boomerang distinguisher for the simd 512 compression
play

Boomerang Distinguisher for the SIMD-512 Compression Function - PowerPoint PPT Presentation

Nov 15, 2023 •11 likes •741 views

Institute for Applied Information Processing and Communications (IAIK) Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad Institute for Applied Information Processing and Communications (IAIK) Graz

  1. Institute for Applied Information Processing and Communications (IAIK) Boomerang Distinguisher for the SIMD-512 Compression Function Florian Mendel and Tomislav Nad Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria Tomislav.Nad@iaik.tugraz.at Tomislav Nad 13.12.2011 Indocrypt 2011 1

  2. Institute for Applied Information Processing and Communications (IAIK) Outline SHA-3 Competition 1 2 SIMD Higher-Order Differentials and Boomerangs 3 4 Distinguisher for SIMD-512 Permutation Distinguisher for SIMD-512 Compression Function 5 6 Conclusions Tomislav Nad 13.12.2011 Indocrypt 2011 2

  3. Institute for Applied Information Processing and Communications (IAIK) Outline SHA-3 Competition 1 2 SIMD Higher-Order Differentials and Boomerangs 3 4 Distinguisher for SIMD-512 Permutation Distinguisher for SIMD-512 Compression Function 5 6 Conclusions Tomislav Nad 13.12.2011 Indocrypt 2011 3

  4. Institute for Applied Information Processing and Communications (IAIK) SHA-3 Competition Organized by NIST [Nat07] Successor for SHA-1 and SHA-2 64 submissions 51 round 1 candidates 14 round 2 candidates 5 finalists Tomislav Nad 13.12.2011 Indocrypt 2011 4

  5. Institute for Applied Information Processing and Communications (IAIK) Outline SHA-3 Competition 1 2 SIMD Higher-Order Differentials and Boomerangs 3 4 Distinguisher for SIMD-512 Permutation Distinguisher for SIMD-512 Compression Function 5 6 Conclusions Tomislav Nad 13.12.2011 Indocrypt 2011 5

  6. Institute for Applied Information Processing and Communications (IAIK) SIMD Is a Message Digest[LBF08] Designed by Ga¨ etan Leurent, Charles Bouillaguet and Pierre-Alain Fouque Round 2 candidate Message block SIMD-256: 512 bits SIMD-512: 1024 bits Inner state (wide-pipe) SIMD-256: 16 32-bit words SIMD-512: 32 32-bit words Tomislav Nad 13.12.2011 Indocrypt 2011 6

  7. Institute for Applied Information Processing and Communications (IAIK) The SIMD Hash Function Similar to Chop-MD Internal state is twice as large as the output Output transformation: truncation T | M | M 1 M 2 M 3 M l C C C C C ′ H ( m ) IV T Tomislav Nad 13.12.2011 Indocrypt 2011 7

  8. Institute for Applied Information Processing and Communications (IAIK) The SIMD Compression Function (1/2) Modified Davis-Meyer H i − 1 construction M Expanded message size: 8 · blocksize Strong security in the M message expansion E P H i Tomislav Nad 13.12.2011 Indocrypt 2011 8

  9. Institute for Applied Information Processing and Communications (IAIK) The SIMD Compression Function (2/2) Based on a Feistel structure; similar to MD5 SIMD-256: 4 times the step function in parallel SIMD-512: 8 times the step function in parallel 32 steps plus 4 steps in the feed-forward Tomislav Nad 13.12.2011 Indocrypt 2011 9

  10. Institute for Applied Information Processing and Communications (IAIK) Update Function at Step t A t − 1 B t − 1 C t − 1 D t − 1 i i i i Φ t w t ≪ r t i ≪ s t A t − 1 pt ( i ) ≪ r t A t B t C t D t i i i i Tomislav Nad 13.12.2011 Indocrypt 2011 10

  11. Institute for Applied Information Processing and Communications (IAIK) Update Function at Step t A t − 1 B t − 1 C t − 1 D t − 1 A t i =( D t − 1 ⊞ w t i ⊞ Φ( A t − 1 , B t − 1 , C t − 1 )) i i i i i i i i ≪ s t ⊞ ( A t − 1 p t ( i ) ≪ r t ) Φ t B t i = A t − 1 ≪ r t w t ≪ r t i i i = B t − 1 C t ≪ s t i D t i = C t − 1 A t − 1 pt ( i ) ≪ r t i Φ is either IF or MAJ A t B t C t D t i i i i Tomislav Nad 13.12.2011 Indocrypt 2011 10

