DOCSLIB.ORG

Combined Attacks — from Boomerangs to Sandwiches and Differential-Linear

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Combined Attacks — from Boomerangs to Sandwiches and Differential-Linear Introduction Boomerang Diff-Lin Summary Combined Attacks — from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman Department of Computer Science, University of Haifa June 5th, 2014 Orr Dunkelman Combined Attacks 1/ 36 Introduction Boomerang Diff-Lin Summary Outline 1 A Quick Introduction Differential Cryptanalysis Linear Cryptanalysis 2 The Boomerang Attack The Boomerang Attack The Amplified Boomerang Attack Independence Assumptions The Sandwich Attack 3 Differential-Linear Cryptanalysis The Basic Concept A Differential-Linear Attack on 8-Round DES Several Extensions to Differential-Linear Cryptanalysis 4 Summary Orr Dunkelman Combined Attacks 2/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Differential Cryptanalysis ◮ Considers the development of differences through the encryption process. ◮ The core of the attack: a differential characteristic (a prediction of the development of differences through the encryption process). ◮ Given a differential characteristic with probability p, the adversary asks for O(1/p) pairs of plaintexts (P, P∗ = P ⊕ ΩP ). ◮ The attack tries to locate “right pairs”, i.e., a pair whose corresponding ciphertexts satisfy C ∗ = C ⊕ ΩC . ◮ Information about the key can be learnt from the right pair. Orr Dunkelman Combined Attacks 3/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Differential Cryptanalysis (cont.) ◮ To attack more rounds of the cipher than in the differential characteristic: ◮ Guess subkey material in the additional rounds, ◮ Partially encrypt/decrypt the plaintext/ciphertext pairs, ◮ Count how many “right pairs” exist, ◮ The counter for the right subkey is expected to be the highest. ◮ In such attacks, we care less about “which pair is a right pair”, and more about how many such pairs exist. ◮ Hence, for this sort of attacks, we are only interested in the input and output differences. ◮ This set of (ΩP , ΩC ) and the associated probability is called a differential. Its probability is the sum of the probabilities of all differential characteristics that share ΩP and ΩC . Orr Dunkelman Combined Attacks 4/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Differential Characteristic of DES A three-round differential characteristic of DES with probability 1/16: ΩP =400800 00 04000000x A =40 08 00 00 a =04 00 00 00 p = 1 ′ x F ′ x 4 B b p ′ =0x F ′ =0x =1 C =40 08 00 00 c =04 00 00 00 p = 1 ′ x F ′ x 4 ΩT =40080000 0400 0000x Orr Dunkelman Combined Attacks 5/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Differential Characteristic of DES (cont.) A 3-round truncated differential characteristic of DES: ΩP =400000 00 00000000x A a p ′ =0 F ′ =0 =1 B W XY Z b p ′ = 00 0 0 x F ′ =40 00 00 00x =1 = P(V 0 00 00 00x ) C M c W XY Z p ′ =?? ?? ? ??x F ′ = 00 0 0 x =1 = P(0? ?? ?? 0?x ) ΩT =?? ?? M??? 00 W 0 XY 0Zx Orr Dunkelman Combined Attacks 6/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Linear Cryptanalysis ◮ Tries to approximate the cipher (or a reduced-round variant of it) as a linear equation: λP · P ⊕ λC · C = λK · K with probability 1/2+ ǫ. ◮ 2 Collect N = O(ǫ− ) known plaintext/ciphertext pairs. The majority are expected to satisfy λP · P ⊕ λC · C = λK · K (when ǫ> 0). ◮ To attack more rounds than in the linear approximation: ◮ Guess subkey material in the additional rounds, ◮ Partially encrypt/decrypt the plaintext/ciphertext pairs, ◮ Count how many times λP · P ⊕ λC · C = 0, ◮ The counter for the right subkey is expected to be more biased. Orr Dunkelman Combined Attacks 7/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Linear Cryptanalysis (cont.) ◮ The attack is actually a random process. ◮ Consider the following scenario: ◮ There are 2s possible subkeys. ◮ We want the right subkey to be among the 2a most biased ones. x ◮ Let Φ(x)= 1 e x2/2dx. √2π − −∞ ◮ A linear attackR with N = c/ǫ2 known plaintexts has a success probability of 1 a 1 Ps = Φ 2c − Φ− 1 − 2− − . To achieve a success probability of Ps , set 1 1 a 1 2 Φ− (Ps ) + Φ− (1 − 2− − ) 2 N = · ǫ− . 