Content
• AES
• Attacks on AES
  – Brute force attack
  – Theoretical attacks
  – Side channel attacks
• Conclusion
• Open problem
• References
AES (cont.)
• The three design criteria: [1]
  – Resistance against all known attacks
  – Speed and code compactness on a wide range of platforms
  – Design simplicity
• A fixed block size of 128 bits
• A key size of 128, 192, or 256 bits
• Number of rounds: 10, 12, or 14 (for 128-, 192- and 256-bit keys respectively)
Brute force
• 2^256 is roughly the number of atoms in the observable universe: a 256-bit key space cannot be searched exhaustively
• The largest successful public brute-force search: a 64-bit RC5 key
  – Distributed computing network, about 5 years of effort [2]
XSL
• The cipher is written as a system of multivariate quadratic (MQ) equations
• Linearization (L) [3]
  – Kipnis and Shamir – 1999
  – Introduced for the cryptanalysis of HFE
  – Fails when there are too few equations relative to the number of monomials
• eXtended Linearization (XL) [4]
  – Courtois et al. – 2000
  – Complexity: estimates showed that XL would not work against the equation systems derived from block ciphers such as AES
XSL (cont.)
• eXtended Sparse Linearization (XSL) [5]
  – Courtois and Pieprzyk – 2002
  – Targets AES and Serpent
  – Exploits the AES S-box being an algebraically simple inverse function
  – Needs only one or two known plaintexts
  – High work factor
XSL (cont.)
Rijmen: "The XSL attack is not an attack. It is a dream."
Courtois: "It will become your nightmare."
Cid and Leurent – 2005: the XSL algorithm does not provide an efficient method for solving the AES system of equations.
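To make concrete what "algebraically simple inverse function" buys the XL/XSL family, here is an added Python example written for this page (it is not code from the slides or from Courtois and Pieprzyk). It rebuilds the AES S-box from its definition S(x) = A·x^(-1) + c over GF(2^8) and then counts, by Gaussian elimination over GF(2), how many linearly independent quadratic equations in the 8 input and 8 output bits hold for all 256 inputs: 23 when only bi-affine terms x_i·y_j are allowed, 39 once x_i·x_j and y_i·y_j terms are added, which are the r=23/t=81 and r=39/t=137 figures the XSL paper starts from. The monomial ordering and the helper names are this example's own choices.

```python
from itertools import combinations

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8), with inv(0) = 0 as AES defines it."""
    for b in range(1, 256):
        if gf_mul(a, b) == 1:
            return b
    return 0

def affine(b):
    """The AES affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

def build_sbox():
    """S(x) = affine(inverse(x)), exactly the FIPS-197 definition."""
    return [affine(gf_inv(x)) for x in range(256)]

def bits(v):
    return [(v >> i) & 1 for i in range(8)]

def monomials(x, y, bi_affine_only=False):
    """All GF(2) monomials of degree <= 2 in input bits x_i and output bits y_j.
    Bi-affine: 1, x_i, y_j, x_i*y_j (81 terms).  Fully quadratic adds x_i*x_j
    and y_i*y_j (137 terms).  The ordering is this example's own choice."""
    xb, yb = bits(x), bits(y)
    row = [1] + xb + yb + [xb[i] & yb[j] for i in range(8) for j in range(8)]
    if not bi_affine_only:
        row += [xb[i] & xb[j] for i, j in combinations(range(8), 2)]
        row += [yb[i] & yb[j] for i, j in combinations(range(8), 2)]
    return row

def gf2_rank(rows):
    """Rank over GF(2); each row is a Python int used as a bit vector."""
    pivots = {}   # highest set bit -> a row whose leading bit is that bit
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top in pivots:
                r ^= pivots[top]
            else:
                pivots[top] = r
                break
    return len(pivots)

def count_relations(sbox, bi_affine_only=False):
    """Number of linearly independent equations a.m = 0 over GF(2), m being the
    monomial vector, that hold for every pair (x, S(x)): the nullity of the
    256 x t evaluation matrix, i.e. t - rank."""
    rows = [int("".join(map(str, monomials(x, sbox[x], bi_affine_only))), 2)
            for x in range(256)]
    n_terms = len(monomials(0, sbox[0], bi_affine_only))
    return n_terms - gf2_rank(rows)

if __name__ == "__main__":
    sbox = build_sbox()
    print("S(0x53) = 0x%02X" % sbox[0x53])          # 0xED, the FIPS-197 example
    print("bi-affine equations :", count_relations(sbox, bi_affine_only=True))
    print("quadratic equations :", count_relations(sbox))
```

The surplus comes from identities such as x²·y = x, x·y² = y and x⁴·y = x³, all consequences of x·y = 1 that also hold at x = 0; a random 8-bit S-box typically satisfies no quadratic relation at all, which is why an "overdefined" system exists for AES but not for an arbitrary cipher.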
Related-Key
• Attack based on a weakness in the key schedule
• Related-key attack – Biham – 1992 [6]
• Alex Biryukov et al. – related-key attacks on AES with complexities 2^119, 2^99.5, 2^96 and 2^35
Biclique
• Bogdanov, Khovratovich and Rechberger, Microsoft Research [7]
• August 2011
• Results:
  – The full AES-128 with computational complexity 2^126.1
  – The full AES-192 with computational complexity 2^189.7
  – The full AES-256 with computational complexity 2^254.4
• "Why you might want to rename AES-128 into AES-126 in a few minutes"
Side channel Attacks
• Any attack based on information gained from the physical implementation of a cryptosystem:
  – Timing information
  – Power consumption
  – Electromagnetic leaks
  – Sound
Side channel Attacks (cont.)
• Against AES:
  – Cache-timing attack – 2005
  – Differential fault analysis – 2009
Cache-timing attack
• Bernstein – 2005 [8]
  – Attacked a custom server that used OpenSSL's AES encryption
  – About 200 million chosen plaintexts
  – The custom server was built to give out as much timing information as possible
Cache-timing attack (cont.)
• Dag Arne Osvik, Adi Shamir and Eran Tromer – 2005 [9]
  – Full AES key recovered after only 800 operations
  – In 65 milliseconds
  – Requires the attacker to be able to run programs on the same system
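The two slides above describe the measurements but not the mechanism, so here is an added Python simulation written for this page (it is not Bernstein's code, not the Osvik/Shamir/Tromer code, and not a real timing measurement). It models only the part that leaks: the first AES round does 16 T-table lookups indexed by p[i] XOR k[i]; a 64-byte cache line holds 16 four-byte table entries, so an encryption's time depends on the high nibble of each index, and the attacker sees only total time plus noise. Following Bernstein's approach, the attacker profiles timing against plaintext byte values with a key they know, profiles the victim with the secret key, and aligns the two curves position by position; the XOR shift that makes them coincide reveals the high nibble of each victim key byte. The per-line cost model, the five "evicted" lines, the noise level and the sample counts are this example's assumptions. Osvik, Shamir and Tromer exploit the same lookup-index dependence locally, observing individual cache lines with prime-and-probe rather than total time, which is why they need so many fewer samples.

```python
import random

LINES = 16       # 256 four-byte T-table entries span 16 lines of 64 bytes
POSITIONS = 16   # one first-round lookup per key byte

# Assumed cache state on the machine model: five lines have been evicted by
# other activity and cost extra, the rest hit.  An odd number of slow lines
# guarantees no non-zero XOR shift maps the cost pattern onto itself, so the
# alignment step below has a unique answer.
SLOW_LINES = {1, 4, 6, 11, 14}
LINE_COST = [100.0 if l in SLOW_LINES else 0.0 for l in range(LINES)]
NOISE_SD = 5.0   # measurement noise, arbitrary units

def encrypt_time(plaintext, key, rng):
    """Simulated total time of one encryption: only the line index of each
    first-round lookup, (p ^ k) >> 4, influences it.  Not real AES timing."""
    total = sum(LINE_COST[(p ^ k) >> 4] for p, k in zip(plaintext, key))
    return total + rng.gauss(0.0, NOISE_SD)

def profile(key, samples, rng):
    """Study phase: mean timing per (byte position, plaintext high nibble).
    Contributions of the other 15 positions average out to a constant."""
    sums = [[0.0] * LINES for _ in range(POSITIONS)]
    counts = [[0] * LINES for _ in range(POSITIONS)]
    for _ in range(samples):
        pt = bytes(rng.getrandbits(8) for _ in range(POSITIONS))
        t = encrypt_time(pt, key, rng)
        for i, p in enumerate(pt):
            sums[i][p >> 4] += t
            counts[i][p >> 4] += 1
    return [[sums[i][l] / counts[i][l] for l in range(LINES)]
            for i in range(POSITIONS)]

def correlation(xs, ys):
    """Pearson correlation of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def recover_high_nibbles(ref_key, ref_profile, target_profile):
    """Align the victim's timing curve with the attacker's reference curve.
    At position i the victim's curve is the reference curve XOR-shifted by
    (k[i] ^ ref_key[i]) >> 4, so the best-correlated shift yields k[i] >> 4."""
    recovered = []
    for i in range(POSITIONS):
        best_d = max(range(LINES), key=lambda d: correlation(
            target_profile[i], [ref_profile[i][l ^ d] for l in range(LINES)]))
        recovered.append((ref_key[i] >> 4) ^ best_d)
    return recovered

def run_attack(seed=1, samples=30000):
    """Returns (recovered high nibbles, true high nibbles) for a random key."""
    rng = random.Random(seed)
    secret_key = bytes(rng.getrandbits(8) for _ in range(POSITIONS))
    ref_key = bytes(rng.getrandbits(8) for _ in range(POSITIONS))  # attacker's own
    ref_profile = profile(ref_key, samples, rng)        # known-key study phase
    target_profile = profile(secret_key, samples, rng)  # victim measurements
    guess = recover_high_nibbles(ref_key, ref_profile, target_profile)
    return guess, [b >> 4 for b in secret_key]

if __name__ == "__main__":
    guess, truth = run_attack()
    print("recovered high nibbles:", guess)
    print("actual high nibbles:   ", truth)
    print("all 16 correct:", guess == truth)
```

Only the high nibble of each key byte is recovered here because the low four bits select an entry within a line, which a cache-line-granular channel cannot see; Bernstein gets the rest from later rounds and from a final brute-force over the remaining bits, and the table-free, constant-time AES implementations (bitsliced or AES-NI) that later replaced T-tables in OpenSSL are the countermeasure.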
Differential fault analysis
• Dhiman Saha et al. – 2009 – India [10]
• Inducing a random fault anywhere in one of the four diagonals of the state matrix leads to the deduction of the entire AES key
• Remaining key search after a single fault: 2^32
Conclusion
• Theoretical weaknesses of AES
  – Key schedule (related-key attacks)
• Side channel attacks: the practical threat lies in the implementation
• AES: first public algorithm approved for classified information [11]
  – CLASSIFIED up to SECRET: 128-, 192- or 256-bit keys
  – TOP SECRET: 192- or 256-bit keys only
Open Problems
[Mind map; recovered node labels only]
• Breaking AES theoretically: SP network, key schedule, related-key, biclique, XSL, known plaintext / chosen plaintext
• Side-channel attacks: cache-timing channels, cache games, S-box, power consumption, electromagnetic leaks, fault analysis, timing information
References
• [1] J. Daemen, V. Rijmen, "AES Proposal: Rijndael", The First Advanced Encryption Standard Candidate Conference, NIST, 1998.
• [2] G. Ou, "Is encryption really crackable?", ZDNet, April 30, 2006. http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204
• [3] A. Kipnis, A. Shamir, "Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization", CRYPTO '99.
• [4] N. Courtois, A. Klimov, J. Patarin, A. Shamir, "Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations", EUROCRYPT 2000, LNCS 1807, pp. 392–407.
• [5] N. Courtois, J. Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations", ASIACRYPT 2002, LNCS 2501, pp. 267–287.
• [6] E. Biham, "New Types of Cryptanalytic Attacks Using Related Keys", Proceedings of EUROCRYPT '93, LNCS 765.
• [7] A. Bogdanov, D. Khovratovich, C. Rechberger, "Biclique Cryptanalysis of the Full AES", Microsoft Research, 2011.
• [8] D. J. Bernstein, "Cache-timing attacks on AES", 2005. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
• [9] D. A. Osvik, A. Shamir, E. Tromer, "Cache Attacks and Countermeasures: the Case of AES", IACR ePrint, 2008.
• [10] D. Saha, D. Mukhopadhyay, D. RoyChowdhury, "A Diagonal Fault Attack on the Advanced Encryption Standard", IACR ePrint, 2009.
• [11] http://en.wikipedia.org/wiki/Advanced_Encryption_Standard