Introduction to Symmetric Cryptography

Size: px

Start display at page:

Download "Introduction to Symmetric Cryptography"

Colleen Marsh
5 years ago
Views:

1 Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark

2 Practical Information Plan for today: 9:30-11:00 Introduction to Symmetric Cryptography 11:30-13:00 Secure Building Blocks 14:30-15:00 Secure Building Blocks 15:00-16:00 Finding Trails 16:30-17:30 Exercises Material

3 Introduction to Symmetric Cryptography

4 Symmetric Key Cryptography 2

5 Symmetric Key Cryptography Where does security fail? 3

6 Symmetric Key Cryptography Where does security fail? User MD5 3

7 Symmetric Key Cryptography Where does security fail? User Implementation Heartbleed 3

8 Symmetric Key Cryptography Where does security fail? User Implementation Protocols Drown Attack 3

9 Symmetric Key Cryptography Where does security fail? User Implementation Protocols Hardware Meltdown / Spectre 3

10 Symmetric Key Cryptography Where does security fail? User Implementation Protocols Hardware Cryptographic Algorithms 3

11 Symmetric Key Cryptography Hash Function MD5 Not collision resistant [WY05] Constructing a rogue CA [Ste+09] Hash Function SHA-1 Not collision resistant [WYY05] First practical collisions last year. Stream Cipher RC4 Plaintext Recovery in TLS [AlF+13]... 4

12 Symmetric Key Cryptography A long list... MIFARE Classic (Crypto 1) Bluetooth (E0) Keeloq A5/1, A5/2 DECT Kindle Cipher... 5

13 Symmetric Key Cryptography TLS ECDHE RSA WITH AES 128 GCM SHA256 Protocol Public Key Symmetric Key 6

14 Symmetric Key Cryptography What can we do with symmetric key cryptography? Encryption Authentication Hashing Random Number Generation Digital Signatures Key Exchange... 7

15 Symmetric Key Cryptography What can we do? Encryption Authentication Hashing Random Number Generation Digital Signatures Key Exchange... 8

16 Symmetric Key Cryptography Snape kills Dumbledore Snape kills Dumbledore K E K E qgwqndadcygmyoy qgwqndadcygmyoy 9

17 Symmetric Key Cryptography Snape kills Dumbledore Snape kills Dumbledore K E K E qgwqndadcygmyoy qgwqndadcygmyoy Note We need a shared secret between the parties. 9

18 Symmetric Key Cryptography Snape kills Dumbledore Snape kills Dumbledore K E K E qgwqndadcygmyoy qgwqndadcygmyoy Read Modify Send 10

19 Symmetric Key Cryptography P? E C Adversary knows specification of E only key is secret... 11

20 Symmetric Key Cryptography P? E C Adversary knows specification of E only key is secret......but only gets black-box access. 11

21 Symmetric Key Cryptography P? E measure C Adversary knows specification of E only key is secret......but only gets black-box access. Side-channel attacks 11

22 Symmetric Key Cryptography P? E uint8 t key = {0x1, 0x2, 0x3,...}; c = encrypt aes128(message, key){... C Adversary knows specification of E only key is secret......but only gets black-box access. Side-channel attacks Whitebox Cryptography 11

23 Symmetric Key Cryptography Goal of the attacker Key P E C 12

24 Symmetric Key Cryptography Goal of the attacker P C Find the secret message. 12

25 Symmetric Key Cryptography Goal of the attacker Key P 1, P 2,... E C 1, C 2,... Find the secret message. Recover the secret key. 12

26 Symmetric Key Cryptography Goal of the attacker E? qgwqnda... Random? Find the secret message. Recover the secret key. Distinguish E from random. 12

27 Symmetric Key Cryptography The adversary Eavesdrop on communication Modify transmission Delete/Insert messages......but is bound in Time (T) Available memory (M) Data (D) 13

28 Symmetric Key Cryptography How do we achieve security for an algorithm? Reduce security to a hard problem. Make it secure against all known attacks. No attack better than the generic attacks. Note We can not prove security for a primitive. 14

29 Block Ciphers

30 Block Ciphers K P? C Should be secure Should be efficient Must have a decryption function 15

31 Block Ciphers E : K P C (1) Plaintext/Ciphertext space P, C which are typically F n 2 Key space K = F k 2 Blocksize n Keysize k 16

32 Block Ciphers Keysize: 64-bit, approx. hash rate of the Bitcoin network / sec 128-bit, sufficient for most applications 256-bit, long-term, post-quantum Blocksize: 64-bit can be ok if amount of data is very limited for each key. 128-bit sufficient for most applications. 17

33 Block Ciphers Ideal Block Cipher Plaintexts Ciphertexts K =

34 Block Ciphers Ideal Block Cipher Plaintexts Ciphertexts K =

35 Block Ciphers Ideal Block Cipher Plaintexts Ciphertexts K =

36 Block Ciphers A block cipher can be seen as a family of 2 k n-bit bijections. Problem There are 2 n! bijections, we ideally want to choose 2 k uniformly at random. Example n = 128, k = 128: log 2 (2 128!) = (2) 19

37 Block Ciphers A first attempt K P? C 20

38 Block Ciphers A first attempt K P C 20

39 Block Ciphers A first attempt K P C Not secure: Chosen plaintext trivial recovery of K. C 1 = P 1 K C 2 = P 2 K (3) C 1 C 2 = P 1 P 2 20

40 Block Ciphers K P π C 21

41 Block Ciphers K P π C π is a randomly chosen permutation. Compute C = π 1 (C), becomes previous design. 21

42 Block Ciphers K K P π C 22

43 Block Ciphers K K P π C Actually secure and known as the Even-Mansour [EM97] construction......if π is a random permutation. 22

44 Block Ciphers How to construct π? Can t be linear. Needs to be efficient, can t make a huge lookup table. Should be secure. 23

45 Block Ciphers How to construct π? Can t be linear. Needs to be efficient, can t make a huge lookup table. Should be secure. Two popular constructions Feistel Network Substitution Permutation Network (SPN) 23

46 Block Ciphers Iterated construction Key Key Schedule K 1 K 2 K 3 K r P f 1 f 2 f 3 f r C 24

47 Block Ciphers Feistel Network L 0 R 0 f 1 f 2 f 3 f 4 L 4 R 4 25

48 Block Ciphers Substitution Permutation Network (SPN) S-box (S) Linear Layer (L) S S S S. L. L S S S S 26

49 Data Encryption Standard

50 Data Encryption Standard L 0 R 0 The Data Encryption Standard Developed in 1970s at IBM. Feistel Network with 16 rounds. Encrypts 64-bit blocks with 56-bit keys. Standardized in Still widely used (Triple-DES)... f 1 f 2 f 3 f 4 L 4 R 4 27

51 Data Encryption Standard Round function of DES [Jea16] R i Expansion from 32 to 48 bits 32 bits 48 bits k i S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 Reduction from 48 bits to 32 Each S-Box maps 6 bits to 4 P 32 bits XOR to L i 1 28

52 Data Encryption Standard Current state of key recovery attacks for DES 0 16 Differential Attack [BS92] Linear Cryptanalysis [Mat93; Jun01; BV17] Best attack known plaintexts, DES encryptions. There are many more attacks with different trade-offs of time/data/memory. 29

53 Advanced Encryption Standard

54 Advanced Encryption Standard The Advanced Encryption Standard (AES) Public Competition hosted by NIST ( ) Must support block size of 128 bits and key size of 128, 192 and 256 bits. CAST-256 CRYPTON DEAL DFC E2 FROG HPC LOKI97 MAGENTA MARS RC6 Rijndael SAFER+ Serpent Twofish 30

55 Advanced Encryption Standard The Advanced Encryption Standard (AES) Public Competition hosted by NIST ( ) Must support block size of 128 bits and key size of 128, 192 and 256 bits. CAST-256 CRYPTON DEAL DFC E2 FROG HPC LOKI97 MAGENTA MARS RC6 Rijndael SAFER+ Serpent Twofish 30

56 Advanced Encryption Standard AES/Rijndael Blocksize: 128-bit Keysize: 128/192/256 bits Iterated block cipher with 10/12/14 rounds. Is part of a wide-range of standards. Direct support by instructions in modern CPUs. 31

57 Advanced Encryption Standard Update 4 4 state of bytes SubBytes ShiftRows MixColumns a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 SubBytes b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 AddKey S 32

58 Advanced Encryption Standard Update 4 4 state of bytes SubBytes ShiftRows MixColumns AddKey No a a a a a a a a change 0,0 0,1 0,2 0,3 0,0 0,1 0,2 0,3 ShiftRows Shift 1 a 1,0 a 1,1 a 1,2 a 1,3 a 1,1 a 1,2 a 1,3 a 1,0 Shift 2 a 2,0 a 2,1 a 2,2 a 2,3 a 2,2 a 2,3 a 2,0 a 2,1 Shift 3 a3,0 a3,1 a3,2 a3,3 a3,3 a3,0 a3,1 a3,2 32

59 Advanced Encryption Standard Update 4 4 state of bytes SubBytes ShiftRows MixColumns AddKey a 0,1 a 0,0 a 0,2 a 0,3 a a 1,1 1,0 a 1,2 a 1,3 a 2,0 a a a 2,1 2,2 2,3 a 3,0 a 3,2 a 3,3 a3,1 MixColumns b 0,1 b 0,0 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b b b 2,1 2,2 2,3 b 3,0 b 3,2 b 3,3 b3,1 32

60 Advanced Encryption Standard Update 4 4 state of bytes a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 AddRoundKey b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 SubBytes ShiftRows a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 MixColumns k 0,0 k 0,1 k 0,2 k 0,3 AddKey k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 32

61 Advanced Encryption Standard Current state of key recovery attacks for AES [Fer+00] [BKR11] 2 99 [DFJ13] [BKR11] There are many more attacks with different trade-offs of time/data/memory. 33

62 Differential Cryptanalysis

63 Differential Cryptanalysis P α = P P P 34

64 Differential Cryptanalysis P E C α = P P K β = C C P E C 34

65 Differential Cryptanalysis P E C weak E Occurence Value of β α = P P K β = C C Occurence P E C ideal E Value of β 34

66 Differential Cryptanalysis Definition A differential is a pair of differences (α, β) F n 2 Fn 2, where α is the input difference to some function f and β the output difference. The differential probability of a differential α f β is given by DP(α f β) = Pr[f (X ) f (X α) = β]. (4) X For a random function we expect DP(α f β) 2 n. 35

67 Differential Cryptanalysis Problem: How to determine DP when the blocksize is large? How to deal with the key? 36

68 Differential Cryptanalysis Definition A differential trail Q is a sequence of differences f Q = (α 0 f 0 1 f r 1 α1 αr 1 αr ). (5) k 0 k 1 k r 1 α 0 f 0 α 1 f 1... f r 1 α r 37

69 Differential Cryptanalysis Determine DP for one round: S-box small enough to analyse. Linear layer DP = 1. S S. L S S 38

70 Differential Cryptanalysis Assuming the rounds are independent r 1 f DP(Q) = DP(α i i αi+1 ). (6) i=0 Works good enough in practice for most ciphers. If we want to distinguish the cipher we don t care about the intermediate differences. 39

71 Differential Cryptanalysis From trails back to differentials: f Pr(α 0 α r ) = Pr(α 0 α 1,...,α r 1 f 0 f 1 α1 αr 1 f r 1 αr ). (7) α 0 α r 40

72 Differential Cryptanalysis We typically look at a block cipher with a fixed secret key Differential might behave very differential for the choice of key. We assume that for most keys it behaves like choosing uniformly random round keys. 41

73 Differential Cryptanalysis Experimental example: We look at two block ciphers with 64-bit block size. Encrypt 2 30 random pairs under random keys. 42

74 Differential Cryptanalysis Number of Occurences Differential with DP = for 6-round Skinny-64 Keys with x pairs Good Pairs 43

75 Differential Cryptanalysis Differential with DP = for 7-round Speck-64 Number of Occurences Keys with x pairs Good Pairs 43

76 Differential Cryptanalysis Assume we have a differential (α, β) with good probability for r 1 rounds: p f f u v f c α β k 0 k r 1 k r p f f u v f c 44

77 Differential Cryptanalysis u v f c 1. Guess (parts of) k r. 2. Decrypt c and c. 3. If v v = β, then good candidate. β k r 1 k r u v f c 45

78 Differential Cryptanalysis Key guessing: k r 1 k r u v f c 46

79 Differential Cryptanalysis Key guessing: k r 1 k r u v f c correct key 46

80 Differential Cryptanalysis Key guessing: k r 1 k r u v f c f c wrong key Hypothesis of wrong-key randomization: c is random. 46

81 Differential Cryptanalysis Attack with differential DP(Q) = q: 1. Encrypt N pairs. 2. Set of counters T = {T 0,..., T k 1 }. 3. For each pair (c, c ): 3.1 For each choice of last round key k j : Compute (v, v ) If u u = β increment T j. 4. Correct counter will have a value close to qn. 47

82 Differential Cryptanalysis Why does this work? If it was a good pair: Correct key guess always gives β. Wrong key guess gives β with probability 2 n. We need enough good pairs to distinguish these cases. Reduce noise by increasing N or filtering. 48

83 Differential Cryptanalysis Filtering Obtained pairs (c, c ) and c c = γ. Often β fr γ not possible, we can throw away this pair. K 1 K 2 K 3 K r P f 1 f 2 f 3 f r C p = DP(Q) p = 0 49

84 Linear Cryptanalysis

85 Linear Cryptanalysis K P E C Find ( ) P i i j which holds with high probability. C j ( ) = K k k (8) 50

86 Linear Cryptanalysis Overview: Only needs known plaintext. Need to find a linear expression with p 1/2. We look at the bias of this expression ɛ = p 1/2 (9) 51

87 Linear Cryptanalysis Definition A linear trail L is a sequence of masks f L = (α 0 f 0 1 f r 1 α1 αr 1 αr ). (10) k 0 k 1 k r 1 α 0 f 0 α 1 f 1... f r 1 α r 52

88 Linear Cryptanalysis Combining approximations for two rounds: Assume X, Y, Z independent: Pr[α 0 X α 1 Y = 0] = p 1 Pr[α 1 Y α 2 Z = 0] = p 2 (11) Pr[α 0 X α 2 Z = 0] = p 1 p 2 + (1 p 1 )(1 p 2 ) = 2p 1 p 2 p 1 p (12) 53

89 Linear Cryptanalysis Assume we have a linear trail (α β) with probability p: k u v f w α β Pr[(v α) (w β) = 0] = p 54

90 Linear Cryptanalysis Assume we have a linear trail (α β) with probability p: k u v f w α β Pr[(v α) (w β) = 0] = p (u α) (k α) = (v α) 54

91 Linear Cryptanalysis Assume we have a linear trail (α β) with probability p: k u v f w α β Pr[(v α) (w β) = 0] = p (u α) (k α) = (v α) (u α) (w β) = 0 with a bias of p 1/2 54

92 Linear Cryptanalysis Assume we have a linear trail (α β) with probability p: k u v f w α β Pr[(v α) (w β) = 0] = p (u α) (k α) = (v α) (u α) (w β) = 0 with a bias of p 1/2 Key will only flip sign of equation. 54

93 Linear Cryptanalysis A simple attack to learn parity of the key: We have a linear approximation with p > 1/2. Let T be the number of times our linear expression is 0 out of N plaintexts. If T > N/2, then guess K = 0, else guess K = 1. Success rate increases with ɛ and N. 55

94 Linear Cryptanalysis Similar issues as with differentical cryptanalysis arise Secret key / Average key Single trail vs. linear hull Wrong key randomization 56

95 Conclusion Differential/Linear attack Very powerful attacks. Usually high data complexity. Resistance against these attacks is an important design criteria. 57

96 57

97 Fantastic Trails and Where to Find Them

98 Differential Trails Problem We want to find Q with DP(Q) > 2 n. Is it easy to find good differential trails? Can we prove that no good trails exist for a primitve? 58

99 Differential Trails α 0 Search space is very large: 2 n 1 possible starting differences. 59

100 Differential Trails α β 0 β 1 β 2 β 3 Search space is very large: 2 n 1 possible starting differences. 59

101 Differential Trails α β 0 β 1 β 2 β γ 0 γ 1 γ 2 Search space is very large: 2 n 1 possible starting differences. 59

102 Differential Trails α β 0 β 1 β 2 β γ 0 γ 1 γ 2 Search space is very large: 2 n 1 possible starting differences. 59

103 Differential Trails α β 0 β 1 β 2 β γ 0 γ 1 γ 2 Search space is very large: 2 n 1 possible starting differences. 59

104 Differential Trails α β 0 β 1 β 2 β γ 0 γ 1 γ 2 Search space is very large: 2 n 1 possible starting differences. 59

105 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

106 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

107 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

108 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

109 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

110 Differential Trails Easy for some designs like AES Look at active S-boxes. MixColumns has branch number 5. SB SR MC SB 60

111 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

112 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

113 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

114 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

115 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

116 Differential Trails AES 4-round Trail min. 25 active S-boxes. Max. DP of S-box: 2 6. Max. DP 4-round Trail: SB SR MC SB SR MC SB SR MC SB SR MC 61

117 Differential Trails Matsui s Algorithm [Mat94] Branch and bound algorithm. Originally used for DES. Find best trail for n rounds given bounds B 1,..., B n 1. 62

118 Differential Trails α 0 Round 1 Round 2 Guess Initial Bound: B n. B n Round n 1 Round n α n 63

119 Differential Trails α 0 p 1 Round 1 For all choices of α 0 α 1 : if p 1 B n 1 B n continue B n B n 1 Round 2 Round n 1 Round n α n 63

120 Differential Trails α 0 p 1 Round 1 For all choices of α 1 α 2 : if p 1 p 2 B n 2 B n continue B n p 2 Round 2 B n 2 Round n 1 Round n α n 63

121 Differential Trails α 0 p 1 Round 1 For all choices of α n 1 α n : if p 1... p n B n B n p 1... p n B n p 2 Round 2 p n 1 Round n 1 p n Round n α n 63

122 Differential Trails Branch and Bound Large search tree can make this computationally infeasible. Cut of bad branches. Restrict to counting active S-boxes. For instance AES only 2 16 patterns compared to possible differences. 64

123 Differential Trails Reduce it to a different problem Mixed Integer Linear Programming (MILP) Satisfiability (SAT) Constraint Programming (CP)... 65

124 Differential Trails MILP min x 1 + x 2 +x 3 x 4 + 2x 5 subject to x i {0, 1} x 2 + x 3 1 x 4 2x 3 0 x 1 + 2x 5 x

125 Differential Trails Constructing the model for AES: Represent state as binary variables (active/non-active) x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 (13) Model conditions for propagating patterns of active S-boxes. Minimize sum of active S-boxes. 67

126 Differential Trails Conditions for MixColumns in AES Let a 0,..., a 15 be the state before MixColumns and b 0,..., b 15 the state after MixColumns and d 0,..., d 3 binary variables. a 0 + a 1 + a 2 + a 3 + b 0 + b 1 + b 2 + b 3 5 d 0 0 d 0 a 0 0 d 0 a 1 0 d 0 a 2 0 d 0 a 3 0 d 0 b 0 0 d 0 b 1 0 d 0 b 2 0 d 0 b 3 0 (14) 68

127 Differential Trails Satisfiability (SAT) Definition Is there an assignment to x 0,..., x n such that the boolean formula (x 0 x 1...) (x 1 x 3...)... becomes true. Satisfiability Modulo Theories (SMT) SAT + theories E.g. integers, data structures, lists, bit vectors,... 69

128 Differential Trails Constructing model: Represent state as binary variables. Create clauses which are only satisfiable if they represent a valid transition of differences. Additional variables to calculate the probability p. Check if there is an assignment that is satisfiable for given p. 70

129 Differential Trails Example: XOR (a b = c): a b c Valid Pr We have to add the following clauses: (a b c) (a b c) ( a b c) ( a b c) (15) 71

