Distinguisher and Related-Key Attack on the Full AES-256
Presenter: Tae-Joon Kim, Jong yun Jun
Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic
CRYPTO, 2009

Contents
● AES-256
● Distinguisher
● Multicollision Distinguisher
● Related-Key Attack
● Conclusion

AES (Advanced Encryption Standard)
● Adopted by the National Institute of Standards and Technology (NIST) on May 26, 2002
● Block cipher
● Intended to replace DES and 3DES
● DES is vulnerable to differential attacks
● 3DES has slow performance

AES (Advanced Encryption Standard)
● Simple to design (HW/SW)
● High speed
● Low memory cost
● Variable key size (> 128 bit)
● Security
● Only side-channel attacks (until this paper)

AES-256
[Diagram: AES-256 encrypts plaintext P to ciphertext C in 14 rounds. The key scheduler derives a subkey from key K for each round, one key schedule round at a time. Rounds n and n+1 each apply SubBytes, ShiftRows, MixColumns.]

AES-256
[Figure from Wikipedia]

Distinguisher
● A difference in behavior between an ideal cipher and a particular cipher
● The difference may be a weakness
● An attacker can exploit the difference

Multicollision Distinguisher
● Let $K_i' = K_i \oplus \Delta K$, $P_i' = P_i \oplus \Delta P$, $C_i = E_{K_i}(P_i)$, $C_i' = E_{K_i'}(P_i')$
● $C_i \oplus C_i' = \text{constant}$

Multicollision in Ideal Cipher
● Random oracle model
● Constructing a differential q-multicollision needs at least $O\left(q \cdot 2^{\frac{q-2}{q+2} n}\right)$ queries (n: block bits)

Multicollision in AES-256
● A weakness example: local collision
● q-multicollisions can be found in $q \cdot 2^{67}$ (where P 0)
● Let $K_i' = K_i \oplus \Delta K$, $P_i' = P_i \oplus \Delta P$, $C_i = E_{K_i}(P_i)$, $C_i' = E_{K_i'}(P_i')$
● $C_i \oplus C_i' = \text{constant}$

Practical Distinguisher
● Partial q-multicollision: P 0
● Reduced to $q \cdot 2^{37}$
● Several hours on a PC

Practical Distinguisher
● 10-multicollision, 14-round AES-256
…

Related-Key Attack
● Attacker can perform chosen plaintext attacks with different keys and compare the results of each
● Different keys may have some mathematical relationship
● WEP (Wired Equivalent Privacy)
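
As an added illustration of the related-key setting above (not code from the slides or the paper), the following implements the AES-256 key expansion from FIPS-197 and reports how an XOR key difference ΔK shows up in each round subkey. The key is the FIPS-197 Appendix A.3 example key; `DELTA_K` and the function names are assumptions chosen for this demonstration.

```python
# Added example: AES-256 key expansion and round-key differences for K and K xor dK.
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def build_sbox():
    """Derive the AES S-box: field inverse, then the affine transformation."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def expand_key_256(key):
    """Return the 15 round keys (16 bytes each) of a 32-byte AES-256 key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:                      # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        elif i % 8 == 4:                    # extra SubWord specific to AES-256
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word) for r in range(15)]

def round_key_differences(key, delta_k):
    """Per round key: (XOR difference as hex, number of non-zero bytes)."""
    related = bytes(a ^ b for a, b in zip(key, delta_k))
    pairs = zip(expand_key_256(key), expand_key_256(related))
    diffs = [bytes(a ^ b for a, b in zip(x, y)) for x, y in pairs]
    return [(d.hex(), sum(1 for b in d if b)) for d in diffs]

KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                    "1f352c073b6108d72d9810a30914dff4")  # FIPS-197 A.3 example key
DELTA_K = bytes([0x01] + [0] * 31)       # constructed one-byte key difference
```

Calling `round_key_differences(KEY, DELTA_K)` shows the first five round keys differing in only 1, 0, 4, 4 and 6 bytes, so a small key difference stays sparse through the early key schedule rounds.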

Conclusion
● q-multicollisions in AES-256 can be constructed more easily than in an ideal cipher
● AES-256 cannot be modeled as an ideal cipher
● New design criteria
● Avoid local collisions (at least avoid patterns for n rounds)
● Desynchronize key schedule and internal state
Q & A