SB
Uploaded bySrilal Buddika
PDF, PPTX494 views

Cryptanalytic timing attacks 2

This document summarizes a timing attack against the IDEA block cipher. It describes how precise timing measurements of encryptions can reveal information about the secret key. The attack analyzes timing differences between encryptions to determine when operations like multiplication involve a zero value. This leaks key bits over multiple rounds of the analysis. The attack can recover the full 128-bit key without knowledge of the plaintext.

Embed presentation

Download as PDF, PPTX
Cryptanalytic Timing Attacks against IDEA Product block cipher (Ref: "Side Channel Cryptanalysis of Product Ciphers" by John Kelsey , Bruce Schneier , David Wagner , and Chris Hall in September 1998 ) Srilal Buddika
Outline 1.Motivation 2.About IDEA 3.IDEA Block Cipher Design 4.Cryptanalytic History on IDEA 5.Timing Attack against IDEA 6.Conclusion 7.Discussion 2
3About IDEA IDEAstands for International Data Encryption Algorithm (1991) IDEA is Block Cipher Block Size : 64 bits Key Size : 128 bits 8Rounds + Output Transformation (half-round) WhyIDEA ? The algorithm was designed to achieve high data throughput for use in real-time communications system, especially for wireless communication
4IDEA Block Cipher Design (1) RoundStructure Additionmodulo216 BitwiseexclusiveOR Multiplicationmodulo216+1
IDEA Block Cipher Design (2) 5 Stage–1ofaRound
6IDEA Block Cipher Design (3) SecondStageoftheround
7IDEA Block Cipher Design (4) OutputTransformation(half-round)
8IDEA Block Cipher Design (5) KeyGeneration KeySize=128bit Sub-keySize=16bit i.e.SimplyKeydividedintoeightpieces Algorithm: 1.Take1steightsub-keys 2.Thenrotatethekey25bitstotheleft 3.Repeatthestep-1
9 Cryptanalytic History on IDEA Consideredasreallysecure BestattackcanbreakIDEAreducedto6rounds(FullIDEA=8.5rounds) WeakKeyproblemwithtoomany0-bits(ExposedtoSide-ChannelAttacks)
10 IDEAcanbecryptanalyzedwithapieceofside-channelinformation E.g.Whetheroneoftheinputsintooneofthemultiplicationsiszero Timingscanbeacquiredintwosimpleways: 1.The cryptanalyst makes extremely precise timings of each encryption (A Ciphertext-Only Timing Attack) 2.The cryptanalyst measures total time to encrypt many similar plaintext blocks at a time (An Adaptive Chosen Plaintext Timing Attack) Timing Attack against IDEA (1)
11Timing Attacks against IDEA (2) Attacking Scenario 1.Recordprecisetimingsfornencryptions.AlsostoretheresultingciphertextblocksandletT0..n-1bethetimings,andC0..n-1betheciphertextblocks. 2.Grouptheciphertextblocksandtimingsinto216subsets,basedonthelow- order16bitsoftheoutput. 3.Testtheaveragetimesofeachgroupagainsttheaveragetimesofallthegroupsstatistically,tofindwhetheroneofthesetshas(withsomeacceptablyhighprobability)aloweraveragethantheothersets. 4.Ifso,thentheinputstothelastmultiplyoftheoutputtransformationmusthavebeen0forallinputsinthatset.Hencesolveforthelastmultiplicativesub-key.
12Timing Attacks against IDEA (3) 5.Ifthereisnodifference,theneitherwe'vechosensomeparameters(i.e.,n) wrong,orthesub-keyisa0. 6.Repeatsteps2-3,above,forthehigh-order16bitsandsolvethefirstmultiplicativesub-keyoftheoutputtransformation.Wenowhave32bitsofexpandedkey. 7.Wenowattackthesecondadditivesub-keyintheoutputtransformation. Foreachpossiblevalueofthissub-key,welookatwhichciphertextblocksleadustoazerovaluegoingintothefirstmultiplicationofthelastround'sMAbox. 8.Foroneofthesesub-keyguesses,theaveragetimingshouldbelessthanforalltheothersub-keyguesses.Thisrevealstherightsub-key. 9.Ifthereisnodifference,theneitherwe'vechosensomeparameterswrong, orthefirstsub-keyintheMA-boxiszero.Wehavenowrecovered48bitsofexpandedkey.
13Timing Attacks against IDEA (4) 10.Wenowattackthefirstadditivesub-keyintheoutputtransformation,andthefirstsub-keyintheMA-box.Wedothisasfollows: Breaktheciphertextblocksandtimingsupinto216subsetsbasedonthevalueoftheleftmost(first)inputtotheMA-box Foreachpossiblesub-keyvalueforthefirstadditivesub-keyoftheoutputtransformation,breakeachsubsetupinto216sub-subsets,basedonwhatthevalueofthesecondMA-boxinputwouldbeifthisweretherightsub-key Fortherightsub-key,eachsubsetwillhaveonesub-subsetwhichhasasmallertimingvaluethanalltheothersub-subsetsinthatsubset.Wehavenowfound64bitsofsub-key Wenowchooseanythreeofthesesub-subsets,andusethemtosolveforthefirstmultiplicativesub-keyoftheMA-box.Wehavenowfound80bitsofsub- key Finally,wecanbrute-force/exhaustivesearchtheremaining48bits.(Therearealsootherwaystocontinuethisattack)
Conclusion14 ThiskindofattackmightalsobepracticalforrecoveringthekeyfromaCipherswhichalwaysencryptsunderthesameIDEAkey.Thecryptanalystortheattackerdoesnotneedtoknowanythingabouttheplaintextforthisattack,butmustalwaysknowpreciselywhentheencryptionstartedandwhenitendedwiththecollectedciphertextblocks. There'ssomethingimportanttoknowthat,thisisnottheonlysidechannelthatcandiscoverthiskindofinformationbutthingslikeradiationandpowerconsumptioncanalsoleakthismultiply-by-zerocondition.
Thank You ! 15