2 Orr Dunkelman Combined Attacks 8/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Linear Approximation of DES A three-round linear approximation of DES with bias 20 2 25 1/2+2 · ( 64 ) =1/2+ 128 : λT =21040080 00008000x 20 A′ =21 04 00 80 a′ =00 00 80 00 1/2 − x F x 64 = P(00 00 F 0 00x ) B =0 b =0 1/2+1/2 ′ F ′ C =21 04 00 80 c =00 00 80 00 1/2 − 20 ′ x F ′ x 64 = P(00 00 F 0 00x ) λC = λT =2104 0080 00008000x Orr Dunkelman Combined Attacks 9/ 36 Introduction Boomerang Diff-Lin Summary Differential Linear Some General Comments ◮ Finding good differential characteristics/linear approximation is a hard task. ◮ Some automatic tools exist (Matsui’s method), but it is better to study the algorithm. ◮ Sometimes, a better attack is obtained when using differentials (approximations) of lower probability (bias). ◮ Many optimizations for both attacks exist. Consider differential cryptanalysis: ◮ Structures of plaintexts, ◮ Discarding wrong pairs (early abort), ◮ Using multiple differentials, Orr Dunkelman Combined Attacks 10/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Boomerang Attack ◮ Introduced by [W99]. P1 P3 ◮ Targets ciphers with good short α α P P differentials, but bad long ones. 2 4 ◮ The core idea: Treat the cipher as a E0 γ cascade of two sub-ciphers. Where T1 T3 β β in the first sub-cipher a differential γ E0 T T α −→ β exists, and a differential 2 4 E γ −→1 δ exists for the second. ◮ E1 The process starts with a pair of C1 C3 plaintexts: P1, P2 = P1 ⊕ α. δ C C ◮ 2 4 After the first sub-cipher, δ T1 ⊕ T2 = β. ◮ ButOrr the Dunkelman encryptionCombined process Attacks 11/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Boomerang Attack — Some Details ◮ If the probability of the first differential is p, and of the second differential is q, the total probability of the boomerang quartet is Pr[α → β]2 · Pr[γ → δ]2 =(pq)2. ◮ Note that we use three out of the four differentials in the backward direction. ◮ For regular differentials, the probability is the same. ◮ However, for truncated differentials, the probability is not necessarily the same. Orr Dunkelman Combined Attacks 12/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Boomerang Attack — Some More Details ◮ A right boomerang quartet discloses information about the key. ◮ At the same time, the attack is an adaptive chosen plaintext and ciphertext attack. ◮ This prevents us from using many of the cryptanalytic techniques that were proposed over the years. ◮ To overcome this, we need to transform the attack into a chosen plaintext attack. Orr Dunkelman Combined Attacks 13/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Amplified Boomerang Attack ◮ Pi Pj Introduced by [KKS00]. 1 1 ◮ Similar idea to the boomerang α α Pi Pj attack, but in a chosen plaintext 2 2 scenario. ◮ E0 γ Again, assume the existence of two T i T j 1 1 E0 β β differentials: α −→ β for the first γ E T i T j sub-cipher and γ −→1 δ for the 2 2 second. ◮ E1 Take many pairs of plaintext with C i C j 1 1 i i i δ difference α: P1, P2 = P1 ⊕ α. C i C j ◮ 2 2 After the first sub-cipher, for some δ i i of them T1 ⊕ T2 = β. ◮ If weOrr haveDunkelman manyCombined pairs Attacks 14/ 36 ii i Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Amplified Boomerang Attack — Some Details ◮ If the probability of the first differential is p, and of the second differential is q, the total probability of the amplified boomerang quartet is 2 2 n 2 n Pr[α → β] ·Pr[γ → δ] ·2− =(pq) ·2− . ◮ In other words, the probability is less than 2−n! Orr Dunkelman Combined Attacks 15/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Amplified Boomerang Attack — Some Details (cont.) ◮ If we take N pair with input difference α, we obtain about N2/2 quartets. ◮ Hence, we expect 2 2 n N /2 · (pq) · 2− right amplified boomerang quartets. ◮ Start with N = O(2n/2/pq) pairs. ◮ n/2 As long as (pq) > 2− , we can have enough data to run the attack. ◮ Which is the same condition as for the boomerang attack. Orr Dunkelman Combined Attacks 16/ 36 Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich The Rectangle Attack — Three Improvements i i j j 1 If the quartet ((P1, P2), (P1, P2)) is not a right quartet, i i j j then maybe ((P1, P2), (P2, P1)) is a right one? i i j j 2 If T1 ⊕ T2 = β′, but so does T1 ⊕ T2 = β′, we can still get a right quartet. i j i j 3 If T1 ⊕ T1 = γ′, but so does T2 ⊕ T2 = γ′, we can still get a right quartet. Expected number of right quartets starting with N pairs: 2 n+1 2 N · 2− · (pq) 2 n 2 N · 2− · (pq) 2 n E0 2 2 N · 2− · Pr[α −→ β′] q ′ ! Xβ 2 n E0 2 E1 2 N · 2− · Pr[α −→ β′] · Pr[γ′ −→ δ] Orr Dunkelman Combined′ Attacks ! ′ ! 17/ 36 Xβ Xγ Introduction Boomerang Diff-Lin Summary Boomerang Amp. Boom. Independence Sandwich A Technical Problem... ◮ In the boomerang attack the quartet is fully known. ◮ In the amplified boomerang attack, one needs to find the quartets among all possible ones.
Load more

Recommended publications
  • Improved Rectangle Attacks on SKINNY and CRAFT
    Improved Rectangle Attacks on SKINNY and CRAFT Hosein Hadipour1, Nasour Bagheri2 and Ling Song3( ) 1 Department of Mathematics and Computer Science, University of Tehran, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, [email protected] 3 Jinan University, Guangzhou, China [email protected] Abstract. The boomerang and rectangle attacks are adaptions of differential crypt- analysis that regard the target cipher E as a composition of two sub-ciphers, i.e., 2 2 E = E1 ◦ E0, to construct a distinguisher for E with probability p q by concatenat- ing two short differential trails for E0 and E1 with probability p and q respectively. According to the previous research, the dependency between these two differential characteristics has a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman et al. proposed the sandwich attack to formalise such dependency that regards E as three parts, i.e., E = E1 ◦ Em ◦ E0, where Em contains the dependency between two differential trails, satisfying some differential propagation with probability r. Accordingly, the entire probability is p2q2r. Recently, Song et al. have proposed a general framework to identify the actual boundaries of Em and systematically evaluate the probability of Em with any number of rounds, and applied their method to accurately evaluate the probabilities of the best SKINNY’s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for SKINNY can be significantly improved in terms of probability and number of rounds.
    [Show full text]
  • Lecture Note 8 ATTACKS on CRYPTOSYSTEMS I Sourav Mukhopadhyay
    Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems • Up to this point, we have mainly seen how ciphers are implemented. • We have seen how symmetric ciphers such as DES and AES use the idea of substitution and permutation to provide security and also how asymmetric systems such as RSA and Diffie Hellman use other methods. • What we haven’t really looked at are attacks on cryptographic systems. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 1 • An understanding of certain attacks will help you to understand the reasons behind the structure of certain algorithms (such as Rijndael) as they are designed to thwart known attacks. • Although we are not going to exhaust all possible avenues of attack, we will get an idea of how cryptanalysts go about attacking ciphers. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 2 • This section is really split up into two classes of attack: Cryptanalytic attacks and Implementation attacks. • The former tries to attack mathematical weaknesses in the algorithms whereas the latter tries to attack the specific implementation of the cipher (such as a smartcard system). • The following attacks can refer to either of the two classes (all forms of attack assume the attacker knows the encryption algorithm): Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 3 – Ciphertext-only attack: In this attack the attacker knows only the ciphertext to be decoded. The attacker will try to find the key or decrypt one or more pieces of ciphertext (only relatively weak algorithms fail to withstand a ciphertext-only attack).
