180 likes | 345 Views
Distinguisher and Related-Key Attack on the Full AES-256. Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic CRYPTO, 2009. Presenter : Tae-Joon Kim Jong yun Jun. Contents. AES-256 Distinguisher Multicollision Distinguisher Related-Key Attack Conclusion.
E N D
Distinguisher and Related-Key Attack on the Full AES-256 Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic CRYPTO, 2009 Presenter : Tae-Joon Kim Jong yun Jun
Contents • AES-256 • Distinguisher • Multicollision Distinguisher • Related-Key Attack • Conclusion
AES (Advanced Encryption Standard) • Adopted by National Institute of Standards and Technology (NIST) on May 26, 2002. • Block cipher • Intended to replace DES and 3DES • DES is vulnerable to differential attacks • 3DES has slow performances
AES (Advanced Encryption Standard) • Simple to design (HW/SW) • High speed • Low memory cost • Variable key size ( > 128bit) • Security • Only side-channel attacks until this paper
AES-256 Key schedule round SubBytes ShiftRows MixColumns Round n P AES 14 Round Encryption Key scheduler K SubBytes ShiftRows MixColumns Sub key Round n+1 C
AES-256 From wikipedia
Distinguisher • Some what difference between ideal cipher and certain cipher • The difference may be a weakness • Attacker can exploit the difference
Multicollision Distinguisher • Let Ki’=Ki ΔK, Pi’=PiΔP Ci = EKi(Pi), Ci’=Eki’(Pi’) • Ci Ci’ = constant
Multicollision in Ideal Cipher • Random oracle model • Construct differential q-multicollision needs at least queries(n : block bits)
Multicollision in AES-256 • An weakness example: Local collision • q-mult. be foundin Let Ki’=Ki ΔK, Pi’=PiΔP Ci = EKi(Pi), Ci’=Eki’(Pi’) Ci Ci’ = constant
Practical Distinguisher • Partial q-multicollision: • Reduced to • Several hours on a PC
Practical Distinguisher • 10-multicollision, 14 round AES-256 …
Related-Key Attack • Attacker can perform chosen plaintext attacks with different keys and compare the results of each • Different keys may have some mathematical relationship • WEP (Wired Equivalent Privacy)
Conclusion • q-multicollision in AES-256 can be easily constructed than ideal cipher • AES-256 cannot be modeled as an ideal cipher • New design criteria • Avoid local collision (at least avoid patterns for n rounds) • Desynchronize key schedule and internal state