Cube Analysis of KATAN Family of Block Ciphers

Similar documents
Fault Analysis of the KATAN Family of Block Ciphers

Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cube Attacks on Stream Ciphers Based on Division Property

Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers

Cube attack in finite fields of higher order

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

On the Security of NOEKEON against Side Channel Cube Attacks

Linear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION

Algebraic Immunity of S-boxes and Augmented Functions

Enhancing the Signal to Noise Ratio

Algebraic Aspects of Symmetric-key Cryptography

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Key Recovery with Probabilistic Neutral Bits

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

The Advanced Encryption Standard

Optimized Interpolation Attacks on LowMC

Design of a New Stream Cipher: PALS

On the Design of Trivium

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

Numerical Solvers in Cryptanalysis

A New Distinguisher on Grain v1 for 106 rounds

Differential Fault Analysis of Trivium

Block Cipher Cryptanalysis: An Overview

The Hash Function JH 1

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Some Randomness Experiments on TRIVIUM

Algebraic attack on stream ciphers Master s Thesis

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Analysing Relations involving small number of Monomials in AES S- Box

Quantum Differential and Linear Cryptanalysis

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Analysis of Modern Stream Ciphers

Deterministic Cube Attacks:

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Division Property: a New Attack Against Block Ciphers

Algebraic Techniques in Differential Cryptanalysis

A survey of algebraic attacks against stream ciphers

ECS 189A Final Cryptography Spring 2011

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Algebraic Analysis of the Simon Block Cipher Family

Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

ARMADILLO: a Multi-Purpose Cryptographic Primitive Dedicated to Hardware

How Fast can be Algebraic Attacks on Block Ciphers?

Extended Criterion for Absence of Fixed Points

Structural Cryptanalysis of SASAS

Searching Cubes for Testing Boolean Functions and Its Application to Trivium

Essential Algebraic Structure Within the AES

Algebraic Techniques in Differential Cryptanalysis

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Block Ciphers and Systems of Quadratic Equations

Stream Ciphers: Cryptanalytic Techniques

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Revisit and Cryptanalysis of a CAST Cipher

ACORN: A Lightweight Authenticated Cipher (v3)

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Dynamic Cube Attack on 105 round Grain v1

Lecture 10 - MAC s continued, hash & MAC

A Five-Round Algebraic Property of the Advanced Encryption Standard

Table Of Contents. ! 1. Introduction to AES

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Differential properties of power functions

New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Linear Approximations for 2-round Trivium

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Efficient Hamming Weight-based Side-Channel Cube Attacks on PRESENT

AES side channel attacks protection using random isomorphisms

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis

Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

Matrix Power S-Box Construction

Algebraic Precomputations in Differential and Integral Cryptanalysis

Algebraic Attacks and Stream Ciphers

Computational and Algebraic Aspects of the Advanced Encryption Standard

Functions on Finite Fields, Boolean Functions, and S-Boxes

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium

On the Complexity of the Hybrid Approach on HFEv-

Comparison of cube attacks over different vector spaces

Leakage Resilient ElGamal Encryption

New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

Algebraic properties of SHA-3 and notable cryptanalysis results

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Invariant Subspace Attack Against Full Midori64

Fast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

New Insights into Divide-and-Conquer Attacks on the Round-Reduced Keccak-MAC

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Transcription:

Cube Analysis of KATAN Family of Block Ciphers Speaker: Bingsheng Zhang University of Tartu, Estonia This talk covers partial results of the paper Algebraic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers by Gregory V. Bard, Nicolas T. Courtois, Jorge Nakahara Jr, Pouyan Sepehrdad and Bingsheng Zhang S

Outline S Introduction to AIDA/Cube attacks S KATAN family of block ciphers S Cube attack on reduced-round KATAN family S Side-channel attack against KATAN32 S Conclusion and further work

Introduction to Cube Attacks S Cube attack (see eprint.iacr.org/2008/385) is also claimed to be a remake of AIDA (Algebraic IV Differential Attack, see eprint.iacr.org/2007/413) S In this talk, we refer to Dinur and Shamir s version. S Cube attack is generic key-recovery attack that can be applied to cryptosystems in a black-box setting, i.e. the internal structure of the target cipher is unknown.

Introduction to Cube Attacks S A cryptosystem can be represented as multivariable polynomial over GF(2) in Algebraic Normal Form (ANF). x 1...x n k1. p i (x 1,...,x n,k 1,...,k m )=y i k m y 1...y n

Introduction to Cube Attacks S In chosen-plaintext/chosen-iv setting, the adversary can query p i (x 1,...,x n,k 1,...,k m )=y i with arbitrary public variables and fixed secret key variables, obtaining y i. x i S On the other hand, the polynomials can be decomposed as: p(x 1,...,x n,k 1,...,k m )=t I q I + r(x 1,...,x n,k 1,...,k m ) where t I = Y x i, for i 2 I [n] i q I does not contain x i as they are factored out. (x 2 i = x i )

Introduction to Cube Attacks S For example, let polynomial p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 )= x 2 x 3 k 3 + x 1 x 2 k 1 + x 2 k 4 + x 1 x 3 k 2 k 3 + x 1 x 2 k 2 +1 S Let I = {1, 2}, so that t I = x 1 x 2 and we have: p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 )=x 1 x 2 q I + r where q I = k 1 + k 2 and r = x 2 x 3 k 3 + x 2 k 4 + x 1 x 3 k 2 k 3 +1

Introduction to Cube Attacks S Main observation of cube attack: sum over GF(2) of all evaluations of p by assigning all possible binary values to the variables in I (and fixed value, usually 0, to all the public M variables not in I) is exactly q I. p(x 1,x 2,x 3,k 1,k 2,k 3,k 4 ) = p(0, 0,x 3,k 1,k 2,k 3,k 4 )+ x i,i2i p(0, 1,x 3,k 1,k 2,k 3,k 4 )+ p(1, 0,x 3,k 1,k 2,k 3,k 4 )+ p(1, 1,x 3,k 1,k 2,k 3,k 4 ) = k 1 + k 2 = q I

Introduction to Cube Attacks S Offline phase: S Gathering enough linear equations for key variables. S Linearity Test: S Extract the equations. f(0) + f(a)+f(b) =f(a + b) S Online phase: S Query the gathered equations S Perform some cheap computations to recover the key.

KATAN Cipher Family S KATAN is a family of lightweight, hardware-oriented block ciphers. S Three variants: 32, 48, 64 (block size). S 80-bit key and 254 rounds. S The design was inspired by Trivium.

KATAN Cipher Family S KATAN consists of two LFSR s, called L 1 and L 2. S Two nonlinear Boolean functions, f a and f b. S For KATAN48, f a and f b are applied twice per round, but the same pair of key bits are reused. S For KATAN64, f a and f b are applied 3 times.

KATAN Cipher Family f a (L 1 )=L 1 [x 1 ]+L 1 [x 2 ]+(L 1 [x 3 ] L 1 [x 4 ]+L 1 [x 5 ] IR + k a ) f b (L 2 )=L 2 [y 1 ]+L 2 [y 2 ]+(L 2 [y 3 ] L 2 [y 4 ]+L 2 [y 5 ] L 2 [y 6 ]+k b )

KATAN Cipher Family

KATAN Cipher Family S Key Schedule is a linear mapping that expands 80-bit key to 508 subkey bits according to ( K i, for 0 apple i apple 79 k i = k i 80 + k i 61 + k i 50 + k i 13, otherwise S The subkey of i-th round is k a k b = K 2i K 2i+1 S At least 40 rounds is needed before complete key diffusion.

Cube Attack Results Cipher # Rounds Time Data Attack KATAN32 50 2 34 2 25.42 CP AIDA/Cube 60 2 39 2 30.28 CP AIDA/Cube KATAN48 40 2 49 2 24.95 CP AIDA/Cube KATAN64 30 2 35 2 20.64 CP AIDA/Cube Table 1: AIDA / Cube attack complexities on KATAN family.

Cube Attack Results Maxterm Degree Cube equation Cipher bit 0CB0C29808C10001 16 k 5 c 44 2E2128800020305A 16 k 4 c 7 10E2002920014471 16 k 1 + k 5 + k 12 c 47 0A12042100446263 16 k 8 + k 10 + k 19 c 12 029290CC02C10140 16 k 2 c 5 AE0C032002100492 16 k 9 c 9 4241092108534C00 16 k 1 c 44 0E0864A20828A800 16 k 0 c 56 4104901087403083 16 k 7 c 8 44010B12812A0124 16 k 3 c 49 0200A0D00305E08A 16 k 3 + k 10 c 48 041102168238A802 16 k 6 c 9 439C00A810940044 16 k 3 + k 8 + k 17 c 9 60910A0B93000802 16 k 1 + k 8 c 47 018C084049C98003 16 k 0 + k 1 + k 2 + k 8 + k 11 c 8 3C1500040080C097 16 k 4 + k 15 c 48 0800FD4900016180 16 k 5 + k 9 + k 18 c 54

Side-channel Attack Against KATAN32 S Side-channel model S We use the side-channel cube attack model of Shamir. S Internal cipher data leaks after r round, r<254 S The data is supposed to be captured by some side channel information, such as power, timing analysis or electromagnetic emanations (a strong assumption). S We need only one bit of intermediate state. (Bit 19 after 40 rounds of KATAN32)

Side-channel Attack Against KATAN32 Cipher # Rounds Time Data Attack KATAN32 254 2 51 2 23.80 CP Side-Channel Table 1: Side-Channel attack on KATAN32

Side-channel Attack Against KATAN32 Maxterm Degree Cube equation Cipher bit 41356548 12 k 4 c 19 2464E14C 12 k 15 c 19 1EA26848 12 k 5 +1 c 19 E3516900 12 k 1 + k 16 c 19 4A8E6888 12 k 0 + k 17 +1 c 19 EBD02900 12 k 3 + k 10 +1 c 19 A0867A0C 12 k 14 + k 17 +1 c 19 C0C34C43 12 k 4 + k 10 + k 19 c 19 E2A54302 12 k 11 + k 15 + k 23 c 19 9C045983 12 k 2 + k 7 + k 11 + k 16 + k 24 + k 26 c 19 bd30cb11 15 k 13 c 19 7c366259 16 k 18 c 19 2cd5f264 16 k 6 + k 15 +1 c 19 b7351759 18 k 3 + k 18 + k 23 c 19

Strange Phenomena S Breaking 77 rounds of KATAN32 is much easier than 76 rounds. S attack on 76 rounds: 5.64 times faster than brute force. S attack on 77 rounds: 67.87 times faster than brute force. S attack on 78 rounds: 3.49 times faster than brute force.

Conclusion and further work S Cube attacks for reduced-round KATAN32, KATAN48 and KATAN64. S Side-channel attack against full-round KATAN32. S After the acceptance of our paper, we tried to similar attack methods against KTANTAN block ciphers. S More rounds are broken since the key schedule is weaker.

Acknowledgement S Thanks for useful comments from reviewers, e.g. On page 3, you write close to be(ing) overdefined : that means, in fact, underdefined? It sounds to me like the girl who is a little bit pregnant.

Thanks

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback