New Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers
1 New Impossible Differential Search Tool from Design and Cryptanalysis Aspects -- Revealing Structural Properties of Several Ciphers. Yu Sasaki and Yosuke Todo. Eurocrypt, May 2017.
2 Impossible Differential (ID). The impossible differential attack was proposed by Knudsen and by Biham et al. [Figure: ΔP -> subkey guess -> Δin -> ... -> Δout -> subkey guess -> ΔC.] When the input difference is Δin, it is impossible for the output difference to be Δout. Guess subkeys in the first and last several rounds. If the guessed subkeys lead to (Δin, Δout), the guessed subkeys are incorrect.
3 Contribution of our works. New MILP-based ID search tool. From the cryptanalysis aspect:
Target    | Previous | Ours | Search Mode     | Remarks
Midori    | 6        | 7    | specific S-box  |
Lilliput  | 8        | 9    | specific S-box  |
Minalpher |          |      | arbitrary S-box |
ARIA      | 4        | 4    | arbitrary S-box | improve key recovery
MIBS      | 8        | 8    | specific S-box  | new ID
From the design-tool aspect: provable security on a specific pair of differences under the subkey-uniform assumption; detect the optimality of the S-box choice.
4 New Method to Find ID
5 General Method to Find ID. U-method by Kim et al. For all (Δi, Δo) and r: 1. Propagate Δi forwards to record active or inactive bits with Pr. = 1. 2. Propagate Δo backwards to record active or inactive bits with Pr. = 1. 3. Find a contradiction. [Figure: Δi^1, Δi^2, Δi^3, ..., Δi^r propagated forwards through rounds 1 to 5, and Δo^1, Δo^2, Δo^3, ..., Δo^r propagated backwards.] More extensions exist, e.g. the UID-method.
6 Mixed Integer Linear Programming (MILP). MILP is an optimization or feasibility program in which variables are restricted to integers. The model M consists of variables M.var, constraints M.con, and an objective M.obj. M.var: x, y, z (binary). M.con: x + 2y + 3z <= 4, x + y >= 1. M.obj: Maximize x + y + 2z. The solution of M is 3, at (x, y, z) = (1, 0, 1).
7 Cryptanalysis Applications. MILP was first introduced by Mouha et al. to guarantee a lower bound on the number of active S-boxes. Several follow-up works: tight differential (linear) characteristics; differential and linear hulls; integral attacks via the division property; zero-correlation linear; impossible differential (New).
8 How to model block ciphers. [Figure: state differences X0 -F-> X1 -F-> X2 -> ... -F-> XR. The Xi are the variables M.var; each round function F contributes constraints M.con.]
9 How to model block ciphers. Simple example with a toy cipher. [Figure: three 3-bit S-boxes map (x1, x2, x3), (x4, x5, x6), (x7, x8, x9) to (y1, y2, y3), (y4, y5, y6), (y7, y8, y9); a layer of XORs then produces z1, ..., z9.] Every value is an M.var which takes 0 or 1: 0 means inactive, and 1 means active.
10 How to model block ciphers. Model the DDT of the S-box. Rows are input differences (x1 x2 x3), columns are output differences (y1 y2 y3); * marks a possible propagation, a blank an impossible one (the entries are recovered from the 8 inequalities of slide 14, which remove exactly the impossible propagations).
 x1x2x3 \ y1y2y3   000 001 010 011 100 101 110 111
 000                *
 001                    *               *
 010                    *           *
 011                                *   *
 100                        *   *           *   *
 101                        *   *           *   *
 110                        *   *           *   *
 111                        *   *           *   *
11 How to model block ciphers. Model the DDT of the S-box (same table). -x1+y2>=0: 16 propagations become infeasible by 1 constraint.
12 How to model block ciphers. Model the DDT of the S-box (same table). -x1+y2>=0, x1-y2>=0: another 16 propagations become infeasible by 1 constraint. In total, 32 propagations are removed.
13 How to model block ciphers. Model the DDT of the S-box (same table). -x1+y2>=0, x1-y2>=0, x1+x2+x3-y3>=0: 4 propagations become infeasible by 1 constraint (2 of them were already removed by the first two). In total, 34 propagations are removed.
14 How to model block ciphers. Model the DDT of the S-box (same table). -x1+y2>=0, x1-y2>=0, x1+x2+x3-y3>=0, x1-x2+x3-y1-y3>=-2, x2-x3+y2+y3>=0, x2-y1+y2+y3>=0, -x2+y1+y2+y3>=0, -x2-x3+y1+y2>=-1. These remove all 41 impossible propagations: 8 constraints are enough to remove every impossible propagation.
15 How to model block ciphers. Model XOR: z1 = y1 XOR y7. The impossible triples (y1, y7, z1) are (0,0,1), removed by y1+y7-z1>=0; (0,1,0), removed by y1-y7+z1>=0; (1,0,0), removed by -y1+y7+z1>=0; and (1,1,1), removed by -y1-y7-z1>=-2. 4 constraints are enough to remove all impossible propagations.
16 How to model block ciphers. Simple example with the toy cipher (three 3-bit S-boxes followed by nine XORs). The number of constraints is (3*8)+(9*4)=24+36=60.
17 How to Search ID. [Figure: X0 (fixed) -F-> X1 -F-> X2 -> ... -F-> XR (fixed).] The technique is very simple. The input and output differences are fixed to specific values, and the MILP search decides whether or not there is a propagation from the input difference to the output difference. If the MILP model is infeasible, the pair is impossible. Advantages of our tool: it can look inside the S-box (DDT); we don't need to care about the reason for the contradiction; the MILP model can be shared with the differential characteristic search.
18 New results from a cryptanalysis aspect Application to Midori128
19 Midori128. Proposed at Asiacrypt 2015 by Banik et al. The previous impossible differential is 6 rounds. Our tool found 7-round IDs. They exploit the structure of the 8-bit S-boxes (SSb) well. We also manually verified the IDs. [Figure: Midori128 round: SSb, ShiftRow-like cell shuffle, MixColumn.]
20 8-Bit S-box in Midori128. [Figure: the four 8-bit S-boxes SSb_i, each built around two copies of the 4-bit S-box Sb_1.] Four 8-bit S-boxes are constructed from two 4-bit S-boxes: 1. Apply the bit permutation p_i. 2. Apply an involutional 4-bit S-box in parallel. 3. Apply the bit permutation p_i^{-1}.
21 Preserved Active-Bit Positions. Active-bit positions are preserved because of the involution structure of the 8-bit S-boxes. [Figure: active bits (*) entering the two Sb_1 copies leave at the same positions.]
22-23 Illustration of New ID on Midori128. [Figure, over two slides: the 7-round ID traced through SubCell, ShuffleCell, MixColumn, KeyAdd in each round; byte-difference patterns of the form (*,*,0,0,0,0,*,*) and (0,0,*,*,*,*,0,0); legend: inactive, active, unknown (*); the contradiction appears at Sb_1 in the middle rounds.]
24 New results from a cryptanalysis aspect Application to Lilliput
25 Extended GFN and LILLIPUT. Extended GFN (EGFN) by Berger et al. XORs some branches to others. LILLIPUT is an instantiation of EGFN. The previous impossible differential is 8 rounds. Our tool found 9-round IDs. [Figure: EGFN round: non-linear layer F, linear layer L, block-shuffle permutation layer P.]
26 LILLIPUT Specification. 64-bit block, 30 rounds. [Figure: 16 nibble branches X15, ..., X0, round key RK, layers F, L, P.] π: 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7
27 New IDs on 9-round LILLIPUT. Previous IDs are straightforward. Our IDs exploit the DDT. (α, 0) -> 9 rounds -> (0, α) is impossible for α in {2, 3, 8, 9, e, f}.
28 Illustration of 9-round ID. [Figure only.]
29 Analysis of Rounds 1 and 2. [Figure: differences α and β traced through rounds 1 and 2 with π = 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7, giving condition (1) relating α and β.]
30-37 Analysis of Rounds 4 and 5 (α = 9). [Figure, built up over eight slides: differences α and β traced through rounds 4 and 5, giving a second condition (2) relating α and β.] When α = 9, there is no β satisfying both (1) and (2).
38 New results from a design aspect
39 Provable Security. Assumptions: round keys are always XORed before the S-box; round keys are chosen uniformly at random. Observation: there is a subkey for which the propagation is possible. The linear layer can be perfectly simulated by MILP. It implies that if our tool shows a propagation is possible, there are subkeys for which the propagation is possible.
40 Summary of Results. [Table: per cipher, the number of rounds (#Rounds) for which there is no impossible differential.]
41 Arbitrary S-box. The number of inequalities needed to represent an 8-bit S-box is too large; it is difficult to solve such a big MILP. An arbitrary S-box is a reasonable solution. [Table: propagation pattern of an arbitrary 3-bit S-box: 000 -> 000 only; every nonzero input difference -> every nonzero output difference.] -x1+x2+x3+y1+y2+y3>=0, x1-x2+x3+y1+y2+y3>=0, x1+x2-x3+y1+y2+y3>=0, x1+x2+x3-y1+y2+y3>=0, x1+x2+x3+y1-y2+y3>=0, x1+x2+x3+y1+y2-y3>=0. Only 2n inequalities are enough to represent an n-bit arbitrary S-box.
42 Detect the optimality of the S-box. Situation: the linear layer of the block cipher was already designed, but the design of the S-box is ongoing. We can check the existence of IDs before the concrete design of the S-box. If we find an ID with an arbitrary S-box, such IDs are never avoidable even if the S-box is modified. If the IDs with the specific S-box are the same as those with an arbitrary S-box, we can conclude that the choice of the S-box is optimal from the aspect of ID attacks.
43 Summary of Results. Midori128: there are 8-round IDs even if Sb1 is regarded as an arbitrary S-box; the choice of S-box is optimal. Lilliput: there are round IDs with the specific S-box, and there are round IDs with an arbitrary S-box; the choice of S-box is not optimal, but it is reasonable because the number of rounds does not change.
44 Conclusion. New ID search tool based on MILP: the impossibility of the propagation from a specific input difference to a specific output difference is detected; the DDT of the S-box is well exploited; we don't need to care about the reason for the contradiction. Cryptanalysis aspects: new IDs on Midori, Lilliput, ARIA, Minalpher, MIBS. Design aspects: provable security under a reasonable assumption; detecting the optimality of the S-box choice using an arbitrary S-box.
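The following is an added worked example, not code from the slides or from the authors' tool. It builds the bit-level model of the toy cipher from slides 9-17 (three 3-bit S-boxes and an XOR layer), replays the constraint-by-constraint accounting of slides 11-14, checks the XOR model of slide 15, runs the fixed-input/fixed-output ID check of slide 17, and contrasts the specific-S-box model with an arbitrary-S-box model as on slides 41-42. Assumptions: the S-box's possible transitions are taken to be exactly the (x, y) pairs allowed by the 8 inequalities on slide 14 (the slides never show the S-box itself); the XOR layer is z_i = y_i XOR y_{i+6 mod 9}, generalising the single XOR z1 = y1 XOR y7 on slide 15 (a toy layer chosen for illustration, not a cipher component); the arbitrary S-box is encoded with the 2n inequalities x_i <= y1+...+yn and y_i <= x1+...+xn, which capture the "zero in if and only if zero out" pattern of slide 41; and feasibility is decided by exhaustive enumeration instead of an MILP solver, since the model has only a few hundred bit variables.

```python
"""Bit-level model of the 9-bit toy cipher from slides 9-17 and the ID check
of slide 17, with the specific-S-box model (the 8 inequalities of slide 14)
and an arbitrary-S-box model in the sense of slide 41.  Feasibility is decided
by exhaustive enumeration (the model is tiny) rather than by an MILP solver,
but the constraints are exactly the ones an MILP model would carry."""
from itertools import product

N = 3  # S-box width in bits

# Slide 14: the 8 inequalities over (x1, x2, x3, y1, y2, y3); each is sum(c*v) >= rhs.
# The slides never give the S-box itself; its DDT-possible transitions are
# reconstructed here as the set of (x, y) that satisfy all 8 inequalities.
SBOX_INEQS = [
    ((-1, 0, 0, 0, 1, 0), 0), ((1, 0, 0, 0, -1, 0), 0),
    ((1, 1, 1, 0, 0, -1), 0), ((1, -1, 1, -1, 0, -1), -2),
    ((0, 1, -1, 0, 1, 1), 0), ((0, 1, 0, -1, 1, 1), 0),
    ((0, -1, 0, 1, 1, 1), 0), ((0, -1, -1, 1, 1, 0), -1),
]
# Arbitrary n-bit S-box (slide 41): zero input <=> zero output, everything
# else allowed.  Assumed encoding: x_i <= y1+..+yn and y_i <= x1+..+xn (2n inequalities).
ARB_INEQS = (
    [(tuple(-1 if j == i else 0 for j in range(N)) + (1,) * N, 0) for i in range(N)]
    + [((1,) * N + tuple(-1 if j == i else 0 for j in range(N)), 0) for i in range(N)]
)
# Slide 15: c = a XOR b as 4 inequalities over (a, b, c).
XOR_INEQS = [((1, 1, -1), 0), ((1, -1, 1), 0), ((-1, 1, 1), 0), ((-1, -1, -1), -2)]


def holds(ineq, v):
    coeffs, rhs = ineq
    return sum(c * vi for c, vi in zip(coeffs, v)) >= rhs


def transitions(ineqs):
    """All (x, y) difference pairs of an n-bit S-box allowed by the inequalities."""
    return {(x, y) for x in product((0, 1), repeat=N) for y in product((0, 1), repeat=N)
            if all(holds(q, x + y) for q in ineqs)}


def cut_accounting(ineqs):
    """Slides 11-14: (pairs cut by this inequality, pairs cut so far), per inequality."""
    removed, rows = set(), []
    for q in ineqs:
        cut = {p for p in product((0, 1), repeat=2 * N) if not holds(q, p)}
        removed |= cut
        rows.append((len(cut), len(removed)))
    return rows


def xor_model_is_exact():
    """The 4 XOR inequalities keep exactly the triples with c == a ^ b."""
    kept = {t for t in product((0, 1), repeat=3) if all(holds(q, t) for q in XOR_INEQS)}
    return kept == {(a, b, a ^ b) for a in (0, 1) for b in (0, 1)}


def round_outputs(diff, sbox):
    """One toy round on a 9-bit difference: S-boxes on (x1..x3), (x4..x6), (x7..x9),
    then the assumed XOR layer z_i = y_i ^ y_{i+6 mod 9} (slide 15 shows z1 = y1 ^ y7)."""
    per_box = [{y for (x, y) in sbox if x == diff[3 * j:3 * j + 3]} for j in range(3)]
    for y0, y1, y2 in product(*per_box):
        y = y0 + y1 + y2
        yield tuple(y[i] ^ y[(i + 6) % 9] for i in range(9))


def reachable(din, rounds, sbox):
    """Every output difference that some nonzero-probability characteristic reaches."""
    cur = {din}
    for _ in range(rounds):
        cur = {z for d in cur for z in round_outputs(d, sbox)}
    return cur


def is_impossible(din, dout, rounds, sbox):
    """Slide 17: (din, dout) is an ID iff no propagation from din to dout is feasible."""
    return dout not in reachable(din, rounds, sbox)


def single_bit_ids(rounds, sbox):
    """All IDs (din, dout) whose input difference has a single active bit."""
    ids = set()
    for i in range(9):
        din = tuple(int(k == i) for k in range(9))
        reach = reachable(din, rounds, sbox)
        ids |= {(din, dout) for dout in product((0, 1), repeat=9) if dout not in reach}
    return ids


SPECIFIC = transitions(SBOX_INEQS)   # 23 possible transitions, 41 impossible
ARBITRARY = transitions(ARB_INEQS)   # 1 + 7*7 = 50 possible transitions

if __name__ == "__main__":
    print("cut accounting (cut, running total):", cut_accounting(SBOX_INEQS))
    din = (1, 0, 0, 0, 0, 0, 0, 0, 0)
    dout = (0, 0, 1, 0, 0, 1, 0, 0, 0)
    for name, sbox in (("specific", SPECIFIC), ("arbitrary", ARBITRARY)):
        print(name, "S-box: 1-round ID?", is_impossible(din, dout, 1, sbox))
    # Slide 42: IDs found with the arbitrary S-box survive any choice of S-box.
    print("arbitrary IDs subset of specific IDs:",
          single_bit_ids(2, ARBITRARY) <= single_bit_ids(2, SPECIFIC))
```

The single-bit pair (1,0,0,...) -> (0,0,1,0,0,1,0,0,0) is an ID under the specific S-box only because its DDT forces y2 = 1 for input difference 100, which the arbitrary model cannot see; that is the "can look inside the S-box" advantage of slide 17, while the subset check at the end is the argument of slide 42 that IDs found under the arbitrary model are unavoidable whatever S-box is chosen.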
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationAgenda. Understanding advanced modeling techniques takes some time and experience No exercises today Ask questions!
Modeling 2 Agenda Understanding advanced modeling techniques takes some time and experience No exercises today Ask questions! Part 1: Overview of selected modeling techniques Background Range constraints
More informationWeak Keys. References
Weak Keys The strength of the encryption function E K (P) may differ significantly for different keys K. If for some set WK of keys the encryption function is much weaker than for the others this set is
More informationImproved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities
Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities Achiya Bar-On 1, Orr Dunkelman 2, Nathan Keller 1, Eyal Ronen 3, and Adi Shamir 3 1 Department of Mathematics,
More informationJordan University of Science and Technology
Jordan University of Science and Technology Cryptography and Network Security - CPE 542 Homework #III Handed to: Dr. Lo'ai Tawalbeh By: Ahmed Saleh Shatnawi 20012171020 On: 8/11/2005 Review Questions RQ3.3
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationImproved Integral Attacks on MISTY1
Improved Integral Attacks on MISTY1 Xiaorui Sun Xuejia Lai Abstract We present several integral attacks on MISTY1 using the F O Relation, which is derived from Sakurai-Zheng Property used in previous attacks.
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationHeuristics in MILP. Group 1 D. Assouline, N. Molyneaux, B. Morén. Supervisors: Michel Bierlaire, Andrea Lodi. Zinal 2017 Winter School
Heuristics in MILP Group 1 D. Assouline, N. Molyneaux, B. Morén Supervisors: Michel Bierlaire, Andrea Lodi Zinal 2017 Winter School 0 / 23 Primal heuristics Original paper: Fischetti, M. and Lodi, A. (2011).
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More information