Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers
|
|
- Horace Arnold
- 6 years ago
- Views:
Transcription
1 Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers Kaisa Nyberg Aalto University School of Science Luxemburg January 2017
2 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 2/37
3 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 3/37
4 Introduction Linear cryptanalysis on block ciphers based on iterated structures Theory for long-key block ciphers well developed [Nyberg 1994, Daemen 1994, Daemen-Rijmen 2006, Blondeau-Nyberg 2015] Statistics estimates based on signal-noise model [Bogdanov-Tischhauser 2013] Key-schedulings that imitate long-key properties [Leander 2016, Blondeau-Nyberg 2015] Focus of this presentation: extreme key-schedulings such as known-key ciphers We discuss how to apply known properties of long-key ciphers to permutation based ciphers such as EM ciphers 4/37
5 Permutation-Based Cipher K 1 P K 2 Figure : 1-EM cipher with permutation P and encryption key (K 1, K 2 ) Key-recovery attacks use some property over P. Problem. How to determine and evaluate a property over P? We present an approach to answer this problem for linear cryptanalysis and a permutation based on an iterated permutation. We make use of the noise-based statistical model of correlation. 5/37
6 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 6/37
7 Iterated Long-Key Cipher E (x; k 0, k 2... k r ) = g r ( (g 2 (g 1 (x + k 0 ) + k 1 ) + k 2 ) ) + k r where x, k 0, k 1,..., k r F n 2 and g i : F n 2 Fn 2 Iteration over r rounds 7/37
8 Key Scheduling Any r -round key-alternating cipher in F n 2 can be seen as an application of such E using key-scheduling KS : F L 2 F(r +1)n 2 which is an injective function that maps the initial key K F L 2 to (k 0, k 1,..., k r ). Then the cipher BC can be presented as where X is the plaintext. BC (X, K ) E (x; KS (K )) 8/37
9 Permutation by Iteration Any r -round permutation in F n 2 P(x) = g r ( (g 2 (g 1 (x))) ) can also been seen as an application of a long-key cipher E (X; k 0, k 2,..., k r ) = g r ( (g 2 (g 1 (X + k 0 ) + k 1 )+k 2 ) )+k r by setting k 0 = k 1 =... = k r = 0 9/37
10 Examples Typical key-alternating ciphers: (DES), AES, PRESENT, Simon,... Permutation-based ciphers: EM constructions, in practice, based on dedicated large permutations, or cipher with known fixed key. Example. Key-schedule of single-key 1-EM where permutation based on iterated long-key cipher KS (K ) = (K 1, 0, 0,..., 0, K 2 ) 10/37
11 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 11/37
12 Key-Recovery Setting k 0 k 1 k 2 k r 1 g 1 g 2 g r 1 g r k r Figure : Key-alternating block cipher of r rounds with round functions g i and expanded encryption key (k 0, k 1,..., k r ) Key guesses over some first and last rounds. Then the long-key cipher E is reduced to r rounds; denote it by E. x k i0 k i0 +1 k i0 +2 k i0 +r 1 g i0 +1 g i0 +2 g i0 +r 1 g i0 +r k i 0 +r y Figure : Property of key-alternating block cipher over r rounds with round functions g i and expanded encryption key (k i0, k i0 +1,..., k i0 +r ) 12/37
13 Linear Property u v n-bit mask on x n-bit mask on y BC r rounds of BC KS r rounds of KS Known linear property u x + v y with correlation c BC (K ) where c BC (K ) = #{ x u x + v BC(x, K ) = 0 } 13/37
14 Observed Correlation Given D, a data sample of size N of pairs (x, y), we call ĉ(d, K ) = 2 N #{(x, y)) D u x + v y = 0} 1 = 2 N Z (D, K ) 1 the observed correlation where we denoted For any fixed key K, Z (D, K ) = #{(x, y)) D u x + v y = 0} Z (D, K ) B(N, p(k )), where p(k ) is some apriori probability. By the normal approximation of the binomial distribution, we obtain that for any fixed K ĉ(d, K ) N (c(k ), 1 N (1 c(k )2 )) N (c(k ), 1 N ) where c(k ) = 2p(K ) 1. 14/37
15 Cipher and Random 1. y = BC(x, K ) = E(x; KS(K )) (cipher): Then c(k ) = c BC (K ) The parameters Exp K c BC (K ) and Var K c BC (K ) must be determined from the cipher in offline analysis. 2. y E(x; KS(K )) (random): Wrong-key randomization hypothesis: for each K, the bits u x + v y are computed from a random linear approximation, that is, see [Daemen-Rijmen 2006], Exp K c(k ) = 0 Var K c(k ) = 2 n. 15/37
16 Statistics of Observed Correlation ĉ(d, K ) c(k ) N ( 0, 1 ), for any fixed K. N In the right key (cipher) case, the distribution of the observed correlation has parameters Exp D,K ĉ(d, K ) = Exp K c BC (K ) Var D,K ĉ(d, K ) = 1 N + Var K c BC (K ) For random ĉ(d, K ) N (0, 1N ) + 2 n 16/37
17 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 17/37
18 Linear Approximations and Correlations u v τ n-bit mask on x n-bit mask on y L-bit mask on the key K Given r rounds of a cipher (x, K ) E(x; KS(K )) we define c(u, τ, v) = cor x,k (u x + v E(x; KS(K )) + τ K ). This is the trail correlation for trail τ. Then c(u, τ, v) = 2 L ( 1) τ K cor x (u x + v E(x; KS(K )). K 18/37
19 Correlation via Trail Correlations We have c BC (K ) = cor x (u x + v E(x; KS(K )) Taking the inverse Fourier transform we get c BC (K ) = τ ( 1) τ K c(u, τ, v) where the trail correlations c(u, τ, v) are independent of K, but hard to evaluate for a general iterated block cipher. But trail correlations can be evaluated for the corresponding long-key cipher. 19/37
20 Trail Correlations from Long-Key Cipher c(u, τ, v) = cor x,k (u x + v E(x; KS(K )) + τ K ) = cor K (τ K + W KS(K ))cor x,ki0...k (u x + v E(x; k i0 +r i 0... k i0 +r ) + W (k i0... k i0 +r W = cor K (τ K + W KS(K ))c E (u, W, v), W where c E (u, W, v) = cor x,ki0...k i0 +r (u x + v E(x; k i 0... k i0 +r ) + W (k i0... k i0 +r )) are the trail correlations of the iterated long-key cipher E over r rounds with (r + 1)n-bit masks W. 20/37
21 Correlation for Cipher BC This gives c BC (K ) = τ ( 1) τ K c(u, τ, v) = τ,w( 1) τ K cor Z (τ Z + W KS(Z ))c E (u, W, v) = W ( 1) W KS(K ) c E (u, W, v) 21/37
22 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 22/37
23 Trails over Long-Key Cipher E c BC (K ) = W ( 1) W KS(K ) c E (u, W, v) where c E (u, W, v) = r ( cor z wi0 +j 1 z + w i0 +j g i0 +j(z) ) j=1 W = (w i0, w i0 +1,..., w i0 +r ), and and u = w i0 and v = w i0 +r Use Matsui s algorithm to search for such trails over E that have correlation c E (u, W, v) of high absolute value. 23/37
24 Modelling the Correlation Noise-based approach [Bogdanov-Tischhauser 2013, Vejre et al. 2016] for long-key cipher E: There is a set S of identified (dominant) trails c E (k i0, k i k i0 +r ) = cor(u x + v E(x; k i0, k i k i0 +r ) = w S( 1) w (k i 0,k i k i0 +r ) c E (u, w, v) + R E (k i0, k i k i0 +r ) where R E (k i0, k i k i0 +r ) is normally distributed with mean zero. This approach has been tested in experiments for scaled PRESENT variants, and it seems to work. That is, cryptanalyst can collect many trails such that the remainder R E (k i0, k i0 +1,..., k i0 +r ) behaves like random and has variance 2 n. 24/37
