Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards a unifying view of block cipher cryptanalysis David Wagner University of California, Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards a unifying view of block cipher cryptanalysis David Wagner University of California, Berkeley."— Presentation transcript:

1 Towards a unifying view of block cipher cryptanalysis David Wagner University of California, Berkeley

2 In this talk: Survey of cryptanalysis of block ciphers Steps towards a unifying view of this field Algebraic attacks How do we tell if a block cipher is secure? How do we design good ones?

3 x Ek(x)Ek(x) k What’s a block cipher? E k : X → X bijective for all k

4 When is a block cipher secure?  x  (x) random permutation k E x Ek(x)Ek(x) block cipher Answer: when these two black boxes are indistinguishable.

5 So many cryptanalytic attacks… truncated d.c. differential crypt. complementation props. linear factors linear crypt. l.c. with multiple approximations impossible d.c. higher-order d.c. boomerang yo-yo sliding integrals interpolation attacks MITM interpolation rational interpol. probabilistic interpol. prob. rational interpol. How do we unify them?

6 How to attack a product cipher 1. Identify local properties of its round functions 2. Piece these together into global properties of the whole cipher X X EkEk X X X X f1f1 fnfn =

7 Motif #1: projection Identify local properties using commutative diagrams:  ’’ X X fkfk where: f k = original round function Y Y g k’ g k’ = reduced round function and: g k’ ○  =  ’ ○ f k

8 Composing local properties Build global commutative diagrams out of local ones:  ’’ X X f1f1 Y Y g1g1 ’’ ”” X X f2f2 Y Y g2g2 +  XY ’’ X f1f1 Y g1g1 ”” X f2f2 Y g2g2 =

9 Exploiting global properties Use global properties to build a known-text attack:  ’’ X X EkEk Y Y g The distinguisher: Let (x, y) be a plaintext/ciphertext pair If g(  (x)) =  ’(y), it’s probably from E k Otherwise, it’s from 

10 Example: linearity in Madryga Madryga leaves parity unchanged –Let  (x) = parity of x –We see  (E k (x)) =  (x) This yields a distinguisher –Pr[  (  (x)) =  (x)] = ½ –Pr[  (E k (x)) =  (x)] = 1 GF(2) 64 f1f1 fnfn GF(2) id    

11 Motif #2: statistics Suffices to find a property that holds with large enough probability A first attempt: probabilistic commutative diagrams? –Turns out to be too weak  ’’ X X EkEk Y Y g Prob. p where p = Pr[  (E k (x)) = g(  (x))]

12 A more general formulation: Markov processes Stochastic commutative diagrams: E k, ,  ’ induce a Markov process M, M(i,j) = Pr[  ’(E k (x)) = j |  (x) = i] , ,  ’ induce M’ Pick a distance measure, e.g., d(M, M’) = ||M – M’|| ∞ Best distinguisher of E k from  has advantage 0.5 ||M – M’|| ∞ [Vaudenay] Also, ~ 1/(||M – M’|| ∞ ) 2 known texts suffice for a distinguishing attack  ’’ X X EkEk Y Y M  ’’ X X  Y Y M’ stochastic

13 Example: Linear cryptanalysis Matsui’s linear cryptanalysis –Set X = GF(2) 64, Y = GF(2) –Cryptanalyst chooses linear maps ,  ’ cleverly to make ||M – M’|| ∞ as large as possible –Note: M is a 2×2 matrix of the form shown to the right, and 1/  2 known texts break the cipher  ’’ X X EkEk Y Y M ½+  ½–½– ½–½– [] M = and ||M – M’|| ∞ = 2  stochastic

14 Motif #3: higher-order attacks Use many encryptions to find better properties:  ’’ X ×X ÊkÊk Y Y M  Here we’ve defined Ê k (x,x’) = (E k (x), E k (x’)) stochastic

15 Example: Complementation Complementation properties are a simple example:   X ×X ÊkÊk X X M  Take  (x,x’) = x’ – x  Suppose M(Δ,Δ) = 1 for some cleverly chosen Δ  Then we obtain a complementation property  We can distinguish with just 2 chosen texts, since ||M – M’|| ∞ ≈ 1 stochastic

16 Example: Differential cryptanalysis Differential cryptanalysis:   X ×X ÊkÊk X X M  Set X = GF(2) n, and take  (x,x’) = x’ – x  If p = M(Δ,Δ’) >> 2 -n for some clever choice of Δ,Δ’, we can distinguish with 2/p chosen plaintexts stochastic

17 Example: Impossible differentials Impossible differential cryptanalysis:   X ×X ÊkÊk X X M  Set X = GF(2) n, and take  (x,x’) = x’ – x  If M(Δ,Δ’) = 0 for some clever choice of Δ,Δ’, we can distinguish with 2 n chosen texts stochastic