  12. Institute for Applied Information Processing and Communications (IAIK) Results on SIMD-512 Distinguisher Mendel and Nad [MN09] Full compression function (complexity: 2 427 ) → tweaked! Nikoli´ c et al. [INS10] 12 out of 32 steps (complexity: 2 236 ) Yu and Wang [YW11] Full compression function (complexity: 2 398 ) Free-start near-collision Yu and Wang [YW11] 24 out of 32 steps (complexity: 2 208 ) Tomislav Nad 13.12.2011 Indocrypt 2011 11

  13. Institute for Applied Information Processing and Communications (IAIK) Our Contribution Application of Higher-Order Differentials to SIMD-512 Non-random properties for the permutation of SIMD-512 Extend technique to overcome the feed-forward of SIMD-512 Non-random properties for the compression function of SIMD-512 Tomislav Nad 13.12.2011 Indocrypt 2011 12

  14. Institute for Applied Information Processing and Communications (IAIK) Outline SHA-3 Competition 1 2 SIMD Higher-Order Differentials and Boomerangs 3 4 Distinguisher for SIMD-512 Permutation Distinguisher for SIMD-512 Compression Function 5 6 Conclusions Tomislav Nad 13.12.2011 Indocrypt 2011 13

  15. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differentials Introduced by Lai in [Lai94] First applied to block ciphers by Knudsen [Knu94] Recently applied to SHA-2 [BLMN11] and several SHA-3 candidates BLAKE [BNR11], Hamsi [BC10], Keccak [BC10], Luffa [WHYK10], ... Tomislav Nad 13.12.2011 Indocrypt 2011 14

  16. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differentials: Basic Definitions Definition Let ( S , +) and ( T , +) be abelian groups. For a function f : S → T , the derivative at a point a 1 ∈ S is defined as ∆ ( a 1 ) f ( y ) = f ( y + a 1 ) − f ( y ) . The i -th derivative of f at ( a 1 , a 2 , . . . , a i ) is then recursively defined as ∆ ( a 1 ,..., a i ) f ( y ) = ∆ ( a i ) (∆ ( a 1 ,..., a i − 1 ) f ( y )) . Tomislav Nad 13.12.2011 Indocrypt 2011 15

  17. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differentials: Basic Definitions Definition A differential of order i for a function f : S → T is an ( i + 1 ) -tuple ( a 1 , a 2 , . . . , a i ; b ) such that ∆ ( a 1 ,..., a i ) f ( y ) = b . Tomislav Nad 13.12.2011 Indocrypt 2011 16

  18. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differential Collision When applying differential cryptanalysis to a hash function, a collision for the hash function corresponds to a pair of inputs with output difference zero. Tomislav Nad 13.12.2011 Indocrypt 2011 17

  19. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differential Collision When applying differential cryptanalysis to a hash function, a collision for the hash function corresponds to a pair of inputs with output difference zero. Definition An i -th-order differential collision for f : S → T is an i -tuple ( a 1 , a 2 , . . . , a i ) together with a value y such that ∆ ( a 1 ,..., a i ) f ( y ) = 0 . Tomislav Nad 13.12.2011 Indocrypt 2011 17

  20. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differential Collision When applying differential cryptanalysis to a hash function, a collision for the hash function corresponds to a pair of inputs with output difference zero. Definition An i -th-order differential collision for f : S → T is an i -tuple ( a 1 , a 2 , . . . , a i ) together with a value y such that ∆ ( a 1 ,..., a i ) f ( y ) = 0 . Note that the common definition of a collision for hash functions corresponds to a higher-order differential collision of order i = 1. Tomislav Nad 13.12.2011 Indocrypt 2011 17

  21. Institute for Applied Information Processing and Communications (IAIK) Complexity What is the query complexity of a differential collision of order i ? From the definition before we see that we can freely choose i + 1 of the input parameters which then fix the remaining ones ⇒ Query complexity: ≈ 2 n / ( i + 1 ) Tomislav Nad 13.12.2011 Indocrypt 2011 18

  22. Institute for Applied Information Processing and Communications (IAIK) Complexity What is the query complexity of a differential collision of order i ? From the definition before we see that we can freely choose i + 1 of the input parameters which then fix the remaining ones ⇒ Query complexity: ≈ 2 n / ( i + 1 ) Note that the complexity might be much higher in practice than this bound for the query complexity. Tomislav Nad 13.12.2011 Indocrypt 2011 18

  23. Institute for Applied Information Processing and Communications (IAIK) Higher-Order Differential Collision for Block Cipher based Compression Functions Observation For any block-cipher-based compression function with which can be written in the form f ( y ) = E ( y ) + L ( y ) , where L is a linear function with respect to + , an i -th-order differential collision for the block cipher transfers to an i -th-order collision for the compression function for i ≥ 2. Tomislav Nad 13.12.2011 Indocrypt 2011 19

