Add to collection(s) Add to saved
  1. Math

Slide - FSE 2014

advertisement 
Probabilistic Slide Cryptanalysis and Its
Applications to LED-64 and Zorro
Hadi Soleimany
Department of Information and Computer Science,
Aalto University School of Science, Finland
FSE 2014
1 / 21
Outline
Introduction
Slide Cryptanalysis
Even-Mansour Scheme with a Single Key
Probabilistic Slide Cryptanalysis
Applications on LED-64 and Zorro
Conclusion
2 / 21
Introduction
Slide Cryptanalysis
Even-Mansour Scheme with a Single Key
Probabilistic Slide Cryptanalysis
Applications on LED-64 and Zorro
Conclusion
3 / 21
Iterated Block Cipher
Block cipher:
EK (P) : {0, 1}k × {0, 1}n → {0, 1}n
Iterated block cipher:
P
Rk1
Rk2
Rk3
Rk4
···
Rkn−1
Rkn
C
C = Rkn ◦ · · · ◦ Rk2 ◦ Rk1 (P)
4 / 21
Iterated Block Cipher with Periodic Subkeys
P
Rk1
···
Rkm
Rk1
···
Rkm
···
Rk1
···
Rkm
C
5 / 21
Iterated Block Cipher with Periodic Subkeys
Rk1
···
Rkm
Rk1
···
Rkm
···
Rk1
···
Rkm
C
{
{
{
P
Fk
I
Fk
Fk
The cipher can be presented as a cascade of identical
functions Fk .
5 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
C0
6 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
C0
P 0 = Fk (P)
6 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
P 0 = Fk (P)
=⇒
C 0 = Fk (C)
C0
(Slid pair)
6 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
P 0 = Fk (P)
Pr[P 0 = Fk (P)] = 2−n
=⇒
C 0 = Fk (C)
C0
(Slid pair)
Pr[C = Fk−1 (C 0 ), P 0 = Fk (P)] = 2−n > 2−2n
=⇒ 2n pairs ((P, C), (P 0 , C 0 )) are expected to find a slid pair.
6 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
P 0 = Fk (P)
Pr[P 0 = Fk (P)] = 2−n
=⇒
C 0 = Fk (C)
C0
(Slid pair)
Pr[C = Fk−1 (C 0 ), P 0 = Fk (P)] = 2−n > 2−2n
=⇒ 2n pairs ((P, C), (P 0 , C 0 )) are expected to find a slid pair.
Typical countermeasures: Key-schedule or round constants.
6 / 21
Slide Cryptanalysis [Biryukov Wagner 99]
P
Fk
Fk
···
Fk
Fk
C
P0
Fk
Fk
···
Fk
Fk
P 0 = Fk (P)
Pr[P 0 = Fk (P)] = 2−n
=⇒
C 0 = Fk (C)
C0
(Slid pair)
Pr[C = Fk−1 (C 0 ), P 0 = Fk (P)] = 2−n > 2−2n
=⇒ 2n pairs ((P, C), (P 0 , C 0 )) are expected to find a slid pair.
Typical countermeasures: Key-schedule or round constants.
This Work:
Probabilistic technique to overcome round constants in block
ciphers based on the Even-Mansour scheme with a single key.
6 / 21
Even-Mansour Scheme with a Single Key
K
P
K
F1
K
···
K
Fi
K
···
K
Fs
C
7 / 21
Even-Mansour Scheme with a Single Key
K
K
F1
P
K
···
RRCj
K
···
Fi
RRCj+1
K
···
K
Fs
C
RRCj+m
Known as Step
I
Block ciphers like LED-64, PRINCEcore , Zorro and
PRINTcipher.
7 / 21
LED-64
AddConstants
⊕
⊕
⊕
⊕
⊕
⊕
⊕
⊕
SubCells
S
S
S
S
S
S
S
S
S
S
S
S
ShiftRows
MixColumns
S
S
S
S
I
Presented at CHES 2011 [Guo et al 11]
I
64-bit block cipher and supports 64-bit key
I
6 steps
I
Each step consists of four rounds.
8 / 21
Zorro
SubCells
AddConstants
S S S S
⊕⊕⊕⊕
ShiftRows
MixColumns
I
Presented at CHES 2013 [Gérard et al 13]
I
128-bit block cipher and supports 128-bit key
I
6 steps
I
Each step consists of four rounds
9 / 21
Introduction
Slide Cryptanalysis
Even-Mansour Scheme with a Single Key
Probabilistic Slide Cryptanalysis
Applications on LED-64 and Zorro
Conclusion
10 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
But it is limited to the ciphers with identical rounds.
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
But it is limited to the ciphers with identical rounds.
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
But it is limited to the ciphers with identical rounds.
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
I
But it is limited to the ciphers with identical rounds.
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
Related-key differential usually has less active S-boxes
and applicable on more rounds [Kelsey et al 97].
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
I
But it is limited to the ciphers with identical rounds.
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
Related-key differential usually has less active S-boxes
and applicable on more rounds [Kelsey et al 97].
I
But usually it is not a realistic model.
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
I
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
Related-key differential usually has less active S-boxes
and applicable on more rounds [Kelsey et al 97].
I
I
But it is limited to the ciphers with identical rounds.
But usually it is not a realistic model.
Probabilistic reflection attack is applicable on block ciphers
with almost symmetric rounds [Soleimany et al 13].
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
I
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
Related-key differential usually has less active S-boxes
and applicable on more rounds [Kelsey et al 97].
I
I
But it is limited to the ciphers with identical rounds.
But usually it is not a realistic model.
Probabilistic reflection attack is applicable on block ciphers
with almost symmetric rounds [Soleimany et al 13].
I
But its application is limited to involutional block ciphers.
11 / 21
Overview of Previous Attacks
I
Slide cryptanalysis requires known plaintexts.
I
I
Differential cryptanalysis is usually applicable on any round
functions [Biham Shamir 90].
I
I
But there exists a lower bound for active S-boxes and it
usually requires chosen plaintexts.
Related-key differential usually has less active S-boxes
and applicable on more rounds [Kelsey et al 97].
I
I
But it is limited to the ciphers with identical rounds.
But usually it is not a realistic model.
Probabilistic reflection attack is applicable on block ciphers
with almost symmetric rounds [Soleimany et al 13].
I
But its application is limited to involutional block ciphers.
This Work
Exploit previous ideas to take advantage of the positive
properties and overcome the negative aspects!
11 / 21
Probabilistic Slide Distinguisher
K
K
F1
P
K
∆0
P0
K
Fs−1
···
F2
K
K
Fs
∆s-2
∆1
F1
K
K
···
F2
K
C
∆s-1
Fs−1
K
K
Fs
C0
K
I
Assume there exists a sequence of differences
D = {∆0 , . . . , ∆s−1 } such that
Pr[Fr (x) ⊕ Fr −1 (x ⊕ ∆r −2 ) = ∆r −1 ] = 2−pr −1 where 0 ≤ pr .
I
A differential-type characteristic with input difference
∆in = ∆0 and output difference ∆out = ∆s−1 can be
−pr .
obtained with probability 2−p = Πs−1
r =1 2
12 / 21
Probabilistic Slide Distinguisher
K
P
K
F1
K
K
···
F2
K
Fs−1
K
Fs
C
∆in
∆out
P0
F1
K
···
F2
K
K
Fs−1
K
Fs
K
C0
K
P 0 ⊕ F1 (P ⊕ K ) = ∆in
12 / 21
Probabilistic Slide Distinguisher
K
P
K
F1
K
K
···
F2
K
Fs−1
K
Fs
C
∆in
∆out
P0
F1
K
P 0 ⊕ F1 (P ⊕ K ) = ∆in
···
F2
K
K
probability 2−p
=⇒
Fs−1
K
K
Fs
C0
K
C ⊕ Fs−1 (C 0 ⊕ K ) = ∆out
12 / 21
Probabilistic Slide Distinguisher
K
P
K
F1
K
K
···
F2
K
Fs−1
K
Fs
C
∆in
∆out
P0
F1
K
P 0 ⊕ F1 (P ⊕ K ) = ∆in
···
F2
K
K
probability 2−p
=⇒
Fs−1
K
K
Fs
C0
K
C ⊕ Fs−1 (C 0 ⊕ K ) = ∆out
Pr[P 0 ⊕ F1 (P ⊕ K ) = ∆in ] = 2−n
Pr[C ⊕ Fs−1 (C 0 ⊕ K ) = ∆out , P 0 ⊕ F1 (P ⊕ K ) = ∆in ] = 2−n−p
=⇒ 2(n+p) pairs ((P, C), (P 0 , C 0 )) are expected to find a right slid pair
12 / 21
Key Recovery
I
The right slid pair satisfies the relation
C 0 ⊕ Fs (C ⊕ ∆out ) = K = P ⊕ F1−1 (∆in ⊕ P 0 , )
13 / 21
Key Recovery
I
The right slid pair satisfies the relation
C 0 ⊕ F1−1 (∆in ⊕ P 0 ) = P ⊕ Fs (C ⊕ ∆out ).
13 / 21
Key Recovery
I
The right slid pair satisfies the relation
C 0 ⊕ F1−1 (∆in ⊕ P 0 ) = P ⊕ Fs (C ⊕ ∆out ).
For given 2(n+p)/2 known (P, C):
Step 1 For all pairs (P, C) compute C ⊕ F1−1 (P ⊕ ∆in ) and store
the computed value with C in the hash table T1 .
13 / 21
Key Recovery
I
The right slid pair satisfies the relation
C 0 ⊕ F1−1 (∆in ⊕ P 0 ) = P ⊕ Fs (C ⊕ ∆out ).
For given 2(n+p)/2 known (P, C):
Step 1 For all pairs (P, C) compute C ⊕ F1−1 (P ⊕ ∆in ) and store
the computed value with C in the hash table T1 .
Step 2 For all pairs (P, C) compute P ⊕ Fs (∆out ⊕ C) and store
the computed value with C in the hash table T2 .
13 / 21
Key Recovery
I
The right slid pair satisfies the relation
C 0 ⊕ F1−1 (∆in ⊕ P 0 ) = P ⊕ Fs (C ⊕ ∆out ).
For given 2(n+p)/2 known (P, C):
Step 1 For all pairs (P, C) compute C ⊕ F1−1 (P ⊕ ∆in ) and store
the computed value with C in the hash table T1 .
Step 2 For all pairs (P, C) compute P ⊕ Fs (∆out ⊕ C) and store
the computed value with C in the hash table T2 .
Step 3 For each collision in T1 and T2 find corresponding
ciphertexts C and C 0 then compute a key candidate
K = C 0 ⊕ Fs (C ⊕ ∆out ).
13 / 21
More Output Differences
K
K
F1
P
K
K
···
F2
K
K
Fs−1
Fs
C
∆iout
∆in
P0
F1
K
···
F2
K
P 0 = F1 (P ⊕ ∆in )
K
Fs−1
K
Fs
K
C0
K
C 0 = Fs (C ⊕ ∆iout ), 1 ≤ i ≤ L
Pr[P 0 = F1 (P ⊕ ∆in )] = 2−n
Pr[P 0 = F1 (P ⊕ ∆in ), C 0 = Fs (C ⊕ ∆iout )] = 2−n
PL
−pi
i=1 2
I
Decrease the data requirement by increasing the total
probability.
I
This comes with the cost of repeating the attack algorithm
L times.
14 / 21
Introduction
Slide Cryptanalysis
Even-Mansour Scheme with a Single Key
Probabilistic Slide Cryptanalysis
Applications on LED-64 and Zorro
Conclusion
15 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b
1
0
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
AC
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
1
0
0
0
0 SC
0
0
0
0
0
0
c
0
0
0
0
d
0
0
0
0 SR
0
0
0
0
0
0
c
d
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
8
2
7
2
0
0
0
0
0
0
0
0
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
AC
AC
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
1
0
0
0
0 SC
0
0
0
0
0
0
c
0
0
0
0
d
0
0
0
0 SR
0
0
0
0
0
0
c
d
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
8
2
7
2
0
0
0
0
0
0
0
0
0
0
0
0
f
0
0
0
0
0
0
0
0
0 SC
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 SR
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
4
8
b
2
0
0
0
0
0
0
0
0
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
AC
AC
AC
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
1
0
0
0
0 SC
0
0
0
0
0
0
c
0
0
0
0
d
0
0
0
0 SR
0
0
0
0
0
0
c
d
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
8
2
7
2
0
0
0
0
0
0
0
0
0
0
0
0
f
0
0
0
0
0
0
0
0
0 SC
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 SR
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
4
8
b
2
0
0
0
0
0
0
0
0
0
0
0
0
2
c
d
6
0
0
0
0
0
0 SC
0
0
0
0
0
0
5
5
2
b
0
0
0
0
0
0 SR
0
0
0
5
0
0
5
0
0
0
0
0
0
b
0
0 MC
2
0
5
d
3
a
7
e
1
e
5
7
c
9
4
a
7
d
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
AC
AC
AC
I
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
1
0
0
0
0 SC
0
0
0
0
0
0
c
0
0
0
0
d
0
0
0
0 SR
0
0
0
0
0
0
c
d
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
8
2
7
2
0
0
0
0
0
0
0
0
0
0
0
0
f
0
0
0
0
0
0
0
0
0 SC
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 SR
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
4
8
b
2
0
0
0
0
0
0
0
0
0
0
0
0
2
c
d
6
0
0
0
0
0
0 SC
0
0
0
0
0
0
5
5
2
b
0
0
0
0
0
0 SR
0
0
0
5
0
0
5
0
0
0
0
0
0
b
0
0 MC
2
0
5
d
3
a
7
e
1
e
5
7
c
9
4
a
7
d
Thanks to cancellation, the characteristic has 13 active S-boxes
while normal differential characteristic has at least 25 S-boxes.
