Related-Key Cryptanalysis of the Full AES-192 and AES-256

Biryukov, Alex; Khovratovich, Dmitry

doi:10.1007/978-3-642-10366-7_1

Cited by 343 publications

(364 citation statements)

References 11 publications

(18 reference statements)

Supporting

Mentioning

290

Contrasting

Order By: Relevance

“…Since the original work of Knudsen and Biham, there have been many reported cases of successful related-key cryptanalysis [9,27,7], and notably of the Advanced Encryption Standard (AES) [10,11]. These results led to the consensual view that RKA resilience should be a standard design goal for lowlevel cryptographic primitives such as block ciphers and hash functions.…”

Section: Introductionsupporting

confidence: 42%

“…This vulnerability is relevant for practical applications of Feistel constructions, since many important cryptanalytic results such as those presented by Biryukov et al [10,11] can be described as utilizing related keys that are derived by xor-ing the original key with a constant. This in particular permits an attacker to selectively modify the secret key for the output round in a Feistel network and break the security of the construction.…”

Section: Introductionmentioning

confidence: 44%

See 1 more Smart Citation

The Related-Key Analysis of Feistel Constructions

Barbosa

Farshim

2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. It is well known that the classical three-and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally we formalize Luck's transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.

show abstract

Section: Introductionsupporting

confidence: 42%

Section: Introductionmentioning

confidence: 44%

The Related-Key Analysis of Feistel Constructions

Barbosa

Farshim

2015

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…The key relations used in the attacks vary from fixed differences [16] to non-trivial subkey relations [7].…”

Section: Related Workmentioning

confidence: 42%

Rotational Cryptanalysis of ARX

Khovratovich

Nikolić

2010

Fast Software Encryption

Self Cite

126

View full text Add to dashboard Cite

Abstract.In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations.

show abstract

“…These attacks are independent of the number of rounds the block cipher undergoes. Even AES-192 and AES-256 can be weakened with related-key attacks [28].…”

Section: Introductionmentioning

confidence: 40%

Why Cryptography Should Not Rely on Physical Attack Complexity

Krämer

2015

T-Labs Series in Telecommunication Services

View full text Add to dashboard Cite

Ich versichere an Eides statt, dass ich diese Dissertation selbständig verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Datum Für meine Eltern AbstractEver since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future.Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, have they already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.

show abstract

Related-Key Cryptanalysis of the Full AES-192 and AES-256

Cited by 343 publications

References 11 publications

The Related-Key Analysis of Feistel Constructions

The Related-Key Analysis of Feistel Constructions

Rotational Cryptanalysis of ARX

Why Cryptography Should Not Rely on Physical Attack Complexity

Contact Info

Product

Resources

About