Date post: | 02-Jan-2016 |
Distinguisher and Related-Key Attack on the Full AES-256
Presenter: Tae-Joon Kim, Jong yun Jun
Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic
CRYPTO, 2009

Contents
● AES-256
● Distinguisher
● Multicollision Distinguisher
● Related-Key Attack
● Conclusion

AES (Advanced Encryption Standard)
● Adopted by the National Institute of Standards and Technology (NIST) on May 26, 2002.
● Block cipher
● Intended to replace DES and 3DES
  ● DES is vulnerable to differential attacks
  ● 3DES has slow performance

AES (Advanced Encryption Standard)
● Simple to design (HW/SW)
● High speed
● Low memory cost
● Variable key size (> 128 bit)
● Security
  ● Only side-channel attacks (until this paper)

AES-256
[Figure: AES-256 structure. Labels: plaintext P, ciphertext C, key K, 14-round encryption, key scheduler, subkey, key schedule round, Round n, Round n+1; each round: SubBytes, ShiftRows, MixColumns.]

AES-256
[Figure: from Wikipedia]

Distinguisher
● Some difference between an ideal cipher and a given cipher
● The difference may be a weakness
● An attacker can exploit the difference

Multicollision Distinguisher
● Let $K_i' = K_i \oplus \Delta K$, $P_i' = P_i \oplus \Delta P$,
  $C_i = E_{K_i}(P_i)$, $C_i' = E_{K_i'}(P_i')$
● $C_i \oplus C_i' = \text{constant}$
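
An added example, not from the slides or the paper: the multicollision condition above checked on a constructed toy 8-bit cipher whose key difference cancels the plaintext difference, next to an ideal-cipher stand-in built from an independent random permutation per key. The toy cipher, the S-box, the differences and all function names are assumptions for illustration; this is not the AES-256 differential trail.

```python
import random

# Constructed 8-bit S-box (a seeded random permutation), not the AES S-box.
SBOX = list(range(256))
random.Random(2009).shuffle(SBOX)

def toy_encrypt(key, p):
    """Toy cipher (assumption): three key bytes are used directly as subkeys."""
    k0, k1, k2 = key
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2

def ideal_encrypt(key, p):
    """Ideal-cipher stand-in: an independent random permutation for every key."""
    perm = list(range(256))
    random.Random(repr(key)).shuffle(perm)
    return perm[p]

def differences(enc, dk, dp, pairs):
    """Set of C_i xor C_i' over all (K_i, P_i), K_i' = K_i xor dK, P_i' = P_i xor dP."""
    out = set()
    for key, p in pairs:
        key2 = tuple(a ^ b for a, b in zip(key, dk))
        out.add(enc(key, p) ^ enc(key2, p ^ dp))
    return out

def is_multicollision(enc, dk, dp, pairs):
    """Differential q-multicollision: one constant difference for all q pairs."""
    return len(differences(enc, dk, dp, pairs)) == 1

def sample_pairs(q, seed=1):
    """q constructed (key, plaintext) pairs from a seeded generator."""
    rng = random.Random(seed)
    return [(tuple(rng.randrange(256) for _ in range(3)), rng.randrange(256))
            for _ in range(q)]

# dP equals the k0 difference, so the state difference is zero before the first
# S-box and stays zero until the last subkey adds its own difference 0xC3.
DK, DP = (0x5A, 0x00, 0xC3), 0x5A

if __name__ == "__main__":
    pairs = sample_pairs(10)
    print("toy cipher  :", is_multicollision(toy_encrypt, DK, DP, pairs))
    print("ideal cipher:", is_multicollision(ideal_encrypt, DK, DP, pairs))
```

The toy cipher satisfies the condition for every key and plaintext at the cost of 2q encryptions, while the per-key random permutations give unrelated differences; that gap is what a distinguisher measures.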

Multicollision in Ideal Cipher
● Random oracle model
● Constructing a differential q-multicollision needs at least queries (n: block bits)
)2()2( 2
2
nn
q
q
qOqO

Multicollision in AES-256
● A weakness example: local collision
● q-multicollision can be found
in )0 where,( 267 Pq
Let $K_i' = K_i \oplus \Delta K$, $P_i' = P_i \oplus \Delta P$, $C_i = E_{K_i}(P_i)$, $C_i' = E_{K_i'}(P_i')$
$C_i \oplus C_i' = \text{constant}$

Practical Distinguisher
● Partial q-multicollision:
● Reduced to
● Several hours on a PC
0P372q
Practical Distinguisher
● 10-multicollision, 14 round AES-256
…
Related-Key Attack
● The attacker can perform chosen-plaintext attacks with different keys and compare the results of each
● The different keys may have some mathematical relationship
● WEP (Wired Equivalent Privacy)

Related-Key Attack
Conclusion
● A q-multicollision in AES-256 can be constructed more easily than in an ideal cipher
● AES-256 cannot be modeled as an ideal cipher
● New design criteria
  ● Avoid local collisions (at least avoid patterns for n rounds)
  ● Desynchronize the key schedule and the internal state

Q & A