Impossible-Differential and Boomerang Cryptanalysis of Round-Reduced Kiasu-BC
Christoph Dobraunig (IAIK at TU Graz, Austria) and Eik List (Bauhaus-Universität Weimar, Germany)
Cryptographers' Track at the RSA Conference, February 2017
TU Graz, Bauhaus-Universität Weimar
Feb 2017
1/33
Section 1: Motivation
The TWEAKEY Constructions
Jean, Nikolić, and Peyrin, ASIACRYPT'14
A set of AES-round-function-based tweakable block ciphers:
• Deoxys-BC: 128-bit state, 256-/384-bit tweakey, 14/16 rounds, AES MixColumns operation (also in the final round)
• Joltik-BC: nibble-based, 64-bit state, 128-/192-bit tweakey, Piccolo's S-box, 24/32 rounds for 128/192-bit tweakey, custom MDS matrix (also in the final round)
• Kiasu-BC: 128-bit state, 128-bit key, 64-bit tweak, 10 rounds; equivalent to the AES if the tweak is all zeroes; TK_i = K_i ⊕ T for all rounds; AES key schedule
Kiasu-BC
• The same 64-bit tweak T = (T0 ‖ T1 ‖ … ‖ T7) is XORed to the state at every occurrence of AddKey
• Tweak size and position are the result of a "careful security analysis" by the designers (tools for the max. number of rounds of related-tweakey differential trails)
[Figure: round i of Kiasu-BC: S^i → SB → S^i_SB → SR → S^i_SR → MC → S^i_MC → AK with K^i ⊕ T → S^i_AK = S^{i+1}. The tweak bytes occupy the top two rows of the 4×4 state: T0 T2 T4 T6 in row 0 and T1 T3 T5 T7 in row 1, i.e. byte positions 0, 1, 4, 5, 8, 9, 12, 13 in the column-major numbering 0..15 of the state.]
Why Kiasu-BC?
• Can fully reuse existing AES implementations
• Profits from the deep analysis of the AES
⇒ Attractive as a primitive for instantiations based on tweakable block ciphers
• Unclear how the additional tweak input really impacts security
Section 2: Preliminary Cryptanalysis
Preliminary Cryptanalysis on Kiasu-BC
Designers' Analysis [Jean et al.'14]
• Differential attacks: "the current choice in Kiasu-BC assures that no such high probability characteristics exist on more than 6 rounds and no boomerang characteristics on more than 7 rounds" [KIASU CAESAR Submission, Sec. 4.3]
• MitM: "the same [MitM] attacks existing for AES-128 appl[y] to Kiasu-BC" [KIASU CAESAR Submission, Sec. 4.3]
• Further single-key attacks: "the security level of Kiasu-BC against the remaining types of attacks stays the same" [KIASU CAESAR Submission, Sec. 4.3]
Not fully correct: Dobraunig et al.'16 already extended integral attacks by 1 round compared to the AES
Section 3: Approaches of Cryptanalysis
Approaches of Cryptanalysis
Impossible-differential attack on round-reduced Kiasu-BC
• Idea: use pairs with a tweak difference ⇒ the tweak can cancel a state difference
• Up to 8 rounds in the single-key model
Boomerangs
• Idea: the tweak difference can cancel a state difference twice (in the top and in the bottom trail)
• Up to 8 rounds in the single-key model
Splice-and-Cut MitM / Biclique-Based Accelerated Exhaustive Search
• Idea: independent bicliques based on related-key trails ⇒ the tweak can cancel a key difference ⇒ extends the biclique size by +1 round
• Use pairs with key and tweak difference so that the tweak cancels out the key difference and one round is covered for free
Section 4: Impossible-Differential Attack
Impossible-Differential Attack
• Base: attack on AES-128 by Bahrak and Aref'07
• Additional single-byte tweak difference
• Goal: cancel the difference after Round 1 ⇒ Round 2 for free
Impossible-Differential Attack: Impossible Differential
[Figure: rounds from S^2 to S^5 of Kiasu-BC (SB, SR, MC and AddKey with K^3 ⊕ T, K^4 ⊕ T, K^5 ⊕ T). The difference propagated forward from S^2 and the difference propagated backward from S^5 (through AddKey K^5 ⊕ T, MC, SR, SB) contradict each other in S^4. Legend of the picture: no difference / always different / can be different.]
Impossible-Differential Attack: Wrapping Rounds
[Figure: the impossible differential (S^2 … S^6) is wrapped by the rounds S^0 → AK with K^0 ⊕ T → SB, SR, MC → AK with K^1 ⊕ T → S^1 → SB, SR, MC → AK with K^2 ⊕ T → S^2 at the top, and by S^6 → SB, SR, MC → AK with K^7 ⊕ T → S^7 → SB, SR → AK with K^8 ⊕ T → S^8 at the bottom (no MixColumns in the final round).]
Impossible-Differential Attack: Structures
[Figure: 2^8 sets T^0, T^1, …, T^255, each holding 2^32 plaintexts P^i_0, …, P^i_{2^32−1}.]
Structure: 2^8 sets T^i of 2^32 plaintext-tweak tuples (P^i, T^i)
• Each set has tweak T[0] = i
• Each set iterates over the plaintext bytes 0, 5, 10, 15
• Valid pairs (P, P') need different tweaks T ≠ T'
• Each structure forms C(256, 2) × (2^32 × 2^32) ≈ 2^79 pairs of plaintext-tweak tuples
Impossible-Differential Attack: Offline Phase
1: for all pairs S^1_MC[0−3], S'^1_MC[0−3] that differ only in S^1_MC[0] do
2:   Compute P[0, 5, 10, 15] = SB^{−1} ∘ SR^{−1} ∘ MC^{−1}(S^1_MC[0, 1, 2, 3])
3:   Compute P'[0, 5, 10, 15] analogously
4:   Store the 4-byte pairs in a hash table H_precomp
• 2^24 × 2^16 = 2^40 possible pairs for the 2^24 values of S^1_MC[1, 2, 3] and the 2^16 pairs of S^1_MC[0]
• H_precomp has 2^32 buckets: 2^40 / 2^32 = 2^8 pairs per bucket
Impossible-Differential Attack: Online Phase
1. Choose 2^n structures with 2^{n+79} pairs. For each structure:
   • Ask for the corresponding ciphertexts C_i ← E_K^{T_i}(P_i)
   • Invert the XOR with the final tweak: S^8_AK ← C_i ⊕ T_i
   • Filter for eight zero bytes in ΔS^8_AK
   • Expect 2^{n+79} × 2^{−64} = 2^{n+15} pairs
Impossible-Differential Attack: Online Phase
2. Guess K^8[3, 6, 9, 12] to obtain S^7_MC[12, 13, 14, 15]. Only consider pairs with difference S^7_MC[12, 13, 14, 15] = (0, ∗, 0, 0).
   • Filter of 2^{−24} ⇒ expect 2^{n+15−24} = 2^{n−9} remaining pairs
   • Can be implemented with a look-up table (Lu et al.'08)
3. Guess K^8[0, 7, 10, 13] to obtain S^7_MC[0, 1, 2, 3]. Only consider pairs with difference S^7_MC[0, 1, 2, 3] = (∗, 0, 0, 0).
   • Filter of 2^{−24} ⇒ expect 2^{n−9−24} = 2^{n−33} remaining pairs
   • Also implementable with a look-up table
Impossible-Differential Attack: Online Phase
4. Guess K^7[0, 13] to obtain S^6_AK[0, 1]. Determine the difference in S^6_MC[0, 1, 2, 3] = MC^{−1}(S^6_AK[0, 1]). Only consider pairs with one zero byte in S^6_MC[1, 2, 3].
   • Filter of 2^{−8} × 3 ≈ 2^{−6.4} ⇒ expect 2^{n−33−6.4} ≈ 2^{n−39.4} remaining pairs
Impossible-Differential Attack: Online Phase
5. Initialize a list K of the 2^32 values of K^0[0, 5, 10, 15]. For each of the remaining pairs:
   • Compute ΔP[0, 5, 10, 15] = P_i[0, 5, 10, 15] ⊕ P_j[0, 5, 10, 15]
   • Access the bucket for ΔP[0, 5, 10, 15] in H_precomp, and for each pair (x, y) in the bucket with x ⊕ y = T^i ⊕ T^j, remove from K the key entry P_i[0, 5, 10, 15] ⊕ x
6. If K is not empty, output the values in K along with the guess of K^8[0, 3, 6, 7, 9, 10, 12, 13].
Impossible-Differential Attack: Data Complexity
Boura et al.'15:
  c_in            bit conditions in the in-path (32)
  c_out           bit conditions in the out-path (24 + 24 + 6.4)
  |k_in ∪ k_out|  key bits used in the in- and out-path (112)
  D               number of pairs
The number of pairs must satisfy (1 − 2^{−(c_in + c_out)})^D < 1 / 2^{|k_in ∪ k_out|}.
So we need (1 − 2^{−86.4})^D ≤ 2^{−112}, i.e. 2^{n+15} = D = 2^{93} ⇒ 2^{78} structures of 2^{40} texts, or 2^{118} chosen plaintexts
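The step from the Boura et al. condition to D = 2^{93}, worked out here as an added derivation that is not on the original slide, with the slide's values c_in + c_out = 32 + 24 + 24 + 6.4 = 86.4 and |k_in ∪ k_out| = 112:

$$
(1 - 2^{-86.4})^D \le 2^{-112}
\iff D \cdot \ln(1 - 2^{-86.4}) \le -112 \ln 2
\iff D \ge \frac{112 \ln 2}{-\ln(1 - 2^{-86.4})} \approx 112 \cdot \ln 2 \cdot 2^{86.4} \approx 2^{6.28} \cdot 2^{86.4} \approx 2^{92.7},
$$

using $-\ln(1 - \varepsilon) \approx \varepsilon$ for $\varepsilon = 2^{-86.4}$. Rounding up gives $D = 2^{93}$; since $2^{n+15}$ pairs survive the first filter, $n + 15 = 93$ yields $n = 78$ structures of $2^{40}$ texts, i.e. $2^{78} \cdot 2^{40} = 2^{118}$ chosen plaintexts.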
Impossible-Differential Attack: Time Complexity
• Offline phase: 2 × 2^{40} / 8 · 4/16 ≈ 2^{36} single-round decryptions
• Step 1: 2^{n+40} encryptions
• Step 2: 255 · 2^{n+15} ≈ 2^{n+23} MA (table for K^8[3, 6, 9, 12])
• Step 3: 255 · 255 · 2^{n+15} ≈ 2^{n+31} MA (tables for K^8[3, 6, 9, 12] and K^8[0, 7, 10, 13])
• Step 4: 2^{64} · 2^{n−33} · 3 · 255 ≈ 3 · 2^{n+39} MA (2^{64} guesses of K^8 and a look-up table for K^7[0, 13])
• Step 5: 3 × 2^{n−41} remaining pairs: 1 MA to H_precomp + 1 MA to K on average. This step is repeated 2^{80} times (for each guess of K^8 and K^7): 3 · 2^{n−41} · 2 · 2^{80} = 3 · 2^{n+40} MA
• Exhaustive step: find the remaining 8 bytes of K^8: 2^{64} encryptions
For n = 78:
T ≈ (2^{n+40} + 2^{33}) Enc + (2^{n+23} + 2^{n+31} + 3 · 2^{n+39} + 3 · 2^{n+40}) MA ≈ 2^{118} Enc + 2^{120.2} MA
Impossible-Differential Attack: Data/Memory Complexity
• H_precomp: 2 · 2^{40} · (4 + 4 + 1) < 2^{45} bytes
• Lu et al.: perform the attack for each key guess after Step 2
• Alternative: 2^n structures with 2^{40} texts; 2^{n+23} = 2^{101} suggestions of 2 · 16 plaintexts
• Memory = 2^{45} + 2^{101+5} ≈ 2^{106} bytes or 2^{102} states
Section 5: Boomerang Attack
Boomerang on 8 Rounds: Upper and Lower Trails
[Figure: the upper trail runs from S^1_SB over rounds 1–4 (SB, SR, MC, AddKey with K^2 ⊕ T, K^3 ⊕ T, K^4 ⊕ T) to S^4_SR; the lower trail runs from S^4_SR over rounds 5–7 (K^5 ⊕ T, K^6 ⊕ T, K^7 ⊕ T) to S^7_AK. Wrapping operations: S^0 → AddKey with K^0 ⊕ T → SB at the top, and the final round SB, SR, AddKey with K^8 ⊕ T → S^8 at the bottom.]
Probability:
• Round 3: 2^{−7} for the 2nd pair
• Round 4: (2^{−3.5})^4 per pair
• Round 5: (2^{−3.5})^4 per pair
• Round 7: 2^{−6} per pair
Pr = 2^{−7} · 2^{−28} · 2^{−28} · 2^{−12} = 2^{−75}
2^{79} · 2^{−32} = 2^{47} pairs per structure
⇒ 2^n = 2^{31} structures for 2^3 quartets
Boomerang Attack: Steps
Choose δ' ∈ {0,1}^8 such that a differential 0x01 → δ' with probability 2^{−6} exists through the S-box S, and derive δ = MC((δ', 0, 0, 0))
1. Choose 2^n structures of 2^{40} plaintext-tweak tuples (P, T) each, and request their ciphertexts C
2. Initialize a list for all K^0[0, 5, 10, 15] and K^8[0, 7, 10, 13]
3. For each of the 2^n structures and for each key guess K^8[0, 7, 10, 13]:
   a) For each (C, T_C), derive T_D[1, …, 7] = T_C[1, …, 7] and T_D[0] = T_C[0] ⊕ 0x1. Decrypt the final round of C, apply the δ-shift, and re-encrypt to obtain D
   b) Ask for the plaintexts Q of all 2^{n+40} shifted ciphertexts (D, T_D)
   c) Filter the 2^{n+40} plaintexts (Q, T_D, D, P) for a zero difference in the 12 bytes Q[1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14]: 2^{n+79} · 2^{−96} ≈ 2^{n−17} false-positive colliding pairs (Q, Q') for each candidate K^8
Boomerang Attack: Steps
   d) For each potential quartet (P, P', Q, Q'), derive K^0[0, 5, 10, 15] such that both pairs collide after Round 1. Filter of 2^{−24} ⇒ for each K^8, expect 2^{32} · 2^{n−17} · 2^{−24} = 2^{n−9} quartets on average
• For 2^n = 2^{31} structures: expect 2^3 correct quartets and 2^{22} false positives
• Correct quartets suggest the same 64 bits K^8[0, 7, 10, 13] and K^0[0, 5, 10, 15], but the 2^{22} false-positive quartets are uniformly distributed
• Expect only the correct 64 bits of K^8[0, 7, 10, 13] and K^0[0, 5, 10, 15] to be suggested at least four times, so output the candidate(s) with the highest counters
Boomerang Attack: Time Complexity
• Step 1: 2^{n+40} encryptions
• Step 3a: 2 · 2^{32} · 2^{n+40} · 4/16 · 1/8 = 2^{n+68} en- and decryptions (2^{32} values for K^8, 4/16 bytes, 1/8 rounds)
• Step 3b: 2^{32} · 2^{n+40} = 2^{n+72} full decryptions
• Step 3c: 2^{32} · 2^{n+40} = 2^{n+72} MA
• Step 3d: 2^{32} · 4 · 2^{n−17} · 4/16 = 2^{n+15} single-round decryptions + 2^{n−9} + 2^{n+3} MA
• Exhaustive step: 2^{96} encryptions
The time complexity is approximately (2^{n+40} + 2^{n+68} + 2^{n+72} + 2^{n+12} + 2^{96}) Enc + 2^{n+72} MA ≈ 2^{103.1} Enc + 2^{103} MA
Boomerang Attack: Data and Memory Complexity
• Data complexity: n = 31 ⇒ 2^{n+40} = 2^{71} CP + 2^{32} · 2^{71} = 2^{103} adaptively chosen ciphertexts
• Memory complexity: 2^{40} states plus 2^{64} single-byte key counters = 2^{60} states
Section 6: Results
Results: Computations

Rds.  Attack type    Encr.     MA        Data           Memory   Ref.
7     Integral       2^82      –         2^40 (CP)      2^41     [Dobraunig et al.'16]
7     Integral       2^48.5    –         2^43.6 (CP)    2^41.7   [Dobraunig et al.'16]
8     MitM           2^116     –         2^116 (CP)     2^86     [Tolba et al.'16]
8     Imposs. Diff.  2^118     2^125.2   2^117.6 (CP)   2^101.6  [Abdelkhalek et al.'16]
7     Rectangle      2^79      2^80      2^79 (CP)      2^78     This work (full version)
7     Boomerang      2^65      2^66.6    2^65 (ACC)     2^60     This work (full version)
8     Imposs. Diff.  2^116.1   2^120.2   2^118 (CP)     2^102    This work
8     Boomerang      2^103.1   2^103     2^103 (ACC)    2^60     This work
10    Bicliques      2^125.34  –         2^88 (CC)      2^62     This work (full version)

Table: ACC = chosen plaintexts and adaptive chosen ciphertexts; CP = #chosen plaintexts; (A)CC = #(adaptive) chosen ciphertexts; Encr. = #encryption equivalents; MA = #memory accesses.
Conclusion
• Boomerang attacks on 8 rounds: Kiasu-BC possesses at least one round less security than AES-128
• Impossible-differential attack on 8 rounds: supports that Kiasu-BC does NOT have the same security level as AES-128 for all non-standard differential attacks
Questions?
Weak Keys for AEZ, and the External Key Padding Attack
Bart Mennink
KU Leuven (Belgium) and Radboud University (The Netherlands)
CT-RSA 2017, February 16, 2017
1 / 16
Authenticated Encryption
[Figure: two parties A and B exchanging messages over a channel]
Encryption
• No outsider can learn anything about the data
Authentication
• No outsider can manipulate the data
Authenticated Encryption
[Figure: AE takes key K, nonce N, associated data A and message M, and outputs ciphertext C and tag T]
• Ciphertext C: encryption of the message M
• Tag T: authenticates the associated data A and the message M
• Nonce N: randomizes the scheme
Robust Authenticated Encryption
[Figure: AE with key K and nonce N, mapping (A, M) ↔ (C, T)]
Traditional AE
• Fresh nonce N → random output
• What if the nonce gets misused?
Robust AE
• Uniform random output for every (N, A, M)
AEZ
• By Hoang, Krovetz, Rogaway (2014)
• 3rd round CAESAR submission
• Proven to be a Robust AE
(not named after the wheel, by the way)
AEZ
[Figure: Figure 5 of Hoang, Krovetz, and Rogaway, AEZ v4, "Illustration of AEZ enciphering. Rectangles with pairs of numbers are tweakable blockciphers, the pair being that tweak (the key, always K, is not shown). Top row: enciphering a message M of (32 or more bytes) with AEZ-core. The i-block (top left) is used for the bulk of the message, but the xy-block …" (caption truncated in the extraction). Tweak pairs visible in the picture include (0,0), (0,1), (0,2), (0,4), (0,5), (0,6), (1,1), (1,m), (2,1), (2,m), (−1,1), (−1,2), (−1,4), (−1,5) and (i+2, ·); message blocks M_1, M_1', …, M_m, M_m', M_u, M_v, M_x, M_y map to C_1, C_1', …, C_m, C_m', C_u, C_v, C_x, C_y via intermediate values X_i, Y_i, S, Δ and Δ_i.]
• Internally uses a tweakable blockcipher
Tweakable Blockciphers
[Figure: a blockcipher E with key K maps X to Y; a tweakable blockcipher Ẽ with key K and tweak T maps X to Y]
• Tweak: flexibility to the cipher
• Each tweak gives a different permutation
• Applications: OCBx and 18 CAESAR submissions
Tweakable Blockcipher in AEZ
K = I‖J‖L, T = (j, i)
[Figure: Ẽ_K^T(X) = r-round AES applied to X with subkeys f_0(K, T), f_1(K, T), …, f_{r−1}(K, T), f_r(K, T), each round consisting of SB, SR, MC]
• r-round AES with subkeys derived from (K, T)
• r depends on the tweak value j
Weak Keys for Ẽ, Part 1
• Consider Ẽ for tweak T = (0, i), i ∈ [0..7], with K = I‖J‖L:
  X ⊕ i·I ⊕ J → [SB, SR, MC] → ⊕ I → [SB, SR, MC] → ⊕ L → [SB, SR, MC] → ⊕ 0 → [SB, SR, MC] → Y
• Assume the weak key K = 0‖J‖L: the tweak-dependent offset i·I becomes i·0 = 0
• Ẽ^{0,i}_{0‖J‖L} is independent of i
Weak Keys for Ẽ, Part 2
• Consider Ẽ for tweak T = (j, 0), j ≥ 3, with K = I‖J‖L:
  X ⊕ 2^{j−3}·L ⊕ J → [SB, SR, MC] → ⊕ I → [SB, SR, MC] → ⊕ L → [SB, SR, MC] → ⊕ 0 → [SB, SR, MC] → Y
• Assume the weak key K = I‖J‖0: the tweak-dependent offset 2^{j−3}·L becomes 2^{j−3}·0 = 0 (and the subkey L vanishes as well)
• Ẽ^{j,0}_{I‖J‖0} is independent of j
Weak Keys for Ẽ, Part 3
• Consider Ẽ for tweak T = (−1, i), i ∈ [0..7], with K = I‖J‖L:
  X ⊕ i·J ⊕ I → [SB, SR, MC] → ⊕ L → [SB, SR, MC] → ⋯ → ⊕ I → [SB, SR, MC] → Y
• Assume the weak key K = I‖0‖L: the tweak-dependent offset i·J becomes i·0 = 0
• Ẽ^{−1,i}_{I‖0‖L} is independent of i
Weak Key Attacks on AEZ
Weak key for Ẽ ⇒ weak key for AEZ
In case of weak keys
• Some tweakable blockcipher calls are identical
• The weakness of Ẽ propagates to AEZ
Attacks on AEZ
• in 2 queries if I = 0
• in 1 query if J = 0
• in 2 queries if L = 0
• AEZ can be broken in 5 queries
Weak Key Attack on AEZ (J = 0)
• AEZ encryption for 4 data blocks M_u M_v M_x M_y
• J = 0 ⇒ Ẽ^{−1,4}_{I‖0‖L} = Ẽ^{−1,5}_{I‖0‖L}
• M_u ⊕ C_u = M_v ⊕ C_v
• Unlikely to hold for a Robust AE
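Both the Kiasu-BC tweak injection from the first talk and the weak-key figures of this one come down to where a tweak-derived value is XORed into an AES round, so they can be checked with one small implementation. The following is an added example, written for this page and not code from either talk, from the Kiasu designers or from the AEZ designers. It builds a compact AES-128 round function once and uses it for (a) Kiasu-BC with the tweak in rows 0 and 1 of every round key, including a pair (P, T), (P', T') constructed the way the impossible-differential attack's offline phase does it (inverting MC, SR and SB on column 0), so that the tweak difference cancels the state difference in AddKey of round 1 and round 2 comes for free; and (b) the three tweak families of AEZ's Ẽ drawn in Parts 1–3 above, reporting whether I = 0, L = 0 or J = 0 makes Ẽ ignore its tweak index. Assumed rather than taken from the slides: 16-byte states in AES column-major order, GF(2^128) multiplication for i·I, i·J and 2^{j−3}·L done by AEZ-style doubling, the subkey order of the (−1, i) AES10, and the omission of any further AEZ v4 tweak offsets the figures do not show; the key, tweak, column values and zero filler bytes are constructed inputs.

```python
# Added example, not code from either talk. One compact AES-128 round function backs
# (a) Kiasu-BC plus the round-1 tweak cancellation of the impossible-differential attack,
# and (b) AEZ's E~ as drawn in the weak-key slides. Assumed: 16-byte states in AES
# column-major order; i.I, i.J, 2^(j-3).L are GF(2^128) products via doubling (0x87).

def _mul(a, b):                       # GF(2^8) multiplication, AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _make_sbox():                     # AES S-box: field inverse, then the affine map
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _mul(x, y) == 1), 0)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox

SBOX = _make_sbox()
INV_SBOX, ZERO = [SBOX.index(v) for v in range(256)], [0] * 16

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]
def shift_rows(s):                    # row r rotated left by r, state index = 4*col + row
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def _mixcol(a, m):                    # one column times the circulant matrix with first row m
    return [_mul(m[0], a[i]) ^ _mul(m[1], a[(i + 1) % 4])
            ^ _mul(m[2], a[(i + 2) % 4]) ^ _mul(m[3], a[(i + 3) % 4]) for i in range(4)]
def mix_columns(s, m=(2, 3, 1, 1)):   # m=(14, 11, 13, 9) gives the inverse
    return sum((_mixcol(s[4 * c:4 * c + 4], m) for c in range(4)), [])

def aes_round(s, rk, mc=True):        # SubBytes, ShiftRows, [MixColumns], AddRoundKey
    t = shift_rows([SBOX[b] for b in s])
    return xor(mix_columns(t) if mc else t, rk)

def expand_key(key):                  # AES-128 key schedule: 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _mul(rcon, 2)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# (a) Kiasu-BC: TK_i = K_i ^ T for every round key, T0..T7 filling rows 0 and 1 of the state
def tweak_mask(tweak):
    return [tweak[2 * (p // 4) + p % 4] if p % 4 < 2 else 0 for p in range(16)]

def kiasu_encrypt(key, tweak, pt, rounds=10):
    rks = [xor(rk, tweak_mask(tweak)) for rk in expand_key(key)]
    s = xor(list(pt), rks[0])
    for r in range(1, rounds + 1):
        s = aes_round(s, rks[r], mc=(r != 10))   # an all-zero tweak gives plain AES-128
    return bytes(s)

def kiasu_cancellation(key, tweak, delta, col=(0x11, 0x22, 0x33, 0x44)):
    """(P,T), (P',T') with T'[0] = T[0] ^ delta; P' is built by inverting MC, SR, SB on column 0
    so round-1 MixColumns differs only in byte 0 by delta, which AddKey of round 1 cancels.
    Returns the state differences after rounds 1 and 2."""
    tweaks = (bytes(tweak), bytes([tweak[0] ^ delta]) + bytes(tweak[1:]))
    pts = []
    for tw, c in zip(tweaks, (list(col), [col[0] ^ delta] + list(col[1:]))):
        x = [INV_SBOX[b] for b in _mixcol(c, (14, 11, 13, 9))]  # diagonal bytes before SB
        rk0, p = xor(expand_key(key)[0], tweak_mask(tw)), [0] * 16  # constructed zero filler
        for v, pos in zip(x, (0, 5, 10, 15)):
            p[pos] = v ^ rk0[pos]
        pts.append(bytes(p))
    return [xor(kiasu_encrypt(key, tweaks[0], pts[0], r), kiasu_encrypt(key, tweaks[1], pts[1], r))
            for r in (1, 2)]

# (b) AEZ's E~ for the three tweak families drawn in the weak-key slides
def _times(n, blk):                   # n . blk in GF(2^128) via doubling
    v, r = int.from_bytes(bytes(blk), "big"), 0
    while n:
        r ^= v if n & 1 else 0
        v, n = ((v << 1) & ((1 << 128) - 1)) ^ (0x87 if v >> 127 else 0), n >> 1
    return list(r.to_bytes(16, "big"))

def aez_tbc(I, J, L, j, i, x):        # the (-1,i) AES10 subkey order is an assumption
    if j == 0:                        # X ^ i.I, then AES4 with subkeys J, I, L, 0
        x, keys = xor(x, _times(i, I)), [J, I, L, ZERO]
    elif j >= 3 and i == 0:           # X ^ 2^(j-3).L, then the same AES4
        x, keys = xor(x, _times(1 << (j - 3), L)), [J, I, L, ZERO]
    elif j == -1:                     # X ^ i.J, then AES10
        x, keys = xor(x, _times(i, J)), [I, J, L] * 3 + [I]
    else:
        raise ValueError("tweak family not drawn in the slides")
    for k in keys:                    # AEZ's AES4/AES10: XOR a subkey, then one full round
        x = aes_round(xor(x, k), ZERO)
    return x

def weak_key_report(I, J, L, x):      # per weak-key case: does E~ ignore its tweak index?
    same = lambda vals: len({bytes(v) for v in vals}) == 1
    return {"I=0: E~^{0,i} independent of i": same(aez_tbc(I, J, L, 0, i, x) for i in range(8)),
            "L=0: E~^{j,0} independent of j": same(aez_tbc(I, J, L, j, 0, x) for j in range(3, 11)),
            "J=0: E~^{-1,i} independent of i": same(aez_tbc(I, J, L, -1, i, x) for i in range(8))}
```

With an all-zero tweak, kiasu_encrypt reproduces AES-128 (the FIPS-197 vector with key 00..0f and plaintext 00112233…ff gives 69c4e0d8…c55a). kiasu_cancellation(key, tweak, 0x5A) returns an all-zero difference after round 1 and a difference of 0x5A in byte 0 only after round 2: the tweak difference cancelled the column-0 difference in AddKey of round 1 and re-introduced it in AddKey of round 2, which is the "Round 2 for free" of the impossible-differential attack. weak_key_report(ZERO, J, L, X) flags only the I = 0 case, and analogously for L = 0 and J = 0; with all three subkeys non-zero the eight values of each family are pairwise distinct.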
External Key Padding
[Figure: A and B run a key establishment, settle some key K ∈ {0,1}*, and then use a protocol built on AEZ]
• Key establishment: settle some key K ∈ {0,1}* … and pad it to 384 bits
• AEZ derives its subkey as I‖J‖L ← K if |K| = 384, and BLAKE2b(K) otherwise, and evaluates AEZ for the subkey I‖J‖L
• If originally |K| ≤ 256, the padding yields L = 0, so AEZ is evaluated for the subkey I‖J‖0
• The weak key attack applies if the key establishment is weak
ROBUST
"Robustness characterizes the ability of a construct to be pushed right to the edge of its intended use case (and possibly beyond)."
Barwell, Page, Stam (IMACC, 2015)
Conclusion
Weak Keys for AEZ
• Rare (around 3 per 2^128) but present
• Show structural unsoundness of the underlying TBC
• Practical attacks in case of a weak key
Robustness?
• Robust AE goes beyond Misuse Resistant AE
• The external key padding attack uses AEZ as a black box
• What does robustness mean?
Thank you for your attention!
16 / 16