Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Similar documents
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Human-readable Proof of the Related-Key Security of AES-128

Complementing Feistel Ciphers

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Subspace Trail Cryptanalysis and its Applications to AES

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Linear Cryptanalysis

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction to Symmetric Cryptography

Analysis of AES, SKINNY, and Others with Constraint Programming

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Type 1.x Generalized Feistel Structures

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Lecture 12: Block ciphers

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

The Hash Function JH 1

Mixed-integer Programming based Differential and Linear Cryptanalysis

Cryptanalysis of the SIMON Family of Block Ciphers

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Revisiting AES Related-Key Differential Attacks with Constraint Programming

Fast Lattice-Based Encryption: Stretching SPRING

Some attacks against block ciphers

Cube Attacks on Stream Ciphers Based on Division Property

Quantum Differential and Linear Cryptanalysis

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Module 2 Advanced Symmetric Ciphers

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Improbable Differential Cryptanalysis and Undisturbed Bits

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Data Complexity and Success Probability for Various Cryptanalyses

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

FFT-Based Key Recovery for the Integral Attack

Impossible Differential Cryptanalysis of Reduced-Round SKINNY

Differential-Linear Cryptanalysis of Serpent

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Block Cipher Cryptanalysis: An Overview

How Fast can be Algebraic Attacks on Block Ciphers?

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Public-key Cryptography: Theory and Practice

Practical Free-Start Collision Attacks on full SHA-1

Revisiting AES Related-Key Differential Attacks with Constraint Programming

New Attacks against Standardized MACs

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Recovering Private Keys Generated With Weak PRNGs

Impossible Differential Attacks on 13-Round CLEFIA-128

The Improbable Differential Attack. Cryptanalysis of Reduced Round CLEFIA

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics

Etude d hypothèses algorithmiques et attaques de primitives cryptographiques

On related-key attacks and KASUMI: the case of A5/3

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Lecture 4: DES and block ciphers

New Birthday Attacks on Some MACs Based on Block Ciphers

Block Ciphers and Systems of Quadratic Equations

Building Secure Block Ciphers on Generic Attacks Assumptions

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Practical Free-Start Collision Attacks on 76-step SHA-1

Akelarre. Akelarre 1

Solution of Exercise Sheet 7

Differential Analaysis of Block Ciphers SIMON and SPECK

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Invariant Subspace Attack Against Full Midori64

Linear Cryptanalysis of Reduced-Round Speck

EME : extending EME to handle arbitrary-length messages with associated data

Security of the AES with a Secret S-box

Rebound Attack on Reduced-Round Versions of JH

Block Ciphers that are Easier to Mask: How Far Can we Go?

Towards Provable Security of Substitution-Permutation Encryption Networks

Zero-Sum Partitions of PHOTON Permutations

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Symmetric Crypto Systems

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Extended Criterion for Absence of Fixed Points

Specification on a Block Cipher : Hierocrypt L1

New attacks on Keccak-224 and Keccak-256

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Efficient and Provable White-Box Primitives

Automatic Search of Attacks on round-reduced AES and Applications

Block Ciphers and Feistel cipher

Algebraic Techniques in Differential Cryptanalysis

Symmetric Crypto Systems

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications

Transcription:

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang Technological University, Singapore CRYPTO 2013 August 19, 2013 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 1/18

Block Ciphers Iterated SPN Block Ciphers Internal Permutation : f Number of Iterations : r SPN : f = P S applies Substitution (S) and Permutation (P) layers. Secret Key : k Key Scheduling Algorithm : k (k 0,..., k r ) Ex : AES, PRESENT, SQUARE, Serpent, etc. k Key Scheduling Algorithm k 0 k 1 k r 1 k r s 0 f... s f s r+1 1 s r CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 2/18

Differentials and Differential Characteristics Differential Characteristics Used in differential cryptanalysis Sequence of differences at each round for an iterated primitive The success probability of a differential attack depends on the differential with maximal differential probability p. Example : 4-round AES 1R 1R 1R 1R Difference No difference 4-round characteristic with 25 active S-Boxes (minimal). AES S-Box : p max = 2 6. Differential probability : p 2 6 25 = 2 150. CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 3/18

AES Design of the AES AES Permutation : structurally bounded diffusion for any rounds Provably resistant to non-rk differential attacks Ad-hoc key schedule = RK Attacks [BKN-C09], [BK-A09], [BN-E10]. Minimal Number of Active S-Boxes for AES Rounds 1 2 3 4 5 6 7 8 9 10 min 1 5 9 25 26 30 34 50 51 55 Question : Similar numbers for AES structure in the RK model? CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 4/18

