conditional cube attacks on keccak p based constructions
play

Conditional Cube Attacks on Keccak - p Based Constructions Ling - PowerPoint PPT Presentation

Nov 14, 2022 •159 likes •614 views

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

  1. Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30

  2. Outlines 1 Keccak 2 Conditional Cube Attacks 3 New MILP Model for Searching Conditional Cubes 4 Main Results L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 2 / 30

  3. Outline 1 Keccak 2 Conditional Cube Attacks 3 New MILP Model for Searching Conditional Cubes 4 Main Results L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 3 / 30

  4. SHA-3 ( Keccak ) Hash Function The sponge construction [BDPV11] b -bit permutation f The message is padded and then split into r -bit blocks. L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 3 / 30 Two parameters: bitrate r , capacity c , and b = r + c .

  5. Keccak Permutation http://www.iacr.org/authors/tikz/ ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi 4 / 30 steps: each round R consists of five 24 rounds of 64-bit lanes, 1600 bits: seen as a 5 × 5 array A [ x , y ] , 0 ≤ x , y < 5 Row Lane Column Slice R = ι ◦ χ ◦ π ◦ ρ ◦ θ χ : the only nonlinear operation

  6. Keccak Permutation http://keccak.noekeon.org/ The Column Parity kernel L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 5 / 30 Round function: ι ◦ χ ◦ π ◦ ρ ◦ θ θ step: adding two columns to the current bit C [ x ] = A [ x , 0] ⊕ A [ x , 1] ⊕ A [ x , 2] ⊕ A [ x , 3] ⊕ A [ x , 4] D [ x ] = C [ x − 1] ⊕ ( C [ x + 1] ≪ 1) A [ x , y ] = A [ x , y ] ⊕ D [ x ] ◮ If C [ x ] = 0 , 0 ≤ x < 5 , then the state A is in the CP kernel.

  7. Keccak Permutation 21 10 43 25 39 41 45 15 8 20 18 2 61 56 14 L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 3 6 / 30 55 28 http://keccak.noekeon.org/ 1 62 0 27 36 44 6 Round function: ι ◦ χ ◦ π ◦ ρ ◦ θ ρ step: lane level rotations, A [ x , y ] = A [ x , y ] ≪ r [ x , y ] Rotation offsets r [ x , y ] x = 0 x = 1 x = 2 x = 3 x = 4 y = 0 y = 1 y = 2 y = 3 y = 4

  8. Keccak Permutation L. Song, J. Guo, D. Shi ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions 7 / 30 Round function: ι ◦ χ ◦ π ◦ ρ ◦ θ π step: permutation on lanes 0,0 1,0 2,0 3,0 4,0 0,0 1,1 2,2 3,3 4,4 0,1 1,1 2,1 3,1 4,1 3,0 4,1 0,2 1,3 2,4 π 0,2 1,2 2,2 3,2 4,2 1,0 2,1 3,2 4,3 0,4 0,3 1,3 2,3 3,3 4,3 4,0 0,1 1,2 2,3 3,4 0,4 1,4 2,4 3,4 4,4 2,0 3,1 4,2 0,3 1,4 A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ]

  9. Keccak Permutation L. Song, J. Guo, D. Shi ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions 8 / 30 Round function: ι ◦ χ ◦ π ◦ ρ ◦ θ χ step: 5-bit S-boxes, nonlinear operation on rows x 0 x 1 x 2 x 3 x 4 y 0 = x 0 + ( x 1 + 1) · x 2 , y 1 = x 1 + ( x 2 + 1) · x 3 , y 2 = x 2 + ( x 3 + 1) · x 4 , y 3 = x 3 + ( x 4 + 1) · x 0 , y 4 = x 4 + ( x 0 + 1) · x 1 . y 0 y 1 y 2 y 3 y 4

  10. Keccak Permutation L. Song, J. Guo, D. Shi ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions 9 / 30 Adding one round-dependent constant to the first ”lane”, to destroy the symmetry. Round function: ι ◦ χ ◦ π ◦ ρ ◦ θ ι step: adding a round constant to the state 0,0 1,0 2,0 3,0 4,0 0,1 1,1 2,1 3,1 4,1 0,2 1,2 2,2 3,2 4,2 0,3 1,3 2,3 3,3 4,3 0,4 1,4 2,4 3,4 4,4 A [0 , 0] = A [0 , 0] ⊕ RC [ i ]

