[145359] in cryptography@c2.net mail archive
Re: A Fault Attack Construction Based On Rijmen's Chosen-Text
daemon@ATHENA.MIT.EDU (Alfonso De Gregorio)
Wed Jul 21 13:03:41 2010
Date: Tue, 20 Jul 2010 22:45:59 +0200
From: Alfonso De Gregorio <adg@crypto.lo.gy>
To: Jonathan Katz <jkatz@cs.umd.edu>
Cc: cryptography@metzdowd.com, Vincent.Rijmen@esat.kuleuven.be
In-Reply-To: <Pine.GSO.4.64.1007091422330.13420@ringding.cs.umd.edu>
Quoting Jonathan Katz <jkatz@cs.umd.edu>:
> On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:
>
>> Last Thursday, Vincent Rijmen announced a new clever attack on
>> AES (and KASUMI) in a report posted to the Cryptology ePrint
>> Archive: Practical-Titled Attack on AES-128 Using Chosen-Text
>> Relations, http://eprint.iacr.org/2010/337
>
> Err...I read that paper by Rijmen as a bit of a joke. I think he was
> poking fun at some of these unrealistic attack models.
Dear Jonathan,
Thanks for your email. It is the only comment received so far and is
greatly appreciated!
I've been off the net for a much needed holiday and unable to reply
within the time I would have liked to. I'm sorry.
I can't speak for him, of course. Only Rijmen can tell, and I'm adding
his address in cc.
Yet, I believe his emphasis was on the existence of zero-query attacks
on symmetric encryption primitives -- he says the attack is
zero-query as the adversary does not need to observe the ciphertext
the encryption oracle would output.
Now, I expect the unusual nature of the attack model might stir up a
lively discussion. My post was soliciting comments in this regard.
Still, I would like to respectfully disagree with respect to the objectives given
to the paper, as to me the chosen-text relations model of analysis
appears to be interesting and relevant. There are two scenarios worth
investigating:
Zero query
The first one is the plausibility and power of the chosen-text
relations model of analysis as presented in his paper. I believe
there might be applications endangered by zero-query attacks.
I claim this might be the case for white-box implementations; and I
could be wrong.
No roll back
The second scenario arises when we consider the avenues of
analysis provided by chosen-text relations if we revoke the
adversary's ability to roll back the encryption. If we do that, we
restore the analysis model to a variant of the DFA, where the
attacker can query both oracles. So, no zero-query, but still
chosen-text relations to be exploited.
In the fault attacks setting, we expect from encryption primitives
secure under related-key attacks resistance to attempts to recover the
secret key by attackers tampering with the stored secret and observing
the outputs of the cryptographic primitive under the modified key
(interesting in this regard is the paper by Bellare and Cash at the
upcoming Crypto on PRFs and PRPs providing RKA-security).
In a similar way, it would be fascinating to have symmetric encryption
primitives secure under related-plaintext attacks (RPA). They would
provide resistance to attackers tampering with interim data, observing
faulty ciphertexts and querying the decryption oracle, before engaging
in the key extraction step. (Of course, from the implementation side,
fault tolerance techniques could be employed to protect crypto modules
from attacks exploiting chosen-text relations.)
Thanks again.
Cheers,
alfonso
--
Alfonso De Gregorio, http://Crypto.lo.gy