Transcript of slides: Improved Slide Attacks (University of Haifa, ~orrd/crypt/UCL-ImprovedSlide.pdf)

(1/32) Improved Slide Attacks
UCL Seminar, 19th December 2006
Eli Biham, Orr Dunkelman, Nathan Keller
Computer Science Dept., Technion, Israel
Dept. of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven, Belgium
Einstein Institute of Mathematics, Hebrew University, Israel

(2/32) Topics of the Talk
- Description of the slide attacks
- Various improvements
- Studying the cycle structure
- Application to GOST
- Summary

(3/32) Slide Attacks [BW99]
Applied to ciphers in which the same keyed permutation f_k is applied repeatedly.
Diagram: f_k -> f_k -> f_k -> f_k (the same keyed round function f_k in every step).

(4/32) Slide Attacks
Seek slid pairs (P, P') s.t. P' = f_k(P) and, consequently, C' = f_k(C).
Diagram: two chains of f_k applications shifted by one step, P -> f_k -> ... -> f_k -> C above and P' -> f_k -> ... -> f_k -> C' below, so each intermediate value of the lower chain is one f_k step ahead of the upper one.

(5/32) Slide Attacks
If f_k is ''simple'' enough, given one slid pair the key k can be found.
The attack is independent of the number of times f_k is applied.
simple = can be broken using two input/output pairs

(6/32) Generating Slid Pairs
- Using the birthday paradox (requires ~2^{n/2} KP)
- Identification can be done by treating each pair as a slid pair and analyzing it
- Time complexity: 2^n applications of the attack on f_k

(7/32) Generating Slid Pairs in Feistel Block Ciphers
For Feistel block ciphers the data can be reduced to ~2^{n/4} CP:
- Pick 2^{n/4} CP of the first form given on the slide (for a fixed A)
- Pick 2^{n/4} CP of the second form given on the slide
- Due to the birthday paradox, a slid pair is expected
- Identification of the slid pair is also easier

(8/32) Making ''Simple'' More Complex
In [BW00] some advanced slide techniques were presented.
The aim of these techniques is to allow attacking ciphers with more complex round functions.

(9/32) Complementation Slide
- Consider a 2-round Feistel with two independent subkeys
- A regular slide by 1 round is not possible due to the different keys
- However ... it is possible to slide with a difference (relation on the slide), where the difference is the key difference

(10/32) Complementation Slide (cont.)
- Assume that the subkey is XORed into the data before the nonlinear function
- Then, the difference assures that the inputs to the nonlinear function are the same for all shared rounds
- Thus, the slid relation holds (formula on the slide)

(11/32) Complementation Slide (cont.)
- Data complexity: ~2^{n/2} KP
- Time complexity: ~2^{n/2} applications of the attack on f_k
(There are 2^n possible pairs, each suggesting an n/2-bit value for the key difference, which gives an indication of whether the ciphertexts can form a slid pair.)

(12/32) Sliding with a Twist
- In the same case, encryption under one key is closely related to decryption under the other
- Thus, the slid pair is generated from the encryption under one key and the decryption under the second key

(13/32) Twisted Complemented Slide
- Both improvements can be combined to attack f_k of a 4-round Feistel structure with independent subkeys
- Consider the sequences of subkeys (listed on the slide)
- If we have a difference in the inputs of the slid pair of the form given on the slide, the slid property can be preserved

(14/32) A Different Approach
What if there is no good attack on f_k that uses only two input/output pairs?
Most interesting property observed [BW00,F01]:
If (P,P') is a slid pair, then so is (E_k(P), E_k(P')).

(15/32) Allowing More Complex ''Simple'' Functions
It is possible to use the observation to attack f_k using a KP attack (that uses m KP):
- Take ~2^{n/2} KP, and iteratively encrypt each of them m times
- Try all pairs among the 2^{n/2} starting points
- Apply the KP attack with m pairs for each candidate slid pair (T.C. = m·2^n)

(16/32) Allowing More Complex ''Simple'' Functions (cont.)
- Data complexity: ~m·2^{n/2} adaptive chosen plaintexts
- Time complexity: 2^n applications of the known plaintext attack on f_k
For Feistel ciphers:
- Data complexity: ~2^{n/2} known plaintexts + 2m adaptive chosen plaintexts
- Time complexity: 1 application of the attack

(17/32) Making the Complex Real
Our technique solves two problems:
- Finding the slid pairs easily
- Allowing chosen plaintext attacks (even ACPC)
How?

(18/32) Making the Complex Become Real – Considering Cycles
- Let (definition on the slide)
- Choose a plaintext randomly
- Iteratively encrypt it until the same plaintext is obtained again

(19/32) Making the Complex Become Real – Considering Cycles
The cycle is actually also a multiple of the cycle of f_k as well!
Let (definitions on the slide). Then j*m = C*r for some constant C.
If gcd(m,r)=1, then r=j.
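The relation on this slide carried through step by step, as an added derivation that is not on the slide. It assumes the slide's symbols read as follows: E_k = f_k^m, r is the cycle length of P under f_k, and j is its cycle length under E_k; the last line goes one step beyond the slide and shows how the cycle produces a slid pair.

$$E_k^{\,j}(P) = P \;\Rightarrow\; f_k^{\,jm}(P) = P \;\Rightarrow\; r \mid jm, \quad\text{i.e. } jm = C\,r \text{ for some integer } C.$$

$$E_k^{\,r}(P) = f_k^{\,mr}(P) = P \;\Rightarrow\; j \mid r.$$

$$\gcd(m,r) = 1 \;\Rightarrow\; r \mid j, \quad\text{and together with } j \mid r:\; r = j.$$

$$t \equiv m^{-1} \pmod{j},\; mt = 1 + cj \;\Rightarrow\; E_k^{\,t}(P) = f_k^{\,1 + cj}(P) = f_k(P),$$

so (P, E_k^t(P)) is a slid pair obtained from encryptions under E_k alone, once the cycle of P is known.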

(20/32) So You Have Cycles... So What?!
- The information on the cycle can be used to find slid pairs
- Once one slid pair is found, we can find as many pairs as there are plaintexts in the cycle
- We can use CP attacks (and even ACPC attacks) on f_k
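The cycle-based slid-pair search of slides 18–20 and the Feistel chosen-plaintext search of slide 7, as an added example on a toy cipher (example code written for this transcript, not code from the authors or the slides). Constructed assumptions: a 16-bit block, E_k = f_k^M with M = 5, f_k a single Feistel round with an 8-bit subkey k, a made-up round function F and a made-up key; the attacker only queries the encryption oracle E. The plaintext forms (x, A) and (A, y) used for the slide-7 search, the use of t = m^{-1} mod j to turn a cycle into slid pairs, and the key-recovery step for the "simple" f_k are this example's reading of the techniques, not reproductions of the slides' formulas.

```python
"""Added example (not from the slides): slid-pair search on a toy cipher, covering the
chosen-plaintext birthday search of slide 7 and the cycle-based search of slides 18-20.
Constructed assumptions: 16-bit block, E_k = f_k^M with M = 5, f_k ONE Feistel round with an
8-bit subkey k, a toy round function F and a toy key; the attacker only queries the oracle E."""
from math import gcd

M = 5  # E_k applies the same keyed permutation f_k M times (slide 3)

def F(x):
    """Toy 8-bit non-linear map; a Feistel round is bijective whatever F is."""
    x &= 0xFF
    return (((x << 3) | (x >> 5)) & 0xFF) ^ ((x * x) & 0xFF) ^ 0x5A

def f_round(k, block):
    """f_k: one Feistel round on a 16-bit block, (L, R) -> (R, L ^ F(R ^ k))."""
    L, R = block >> 8, block & 0xFF
    return (R << 8) | (L ^ F(R ^ k))

def make_cipher(k):
    """E_k = f_k applied M times, wrapped as the attacker's encryption oracle."""
    def E(block):
        for _ in range(M):
            block = f_round(k, block)
        return block
    return E

def keys_from_slid_pairs(pairs):
    """Slide 5: f_k is 'simple'. Each (x, f_k(x)) reveals F(R ^ k), so a few pairs pin down k.
    Returns the surviving 8-bit key candidates; an empty set means the pairs were not slid."""
    if not pairs:
        return set()
    cands = set(range(256))
    for x, y in pairs:
        L, R = x >> 8, x & 0xFF
        if (y >> 8) != R:            # f_k moves R into the left half; otherwise not slid
            return set()
        cands = {k for k in cands if F(R ^ k) == (y & 0xFF) ^ L}
    return cands

def confirmed_key(E, cands, samples):
    """Keep a candidate key only if the rebuilt cipher reproduces the oracle on samples."""
    for k in cands:
        if all(make_cipher(k)(x) == E(x) for x in samples):
            return k
    return None

def birthday_attack(E, count, A=0x3C):
    """Slide 7: plaintexts (x, A) and (A, y) for a fixed half A (constructed reading of the
    slide's forms). f_k(x, A) = (A, x ^ F(A ^ k)), so a slid pair across the two sets is expected
    once count ~ 2^(n/4); it is identified because C' = f_k(C) forces left(C') == right(C)."""
    count = min(count, 256)
    first = [(x << 8) | A for x in range(count)]
    second = [(A << 8) | y for y in range(count)]
    enc = {p: E(p) for p in first + second}
    for P in first:
        for Q in second:
            C, D = enc[P], enc[Q]
            if (D >> 8) != (C & 0xFF):
                continue              # cheap ciphertext filter, ~1/256 false positives
            k = confirmed_key(E, keys_from_slid_pairs([(P, Q), (C, D)]), [P, Q])
            if k is not None:
                return k, (P, Q)
    return None

def cycle_of(E, P):
    """Slide 18: iteratively encrypt P until it reappears; returns [P, E(P), E^2(P), ...]."""
    cyc, x = [P], E(P)
    while x != P:
        cyc.append(x)
        x = E(x)
    return cyc

def cycle_slid_pairs(cyc, m, count):
    """Slide 19: j = len(cyc). If gcd(m, r) = 1 the f_k-cycle length r equals j, so for
    t = m^-1 mod j we get E^t(P) = f_k^(m t)(P) = f_k(P). Slide 20: as E commutes with f_k
    (slide 14), every (cyc[i], cyc[i + t]) is a slid pair, one per point of the cycle."""
    j = len(cyc)
    if gcd(m, j) != 1:
        return []
    t = pow(m, -1, j)
    return [(cyc[i], cyc[(i + t) % j]) for i in range(min(count, j))]

def cycle_attack(E, m=M, pairs_per_cycle=16):
    """Walk the cycles of E. A cycle whose f_k-length is not coprime to m yields non-slid
    candidates, which key recovery rejects, so the search moves on to the next unseen cycle."""
    seen = set()
    for P in range(1 << 16):
        if P in seen:
            continue
        cyc = cycle_of(E, P)
        seen.update(cyc)
        pairs = cycle_slid_pairs(cyc, m, pairs_per_cycle)
        k = confirmed_key(E, keys_from_slid_pairs(pairs), cyc[:4])
        if k is not None:
            return k, len(cyc)
    return None

if __name__ == "__main__":
    E = make_cipher(0xA7)             # constructed toy key
    print("slide 7 search:", birthday_attack(E, 256))
    print("cycle search  :", cycle_attack(E))
```

With count = 256 the slide-7 search uses every plaintext of each form, so a slid pair is guaranteed to exist; the real attack takes about 2^{n/4} of each form and expects one by the birthday paradox. The cycle search visits each cycle of E_k once (a start point already seen is skipped), so its total cost is bounded by the block size even when the first cycles happen to have a length that is not coprime to M, and a wrong candidate pair is caught by the key-recovery filter rather than silently accepted.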

(21/32) Data and Time Complexities
- Data complexity: ~2^n known plaintexts / ~2^{n-1} adaptive chosen plaintexts
- Time complexity: 1 application of the attack on f_k

(22/32) GOST
- Russian encryption standard
- 32-round Feistel construction
- 64-bit block, 256-bit key
- Round function consists of key addition, eight 4x4 S-boxes, and a rotation to the left by 11
- S-boxes are unknown...

(23/32) GOST
Simple key schedule, with the subkey sequence for each group of rounds given on the slide:
- rounds 1-8:
- rounds 9-16:
- rounds 17-24:
- rounds 25-32:

(24/32) 24-Round GOST in our attack
- As there are 3 iterations of the same function, we can find slid pairs
- All that is needed is an 8-round attack on GOST when the S-boxes are not known ...

(25/32) 8-Round Attack with Unknown S-boxes
- We use a 7-round truncated differential (with probability 0.495) that predicts four bits.
- Given sufficiently many pairs, we can use partial decryption to verify the probability of the differential being satisfied.
- But we can't decrypt! The S-boxes are unknown!

(26/32) 8-Round Attack with Unknown S-boxes (cont.)
- We start by using only two entries of the S-box S4
- To do so, we use only ''ciphertexts'' with a fixed value that enters this S4
- We also fix the bits before it to be 0 (to reduce the chance of a carry)

(27/32) 8-Round Attack with Unknown S-boxes (cont.)
- Now, we guess the outputs of S4 in these two entries
- For a successful guess*, the truncated differential holds with probability 0.494, otherwise 1/16
* actually, for a successful guess of the difference in the output

(28/32) 8-Round Attack with Unknown S-boxes (cont.)
Repeat for other entries of S4, and you can reconstruct S4 up to:
- the key
- the exact values (you know all the relative values)
Use a shifted version of the differential to find the same information on the other S-boxes

(29/32) 8-Round Attack with Unknown S-boxes (cont.)
- Data Complexity: 2^63 ACPC or almost 2^64 KP
- Time Complexity: ~2^64

(30/32) 30-Round GOST (Known S-boxes)
- Guess the subkeys of the last six rounds
- Partially decrypt all ciphertexts 6 rounds
- Apply the 24-round attack
- Data Complexity: almost 2^64 KP
- Time Complexity: ~2^254

(31/32) Summary

(32/32)
Questions?
Thank you!