1 / 24

Impossible Differential Cryptanalysis of Mini-AES

Impossible Differential Cryptanalysis of Mini-AES. Daniel R. Cloutier. 13 May 2004. Agenda. Mini-AES vs. S-AES 4 Round Impossible Differential Attacking 5 Round Mini-AES Conclusion Questions.

cotten
Download Presentation

Impossible Differential Cryptanalysis of Mini-AES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Impossible Differential Cryptanalysis of Mini-AES Daniel R. Cloutier 13 May2004

  2. Agenda • Mini-AES vs. S-AES • 4 Round Impossible Differential • Attacking 5 Round Mini-AES • Conclusion • Questions Based on: “Impossible Differential Cryptanalysis of Mini-AES,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 27, No. 4, Oct 2003

  3. Structure of Mini-AES • Same Basic Setup as S-AES • 16 Bit Input/Output/Round Key • 2x2 Matrices • Nibble Sub • Shift Rows • Mix Columns • Add Round Key • Add Round Key Prior to Round 1 • No Mix Columns in Last Round P = P0 P1 P2 P3

  4. Definitions • Impossible Differential • P vs. C • Passive vs. Active Nibbles • Ex. P = 0100 0011 1110 1001 P’ = 1110 0011 1110 1001

  5. Impact on Active Nibbles: Nibble Sub P = 0100 0011 1110 1001 P’ = 1110 0011 1110 1001 After Nibble Sub… P = 1110 1111 0110 0111 P’ = 0100 1111 0110 0111

  6. Impact on Active Nibbles:Shift Rows P = 1110 1111 0110 0111 P’ = 0100 1111 0110 0111 After Shift Rows… P = 11100111 0110 1111 P’ = 01000111 0110 1111

  7. Impact on Active Nibbles:Mix Cols P = 1110 0111 0110 1111 P’ = 0100 0111 0110 1111 After Mix Cols… P = 1111 0110 0111 1110 P’ = 0010 0001 0111 1110

  8. Impact on Active Nibbles:Add Round Key P = 1111 0110 0111 1110 P’ = 0010 0001 0111 1110 After Add Round Key P = P Ä Ki = P0P1P2P3 P’ = P’ Ä Ki = P’0P’1P’2P’3

  9. Trace First Two Rounds 4 Round Mini-AES P = 0101 1111 0110 1100 P’ = 0100 1111 0110 1100 Round 0: K0 = 0101 1010 1100 0011 • Add Round Key: P = 0000 0101 1010 1111 P’ = 0001 0101 1010 1111

  10. Round 1 P = 0000 0101 1010 1111 P’ = 0001 0101 1010 1111 • Nibble Sub P = 1110 1111 0110 0111 P’ = 0100 1111 0110 0111 • Shift Rows P = 11100111 0110 1111 P’ = 01000111 0110 1111

  11. Round 1 - Continued P = 1110 0111 0110 1111 P’ = 0100 0111 0110 1111 • Mix Cols P = 1111 0110 0111 1110 P’ = 0010 0001 0111 1110 • Add Round Key: K1 = 1100 0011 0101 1010 P = 00110101 0010 0100 P’ = 11100010 0010 0100

  12. Round 2 P = 0011 0101 0010 0100 P’ = 1110 0010 0010 0100 • Nibble Sub P = 0001 1111 1101 0010 P’ = 0000 1101 1101 0010 • Shift Rows P = 00010010 1101 1111 P’ = 00000010 1101 1101

  13. Round 2 - Continued P = 0001 0010 1101 1111 P’ = 0000 0010 1101 1101 • Mix Cols P = 0111 0100 1001 1011 P’ = 0100 0110 1101 1101 • Add Round Key: K2 = 1111 0010 1011 1100 P = 1000 0110 0010 0111 P’ = 1011 0100 0110 0001

  14. Trace Last 2 Rounds In Reverse C = 0100 0011 1001 0101 C’ = 1110 0011 1001 1110 • Inverse Key Add: K4 = 0010 1011 1100 0111 C = 0110 1000 0101 0010 C’ = 1100 1000 0101 1001

  15. Round 4 - Continued C = 0110 1000 0101 0010 C’ = 1100 1000 0101 1001 • Inverse Shift Rows C = 0110 0010 0101 1000 C’ = 1100 1001 0101 1000 • Inverse Nibble Sub C = 1010 0100 1100 0111 C’ = 1011 1101 1100 0111

  16. Round 3 C = 1010 0100 1100 0111 C’ = 1011 1101 1100 0111 • Inv Key Add: K3 = 1011 1100 0111 1101 C = 0001 1000 1011 1010 C’ = 0000 0001 1011 1010 • Inverse Mix Cols C = 0000 1001 1001 1000 C’ = 0010 0011 1001 1000

  17. Round 3 - Continued C = 0000 1001 1001 1000 C’ = 0010 0011 1001 1000 • Inverse Shift Rows C = 00001000 1001 1001 C’ = 00101000 1001 0011 • Inverse Nibble Sub C = 1110 0111 1101 1101 C’ = 0100 0111 1101 1000

  18. After Round 2 P = 1000 0110 0010 0111 P’ = 1011 0100 0110 0001 C = 1110 0111 1101 1101 C’ = 0100 0111 1101 1000

  19. Attacking 5 Round Mini-AES:Setting Up the Attack • Obtain 213 plaintexts, P • Obtain 213 plaintexts, P’ • P’ differs from P in the 1st and 4th nibble • Obtain C and C’ for each P, P’ • Discard C/C’ pairs w/o exactly one active nibble in each row and column. • Probability for usable C/C’ pair: (2-4 x 2-4) + (2-4 x 2-4) = 2-7 • Number of usable C/C’ pairs: 213 x 2-7 = 26

  20. Attacking 5 Round Mini-AES:Performing the Attack • For each of the 26 pairs… • Compute X and X’ for each K (28 values) X = Encrypt P through Mix Cols in Round 1 X’ = Encrypt P’ through Mix Cols in Round 1 • Discard K if X/X’ have only one active nibble in the first column. • Probability = 2-4 x 2 = 2-3

  21. Attacking 5 Round Mini-AES:Analyzing the Results • Probability that a random key never gets rejected: • (1 – 2-3)2^6 • Wrong Keys Remaining: • 28(1-2-3)2^6 ≈ 0 • Only the correct value of K0 remains

  22. Conclusion • Impossible Differential Attack is good for theory. • Too Many Known Plaintexts! • Especially effective for AES because of the key schedule.

  23. References • “Impossible Differential Cryptanalysis of Mini-AES,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 27, No. 4, Oct 2003 • “Mini Advanced Encryption Standard (Mini-AES): A Testbed for Cryptanalysis Students,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 26, No. 4, October 2002

  24. Questions

More Related