Our Contributions We propose an algorithm finding all the smallest RK characteristics It improves previous works : runs in time linear in the number of rounds We focus on AES-128 We provide a distinguisher for 9-round AES-128 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 5/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Tree Example p j i def = P( i j ) Traverse a tree of depth 2 for 2R Pruning possible (A optim.) CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Pruning possible (A optim.) Tree Example p 2 1 p j i def = P( i j ) 2 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Tree Example p j i def = P( i j ) 2 p 4 2 p 6 2 4 6 Pruning possible (A optim.) p 2 1 p 1 2 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Pruning possible (A optim.) Tree Example p 2 1 p 3 1 p j i def = P( i j ) 2 p 4 2 p 6 2 p 1 2 p 1 3 3 7 p 7 3 4 6 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Pruning possible (A optim.) Tree Example p 2 1 p 3 1 p j i def = P( i j ) 2 p 4 2 p 6 2 p 1 2 p 1 3 3 7 p 7 3 4 6 p 4 1 4 4 p 4 4 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Pruning possible (A optim.) Tree Example p 2 1 p 3 1 p j i def = P( i j ) 2 p 4 2 p 6 2 p 1 2 p 1 3 3 7 p 7 3 4 6 p 4 1 4 4 p 4 4 p 5 1 p 8 5 8 5 p 9 5 9 p 1 5 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (1/2) Matsui s Algorithm (e.g., for DES) Pros Works by induction : derive best n-round char. from best chars. on 1,..., n 1 rounds Compute best char. for 1R Traverse a tree of depth 2 for 2R Pruning possible (A optim.) Very efficient on DES Tree Example p 2 1 p 3 1 p j i def = P( i j ) 2 p 4 2 p 6 2 p 1 2 p 1 3 3 7 p 7 3 4 6 Drawbacks Rely on non-equivalent differential probabilities Need for dominant characteristic(s) Poor performances for AES Differences visited several times p 5 1 p 4 1 4 4 p 4 4 5 p 8 5 p 9 5 p 1 5 8 9 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 6/18

Existing Algorithms (2/2) Biryukov-Nikolic [BN-E10] Adapt Matsui s algorithm Different algos for several Tree Example p j i def = P( i j ) p 4 2 4 Pros 2 p 6 2 6 No need for a predominant char. Switch to truncated differences = less edges Representation of trunc. differences = handle branching in the Work on AES p 5 1 p 2 1 p 3 1 p 4 1 p 1 2 p 1 3 3 7 p 7 3 4 4 p 4 4 Cons Differences visited several times 5 p 8 5 p 9 5 8 9 Nodes visited exponential in the number of rounds p 1 5 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 7/18

Our Algorithm Algorithm Switch to a graph representation Graph Example 2 4 6 3 4 7 8 5 9 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 8/18

Our Algorithm Algorithm Switch to a graph representation Merge equal diff. of the same round Graph Example 2 4 6 3 4 7 8 5 9 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 8/18

Our Algorithm Algorithm Switch to a graph representation Merge equal diff. of the same round Graph traversal similar as Dijkstra Dynamic programming approach Graph Example 2 4 6 3 4 7 8 5 9 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 8/18

Our Algorithm Algorithm Switch to a graph representation Merge equal diff. of the same round Graph traversal similar as Dijkstra Dynamic programming approach Pros Path search seen as Markov process Each difference in each round is visited only once Numbers of nodes and edges are linear in the number of rounds A optimization still applies Notes Only partial information propagated Need to adapt the Markov process Graph Example 2 3 4 5 4 6 7 8 9 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 8/18

Different Levels of Analysis Truncated Differences Basic Markov process Apply to any SPN cipher : we focus on AES-like ciphers Provide a structural evaluation of the cipher in regard to RK attacks For AES, similar results as the seminal work [DR-02] (for non-rk) Actual Differences Enhanced Markov process : More complete representation of differences Add information for local system resolutions Need to be adapted to a particular cipher For AES, recover all the truncated results from [BN-E10] Full instantiation of characteristics while maximizing its probability Running time linear in the number of rounds In reality : Mixing the two concepts CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 9/18

Application to the Structure of AES-128 Structural Analysis We ignore the semantic definition of the S-Box and the MDS matrix We count the number of active S-Boxes (truncated differences) Do not apply to AES-128 with the instantiated S and P Give an estimation of the structural quality of the AES family Related-Key Model (XOR difference of the keys) Rounds 1 2 3 4 5 6 7 8 9 10 min 0 1 3 9 11 13 15 21 23 25 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 10/18

Impossibility Results for the Structure of AES-128 (1/2) There exists a characteristic on 10 rounds with only 25 active S-Boxes = best RK differential attack in p 25 max computations. Result 1 It is impossible to prove the security of the full AES-128 against related-key differential attacks without considering the differential property of the S-Box. Notes With a random S-Box, p 25 max might be smaller than 2 128 = when p max 2 5 AES structure on its own not enough for RK security For a specified S-Box with bounded p max 2 6 = security against RK attacks CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 11/18

Impossibility Results for the Structure of AES-128 (2/2) There exists a characteristic on 8 rounds with only 21 active S-Boxes = best RK differential attack in p 21 max computations. Result 2 Notes It is impossible to prove the security of 8-round AES-128 against related-key differential attacks without considering both the differential property of the S-Box and the P layer. With a random S-Box, same reason as before For a specified S-Box with bounded p max 2 6 : Best attack might be 2 6 21 = 2 126 2 128 For AES, we have exhausted all the possible attacks, no valid one P layer and introduce linear dependencies in the characteristic P can be chosen such that there is/isn t solutions CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 12/18

