The Invariant Set Attack 26th January 2017

Similar documents
BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Nonlinear Invariant Attack

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers

Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations

Subspace Trail Cryptanalysis and its Applications to AES

Count November 21st, 2017

Block Cipher Invariants as Eigenvectors of Correlation Matrices

Invariant Subspace Attack Against Full Midori64

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

A Five-Round Algebraic Property of the Advanced Encryption Standard

Division Property: a New Attack Against Block Ciphers

Related Key Differential Cryptanalysis of Midori

Revisit and Cryptanalysis of a CAST Cipher

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

FFT-Based Key Recovery for the Integral Attack

Block Ciphers and Side Channel Protection

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Statistical and Algebraic Properties of DES

Lecture 12: Block ciphers

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

AES side channel attacks protection using random isomorphisms

Non-Separable Cryptographic Functions

Linear Cryptanalysis of Reduced-Round Speck

Multiplicative complexity in block cipher design and analysis

Block Cipher Cryptanalysis: An Overview

Thesis Research Notes

How Biased Are Linear Biases

Invariant Hopping Attacks on Block Ciphers

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Provable Security Against Differential and Linear Cryptanalysis

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Towards Provable Security of Substitution-Permutation Encryption Networks

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

S-box (Substitution box) is a basic component of symmetric

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Provable Security Against Differential and Linear Cryptanalysis

Cube Attacks on Stream Ciphers Based on Division Property

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

How Fast can be Algebraic Attacks on Block Ciphers?

Quadratic Equations from APN Power Functions

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

On Distinct Known Plaintext Attacks

Analysis of SHA-1 in Encryption Mode

Linear Approximations for 2-round Trivium

A New Algorithm to Construct. Secure Keys for AES

A Brief Comparison of Simon and Simeck

Open problems related to algebraic attacks on stream ciphers

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Affine equivalence in the AES round function

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Linear Cryptanalysis

Differential Attack on Five Rounds of the SC2000 Block Cipher

Algebraic Side-Channel Collision Attacks on AES

Key Difference Invariant Bias in Block Ciphers

Linear Cryptanalysis of Reduced-Round PRESENT

Differential Fault Analysis on the families of SIMON and SPECK ciphers

Invariant Hopping Attacks on Block Ciphers

Smart Hill Climbing Finds Better Boolean Functions

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Algebraic Techniques in Differential Cryptanalysis

On related-key attacks and KASUMI: the case of A5/3

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

Differential-Linear Cryptanalysis of Serpent

On Correlation Between the Order of S-boxes and the Strength of DES

Time-Memory-Data Trade-Off Attack on Stream Ciphers Based on Maiorana-McFarland Functions

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Analysis of the Simon Block Cipher Family

jorge 2 LSI-TEC, PKI Certification department

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Third-order nonlinearities of some biquadratic monomial Boolean functions

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

A Weak Cipher that Generates the Symmetric Group

Fast Correlation Attacks: an Algorithmic Point of View

Another view of the division property

Improved Linear Distinguishers for SNOW 2.0

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Mixed-integer Programming based Differential and Linear Cryptanalysis

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

A Stochastic Model for Differential Side Channel Cryptanalysis

IIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

New Results in the Linear Cryptanalysis of DES

New Constructions for Resilient and Highly Nonlinear Boolean Functions

Quantum Differential and Linear Cryptanalysis

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Cryptanalysis of the Stream Cipher DECIM

Transcription:

The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1

Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Paper Todo, Leander, and Sasaki [TLS16] at AsiaCrypt 16 Structural attack, breaks SCREAM, iscream and Midori64 (surprise, surprise) 1 in the weak key setting Organisation The paper in 50 words: 1 Overview 2 The Context 3 The Attack 4 The Results 1 Useless L A T E X Fact: Did you know that \time is an anagram of \item? Friedrich Wiemer The Invariant Set Attack 26th January 2017 2

Context or: similar attacks? Linear Statistical Invariant Set Differential Symmetric Cryptanalysis Structural Invariant Subspace Algebraic Slide Friedrich Wiemer The Invariant Set Attack 26th January 2017 3

Context or: similar attacks? Linear Statistical Invariant Set Differential Symmetric Cryptanalysis Structural Invariant Subspace Algebraic Slide Friedrich Wiemer The Invariant Set Attack 26th January 2017 3

Context or: similar attacks? Linear Statistical Invariant Set Differential Symmetric Cryptanalysis Structural Invariant Subspace Algebraic Slide Friedrich Wiemer The Invariant Set Attack 26th January 2017 3

Context or: similar attacks? Linear Statistical Invariant Set Differential Symmetric Cryptanalysis Structural Invariant Subspace Algebraic Slide Friedrich Wiemer The Invariant Set Attack 26th January 2017 3

Linear Cryptanalysis Taking the fun out of it invented by Matsui [Mat93] broke DES together with Differential Cryptanalysis best studied attack on block ciphers Image: http://www.isce2009.ryukoku.ac.jp/eng/keynote_address.html Friedrich Wiemer The Invariant Set Attack 26th January 2017 4

Linear Cryptanalysis Taking the fun out of it Core Idea Given a block cipher E k : F n 2 F n 2, find an input mask α Fn 2 and an output mask β F n 2, s. t. α, x β, E k (x) = c holds with high probability for a constant c. α E k β is called a linear approximation of E k much more to deal with: we have to keep the distribution over k in mind and so on and so forth Friedrich Wiemer The Invariant Set Attack 26th January 2017 4

