differential propagation analysis of keccak
play

Differential propagation analysis of Keccak Joan Daemen and Gilles - PowerPoint PPT Presentation

Apr 27, 2023 •49 likes •409 views

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

  1. Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28

  2. Differential propagation analysis of Keccak Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 2 / 28

  3. Differential propagation analysis of Keccak Introduction Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 3 / 28

  4. Differential propagation analysis of Keccak Introduction Differential trails and iterated mappings Differential trails in iterated mappings Trail: sequence of differences 4 / 28 DP ( Q ) : fraction of pairs that exhibit q i differences

  5. Differential propagation analysis of Keccak Introduction Differential trails and iterated mappings Differential trails and weight 5 / 28 w = − log 2 ( DP ) If independent rounds and w ( Q ) < b : # pairs ( Q ) ≈ 2 b − w ( Q )

  6. Differential propagation analysis of Keccak Introduction …but proving strong lower bounds also cryptanalysis seems hard Keccak : weak alignment revert to pre-DC/LC folklore such as avalanche effect no strong trail weight bounds ARX still, truncated trails, rebound attack, … easy demonstration of strong trail weight bounds Rijndael-inspired: strong alignment Different design approaches Design approaches 6 / 28 estimating # pairs ( Q ) from Q : easy estimating # pairs ( Q ) from Q : hard # pairs ( Q ) from Q : easy

  7. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer state y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  8. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer slice y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  9. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer row y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  10. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer column y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  11. Differential propagation analysis of Keccak tight MD6 [Rivest et al., SHA-3 2008][Heilman, Ecrypt Hash 2011] Noekeon [Nessie, 2000] Inspired by similar efforts for this work 1600 non-tight 206 per 18 rounds 200 non-tight 146 per 16 rounds 100 54 per 6 rounds Introduction 50 tight 30 per 5 rounds 25 bound b Bounds for small versions of Keccak - f …and not on presumed hardness of finding them Security of Keccak relies on absence of exploitable trails This work Goal of this work 8 / 28

  12. Differential propagation analysis of Keccak Trails in Keccak - f Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 9 / 28

  13. Differential propagation analysis of Keccak Trails in Keccak - f Conventions and concepts Trails in Keccak - f 10 / 28 Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ a i fully determines b i = λ ( a i ) χ has degree 2: w ( b i − 1 ) independent of a i

  14. Differential propagation analysis of Keccak Trails in Keccak - f Conventions and concepts Trails in Keccak - f For Keccak - f : 10 / 28 w ( Q ) : # conditions on intermediate state bits b : # degree of freedom

  15. Differential propagation analysis of Keccak Trails in Keccak - f Trail generation techniques Trail generation techniques Given a trail, we can extend it: Tree search: extension can be done recursively pruning as soon as weight exceeds some limit 11 / 28 forward: iterate a r + 1 over A ( b r ) backward: iterate b − 1 over all differences χ − 1 -compatible with a 0 = λ − 1 ( b 0 )

  16. Differential propagation analysis of Keccak Generating all trails up to some weight Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 12 / 28

  17. Differential propagation analysis of Keccak Generating all trails up to some weight First order approach First-order approach Fact Generating trails up to weight T , first order approach extend backward down to b 0 prune as soon as weight exceeds T 13 / 28 An r -round trail Q with w ( Q ) ≤ T has at least one b i with weight ≤ T / r Generate V 1 = { b | w ( b ) ≤ t avg } with t avg = T / r ∀ 0 ≤ i < r , iterate b i over V 1 extend forward up to b r − 1

  18. Differential propagation analysis of Keccak Generating all trails up to some weight First order approach Limits of first-order approach 14 / 28 V 1 grows quickly with t avg and Keccak - f width:

  19. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Definitions: minimum reverse weight and trail cores Minimum reverse weight : min Can be used to lower bound of set of trails 15 / 28 w rev ( a ) � b : a ∈A ( b ) w ( b ) Trail core : set of trails with b 1 , b 2 , . . . in common

  20. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Definitions: minimum reverse weight and trail cores Minimum reverse weight : min Can be used to lower bound of set of trails 15 / 28 w rev ( a ) � b : a ∈A ( b ) w ( b ) Trail core : set of trails with b 1 , b 2 , . . . in common

  21. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Second-order approach Observation high weight and vice versa Generating trails up to weight T , second order approach extend backward down to b 0 prune as soon as weight exceeds T 16 / 28 For most low-weight a , b = λ ( a ) has Generate V 2 = { b | b = λ ( a ) and w rev ( a ) + w ( b ) ≤ 2 t avg } ∀ 0 ≤ i < r , iterate b i over V 2 extend forward up to b r − 1 But how does the size of V 2 behave with t avg ?

  22. Differential propagation analysis of Keccak Generating all trails up to some weight Add to each cell the parities of two nearby columns 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine Compute parity c x , z of each column

  23. Differential propagation analysis of Keccak Generating all trails up to some weight Single-bit parity flips already 10 bits 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine Other linear mapping ρ and π just move bits around

  24. Differential propagation analysis of Keccak Generating all trails up to some weight Effect collapses if parity is zero The kernel 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine

  25. Differential propagation analysis of Keccak Generating all trails up to some weight Limits of the second-order approach Limits of second-order approach 18 / 28 V 2 still grows quickly with t avg and Keccak - f width Reason: V 2 contains states in kernel

  26. Differential propagation analysis of Keccak Generating all trails up to some weight Third-order approach Third-order approach: dealing with the kernel 19 / 28 V 3 : trail cores ( b , d ) with w rev ( a ) + w ( b ) + w ( d ) ≤ 3 t avg a = λ − 1 ( b ) is in the kernel c = λ − 1 ( d ) is in the kernel Elements of V 3 can then be extended as usual

  27. Differential propagation analysis of Keccak Generating all trails up to some weight Third-order approach Third-order approach: dealing with the kernel 19 / 28 V 3 : trail cores ( b , d ) with w rev ( a ) + w ( b ) + w ( d ) ≤ 3 t avg a = λ − 1 ( b ) is in the kernel c = λ − 1 ( d ) is in the kernel Elements of V 3 can then be extended as usual

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1 Overview Introduction Keccak Differential Cryptanalysis Semantics of Trees and Iterators Proven Iterator Conclusion 2 Introduction Hashing vs

977 views • 56 slides
Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on

Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on

Canberra, 13-17 July 2009 Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on Harmonic Analysis and Spectral Theory 1 Consider a differential operator in divergence form, on R d , d 3, P = div (

322 views • 13 slides
Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan

Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan

Seminar Static Program Analysis Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan Constant Propagation and Interval Analysis 1 / 70 Outline Motivation 1 Constant Propagation 2 Interval Analysis 3

952 views • 70 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting Propagation Types of Propagation Sexual Propagation: Asexual Propagation: Seed Division &amp; Separation Cuttings Grafting &amp; Budding

623 views • 60 slides
Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver

Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver

Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver Schwahn, Karthik Pattabiraman , Neeraj Suri Fault Injection Evaluate the robustness of software 2 Motivation: Error Propagation Analysis (EPA) Compare

286 views • 16 slides
Global Optimization Lecture Outline Global flow analysis Global constant propagation

Global Optimization Lecture Outline Global flow analysis Global constant propagation

Global Optimization Lecture Outline Global flow analysis Global constant propagation Liveness analysis 2 Compiler Design I (2011) Local Optimization Recall the simple basic-block optimizations Constant propagation

1.11k views • 54 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017 Nvidia GTC S7254 Transcriptomic Data Personome.com Biological Pathways Nature.org Differential expression analysis Class labels C1 C2

414 views • 30 slides
THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

PROPAGATION THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What causes it? How does it effect HF Communications How do we understand the charts Were do we find the propagation information What is it?

978 views • 28 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
A Simply Typed -Calculus of Forward Automatic Differentiation Oleksandr Manzyuk National

A Simply Typed -Calculus of Forward Automatic Differentiation Oleksandr Manzyuk National

A Simply Typed -Calculus of Forward Automatic Differentiation Oleksandr Manzyuk National University of Ireland Maynooth manzyuk@gmail.com A Simply Typed -Calculus of Forward Automatic Differentiation Oleksandr Manzyuk National

720 views • 42 slides
Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Overview Cartesian differential categories Examples of Non-linear CDCS Differential forms Cohomology Non-linear tangent categories Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan Bradet-Legris

409 views • 30 slides
Chemistry 4010 Lecture 7: Invariant manifolds of differential equations Marc R. Roussel October

Chemistry 4010 Lecture 7: Invariant manifolds of differential equations Marc R. Roussel October

Chemistry 4010 Lecture 7: Invariant manifolds of differential equations Marc R. Roussel October 3, 2019 Marc R. Roussel Invariant manifolds October 3, 2019 1 / 16 Interpreting the linearization Recall the linearization of a set of

708 views • 16 slides
On Sequential Monte Carlo Sampling of Discretely Observed Stochastic Differential Equations Simo

On Sequential Monte Carlo Sampling of Discretely Observed Stochastic Differential Equations Simo

Problem Formulation Continuous-Discrete SIR Example Problem Conclusion On Sequential Monte Carlo Sampling of Discretely Observed Stochastic Differential Equations Simo Srkk &lt;simo.sarkka@hut.fi&gt; Laboratory of Computational

933 views • 43 slides
Importing and Exporting of of Cargo Th The Rol ole of of th the Mar aritime an and Por

Importing and Exporting of of Cargo Th The Rol ole of of th the Mar aritime an and Por

Importing and Exporting of of Cargo Th The Rol ole of of th the Mar aritime an and Por ort Auth thority of of Brunei Dar arussalam (M (MPABD) MSME Fes estival Brid idex Jer Jerudong 31 31 Ma Mac 20 2019 19 Pih ihak

367 views • 16 slides
Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips &amp; tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
OVN Project Update Russell Bryant (@russellbryant) Kyle Mestery (@mestery) Justin Pettit

OVN Project Update Russell Bryant (@russellbryant) Kyle Mestery (@mestery) Justin Pettit

OVN Project Update Russell Bryant (@russellbryant) Kyle Mestery (@mestery) Justin Pettit (@Justin_D_Pettit) Ben Pfaff (@Ben_Pfaff) The Case for Network Virtualization Network provisioning needs to be self-service. Virtual network

385 views • 26 slides
Wireless world in NS Padma Haldar USC/ ISI 1 Outline Introduction Wireless basics

Wireless world in NS Padma Haldar USC/ ISI 1 Outline Introduction Wireless basics

Wireless world in NS Padma Haldar USC/ ISI 1 Outline Introduction Wireless basics Wireless internals Ad hoc routing Mobile IP Satellite networking Directed diffusion 2 Contributions to mobility in ns Original

554 views • 38 slides

More recommend