Related-Key attacks on AES-128 RK attacks against AES-128 After 6 rounds, there is no RK characteristic for AES-128 with a probability greater than 2 128. For 1,..., 5 rounds, our algorithm has found the best characteristics Same truncated characteristics as [BN-E10] Best instantiations of differences : maximal probabilities. Best RK attacks on AES-128 Rounds 1 2 3 4 5 #S-Boxes 0 1 5 13 17 [BN-E10] 0-6 -30-78 -102 max log 2 (p) 0-6 -31-81 -105 CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 13/18

Distinguishing model [KR-A07, BKN-C09] Solve Open-Problem We can use the best 5-round characteristic to construct a chosen-key distinguisher for 9-round AES-128. Let E k be the 9-round AES-128 block cipher using key k. Limited Birthday Problem [GP-FSE10] Given find a fully instantiated difference δ in the key, a partially instantiated difference IN in the plaintext, a partially instantiated difference OUT in the ciphertext, a key k, a pair of messages (m, m ), such that : m m IN and : E k (m) E k δ (m ) OUT. CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 14/18

9-Round characteristic for AES-128 Construction of the characteristic Take the best 5-round characteristic for AES-128 we have found. IN δ AK0 1 2 3 SR MC AK1 SR MC AK2 SR S start S start MC AK3 4 5 6 SR MC AK4 SR MC AK5 SR S end MC AK6 7 8 9 SR MC AK7 SR MC AK8 SR MC AK9 OUT CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 15/18

9-Round characteristic for AES-128 Construction of the characteristic Prepend three rounds to be controlled by the Superox technique. IN δ AK0 AK3 AK6 Controlled by Superox 1 2 3 SR MC AK1 SR MC AK2 SR S start S start 4 5 6 SR MC AK4 SR MC AK5 SR MC S end 7 8 9 SR MC AK7 SR MC AK8 SR MC AK9 MC OUT CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 15/18

9-Round characteristic for AES-128 Construction of the characteristic Prepend one other round, as inactive as possible. IN δ AK0 AK3 AK6 Controlled by Superox 1 2 3 SR MC AK1 SR MC AK2 SR S start S start 4 5 6 SR MC AK4 SR MC AK5 SR MC S end 7 8 9 SR MC AK7 SR MC AK8 SR MC AK9 MC OUT CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 15/18

9-Round CK Distinguisher for AES-128 IN δ AK0 AK3 AK6 1 2 3 SR MC AK1 SR MC AK2 SR S start S start 4 5 6 SR MC AK4 SR MC AK5 SR MC S end 7 8 9 SR MC AK7 SR MC AK8 SR MC AK9 MC Controlled by Superox OUT Distinguishing algorithm Generate a valid pair of keys (about 2 27 of them, since P = 2 101 ) Store the ith Superox from S start to S end in T i For all 5 differences at S start, check the tables and : Check backward direction : p = 2 7 (a single S-Box) Check forward direction : p = 2 6 8 = 2 48 (6 S-Boxes) CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 16/18

Time complexity Complexity of the distinguishing algorithm Check probability : 2 7 48 = 2 55 Time complexity : 2 15 (2 32 + 2 40 ) 2 55 computations For 2 15 different pairs of keys : Construct the Superoxes in 2 32 operations Try all values for the 5 byte-differences in 2 40 operations Generic time complexity Limited-Birthday Problem [GP-FSE10] Input space ( IN ) of size 4 8 + 7 = 39 bits Output space ( OUT ) of size 3 7 = 21 bits Time complexity : 2 68 encryptions CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 17/18

Conclusion New algorithm for SPN ciphers Graph-based approach : Dijkstra and A optimization Search the best truncated differential characteristics Instantiation = best differential characteristics Time complexity linear in the number of rounds considered Applications to the structure of AES-128 : Impossibility results for related-key attacks Impossibility results for the hash function setting Chosen-key distinguisher for 9-rounds AES-128 Solve open problem Time Complexity : 2 55 encryptions Generic Complexity : 2 68 encryptions More details in the paper and its extended version (eprint/2013/366) CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 18/18

Conclusion New algorithm for SPN ciphers Graph-based approach : Dijkstra and A optimization Search the best truncated differential characteristics Instantiation = best differential characteristics Time complexity linear in the number of rounds considered Applications to the structure of AES-128 : Impossibility results for related-key attacks Impossibility results for the hash function setting Chosen-key distinguisher for 9-rounds AES-128 Solve open problem Time Complexity : 2 55 encryptions Generic Complexity : 2 68 encryptions More details in the paper and its extended version (eprint/2013/366) Thank you! Thanks to the organizing committee and sponsors for waiving my registration fee. CRYPTO 13 P-A. Fouque, J. Jean, T. Peyrin Structural Evaluation of AES and CK Dist. of 9R AES-128 18/18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback