Dedicated Cryptanalysis of Lightweight Block Ciphers


Dedicated Cryptanalysis of Lightweight Block Ciphers
María Naya-Plasencia, INRIA, France
Šibenik 2014

Outline
- Introduction
- Impossible differential attacks
- Meet-in-the-middle and improvements
- Multiple differential attacks
- Dedicated attacks (examples)

Outline (this part)
- Introduction
- Dedicated attacks (examples):
  - Importance of dedicated attacks: PRINTcipher
  - Importance of reduced-round attacks: KLEIN-64

Importance of Dedicated Cryptanalysis

Lightweight Dedicated Analysis (1/28)
Lightweight: riskier design, lower security margin, simpler components. Often innovative constructions, hence dedicated attacks.

Lightweight Dedicated Analysis (2/28)
Normally, designers should already have analyzed the cipher with respect to known attacks... though not always, or not always that straightforwardly. Dedicated attacks: new!

PRESENT and PRINTcipher

PRESENT [BKLPPRSV 07] (3/28)
One of the most popular ciphers, proposed in 2007 and now an ISO/IEC standard, is PRESENT. A very large number of analyses have been published (over 20). Best attacks so far: multiple linear attacks (26 of 31 rounds).

PRESENT (4/28)
Block size n = 64 bits, key 80 or 128 bits. 31 rounds plus one final key addition. [figure: the S-box layer of one round, 16 parallel 4-bit S-boxes S15 ... S0]

PRESENT (5/28)
Linear cryptanalysis: because of the S-box, there is a single-bit to single-bit linear approximation with bias 2^-3 per round [Ohk 09]. Multiple linear attacks consider several possible approximations simultaneously, reaching up to 26 rounds out of 31 [Cho 10].
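As an added example (not part of the slides), the following Python computes the linear approximation table of the PRESENT S-box and checks the single-bit claim above: the best single-bit to single-bit approximation has bias exactly 2^-3, and the piling-up lemma shows how such per-round biases combine over a trail. The S-box values are the published PRESENT S-box; the function names (`lat_entry`, `bias`, `piling_up`, ...) are this example's own.

```python
"""Linear approximation table (LAT) of the PRESENT S-box.

Added example: checks that the best single-bit to single-bit linear
approximation of the PRESENT S-box has bias 2^-3, the per-round bias
quoted on the slide, and shows how per-round biases combine over a trail.
"""
from fractions import Fraction
from math import prod

# The published 4-bit PRESENT S-box: nibble x -> PRESENT_SBOX[x].
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

SINGLE_BIT_MASKS = (1, 2, 4, 8)


def parity(v: int) -> int:
    """XOR of all bits of v; with v = mask & value this is the GF(2) dot product."""
    return bin(v).count("1") & 1


def lat_entry(a: int, b: int, sbox=PRESENT_SBOX) -> int:
    """Number of inputs x in 0..15 for which <a, x> = <b, S(x)> holds.

    There are 16 inputs, so an entry of 8 means the approximation carries
    no information (bias 0).
    """
    return sum(1 for x in range(16)
               if parity(a & x) == parity(b & sbox[x]))


def bias(a: int, b: int, sbox=PRESENT_SBOX) -> Fraction:
    """Bias of the approximation <a, x> = <b, S(x)>: Pr[holds] - 1/2."""
    return Fraction(lat_entry(a, b, sbox), 16) - Fraction(1, 2)


def single_bit_approximations(sbox=PRESENT_SBOX):
    """All (input mask, output mask, bias) triples with one-bit masks."""
    return [(a, b, bias(a, b, sbox))
            for a in SINGLE_BIT_MASKS for b in SINGLE_BIT_MASKS]


def max_single_bit_bias(sbox=PRESENT_SBOX) -> Fraction:
    """Largest |bias| over single-bit approximations (2^-3 for PRESENT)."""
    return max(abs(e) for _, _, e in single_bit_approximations(sbox))


def piling_up(round_biases) -> Fraction:
    """Piling-up lemma: the bias of an r-round trail built from independent
    per-round biases is 2^(r-1) times the product of those biases."""
    r = len(round_biases)
    return Fraction(2) ** (r - 1) * prod(round_biases, start=Fraction(1))


if __name__ == "__main__":
    for a, b, e in single_bit_approximations():
        if e != 0:
            print(f"input bit {a:#x} -> output bit {b:#x}: bias {e}")
    print("max single-bit bias:", max_single_bit_bias())
    # A single-bit trail over r rounds, each round contributing bias 2^-3.
    for r in (2, 4, 8):
        print(f"{r}-round trail bias (piling-up lemma):",
              piling_up([Fraction(1, 8)] * r))
```

Only single-bit masks are enumerated because that is the class the slide refers to; passing a different `sbox` list to the same functions evaluates any other 4-bit S-box the same way.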

PRINTcipher (6/28)
Many PRESENT-like ciphers have been proposed: Maya, Puffin, PRINTcipher. They are usually weaker than the original. PRINTcipher [KLPR 10]: its first cryptanalysis was the invariant subspace attack [LAAZ 11].

PRINTcipher (7/28)
[figure: PRINTcipher, 48 rounds]

The Invariant Subspace Attack [LAAZ 11] (8/28)
Holds with probability 1. Not a key recovery, but a very bad property for 2^51 weak keys...

KLEIN-64: from reduced-round to full-version

KLEIN [GNL 11] (9/28)
KLEIN-64 has 12 rounds. [figure: 64-bit plaintext; each round is AddRoundKey with K_r, SubNibbles, RotateNibbles, MixNibbles; a final AddRoundKey with K_NbR; 64-bit ciphertext]

KLEIN SubNibbles (10/28)
x    : 0 1 2 3 4 5 6 7 8 9 a b c d e f
S[x] : 7 4 a 9 1 f b 0 c 3 2 6 8 e d 5

KLEIN RotateNibbles (11/28)
[figure only]

KLEIN MixNibbles (12/28)
[figure only]

Previous Cryptanalysis (13/28)
Version   Source                                                Rounds  Data     Time      Memory  Attack
KLEIN-64  [Yu, Wu, Li, Zhang, Inscrypt 11]                      7       2^34.3   2^45.5    2^32    integral
KLEIN-64  [Yu, Wu, Li, Zhang, Inscrypt 11]                      8       2^32     2^46.8    2^16    truncated
KLEIN-64  [Aumasson, Naya-Plasencia, Saarinen, Indocrypt 11]    8       2^35     2^35      -       differential
KLEIN-64  [Nikolic, Wang, Wu, ePrint IACR 2013]                 10      1        2^62      2^60    MITM
KLEIN-64  [Ahmadian, Salmasizadeh, Reza Aref, ePrint IACR 2013] 12      2^39     2^62.84   2^4.5   biclique

Main Ideas From Previous Analysis (14/28)
All layers except MixNibbles keep higher nibbles and lower nibbles separate (no mixing between them). MixColumn: an input difference whose higher nibbles are inactive gives an output difference with the same pattern if the MSBs of the 4 lower-nibble (LN) differences are equal, which happens with probability 2^-3. [figure: MixColumn]
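As an added example (not from the slides or from KLEIN's designers), the following Python implements the SubNibbles S-box tabulated above and the AES MixColumns step that KLEIN's MixNibbles applies to each 4-byte column (GF(2^8) with the AES polynomial), then verifies the MixColumn property exhaustively: among all 2^16 input differences with inactive higher nibbles, exactly those whose four lower-nibble MSBs agree give an output with inactive higher nibbles, i.e. 2^13 of 2^16, probability 2^-3. It goes slightly beyond the slide by also reporting two facts about the S-box itself (it is an involution and its largest DDT entry is 4). Function names and the sample column in `__main__` are this example's own.

```python
"""KLEIN-64 components and the MixNibbles nibble-pattern property.

Added example: implements the SubNibbles S-box from the slide and the AES
MixColumns step that KLEIN's MixNibbles applies to each 4-byte column, then
checks exhaustively that an input difference with inactive higher nibbles
keeps that pattern through MixColumns exactly when the MSBs of its four
lower-nibble differences agree (2^13 of 2^16 cases, i.e. probability 2^-3).
"""
from itertools import product

# KLEIN SubNibbles S-box, as tabulated on the slide: nibble x -> KLEIN_SBOX[x].
KLEIN_SBOX = [0x7, 0x4, 0xA, 0x9, 0x1, 0xF, 0xB, 0x0,
              0xC, 0x3, 0x2, 0x6, 0x8, 0xE, 0xD, 0x5]


def is_involution(sbox) -> bool:
    """True if S(S(x)) = x for every nibble (then S^-1 = S)."""
    return all(sbox[sbox[x]] == x for x in range(16))


def ddt(sbox):
    """Difference distribution table: t[din][dout] = #{x : S(x) ^ S(x ^ din) = dout}."""
    t = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for din in range(16):
            t[din][sbox[x] ^ sbox[x ^ din]] += 1
    return t


def max_ddt_entry(sbox) -> int:
    """Largest DDT entry over nonzero input differences (4 is optimal for 4-bit S-boxes)."""
    t = ddt(sbox)
    return max(t[din][dout] for din in range(1, 16) for dout in range(16))


def xtime(b: int) -> int:
    """Multiply a byte by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B
    return b


def mix_column(col):
    """AES MixColumns on one 4-byte column (a, b, c, d); KLEIN's MixNibbles
    applies this to each of the two 32-bit halves of the state."""
    a, b, c, d = col
    m2 = xtime
    m3 = lambda v: xtime(v) ^ v
    return (m2(a) ^ m3(b) ^ c ^ d,
            a ^ m2(b) ^ m3(c) ^ d,
            a ^ b ^ m2(c) ^ m3(d),
            m3(a) ^ b ^ c ^ m2(d))


def high_nibbles_inactive(col) -> bool:
    """True if every byte of the (difference) column has a zero higher nibble."""
    return all(v & 0xF0 == 0 for v in col)


def low_nibble_msbs_equal(col) -> bool:
    """The slide's condition: bit 3 (MSB of the lower nibble) agrees across the four bytes."""
    return len({(v >> 3) & 1 for v in col}) == 1


def pattern_preservation():
    """Exhaust all 2^16 input differences with inactive higher nibbles.

    MixColumns is linear over XOR, so for any pair with input difference delta
    the output difference is mix_column(delta). Returns (number of differences
    whose output keeps the higher nibbles inactive, whether that set coincides
    exactly with the slide's MSB condition).
    """
    preserved = 0
    condition_is_exact = True
    for delta in product(range(16), repeat=4):
        out_ok = high_nibbles_inactive(mix_column(delta))
        preserved += out_ok
        condition_is_exact &= (out_ok == low_nibble_msbs_equal(delta))
    return preserved, condition_is_exact


def difference_through_pair(col, delta) -> bool:
    """Check the linearity argument on real values: mix(col) ^ mix(col ^ delta) == mix(delta)."""
    other = tuple(v ^ d for v, d in zip(col, delta))
    observed = tuple(x ^ y for x, y in zip(mix_column(col), mix_column(other)))
    return observed == mix_column(delta)


if __name__ == "__main__":
    print("KLEIN S-box is an involution:", is_involution(KLEIN_SBOX))
    print("KLEIN S-box max DDT entry:", max_ddt_entry(KLEIN_SBOX))
    preserved, exact = pattern_preservation()
    print(f"{preserved} of {16 ** 4} LN-only differences keep HN inactive "
          f"(= 2^{preserved.bit_length() - 1} / 2^16); condition exact: {exact}")
    # Constructed sample column and difference, not taken from the slides.
    print("pair check:",
          difference_through_pair((0x3A, 0x7F, 0xC2, 0x05), (0x9, 0xD, 0x8, 0xF)))
```

The exhaustive loop is what makes the 2^-3 figure concrete: the higher nibble of each output byte is the XOR of the bit-3 values of two adjacent input differences (from the 2x and 3x coefficients), so all four vanish only when the four bit-3 values coincide, two cases out of 2^4.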

Main Ideas From Previous Analysis (15/28)
Key schedule: lower nibbles and higher nibbles are not mixed. [figure: key schedule built from rotations, XORs with the round counter i, and S-box applications]

7-round attack (16/28)
Truncated differential path of probability 2^-28.08 (greater than the 2^-32 of a random pair); the 64-bit key is recovered with 2^33 operations. [figure: plaintext, rounds 1 to 7 (RN), ciphertext]

7-round attack (17/28)
1. Generate data.
2. Keep the pairs whose ciphertext difference has inactive higher nibbles.
3. Guess the lower nibbles of the key.
4. Test the guess by checking the difference obtained at round 6 when inverting the last round. [figure: round 6 (RN), ARK, round 7 (RN) with the key guess, ARK]

7-round attack (18/28)
Last-round condition for a random pair: 2^-32 < 2^-28.08, so a pair with an inactive higher-nibble difference in the last round is a conforming one. Each conforming pair gives a 6-bit filter. Repeating the procedure, we recover the correct value of the lower nibbles (LN) of the key.

New Attack [LNP 14] (19/28)
Use more MixNibbles steps to discard more keys. [figure: ARK, RN, ...] We want the difference at the output of the previous round: invert an entire round on the lower nibbles, in values and in differences. Only the lower (key) nibbles are needed to invert RN and ARK. How to invert MixNibbles?

Inverting one MixColumn^-1(a, b, c, d) (20/28)
Let a = (a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7) be the binary decomposition of a byte. Given the input lower nibbles, we require 3 information bits from the higher nibbles:
  a_1 + a_2 + b_2 + c_0 + c_1 + c_2 + d_0 + d_2
  a_1 + b_0 + b_1 + c_1 + d_0 + d_1
  a_0 + a_1 + a_2 + b_0 + b_2 + c_1 + c_2 + d_2
A 6-bit guess per round.

Inverting one round (21/28)
[figure: ARK, RN, ...] 6-bit guess. Compute the LN state and check the difference shape by inverting (a certain probability): 2^6 computations. In the iterative part (probability 2^-6), just one guess remains.

12 rounds of KLEIN-64 (22/28)
[figure: plaintext, rounds 1 to 12 (RN), ciphertext; 24 three-bit guesses, one per MixColumn and two per round; step complexities 2^16, 2^36, 2^13, 2^20, then 2^6 for each of eight iterative rounds, and 2^32]

Attack on KLEIN-64 (23/28)
Generate enough data (path probability 2^-69.5). Keep the pairs with inactive higher nibbles before the last round. For each iterative round: guess the LN key and use the first round to discard some candidates. Invert round by round with a 6-bit guess and check whether the difference obtained before is the wanted one: 1 guess out of 2^6 remains.

First rounds to discard candidates (24/28)
At the end of the attack, 2^8 candidates remain. The higher-nibble search discards the bad ones. Other differential paths are possible, offering different data/time/memory trade-offs.

Some Improvements (25/28)
Use structures to limit the data complexity. Invert with 2^4 complexity instead of 2^6. Use MixColumn independence to reduce the cost of the lower-nibble key guess in the first round. The higher-nibble search can be sped up using the information from the 6-bit guesses.

Attack Complexities on KLEIN-64 (26/28)
Case  Data     Time     Memory
1     2^54.5   2^57     2^16
2     2^56.5   2^62     2^4
3     2^35     2^63.8   2^32
4     2^46     2^62     2^16

KLEIN results (27/28)
First attack on full KLEIN-64. Verified experimentally on reduced-round versions (first practical attack on 9 rounds). The approach reaches 13 rounds out of 16 of KLEIN-80 and 14 rounds out of 20 of KLEIN-96.

Conclusion

To Sum Up (28/28)
Classical attacks, but also new dedicated ones exploiting the originality of the designs. Importance of reduced-round analysis, to re-think the security margin or as a first step of further analysis. A lot of ciphers to analyze, a lot of work to do!
Thanks to Valentin Suder, Virginie Lallemand and Christina Boura for their help with the figures.