Results 1–10 of 82

Related-key Cryptanalysis of the Full AES-192 and AES-256
2009
Cited by 50 (3 self)
In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has 2^99.5 time and data complexity, while the recent attack by Biryukov-Khovratovich-Nikolić works for a weak key class and has much higher complexity ...

Distinguisher and Related-Key Attack on the Full AES-256
Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science, 2009
Cited by 53 (5 self)
In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time q · 2^67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2^(128·(q−1)/(q+1))) time. Using a similar approach and with the same complexity we can also construct q-pseudo collisions for AES-256 in Davies-Meyer hashing mode, a scheme which is provably secure in the ideal-cipher model. We have also computed partial q-multicollisions in time q · 2^37 on a PC to verify our results. These results show that AES-256 cannot model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14-round AES-256: a related-key distinguisher which works for one out of every 2^35 keys with 2^120 data and time complexity and negligible memory. This distinguisher is translated into a key-recovery attack with total complexity of 2^131 time and 2^65 memory.
Keywords: AES, related-key attack, chosen-key distinguisher, Davies-Meyer, ideal cipher.

Examples of differential multicollisions for 13 and 14 rounds of AES-256
Here we present practical differential q-multicollisions for AES-256. In our paper [1] q-multicollisions are found with complexity q · 2^67. We relax conditions on the plaintext difference ∆P, allowing some bytes to vary, and find multicollisions for 13- and 14-round AES with complexity q · 2^37. Even with the relaxation there is still a large complexity gap between our algorithm and the lower bound that we have proved in Lemma 1. Moreover we believe that in practice finding even two fixed-difference collisions for a good cipher would be very challenging. The multicollision sets, presented in the tables below, are obtained using the technique described in our original paper. Our search algorithm for 13 and 14 rounds of AES-256 can be described as:
1. Build a differential trail for 14 rounds of AES-256. The trail specifies the admissible values of the active S-boxes in these rounds.
2. Using the triangulation algorithm, produce one pair that satisfies all the conditions for the S-boxes in rounds 3–7.
3. If this pair satisfies the conditions for rounds 8–14 as well, then goto step

Biclique Cryptanalysis of the Full AES
In ASIACRYPT 2011, volume 7073 of LNCS, 2011
Cited by 44 (8 self)
Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
– The first key recovery method for the full AES-128 with computational complexity 2^126.1.
– The first key recovery method for the full AES-192 with computational complexity 2^189.7.
– The first key recovery method for the full AES-256 with computational complexity 2^254.4.
– Key recovery methods with lower complexity for the reduced-round versions of AES not considered before, including cryptanalysis of 8-round AES-128 with complexity 2^124.9.
– Preimage search for compression functions based on the full AES versions faster than brute force.
In contrast to most shortcut attacks on AES variants, we do not need to assume related keys. Most of our techniques only need a very small part of the codebook and have low memory requirements, and are practically verified to a large extent. As our cryptanalysis is of high computational complexity, it does not threaten the practical use of AES in any way.

Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds
Cited by 40 (4 self)
AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds is comparable to that of AES-128. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10-round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time). While neither AES-128 nor AES-256 can be directly broken by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.

Rotational Cryptanalysis of ARX
Cited by 18 (2 self)
In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations.

Feasible Attack on the 13-round AES-256
In this note we present the first attack with feasible complexity on the 13-round AES-256. The attack runs in the related-subkey scenario with four related keys, in 2^76 time, data, and memory.

unknown title
Hi, a new optimized C version of the Edon-R hash function can be downloaded from:

First Analysis of Keccak
Cited by 2 (0 self)
We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited by the strength of the inverse permutation. Unless otherwise stated, we consider the Keccak permutation used in the Keccak submission to SHA-3, that is, the function called Keccak-f[1600] in [2].
1 Solving the CICO problem
1.1 Preliminaries
Assume we try to detect non-randomness in a function f with n-bit input and m-bit output. Consider the following problem: find a solution to
f(x) = y (1)
such that the first q bits of x and y are zero, q ≤ min(n, m). Brute-force search, which works for any f, requires about 2^q computations of f. This bound remains the same even if n = m and f is invertible. One expects that for a “good” hash transformation, this problem should have the same workload. Although non-trivial solutions do not imply collision and preimage weaknesses, they are a first sign of non-ideal

Block ciphers that are easier to mask: How far can we go?
Proc. of Cryptographic Hardware and Embedded Systems (CHES), 2013
Cited by 13 (1 self)
The design and analysis of lightweight block ciphers has been a very active research area over the last couple of years, with many innovative proposals trying to optimize different performance figures. However, since these block ciphers are dedicated to low-cost embedded devices, their implementation is also a typical target for side-channel adversaries. As preventing such attacks with countermeasures usually implies significant performance overheads, a natural open problem is to propose new algorithms for which physical security is considered as an optimization criterion, hence allowing better performance again. We tackle this problem by studying how much we can tweak standard block ciphers such as the AES Rijndael in order to allow efficient masking (which is one of the most frequently considered solutions to improve security against side-channel attacks). For this purpose, we first investigate alternative S-boxes and round structures. We show that both approaches can be used separately in order to limit the total number of nonlinear operations in the block cipher, hence allowing more efficient masking. We then combine these ideas into a concrete instance of a block cipher called Zorro. We further provide a detailed security analysis of this new cipher taking its design specificities into account, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest). Eventually, we conclude the paper by evaluating the efficiency of masked Zorro implementations on an 8-bit microcontroller, and exhibit their interesting performance figures.