19 research outputs found
Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES
At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES -- based on the “multiple-of-8” property -- has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher.
In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds).
Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher -- which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) -- can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the
distinguisher and of the attack.
As a second contribution, we show how to combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up new 5-round distinguishers, that exploit properties which are independent of the secret key, of the details of the S-Box and of the MixColumns matrix. As a result, while a “classical” truncated differential distinguisher exploits the probability that a couple of texts satisfies or not a given differential trail independently of the others couples, our distinguishers work with sets of N >> 1 (related) couples of texts. In particular, our new 5-round AES distinguishers exploit the fact that such sets of texts satisfy some properties with a different probability than a random permutation.
Even if such 5-round distinguishers have higher complexity than e.g. the “multiple-of-8” one present in the literature, one of them can be used as starting point to set up the first key-recovery attack on 6-round AES that exploits directly a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt -- believed to be hard to exploit - can be used to set up a key-recovery attack
Truncated Differential Properties of the Diagonal Set of Inputs for 5-round AES
In the last couple of years, a new wave of results appeared, proposing and exploiting new properties of round-reduced AES.
In this paper we survey and combine some of these results (namely, the multiple-of-n property and the mixture differential cryptanalysis) in a systematic way in order to answer more general questions regarding the probability distribution of encrypted diagonal sets.
This allows to analyze this special set of inputs, and report on new properties regarding the probability distribution of the number of different pairs of corresponding ciphertexts are equal in certain anti-diagonal(s) after 5 rounds.
An immediate corollary of the multiple-of-8 property is that the variance of such a distribution can be shown to be higher
than for a random permutation. Surprisingly, also the mean of the distribution is significantly different from
random, something which cannot be explained by the multiple-of-8 property.
We propose a theoretical explanation of this, by assuming an APN-like assumption on the S-Box which closely resembles the AES-Sbox.
By combining the multiple-of-8 property, the mixture differential approach, and the results just mentioned about the mean and the variance, we are finally able to formulate the probability distribution of the diagonal set after 5-round AES as a sum of independent binomial distributions
General Classification of the Authenticated Encryption Schemes for the CAESAR Competition
An Authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the ``Competition for Authenticated Encryption: Security, Applicability, and Robustness\u27\u27) was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes
that offer advantages over AES-GCM and are suitable for widespread adoption.
The first round started with 57 candidates in March 2014; and nine of these
first-round candidates where broken and withdrawn from the competition. The
remaining 48 candidates went through an intense process of review, analysis
and comparison. While the cryptographic community benefits greatly from the
manifold different submission designs, their sheer number
implies a challenging amount of study. This paper provides
an easy-to-grasp overview over functional aspects, security parameters, and
robustness offerings by the CAESAR candidates, clustered by their underlying
designs (block-cipher-, stream-cipher-, permutation-/sponge-,
compression-function-based, dedicated). After intensive review and analysis of all 48 candidates by the community, the CAESAR committee selected only 30 candidates for the second round. The announcement for the third round candidates was made on 15th August 2016 and 15 candidates were chosen for the third round
Cryptanalysis of Haraka
In this paper, we describe attacks on the recently proposed Haraka hash
functions. First, for the two hash functions Haraka-256/256 and Haraka-512/256
in the family, we show how two colliding messages can be constructed in about
216 function evaluations. Second, we invalidate the preimage security claim for
Haraka-512/256 with an attack finding one preimage in about 2192 function
evaluations. These attacks are possible thanks to symmetries in the internal state
that are preserved over several rounds
Cryptanalysis of Simpira v1
Simpira v1 is a recently proposed family of permutations, based on the AES round function. The design includes recommendations for using the Simpira permutations in block ciphers, hash functions, or authenticated ciphers. The designers\u27 security analysis is based on computer-aided bounds for the minimum number of active S-boxes. We show that the underlying assumptions of independence, and thus the derived bounds, are incorrect. For family member Simpira-4, we provide differential trails with only 40 (instead of 75) active S-boxes for the recommended 15 rounds. Based on these trails, we propose full-round collision attacks on the proposed Simpira-4 Davies-Meyer hash construction, with complexity for the recommended full 15 rounds and a truncated 256-bit hash value, and complexity for 16 rounds and the full 512-bit hash value. These attacks violate the designers\u27 security claims that there are no structural distinguishers with complexity below
Simpira v2: A Family of Efficient Permutations Using the AES Round Function
International audienceThis paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128*b bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, that nowadays already have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For b=1, Simpira corresponds to 12-round AES with fixed round keys, whereas for b>=2, Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 2^128, and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b≤4 and b=6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b=32 (512 byte inputs) evaluates 732 AES rounds, and performs at 824 cycles (1.61 cycles per byte), which is less than 13% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired
Linear Biases in AEGIS Keystream
AEGIS is an authenticated cipher introduced at SAC 2013, which takes advantage of AES-NI instructions to reach outstanding speed in software. Like LEX, Fides, as well as many sponge-based designs, AEGIS leaks part of its inner state each round to form a keystream. In this paper, we investigate the existence of linear biases in this keystream. Our main result is a linear mask with bias on the AEGIS-256 keystream. The resulting distinguisher can be exploited to recover bits of a partially known message encrypted times, regardless of the keys used. We also consider AEGIS-128, and find a surprising correlation between ciphertexts at rounds and , although the biases would require data to be detected. Due to their data requirements, neither attack threatens the practical security of the cipher
Abstraction Model of Probing and DFA Attacks on Block Ciphers
A thread of physical attacks that try to obtain secret information from cryptographic modules has been of academic and practical interest. One of the concerns is determining its efficiency, e.g., the number of attack trials to recover the secret key. However, the accurate estimation of the attack efficiency is generally expensive because of the complexity of the physical attack on a cryptographic algorithm. Based on this background, in this study, we propose a new abstraction model for evaluating the attack efficiency of the probing and DFA attacks. The proposed model includes an abstracted attack target and attacker to determine the amount of leaked information obtained in a single attack trial. We can adapt the model flexibly to various attack scenarios and can get the attack efficiency quickly and precisely. In the probing attack on AES, the difference in the attack efficiency is only approximately 0.3% between the model and experimental values, whereas that of a previous model is approximately 16%. We also apply the probing attack on DES, and the results show that DES has a high resistance to the probing attack. Moreover, the proposed model works accurately also for the DFA attack on AES
Research on performance enhancement for electromagnetic analysis and power analysis in cryptographic LSI
制度:新 ; 報告番号:甲3785号 ; 学位の種類:博士(工学) ; 授与年月日:2012/11/19 ; 早大学位記番号:新6161Waseda Universit
Recommended from our members
Combinatorial Optimization (hybrid meeting)
Combinatorial Optimization deals with optimization problems defined on combinatorial structures such as graphs and networks. Motivated by diverse practical problem setups, the topic has developed into a rich mathematical discipline with many connections to other fields of Mathematics (such as, e.g., Combinatorics, Convex Optimization and Geometry, and Real Algebraic Geometry). It also has strong ties to Theoretical Computer Science and Operations Research. A series of Oberwolfach Workshops have been crucial for establishing and developing the field. The workshop we report about was a particularly exciting event - due to the depth of results that were presented, the spectrum of developments that became apparent from the talks, the breadth of the connections to other mathematical fields that were explored, and last but not least because for many of the particiants it was the first opportunity to exchange ideas and to collaborate during an on-site workshop since almost two years