  11. Keccak Permutation Round function ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi 10 / 30 Internal state A: a 5 × 5 array of 64-bit lanes θ step C [ x ] = A [ x , 0] ⊕ A [ x , 1] ⊕ A [ x , 2] ⊕ A [ x , 3] ⊕ A [ x , 4] D [ x ] = C [ x − 1] ⊕ ( C [ x + 1] ≪ 1) A [ x , y ] = A [ x , y ] ⊕ D [ x ] ρ step A [ x , y ] = A [ x , y ] ≪ r [ x , y ] - The constants r [ x , y ] are the rotation offsets. π step A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ] χ step A [ x , y ] = A [ x , y ] ⊕ (( A [ x + 1 , y ]) & A [ x + 2 , y ]) ι step A [0 , 0] = A [0 , 0] ⊕ RC [ i ] - RC [ i ] are the round constants. The only non-linear operation is χ step.

  12. Keccak - p Based Constructions KMAC Figure: KMAC processing one message block Two versions: KMAC128 and KMAC256 N and S are public strings. L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 11 / 30

  13. Keccak - p Based Constructions Kravatte stands for permutations and symbolizes rolling functions. 1 Version of 17-Jul-2017. L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 12 / 30 p b = p c = Keccak - p [ 1600 , 6 ], p d = p e = Keccak - p [ 1600 , 4 ] 1 .

  14. Keccak - p Based Constructions Keyak and Ketje (a) Keyak and (b) Ketje L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 13 / 30

  15. Outline 1 Keccak 2 Conditional Cube Attacks 3 New MILP Model for Searching Conditional Cubes 4 Main Results L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 14 / 30

  16. Cube Attacks [DS09] The the cube sum is exactly ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi 14 / 30 Given a Boolean polynomial f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) and a monomial t I = ∧ i r ∈ I v i r , I = ( i 1 , ..., i d ) , f can be written as f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) = t I · p S I + q ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) ◮ q contains terms that are not divisible by t I ◮ p S I is called the superpoly of I in f ◮ v i 1 , ..., v i d are called cube variables. d is the dimension. ∑ p S I = f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) ( v i 1 ,..., v id ) ∈ C I Cube attacks: p S I is a low-degree polynomial in key bits. Cube testers: distinguish p S I from a random function. E.g., p S I = 0 .

  17. Conditional Cube Testers of Keccak [HWX+17] Time complexity of the key recovery: ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi number of key bits involved in the conditions. t , where t is the 2 2 n t k used to recover the key. Ordinary cube variables: If the conditions involve the key, the conditional cube can be -round Keccak . The cube sum is zero for n n -dimensional cubes with 1 conditional cube variable Properties certain conditions. Conditional cube variables: 15 / 30 ◮ Do not multiply with any variable in the first round. ◮ Do not multiply with any variable in the first two rounds under

  18. Conditional Cube Testers of Keccak [HWX+17] Time complexity of the key recovery: ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi number of key bits involved in the conditions. t , where t is the 2 2 n t k used to recover the key. Ordinary cube variables: If the conditions involve the key, the conditional cube can be Properties certain conditions. Conditional cube variables: 15 / 30 ◮ Do not multiply with any variable in the first round. ◮ Do not multiply with any variable in the first two rounds under 2 n -dimensional cubes with 1 conditional cube variable ◮ The cube sum is zero for ( n + 1) -round Keccak .

  19. Conditional Cube Testers of Keccak [HWX+17] used to recover the key. ASK 2017 Conditional Cube Attacks on Keccak - p Based Constructions L. Song, J. Guo, D. Shi number of key bits involved in the conditions. k Time complexity of the key recovery: If the conditions involve the key, the conditional cube can be Ordinary cube variables: Properties certain conditions. Conditional cube variables: 15 / 30 ◮ Do not multiply with any variable in the first round. ◮ Do not multiply with any variable in the first two rounds under 2 n -dimensional cubes with 1 conditional cube variable ◮ The cube sum is zero for ( n + 1) -round Keccak . t · 2 2 n + t , where t is the

  20. Outline 1 Keccak 2 Conditional Cube Attacks 3 New MILP Model for Searching Conditional Cubes Requirements New MILP Model 4 Main Results L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 16 / 30

  21. Observation When there is no neighbouring variables in the input of an Sbox, then the application of does NOT increase algebraic degree. L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 16 / 30 How to keep the first χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 .

