cryptanalysis results on the nist candidate gimli wip
play

Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio - PowerPoint PPT Presentation

Jun 18, 2023 •439 likes •529 views

Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio Flrez Gutirrez, Gatan Leurent, Mara Naya-Plasencia, Lo Perrin, Andr Schrottenloher, Ferdinand Sibleyras Inria, France Context Gimli is a permutation proposed by

  1. Cryptanalysis Results on the NIST Candidate Gimli (WIP) Antonio Flórez Gutiérrez, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, André Schrottenloher, Ferdinand Sibleyras Inria, France

  2. Context Gimli is a permutation proposed by Bernstein et al. (CHES 2017) and a candidate in the second round of the NIST lightweight crypto competition We study the permutation and Gimli-Hash The permutation operates on a 384-bit state: 4 “columns” of 96 = 3 × 32 bits each column has three 32-bit “words” x , y , z It applies 24 rounds (24 to 1) of: SP-Box on each column (Every 2 rounds) “big” or “small” swap: swaps the x words between pairs of columns (Every 4 rounds) Constant addition Antonio, Gaëtan, María, Léo, André, Ferdinand 2/7

  3. Illustration Antonio, Gaëtan, María, Léo, André, Ferdinand 3/7

  4. Illustration (ctd.) 24 24 24 24 SP SP SP SP rc 24 ⊕ 23 23 23 23 SP SP SP SP 22 22 22 22 SP SP SP SP 21 21 21 21 SP SP SP SP 20 20 20 20 SP SP SP SP rc 20 ⊕ 19 19 19 19 SP SP SP SP 18 18 18 18 SP SP SP SP Antonio, Gaëtan, María, Léo, André, Ferdinand 4/7

  5. Distinguishers on the full permutation Limited-birthday distinguishers We create a state s such that s and Gimli ( s ) both have 2 identical columns. We can distinguish: full Gimli (rounds 24 to 1) in time 2 64 and constant memory 28 /24 rounds (27 to 0) with the same attack 23 /24 rounds (23 to 1) in practical time Idea: start from the middle and complete the middle state column by column (each swap brings a new condition to satisfy in order to retain the symmetry). 7f9fcf70 6aedf7e6 7f9fcf70 cb2f0e6a Input: 0ba2f1f9 f339b619 0ba2f1f9 f70cf15c b2ee8259 df0b4801 b2ee8259 3856106d a8ef848d 8c17b743 9615b3bc 8c17b743 Output: 541122c5 30530879 8d9d5d30 30530879 74b6dbe6 18885a6e 744b55c1 18885a6e Antonio, Gaëtan, María, Léo, André, Ferdinand 5/7

  6. Collisions on reduced-round Gimli -Hash Gimli-hash is a sponge where the 128-bit rate contains the x word of each column. Using the slow diffusion and the SP-Box, we found full-state collisions: up to 12 rounds up to 14 rounds quantumly practically up to 8 rounds (21 to 14): First message block dc84bf38 00000000 00000000 00000000 dc84bf38 00000000 00000000 00000000 Second message block bbdb41f3 4333192c bc17e444 8a9d06c7 1b1da6e4 4333192c bc17e444 8a9d06c7 Third message block 00000000 00000000 00000000 00000000 00000000 00000000 afad801e 00000000 Antonio, Gaëtan, María, Léo, André, Ferdinand 6/7

  7. Ongoing work investigate linear trails in the permutation performing differential-linear cryptanalysis (Even-Mansour Gimli cipher): 16 rounds with complexity 2 137 . 4 17 rounds with complexity 2 156 . 8 dominate the NIST lightweight competition Thanks you for your attention! Antonio, Gaëtan, María, Léo, André, Ferdinand 7/7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gimli: Server Process Monitoring & Fault Analysis Agenda What problem does Gimli solve?

Gimli: Server Process Monitoring & Fault Analysis Agenda What problem does Gimli solve?

Gimli: Server Process Monitoring & Fault Analysis Agenda What problem does Gimli solve? How does it work? How can I leverage Gimli? Where can I get Gimli? How can I contribute to Gimli? 2 The Setting

484 views • 29 slides
Cryptanalysis of FlexAEAD Mostafizar Rahman 1 , Dhiman Saha 2 , Goutam Paul 1 1 Indian Statistical

Cryptanalysis of FlexAEAD Mostafizar Rahman 1 , Dhiman Saha 2 , Goutam Paul 1 1 Indian Statistical

Cryptanalysis of FlexAEAD Mostafizar Rahman 1 , Dhiman Saha 2 , Goutam Paul 1 1 Indian Statistical Institute, Kolkata 2 Indian Institute of Technology, Bhilai Africacrypt 2020 Introduction FlexAEAD is round 1 candidate of NIST LWC The

766 views • 28 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1:

Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1:

Cryptanalysis of LEDAcrypt Daniel Apon 1 , Ray Perlner 1 , Angela Robinson 1 , Paolo Santini 2 1: NIST 2: Universit Politecnica delle Marche, Florida Atlantic University Significance We present an attack on the QC-LDPC-McEliece construction

735 views • 25 slides
Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese Gini University of Luxembourg June 27, 2019 NutMiC 1 / 20 Timeline 2016 NIST calling for quantum-resistant cryptographic algorithms for new

341 views • 31 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K olbl, Stefan Lucks, Pedro

Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K olbl, Stefan Lucks, Pedro

Gimli: A Cross-Platform Permutation Daniel J. Bernstein, Stefan K olbl, Stefan Lucks, Pedro Maat Costa Massolino, Florian Mendel, Kashif Nawaz, Tobias Schneider, Peter Schwabe, Fran cois-Xavier Standaert, Yosuke Todo, Beno t Viguier

1.28k views • 44 slides
NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST had awarded larger ESPC ($45M) with 4 ECMs the previous year (June 2015) Non-selected ECM was fixed-tilt, ground-mounted solar array on federal

559 views • 17 slides
Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 Guoyan Zhang 1 , 2 , 3

Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 Guoyan Zhang 1 , 2 , 3

The JAMBU Candidate Performance and Security Claims Nonce-misuse Attack on JAMBU Conclusion Cryptanalysis of JAMBU Thomas Peyrin 1 Siang Meng Sim 1 Lei Wang 1 Guoyan Zhang 1 , 2 , 3 1.Nanyang Technological University, Singapore 2.School of

1.01k views • 35 slides
CARLA HST Results OR THE HST GRISM CONFIRMATION RESULTS OF THE 20 DENSEST CARLA CANDIDATE

CARLA HST Results OR THE HST GRISM CONFIRMATION RESULTS OF THE 20 DENSEST CARLA CANDIDATE

CARLA HST Results OR THE HST GRISM CONFIRMATION RESULTS OF THE 20 DENSEST CARLA CANDIDATE CLUSTERS AT 1.4<z<2.8 Gal Noirot +the CARLA Collaboration Daniel Stern, Jol Vernet, Carlos De Breuck, Simona Mei, Audrey Galametz, Dominika

311 views • 18 slides
The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers

The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers

The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers perceive an organizations recruitment process This includes everything from initial sourcing, recruiting, interviewing, hiring, and even

537 views • 31 slides
Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing Applying empirical results to reduce the cost of testing. Example: 2.5 year study ~ 20% lower test development cost and 20% - 50% better

479 views • 13 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
BROWN TO GREEN Hash tag for webinar: #B2Greport Follow us: @ClimateT_G20 The G20 transition to a

BROWN TO GREEN Hash tag for webinar: #B2Greport Follow us: @ClimateT_G20 The G20 transition to a

Brown to Green Report | 2017 BROWN TO GREEN Hash tag for webinar: #B2Greport Follow us: @ClimateT_G20 The G20 transition to a low carbon economy Monday 3 July 2017, 10 11 am CEST Brown to Green Report | 2017 BROWN TO GREEN Hash tag for

323 views • 28 slides
THE LEGAL ASPECTS OF USING CRYPTOGRAPHIC HASH VALUES, IN DIGITAL FORENSICS IN LIGHT OF RECENT

THE LEGAL ASPECTS OF USING CRYPTOGRAPHIC HASH VALUES, IN DIGITAL FORENSICS IN LIGHT OF RECENT

THE LEGAL ASPECTS OF USING CRYPTOGRAPHIC HASH VALUES, IN DIGITAL FORENSICS IN LIGHT OF RECENT VULNERIBILITES AND COLLISSIONS WITHIN THESE HASH VALUES. VERONICA SCHMITT (ACE, AMCSS) SPECIAL INVESTIGATING UNIT ABSTRACT MD5 and SHA-1

233 views • 22 slides
Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar Erlingsson The nature of the problem IPv4 has 2 32 possible addresses, IPv6 has 2 128 . IPv4 sets can be realized as bit arrays. (0.5GB) IPv4

585 views • 20 slides
REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF

REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF

REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF MULTIPLE COMPUTERS DENNIS CORTJENS UVA | SNE | RP2 NFI AGENDA Introduction Results / Conclusion Research Future research

625 views • 20 slides
Whats new in SAS 9.4 (and whats not but neat) 16 May 2017 So what is new in 9.4? Actually

Whats new in SAS 9.4 (and whats not but neat) 16 May 2017 So what is new in 9.4? Actually

Whats new in SAS 9.4 (and whats not but neat) 16 May 2017 So what is new in 9.4? Actually not very much for the SAS user. There have been major changes in the platform (web and security mainly with some I/O optimisation) which are of no

529 views • 30 slides
Public Meeting US 81/US 287 Frontage Roads Project: Rhome to Avondale From north of Pioneer Road

Public Meeting US 81/US 287 Frontage Roads Project: Rhome to Avondale From north of Pioneer Road

Texas Department of Transportation 11/07/2019 Fort Worth District Public Meeting US 81/US 287 Frontage Roads Project: Rhome to Avondale From north of Pioneer Road to south of Avondale Haslet Road Wise and Tarrant Counties, Texas CSJs:

350 views • 9 slides
FM 156 (H ASLET C OUNTY L INE R OAD ) FROM I NTERMODAL P ARKWAY TO US 81 / US 287 Public Meeting

FM 156 (H ASLET C OUNTY L INE R OAD ) FROM I NTERMODAL P ARKWAY TO US 81 / US 287 Public Meeting

FM 156 (H ASLET C OUNTY L INE R OAD ) FROM I NTERMODAL P ARKWAY TO US 81 / US 287 Public Meeting December 13, 2018 December 13, 2018 FM 156 Public Meeting Project Overview FM FM 156 (Hasl 56 (Haslet Count t County Line Line Road) Pr

328 views • 21 slides
Quarterly Northwest Report Independent School 2Q16 District Learn from Yesterday

Quarterly Northwest Report Independent School 2Q16 District Learn from Yesterday

Quarterly Northwest Report Independent School 2Q16 District Learn from Yesterday Understand Today Plan for Tomorrow Economic Conditions DFW Area (June 2016) 3.2% 29,562 108,700 new jobs Unemployment 5,565 more National rate

316 views • 28 slides

More recommend