Scribd Logo
Upload

Welcome to Scribd!

  • 6 views

    Practical-Titled Attack On AES-128 Using Chosen-Text Relations

    Uploaded by

    Ichan Cer Scuze
    Vincent Rijmen presents a new zero-query attack on AES-128 that reduces the entropy of the key from 128 to 32 bits. The attack chooses a plaintext p and defines another plaintext p* that is uniquely related to p via a difference δ. An equation involving the SubBytes transformation of p and p* with the key k has at most 232 solutions for k. All solutions can be enumerated quickly without any encryption queries. This practical-complexity attack endangers applications where an attacker can modify the encryption state in specific ways to obtain the required plaintexts. A similar attack is possible on the KASUMI cipher.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Practical-Titled Attack On AES-128 Using Chosen-Text Relations

    Uploaded by

    Ichan Cer Scuze
    6 views1 page
    Vincent Rijmen presents a new zero-query attack on AES-128 that reduces the entropy of the key from 128 to 32 bits. The attack chooses a plaintext p and defines another plaintext p* that is uniquely related to p via a difference δ. An equation involving the SubBytes transformation of p and p* with the key k has at most 232 solutions for k. All solutions can be enumerated quickly without any encryption queries. This practical-complexity attack endangers applications where an attacker can modify the encryption state in specific ways to obtain the required plaintexts. A similar attack is possible on the KASUMI cipher.

    Original Description:

    kriptografi

    Original Title

    337

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Vincent Rijmen presents a new zero-query attack on AES-128 that reduces the entropy of the key from 128 to 32 bits. The attack chooses a plaintext p and defines another plaintext p* that is uniquely related to p via a difference δ. An equation involving the SubBytes transformation of p and p* with the key k has at most 232 solutions for k. All solutions can be enumerated quickly without any encryption queries. This practical-complexity attack endangers applications where an attacker can modify the encryption state in specific ways to obtain the required plaintexts. A similar attack is possible on the KASUMI cipher.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    6 views1 page

    Practical-Titled Attack On AES-128 Using Chosen-Text Relations

    Uploaded by

    Ichan Cer Scuze
    Vincent Rijmen presents a new zero-query attack on AES-128 that reduces the entropy of the key from 128 to 32 bits. The attack chooses a plaintext p and defines another plaintext p* that is uniquely related to p via a difference δ. An equation involving the SubBytes transformation of p and p* with the key k has at most 232 solutions for k. All solutions can be enumerated quickly without any encryption queries. This practical-complexity attack endangers applications where an attacker can modify the encryption state in specific ways to obtain the required plaintexts. A similar attack is possible on the KASUMI cipher.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 1

    Practical-Titled Attack on AES-128

    Using Chosen-Text Relations


    Vincent Rijmen

    Introduction
    Related-key attacks on AES-192 and AES-256 have been presented at Crypto 2009 and Asiacrypt 2009. Although these results are already quite spectacular, they have been extended
    to practical-complexity attacks on AES variants with 10 rounds at Eurocrypt 2010.
    These advances in cryptanalysis are enabled by the introduction of a new type of related
    keys. Let the secret key be denoted by k, the round keys by ki and describe the action of the
    key schedule of an arbitrary AES variant by: ki = i (k), i = 1, 2 . . . The AES-256 adversary
    specifies two key-differences-in-the-middle , and queries the AES-256 implementation using
    the following related keys:
    k (a,b) = 3.5 ( 2.5 ((k) + a) + b), a, b {0, 1}.

    Chosen-text relations
    Borrowing the powerful concept of chosen-key-relations-in-the-middle, I present here a new
    attack on AES-128. Note that strengthening AES-128 by adopting the AES-256 key schedule
    would not increase the resistance against the attack.
    of AES. Furthermore,
    let denote
    The attack: Let Rk (x) denote the round transformation

    1
    1

    any 16-byte string and define = ShiftRows


    MixColumns () . Let {p, p } denote the
    pair of plaintexts chosen by the adversary, where p is selected arbitrarily and p is uniquely
    defined by:
    p = Rk 1 (Rk (p) + ) .
    It can easily be verified that k is a solution of
    SubBytes(p + k) + SubBytes(p + k) = .
    If all bytes of are nonzero, then this equation has at most 232 solutions. All solutions can
    be enumerated in a few seconds on a standard PC.
    Observe that this adversary doesnt need to see the ciphertexts. The entropy of the key is
    reduced from 128 to 32 bits without making a single query to the encryption oracle. As far
    as I know, this is the first zero-query attack on a symmetric encryption primitive.

    Conclusions
    This attack clearly endangers all practical applications where an attacker can halt the computer in the middle of the execution of an encryption routine, apply the specific difference
    to the state, and roll back the interrupted encryption and obtain the modified plaintext p .
    A similar attack can be mounted on KASUMI.

    You might also like