Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Jérémy Jean
Joint work with Pierre-Alain Fouque and Thomas Peyrin (appeared at CRYPTO 2013)
École Normale Supérieure, France
Crypto Seminar in Luxembourg — December 17, 2013
http://www.di.ens.fr/~jean/

Outline
1. Motivations
2. Algorithms
3. Application to AES-128
   - Truncated differences
   - Actual differences
4. Distinguishing 9R AES-128
5. The End

Block Ciphers
Iterated SPN Block Ciphers
- Internal permutation: $f$
- Number of iterations: $r$
- SPN: $f = P \circ S$ applies Substitution (S) and Permutation (P)
- Secret key: $k$
- Key scheduling algorithm: $k \to (k_0, \ldots, k_r)$
- Examples: AES, PRESENT, SQUARE, Serpent, etc.
[Figure: iterated cipher with key $k$, key scheduling algorithm, subkeys $k_0, k_1, \ldots, k_{r-1}, k_r$, round function $f$, and states $s_0, s_1, \ldots, s_r, s_{r+1}$]

Advanced Encryption Standard
The AES Block Cipher (Rijndael)
- Designed by Joan Daemen and Vincent Rijmen
- Key-alternating cipher (round function: $f$)
- Block size: 128 bits; key sizes: 128, 192 or 256 bits
- Number $r$ of iterations: 10, 12 or 14
- Substitution-Permutation Network structure

AES Round Function
[Figure: one round maps the state $s_i$ to $s_{i+1}$ through SB, SR, MC and AK with subkey $k_i$]
One Step
- SubBytes (SB) layer: applies the S-Box S to all bytes
- ShiftRows (SR) layer
- MixColumns (MC) layer: applies the MDS matrix M to all columns
- AddRoundKey (AK): XORs the subkey $k_i$ to the state

Differentials and Differential Characteristics
Differential Characteristics
- Differential characteristics are easier to handle than differentials.
  ⟹ We usually focus on characteristics.
- Designers' goal: upper-bound the differential probability of characteristics.
Example: 4-round AES
[Figure: four consecutive rounds (1R each); legend: difference / no difference]
- 4-round characteristic with 25 active S-Boxes (minimal).
- AES S-Box: $p_{\max} = 2^{-6}$.
- Differential probability: $p \le 2^{-6 \times 25} = 2^{-150}$.

AES
Design of the AES
- AES permutation: structurally bounded diffusion for any number of rounds
- Provably resistant to Single-Key (SK) differential attacks
- Very easy to get the bounds by hand (just using the fact that the MixColumns matrix is MDS)
Minimal Number of Active S-Boxes for AES in the SK model
Rounds  1  2  3   4   5   6   7   8   9  10
min     1  5  9  25  26  30  34  50  51  55
Question
What would this table look like for the AES structure in the RK model?

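The single-key table above can be reproduced mechanically with a shortest-path search over truncated differences (active/inactive byte patterns) that uses only the MDS property of MixColumns, i.e. branch number 5. This is an added example, not code from the talk; the bit layout of the 16-bit pattern and the function names are choices made here.

```python
# Added example (not from the slides): SK bounds from truncated differences.
INF = 10**9
WT = [bin(v).count("1") for v in range(16)]   # active bytes in one column pattern
# ALLOWED[w]: column inputs that can give w active output bytes through an MDS
# matrix: both sides inactive, or (active in) + (active out) >= 5.
ALLOWED = [[0]] + [[v for v in range(16) if WT[v] + w >= 5] for w in range(1, 5)]
# Assumed layout: bit 4*c + r of a pattern marks the byte in row r, column c.
# ShiftRows moves that byte to column (c - r) mod 4.
SR_NIB = [[sum(1 << (4 * ((c - r) % 4) + r) for r in range(4) if (v >> r) & 1)
           for v in range(16)] for c in range(4)]

def shift_rows(x):
    return (SR_NIB[0][x & 15] | SR_NIB[1][(x >> 4) & 15]
            | SR_NIB[2][(x >> 8) & 15] | SR_NIB[3][x >> 12])

def mix_columns_min(cost):
    """For every output pattern, keep the cheapest compatible input pattern.
    Columns are independent, so the minimum is taken one column at a time."""
    for c in range(4):
        sh = 4 * c
        for ctx in range(4096):               # patterns of the other 3 columns
            base = ((ctx >> sh) << (sh + 4)) | (ctx & ((1 << sh) - 1))
            sl = slice(base, base + (16 << sh), 1 << sh)
            col = cost[sl]                    # the 16 patterns of column c
            m = [min(col[v] for v in vs) for vs in ALLOWED]
            cost[sl] = [m[WT[u]] for u in range(16)]
    return cost

def min_active_sboxes(max_rounds):
    """Minimal number of active S-boxes for 1..max_rounds rounds (SK model)."""
    # best[x]: cheapest characteristic whose last round has S-box input pattern x
    best = [bin(x).count("1") if x else INF for x in range(1 << 16)]
    table = [min(best)]
    for _ in range(max_rounds - 1):
        cost = [INF] * (1 << 16)
        for x, b in enumerate(best):          # SubBytes keeps the pattern
            cost[shift_rows(x)] = b
        mix_columns_min(cost)                 # AddRoundKey keeps it too (SK)
        best = [bin(z).count("1") + cost[z] for z in range(1 << 16)]
        table.append(min(best))
    return table

if __name__ == "__main__":
    print(min_active_sboxes(10))
```

In the RK model the AddRoundKey step can itself inject or cancel differences, so the pattern is no longer preserved there and this search does not apply as written.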
AES Key Schedule
Design of the AES Key Schedule
- Ad-hoc key schedule ⇒ RK attacks for AES-192/256 [BKN-C09], [BK-A09], [BN-E10]