Analyse de primitives symétriques (Analysis of symmetric primitives)


1. Analyse de primitives symétriques (Analysis of symmetric primitives)
Pierre Karpman, Inria Saclay & Rennes
Thesis prepared at École polytechnique and Nanyang Technological University, under the supervision of Daniel Augot, Pierre-Alain Fouque and Thomas Peyrin
Palaiseau, 2016–11–18
2016–11–18 · Analyse de primitives symétriques · 1/53 · Pierre Karpman

2. Outline
▸ Introduction
▸ New linear mappings for block ciphers
▸ Practical freestart collisions for the full SHA-1
▸ Conclusion

3. Motivating cryptography


8. A hierarchy of cryptographic components
A protocol (e.g. TLS) uses, among others:
▸ A key exchange algorithm (e.g. Diffie-Hellman) — “public-key” cryptography
  ▸ instantiated with a secure group (e.g. ANSSI FRP256V1)
▸ An authenticated-encryption mode of operation (e.g. GCM) — “symmetric-key” cryptography
  ▸ instantiated with a secure block cipher (e.g. the AES)
▸ A digital signature algorithm (e.g. ECDSA) — “public-key” + “symmetric-key” cryptography
  ▸ instantiated with a secure group and a secure hash function (e.g. SHA-3)

9. Primitive-centered crypto in a nutshell
▸ Design new primitives
  ▸ Fast, lightweight, quantum-resistant (isogeny-based, etc.), ...
▸ Analyse new proposals
▸ Analyse standards
  ▸ AES, SHA-{1,2,3}, ...

10. Focus of this thesis
We studied various aspects of
▸ design
▸ analysis
▸ implementation
of block ciphers and hash functions.

11. List of publications
▸ Efficient and Provable White-Box Primitives, with Pierre-Alain Fouque, Paul Kirchner and Brice Minaud, ASIACRYPT 2016
▸ Freestart collision for full SHA-1, with Thomas Peyrin and Marc Stevens, EUROCRYPT 2016
▸ Key-Recovery Attacks on ASASA, with Patrick Derbez, Pierre-Alain Fouque and Brice Minaud, ASIACRYPT 2015
▸ From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour, ISC 2015
▸ Practical Free-Start Collision Attacks on 76-step SHA-1, with Thomas Peyrin and Marc Stevens, CRYPTO 2015
▸ Higher-Order Differential Meet-in-The-Middle Preimage Attacks on SHA-1 and BLAKE, with Thomas Espitau and Pierre-Alain Fouque, CRYPTO 2015
▸ Diffusion Matrices from Algebraic-Geometry Codes with Efficient SIMD Implementation, with Daniel Augot and Pierre-Alain Fouque, SAC 2014


13. Outline
▸ Introduction
▸ New linear mappings for block ciphers
▸ Practical freestart collisions for the full SHA-1
▸ Conclusion

14. Block ciphers
Block cipher: a mapping $E : K \times M \to C$ such that for all $k \in K$, $E(k, \cdot)$ is invertible and both $E(k, \cdot)$ and $E^{-1}(k, \cdot)$ are efficiently computable.
In most cases:
▸ $M = C = \{0, 1\}^n$, $n \in \{64, 128\}$
▸ $K = \{0, 1\}^{\kappa}$, $\kappa \in \{64, 80, 128, 256\}$

15. Security of block ciphers
▸ Ideal block cipher
▸ Key-recovery security
▸ Differential cryptanalysis (Biham and Shamir, 1990): exploit statistical properties of $x \mapsto E(k, x) \oplus E(k, x \oplus \Delta)$

16. Substitution-Permutation-Network block ciphers
SPN round function: $R = A \circ S$
▸ $S$ is the parallel application of $s$ $b$-bit S-boxes
▸ $A$ is an affine transformation over $\mathbb{F}_2^n$, $n = s \times b$

17. An SPN round function in a picture
[Diagram: the $n$-bit input $x$ (here $n = 7 \times b$) is split into seven $b$-bit words; each word goes through an S-box $S$; the seven $b$-bit outputs are regrouped into $n$ bits and pass through $A$, giving the output $y$.]

18. The wide-trail strategy (Daemen, 1995)
▸ Use structure in $A$ and $S$ to lower-bound the number of active S-boxes in a differential characteristic or linear approximation
▸ Introduce a notion of diffusion for a round function
▸ Canonical example: the AES (Daemen & Rijmen, 2002)

19. New linear mappings for block ciphers
Diffusion Matrices from Algebraic-Geometry Codes with Efficient SIMD Implementation, with Daniel Augot and Pierre-Alain Fouque, SAC 2014

20. The objective
▸ Find $A$ over $\mathbb{F}_{2^b}^{s}$ with very good diffusion, with $b$ small (i.e. 4)
A diffusion measure: the branch number (Daemen, 1995). Let $M \in \mathcal{M}_s(\mathbb{F}_{2^b})$, $x \in \mathbb{F}_{2^b}^{s}$, and let $\mathrm{wt}(x)$ be the number of non-zero coordinates of $x$.
The differential branch number of $M$ is $\min_{x \neq 0} \left( \mathrm{wt}(x) + \mathrm{wt}(Mx) \right)$.
The linear branch number of $M$ is $\min_{x \neq 0} \left( \mathrm{wt}(x) + \mathrm{wt}(M^{t}x) \right)$.

21. Branch number & minimal distance
▸ $M \in \mathcal{M}_s(\mathbb{F}_{2^b})$ has differential branch number $d$ ⇔ $[\, I_s \mid M \,]$ generates a $[2s, s, d]_{\mathbb{F}_{2^b}}$ code
▸ Singleton bound: $d$ is at most $s + 1$; equality ⇒ MDS code, MDS matrix
▸ MDS conjecture: there is no $[2s, s, s+1]_{\mathbb{F}_{2^b}}$ MDS code with $2s > 2^b$
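The following Python is an added example, not code from the thesis or from the SAC 2014 paper; it makes slides 15, 18, 20 and 21 concrete on a toy scale. It computes the difference distribution table of a 4-bit S-box (the S-box specified for PRESENT is used simply as a convenient public one), brute-forces the differential and linear branch numbers of 4×4 matrices over GF(2^4) for the identity and for a Cauchy matrix (a standard MDS construction, not a matrix from the thesis), and combines the two into the wide-trail bound on a two-round characteristic. GF(2^4) is built on x^4 + x + 1; every function name here is this example's own.

```python
"""Branch number of a diffusion matrix over GF(2^4) and its effect on
two-round differential characteristics (slides 15, 18, 20, 21).

Added example, not code from the thesis or the SAC 2014 paper.  Assumptions:
GF(2^4) is built on x^4 + x + 1 (0x13); the S-box is the one specified for
PRESENT (Bogdanov et al., 2007); the MDS matrix is a Cauchy matrix built
below, not a matrix from the thesis.
"""
from fractions import Fraction
from functools import reduce
from itertools import product
from operator import xor

IRRED = 0x13  # x^4 + x + 1


def gf16_mul(a, b):
    """Product of two elements of GF(2^4) given as 4-bit integers."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:      # degree reached 4: reduce modulo x^4 + x + 1
            a ^= IRRED
    return r

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]  # 16x16 table

def gf16_inv(a):
    """Inverse of a non-zero element, by exhaustive search over 15 candidates."""
    return next(c for c in range(1, 16) if MUL[a][c] == 1)

# Slide 15: statistics of x -> S(x) ^ S(x ^ delta) for one S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts the x with
    sbox[x] ^ sbox[x ^ din] == dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def max_diff_prob(sbox):
    """Probability of the best non-trivial differential through the S-box."""
    best = max(v for row in ddt(sbox)[1:] for v in row)   # skip din = 0
    return Fraction(best, len(sbox))

# Slides 20 and 21: branch numbers of M over GF(2^4) by exhaustive search.
def weight(v):
    """wt(v): number of non-zero coordinates."""
    return sum(1 for c in v if c)

def matvec(M, x):
    """y = M x over GF(2^4)."""
    return [reduce(xor, (MUL[m][xi] for m, xi in zip(row, x)), 0) for row in M]

def branch_number(M):
    """Differential branch number: min over x != 0 of wt(x) + wt(M x)."""
    return min(weight(x) + weight(matvec(M, x))
               for x in product(range(16), repeat=len(M)) if any(x))

def linear_branch_number(M):
    """Linear branch number: the same minimum for the transpose M^t."""
    return branch_number([list(col) for col in zip(*M)])

def cauchy_matrix(a, b):
    """M[i][j] = 1 / (a_i + b_j).  With distinct a_i, distinct b_j and no
    a_i + b_j == 0, every minor is non-zero, so M is MDS (branch number s+1)."""
    return [[gf16_inv(ai ^ bj) for bj in b] for ai in a]

def two_round_bound(p_sbox, branch):
    """Wide-trail bound: a two-round characteristic through R = A o S with
    A = M activates at least `branch` S-boxes, so its probability is at
    most p_sbox ** branch."""
    return p_sbox ** branch

IDENTITY_4 = [[int(i == j) for j in range(4)] for i in range(4)]
MDS_4 = cauchy_matrix([0x0, 0x1, 0x2, 0x3], [0x4, 0x5, 0x6, 0x7])

if __name__ == "__main__":
    p = max_diff_prob(PRESENT_SBOX)
    print("best S-box differential probability:", p)
    for name, M in (("identity", IDENTITY_4), ("Cauchy (MDS)", MDS_4)):
        d, l = branch_number(M), linear_branch_number(M)
        print(f"{name}: differential {d}, linear {l}, "
              f"two-round bound {two_round_bound(p, d)}")
```

The identity matrix has both branch numbers equal to 2, the worst possible value: a single active S-box in one round can stay a single active S-box in the next. The Cauchy matrix reaches the Singleton bound s + 1 = 5, so with a 4-bit S-box whose best differential has probability 1/4 no two-round characteristic can exceed (1/4)^5 = 2^-10. For s = 16 and b = 4 the same exhaustive search is out of reach (16^16 vectors), which is why slide 21 goes through coding theory: the branch number is read off the minimum distance of the code generated by [I | M] instead.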

22. The idea
▸ Take for $A$ a single $M$ with high branch number (SHARK structure, Rijmen et al., 1996)
▸ For $b = 4$, $s \geq 16$ (block size $\geq 64$), $M$ cannot be MDS
▸ ⇒ Use algebraic-geometry codes: trade length for minimal distance (Goppa, 1981), (Tsfasman, Vlăduț, Zink, 1982)

23. AG codes
AG codes as evaluation codes:
▸ Say we want an $[n, k]_{\mathbb{F}_q}$ code
  1. Let $X$ be a smooth plane curve of genus $g$ with $\#X(\mathbb{F}_q) > n$
  2. Inject $\mathbb{F}_q^{k}$ into $L(rP)$, of dimension $k$, with $P \in X(\mathbb{F}_q)$
  3. $C(m)$ is the evaluation of $m$ on $n$ distinct points of $X \setminus \{P\}$
  4. For well-chosen $n$ and $k$, $r = k - 1 + g$ (Riemann-Roch) ⇒ $\mathrm{wt}(C(m \neq 0)) \geq n - (k - 1 + g)$
▸ ⇒ the minimum distance is $g$ less than MDS, but $X$ can be chosen such that $\#X(\mathbb{F}_q) > q + 1$

24. A concrete AG code
▸ Let $X$ be the curve of equation $x^5 = y^2 z^3 + y z^4$ in $\mathbb{P}^2(\mathbb{F}_{2^4})$
▸ It is a maximal curve of genus 2 and has 33 points
▸ ⇒ We can define a $[32, 16, 15]_{\mathbb{F}_{2^4}}$ code $C$
▸ This gives many (up to 32!) $M \in \mathcal{M}_{16}(\mathbb{F}_{2^4})$ of differential branch number 15
▸ The dual also has minimum distance 15 ⇒ $M$ has linear branch number 15

25. Implementation matters
For $M$ to be used as $A$ in a block cipher, we need:
▸ Efficient implementations of multiplication by $M$...
▸ ...that are “constant-time”, to protect against side-channel attacks
Thus we:
▸ Defined good vectorized algorithms for $\times M$ using pshufb
▸ Optimized the structure of $M$ for faster multiplication
A cost function for $\times M$: the number of pshufb
▸ Combinatorial in nature
▸ Low cost can be obtained if $M$ is generated by a single row

26. Tuning $M$ for fast implementations
▸ Idea: use the automorphisms of $C$ to find a circulant $M$
▸ Result: no luck, but still got an $M$ generated by 8 rows (cost 52)
▸ Second idea: randomly sample many generating matrices ($\approx 2^{38}$)
▸ Result: found many matrices of cost 43