130 Differential Trails Example: AND (a b = c): a b c Valid Pr We have to add the following clause: Probability for valid transitions is 2 (a b ). (a b c) (16) 72

131 Differential Trails SAT/SMT Widely applicable, but performance can be an issue. Useful to generate proof that no trail with DP > p i exists. Example: CryptoSMT

132 Advanced Differential Attacks

133 Advanced Differential Attacks Truncated differentials [Knu94] Idea Only determine difference partially S

134 Advanced Differential Attacks Truncated differentials [Knu94] Idea Only determine difference partially S 1*** 74

135 Advanced Differential Attacks Truncated differentials Use as distinguisher directly. Often useful to filter good pairs in differential attack. 75

136 Advanced Differential Attacks Impossible differentials [Knu98; BBS99] Idea Utilize differentials with DP = 0. Can be very difficult to find. Often constructed using truncated differential with probability 1. 76

137 Advanced Differential Attacks Finding impossible differentials (Miss-in-the-Middle) K 1 K 2 K 3 K r P f 1 f 2 f 3 f r C p = 1 p = 1 p = 0 77

138 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

139 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

140 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

141 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

142 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

143 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

144 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

145 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

146 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

147 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

148 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

149 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

150 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

151 Advanced Differential Attacks Example AES: SB SR MC SB SR MC SB SR MC 78

152 Advanced Differential Attacks Idea Use multiple differentials for key recovery. Allows to recover different parts of the key. Increase the success rate. Data complexity might be an issue. 79

153 Advanced Differential Attacks Use structure to reduce data complexity x α x α α α α x α α x α 80

154 Conclusion Very powerful techniques Every new design should have strong argument against these attacks. Finding good trails is an interesting problem. Assumptions have to be taken carfefully Finding probability of a differential is difficult. Bound from single trail might be too optimistic. Influence of the key not well understood. 81

155 81

156 References i Nadhem J. AlFardan et al. On the Security of RC4 in TLS. In: Proceedings of the 22th USENIX Security Symposium. 2013, pp Eli Biham, Alex Biryukov, and Adi Shamir. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: EUROCRYPT. Vol Lecture Notes in Computer Science. Springer, 1999, pp Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Biclique Cryptanalysis of the Full AES. In: Advances in Cryptology - ASIACRYPT , pp Eli Biham and Adi Shamir. Differential Cryptanalysis of the Full 16-Round DES. In: CRYPTO. Vol Lecture Notes in Computer Science. Springer, 1992, pp Andrey Bogdanov and Philip S. Vejre. Linear Cryptanalysis of DES with Asymmetries. In: ASIACRYPT (1). Vol Lecture Notes in Computer Science. Springer, 2017, pp

157 References ii Patrick Derbez, Pierre-Alain Fouque, and Jérémy Jean. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting. In: Advances in Cryptology - EUROCRYPT , pp Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. In: J. Cryptology 10.3 (1997), pp doi: /s url: Niels Ferguson et al. Improved Cryptanalysis of Rijndael. In: Fast Software Encryption, 7th International Workshop, FSE , pp Jérémy Jean. TikZ for Cryptographers Pascal Junod. On the Complexity of Matsui s Attack. In: Selected Areas in Cryptography. Vol Lecture Notes in Computer Science. Springer, 2001, pp

158 References iii Lars R. Knudsen. Truncated and Higher Order Differentials. In: FSE. Vol Lecture Notes in Computer Science. Springer, 1994, pp Lars R. Knudsen. DEAL-a 128-bit block cipher. In: complexity (1998), p Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In: EUROCRYPT. Vol Lecture Notes in Computer Science. Springer, 1993, pp Mitsuru Matsui. On Correlation Between the Order of S-boxes and the Strength of DES. In: EUROCRYPT. Vol Lecture Notes in Computer Science. Springer, 1994, pp Marc Stevens et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Advances in Cryptology - CRYPTO , pp

159 References iv Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In: Advances in Cryptology - EUROCRYPT , pp Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In: Advances in Cryptology - CRYPTO , pp

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography