Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Similar documents
Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Division Property: a New Attack Against Block Ciphers

Lecture 12: Block ciphers

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Subspace Trail Cryptanalysis and its Applications to AES

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Block Cipher Cryptanalysis: An Overview

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Structural Evaluation by Generalized Integral Property

Some attacks against block ciphers

A Five-Round Algebraic Property of the Advanced Encryption Standard

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Subspace Trail Cryptanalysis and its Applications to AES

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Extended Criterion for Absence of Fixed Points

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Symmetric Crypto Systems

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Known and Chosen Key Differential Distinguishers for Block Ciphers

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Key Difference Invariant Bias in Block Ciphers

Symmetric Crypto Systems

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Table Of Contents. ! 1. Introduction to AES

Linear Cryptanalysis of Reduced-Round PRESENT

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Introduction to Symmetric Cryptography

Module 2 Advanced Symmetric Ciphers

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Security of the AES with a Secret S-box

Akelarre. Akelarre 1

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 4: DES and block ciphers

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

DD2448 Foundations of Cryptography Lecture 3

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Public-key Cryptography: Theory and Practice

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Introduction to symmetric cryptography

Differential-Linear Cryptanalysis of Serpent

MATH3302 Cryptography Problem Set 2

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol

Impossible Differential Cryptanalysis of Reduced-Round SKINNY

LOOKING INSIDE AES AND BES

FFT-Based Key Recovery for the Integral Attack

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Type 1.x Generalized Feistel Structures

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Cryptanalysis of SP Networks with Partial Non-Linear Layers

The Advanced Encryption Standard

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

ECS 189A Final Cryptography Spring 2011

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Complementing Feistel Ciphers

Public Key Cryptography

Chosen Plaintext Attacks (CPA)

Algebraic Techniques in Differential Cryptanalysis

Some integral properties of Rijndael, Grøstl-512 and LANE-256

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Block Ciphers and Feistel cipher

A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

S-box (Substitution box) is a basic component of symmetric

BLOCK CIPHERS KEY-RECOVERY SECURITY

Symmetric Cryptography

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

Chapter 2 Balanced Feistel Ciphers, First Properties

Similarities between encryption and decryption: how far can we go?

Invariant Subspace Attack Against Full Midori64

Provably Secure Higher-Order Masking of AES

Cryptography: Key Issues in Security

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

MATH 509 Differential Cryptanalysis on DES

Improbable Differential Cryptanalysis and Undisturbed Bits

Differential Attack on Five Rounds of the SC2000 Block Cipher

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Analysis of cryptographic hash functions

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Part (02) Modem Encryption techniques

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Transcription:

Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33

Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33

Classical Model of Symmetric Cryptography Classical Model of Symmetric Cryptography Alice and Bob exchange the secret key through a secure channel. 3 / 33

Block Cipher Block Cipher A block of plaintext p encrypt to a block of ciphertext c under the action of the key k: E : {0, 1} n {0, 1} κ {0, 1} n (p, k) E(p, k) = c k p E c 4 / 33

Block Cipher Block Cipher(cont.) Each key induces a permutation between the plaintexts and the ciphertexts P 1 C 1 P 1 C 1 P 2 C 2 P 2 C 2 P 3 C 3 P 3 C 3 P 4 C 4 P 4 C 4 P 5 C 5 P 5 C 5 P 2 n C 2 n P 2 n C 2 n Under key K 1 Under key K 2 5 / 33

Iterated Block Cipher Iterated Block Cipher Iterate a round function f several times: Master Key Key Schedule k 1 k 2 k r p F F... F c 6 / 33

Round Function How to build the round function? Two typical approaches: Feistel Network Substitution Permutation Network (SPN) 7 / 33

Substitution Permutation Network (SPN) Substitution Permutation Network (SPN) Plaintext Substitution Permutation k 0 Substitution Permutation k 1......... k 2 Substitution Permutation k r Ciphertext 8 / 33

Substitution Permutation Network (SPN) Substitution Permutation Network (SPN) 9 / 33

Cryptanalysis of block ciphers Cryptanalysis of block ciphers In symmetric key cryptography, security proofs are partial and insufficient An algorithm is secure as long there is no attack against it Make it secure against all known attacks. The more an algorithm is analysed without being broken, the more reliable it is. What is a broken cipher? If a block cipher encrypts messages with a k-bit key, no attack with time complexity less than 2 k should be known Otherwise, the cipher is considered as broken (even if the complexity of the attack is not practical). 10 / 33