18 Example: Truncated diff. crypt. Truncated differential cryptanalysis: 11 22 X ×X ÊkÊk Y Y M  Set X = GF(2) n, Y = GF(2) m, cleverly choose linear maps φ 1, φ 2 : X → Y, and take  i (x,x’) = φ i (x’ – x)  If M(Δ,Δ) >> 2 -m for some clever choice of Δ, Δ’, we can distinguish stochastic

19 Generalized truncated d.c. Generalized truncated differential cryptanalysis: 11 22 X ×X ÊkÊk Y1Y1 Y2Y2 M  Take X, Y i,  i as before; then ||M – M’|| ∞ measures the distinguishing advantage of the attack  Generalizes d.c., trunc d.c., l.c., diff-linear crypt.,... stochastic

20 The attacks, compared generalized truncated diff. crypt. truncated d.c. differential crypt. complementation props. linear factors linear crypt. l.c. with multiple approximations impossible d.c. higher-order d.c. boomerang yo-yo sliding integrals

21 Summary (1) A few leitmotifs generate many known attacks –Many other attack methods can also be viewed this way (higher-order d.c., slide attacks, mod n attacks, d.c. over other groups, diff.-linear attacks, algebraic attacks, etc.) –Are there other powerful attacks in this space? –Can we prove security against all commutative diagram attacks? We’re primarily exploiting linearities in ciphers –E.g., the closure properties of GL(Y, Y)  Perm(X) –Are there other subgroups with useful closure properties? –Are there interesting “non-linear’’ attacks? –Can we prove security against all “linear” comm. diagram attacks?

22 Part 2: Algebraic attacks

23 Example: Interpolation attacks Express cipher as a polynomial in the message & key: id X X EkEk X X p  Write E k (x) = p(x), then interpolate from known texts  Generalization: MITM interpolation: p’(E k (x)) = p(x)  Generalization: probabilistic interpolation attacks  They use noisy polynomial reconstruction, decoding Reed-Solomon codes

24 Example: Rational inter. attacks Express the cipher as a rational polynomial: id X X EkEk X X p/q  If E k (x) = p(x)/q(x), then:  Write E k (x) × q(x) = p(x), and apply linear algebra  Note: rational poly’s are closed under composition  Q: Are probabilistic rational interpolation attacks feasible?

25 A generalization: resultants A possible direction: bivariate polynomials:  The small diagrams commute if p i (x, f i (x)) = 0 for all x X X f1f1 X p1p1 X p2p2 X f2f2  The small diagrams can be composed, yielding a large diagram q(.,.) = 0  Let q(x, z) = Res y (p 1 (x, y), p 2 (y, z)); then we have q(x, f 2 (f 1 (x))) = 0, i.e., the large diagram commutes X q

26 Bivariate attacks generalize polynomial & rational interpolation id X X EkEk X X p X q1q1 X X EkEk where q 1 (x, y) = p(x) – y → id X X EkEk X X p/p’ X q2q2 X X EkEk q 2 (x, y) = p’(x) × y – p(x) →

27 Algebraic attacks, compared probabilistic bivariate attacks bivariate attacks interpolation attacks MITM interpolation rational interpol. probabilistic interpol. prob. rational interpol.

28 Summary (2) Many cryptanalytic methods can be understood, and compared, by expressing them as a combination of only a few basic ideas Commutative diagrams are a powerful way to think about cryptanalysis Questions?

Download ppt "Towards a unifying view of block cipher cryptanalysis David Wagner University of California, Berkeley."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Analysis and design of symmetric ciphers David Wagner University of California, Berkeley.

Analysis and design of symmetric ciphers David Wagner University of California, Berkeley.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Announcements: Quiz grades entered Quiz grades entered Homework 4 updated with more details. Homework 4 updated with more details. Discussion forum is.

Announcements: Quiz grades entered Quiz grades entered Homework 4 updated with more details. Homework 4 updated with more details. Discussion forum is.
Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.

Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.
Cryptography and Network Security, resuming some notes Dr. M. Sakalli.

Cryptography and Network Security, resuming some notes Dr. M. Sakalli.
Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode.

Cryptography Course 2008 Lecture 4 Jesper Buus Nielsen Modern Block Ciphers 1/43 Contents Encryption modes –Cipher-Block Chaining (CBC) Mode –Counter mode.
A few open problems in computer security David Wagner University of California, Berkeley.

A few open problems in computer security David Wagner University of California, Berkeley.
Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.

Session 6: Introduction to cryptanalysis part 2. Symmetric systems The sources of vulnerabilities regarding linearity in block ciphers are S-boxes. Example.
FEAL FEAL 1.

FEAL FEAL 1.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

Similar presentations

Ads by Google