    [Show full text]
  • Hash Functions and the (Amplified) Boomerang Attack
    Hash Functions and the (Amplified) Boomerang Attack Antoine Joux1,3 and Thomas Peyrin2,3 1 DGA 2 France T´el´ecomR&D [email protected] 3 Universit´ede Versailles Saint-Quentin-en-Yvelines [email protected] Abstract. Since Crypto 2004, hash functions have been the target of many at- tacks which showed that several well-known functions such as SHA-0 or MD5 can no longer be considered secure collision free hash functions. These attacks use classical cryptographic techniques from block cipher analysis such as differential cryptanal- ysis together with some specific methods. Among those, we can cite the neutral bits of Biham and Chen or the message modification techniques of Wang et al. In this paper, we show that another tool of block cipher analysis, the boomerang attack, can also be used in this context. In particular, we show that using this boomerang attack as a neutral bits tool, it becomes possible to lower the complexity of the attacks on SHA-1. Key words: hash functions, boomerang attack, SHA-1. 1 Introduction The most famous design principle for dedicated hash functions is indisputably the MD-SHA family, firstly introduced by R. Rivest with MD4 [16] in 1990 and its improved version MD5 [15] in 1991. Two years after, the NIST publishes [12] a very similar hash function, SHA-0, that will be patched [13] in 1995 to give birth to SHA-1. This family is still very active, as NIST recently proposed [14] a 256-bit new version SHA-256 in order to anticipate the potential cryptanalysis results and also to increase its security with regard to the fast growth of the computation power.
    [Show full text]
  • Boomerang Analysis Method Based on Block Cipher
    International Journal of Security and Its Application Vol.11, No.1 (2017), pp.165-178 http://dx.doi.org/10.14257/ijsia.2017.11.1.14 Boomerang Analysis Method Based on Block Cipher Fan Aiwan and Yang Zhaofeng Computer School, Pingdingshan University, Pingdingshan, 467002 Henan province, China { Fan Aiwan} [email protected] Abstract This paper fused together the related key analysis and differential analysis and did multiple rounds of attack analysis for the DES block cipher. On the basis of deep analysis of Boomerang algorithm principle, combined with the characteristics of the key arrangement of the DES block cipher, the 8 round DES attack experiment and the 9 round DES attack experiment were designed based on the Boomerang algorithm. The experimental results show that, after the design of this paper, the value of calculation complexity of DES block cipher is only 240 and the analysis performance is greatly improved by the method of Boomerang attack. Keywords: block cipher, DES, Boomerang, Computational complexity 1. Introduction With the advent of the information society, especially the extensive application of the Internet to break the traditional limitations of time and space, which brings great convenience to people. However, at the same time, a large amount of sensitive information is transmitted through the channel or computer network, especially the rapid development of e-commerce and e-government, more and more personal information such as bank accounts require strict confidentiality, how to guarantee the security of information is particularly important [1-2]. The essence of information security is to protect the information system or the information resources in the information network from various types of threats, interference and destruction, that is, to ensure the security of information [3].
    [Show full text]
  • Report on the AES Candidates
    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F
    Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms .
    [Show full text]
  • Cryptanalysis of Block Ciphers
    Cryptanalysis of Block Ciphers Jiqiang Lu Technical Report RHUL–MA–2008–19 30 July 2008 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports CRYPTANALYSIS OF BLOCK CIPHERS JIQIANG LU Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group of Royal Holloway, University of London as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jiqiang Lu July 2008 2 Acknowledgements First of all, I thank my supervisor Prof. Chris Mitchell for suggesting block cipher cryptanalysis as my research topic when I began my Ph.D. studies in September 2005. I had never done research in this challenging ¯eld before, but I soon found it to be really interesting. Every time I ¯nished a manuscript, Chris would give me detailed comments on it, both editorial and technical, which not only bene¯tted my research, but also improved my written English. Chris' comments are fantastic, and it is straightforward to follow them to make revisions. I thank my advisor Dr. Alex Dent for his constructive suggestions, although we work in very di®erent ¯elds.
    [Show full text]
  • Differential-Linear Cryptanalysis Revisited
    Differential-Linear Cryptanalysis Revisited C´elineBlondeau1 and Gregor Leander2 and Kaisa Nyberg1 1 Department of Information and Computer Science, Aalto University School of Science, Finland fceline.blondeau, [email protected] 2 Faculty of Electrical Engineering and Information Technology, Ruhr Universit¨atBochum, Germany [email protected] Abstract. Block ciphers are arguably the most widely used type of cryptographic primitives. We are not able to assess the security of a block cipher as such, but only its security against known attacks. The two main classes of attacks are linear and differential attacks and their variants. While a fundamental link between differential and linear crypt- analysis was already given in 1994 by Chabaud and Vaudenay, these at- tacks have been studied independently. Only recently, in 2013 Blondeau and Nyberg used the link to compute the probability of a differential given the correlations of many linear approximations. On the cryptana- lytical side, differential and linear attacks have been applied on different parts of the cipher and then combined to one distinguisher over the ci- pher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. In this paper we take the natural step and apply the theoretical link between linear and differential cryptanalysis to differential-linear cryptanalysis to develop a concise theory of this method. We give an exact expression of the bias of a differential-linear approximation in a closed form under the sole assumption that the two parts of the cipher are independent. We also show how, under a clear assumption, to approximate the bias effi- ciently, and perform experiments on it.