25 Dominant Trails Over Cipher Our approach: Use the same set S also for the cipher BC with key-scheduling KS to estimate c BC (K ) = W ( 1) W KS(K ) c E (u, W, v) = W S( 1) W KS(K ) c E (u, W, v) + R BC (K ) What can we assume about the behaviour of R BC (K )? 25/37
26 Typical Key-Alternating Cipher... has a strong key-scheduling. Note. Here strong means something which behaves like the long-key cipher. Then one can use the estimated variance of to estimate the variance of c BC (K ) c E (k i0, k i k i0 +r ) Var K c BC (K ) w S c E (u, w, v) n This approach has been tested with scaled versions of SMALLPRESENT, see [Vejre et al 2016] and (with different key schedules) [Blondeau-Nyberg 2017] 26/37
27 Outline Introduction Iterated Permutation Linear Attack Estimating Statistics of Cipher Correlation Examining Trail Correlations Applications to EM Ciphers 27/37
28 Permutation-Based 1-EM Cipher Assume the permutation is based on an iterated structure E. Then the cipher has an can be represented like BC (x, K ) = E (x; K 1, k 1... k r 1, K 2 ) where K is the secret key and k 1... k r 1 are known constants (e.g. zero). Again we use the properties of E to examine the correlations of linear approximations of the cipher c BC (K ) = W ( 1) W (k i 0...k i0 +r ) c E (u, W, v) = W S( 1) W (k i 0...k i0 +r ) c E (u, W, v) + R BC (k i0... k i0 +r ), Given c E (u, W, v), W S, the sum over S has a fixed value, say c, which can be computed. The remainder R BC (k i0... k i0 +r ) also has a fixed value, but cannot be computed. 28/37
29 Modelling the Uncomputable Remainder We model the uncomputable remainder R BC (k i0... k i0 +r ) according to R E (k i0... k i0 +r ) Then we get Exp K c BC (K ) = c Var K c BC (K ) = 2 n This model should work when the permutation is based on a known-key PRESENT. Linear key-recovery attack with success probability > 1/2 and advantage > 1 possible if c 0. 29/37
30 Permutation-Based 2-EM Cipher K 1 P K P K 2 Figure : 2-EM block cipher with permutation P Assume the two instances of permutation P are based on an iterated structure with long keys, as before. After peeling off some first and last rounds, we consider linear properties over the following cipher BC(x, K ) = P 2 (P 1 (x; RK 1 ) K ; RK 2 ) where RK 1 and RK 2 are known constants. Now the underlying long-key cipher E is E(x; RK 1, K, RK 2 ) = P 2 (P 1 (x; RK 1 ) K ; RK 2 ) 30/37
31 Correlations over 2-EM Cipher Again we use the properties of E to examine the correlations of linear approximations of the cipher c BC (K ) = ( 1) W1 RK1+w K +W2 RK2 c E (u; W 1, w, W 2 ; v), W 1,w,W 2 where c E (u; W 1, w, W 2 ; v) = c P1 (u; W 1 ; w)c P2 (w; W 2 ; v). is independent of K. Hence Exp K c BC (K ) = 0 and Var K c BC (K ) = Exp K (c BC (K ) 2 ) 31/37
32 Variance Estimation Taking the noise-based approach, assume there exist sets S, S 1 S 2 and a random and independent remainder R such that c(rk 1, K, RK 2 ) = ( 1) W1 RK1+w K +W2 RK2 c P1 (u; W 1 ; w)c P2 (w; W 2 ; v) + R W 1 S 1,w S,W 2 S 2 = ( 1) w K ( 1) W1 RK1 c P1 (u; W 1 ; w) ( 1) W2 RK2 c P2 (w; W 2 ; v) w S W 1 S 1 W 2 S 2 +R... to obtain Var K c BC (K ) = 2 ( 1) W 1 RK 1 c P1 (u; W 1 ; w) 2 ( 1) W 2 RK 2 c P2 (w; W 2 ; v) + 2 n w S W 1 S 1 W 2 S 2 = c 1 (w) 2 c 2 (w) n w S 32/37
33 Attack Based on Variance Var K c BC (K ) = c 1 (w) 2 c 2 (w) n w S where c 1 (w) and c 1 (w) are the evaluated parts of the linear hull. This gives Exp D,K ĉ(d, K ) = 0 Var D,K ĉ(d, K ) = 1 N + c 1 (w) 2 c 2 (w) n w S N (0, σ 2 W ) 1.2 N (0, σ 2 R ) Example distribution of ĉ(d, K ) 1.4 Θ Θ Acceptance region Acceptance region for random (red solid line) and right key (blue dotted line) /37
34 On the Choice of Trails Question: When is S (or S S 1 S 2 ) sufficiently large? Possible answers: When Var ki0...k i0 +r (R E(k i0,..., k i0 +r )) = 2 n. How do we know if this has been reached? For permutation-based ciphers, when the value c is stable, that is, adding trails to S does not (essentially) change the value ( 1) w (k i 0...k i0 +r ) c E (u, w, v) w S 34/37
35 Security of 1-EM vs. 2-EM Assume 1-EM vs. 2-EM have the same total number r of rounds 2-EM has a secret key K after round r /2 while in 1-EM it is fixed to a known k r /2 Assume the same identified set S 1 S S 2 of trails over r rounds is used for both 2-EM q 2 EM (K ) = w S( 1) w K c 1 (w)c 2 (w) 1-EM q 1 EM = w S( 1) w k r /2 c1 (w)c 2 (w) = q 2 EM (k r /2) 35/37
36 Security of 1-EM vs. 2-EM It may be possible (?) to select k r /2 such that q 1 EM = 0 for all strong linear approximations (u, v). If this cannot be done, it may happen that the attacker finds a (u, v) such that q 1 EM = q 2 EM (k r /2) 0 or even more, For the c defined earlier, it holds Exp K (q 2 EM (K ) 2 ) < q 2 EM (k r /2) 2 c = q 1 EM Further denote σ = Exp K (q 2 EM (K ) 2 ) 36/37
37 Linear Attack on 1-EM vs. 2-EM a advantage N number of known plaintext-ciphertext pairs Φ standard normal Success probabilities: 1-EM P S = Φ ( c N Φ 1 (1 2 a ) ) 1 + N2 n 2-EM ( ) 1 + N2 P S = 2Φ Φ 1 (1 2 a 1 n ) 1 + N2 n + Nσ 2 For c = σ the attack on 1-EM is much stronger. 37/37
Wieringa, Celine; Nyberg, Kaisa Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Wieringa, Celine; Nyberg, Kaisa Improved
More informationOn Distinct Known Plaintext Attacks
Céline Blondeau and Kaisa Nyberg Aalto University Wednesday 15th of April WCC 2015, Paris Outline Linear Attacks Data Complexity of Zero-Correlation Attacks Theory Experiments Improvement of Attacks Multidimensional
More informationLinks Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France TOOLS for Cryptanalysis - 23th June 2010 C.Blondeau
More informationLinear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015
Kaisa Nyberg Department of Computer Science Aalto University School of Science s 2 r t S3, Sackville, August 11, 2015 Outline Linear characteristics and correlations Matsui s algorithms Traditional statistical
More informationMultivariate Linear Cryptanalysis: The Past and Future of PRESENT
Multivariate Linear Cryptanalysis: The Past and Future of PRESENT Andrey Bogdanov, Elmar Tischhauser, and Philip S. Vejre Technical University of Denmark, Denmark {anbog,ewti,psve}@dtu.dk June 29, 2016
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationStatistical and Linear Independence of Binary Random Variables
Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.
