Minimal Number of Active S-Boxes for AES in the SK model. Rounds. 1. 2. 3. 4 ... What would this table look like for the AES structure in the RK model ? .... Pros. â· works on DES in single-key. Drawbacks. â· Rely on non-equivalent differential.
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Jérémy Jean joint work with Pierre-Alain Fouque and Thomas Peyrin (appeared at CRYPTO 2013) École Normale Supérieure, France
Séminaire Crypto de Versailles — 27 Novembre 2013 http://www.di.ens.fr/~jean/
The End
Motivations
Algorithms
Application to AES-128
Outline
1. Motivations 2. Algorithms 3. Application to AES-128 Truncated differences Actual differences 4. Distinguishing 9R AES-128 5. The End
Distinguishing 9R AES-128
The End
Motivations
Algorithms
Application to AES-128
Outline
1. Motivations 2. Algorithms 3. Application to AES-128 Truncated differences Actual differences 4. Distinguishing 9R AES-128 5. The End
Distinguishing 9R AES-128
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
Block Ciphers Iterated SPN Block Ciphers I I I I I I
Internal Permutation : f Number of Iterations : r SPN : f = P ◦ S applies Substitution (S) and Permutation (P). Secret Key : k Key Scheduling Algorithm : k → (k0 , . . . , kr ) Ex : AES, PRESENT, SQUARE, Serpent, etc. k
Key Scheduling Algorithm k0 s0
kr −1
k1 f
s1
...
kr f
sr
sr +1
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
Advanced Encryption Standard The AES Block Cipher (Rijndael) I
SubBytes (SB) layer : applies S-Box S to all bytes
si+1
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
AES Round Function ki
SB
SR
MC
AK
si One Step I
SubBytes (SB) layer : applies S-Box S to all bytes
I
ShiftRows (SR) layer
si+1
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
AES Round Function ki
SB
SR
MC
AK
si One Step I
SubBytes (SB) layer : applies S-Box S to all bytes
I
ShiftRows (SR) layer
si+1
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
AES Round Function ki
×M
SB
SR
MC
AK
si
si+1
One Step I
SubBytes (SB) layer : applies S-Box S to all bytes
I
ShiftRows (SR) layer
I
MixColumns (MC) layer : applies MDS matrix M to all columns
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
AES Round Function ki
SB
SR
MC
si
si+1
One Step I
SubBytes (SB) layer : applies S-Box S to all bytes
I
ShiftRows (SR) layer
I
MixColumns (MC) layer : applies MDS matrix M to all columns
I
AddRoundKey (AK) xors the subkey ki to the state
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
Differentials and Differential Characteristics Differential (Characteristics) I I I
Used in differential cryptanalysis. Sequence of differences at each round for an iterated primitive. A differential is a collection of characteristics.
Examples δ1 δ3 ∆
δ δ2
δ → ∆ is a differential. δ → δ1 → δ2 → δ3 → ∆ is a differential characteristic. I P(δ → δ1 → δ2 → δ3 → ∆) is its differential probability. I I
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
Differentials and Differential Characteristics
Differential Characteristics Differential characteristics are easier to handle than differentials. =⇒ We usually focus on characteristics. I Designers’ goal : upper-bound the differential probability of characteristics. I
Example : 4-round AES 1R
1R
1R
1R
Difference No difference
4-round characteristic with 25 active S-Boxes (minimal). AES S-Box : pmax = 2−6 . I Differential probability : p ≤ 2−6×25 = 2−150 . I I
The End
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
The End
AES Design of the AES I
AES Permutation : structurally bounded diffusion for any rounds
I
Provably resistant to Single-Key (SK) differential attacks
I
Very easy to get the bounds by hand (just using the fact that the MixColumns matrix is MDS)
Minimal Number of Active S-Boxes for AES in the SK model Rounds min
1 1
2 5
3 9
4 25
5 26
6 30
7 34
8 50
9 51
10 55
Question What would this table look like for the AES structure in the RK model ?
Motivations
Algorithms
Application to AES-128
Distinguishing 9R AES-128
AES Key Schedule Design of the AES Key Schedule Ad-hoc key schedule =⇒ RK Attacks for AES-192/256 [BKN-C09], [BK-A09], [BN-E10]. I hard to analyze, so far no simple proof/analysis exist, except the computer-based ones. I
exact coefficients of the MDS matrix and the S-Box differential properties are .... exhibit a nontrivial property of the cipher when he has the freedom of the key ...
Minimal Number of Active S-Boxes for AES in the SK model. Rounds. 1 ... What would this table look like for the AES structure in the RK model ? .... Pros. â· Switch to truncated differences. =â less edges. â· Representation of trunc. differences.
Using a structural analysis, we show that the full AES-128 cannot be ... The AES block cipher [14] is currently the most interesting candidate to ... method, which was considered too costly in terms of memory in [9]. ..... number of edges eBC of GBC
Gates (1997) ruled out the presence of tetrahedral ... agreement with MÑssbauer spectroscopy (Pankhurst ..... Second, close examination of the theoretical.
Feb 24, 1984 - "Selection and Evaluation of Wood" is an excerpt from the first of a ... content reduces, wood becomes stronger in all respects and tougher or ...
ground state properties of semiconductor nanodots is a key prerequisite, not only .... bonded passivants, e.g. atomic oxygen, we found that the gap is reduced by ...
First published in Great Britain by Arnold 1996. Reprinted by Butterworth-Heinemann 2000. Q T H G Megson 1996. All rights reserved. No part of this publication ...
bacteria a truncated form of the encoded protein lacking the first 17 N-terminal ... oligomeric proteins; protein stability. Nucleoside ... To gain insight into the molecular mechanisms of action .... discussion on the quaternary structure of NDP kin
scalable shared bus schemes currently used in MCSoC implementation. ... Recently, to meet these requirements, NoC paradigm has been proposed as a ... inherited from parallel and distributed systems to interconnect. PEs in a ... importance in SoC desi
devices do not require access to the travel lane for installation, are often installed outside the right of way,. 15 .... for the collection of simultaneous video data from multiple orientations. 22 ... over the roadway orthogonal to the direction of
Jan 14, 2015 - Creativity can be defined as the capacity to produce novel, original work ..... Creativity and Innovation Management Journal, 19(2), 160-166.
erage of 55 new resources are added each week. Indexing is a decisive step for ... indexed, translation of the emerging concepts into the appro- priate controlled ..... keywords such as or ) they may be corrected through ...
ABSTRACT. Quality assessment is of major importance when designing and testing an image/video coding technique. Compression perfor- mances are usually ...
Jan 14, 2015 - examining forms of virtual creative expression (Ward & Sonneborn, 2009). In sum, this project aims to provide the best conditions for teams who ...
a scalable compression scheme efficient from low-bit rates up to lossless coding together ... This work is supported by the French National Research Agency as part of the TSAR .... Region based chromatic components coding. 2.3. Chromatic ...
appeared in Sport Aviation many times in the ... not supplying all answers to all questions, will nevertheless tell the builder a great deal about the strength .... built in such a way that in an extreme ... what "load factor" he designed his aircraf
writings and aircraft designs have appeared in Sport ... his classified ad in this issue under ... people, Alex says that load testing ... all the way up to the breaking point ... What would you say about a chair .... constant throughout the cross-se
Jun 4, 2014 - cumulate and react with phosphatidylethanolamine (PE) by a dual mechanism ... of detoxifying the main carbonyl stressor, AtR, may reduce ... the lipid part. ... (Scheme 2) could be formed when phloroglucinol is treated ... The low coupl
tients who sought treatment with a mental health clinician following their first manic .... scores for depression and mania, and Global Assessment of Functioning ...
prosody of English spoken by French speakers making use of a system of ... test the effect of visual feedback on the acquisition of prosodic patterns for English ...
transmitted in any form or by any means, electronically or mechanically, including photocopying, recording or any information storage or retrieval system, without ...
with threshold 0.2), green 'x' represent open minded opinions (8 agents with ..... We thank Jean Pierre Nadal, David Neau, Umit Guvenc, and the members of the ...
