  1. Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES
Lorenzo Grassi, IAIK, TU Graz (Austria), March 2019

  2. www.iaik.tugraz.at
Motivation
At Eurocrypt 2017, the first secret-key distinguisher for 5-round AES, based on the multiple-of-8 property, was presented. However, it seems rather hard to turn such a distinguisher into a key-recovery attack that does better than brute-force-like key guessing: can this new observation lead to attacks on AES which are competitive w.r.t. previously known results? 1 / 25

  3. Table of Contents
1 AES Design and the “Multiple-of-8” Property
2 Mixture Differential Cryptanalysis
3 New Key-Recovery Attacks for AES
4 Concluding Remarks

  4. Part I: AES Design and the “Multiple-of-8” Property

  5. AES
High-level description of AES [DR02]: block cipher based on a design principle known as substitution-permutation network; block size of 128 bits = 16 bytes, organized in a 4 × 4 matrix; key size of 128/192/256 bits & 10/12/14 rounds.
[Figure: the AES round structure. Source code of the figure by Jérémy Jean, copied from https://www.iacr.org/authors/tikz/]

  6. “Multiple-of-8” property for 5-round AES [GRR17b]
Assume 5-round AES without the final MixColumns operation. Consider a set of 2^32 chosen plaintexts with one active diagonal (A = active byte, C = constant byte):
  A C C C
  C A C C
  C C A C
  C C C A
The number of different pairs of ciphertexts which are equal in one (fixed) anti-diagonal (0 = equal byte, ? = any value),
  0 ? ? ?
  ? ? ? 0
  ? ? 0 ?
  ? 0 ? ?
is a multiple of 8 with probability 1, independent of the secret key, of the details of the S-Box and of the MixColumns matrix.

  7. Multiple-of-8 Property – Formal Theorem
Consider 2^(32·|I|) plaintexts with |I| active diagonals (namely, in an affine space D_I ⊕ a) and the corresponding ciphertexts after 5 rounds, i.e. (p^i, c^i ≡ R^5(p^i)) for i = 0, ..., 2^(32·|I|) − 1, where p^i ∈ D_I ⊕ a.
Theorem (Eurocrypt 2017). For a fixed J ⊆ {0, 1, 2, 3}, let n be the number of different pairs of ciphertexts (c^i, c^j) for i ≠ j such that c^i ⊕ c^j are equal in 4 − |J| anti-diagonals (namely, c^i ⊕ c^j ∈ M_J):
  n := |{ ((p^i, c^i), (p^j, c^j)) | p^i, p^j ∈ D_I ⊕ a, p^i < p^j and c^i ⊕ c^j ∈ M_J }|.
The number n is a multiple of 8, independent of the secret key, of the details of the S-Box and of the MixColumns matrix.

  8. What about a Key-Recovery Attack?
What happens if we extend the previous distinguisher into a key-recovery attack? E.g.
  D_I ⊕ a  --R^5(·), prob. 1-->  multiple-of-8  <--R^{-1}(·), key-guessing--  ciphertexts
Problem: we need to guess the entire final round-key in order to check the property “the number of pairs of ciphertexts (c^i, c^j) with i < j such that MC^{-1} × (R^{-1}(c^i) ⊕ R^{-1}(c^j)) is zero on a fixed anti-diagonal,
  0 ? ? ?
  ? ? ? 0
  ? ? 0 ?
  ? 0 ? ?
is a multiple of 8”. (Each byte of MC^{-1} × (·) depends on a whole column, and the anti-diagonal touches all four columns, so all 16 bytes of the last round key enter the check.)


  10. Part II: Mixture Differential Cryptanalysis

  11. From Multiple-of-8 to Mixture Diff. Cryptanalysis
Why does the “multiple-of-8” property hold? Given a pair of plaintexts (p^1, p^2) s.t. R^5(p^1) ⊕ R^5(p^2) ∈ M, other pairs of texts (q^1, q^2) have the same property (R^5(q^1) ⊕ R^5(q^2) ∈ M), where the pairs (p^1, p^2) and (q^1, q^2) are not independent.
Instead of limiting ourselves to counting the number of collisions and checking that it is a multiple of 8, the idea is to check the relationships between the variables that generate the pairs of plaintexts (p^1, p^2) and (q^1, q^2).
Mixture Differential Cryptanalysis: a way to translate the “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though on a smaller number of rounds).


  13. Mixture Diff. Cryptanalysis – 1st Case (1/2)
Consider p^1, p^2 ∈ C_0 ⊕ a (only the first column is active):
  p^1 = a ⊕
    x_1 0 0 0
    y_1 0 0 0
    z_1 0 0 0
    w_1 0 0 0
  p^2 = a ⊕
    x_2 0 0 0
    y_2 0 0 0
    z_2 0 0 0
    w_2 0 0 0
where x_1 ≠ x_2, y_1 ≠ y_2, z_1 ≠ z_2 and w_1 ≠ w_2. For the following:
  p^1 ≡ (x_1, y_1, z_1, w_1)  and  p^2 ≡ (x_2, y_2, z_2, w_2).

  14. Mixture Diff. Cryptanalysis – 1st Case (2/2)
Given p^1, p^2 ∈ C_0 ⊕ a as before, p^1 ≡ (x_1, y_1, z_1, w_1) and p^2 ≡ (x_2, y_2, z_2, w_2), it follows that
  R^4(p^1) ⊕ R^4(p^2) ∈ M_J   if and only if   R^4(p̂^1) ⊕ R^4(p̂^2) ∈ M_J,
where (p̂^1, p̂^2) is any of the following pairs:
  p̂^1 ≡ (x_2, y_1, z_1, w_1), p̂^2 ≡ (x_1, y_2, z_2, w_2);
  p̂^1 ≡ (x_1, y_2, z_1, w_1), p̂^2 ≡ (x_2, y_1, z_2, w_2);
  p̂^1 ≡ (x_1, y_1, z_2, w_1), p̂^2 ≡ (x_2, y_2, z_1, w_2);
  p̂^1 ≡ (x_1, y_1, z_1, w_2), p̂^2 ≡ (x_2, y_2, z_2, w_1);
  p̂^1 ≡ (x_1, y_1, z_2, w_2), p̂^2 ≡ (x_2, y_2, z_1, w_1);
  p̂^1 ≡ (x_1, y_2, z_1, w_2), p̂^2 ≡ (x_2, y_1, z_2, w_1);
  p̂^1 ≡ (x_1, y_2, z_2, w_1), p̂^2 ≡ (x_2, y_1, z_1, w_2).

  15. Mixture Diff. Cryptanalysis – 2nd Case
Given p^1, p^2 ∈ C_0 ⊕ a as before, but now sharing the fourth byte, p^1 ≡ (x_1, y_1, z_1, w) and p^2 ≡ (x_2, y_2, z_2, w), it follows that
  R^4(p^1) ⊕ R^4(p^2) ∈ M_J   if and only if   R^4(p̂^1) ⊕ R^4(p̂^2) ∈ M_J,
where (p̂^1, p̂^2) is any of the following pairs:
  p̂^1 ≡ (x_1, y_1, z_1, Ω), p̂^2 ≡ (x_2, y_2, z_2, Ω);
  p̂^1 ≡ (x_2, y_1, z_1, Ω), p̂^2 ≡ (x_1, y_2, z_2, Ω);
  p̂^1 ≡ (x_1, y_2, z_1, Ω), p̂^2 ≡ (x_2, y_1, z_2, Ω);
  p̂^1 ≡ (x_1, y_1, z_2, Ω), p̂^2 ≡ (x_2, y_2, z_1, Ω);
and Ω can take any value in F_{2^8}.

  16. Mixture Diff. Cryptanalysis – 3rd Case
Given p^1, p^2 ∈ C_0 ⊕ a as before, now sharing the third and fourth bytes, p^1 ≡ (x_1, y_1, z, w) and p^2 ≡ (x_2, y_2, z, w), it follows that
  R^4(p^1) ⊕ R^4(p^2) ∈ M_J   if and only if   R^4(p̂^1) ⊕ R^4(p̂^2) ∈ M_J,
where (p̂^1, p̂^2) is any of the following pairs:
  p̂^1 ≡ (x_1, y_1, Z, Ω), p̂^2 ≡ (x_2, y_2, Z, Ω);
  p̂^1 ≡ (x_2, y_1, Z, Ω), p̂^2 ≡ (x_1, y_2, Z, Ω);
and Z and Ω can take any value in F_{2^8}.

  17. Reduction to 2 Rounds AES
Since
  Prob( R^2(x) ⊕ R^2(y) ∈ M_J | x ⊕ y ∈ D_J ) = 1,
we can focus only on the two initial rounds:
  C_I ⊕ b  --R^2(·)-->  D_J ⊕ a′  --R^2(·), prob. 1-->  M_J ⊕ b′
Consider p^1, p^2 ∈ C_I ⊕ a. We are going to prove that
  R^2(p^1) ⊕ R^2(p^2) ∈ D_J   if and only if   R^2(p̂^1) ⊕ R^2(p̂^2) ∈ D_J,
where p̂^1, p̂^2 ∈ C_I ⊕ a are defined as before.


  19. Idea of the Proof
Given p^1, p^2 and p̂^1, p̂^2 in C_0 ⊕ a as before, if
  R^2(p^1) ⊕ R^2(p^2) = R^2(p̂^1) ⊕ R^2(p̂^2),
then the previous result
  R^2(p^1) ⊕ R^2(p^2) ∈ D_J   iff   R^2(p̂^1) ⊕ R^2(p̂^2) ∈ D_J
follows immediately!

  20. Super-Box Notation (1/2)
Let super-SB(·) be defined as
  super-SB(·) = S-Box ∘ ARK ∘ MC ∘ S-Box(·).
2-round AES can be rewritten as
  R^2(·) = ARK ∘ MC ∘ SR ∘ super-SB ∘ SR(·).
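Added worked example (editor's code, not from the slides or from IAIK): the 2-round equality of slide 19 can be checked directly, and the super-SB form of slide 20 explains why it holds. The first SR sends the four active bytes x, y, z, w of a text in C_0 ⊕ a into four different columns, so each column of super-SB depends on exactly one of them (write F_x for the column that receives x, and so on; this notation is ours). The remaining SR, MC and ARK are affine, hence R^2(p^1) ⊕ R^2(p^2) is a fixed linear map of the column-wise XORs F_x(x_1) ⊕ F_x(x_2), F_y(y_1) ⊕ F_y(y_2), F_z(z_1) ⊕ F_z(z_2), F_w(w_1) ⊕ F_w(w_2). A mixture only changes which of the two texts receives x_1 and which x_2 (likewise for y, z, w), which leaves every XOR unchanged; a byte shared by both texts contributes F(v) ⊕ F(v) = 0 whatever v is, which is exactly why Ω and Z are free in the 2nd and 3rd case (slides 15 and 16). The script implements AES-128 from the FIPS-197 components so that it runs offline (column-major state, s[r + 4c] is row r, column c; the whitening key is included, which only translates the constant a), generates the seven mixtures of slide 14 and verifies that all of them yield the same 2-round difference. It also shows the caveat a practitioner should keep in mind: the exact equality does not survive a third round, because the next S-Box layer sees different values in the two pairs; only the subspace statements (∈ D_J after 2 rounds, ∈ M_J after 4) carry over. The key, the constant a and the byte values are constructed for the example.

```python
# Added example (editor's code, not from Grassi's slides or IAIK): a compact AES-128
# built from the FIPS-197 components so the check runs offline.  State layout is
# column-major as in FIPS-197: s[r + 4*c] is the byte in row r, column c.
import os

def gmul(a, b):
    # GF(2^8) multiplication modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _make_sbox():
    # S-box = FIPS-197 affine map applied to the multiplicative inverse x^254 (0 -> 0)
    sbox = []
    for x in range(256):
        inv, p = 1, x
        for _ in range(7):            # x^254 = x^2 * x^4 * ... * x^128
            p = gmul(p, p)
            inv = gmul(inv, p)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # row r rotated left by r: s'[r, c] = s[r, (c + r) mod 4]
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        for v in ((a0, a1, a2, a3), (a1, a2, a3, a0), (a2, a3, a0, a1), (a3, a0, a1, a2)):
            out.append(gmul(2, v[0]) ^ gmul(3, v[1]) ^ v[2] ^ v[3])
    return out

def add_round_key(s, k):
    return [u ^ v for u, v in zip(s, k)]

def expand_key(key):
    # AES-128 key schedule: round keys K0..K10 as 16-byte lists
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # SubWord(RotWord(t)) xor Rcon
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], gmul(2, rcon)
        w.append(add_round_key(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_rounds(p, rk, n):
    # whitening with K0, then n full rounds R = ARK o MC o SR o SB; the whitening
    # only translates the constant a, so it does not affect the mixture property
    s = add_round_key(p, rk[0])
    for i in range(1, n + 1):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    return s

def aes128_encrypt(p, key):
    # full AES-128 (last round without MC); only a sanity check of the components
    rk = expand_key(key)
    return add_round_key(shift_rows(sub_bytes(aes_rounds(p, rk, 9))), rk[10])

def plaintext(a, t):
    # p = a xor (x, y, z, w) placed in column 0 (bytes 0..3), i.e. p in C_0 xor a
    return [v ^ (t[i] if i < 4 else 0) for i, v in enumerate(a)]

def mixtures(t1, t2):
    # the 7 mixture pairs of slide 14: swap a non-empty subset of {y, z, w} between
    # the texts (swapping x alone is the {y, z, w} swap with the pair reversed)
    return [(tuple(t2[i] if m >> i & 1 else t1[i] for i in range(4)),
             tuple(t1[i] if m >> i & 1 else t2[i] for i in range(4)))
            for m in range(2, 16, 2)]

def round_difference(rk, a, t1, t2, n):
    # R^n(p1) xor R^n(p2) for p1 = t1 and p2 = t2 in C_0 xor a
    return add_round_key(aes_rounds(plaintext(a, t1), rk, n),
                         aes_rounds(plaintext(a, t2), rk, n))

def mixtures_keep_difference(key, a, t1, t2, n=2):
    # slide 19's equality over all 7 mixtures: True for n = 2 for every key and a;
    # for n >= 3 the next S-box layer sees different values and the equality is lost
    rk = expand_key(key)
    d = round_difference(rk, a, t1, t2, n)
    return all(round_difference(rk, a, q1, q2, n) == d for q1, q2 in mixtures(t1, t2))

if __name__ == "__main__":
    key, a = os.urandom(16), os.urandom(16)  # constructed: random key and constant a
    t1, t2 = (0x01, 0x02, 0x03, 0x04), (0x10, 0x20, 0x30, 0x40)
    print("2 rounds:", mixtures_keep_difference(key, a, t1, t2, 2),
          " 3 rounds:", mixtures_keep_difference(key, a, t1, t2, 3))
```

Run as a script it reports True for two rounds and False for three, for any key. The original pair (p^1, p^2) together with its seven mixtures is the group of 8 pairs that either all satisfy or all fail the subspace test, which is where the factor 8 of slide 6 comes from; the 2nd and 3rd case follow from the same code by calling round_difference with a shared byte replaced by any value in both texts.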