More informationLinear Cryptanalysis of DES with Asymmetries
Linear Cryptanalysis of DES with Asymmetries Andrey Bogdanov and Philip S. Vejre Technical University of Denmark {anbog,psve}@dtu.dk Abstract. Linear cryptanalysis of DES, proposed by Matsui in 1993, has
More informationLinear Cryptanalysis: Key Schedules and Tweakable Block Ciphers
Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers Thorsten Kranz, Gregor Leander, Friedrich Wiemer Horst Görtz Institute for IT Security, Ruhr University Bochum Block Cipher Design k KS m
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationZero-Correlation Linear Cryptanalysis of Reduced-Round LBlock
Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationData complexity and success probability of statisticals cryptanalysis
Data complexity and success probability of statisticals cryptanalysis Céline Blondeau SECRET-Project-Team, INRIA, France Joint work with Benoît Gérard and Jean-Pierre Tillich aaa C.Blondeau Data complexity
More informationand Céline Blondeau October 8, 2012 joint work with Benoît Gérard and Kaisa Nyberg Multiple differential cryptanalysis using LLR and October, 8 1/27
Multiple differential cryptanalysis using LLR and Céline Blondeau joint work with Benoît Gérard and Kaisa Nyberg October 8, 2012 1/27 Outline Introduction Block Ciphers Differential Cryptanalysis Last
More informationSymmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway
Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationLinear Cryptanalysis Using Multiple Linear Approximations
Linear Cryptanalysis Using Multiple Linear Approximations Miia HERMELIN a, Kaisa NYBERG b a Finnish Defence Forces b Aalto University School of Science and Nokia Abstract. In this article, the theory of
More informationMultiple Differential Cryptanalysis: Theory and Practice
Multiple Differential Cryptanalysis: Theory and Practice Céline Blondeau, Benoît Gérard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.Gérard. Multiple differential cryptanalysis
More informationImprobable Differential Cryptanalysis and Undisturbed Bits
Improbable Differential Cryptanalysis and Undisturbed Bits Institute of Applied Mathematics Department of Cryptography Middle East Technical University September 5, 2013 Leuven, Belgium A (Very) Short
More informationZero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA
Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA Andrey Bogdanov, Meiqin Wang Technical University of Denmark, Shandong University, China ESC 2013,
More informationLinks Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities
Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities Céline Blondeau and Kaisa Nyberg Department of Information and Computer Science,
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationOn the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2
On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2 Andrey Bogdanov 1 and Elmar Tischhauser 2 1 Technical University of Denmark anbog@dtu.dk 2 KU Leuven and iminds, Belgium
More informationCryptanalysis of the Full DES and the Full 3DES Using a New Linear Property
Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationThe Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA
: Cryptanalysis of Reduced Round CLEFIA École Polytechnique Fédérale de Lausanne, Switzerland (This work was done at) Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey INDOCRYPT
More informationRevisiting the Wrong-Key-Randomization Hypothesis
Revisiting the Wrong-Key-Randomization Hypothesis Tomer Ashur, Tim Beyne, and Vincent Rijmen ESAT/COSIC, KU Leuven and iminds, Leuven, Belgium [tomer.ashur,vincent.rijmen] @ esat.kuleuven.be [tim.beyne]
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationCryptanalysis of PRESENT-like ciphers with secret S-boxes
Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationKey Difference Invariant Bias in Block Ciphers
Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationDK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,
The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Aalto University School of Science and Nokia, Finland kaisa.nyberg@aalto.fi Abstract. In this invited talk, a brief survey on
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationLinear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques
Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationDifferential Attacks: Using Alternative Operations
Differential Attacks: Using Alternative Operations Céline Blondeau 1, Roberto Civino 2, and Massimiliano Sala 2 1 Aalto University, School of Science, Finland celine.blondeau@aalto.fi 2 University of Trento,
More informationExperimenting Linear Cryptanalysis
Experimenting Linear Cryptanalysis Baudoin Collard, François-Xavier Standaert UCL Crypto Group, Microelectronics Laboratory, Université catholique de Louvain. Place du Levant 3, B-1348, Louvain-la-Neuve,
