16,i}$. By using several faulty ciphertexts, only one candidate remains per S-box, which yields the 48-bit round key $k_{16}$.
DFA on DES Last Rounds
Fault before round 16: both halves entering the last round may now differ, $L_{15} \oplus L'_{15} \neq 0$ and $R_{15} \oplus R'_{15} \neq 0$, and the differential becomes
$$L_{16} \oplus L'_{16} = R_{15} \oplus R'_{15}, \qquad R_{16} \oplus R'_{16} = (L_{15} \oplus L'_{15}) \oplus f(R_{15}, k_{16}) \oplus f(R'_{15}, k_{16}).$$
We thus have, S-box per S-box,
$$f_i(R_{15}, k_{16,i}) \oplus f_i(R'_{15}, k_{16,i}) = (R_{16} \oplus R'_{16})_i \oplus (L_{15} \oplus L'_{15})_i.$$
Problem: $L_{15} \oplus L'_{15}$ is unknown.
Solutions:
- Bit fault attack on rounds 14 and 15 [BihamShamir96]: from $C \oplus C'$ they obtain information on $(L_{15} \oplus L'_{15})_i$.
- Known value fault attack on round 13 [Akkar04]: corrupting $L_{13}$ only, the fault is copied unchanged into $R_{14}$ and then into $L_{15}$, so that $L_{15} \oplus L'_{15} = L_{13} \oplus L'_{13}$.
DFA on DES Middle Rounds
Motivation: DFA usually targets the few last rounds of DES, and the usual countermeasure is to double the few last rounds (compute them twice and compare). Question: can we mount an effective DFA by disturbing rounds 12, 11, 10, ...?
Previous work [Akkar04]:
- strong adversary model: the attacker can choose the differential $(L_r, R_r) \oplus (L'_r, R'_r)$; the hypothesis is relaxed afterwards, but the most usual fault models are not considered;
- suboptimal distinguisher: based on a counting strategy, it does not exploit the whole available information.
Our work: a generalisation and improvement of [Akkar04], studied under various realistic fault models.
Principle
The guess function, for S-box $i$ and a 6-bit candidate $k$:
$$g_i(k) = f_i(R_{15}, k) \oplus f_i(R'_{15}, k) \oplus (R_{16} \oplus R'_{16})_i.$$
For $k = k_{16,i}$: $g_i(k) = (L_{15} \oplus L'_{15})_i$.
For $k \neq k_{16,i}$: $g_i(k) \sim \mathcal{U}(\{0,1\}^4)$, i.e. approximately uniform.
If the distribution of $(L_{15} \oplus L'_{15})_i$ is biased, then we have a wrong-key distinguisher.
Description: collect $N$ pairs of correct and faulty ciphertexts $(C_j, C'_j)$ and, for each pair, compute $g_i^{(j)}(k)$. By assumption the sample $\langle g_i^{(j)}(k) \rangle_j$ is biased if $k = k_{16,i}$ and close to uniform if $k \neq k_{16,i}$.
Two Wrong-Key Distinguishers
If the fault model is known, the distribution of $(L_{15} \oplus L'_{15})_i$ can be estimated before the attack:
$$\forall \delta \in \{0,1\}^4, \qquad p_i(\delta) = \Pr\big[(L_{15} \oplus L'_{15})_i = \delta\big].$$
A maximum likelihood approach can then be used:
$$d(k) = \sum_{j=1}^{N} \log p_i\big(g_i^{(j)}(k)\big).$$
Otherwise, look for the strongest bias by using the squared Euclidean imbalance (SEI, the squared Euclidean distance to the uniform distribution):
$$d(k) = \sum_{\delta=0}^{15} \Big(\frac{\#\{j : g_i^{(j)}(k) = \delta\}}{N} - \frac{1}{16}\Big)^2.$$
In both cases the candidate $k$ maximising $d(k)$ is kept.
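The following simulation is an example added here, not code from the talk. It implements the attack of the last slides in Python and also covers the last-round DFA seen earlier as the degenerate case where $L_{15} \oplus L'_{15} = 0$, so that the likelihood score simply counts the pairs on which $g_i(k) = 0$. It uses the DES S-boxes, E and P of FIPS 46-3 but none of the rest of the cipher: IP and FP are public bit permutations the attacker undoes, so the code works directly on the $(L, R)$ halves, and the key schedule is replaced by independent random 48-bit round keys (the attack recovers $k_{16}$ as a 48-bit value either way). The guess function is evaluated before the permutation P, i.e. as $S_i(E_i(R_{15}) \oplus k) \oplus S_i(E_i(R'_{15}) \oplus k) \oplus [P^{-1}(R_{16} \oplus R'_{16})]_i$, which is the same quantity since P is linear. The state at the end of the faulted round is sampled uniformly, and in the byte model a zero byte is excluded since it would be no fault. All of these, as well as the fault counts used in `demo`, are assumptions of the example.

```python
import math
import random

# DES S-boxes S1..S8 (FIPS 46-3), rows 0..3 of 16 entries each, written as hex nibbles.
SBOX = [[int(c, 16) for c in s] for s in (
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b")]
# Expansion E (32 -> 48 bits), permutation P and its inverse, 1-indexed with bit 1 the MSB.
E = [(4 * i + j - 1) % 32 + 1 for i in range(8) for j in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PINV = [P.index(m) + 1 for m in range(1, 33)]


def permute(x, table, in_bits):
    """Apply a DES bit-selection table to an in_bits-wide word."""
    out = 0
    for pos in table:
        out = (out << 1) | ((x >> (in_bits - pos)) & 1)
    return out


def sbox(i, six):
    """S_i on 6 bits: the outer two bits select the row, the inner four the column."""
    return SBOX[i][16 * (((six >> 5) << 1) | (six & 1)) + ((six >> 1) & 0xF)]


def f(r, k):
    """Round function f(R, k) = P(S(E(R) xor k)) for a 32-bit R and a 48-bit k."""
    x = permute(r, E, 32) ^ k
    s = sum(sbox(i, (x >> (42 - 6 * i)) & 0x3F) << (28 - 4 * i) for i in range(8))
    return permute(s, P, 32)


def rounds(l, r, keys):
    """Feistel rounds L_r = R_{r-1}, R_r = L_{r-1} xor f(R_{r-1}, k_r), one per key."""
    for k in keys:
        l, r = r, l ^ f(r, k)
    return l, r


def prepare(pair):
    """Per pair of (L16, R16) halves: E(R15) and E(R15') with R15 = L16, plus P^-1(R16 xor R16')."""
    (l16, r16), (l16f, r16f) = pair
    return permute(l16, E, 32), permute(l16f, E, 32), permute(r16 ^ r16f, PINV, 32)


def guess(i, prep, k6):
    """The slides' g_i(k), taken before P: S_i(E_i(R15)^k) ^ S_i(E_i(R15')^k) ^ [P^-1(R16^R16')]_i."""
    e, ef, delta = prep
    sh = 42 - 6 * i
    return (sbox(i, ((e >> sh) & 0x3F) ^ k6) ^ sbox(i, ((ef >> sh) & 0x3F) ^ k6)
            ^ ((delta >> (28 - 4 * i)) & 0xF))


def sei(sample):
    """Squared Euclidean imbalance of a sample of 4-bit values w.r.t. the uniform distribution."""
    return sum((sample.count(v) / len(sample) - 1 / 16) ** 2 for v in range(16))


def random_fault(rng, byte_error):
    """Random-position fault: one of the 32 bits, or one of the 4 bytes set to a non-zero value."""
    return (rng.randrange(1, 256) << 8 * rng.randrange(4)) if byte_error else 1 << rng.randrange(32)


def make_pairs(rng, n, byte_error, keys):
    """Constructed sample: random (L_r, R_r) at the end of round r, then rounds r+1..16 under
    keys = [k_{r+1}, ..., k_16], once correct and once with the fault on L_r."""
    states = [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(n)]
    return [(rounds(l, r, keys), rounds(l ^ random_fault(rng, byte_error), r, keys)) for l, r in states]


def estimate_delta_dist(rng, fault_round, byte_error, trials=2000):
    """p_i(delta) = Pr[(L15 xor L15')_i = delta] estimated by simulation on random states under
    random keys k_{r+1}..k_15 (the distribution does not depend on them); Laplace-smoothed."""
    keys = [rng.getrandbits(48) for _ in range(15 - fault_round)]
    counts = [[1] * 16 for _ in range(8)]
    for (l15, _), (l15f, _) in make_pairs(rng, trials, byte_error, keys):
        delta = permute(l15 ^ l15f, PINV, 32)
        for i in range(8):
            counts[i][(delta >> (28 - 4 * i)) & 0xF] += 1
    return [[c / sum(row) for c in row] for row in counts]


def recover_k16(pairs, dist=None):
    """Recover k_16 S-box by S-box, keeping the candidate that maximises the log-likelihood
    sum_j log p_i(g_i^(j)(k)) when dist is given, or the SEI of the sample otherwise."""
    preps = [prepare(p) for p in pairs]
    key = 0
    for i in range(8):
        def score(k6):
            sample = [guess(i, pr, k6) for pr in preps]
            return sum(math.log(dist[i][v]) for v in sample) if dist else sei(sample)
        key = (key << 6) | max(range(64), key=score)
    return key


def demo(seed=1):
    """Is k_16 found by: the last-round attack (200 bit faults on R15); ML and SEI (100 byte faults on L12)?"""
    rng = random.Random(seed)
    k16 = rng.getrandbits(48)
    states = [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(200)]
    pairs = [(rounds(l, r, [k16]), rounds(l, r ^ random_fault(rng, False), [k16])) for l, r in states]
    point = [[0.85] + [0.01] * 15] * 8   # L15 xor L15' = 0: the likelihood just counts g_i(k) = 0
    last_ok = recover_k16(pairs, point) == k16
    keys = [rng.getrandbits(48) for _ in range(4)]        # k_13 .. k_16, fault on L_12
    pairs = make_pairs(rng, 100, True, keys)
    dist = estimate_delta_dist(rng, 12, True)
    return last_ok, recover_k16(pairs, dist) == keys[-1], recover_k16(pairs) == keys[-1]
```

`demo()` returns `(True, True, True)`: the last-round attack, the likelihood distinguisher and the SEI distinguisher each recover $k_{16}$. The likelihood distribution $p_i$ is produced by `estimate_delta_dist` with the same simulator, which is what "the fault model is known" amounts to in practice; the SEI needs no such model and, with 100 byte faults on round 12, still separates the right key clearly, because a byte fault on $L_{12}$ activates only three S-boxes in round 14 and so leaves $(L_{15} \oplus L'_{15})_i$ equal to zero for most $i$ on most pairs.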
Fault Models: A First Remark
Where should a fault be induced within a round so that it has the smallest impact on $L_{15} \oplus L'_{15}$? The attacker must inject the fault into the left part of the DES internal state at the end of round $r$: $L'_r = L_r \oplus \varepsilon$. A fault on $L_r$ is copied unchanged into $R_{r+1}$ and only enters the round function one round later than a fault on $R_r$ would, so it diffuses less before reaching round 15.
Fault Models
Kind of fault:
- bit error: $\varepsilon \in \{(1, 0, 0, \dots, 0),\ (0, 1, 0, \dots, 0),\ \dots\}$;
- byte error: $\varepsilon \in \{(\mathtt{0xXX}, \mathtt{0x00}, \mathtt{0x00}, \mathtt{0x00}),\ (\mathtt{0x00}, \mathtt{0xXX}, \mathtt{0x00}, \mathtt{0x00}),\ \dots\}$, where $\mathtt{0xXX} \sim \mathcal{U}(\{0,1\}^8)$.
Fault position: chosen or random among the 32 bit-positions or the 4 byte-positions.
We thus have 4 models: {chosen, random} position x {bit, byte} error.
Attack Simulations
Table: number of faults needed to recover the 16th round key with a 99% success rate, for a fault on round 12, 11, 10 or 9, with the Likelihood and SEI distinguishers, under a bit or byte error at a chosen or random position. The numerical entries of the table did not survive the transcription; the only legible cells are in the round 9 row, where several entries read "> 10^8".
Conclusion
Extension of DFA on DES to rounds 12, 11, 10 and 9. Very efficient even in the byte fault model: 20 faults on the 12th round, 800 faults on the 11th round. Depending on the adversary, the last 7 or 8 rounds must now be protected against fault attacks.
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationLinear Cryptanalysis of DES with Asymmetries
Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationand Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27
Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationData and information security: 2. Classical cryptography
ICS 423: s Data and information security: 2. Classical cryptography UHM ICS 423 Fall 2014 Outline ICS 423: s s and crypto systems ciphers ciphers Breaking ciphers What did we learn? Outline ICS 423: s
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More information