applying milp method to searching integral distinguishers
play

Applying MILP Method to Searching Integral Distinguishers Based on - PowerPoint PPT Presentation

Jan 28, 2023 •736 likes •1.5k views

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016.

  1. Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016. Hanoi 1 / 74

  2. Overview Division Property 1 Combining MILP with Division Property 2 Further Study on Division Property Modeling Basic Operations Initial Division Property Objective Function Search Algorithm and Applications 3 Search Algorithm Applications 2 / 74

  3. Division Property Preliminary Definition (Bit-Product Function [Todo, EUROCRYPT 2015]) For any fixed u ∈ ( F n 0 2 × F n 1 n m − 1 2 × · · · × F ), 2 n m − 1 π u ( x ) :( F n 0 2 × F n 1 2 × · · · × F → F 2 ) − 2 n i − 1 m − 1 � � x i [ j ] u i [ j ] ) ( x 0 , x 1 , · · · , x m − 1 ) �− → ( i =0 j =0 3 / 74

  4. Division Property Preliminary Definition (Bit-Product Function [Todo, EUROCRYPT 2015]) For any fixed u ∈ ( F n 0 2 × F n 1 n m − 1 2 × · · · × F ), 2 n m − 1 π u ( x ) :( F n 0 2 × F n 1 2 × · · · × F → F 2 ) − 2 n i − 1 m − 1 � � x i [ j ] u i [ j ] ) ( x 0 , x 1 , · · · , x m − 1 ) �− → ( i =0 j =0 Example: n = 4 , m = 2 u = ( u 0 0 || u 1 0 || u 2 0 || u 3 0 , u 0 1 || u 1 1 || u 2 1 || u 3 1 ) = (0 || 1 || 1 || 0 , 1 || 0 || 1 || 1) x = ( x 0 0 || x 1 0 || x 2 0 || x 3 0 , x 0 1 || x 1 1 || x 2 1 || x 3 1 ) = (0 || 1 || 1 || 1 , 1 || 1 || 0 || 1) π u ( x ) = (0 0 1 1 1 1 1 0 )(1 1 1 0 0 1 1 1 ) = 0 4 / 74

  5. Division Property Preliminary Definition (Bit-Product Function [Todo, EUROCRYPT 2015]) For any fixed u ∈ ( F n 0 2 × F n 1 n m − 1 2 × · · · × F ), 2 n m − 1 π u ( x ) :( F n 0 2 × F n 1 2 × · · · × F → F 2 ) − 2 n i − 1 m − 1 � � x i [ j ] u i [ j ] ) ( x 0 , x 1 , · · · , x m − 1 ) �− → ( i =0 j =0 Example: n = 4 , m = 2 u = ( u 0 0 || u 1 0 || u 2 0 || u 3 0 , u 0 1 || u 1 1 || u 2 1 || u 3 1 ) = (0 || 1 || 1 || 0 , 1 || 0 || 1 || 1) x = ( x 0 0 || x 1 0 || x 2 0 || x 3 0 , x 0 1 || x 1 1 || x 2 1 || x 3 1 ) = (0 || 1 || 1 || 1 , 1 || 1 || 0 || 1) π u ( x ) = (0 0 1 1 1 1 1 0 )(1 1 1 0 0 1 1 1 ) = 0 Definition ([Todo, EUROCRYPT 2015]) Define k � k ∗ if k i ≥ k ∗ i holds for all i = 0 , 1 , · · · , m − 1. Otherwise we denote k � k ∗ . 5 / 74

  6. Division Property Definition Division Property is introduced by Todo at EUROCRYPT 2015, it’s a generalized integral property. 6 / 74

  7. Division Property Definition Division Property is introduced by Todo at EUROCRYPT 2015, it’s a generalized integral property. Definition ( Division Property [Todo, EUROCRYPT 2015]) 2 ) m , and k (i) ∈ { 0 , 1 , · · · , n } m . X has the division property D n , m Let X ⊂ ( F n k (0) , k (1) , ··· , k (q − 1) , if � x ∈ X π u ( x ) = 0 for any � 2 ) m | W ( u ) � k (0) , · · · , W ( u ) � k (q − 1) � ( u 0 , u 1 , · · · , u m − 1 ) ∈ ( F n u ∈ , among which, W ( u ) = (wt( u 0 ) , wt( u 1 ) , · · · , wt( u m − 1 )) . 7 / 74

  8. Division Property Using Division Property 8 / 74

  9. Division Property Using Division Property Construct an input set with division property D n , m K 0 . 1 9 / 74

  10. Division Property Using Division Property Construct an input set with division property D n , m K 0 . 1 Propagate the initial division property r rounds to get the dividion property of 2 r-round output D n , m K r . 10 / 74

  11. Division Property Using Division Property Construct an input set with division property D n , m K 0 . 1 Propagate the initial division property r rounds to get the dividion property of 2 r-round output D n , m K r . Extract some useful integral property from D n , m K r . 3 11 / 74

  12. Division Property Propagations of Division Property 12 / 74

  13. Division Property Propagations of Division Property Copy Xor And [Todo, CRYPTO 2015] [Todo, CRYPTO 2015] [Xiang, IWSEC 2016] F n F n 2 × F n F n 2 × F n F n F n 2 × F n F n − → − → − → 2 2 2 2 2 2 x �− → ( x , x ) ( x 0 , x 1 ) �− → x 0 ⊕ x 1 ( x 0 , x 1 ) �− → x 0 & x 1 X �− → Copy( X ) X �− → Xor( X ) X �− → And( X ) D n D 2 , n D n D n D n D n �− → �− → �− → k ( k 0 , k 1 ) k 0 + k 1 ( k 0 , k 1 ) max( k 0 , k 1 ) (0 , k ) , (1 , k − 1) , ··· , ( k , 0) 13 / 74

  14. Division Property Bit-based Division Property The division property is defined and computed on ( F n 2 ) m . If n = 1, this is the bit-based division property [Todo, FSE 2016]. 14 / 74

  15. Division Property Bit-based Division Property The division property is defined and computed on ( F n 2 ) m . If n = 1, this is the bit-based division property [Todo, FSE 2016]. Advantages Detailed division property Longer distinguishers Better results. 15 / 74

  16. Division Property Bit-based Division Property The division property is defined and computed on ( F n 2 ) m . If n = 1, this is the bit-based division property [Todo, FSE 2016]. Disadvantages Advantages More computation Detailed division property Upper bounded by O (2 n ) Longer distinguishers Only small size cipher. Better results. 16 / 74

  17. Division Property Bit-based Division Property The division property is defined and computed on ( F n 2 ) m . If n = 1, this is the bit-based division property [Todo, FSE 2016]. Disadvantages Advantages More computation Detailed division property Upper bounded by O (2 n ) Longer distinguishers Only small size cipher. Better results. How to compute bit-based division property efficiently? 17 / 74

  18. Combining MILP with Division Property Basic Strategy We will use Mixed Integer Linear Programming (MILP) method to characterize the division property propagations. 18 / 74

  19. Combining MILP with Division Property Basic Strategy We will use Mixed Integer Linear Programming (MILP) method to characterize the division property propagations. Mixed Integer Linear Programming, MILP Minimize or (Maximize) : a T · x Subject To : Mx > = 0 part of or all the variables in x are restricted in integers. 19 / 74

  20. Combining MILP with Division Property Basic Strategy Two issues need to be addressed: 20 / 74

  21. Combining MILP with Division Property Basic Strategy Two issues need to be addressed: 1 Describe the division propagations by linear (in)equalities. 21 / 74

  22. Combining MILP with Division Property Basic Strategy Two issues need to be addressed: 1 Describe the division propagations by linear (in)equalities. 2 Convert search problem to estimate the minimal value of the objective function. 22 / 74

  23. Combining MILP with Division Property Further Study on Division Property Division Trail Definition (Division Trail) Assume the input set to the block cipher has initial division property D n , m , and denote k the division property after i -round encryption by D n , m K i . Thus, we have the following chain of division property propagations: def f r f r f r { k } = K 0 − → K 1 − → K 2 − → · · · For ( k 0 , k 1 , · · · , k r ) ∈ K 0 × K 1 × · · · × K r , if k i − 1 can propagate to k i for all i ∈ { 1 , 2 , · · · , r } by propagation rules, we call ( k 0 , k 1 , · · · , k r ) an r -round division trail . 23 / 74