16 / 21
Slide Cryptanalysis of LED-64
0
0
3
0
2
6
3
7
5
0
0
0
0
b AC
1
0
AC
AC
AC
I
0
0
3
0
1
0
0
1
5
0
0
0
0
b SC
1
0
0
0
6
0
7
0
0
9
c
0
0
0
0
8 SR
7
0
0
0
0
0
7
0
7
0
c
8
6
9
0
0 MC
0
0
0
0
0
0
1
5
7
5
0
1
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
1
0
0
0
0 SC
0
0
0
0
0
0
c
0
0
0
0
d
0
0
0
0 SR
0
0
0
0
0
0
c
d
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
8
2
7
2
0
0
0
0
0
0
0
0
0
0
0
0
f
0
0
0
0
0
0
0
0
0 SC
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 SR
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0 MC
0
0
0
0
0
0
4
8
b
2
0
0
0
0
0
0
0
0
0
0
0
0
2
c
d
6
0
0
0
0
0
0 SC
0
0
0
0
0
0
a1
a2
a3
a4
0
0
0
0
0
0 SR
0
0
0 a1 0 0
a2 0 0 0 MC
0 0 0 a3
0 0 a4 0
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
ai ∈ Ai where A1 = {3, 5, 6, a, c, d, e}, A2 = {2, 5, 7, 8, 9, a, e},
A3 = {1, 2, 3, 4, 7, a, b} and A4 = {2, 6, 8, b, c, f}
16 / 21
Slide Cryptanalysis of Zorro
State
∆in = X5I ⊕ P 0
X5S ⊕ X10S
X5A ⊕ X1A
X5R ⊕ X10R
..
.
Difference
00000000d52c6f72120a92b50c8c2eee
00000000d52c6f72120a92b50c8c2eee
04040420d52c6f72120a92b50c8c2eee
040404202c6f72d592b5120aee0c8c2e
..
.
A ⊕ X 0A
X16
12
R ⊕ X 0R
X16
12
M ⊕ X 0M
∆out = X16
12
1c17980d447ad32bfbc96dc0a06a35cc
1c17980d7ad32b446dc0fbc9cca06a35
1720c72a9351b2f0f3a4e09fb071b7f0
I
Differential characteristic for 3 steps (probability 2−119.24 ).
I
Key-recovery cryptanalysis on 4 steps.
I
This result improves the best cryptanalysis presented by
the designers one step (four rounds).
17 / 21
Results
Cipher
Zorro
LED-64
Attack Type
Steps
Data
Time
Memory
Source
Impossible differential
Meet-in-the-middle
Probabilistic slide
Probabilistic slide
Internal differential†
Differential
2.5
3
4
4
6
6
2115 CP
2115
2115
22 KP
2123.62 KP
2121.59 KP
254.25 CP
2112.4 CP
2104
2123.8
2124.23
254.25
2108
-
[Gérard et al 13]
[Gérard et al 13]
2123.62
2121.59
254.25
-
Meet-in-the-middle
Generic
Meet-in-the-middle
Meet-in-the-middle
Probabilistic slide
Probabilistic slide
Generic
2
2
2
2
2
2
3
28 CP
245 KP
216 CP
248 KP
245.5 KP
241.5 KP
249 KP
256
260.1
248
248
246.5
251.5
260.2
211
260
217
248
246.5
242.5
260
This work
This work
[Guo et al 13]
[Wang et al 13]
[Isobe et al 12]
[Dinur et al 13]
[Dinur et al 14]
[Dinur et al 14]
This work
This work
[Dinur et al 13]
† – this attack is applicable just on 264 keys (out of 2128 ), CP – Chosen
Plaintexts, KP – Known Plaintext.
18 / 21
Introduction
Slide Cryptanalysis
Even-Mansour Scheme with a Single Key
Probabilistic Slide Cryptanalysis
Applications on LED-64 and Zorro
Conclusion
19 / 21
Conclusion and Future Work
Conclusion
I
Framework of probabilistic slide cryptanalysis on EMS
which requires known-plaintext in the single-key model.
I
The relation between round constants should be taken into
account .
I
Applications of the probabilistic slide cryptanalysis on
LED-64 and Zorro.
Future Work
I
Application on other EMS block ciphers.
I
Improve the results on Zorro and LED-64 by exploiting
differential instead of differential characteristic.
20 / 21
Thanks for your attention!
21 / 21
Related documents
ICISC 2010 program - +=+ International Conference on
ICISC 2010 program - +=+ International Conference on
DOC
DOC
Cryptanalysis
Cryptanalysis
More Cryptography and Cryptanalysis Concepts
More Cryptography and Cryptanalysis Concepts
Recruiting mathematicians as codebreakers
Recruiting mathematicians as codebreakers
Download
advertisement