16
Distinguisher and Related-Key Attack on the Full AES-256 Presenter : Tae-Joon Kim Jong yun Jun Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic CRYPTO, 2009
| Date post: | 02-Jan-2016 |
| Category: |
Documents |
| Upload: | fleur-solis |
| View: | 33 times |
| Download: | 0 times |
Distinguisher and Related-Key Attack on the Full AES-256
Presenter : Tae-Joon KimJong yun Jun
Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic
CRYPTO, 2009
2
Contents
● AES-256● Distinguisher● Multicollision Distinguisher● Related-Key Attack● Conclusion
3
AES (Advanced Encryption Standard)
● Adopted by National Institute of Standards and Technology (NIST) on May 26, 2002.
● Block cipher● Intended to replace DES and 3DES
● DES is vulnerable to differential attacks● 3DES has slow performances
4
● Simple to design (HW/SW)● High speed● Low memory cost● Variable key size ( > 128bit)
● Security● Only side-channel attacks
AES (Advanced Encryption Standard)
until this paper
5
AES-256
AES
14 RoundEncryption
P
C
K Key scheduler
Sub key
Key schedule round
Round n
Round n+1
SubBytesShiftRowsMixColumns
SubBytesShiftRowsMixColumns
6
AES-256
From wikipedia
7
Distinguisher
● Some what difference between ideal cipher and certain cipher
● The difference may be a weakness● Attacker can exploit the difference
8
Multicollision Distinguisher
● Let Ki’=Ki ΔK, Pi’=Pi ΔP
Ci = EKi(Pi), Ci’=Eki’
(Pi’)
● Ci Ci’ = constant
9
Multicollision in Ideal Cipher
● Random oracle model● Construct differential q-multicollision
needs at least queries(n : block bits)
)2()2( 2
2
nn
q
q
qOqO
10
Multicollision in AES-256
● An weakness example: Local collision● q-mult. be found
in )0 where,( 267 Pq
Let Ki’=Ki ΔK, Pi’=Pi ΔP Ci = EKi
(Pi), Ci’=Eki’(Pi’)
Ci Ci’ = constant
11
Practical Distinguisher
● Partial q-multicollision:● Reduced to
● Several hours on a PC
0P372q
12
Practical Distinguisher
● 10-multicollision, 14 round AES-256
…
13
Related-Key Attack
● Attacker can perform chosen plaintext attacks with different keys and compare the results of each
● Different keys may have some mathematical relationship
● WEP (Wired Equivalent Privacy)
14
Related-Key Attack
15
Conclusion
● q-multicollision in AES-256 can be easily constructed than ideal cipher● AES-256 cannot be modeled as an ideal
cipher
● New design criteria● Avoid local collision
(at least avoid patterns for n rounds)● Desynchronize key schedule and internal
state
16
Q & A
![SECURE AND HIDDEN TEXT USING AES CRYPTOGRAPHY AND …jestec.taylors.edu.my/Vol 14 issue 3 June 2019/14_3_24.pdf · different key lengths: AES-128, AES-192 or AES-256 [11]. A number](https://static.documents.pub/doc/80x56/5f1a8879709d8948ae6586af/secure-and-hidden-text-using-aes-cryptography-and-14-issue-3-june-201914324pdf.jpg)