Invariant Subspace Attack Almost there invented by Leander et al. [Lea+11] broke PRINTCIPHER Illustration F F -1 Image: http://www.lightsec.org/2013/images/gregor_leander.jpg Friedrich Wiemer The Invariant Set Attack 26th January 2017 5

Invariant Subspace Attack Almost there Core Idea Given a block cipher E k : F n 2 F n 2, s. t. E k(x) = E(x k), assume that there exists a subspace U F n 2, s. t. for two constants c, d. E(U c) = U d A key k = u c d is called weak, if u U. For a weak key: E k (U d) = E((U d) (u c d)) = E(U c) = U d. We thus can distinguish encryptions under a weak key. Friedrich Wiemer The Invariant Set Attack 26th January 2017 5

Invariant Set Attack or: Nonlinear Invariant Attack Core Idea Given a block cipher E k : F n 2 F n 2, s. t. E k(x) = E(x k), find an efficiently computable nonlinear Boolean function g : F n 2 F 2, s. t. g(e(x k)) = g(x k) c = g(x) g(k) c (1) for a constant c and many k. g is called nonlinear invariant keys for which Eq (1) holds are called weak keys Friedrich Wiemer The Invariant Set Attack 26th January 2017 6

Invariant Set Attack Step-by-Step Typical block cipher construction: key-alternating function Let F : F n 2 F n 2 and E k 1,k 2,...,k r : F n 2 F n 2 be of the form E k (x) = F( F(x k 1 ) k r ). Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Step-by-Step Notation: we write y 0 = x, y i = F(y i 1 k i ), and thus y r = E k (x). Nonlinear invariant for the round function Assume there exists a nonlinear invariant g for F, s. t. all keys k i are weak. Then: Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Step-by-Step Notation: we write y 0 = x, y i = F(y i 1 k i ), and thus y r = E k (x). Nonlinear invariant for the round function Assume there exists a nonlinear invariant g for F, s. t. all keys k i are weak. Then: g(e k (x)) = g(y r ) Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Step-by-Step Notation: we write y 0 = x, y i = F(y i 1 k i ), and thus y r = E k (x). Nonlinear invariant for the round function Assume there exists a nonlinear invariant g for F, s. t. all keys k i are weak. Then: g(e k (x)) = g(y r ) = g(f(y r 1 k r )) Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Step-by-Step Notation: we write y 0 = x, y i = F(y i 1 k i ), and thus y r = E k (x). Nonlinear invariant for the round function Assume there exists a nonlinear invariant g for F, s. t. all keys k i are weak. Then: g(e k (x)) = g(y r ) = g(f(y r 1 k r )) = g(y r 1 ) g(k r ) c r Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Step-by-Step Notation: we write y 0 = x, y i = F(y i 1 k i ), and thus y r = E k (x). Nonlinear invariant for the round function Assume there exists a nonlinear invariant g for F, s. t. all keys k i are weak. Then: g(e k (x)) = g(y r ) = g(f(y r 1 k r )) = g(y r 1 ) g(k r ) c r. = g(x) r g(k i ) c 1 i=1 Friedrich Wiemer The Invariant Set Attack 26th January 2017 7

Invariant Set Attack Weak Keys It seems quite unlikely that Eq (1) holds for many k? Example nonlinear invariant g : F 4 2 F 2 (x 4, x 3, x 2, x 1 ) x 4 x 3 x 3 x 2 x 1 Friedrich Wiemer The Invariant Set Attack 26th January 2017 8

Invariant Set Attack Weak Keys It seems quite unlikely that Eq (1) holds for many k? Example nonlinear invariant g : F 4 2 F 2 (x 4, x 3, x 2, x 1 ) x 4 x 3 x 3 x 2 x 1 g is nonlinear invariant for key xor and has 4 weak keys: Split g in a nonlinear part f and a linear part l: g(x 4, x 3, x 2, x 1 ) = f(x 4, x 3 ) l(x 2, x 1 ) All k of the form k = (0, 0, k 2, k 1 ) are weak and these are exactly four possible keys. Friedrich Wiemer The Invariant Set Attack 26th January 2017 8

Results Attack Complexities # Weak k max. # Recovered Bits SCREAM 2 96 32 bits iscream 2 96 32 bits Midori64 2 64 32h bits Data Complexity Time Complexity SCREAM 33 ciphertexts 32 3 iscream 33 ciphertexts 32 3 Midori64 33h ciphertexts 32 3 h Friedrich Wiemer The Invariant Set Attack 26th January 2017 9

Questions? Thank you for your attention! Mainboard & Questionmark Images: flickr Friedrich Wiemer The Invariant Set Attack 26th January 2017 10

References I [Lea+11] G. Leander, M. A. Abdelraheem, H. AlKhzaimi, and E. Zenner. A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack. In: CRYPTO. Vol. 6841. LNCS. Springer, 2011, pp. 206 221. [Mat93] M. Matsui. Linear Cryptanalysis Method for DES Cipher. In: EUROCRYPT. Vol. 765. LNCS. Springer, 1993, pp. 386 397. [TLS16] Y. Todo, G. Leander, and Y. Sasaki. Nonlinear Invariant Attack - Practical Attack on Full SCREAM, iscream, and Midori64. In: ASIACRYPT (2). Vol. 10032. LNCS. 2016, pp. 3 33. Friedrich Wiemer The Invariant Set Attack 26th January 2017 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback