algebraic immunity of s boxes and augmented functions
play

Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer - PowerPoint PPT Presentation

Nov 27, 2023 •1.91k likes •2.24k views

Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23 Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application 1: Filter Generators 4

  1. Algebraic Immunity of S-boxes and Augmented Functions Simon Fischer and Willi Meier S. Fischer and W. Meier AI of Sbox and AF 1 / 23

  2. Outline 1 Algebraic Properties of S-boxes 2 Augmented Functions 3 Application 1: Filter Generators 4 Application 2: Trivium S. Fischer and W. Meier AI of Sbox and AF 2 / 23

  3. Part 1 Algebraic Properties of S-boxes S. Fischer and W. Meier AI of Sbox and AF 3 / 23

  4. The S-box Notation : F denotes GF(2), and S is the S-box S : F n → F m Input x = ( x 1 , . . . , x n ), output y = ( y 1 , . . . , y m ), and S ( x ) = y . Scenario : y is known, recover x with algebraic equations. Use equations conditioned by some fixed y : conditional equations (CE). These are equations in x , which holds for all preimages of some y . Can find optimal equation (minimum degree) for each y (Armknecht). S. Fischer and W. Meier AI of Sbox and AF 4 / 23

  5. How to Find Conditional Equations Use matrix approach to find CE’s (Courtois). Example : S-box with n = 3, assume some output y with preimages x = 100 , 110 , 011 , 001. Find linear CE. 1 x 1 x 2 x 3 preimages   1 1 0 0 x = 100 M = 1 1 1 0 x = 110     1 0 1 1 x = 011   1 0 0 1 x = 001 Solution : 0 = 1 + x 1 + x 3 holds for each preimage. S. Fischer and W. Meier AI of Sbox and AF 5 / 23

  6. How to Find Conditional Equations Use matrix approach to find CE’s (Courtois). Example : S-box with n = 3, assume some output y with preimages x = 100 , 110 , 011 , 001. Find linear CE. 1 x 1 x 2 x 3 preimages   1 1 0 0 x = 100 M = 1 1 1 0 x = 110     1 0 1 1 x = 011   1 0 0 1 x = 001 Solution : 0 = 1 + x 1 + x 3 holds for each preimage. S. Fischer and W. Meier AI of Sbox and AF 5 / 23

  7. Theoretical Background Number of preimages: 2 n − m for balanced S-box. Number of monomials: D = � d � n � for degree d . i =0 i Matrix M has 2 n − m rows, and D columns. Number of CE’s corresponds to the dimension of solution space of M . Sufficient condition for existence of CE: 2 n − m < D . If m is parameter: m > m 0 with m 0 := n − log 2 D . Weak output: CE exists though m ≪ m 0 . S. Fischer and W. Meier AI of Sbox and AF 6 / 23

  8. Algorithmic Methods Can find CE’s by setting up and solving M . Bottleneck : finding all preimages takes 2 n steps. Probabilistic algorithm : A random preimage can be found in 2 m . Solve smaller matrix M with a few random preimages . If CE exists, it holds only for fraction p of all 2 n − m preimages. With about D random preimages, p will be very large. Complexity is 2 m D + D 3 . Probabilistic algorithm is efficient for weak outputs. S. Fischer and W. Meier AI of Sbox and AF 7 / 23

  9. Part 2 Augmented Functions S. Fischer and W. Meier AI of Sbox and AF 8 / 23

  10. Situation Stream cipher with update function L , output function f . Update L is linear (e.g. in LFSR) or nonlinear (e.g. in Trivium). S-box in context of stream cipher: augmented function (AF). S m : F n → F m x �→ ( f ( x ) , f ( L ( x )) , . . . , f ( L m − 1 ( x )) S. Fischer and W. Meier AI of Sbox and AF 9 / 23

  11. New Scenarios of Algebraic Attacks Use probabilistic algorithm to find CE’s for AF, recover x . Block size : m is a natural parameter for augmented function S m . Finding preimages : In 2 m for random S-box. AF can have simple structure. Sampling methods in TMTO attacks (Biryukov-Shamir). New algebraic attacks on AF, if : 1 AF has many weak outputs (low-degree CE’s for m ≪ m 0 ). 2 Finding preimages is feasible (for output size m ). S. Fischer and W. Meier AI of Sbox and AF 10 / 23

  12. Part 3 Application: Filter Generators S. Fischer and W. Meier AI of Sbox and AF 11 / 23

  13. Situation LFSR of n bits, and Boolean function f . Algebraic Attacks : � n � f has algebraic immunity e , linearisation requires data. e Gr¨ obner bases need only about n bit data in few cases (experimental results by Faug` ere-Ars). Understand such behavior with augmented function. S. Fischer and W. Meier AI of Sbox and AF 12 / 23

  14. Existence of Equations Experiments : Consider CanFil family (as in Faug` ere-Ars) and Majority function. State of size n = 20, find linear equations where m 0 = 16. Step 1 : Existence of exact equations (by computing all preimages) Example n = 20, fixed setup, CanFil5 = x 1 + x 2 x 3 + x 2 x 3 x 4 x 5 . Output y = 000000 of m = 6 bits. There are 2 14 preimages, and D = 21 monomials in matrix M . M has rank 20, one linear equation exists. The output y = 000000 seems very weak. What about other outputs? What about other setups and functions? S. Fischer and W. Meier AI of Sbox and AF 13 / 23

  15. Exact Equations For n = 20, record overall number of equations (for all y ): Filter m Different setups CanFil1 14 0 0 0 0 0 Linear equations exist only for 15 3139 4211 3071 4601 3844 m about m 0 . CanFil2 14 0 0 0 0 0 15 2136 2901 2717 2702 2456 CanFil5 6 0 0 0 2 0 7 0 0 0 8 0 8 0 0 0 24 0 9 0 0 0 64 0 10 6 0 0 163 0 11 113 0 2 476 0 Linear equations exist already 12 960 16 215 1678 29 Majority5 9 0 0 0 2 0 for m about n/ 2. 10 1 10 1 18 1 11 22 437 40 148 56 Observation 1 : Number of equations mainly depends on filter function. Observation 2 : Experimental results are scalable with n . S. Fischer and W. Meier AI of Sbox and AF 14 / 23

  16. Probabilistic Equations Try to find equations with the probabilistic algorithm. Step 2 : Probabilistic equations (by computing a few random preimages) Example n = 20, fixed setup, CanFil5, y = 000000 of m = 6 bits. Pick instead of all 2 14 preimages only N = 80 random preimages, D = 21. Determine all solutions for much smaller matrix M . Obtained always 2 to 4 solutions, with probability p = 0 . 98 , . . . , 1. Probability impressively large → probabilistic equations useful in attacks. S. Fischer and W. Meier AI of Sbox and AF 15 / 23

  17. Sampling Step 3 : Sampling (efficient computation of random preimages) Filter inversion : Fix k inputs of filter which give correct observed output bit. Repeat for about n/k output bits, until state is unique. Complexity 2 m − n/k to find one preimage, efficient if k is small. Linear sampling : Impose linear conditions on input variables, so that f becomes linear. Solve linear system to find one preimage. With sampling, can find equations for quite large n . Example with CanFil5, n = 80, m = 40. Linear equation in 2 32 for some y . S. Fischer and W. Meier AI of Sbox and AF 16 / 23

  18. Algebraic Attacks Each new low degree equation (found by investigating AF) can serve to reduce data complexity of algebraic attacks. Have identified functions f which show resistance to this approach: Equations exist only for large m , effort of finding preimages is too large. Several other functions f shown to be weak : Many low degree equations can be determined efficiently. In some cases, data complexity can be of order n : Observe n weak outputs and set up n linear equations. S. Fischer and W. Meier AI of Sbox and AF 17 / 23

  19. Part 4 Application: Trivium S. Fischer and W. Meier AI of Sbox and AF 18 / 23

  20. Sampling State of n = 288 bits, nonlinear update, linear output of one bit. Consider AF with n input bits and m consecutive output bits. Use our framework, but how to find preimages for such a large state? Sampling : In first 66 clocks, each keystream bit is linear in initial state bits. Finding preimages for m = 66 obvious. For larger m , use linear sampling: Fix even bits of state, get linear relations in remaining variables. Can find preimages efficiently for m = n/ 2 = 144 or larger. S. Fischer and W. Meier AI of Sbox and AF 19 / 23

  21. Experimental Results Are there additional linear equations beyond the 66 known ones? Example Consider AF of Trivium with m = 144. Choose random output y and find N = 400 preimages. Set up and solve matrix M with N preimages and D = 289 monomials. Result : For different y , get always 66 linear equations. Can go further: Determine preimages for m = 150 with partial search. Still find 66 linear equations for a 150 bit output of consecutive 0’s. Trivium seems resistant against additional linear equations in AF. S. Fischer and W. Meier AI of Sbox and AF 20 / 23

  22. Conclusions S. Fischer and W. Meier AI of Sbox and AF 21 / 23

  23. Conclusions 1 The augmented function of a stream cipher should be checked for conditional equations of low degree. 2 This requires computation of preimages, can be efficient in some cases. 3 Checking successful for a class of filter generators and for Trivium. 4 Efficient algebraic attacks with lower data complexity on certain stream ciphers. Provable resistance of practical stream ciphers against algebraic attacks looks even harder than believed. S. Fischer and W. Meier AI of Sbox and AF 22 / 23

  24. Questions ? S. Fischer and W. Meier AI of Sbox and AF 23 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A New Construction of Boolean Functions with Maximum Algebraic Immunity National University of

A New Construction of Boolean Functions with Maximum Algebraic Immunity National University of

A New Construction of Boolean Functions with Maximum Algebraic Immunity National University of Defense Technology Deshuai Dong 2009-8-26 Outline Preliminaries on Boolean functions Algebraic attacks and Algebraic immunity The

465 views • 46 slides
On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group,

On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group,

On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX ICTEAM/ELEN/Crypto Group, Universit catholique de Louvain, Belgium Latincrypt 2019 Santiago de Chile Wednesday October 2 1 / 15 Table of Contents Introduction Results

670 views • 44 slides
Computing the algebraic immunity efficiently Fr ed eric Didier, Jean-Pierre Tillich INRIA,

Computing the algebraic immunity efficiently Fr ed eric Didier, Jean-Pierre Tillich INRIA,

Computing the algebraic immunity efficiently Fr ed eric Didier, Jean-Pierre Tillich INRIA, projet CODES Outline 1 Introduction 2 A first algorithm 3 A more efficient version 4 Benchmarks Part 1 Introduction Boolean functions and

579 views • 24 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Parliamentary immunity in Poland Contents Introduction immunity in the context of

Parliamentary immunity in Poland Contents Introduction immunity in the context of

Parliamentary immunity in Poland Contents Introduction immunity in the context of constitutional principles Material immunity (irresponsibility) Types of inviolability privileges Immunity procedures Parliamentary practice

733 views • 10 slides
Functions on Finite Fields, Boolean Functions, and S-Boxes Gary McGuire Claude Shannon Institute

Functions on Finite Fields, Boolean Functions, and S-Boxes Gary McGuire Claude Shannon Institute

Functions on Finite Fields, Boolean Functions, and S-Boxes Gary McGuire Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland 1 July, 2013 Gary McGuire Functions on Finite

566 views • 24 slides
BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME!

BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME!

BOXES BOXES PRESENTATION POP-UP GIFT CARD BOXES Boxes are made from recycled board. IMPRINT ME! Custom minimum 500. U.S. Patent #8.47 Standard hot stamping costs do not apply. Call for quote. *Lime Ice and Pearl Pillows cannot be hot

440 views • 4 slides
Portfolio of Work (9 pages) T H E N E X T R E V O L U T I O N I N R E T A I L AUGMENTED

Portfolio of Work (9 pages) T H E N E X T R E V O L U T I O N I N R E T A I L AUGMENTED

T H E N E X T R E V O L U T I O N I N R E T A I L AUGMENTED REALITY (AR) What is Augmented Reality Augmented Leads in Technology Visual Methodology Augmented Reality Forecast Multi-sided Marketing Model

280 views • 25 slides
Noncommutative functions: Algebraic and analytic results Dmitry Kaliuzhnyi-Verbovetskyi 1

Noncommutative functions: Algebraic and analytic results Dmitry Kaliuzhnyi-Verbovetskyi 1

The definition and examples of nc functions NC difference-differential calculus Algebraic and analytic results Noncommutative functions: Algebraic and analytic results Dmitry Kaliuzhnyi-Verbovetskyi 1 Department of Mathematics Drexel

463 views • 23 slides
Boolean Functions, S-Boxes and Evolutionary Algorithms Luca Mariot luca.mariot@unimib.it De

Boolean Functions, S-Boxes and Evolutionary Algorithms Luca Mariot luca.mariot@unimib.it De

University of Milano-Bicocca Department of Informatics, Systems and Communications Boolean Functions, S-Boxes and Evolutionary Algorithms Luca Mariot luca.mariot@unimib.it De Cifris Athesis Local Seminar Trento December 16, 2019 Summary

555 views • 40 slides
Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and

Algebraic attacks and decomposition of Boolean functions Willi Meier 1 and Enes Pasalic 2 and Claude Carlet 2 1 FH Aargau, Switzerland 2 INRIA, Rocquencourt, France Overview Algebraic attacks in general ... and on LFSR-based stream

316 views • 27 slides
An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
Cryptographic Criteria of Boolean Functions and S-Boxes Luca Mariot luca.mariot@unimib.it Guest

Cryptographic Criteria of Boolean Functions and S-Boxes Luca Mariot luca.mariot@unimib.it Guest

University of Milano-Bicocca Department of Informatics, Systems and Communications Cryptographic Criteria of Boolean Functions and S-Boxes Luca Mariot luca.mariot@unimib.it Guest Lecture for Digital Communication Durham March 18, 2019

581 views • 25 slides
Asymptotics of the Coefficients of Bivariate Analytic Functions with Algebraic Singularities

Asymptotics of the Coefficients of Bivariate Analytic Functions with Algebraic Singularities

Asymptotics of the Coefficients of Bivariate Analytic Functions with Algebraic Singularities Torin Greenwood June 9, 2015 AofA15 1 / 33 Overview Goal: Starting with the closed form for a generating function F ( z ), approximate [ z r ]

1.12k views • 78 slides
Physician Peer Review: Ensuring Immunity, Confidentiality and Compliance Preserving Immunity or

Physician Peer Review: Ensuring Immunity, Confidentiality and Compliance Preserving Immunity or

Presenting a live 90-minute webinar with interactive Q&amp;A Physician Peer Review: Ensuring Immunity, Confidentiality and Compliance Preserving Immunity or Leveraging Exceptions, Shielding Documentation, Complying With Statutory and JHACO

1.14k views • 50 slides
The Dynamics of Freight Car Cushioning John F. Deppen Director, Engineering End of Car

The Dynamics of Freight Car Cushioning John F. Deppen Director, Engineering End of Car

The Dynamics of Freight Car Cushioning John F. Deppen Director, Engineering End of Car Systems Amsted Rail 1 Abstract It is typical for railcars to be assembled into a train by coupling individual cars together in a marshalling yard.

553 views • 36 slides
Natural and man-made disasters assessment 1.01 Prof. R. Nagarajan, CSRE , IIT Bombay GNR 639

Natural and man-made disasters assessment 1.01 Prof. R. Nagarajan, CSRE , IIT Bombay GNR 639

GNR 639 GNR 639 : Natural Disaster And Management Lesson 1 Natural and man-made disasters assessment 1.01 Prof. R. Nagarajan, CSRE , IIT Bombay GNR 639 GNR 639 : Natural Disaster And Management Lesson 1.1 Natural and man-made disasters

685 views • 49 slides
Design patterns I : Introduction J.Serrat 102759 Software Design September 29, 2013 References

Design patterns I : Introduction J.Serrat 102759 Software Design September 29, 2013 References

Design patterns I : Introduction J.Serrat 102759 Software Design September 29, 2013 References Books Desing patterns: elements of reusable object oriented software . E. Gamma, R. Helm, R. Johnson, J. Vlissides. Addison Wesley, 1994. Patrones

484 views • 19 slides
1 Biology Fundamentals - Expression Microarrays Transcriptome: Genes Proteome: Proteins Swiss

1 Biology Fundamentals - Expression Microarrays Transcriptome: Genes Proteome: Proteins Swiss

Differential gene expression General Introduction Swiss Institute of Bioinformatics - LF 11.2010 Overview (1) Reminder of biology n Major steps in microarray analysis n Microarray preparation design, clone/probe selection RNA

741 views • 28 slides
Modeling Allocation Strategies for the Initial SARS-CoV-2 Vaccine Supply Rachel B. Slayton, PhD,

Modeling Allocation Strategies for the Initial SARS-CoV-2 Vaccine Supply Rachel B. Slayton, PhD,

Modeling Allocation Strategies for the Initial SARS-CoV-2 Vaccine Supply Rachel B. Slayton, PhD, MPH LCDR, USPHS Data, Analytics, and Modeling Task Force Advisory Committee on Immunization Practices Meeting 8/26/2020 cdc.gov/coronavirus

386 views • 17 slides
SUSTAINING WELLNESS: STRESS, COPING, IMMUNITY &amp; RESILIENCE Christopher Fagundes, Ph.D.

SUSTAINING WELLNESS: STRESS, COPING, IMMUNITY &amp; RESILIENCE Christopher Fagundes, Ph.D.

6/1/2020 SUSTAINING WELLNESS: STRESS, COPING, IMMUNITY &amp; RESILIENCE Christopher Fagundes, Ph.D. Associate Professor, Department of Psychological Sciences, Rice University Courtesy Appointments: Department of Psychiatry, Baylor College of

261 views • 14 slides
Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter

Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter

Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter corelanc0d3r Van Eeckhoutte Corelan Team www.corelan.be @corelanc0d3r Im not a CISSP,CEH,MCSE,A+,OCSE,CCNA,SSCP,CIW,GIAC,R

1.19k views • 63 slides
COVID Crisis Monumental Changes for Health Care 1 MOSHPIT MASKS OUTDOORS SOCIAL DISTANCING

COVID Crisis Monumental Changes for Health Care 1 MOSHPIT MASKS OUTDOORS SOCIAL DISTANCING

COVID Crisis Monumental Changes for Health Care 1 MOSHPIT MASKS OUTDOORS SOCIAL DISTANCING HANDWASHING PERSONAL &amp; PUBLIC RESPONSIBILITY INFORMATION TALKING TO PROFESSIONALS 2 3 Maryland Department of Health 4 UMMC 5 UMMC

350 views • 14 slides

More recommend