Distinguisher Attack Distinguisher Attack of the weakest cryptographic attack. one simulates the block cipher for which the cryptography key has been chosen at random; the other simulates a truly random permutation. Goal: distinguish the two oracles, i.e. decide which oracle is the cipher. 11 / 33

Yoyo Game Introduction The Yoyo game was introduced by Biham et al. against Skipjack (Feistel block cipher) Yoyo Game: Suppose a plaintext pair has (or has not) a specific property. It is possible to generate other plaintext pairs that has (or has not) the same property by exchanging a specific word of their ciphertexts and decrypt new ciphertext pair. Open problem: How to do this for SPN ciphers and in particular for AES 12 / 33

Generic block cipher Generic SPN block cipher Let α = (α 0, α 1,..., α n 1 ) F n q denote the state of a block cipher. Let q = 2 k and let s(x) be a kxk permutation s-box. The S-box working on a state is defined by S(α) = (s(α 0 ), s(α 1 ),..., s(α n 1 )) Let L be a linear layer in the block cipher We consider SPNs of the form: two rounds: S L S 13 / 33

The yoyo operation The yoyo operation Definition For a vector c F n 2 and a pair of states α, β Fn q define a new state ρ c (α, β) by { ρ c α i if c i = 1, (α, β) i = β i if c i = 0. Example Let c = (0110) and α = (α 0, α 1, α 2, α 3 ) and β = (β 0, β 1, β 2, β 3 ). Then α = ρ (0110) (α, β) = (β 0, α 1, α 2, β 3 ) and β = ρ (0110) (β, α) = (α 0, β 1, β 2, α 3 ) Call (α, β ) = (ρ c (α, β), ρ c (β, α)) a yoyo pair. 14 / 33

Properties of the yoyo operation Properties of the yoyo operation Lemma Let α = ρ c (α, β) and β = ρ c (β, α). a) α β = α β b) S(α ) S(β ) = S(α) S(β) c) L(S(α )) L(S(β )) = L(S(α)) L(S(β)) Proof. a) b) ρ c (α, β) i ρ c (β, α) i = s(ρ c (α, β) i ) s(ρ c (β, α) i ) = { α i β i if c i = 1, β i α i if c i = 0 { s(α i ) s(β i ) if c i = 1, s(β i ) s(α i ) if c i = 0 c) the result follows from the linearity of L. 15 / 33

The zero difference pattern The zero difference pattern Definition (Zero difference pattern) Let α = (α 0, α 1,..., α n 1 ) F n q. Define ν(α) = (z 0, z 1,..., z n 1 ) F n 2 where z i = { 1 if α i is zero, 0 otherwise. Example Let α = (α 0, α 1, 0, α 3 ). Then ν(α) = (0, 0, 1, 0) Lemma Let α = ρ c (α, β) and β = ρ c (β, α). a) ν(α β) = ν(s(α) S(β)) 16 / 33

Typical use of yoyo operation Typical use of yoyo operation p 0 p 1 = ν p 0 p 1 S S 1 S(p 0 ) S(p 1 ) = L 1 (S 1 (c 0 )) L 1 (S 1 (c 1 )) L L 1 L(S(p 0 )) L(S(p 1 )) = S 1 (c 0 ) S 1 (c 1 ) S S 1 c 0 c 1 ρ c c 0 c 1 Adaptive a) Pick two plaintexts p 0 and p 1 with a zero difference ν(p 0 p 1 ). b) Encrypt p 0 and p 1 to c 0 and c 1. c) Make two new ciphertexts c 0 = ρ c (c 0, c 1 ) and c 1 = ρ c (c 1, c 2 ). d) Decrypt c 0 and c 1. e) ν(p 0 p 1 ) = ν(p 0 p 1 ) 17 / 33

AES Advanced Encryption Standard (AES) Byte-oriented Substitution-Permutation Network. Block size of 128 bits, key size of 128, 192, 256 bits. Number of rounds depend on key size 10, 12, 14 rounds resp. 128 bits of block size, seen as a 4 4 matrix of bytes. 18 / 33

AES An round of AES Each round is a composition of four byte-oriented transformations: SubBytes ShiftRows MixColumns AddRoundKey 19 / 33

SubBytes SubBytes y i = s(x i ) 20 / 33

ShiftRows ShiftRows SR 21 / 33

MixColumns MixColumns C M C M = x x + 1 1 1 1 x x + 1 1 1 1 x x + 1 x + 1 1 1 x 22 / 33

AddRoundKey AddRoundKey 23 / 33

Super-box representation of 2 rounds of AES Super-box representation of 2 rounds of AES R 2 = AK SR AK SR. Rewrite the operations : R 2 = AK SR ( AK ) SR. Then: Super-box = AK Figure: Super-box of AES 24 / 33

4 Rounds of AES Four Rounds of AES Figure: S L S in AES 25 / 33

Four Round AES Yoyo Distinguisher Four Round AES Yoyo Distinguisher Theorem Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair. 1 Select p 0 p 1 that differ in only one word 2 ask for encryption c 0 and c 1 of p 0 and p 1 p 0 p 1 S L S c 0 c 1 26 / 33

Four Round AES Yoyo Distinguisher Four Round AES Yoyo Distinguisher Theorem Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair. 1 Select p 0 p 1 that differ in only one word 2 ask for encryption c 0 and c 1 of p 0 and p 1 3 construct c 3 = ρ c (c 0, c 1 ), c 4 = ρ c (c 1, c 0 ) p 0 p 1 S L S ρ c (c i, c i+1 (mod 2) ) c 0 c 1 c 3 c 4 27 / 33

Four Round AES Yoyo Distinguisher Four Round AES Yoyo Distinguisher Theorem Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair. 1 Select p 0 p 1 that differ in only one word 2 ask for encryption c 0 and c 1 of p 0 and p 1 3 construct c 3 = ρ c (c 0, c 1 ), c 4 = ρ c (c 1, c 0 ) 4 get plaintexts p 3, p 4. p 0 p 1 p 3 p 4 S S 1 L L 1 S S 1 ρ c (c i, c i+1 (mod 2) ) c 0 c 1 c 3 c 4 28 / 33

Four Round AES Yoyo Distinguisher Four Round AES Yoyo Distinguisher Theorem Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair. 1 Select p 0 p 1 that differ in only one word 2 ask for encryption c 0 and c 1 of p 0 and p 1 3 construct c 3 = ρ c (c 0, c 1 ), c 4 = ρ c (c 1, c 0 ) 4 get plaintexts p 3, p 4. p 0 p 1 p 3 p 4 S S 1 5 if AES, then same zero difference pattern (prob for random = 2 96 ) L L 1 S S 1 ρ c (c i, c i+1 (mod 2) ) c 0 c 1 c 3 c 4 29 / 33

Results Results Table: Secret-Key Distinguishers for AES Property Rounds Data Cost Trun. Diff. 3 2 4.3 CP 2 11.5 XOR Integral 3 2 8 CP 2 8 XOR Yoyo 3 3 ACC 1 XOR Imp. Diff. 4 2 16.25 CP 2 22.3 M Integral 4 2 32 CP 2 32 XOR Yoyo 4 4 ACC 1 XOR Struct. Diff. 5 2 33 2 36.6 M Imp. Diff. 5 2 98.2 CP 2 107 M Integral 5 2 128 CC 2 128 XOR Yoyo 5 2 25.8 ACC 2 24.8 XOR Yoyo 6 2 122.83 ACC 2 121.83 XOR 30 / 33

Results Results Table: Comparison of key-recovery on 5 rounds of AES Attack Rounds Data Computation Memory MitM 5 8 CP 2 64 2 56 Imp. Polyt. 5 15 CP 2 70 2 41 Integral 5 2 11 CP 2 45.7 small Imp. Diff. 5 2 31.5 CP 2 33 2 38 Boomerang 5 2 39 ACC 2 39 2 33 Yoyo 5 2 11.3 ACC 2 29 small 31 / 33

Conclusion Conclusion new records 3-6 round distinguishers AES new record 5 round key recovery can be applied directly to similar designs as well can be improved (more rounds) for lightweight designs results published at Asiacrypt 2017 32 / 33

Conclusion Thanks for your attention! 33 / 33

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback