This shows that the vector is in the correct dual state before being interpreted by the T-box in round $r+1$, and this holds for $1 \le r \le 9$. We can show similarly that the vector being interpreted by the T-boxes of the first round is in the correct dual state.

We ignored the input encodings and the output decodings implemented by type IV tables, because the input decodings before type II tables cancel the output encodings after type III tables.
5 Security Analysis
5.1 Attacking Our Implementation
Billet et al.'s attack supposes that the classical AES constants in InvSubBytes or the InvMixColumns coefficients are known. Knowing the InvSubBytes parameters is helpful for computing $A_0$, whereas the InvMixColumns coefficients, which are based on the four numbers 0x0b, 0x0d, 0x0e, 0x09, are helpful for determining $(L, c)$ and the constants $q_i$. Furthermore, an attacker who is able to guess the mappings $Q_i$ for a round $r$ gets only a shuffled round subkey. To recover the decryption key, the attacker has to guess the mappings for two consecutive rounds. In our implementation, the subkeys for two consecutive rounds are no longer related and were derived from algorithms that use different algebraic structures. Indeed, the InvSubBytes constants and the InvMixColumns coefficients, as well as the constants in the key schedule algorithm, differ for any two rounds depending on the dual cipher used amongst the 61200 possible ones.

An attacker who observes the inputs of all tables in this implementation would have access to the encoded version $y_i = \Delta_{\sigma_r}(x_i)$ of each byte state value $x_i$, $i = 0, \dots, 15$. Here $\Delta_{\sigma_r}$ is a secret linear mapping used as input encoding for the T-boxes $T^{\sigma_r}_{i,j}$. To reconstruct the bytes of the standard AES state, all the combinations have to be checked by calculating $z_i = \Delta_k^{-1}(y_i)$ for $i = 0, \dots, 15$ and $k = 1, \dots, 61200$. Then the attacker repeats the attack of Billet et al. twice for all 61200 possible vector states $(z_0, \dots, z_{15})$. This raises the attack complexity by at least a factor of $2^{16}$ more computation steps, which brings the complexity of the attack to $2^{46}$.
In the context of the Michiels et al. attack, our implementation makes the diffusion operator variable and thus avoids that vulnerability. Indeed, the diffusion operator depends on the varying dual ciphers, which makes steps 2 and 3 of the attack more difficult, i.e. it is more difficult to find out the cascaded $T_i$ and $b_r$, as well as the affine relation between $T_i$ and $IS_i$, by using a linear equivalence solver for matrices. This way the attacker needs to discover more information to realize a successful attack.
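The argument above rests on the InvMixColumns coefficients and the encoding $\Delta$ changing with the dual cipher. The following is an added example, not code from the paper, that builds the field isomorphisms $\Delta$ between the standard AES field and one other representation, shows that the InvMixColumns coefficients 0x0e, 0x0b, 0x0d, 0x09 do not survive the change of representation, and checks that $\Delta$ preserves multiplication (so the dual cipher computes the same function). It assumes a dual cipher fixed only by a choice of irreducible polynomial and root; the paper's 61200 count includes further choices this demo does not model.

```python
# Added example (not the paper's code): how InvMixColumns coefficients and the
# encoding Delta change when AES is rewritten over a dual field. Assumption: the
# dual cipher is fixed by an irreducible polynomial and a root of it only.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the standard AES field
DUAL_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, another irreducible polynomial
INV_MC = (0x0E, 0x0B, 0x0D, 0x09)  # InvMixColumns coefficients in standard AES

def gf_mul(a, b, poly):
    """Multiply two bytes in GF(2^8) reduced by the irreducible `poly`."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def lin_map(x, basis):
    """Apply the GF(2)-linear map that sends bit i of x to basis[i]."""
    v = 0
    for i in range(8):
        if (x >> i) & 1:
            v ^= basis[i]
    return v

def isomorphisms(src_poly, dst_poly):
    """Field isomorphisms Delta: GF(2^8)/src -> GF(2^8)/dst as 256-entry tables,
    one per root t of src_poly in the destination field (Delta(x^i) = t^i)."""
    maps = []
    for t in range(256):
        powers = [1]
        for _ in range(8):
            powers.append(gf_mul(powers[-1], t, dst_poly))
        # t qualifies iff src_poly(t) == 0 in the destination field; src_poly has
        # degree 8, so its x^8 term contributes powers[8] and the rest is linear.
        if lin_map(src_poly & 0xFF, powers) ^ powers[8] == 0:
            maps.append([lin_map(x, powers) for x in range(256)])
    return maps

def dual_coeffs(delta):
    """InvMixColumns coefficients as they appear in the dual cipher."""
    return tuple(delta[c] for c in INV_MC)

def mul_agrees(delta, c, x):
    """Delta(c*x) in the AES field == Delta(c)*Delta(x) in the dual field."""
    return delta[gf_mul(c, x, AES_POLY)] == gf_mul(delta[c], delta[x], DUAL_POLY)
```

An attacker who only knows the standard coefficients cannot read the dual tables directly; recovering $x$ from $y = \Delta(x)$ amounts to inverting the table (`delta.index(y)`), which has to be repeated for every candidate $\Delta_k$.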
5.2 Improving the Resistance
We give in the following a generalization of our construction that provides a better resistance against the attacks. We have shown in Section 4 how to implement 10 different dual ciphers in the same white-box implementation. Indeed, we