Automatic Cryptanalysis of Block Ciphers with CP


Automatic Cryptanalysis of Block Ciphers with CP
A case study: related-key differential cryptanalysis
David Gerault, LIMOS, University Clermont Auvergne
This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier, Christine Solnon, Siwei Sun, Qianqian Yang, Yosuke Todo, Kexin Qiao and Lei Hu.
Summer school on Real World Crypto
(Slide footer: David Gerault (LIMOS, University Clermont Auvergne), Automatic Cryptanalysis of Block Ciphers with CP, Summer school on Real World Crypto, 1 / 21)

Block Ciphers
Hi Sibenik!
A keyed permutation E : {0, 1}^K × {0, 1}^P → {0, 1}^P takes a key K and a plaintext X to a ciphertext C.
Generally a simple function iterated n times (rounds).
Expected property: indistinguishable from a random permutation if K is unknown.

Attacking a block cipher
Chosen plaintext: the attacker sends X to an oracle, which returns C = f_K(X).
Is f = E, or a random permutation π?
Distinguishing E from π is a weaker goal than recovering K (a key recovery gives a distinguisher for free).
The attacker can encrypt messages of his choice and tries to recover the hidden key K.

Related Key Model
Chosen plaintext: the oracle encrypts X under the key K ⊕ δk and returns C.
The attacker chooses δk (but K remains hidden).
Allowed by certain protocols / real-life applications.
A block cipher should be secure in the related-key model.
The best published attacks against AES are related-key attacks.

Related Key Attack
Encrypt X under K to get C, and X' = X ⊕ δx under K ⊕ δk to get C'. What is δc = C ⊕ C'?
Distribution of δc for chosen δx, δk and random X and K:
If f = π: uniform.
If f = E: not uniform!
Distinguishing attack: the attacker requests many encryptions with input difference (δx, δk) and observes whether there is a bias in the distribution of δc.

Differential characteristics
The higher the bias Pr[(δx, δk) → δc], the better the attack!
[Figure: one AES round on differences. δx and δk enter; δa, δb, δd, δe and δf are the intermediate differences through SB, SR, MC and ARK; δc comes out.]
Differential characteristics (i.e. propagation patterns (δx, δk) → δc) with optimal probability are needed, but difficult to find!
Fix δx, δk; apply known propagation rules to obtain the most likely δc.

We did it! With CP
Problem → convert to a CSP model → feed it to a solver → one solution, all solutions, or the optimal solution.
Holy Grail: "Constraint programming represents one of the closest approaches computer science has yet made to the holy grail of programming: the user states the problem, the computer solves it." (E. Freuder)

CSP
Variables: define variables on given domains, e.g. x in [23..42], bool y, array [1..N, 1..M] of floats δ, ...
Constraints: define relations between these variables, e.g. x + y < 5, sum(allvariables) = 10, or a table constraint listing the allowed tuples: (a, b, c) ∈ {(2, 3, 4), (1, 7, 2)}.
Objective function (optional): define an objective function to optimize, e.g. maximize(sum(δ)).
Feed it to the solver, and let the magic happen...

Why another automatic tool?
Other automatic tools exist: SAT (Boolean variables), Mixed Integer Linear Programming (MILP) (linear inequalities), ...
Question: why yet another one?
Response: generalization! CP has no limitations on variables nor constraints, it uses algorithms from the other methods, and there exist tools translating from CP to the others.

Related Work & Contributions: AES
Problem: standard since 2000. Finding optimal RK differential characteristics on AES-128, AES-192 and AES-256.
Previous work:
Biryukov et al., 2010: Branch & Bound; several hours (AES-128), several weeks (AES-192).
Fouque et al., 2013: graph traversal; 30 minutes, 60 GB of memory, 12 cores (AES-128).
Our results: 25 minutes (AES-128), 24 hours (AES-192), 30 minutes (AES-256). New (better) differential characteristics on all versions. Disproved an incorrect one found in previous work.

Related Work & Contributions: Midori
Problem: lightweight block cipher, 2015. Finding optimal RK differential characteristics on Midori-64 and Midori-128.
Previous work: Midori-64: Dong, 2016: custom algorithm, 14 rounds (out of 16), 2^116 operations. Midori-128: not done.
Our results (Indocrypt 2016): a few hours; full-round characteristics for both versions. Practical attacks: Midori-64 in 2^35, Midori-128 in 2^43.

Other directions: FSE 2017
Problem: searching for integral, zero-correlation linear and impossible differential distinguishers on various block ciphers.
Results: PRESENT, HIGHT, SKINNY. Reproduced results from the literature. New distinguisher on SKINNY.

Conclusion and future challenges
CP is readable and easy to use.
It is less error prone than custom code.
It performs better than the other approaches (on the problems above).
It generalizes MILP and SAT.
Use CP!

Thank you for your attention

Other ways to improve a CP model
Variable ordering: start with the most constrained one.
Value choice: if you want to minimize a sum, assigning variables to 0 first is a good idea.
Black-box heuristics: domain over weighted degree, etc.
Restarts: reseed the black-box strategy after some time.
Other methods: the power of MiniZinc.
Parallel solving: not trivial, but it can help.

2-step solving
Step 1: Boolean abstraction (Δ = 0 if δ = 0, Δ = 1 if δ ≠ 0): find candidate solutions.
Step 2: actual byte values: check their consistency.
Step 1: Step1(n) gives an output O = (ΔX, ΔK, ΔC) and the corresponding difference propagation path, such that the number of active S-boxes is minimal.
Step 2: Step2(O) returns a probability and the difference values along the path if O is consistent, 0 otherwise.
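The "known propagation rules" of slide 6, the non-uniform δc distribution of slide 5 and the probability that Step2 returns all come from the same object: the difference distribution table (DDT) of the S-box. The following is an added example, not code from the talk or the papers it summarises. It builds the DDT of the public PRESENT S-box, reports the most likely nontrivial transition (the bias a distinguisher exploits), and evaluates a characteristic given as its list of S-box transitions, returning 0 when a transition is impossible, i.e. when the path is inconsistent. The sample paths are constructed for illustration and are not characteristics from the slides.

```python
from math import log2

# PRESENT S-box, as published by Bogdanov et al., 2007 (4-bit, bijective).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """Difference distribution table: table[din][dout] counts the inputs x
    with S(x) ^ S(x ^ din) == dout. Dividing by len(sbox) gives
    Pr[din -> dout], the propagation rule used when searching characteristics."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            dout = sbox[x] ^ sbox[x ^ din]
            table[din][dout] += 1
    return table


def transition_probability(table, din, dout):
    """Pr[din -> dout] for a single S-box."""
    return table[din][dout] / len(table)


def best_nontrivial_probability(table):
    """Highest Pr[din -> dout] over din != 0. A random permutation would not
    favour any transition; a real S-box has transitions well above the
    uniform 1/n, which is the bias a differential distinguisher observes."""
    n = len(table)
    return max(table[din][dout] for din in range(1, n) for dout in range(n)) / n


def characteristic_probability(table, path):
    """Step-2 style evaluation of a characteristic given as the list of
    (din, dout) transitions through its active S-boxes: the product of the
    per-S-box probabilities (independent-rounds assumption), or 0.0 when a
    transition has a zero DDT entry, i.e. the path is inconsistent."""
    p = 1.0
    for din, dout in path:
        if table[din][dout] == 0:
            return 0.0
        p *= transition_probability(table, din, dout)
    return p


def weight(p):
    """-log2 of a probability: the cost a solver minimises."""
    return -log2(p)


if __name__ == "__main__":
    t = ddt(PRESENT_SBOX)
    print("best single S-box transition probability:", best_nontrivial_probability(t))
    # Constructed sample paths with two active S-boxes (not from the slides).
    good = [(0x1, 0x9), (0x1, 0x3)]   # both transitions have DDT entry 4
    bad = [(0x1, 0x9), (0x1, 0x1)]    # 1 -> 1 never happens through this S-box
    p = characteristic_probability(t, good)
    print("consistent path: probability", p, "weight", weight(p))
    print("inconsistent path: probability", characteristic_probability(t, bad))
```

Each row of the DDT sums to the number of inputs, and for PRESENT no nontrivial entry exceeds 4, so any single S-box transition has probability at most 2^-2; a characteristic with k active S-boxes therefore has probability at most 2^-2k, which is why Step 1 minimises the number of active S-boxes before Step 2 computes the exact probability.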

Modelling properly
Straightforward modelling: with a naive approach, more than 90 million inconsistent step-1 solutions are found for 4 rounds of AES-128 with 11 active S-boxes.
More elaborate modelling: with a more subtle approach, 0 inconsistent solutions.

Example: XOR constraint
Byte values: δA ⊕ δB = δC (white = 0, coloured ≠ 0). For instance 0 ⊕ x = x, x ⊕ y = z, x ⊕ x = 0.
Boolean abstraction: ΔA ⊕ ΔB = ΔC. The same three cases become 0 ⊕ 1 = 1, 1 ⊕ 1 = ?, 1 ⊕ 1 = ?; the abstraction cannot tell x ⊕ y (nonzero) from x ⊕ x (zero), so the only rule it knows is the table
ΔA ΔB ΔC
 0  0  0
 0  1  1
 1  0  1
 1  1  ?
Inferring equalities: XORs introduce a lot of branching, but storing information about equality or difference during step 1 helps filtering a lot!
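The two previous slides (the naive abstraction producing millions of inconsistent step-1 solutions, and the equality information that removes them) can be reproduced on a toy. The following is an added example, not code from the talk: a constructed network of three XOR constraints on nibble differences A..E, in which D = A ⊕ (A ⊕ B) is always equal to B and E = B ⊕ D is always zero. Step 1 enumerates activity patterns with the per-XOR rule above, Step 2 checks each pattern against actual nibble values, and the refined Step 1 tracks each difference as a GF(2) combination of the free inputs so that equal differences share an activity bit and a zero combination is forced inactive. The enumeration is exhaustive here instead of being handed to a CP solver.

```python
from itertools import product

# Toy difference-propagation network, constructed for this example (not an AES
# model): five nibble differences A..E linked by three XOR constraints
#   C = A ^ B,   D = A ^ C,   E = B ^ D
# so algebraically D = B and E = 0, which a per-XOR Boolean abstraction cannot see.
XORS = [("A", "B", "C"), ("A", "C", "D"), ("B", "D", "E")]
VARS = ["A", "B", "C", "D", "E"]
FREE = ["A", "B"]        # independent inputs; C, D, E are determined by them
NIBBLES = range(16)


def xor_abstract_ok(x, y, z):
    """Step-1 propagation rule for one XOR on activity bits (1 = nonzero
    difference): (0,0)->0, (0,1)->1, (1,0)->1 are forced, (1,1)->? is not."""
    if x == 1 and y == 1:
        return True
    return z == (x ^ y)


def step1_naive():
    """Every activity pattern that satisfies each XOR abstraction on its own."""
    sols = []
    for bits in product((0, 1), repeat=len(VARS)):
        d = dict(zip(VARS, bits))
        if all(xor_abstract_ok(d[x], d[y], d[z]) for x, y, z in XORS):
            sols.append(d)
    return sols


def step2_consistent(pattern):
    """Step 2: is there an assignment of actual nibble differences that
    realises this activity pattern? Exhaustive over the two free inputs."""
    for a, b in product(NIBBLES, NIBBLES):
        vals = {"A": a, "B": b}
        for x, y, z in XORS:
            vals[z] = vals[x] ^ vals[y]
        if all((vals[v] != 0) == bool(pattern[v]) for v in VARS):
            return True
    return False


def step1_with_equalities():
    """Refined step 1: represent each difference as the set of free inputs
    it is the XOR of (XOR of sets = symmetric difference over GF(2)).
    Variables with the same set are equal, so they must have the same
    activity bit; an empty set is the zero difference, so it is inactive."""
    combos = {v: frozenset([v]) for v in FREE}
    for x, y, z in XORS:
        combos[z] = combos[x] ^ combos[y]
    sols = []
    for d in step1_naive():
        if any(d[v] == 1 and not combos[v] for v in VARS):
            continue
        if any(d[u] != d[v] for u in VARS for v in VARS if combos[u] == combos[v]):
            continue
        sols.append(d)
    return sols


def count_inconsistent(solutions):
    """How many step-1 candidates step 2 has to throw away."""
    return sum(1 for s in solutions if not step2_consistent(s))


if __name__ == "__main__":
    naive = step1_naive()
    refined = step1_with_equalities()
    print("naive step 1:", len(naive), "candidates,",
          count_inconsistent(naive), "inconsistent")
    print("with equalities:", len(refined), "candidates,",
          count_inconsistent(refined), "inconsistent")
```

On this toy the naive abstraction yields 10 candidate patterns of which 5 are inconsistent, and the equality-aware version yields the 5 consistent ones and nothing else; on 4-round AES-128 the same gap is the "90 million versus 0" of the previous slide. Every nibble-level check in Step 2 is a full search, so each inconsistent candidate Step 1 lets through is wasted solver time.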

With which software?
Specific solver: highly customizable, fine-grained tuning (table constraint heuristics, custom constraints, etc.). Choco (Java), Gecode (C++), Sunny-CP (portfolio), Chuffed (uses SAT techniques), and many more...
MiniZinc: a more generic CP language, compiled to FlatZinc, which is read by many solvers, including SAT and MILP solvers. MiniZinc competition.

More details
Choco (Java, Choco 3 factory classes VF, ICF and ISF): general structure
    Solver s = new Solver("Example solver");          // solver
    IntVar X = VF.bounded("X", 0, 5, s);              // variable with domain [0..5]
    s.post(ICF.arithm(X, "!=", 3));                   // constraint X != 3
    IntVar[] allvars = {X};                           // variables to branch on
    long someSeed = 0;                                // seed for the heuristic
    s.set(ISF.domOverWDeg(allvars, someSeed));        // search heuristic
    s.findSolution();                                 // solve
MiniZinc: general structure
    var 0..5: X;                                      % variable with domain 0..5
    constraint X = 5;                                 % constraint
    array[1..1] of var int: allvars = [X];            % variables to branch on
    solve :: int_search(allvars, dom_w_deg, indomain_min, complete) satisfy;  % heuristics and solve

Case study: PRESENT (Bogdanov et al., 2007)
Problem: search for optimal differential characteristics, i.e. difference propagation patterns with the highest possible probability.