1 / 16

Distinguisher and Related-Key Attack on the Full AES-256

Distinguisher and Related-Key Attack on the Full AES-256. Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic CRYPTO, 2009. Presenter : Tae-Joon Kim Jong yun Jun. Contents. AES-256 Distinguisher Multicollision Distinguisher Related-Key Attack Conclusion.

fleur-solis
Download Presentation

Distinguisher and Related-Key Attack on the Full AES-256

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Distinguisher and Related-Key Attack on the Full AES-256 Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic CRYPTO, 2009 Presenter : Tae-Joon Kim Jong yun Jun

  2. Contents • AES-256 • Distinguisher • Multicollision Distinguisher • Related-Key Attack • Conclusion

  3. AES (Advanced Encryption Standard) • Adopted by National Institute of Standards and Technology (NIST) on May 26, 2002. • Block cipher • Intended to replace DES and 3DES • DES is vulnerable to differential attacks • 3DES has slow performances

  4. AES (Advanced Encryption Standard) • Simple to design (HW/SW) • High speed • Low memory cost • Variable key size ( > 128bit) • Security • Only side-channel attacks until this paper

  5. AES-256 Key schedule round SubBytes ShiftRows MixColumns Round n P AES 14 Round Encryption Key scheduler K SubBytes ShiftRows MixColumns Sub key Round n+1 C

  6. AES-256 From wikipedia

  7. Distinguisher • Some what difference between ideal cipher and certain cipher • The difference may be a weakness • Attacker can exploit the difference

  8. Multicollision Distinguisher • Let Ki’=Ki ΔK, Pi’=PiΔP Ci = EKi(Pi), Ci’=Eki’(Pi’) • Ci Ci’ = constant

  9. Multicollision in Ideal Cipher • Random oracle model • Construct differential q-multicollision needs at least queries(n : block bits)

  10. Multicollision in AES-256 • An weakness example: Local collision • q-mult. be foundin Let Ki’=Ki ΔK, Pi’=PiΔP Ci = EKi(Pi), Ci’=Eki’(Pi’) Ci Ci’ = constant

  11. Practical Distinguisher • Partial q-multicollision: • Reduced to • Several hours on a PC

  12. Practical Distinguisher • 10-multicollision, 14 round AES-256 …

  13. Related-Key Attack • Attacker can perform chosen plaintext attacks with different keys and compare the results of each • Different keys may have some mathematical relationship • WEP (Wired Equivalent Privacy)

  14. Related-Key Attack

  15. Conclusion • q-multicollision in AES-256 can be easily constructed than ideal cipher • AES-256 cannot be modeled as an ideal cipher • New design criteria • Avoid local collision (at least avoid patterns for n rounds) • Desynchronize key schedule and internal state

  16. Q & A

More Related