    [Show full text]
  • Boomerang Connectivity Table: a New Cryptanalysis Tool
    Boomerang Connectivity Table: A New Cryptanalysis Tool Carlos Cid1, Tao Huang2, Thomas Peyrin2;3;4, Yu Sasaki5, and Ling Song2;3;6 1 Information Security Group Royal Holloway, University of London, UK [email protected] 2 School of Physical and Mathematical Sciences Nanyang Technological University, Singapore [email protected] [email protected] [email protected] 3 Temasek Laboratories, Nanyang Technological University, Singapore 4 School of Computer Science and Engineering Nanyang Technological University, Singapore 5 NTT Secure Platform Laboratories, Japan [email protected] 6 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China Abstract. A boomerang attack is a cryptanalysis framework that re- gards a block cipher E as the composition of two sub-ciphers E1 ◦E0 and builds a particular characteristic for E with probability p2q2 by combin- ing differential characteristics for E0 and E1 with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for E0 and E1 can be chosen independently. In- deed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers ob- served that the probability can be improved to p or q around the bound- ary between E0 and E1 by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as E1 ◦ Em ◦ E0, where Em sat- isfies some differential propagation among four texts with probability r, and the entire probability is p2q2r.
    [Show full text]
  • The Retracing Boomerang Attack
    The Retracing Boomerang Attack Orr Dunkelman1, Nathan Keller2, Eyal Ronen3;4, and Adi Shamir5 1 Computer Science Department, University of Haifa, Israel [email protected] 2 Department of Mathematics, Bar-Ilan University, Israel [email protected] 3 School of Computer Science, Tel Aviv University, Tel Aviv, Israel [email protected] 4 COSIC, KU Leuven, Heverlee, Belgium 5 Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Israel [email protected] Abstract. Boomerang attacks are extensions of differential attacks, that make it possible to combine two unrelated differential properties of the first and second part of a cryptosystem with probabilities p and q into a new differential-like property of the whole cryptosystem with probability p2q2 (since each one of the properties has to be satisfied twice). In this paper we describe a new version of boomerang attacks which uses the counterintuitive idea of throwing out most of the data (including poten- tially good cases) in order to force equalities between certain values on the ciphertext side. This creates a correlation between the four proba- bilistic events, which increases the probability of the combined property to p2q and increases the signal to noise ratio of the resultant distin- guisher. We call this variant a retracing boomerang attack since we make sure that the boomerang we throw follows the same path on its forward and backward directions. To demonstrate the power of the new technique, we apply it to the case of 5-round AES. This version of AES was repeatedly attacked by a large variety of techniques, but for twenty years its complexity had remained stuck at 232.
    [Show full text]
  • SKINNY-AEAD and SKINNY-Hash Specification
    SKINNY-AEAD and SKINNY-Hash v1.1 Christof Beierle1;4, J´er´emy Jean2, Stefan K¨olbl3, Gregor Leander4, Amir Moradi4, Thomas Peyrin5, Yu Sasaki6, Pascal Sasdrich4;7, and Siang Meng Sim5 1 SnT, University of Luxembourg, Luxembourg [email protected] 2 ANSSI, Paris, France [email protected] 3 Cybercrypt A/S, Denmark [email protected] 4 Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨atBochum, Germany [email protected] 5 School of Physical and Mathematical Sciences Nanyang Technological University, Singapore [email protected], [email protected] 6 NTT Secure Platform Laboratories, Japan [email protected] 7 Rambus Cryptography, The Netherlands Table of Contents 1 Introduction...........................................................3 2 Specification..........................................................5 2.1 Notations........................................................5 2.2 Parameter Sets....................................................5 2.3 The Tweakable Block Ciphers SKINNY-128-256 and SKINNY-128-384 ....6 2.4 The AEAD Scheme SKINNY-AEAD....................................9 2.5 The Hash Functionality SKINNY-Hash ................................ 26 3 Security Claims........................................................ 29 4 Design Rationale....................................................... 31 4.1 Rationale for the Tweakable Block Ciphers........................... 31 4.2 Rationale for the AEAD scheme..................................... 33 4.3 Rationale for the Hash Function Scheme............................
    [Show full text]