  24. Institute for Applied Information Processing and Communications (IAIK) Compression Function Constructions M j H j − 1 M j H j − 1 E M j H j − 1 E E H j H j H j Matyas-Meyer- Davies-Meyer Miyaguchi-Preneel Oseas Tomislav Nad 13.12.2011 Indocrypt 2011 20

  25. Institute for Applied Information Processing and Communications (IAIK) Second-order Differential Collision Second-order differential collision: f ( y ) − f ( y + a 2 ) + f ( y + a 1 + a 2 ) − f ( y + a 1 ) = 0 Tomislav Nad 13.12.2011 Indocrypt 2011 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer Illiac IV (first SIMD) Sponsored by DARPA, built by various Cray-1 (vector processor, not a SIMD) companies, assembled by Burroughs,

227 views • 4 slides
SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer Illiac IV (first SIMD) Sponsored by DARPA, built by various Cray-1 (vector processor, not a SIMD) companies, assembled by Burroughs,

82 views • 6 slides
Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic

Check Yourself Before You Wreck Yourself Auditing and Improving the Performance of Boomerang Nic Jansma njansma@akamai.com @nicj Why are we here today? Boomerang: an open-source Real User Monitoring (RUM) third-party library

645 views • 41 slides
SIMD+ Overview Illiac IV History Early machines First massively

SIMD+ Overview Illiac IV History Early machines First massively

SIMD+ Overview Illiac IV History Early machines First massively parallel (SIMD) computer Illiac IV (first SIMD) Sponsored by DARPA, built by various Cray-1 (vector processor, not a SIMD)

183 views • 4 slides
Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C 1

Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C 1

Introduction New Distinguisher Application to PRESENT Conclusion Known-Key Distinguisher on Full PRESENT eline Blondeau 1 Thomas Peyrin 2 Lei Wang 2 , 3 C 1 Aalto University, Finland 2 Nanyang Technological University, Singapore 3 Shanghai Jiao

434 views • 32 slides
Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang

Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang

Boomerang Connectivity Table Revisited Ling Song 1,2 , Xianrui Qin 3 , Lei Hu 2 1. Nanyang Technological University, Singapore 2. Institute of Information Engineering, CAS, China 3. Shandong University, China FSE 2019 @ Paris Boomerang Attacks

483 views • 37 slides
Parallel Programming and Heterogeneous Computing SIMD: Integrated Accelerators Max Plauth, Sven

Parallel Programming and Heterogeneous Computing SIMD: Integrated Accelerators Max Plauth, Sven

Parallel Programming and Heterogeneous Computing SIMD: Integrated Accelerators Max Plauth, Sven Khler , Felix Eberhardt, Lukas Wenzel, and Andreas Polze Operating Systems and Middleware Group 1 SIMD ParProg 2019 SIMD: Integrated

832 views • 48 slides
Module 5.1 Thread Execusion Efficiency Warps and SIMD Hardware Objective To understand

Module 5.1 Thread Execusion Efficiency Warps and SIMD Hardware Objective To understand

GPU Teaching Kit Accelerated Computing Module 5.1 Thread Execusion Efficiency Warps and SIMD Hardware Objective To understand how CUDA threads execute on SIMD Hardware Warp partitioning SIMD Hardware Control divergence 2

132 views • 12 slides
On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University

On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University

On the Boomerang Uniformity of Cryptographic Sboxes Christina Boura and Anne Canteaut University of Versailles, France Inria Paris, France FSE 2019, Paris Boomerang attacks [Wagner 99] Combine differentials for two sub-ciphers: a E 0 d

634 views • 19 slides
SIMD Programming CS 240A, 2017 1 Flynn* Taxonomy, 1966 In 2013, SIMD and MIMD most common

SIMD Programming CS 240A, 2017 1 Flynn* Taxonomy, 1966 In 2013, SIMD and MIMD most common

SIMD Programming CS 240A, 2017 1 Flynn* Taxonomy, 1966 In 2013, SIMD and MIMD most common parallelism in architectures usually both in same system! Most common parallel processing programming style: Single Program Multiple Data

599 views • 31 slides
Automatic SIMD vectorization for Haskell Leaf Petersen, Dominic Orchard , Neal Glew ICFP 2013 -

Automatic SIMD vectorization for Haskell Leaf Petersen, Dominic Orchard , Neal Glew ICFP 2013 -

Automatic SIMD vectorization for Haskell Leaf Petersen, Dominic Orchard , Neal Glew ICFP 2013 - Boston, MA, USA Work done at Intel Labs SIMD Trend towards parallel architectures (multi-core & instruction-level parallelism) SIMD:

559 views • 29 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Welcome! INFOMOV Lecture 5 SIMD (1) 2 Meanwhile, on ars technica INFOMOV

Welcome! INFOMOV Lecture 5 SIMD (1) 2 Meanwhile, on ars technica INFOMOV

/INFOMOV/ Optimization & Vectorization J. Bikker - Sep-Nov 2019 - Lecture 5: SIMD (1) Welcome! INFOMOV Lecture 5 SIMD (1) 2 Meanwhile, on ars technica INFOMOV Lecture 5 SIMD (1) 3 Meanwhile, the job

578 views • 38 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Architecture without explicit locks for logic Importance Of Simulation simulation on SIMD

Architecture without explicit locks for logic Importance Of Simulation simulation on SIMD

SIMD simulation M. Chimeh, P. Cockshott Architecture without explicit locks for logic Importance Of Simulation simulation on SIMD machines Simulation Algorithms Circuit Representation M. Chimeh P. Cockshott SIMD Simulation Department

414 views • 23 slides
Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview

Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview

Homotopy and Directed Type Theory: a Sample Dan Doel October 24, 2011 Type Theory Overview Judgments ctx A type M : A Families , x : A B ( x ) type Inference 1 J 1 2 J 2 Type Theory Overview

415 views • 27 slides
Search for production of a Higgs boson and a single top quark Ken Bloom for the CMS

Search for production of a Higgs boson and a single top quark Ken Bloom for the CMS

Search for production of a Higgs boson and a single top quark Ken Bloom for the CMS Collaboration 1 August 2017 At the bottom We all know the five favorite Higgs production mechanisms and tend to forget about another The SM cross

459 views • 14 slides
Multi-channel streaming for medical and multimedia industry applications and multimedia industry

Multi-channel streaming for medical and multimedia industry applications and multimedia industry

Multi-channel streaming for medical and multimedia industry applications and multimedia industry applications Ji Halk 1 , Michal Krsek 1 , Pavel Pe iva 2 , Sven Ubik 1 , Petr ejdl 1 1 CESNET 2 MNUL 1 CESNET, 2 MNUL 3rd E2E Workshop

533 views • 22 slides
Agenda Introductions & Housekeeping Overview Basics of FEMA Form 81-31 NORFMA

Agenda Introductions & Housekeeping Overview Basics of FEMA Form 81-31 NORFMA

Elevation Certificates Training 11/14/2013 Agenda Introductions & Housekeeping Overview Basics of FEMA Form 81-31 NORFMA Floodplain Conference Building Diagrams November 14, 2013 Exercise Boise, Idaho Common Errors

354 views • 18 slides
L4. @, ry Es<c*, 2' P.l! r * Re.,.ru/ /-r'o'"1 i 3,r - 3.6 ,, 5,2, s.tr, S,s Scc

L4. @, ry Es<c*, 2' P.l! r * Re.,.ru/ /-r'o'"1 i 3,r - 3.6 ,, 5,2, s.tr, S,s Scc

\l L4. @, ry Es<c*, 2' P.l! r * Re.,.ru/ /-r'o'"1 i 3,r - 3.6 ,, 5,2, s.tr, S,s Scc r (lhertar tv*t F!) pc"Ller,s 6 * 4/e boofrr, //o c*loul'.tts rotat , {c ; 6'1 seo& , 6.2 * lfo'eworl( ?, 0ul ot'

565 views • 19 slides
Virtual Memory: Systems 15-213: Introduc0on to Computer Systems

Virtual Memory: Systems 15-213: Introduc0on to Computer Systems

Carnegie Mellon Virtual Memory: Systems 15-213: Introduc0on to Computer Systems 16 th Lecture, Oct. 19, 2010 Instructors: Randy Bryant and Dave OHallaron

668 views • 33 slides
Approachability Theory and Differential Games Sylvain Sorin UPMC-Paris 6 Ecole Polytechnique

Approachability Theory and Differential Games Sylvain Sorin UPMC-Paris 6 Ecole Polytechnique

Approachability Theory and Differential Games Sylvain Sorin UPMC-Paris 6 Ecole Polytechnique sorin@math.jussieu.fr Sixi` emes Journ ees Franco-Chiliennes dOptimisation 19-21 mai 2008 Universit e du Sud Toulon-Var Sylvain Sorin

1.4k views • 105 slides
1 Last class: Operating system structure and basics Today: Process Management 2

1 Last class: Operating system structure and basics Today: Process Management 2

1 Last class: Operating system structure and basics Today: Process Management 2 Why Processes? We have programs, so why do we need processes? 3 Overview Questions that we explore How are processes created? From

770 views • 33 slides

More recommend