More Related Content

PDF
ReWArDS: Reconfigurable hardWare for Artificial intelligence and Data Science
byNECST Lab @ Politecnico di Milano
 
PPTX
Cryptanalytic timing attacks 1
bySrilal Buddika
 
PPT
Encryption Attacks Side-Channel Attack..
byMohammed_Nagieb
 
PPTX
Information and data security cryptanalysis method
byMazin Alwaaly
 
PPTX
Idea
byOuissem eddine Amir BOUDOUR
 
PDF
Introducing an Encryption Algorithm based on IDEA
byInternational Journal of Science and Research (IJSR)
 
PPTX
Idea alogorithim
bySachinMaithani1
 
PDF
Presentation about RSA
bySrilal Buddika
 
ReWArDS: Reconfigurable hardWare for Artificial intelligence and Data Science
byNECST Lab @ Politecnico di Milano
 
Cryptanalytic timing attacks 1
bySrilal Buddika
 
Encryption Attacks Side-Channel Attack..
byMohammed_Nagieb
 
Information and data security cryptanalysis method
byMazin Alwaaly
 
Idea
byOuissem eddine Amir BOUDOUR
 
Introducing an Encryption Algorithm based on IDEA
byInternational Journal of Science and Research (IJSR)
 
Idea alogorithim
bySachinMaithani1
 
Presentation about RSA
bySrilal Buddika
 

Recently uploaded

PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Agent Factory -AIOUG Multicloud - Feb 2026
bySandesh Rao
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Workflow and decision Automation with Flowable
bychakib ch
 

Featured

PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
Skeleton Culture Code
bySkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Getting into the tech field. what next
byTessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 

Cryptanalytic timing attacks 2

  • 1.
    Cryptanalytic Timing Attacksagainst IDEA Product block cipher (Ref: "Side Channel Cryptanalysis of Product Ciphers" by John Kelsey , Bruce Schneier , David Wagner , and Chris Hall in September 1998 ) Srilal Buddika
  • 2.
    Outline 1.Motivation 2.AboutIDEA 3.IDEA Block Cipher Design 4.Cryptanalytic History on IDEA 5.Timing Attack against IDEA 6.Conclusion 7.Discussion 2
  • 3.
    3About IDEA IDEAstandsfor International Data Encryption Algorithm (1991) IDEA is Block Cipher Block Size : 64 bits Key Size : 128 bits 8Rounds + Output Transformation (half-round) WhyIDEA ? The algorithm was designed to achieve high data throughput for use in real-time communications system, especially for wireless communication
  • 4.
    4IDEA Block CipherDesign (1) RoundStructure Additionmodulo216 BitwiseexclusiveOR Multiplicationmodulo216+1
  • 5.
    IDEA Block CipherDesign (2) 5 Stage–1ofaRound
  • 6.
    6IDEA Block CipherDesign (3) SecondStageoftheround
  • 7.
    7IDEA Block CipherDesign (4) OutputTransformation(half-round)
  • 8.
    8IDEA Block CipherDesign (5) KeyGeneration KeySize=128bit Sub-keySize=16bit i.e.SimplyKeydividedintoeightpieces Algorithm: 1.Take1steightsub-keys 2.Thenrotatethekey25bitstotheleft 3.Repeatthestep-1
  • 9.
    9 Cryptanalytic Historyon IDEA Consideredasreallysecure BestattackcanbreakIDEAreducedto6rounds(FullIDEA=8.5rounds) WeakKeyproblemwithtoomany0-bits(ExposedtoSide-ChannelAttacks)
  • 10.
    10 IDEAcanbecryptanalyzedwithapieceofside-channelinformation E.g.Whetheroneoftheinputsintooneofthemultiplicationsiszero Timingscanbeacquiredintwosimpleways: 1.The cryptanalyst makes extremely precise timings of each encryption (A Ciphertext-Only Timing Attack) 2.The cryptanalyst measures total time to encrypt many similar plaintext blocks at a time (An Adaptive Chosen Plaintext Timing Attack) Timing Attack against IDEA (1)
  • 11.
    11Timing Attacks againstIDEA (2) Attacking Scenario 1.Recordprecisetimingsfornencryptions.AlsostoretheresultingciphertextblocksandletT0..n-1bethetimings,andC0..n-1betheciphertextblocks. 2.Grouptheciphertextblocksandtimingsinto216subsets,basedonthelow- order16bitsoftheoutput. 3.Testtheaveragetimesofeachgroupagainsttheaveragetimesofallthegroupsstatistically,tofindwhetheroneofthesetshas(withsomeacceptablyhighprobability)aloweraveragethantheothersets. 4.Ifso,thentheinputstothelastmultiplyoftheoutputtransformationmusthavebeen0forallinputsinthatset.Hencesolveforthelastmultiplicativesub-key.
  • 12.
    12Timing Attacks againstIDEA (3) 5.Ifthereisnodifference,theneitherwe'vechosensomeparameters(i.e.,n) wrong,orthesub-keyisa0. 6.Repeatsteps2-3,above,forthehigh-order16bitsandsolvethefirstmultiplicativesub-keyoftheoutputtransformation.Wenowhave32bitsofexpandedkey. 7.Wenowattackthesecondadditivesub-keyintheoutputtransformation. Foreachpossiblevalueofthissub-key,welookatwhichciphertextblocksleadustoazerovaluegoingintothefirstmultiplicationofthelastround'sMAbox. 8.Foroneofthesesub-keyguesses,theaveragetimingshouldbelessthanforalltheothersub-keyguesses.Thisrevealstherightsub-key. 9.Ifthereisnodifference,theneitherwe'vechosensomeparameterswrong, orthefirstsub-keyintheMA-boxiszero.Wehavenowrecovered48bitsofexpandedkey.
  • 13.
    13Timing Attacks againstIDEA (4) 10.Wenowattackthefirstadditivesub-keyintheoutputtransformation,andthefirstsub-keyintheMA-box.Wedothisasfollows: Breaktheciphertextblocksandtimingsupinto216subsetsbasedonthevalueoftheleftmost(first)inputtotheMA-box Foreachpossiblesub-keyvalueforthefirstadditivesub-keyoftheoutputtransformation,breakeachsubsetupinto216sub-subsets,basedonwhatthevalueofthesecondMA-boxinputwouldbeifthisweretherightsub-key Fortherightsub-key,eachsubsetwillhaveonesub-subsetwhichhasasmallertimingvaluethanalltheothersub-subsetsinthatsubset.Wehavenowfound64bitsofsub-key Wenowchooseanythreeofthesesub-subsets,andusethemtosolveforthefirstmultiplicativesub-keyoftheMA-box.Wehavenowfound80bitsofsub- key Finally,wecanbrute-force/exhaustivesearchtheremaining48bits.(Therearealsootherwaystocontinuethisattack)
  • 14.
  • 15.