  22. Observation When there is no neighbouring variables in the input of an Sbox, then L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 16 / 30 How to keep the first χ linear The expression of b = χ ( a ) is of algebraic degree 2: b i = a i + a i +1 · a i +2 , for i = 0 , 1 , . . . , 4 . the application of χ does NOT increase algebraic degree.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41 Outlines 1

603 views • 59 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

569 views • 39 slides
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa

Estonian Theory Days, Koke, Estonia Designated Verifier Signatures: Attacks, New Definitions and Constructions Helger Lipmaa Helsinki University of Technology, Finland Guilin Wang and Feng Bao Institute of Infocomm Research, Singapore Koke,

732 views • 37 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4

2.17k views • 147 slides
Building Functions Thomas Duarte duarte_t@auhsd.us @Thomasduarte13 High School Teacher

Building Functions Thomas Duarte duarte_t@auhsd.us @Thomasduarte13 High School Teacher

Building Functions Thomas Duarte duarte_t@auhsd.us @Thomasduarte13 High School Teacher Anaheim, California NBCT, NCTM Classroom Resources Committee Goal: Engage in rich tasks and identify the strategies used to support students. WODB.ca

504 views • 14 slides
Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes

Polyhedral Volumes Visual Techniques T. V. Raman &amp; M. S. Krishnamoorthy Polyhedral Volumes p.1/43 Outline Identities of the golden ratio. Polyhedral Volumes p.2/43 Outline Identities of the golden ratio. Locating coordinates of

1.34k views • 59 slides
Service-Oriented Systems &amp; Self-Adaptive Software S-Cube Research Roadmap Workshop on Service-

Service-Oriented Systems &amp; Self-Adaptive Software S-Cube Research Roadmap Workshop on Service-

Service-Oriented Systems &amp; Self-Adaptive Software S-Cube Research Roadmap Workshop on Service- oriented Systems. 22.11.2011. Barcelona, Spain Holger Giese System Analysis &amp; Modeling Group, Hasso Plattner Institute for Software Systems

250 views • 6 slides
2.1 Explicit &amp; Implicit Surfaces Hao Li http://cs599.hao-li.com 1 Administrative

2.1 Explicit &amp; Implicit Surfaces Hao Li http://cs599.hao-li.com 1 Administrative

Spring 2015 CSCI 599: Digital Geometry Processing 2.1 Explicit &amp; Implicit Surfaces Hao Li http://cs599.hao-li.com 1 Administrative Exercise 1 discussion: Next Tuesday Hao Li (Instructor) Office Hour: Tue 2:00 PM - 4:00

848 views • 68 slides
Analysis report exam ination w ith Cube Bert W esarg Technische Universitt Dresden VIRTUAL

Analysis report exam ination w ith Cube Bert W esarg Technische Universitt Dresden VIRTUAL

VIRTUAL INSTITUTE HIGH PRODUCTIVITY SUPERCOMPUTING Analysis report exam ination w ith Cube Bert W esarg Technische Universitt Dresden VIRTUAL INSTITUTE HIGH PRODUCTIVITY SUPERCOMPUTING Cube Parallel program analysis report

251 views • 21 slides
CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye Bhm June 12, 2018 What weve seen so far 1 CBV/CBN reduction strategies 2 Simulating CBN in a CBV language Wrap each argument in an extra x .

321 views • 19 slides
Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule Joint work with Armin Biere, Oliver Kullmann, and Victor W. Marek Parallel Constraint Reasoning August 6, 2017 1/19 Satisfiability (SAT) Solving Has

463 views • 31 slides
Week 10 -Wednesday What did we talk about last time? Fresnel reflection Snell's Law

Week 10 -Wednesday What did we talk about last time? Fresnel reflection Snell's Law

Week 10 -Wednesday What did we talk about last time? Fresnel reflection Snell's Law Microgeometry effects Implementing BRDFs Ambient lighting Image based rendering A more complicated tool for area lighting is

582 views • 31 slides

More recommend