Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack
Alfonso De Gregorio wrote:

> The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337

On 7/21/10 at 11:49 AM, d...@cs.berkeley.edu (David Wagner) wrote, with some drastic editing which I hope doesn't change David's meaning:

> For what it's worth, I read Vincent Rijmen's paper ... as written with tongue embedded firmly in cheek: I took it as a serious argument, hidden behind some gentle humor. ... Personally, I found it an effective communication style. I thought the point came across very clearly. And, I have to admit I enjoyed seeing someone having a spot of fun with what can otherwise be a somewhat dry topic. I thought it was brilliantly done.

My favorite paper in this style is one which has not (yet) been published. It turns out that at one time there were at least three Mark Millers active in computer science. One of them, cced above, wanted to publish a paper:

    Global Names Considered Harmful
    by Mark Miller, Mark Miller, and Mark Miller

And the paper really doesn't need to go any further than this.

Cheers - Bill

---
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack
Alfonso De Gregorio wrote:

> The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337

Jonathan Katz wrote:

> Err...I read that paper by Rijmen as a bit of a joke. I think he was poking fun at some of these unrealistic attack models.

Alfonso De Gregorio wrote:

> Now, I expect the unusual nature of the attack model might stir up a lively discussion. My post was soliciting comments in this regard.

For what it's worth, I read Vincent Rijmen's paper in the same way as Jonathan Katz. I don't think it's intended to be taken at face value; if you took it seriously, one of us needs to read it again. Rather, I saw it as written with tongue embedded firmly in cheek: I took it as a serious argument, hidden behind some gentle humor.

Vincent Rijmen could have written a sober, systematic critique of the direction some of the field has gone in, carefully explaining in great detail why some recent attack models are unrealistic. That would have been the safe, standard, and somewhat boring way to present such an argument. But instead Rijmen wrote a one-page lighthearted piece that implicitly makes its point -- without ever having to come out and say it -- by taking this research direction to its absurd extreme and showing us all where it leads to. It follows in a long intellectual tradition of saying the opposite of what you mean -- of arguing with a straight face what is self-evidently a ridiculous position -- and trusting in the intelligence of the reader to draw the obvious conclusions.

Personally, I found it an effective communication style. I thought the point came across very clearly. And, I have to admit I enjoyed seeing someone having a spot of fun with what can otherwise be a somewhat dry topic. I thought it was brilliantly done.

Sorry to be unable to provide any lively discussion. I think Vincent Rijmen's paper makes the point well, and I don't have anything to add.
Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack
Quoting Jonathan Katz:

> On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:
>
>> The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337
>
> Err...I read that paper by Rijmen as a bit of a joke. I think he was poking fun at some of these unrealistic attack models.

Dear Jonathan,

Thanks for your email. It is the only comment received so far and is greatly appreciated! I've been off the net for a much needed holiday and unable to reply within the time I would have liked to. I'm sorry.

I can't speak for him, of course. Only Rijmen can tell and I'm adding his address in cc. Yet, I believe his emphasis was on the existence of zero-query attacks on symmetric encryption primitives -- he says the attack is zero-query as the adversary does not need to observe the ciphertext the encryption oracle would output.

Now, I expect the unusual nature of the attack model might stir up a lively discussion. My post was soliciting comments in this regard.

Still, I would like to respectfully disagree wrt the objectives given to the paper, as to me the chosen-text relations model of analysis appears to be interesting and relevant. There are two scenarios worth investigating:

Zero query

The first one is the plausibility and power of the chosen-text relations model of analysis as presented in his paper. I believe there might be applications endangered by zero-query attacks. I claim this might be the case of white-box implementations; and I could be wrong.

No roll back

The second scenario arises when we consider the avenues of analysis provided by chosen-text relations if we revoke the adversary's ability to roll back the encryption. If we do that, we restore the analysis model to a variant of the DFA, where the attacker can query both oracles. So, no zero-query but still chosen-text relations to be exploited.

In the fault attacks setting, we expect from encryption primitives secure under related-key attacks resistance to attempts to recover the secret key by attackers tampering with the stored secret and observing the outputs of the cryptographic primitive under the modified key (interesting in this regard is the paper by Bellare and Cash at the upcoming Crypto on PRFs and PRPs providing RKA-security). In a similar way, it would be fascinating to have symmetric encryption primitives secure under related-plaintext attacks (RPA). They would provide resistance to attackers tampering with interim data, observing faulty ciphertext and querying the decryption oracle, before engaging in the key extraction step. (Of course, from the implementation side, fault tolerance techniques could be employed to protect crypto modules from attacks exploiting chosen-text relations.)

Thanks again.

Cheers,
alfonso

--
Alfonso De Gregorio, http://Crypto.lo.gy
Re: A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack
On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:

> The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337

Err...I read that paper by Rijmen as a bit of a joke. I think he was poking fun at some of these unrealistic attack models.
A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack
The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive:

Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337

I believe the related-subkey model is an interesting model to look at and, with this email, I would like to solicit comments from the community about chosen-text relations attacks and their implications. For example, this model might be pretty relevant while attacking white-box implementations of the target encryption algorithm with embedded secret key, assuming the ability to tamper with at least 1 bit of the round output (debugging...).

A Fault Attack

In order to further solicit comments, I would like to contribute a fault attack construction based on the chosen-text relations attack.

First, it is worth noting how the zero-query attack provided by chosen-text-relations-in-the-middle can be transformed into an attack with a single query to both the encryption and decryption oracles. It is possible to do so by resuming the interrupted encryption after applying the specific difference delta to the state (i.e., no rollback anymore) and querying the decryption oracle. More specifically:

- halt the computer in the middle of execution of an encryption routine;
- apply the specific difference delta to the state;
- resume the encryption and output the ciphertext c*;
- query the decryption oracle with c* and retrieve the modified plaintext p*.
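As an added illustration (not code from this thread or from Rijmen's paper) of the "no rollback" steps above and of the fault-tolerance remark in Alfonso's reply, the following models the difference delta being XORed into the interim state of a constructed toy 16-bit SPN after a chosen round, and shows a re-decryption check that withholds the faulty ciphertext c* so the decryption oracle never receives it. The cipher, its S-box and its 3-bit-rotation key schedule are hypothetical choices made for this example and are not AES.

```python
# Constructed toy 16-bit SPN for illustration only (not AES); S-box and the
# 3-bit-rotation key schedule are hypothetical choices made for this example.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 4

def round_keys(key):
    ks = []
    for _ in range(ROUNDS + 1):
        ks.append(key)
        key = ((key << 3) | (key >> 13)) & 0xFFFF
    return ks

def sub(x, box):  # apply a 4-bit S-box to each nibble of the state
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))

def perm(x):  # bit transposition 4a+b -> 4b+a, its own inverse
    return sum(((x >> i) & 1) << (4 * (i % 4) + i // 4) for i in range(16))

def encrypt(p, key, fault=None):
    # fault=(r, delta) models the attacker halting after round r, XORing delta
    # into the interim state and resuming: the "no rollback" variant.
    ks = round_keys(key)
    s = p ^ ks[0]
    for r in range(1, ROUNDS + 1):
        s = sub(s, SBOX)
        if r < ROUNDS:
            s = perm(s)
        s ^= ks[r]
        if fault and fault[0] == r:
            s ^= fault[1]
    return s

def decrypt(c, key):
    ks = round_keys(key)
    s = c
    for r in range(ROUNDS, 0, -1):
        s ^= ks[r]
        if r < ROUNDS:
            s = perm(s)
        s = sub(s, INV_SBOX)
    return s ^ ks[0]

def protected_encrypt(p, key, fault=None):
    # Fault-tolerance check: re-decrypt before releasing the ciphertext. A result
    # computed from a tampered interim state fails the check and is withheld
    # (None), so the attacker never obtains c* to submit to the decryption oracle.
    c = encrypt(p, key, fault)
    return c if decrypt(c, key) == p else None
```

Without the check, c* decrypts to a p* that differs from p, which is exactly the related-plaintext pair the last step of the construction collects.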