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationDistinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationHermelin, Miia; Cho, Joo Yeon; Nyberg, Kaisa Multidimensional Linear Cryptanalysis
Powered by TCPDF (www.tcpdf.org) This is an electronic reprint of the original article. This reprint may differ from the original in pagination and typographic detail. Hermelin, Miia; Cho, Joo Yeon; Nyberg,
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationImproved Multiple Impossible Differential Cryptanalysis of Midori128
Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationData Complexity and Success Probability for Various Cryptanalyses
Data Complexity and Success Probability for Various Cryptanalyses Céline Blondeau, Benoît Gérard and Jean Pierre Tillich INRIA project-team SECRET, France Blondeau, Gérard and Tillich. Data Complexity
More informationBISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018
BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and
More informationLinear Cryptanalysis Using Multiple Approximations
Linear Cryptanalysis Using Multiple Approximations Burton S. Kaliski Jr. and M.J.B. Robshaw RSA Laboratories 100 Marine Parkway Redwood City, CA 94065, USA Abstract. We present a technique which aids in
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationLinear Cryptanalysis Using Low-bias Linear Approximations
Linear Cryptanalysis Using Low-bias Linear Approximations Tomer Ashur 1, Daniël Bodden 1, and Orr Dunkelman 2 1 Dept. Electrical Engineering, COSIC-imec, KU Leuven, Belgium [tashur,dbodden]@esat.kuleuven.be
More informationLinear Cryptanalysis
Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationDifferential Fault Analysis on DES Middle Rounds
Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack
More informationImpossible Differential Cryptanalysis of Mini-AES
Impossible Differential Cryptanalysis of Mini-AES Raphael Chung-Wei Phan ADDRESS: Swinburne Sarawak Institute of Technology, 1 st Floor, State Complex, 93576 Kuching, Sarawak, Malaysia. rphan@swinburne.edu.my
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationChapter 1 - Linear cryptanalysis.
Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationCryptanalysis of SP Networks with Partial Non-Linear Layers
Cryptanalysis of SP Networks with Partial Non-Linear Layers Achiya Bar-On 1, Itai Dinur 2, Orr Dunkelman 3, Nathan Keller 1, Virginie Lallemand 4, and Boaz Tsaban 1 1 Bar-Ilan University, Israel 2 École
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationThe Invariant Set Attack 26th January 2017
The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National
More informationIntegrals go Statistical: Cryptanalysis of Full Skipjack Variants
Integrals go Statistical: Cryptanalysis of ull Skipjack Variants Meiqin Wang mqwang@sdu.edu.cn Joint Work with Tingting Cui, Huaifeng Chen, Ling Sun, Long Wen, Andrey Bogdanov Shandong University, China;
More informationMenu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation
Lecture : Use and nalysis Menu Today s manifest: on line only Review Modes of Operation ttacks CS: Security and rivacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans
More informationA New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information
More informationIntegral and Multidimensional Linear Distinguishers with Correlation Zero
Integral and Multidimensional Linear Distinguishers with Correlation Zero Andrey Bogdanov 1, regor Leander 2, Kaisa yberg 3, Meiqin Wang 4 1 KU Leuven, ESAT/SCD/COSIC and IBBT, Belgium 2 Technical University
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationImpossible differential and square attacks: Cryptanalytic link and application to Skipjack
UCL Crypto Group Technical Report Series Impossible differential and square attacks: Cryptanalytic link and application to Skipjack Gilles Piret Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/
More informationjorge 2 LSI-TEC, PKI Certification department
Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.
More informationImproved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, France Abstract. In this work we study the security of Chaskey, a recent lightweight MAC designed by
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationNew Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya iu 1, eibo i 2,3, Dawu Gu 1, Xiaoyun Wang 2,3,4, Zhiqiang iu 1, Jiazhe Chen 2,3, Wei i 5,6 1 Department of Computer
More informationCryptanalysis of a Generalized Unbalanced Feistel Network Structure
Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li, Bing Sun, Chao Li, Longjiang Qu National University of Defense Technology, Changsha, China ACISP 2010, Sydney, Australia 5
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationBit-Pattern Based Integral Attack
Bit-Pattern Based Integral Attack Muhammad Reza Z aba 1,Håvard Raddum 2,,MattHenricksen 3, and Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane,
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More information