  24. Combining MILP with Division Property Further Study on Division Property Division Trail Definition (Division Trail) Assume the input set to the block cipher has initial division property D n , m , and denote k the division property after i -round encryption by D n , m K i . Thus, we have the following chain of division property propagations: def f r f r f r { k } = K 0 − → K 1 − → K 2 − → · · · For ( k 0 , k 1 , · · · , k r ) ∈ K 0 × K 1 × · · · × K r , if k i − 1 can propagate to k i for all i ∈ { 1 , 2 , · · · , r } by propagation rules, we call ( k 0 , k 1 , · · · , k r ) an r -round division trail . Proposition The set of the last vectors of all r-round division trails which start with k is equal to K r . 24 / 74

  25. Combining MILP with Division Property Further Study on Division Property Set without Integral Property Proposition (Set without Integral Property) Assume X is a set with division property D 1 , n K , then X does not have integral property if and only if K contains all the n unit vectors. 25 / 74

  26. Combining MILP with Division Property Further Study on Division Property Set without Integral Property Proposition (Set without Integral Property) Assume X is a set with division property D 1 , n K , then X does not have integral property if and only if K contains all the n unit vectors. Given initial division property D n , m and round number r , there doesn’t exist r -round k distinguisher if and only if there exists n division trails which start with the initial division property and ends up with the n different unit vectors. 26 / 74

  27. Combining MILP with Division Property Further Study on Division Property Basic Strategy Two issues need to be addressed: 1 Describe the division propagations by linear (in)equalities. 2 Convert search problem to estimate the minimal value of the objective function. 27 / 74

  28. Combining MILP with Division Property Modeling Basic Operations Modeling Copy 28 / 74

  29. Combining MILP with Division Property Modeling Basic Operations Modeling Copy D n → D 2 , n k �− General Rule: (0 , k ) , (1 , k − 1) , ··· , ( k , 0) . 29 / 74

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

APPLYING THE METHOD APPLYING THE METHOD OF MOMENTS TO OF MOMENTS TO DEVELOP RELIABILITY

APPLYING THE METHOD APPLYING THE METHOD OF MOMENTS TO OF MOMENTS TO DEVELOP RELIABILITY

APPLYING THE METHOD APPLYING THE METHOD OF MOMENTS TO OF MOMENTS TO DEVELOP RELIABILITY DEVELOP RELIABILITY FUNCTION FOR RIGID FUNCTION FOR RIGID PAVEMENTS PAVEMENTS Ivan Damnjanovic & Zhanmin Zhang The University of Texas at Austin

291 views • 25 slides
A hybrid BIE-WOS (Boundary Integral Equation-Random Walk on Spheres) Method for Laplace Equations

A hybrid BIE-WOS (Boundary Integral Equation-Random Walk on Spheres) Method for Laplace Equations

A hybrid BIE-WOS (Boundary Integral Equation-Random Walk on Spheres) Method for Laplace Equations Wei Cai Dept. of Math & Stat. UNC Charlotte NIST 2015-4-15 Outline Domain Decomposition Boundary Integral Equation Probabilistic

796 views • 66 slides
The partial-fractions method for counting solutions to integral linear systems Matthias Beck,

The partial-fractions method for counting solutions to integral linear systems Matthias Beck,

The partial-fractions method for counting solutions to integral linear systems Matthias Beck, MSRI www.msri.org/people/members/matthias/ arXiv: math.CO/0309332 Vector partition functions A an ( m d ) -integral matrix b Z m x

502 views • 25 slides
Total Sport Approach What is TSA ? TSA is an effective integral method including appertaining

Total Sport Approach What is TSA ? TSA is an effective integral method including appertaining

Total Sport Approach What is TSA ? TSA is an effective integral method including appertaining hardware and software components for use of improving management of sport programs Items: - Contains a specific TSA manual - Assessment parameters,

966 views • 10 slides
Applying One-vs-One and One-vs-All Classifiers in k -Nearest Neighbour Method and Support Vector

Applying One-vs-One and One-vs-All Classifiers in k -Nearest Neighbour Method and Support Vector

Oral Presentation at MIE 2011 30th August 2011 Oslo Applying One-vs-One and One-vs-All Classifiers in k -Nearest Neighbour Method and Support Vector Machines to an Otoneurological Multi-Class Problem Kirsi Varpa, Henry Joutsijoki, Kati Iltanen,

502 views • 12 slides
One Method for Expanding TRIZ Application - Applying TRIZ to Products that TRIZ can Hardly be

One Method for Expanding TRIZ Application - Applying TRIZ to Products that TRIZ can Hardly be

One Method for Expanding TRIZ Application - Applying TRIZ to Products that TRIZ can Hardly be Applied to - IDEA Inc. Senior Consultant Yoshiharu Isaka The 10th Japan TRIZ Symposium 2014 Position of presentation theme Even if TRIZ is explained

462 views • 28 slides
A fluctuating boundary integral method for Brownian suspensions Yuanxun Bill Bao 1 Manas Rachh 2

A fluctuating boundary integral method for Brownian suspensions Yuanxun Bill Bao 1 Manas Rachh 2

A fluctuating boundary integral method for Brownian suspensions Yuanxun Bill Bao 1 Manas Rachh 2 Eric Keaveny 3 Leslie Greengard 1 Aleksandar Donev 1 1 Courant Institute, NYU 2 Yale University 3 Imperial College London Complex Creeping Fluids:

560 views • 22 slides
A fluctuating boundary integral method for Brownian suspensions Yuanxun (Bill) Bao Courant

A fluctuating boundary integral method for Brownian suspensions Yuanxun (Bill) Bao Courant

A fluctuating boundary integral method for Brownian suspensions Yuanxun (Bill) Bao Courant Institute, NYU Collaborators: Aleksandar Donev (Courant) Leslie Greengard (Courant) Eric Keaveny (Imperial) Manas Rachh (Yale) SIAM Computational

1.54k views • 45 slides
Applying the data nullspace projection method to a geoacoustic Bayesian inversion in a randomly

Applying the data nullspace projection method to a geoacoustic Bayesian inversion in a randomly

Applying the data nullspace projection method to a geoacoustic Bayesian inversion in a randomly fluctuating shallow-water ocean Ying-Tsong Lin, James F. Lynch and Arthur Newhall Woods Hole Oceanographic Institution, USA Introduction

488 views • 14 slides
Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 , Abhishek Kumar 2 , Eran Lambooij 1 and Somitra Kumar Sanadhya 2 1 University of Haifa, Israel 2 IIT Ropar, India 1 / 7 ISO 3103 Figure: A broken tea cup

676 views • 12 slides
Applying the Optimal Presenter Interpolation Data Assimilation Method to an S-E-I-R-D Model to

Applying the Optimal Presenter Interpolation Data Assimilation Method to an S-E-I-R-D Model to

Maya Mueller Applying the Optimal Presenter Interpolation Data Assimilation Method to an S-E-I-R-D Model to a Simulated Ebola Epidemic and to Forecast the Coronavirus Dr. Bedrich (COVID-19) Pandemic in Nigeria Sousedik Advisor Maya

359 views • 19 slides
MD/PhD Program Vision: To improve human health by applying the scientific method to prevent and

MD/PhD Program Vision: To improve human health by applying the scientific method to prevent and

MD/PhD Program Vision: To improve human health by applying the scientific method to prevent and cure disease. Mission To train the next generation of physician scientists prepared to innovate and transform health care and biomedical

541 views • 10 slides
A Method of Searching for Origins of Cosmic Rays correcting for Galactic Field Deflections and

A Method of Searching for Origins of Cosmic Rays correcting for Galactic Field Deflections and

A Method of Searching for Origins of Cosmic Rays correcting for Galactic Field Deflections and Charge Composition Martin Erdmann, Gero Mller, Martin Urban , Marcus Wirtz martin.urban@rwth-aachen.de Current status Source Searches The Pierre

362 views • 20 slides
1 1. Need a hashing function, h(k), that To provide a unique set of keys: maps key K onto an

1 1. Need a hashing function, h(k), that To provide a unique set of keys: maps key K onto an

Searching A systematic method for locating a record with a key value k j = K. Searching successful search Chapter 9 unsuccessful search sections 9.1-9.4.1 exact match query range query Maps A Simple List-Based Map A

196 views • 7 slides
Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching

Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching

Language and Computers Topic 2: Searching Introduction Text Speech Searching in a Library Catalogue Special characters Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching Operators Improving searching

597 views • 36 slides
Autonomous Mobile Robots Searching Methods By: Alex Morales Graduate Mentor : Joey Durham

Autonomous Mobile Robots Searching Methods By: Alex Morales Graduate Mentor : Joey Durham

Autonomous Mobile Robots Searching Methods By: Alex Morales Graduate Mentor : Joey Durham Faculty Advisor: Francesco Bullo Better Algorithms Design algorithms for better multi-robot coordination Design a Search Algorithms for robots

644 views • 27 slides
Searching for Sustainability: Avalon in the Samvera Community Jon W. Dunn Indiana University

Searching for Sustainability: Avalon in the Samvera Community Jon W. Dunn Indiana University

Searching for Sustainability: Avalon in the Samvera Community Jon W. Dunn Indiana University David Schober Ryan Steans Northwestern University Open Repositories 2019 June 11, 2019 Background: What is Avalon? Open source software system

731 views • 22 slides
Searching from Within: The Challenge of Intraorganizational Recruitment in Specialized Units

Searching from Within: The Challenge of Intraorganizational Recruitment in Specialized Units

Searching from Within: The Challenge of Intraorganizational Recruitment in Specialized Units Mike Mourouzis 14 May 2020 1 The Problem Enlisted Operators in USSOCOM GREEN BERET ENLISTED RECRUITS Active-Duty Enlisted Special Forces

468 views • 25 slides
RESEARCH RESOURCES Spanish for Fluent Speakers Ms. Toledo Fall 2016 WHAT WILL WE LEARN? WHERE

RESEARCH RESOURCES Spanish for Fluent Speakers Ms. Toledo Fall 2016 WHAT WILL WE LEARN? WHERE

RESEARCH RESOURCES Spanish for Fluent Speakers Ms. Toledo Fall 2016 WHAT WILL WE LEARN? WHERE TO FIND INFORMATION Databases Books Images HOW TO CITE INFORMATION HOW TO PRESENT INFORMATION WHAT WILL WE LEARN?

249 views • 21 slides
Searching for the best partners Fraser MacCorquodale General Manager Exploration Disclaimer

Searching for the best partners Fraser MacCorquodale General Manager Exploration Disclaimer

NEWCREST Searching for the best partners Fraser MacCorquodale General Manager Exploration Disclaimer Forward Looking Statements This presentation includes forward looking statements. Forward looking statements can generally be identified by

328 views • 20 slides
Agenda 1. Goal & Challenges 2. AMASE drone swarm simulator 3. Algorithm 4. Example 5.

Agenda 1. Goal & Challenges 2. AMASE drone swarm simulator 3. Algorithm 4. Example 5.

SwarmSense : Effective and Resilient Drone Swarming and Search for Disaster Response and Management Application Cheolmin Jeon, Hanbum Ko, Jeongsoo Ha, Byungman Lee, Bo Ryu Chungnam National University EpiSci Agenda 1. Goal & Challenges

1.1k views • 52 slides
Searching for Explanations for the Gender Gap in STEM: Methodological Approaches from across K-16

Searching for Explanations for the Gender Gap in STEM: Methodological Approaches from across K-16

Searching for Explanations for the Gender Gap in STEM: Methodological Approaches from across K-16 Presentations Linda J. Sax, UCLA Beth Casey, Boston College Karen Kim, CSU Fullerton Breakout groups 1. National datasets 2. Intervention

383 views • 16 slides
Searching for Dark Photons at PHENIX Sam Kohn Physics 290E 15 March 2017 1 What is a dark

Searching for Dark Photons at PHENIX Sam Kohn Physics 290E 15 March 2017 1 What is a dark

Searching for Dark Photons at PHENIX Sam Kohn Physics 290E 15 March 2017 1 What is a dark photon? e + Dark sector doesnt interact (much) with SM particles U e Dark photon U (or A ) q analogous to SM photon U Hypothesized

165 views • 15 slides

More recommend