new milp modeling improved conditional cube attacks on
play

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based - PowerPoint PPT Presentation

Dec 29, 2022 •476 likes •930 views

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

  1. New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

  2. Outline 1 Introduction 2 Conditional Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 2 / 25

  3. Introduction Outline 1 Introduction Keyed Keccak Constructions Our Contributions 2 Conditional Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 3 / 25

  4. Introduction Keyed Keccak Constructions Keccak Permutation-based hash function Designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche Selected as SHA-3 standard Keccak under keyed modes: KMAC , Keccak -MAC Its relatives Authenticated encrytion: Keyak , Ketje Pseudorandom function: Kravatte Permutation: Xoodoo Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 3 / 25 Underlying permutation: Keccak - p [1600 , 24]

  5. Introduction Keyed Keccak Constructions Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. http://www.iacr.org/authors/tikz/ Row Lane Column Slice state bits 4 / 25 steps: each round R consists of fjve b of Keccak - p [ b , n r ] Permutation b bits: seen as a 5 × 5 array 25 -bit lanes, A [ x , y ] n r rounds R = ι ◦ χ ◦ π ◦ ρ ◦ θ χ : S-box on each row π, ρ : change the position of

  6. Introduction Keyed Keccak Constructions http://keccak.noekeon.org/ The Column Parity kernel Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 5 / 25 Keccak - p Round Function: θ θ step: adding two columns to the current bit C [ x ] = A [ x , 0 ] ⊕ A [ x , 1 ] ⊕ A [ x , 2 ] ⊕ A [ x , 3 ] ⊕ A [ x , 4 ] D [ x ] = C [ x − 1 ] ⊕ ( C [ x + 1 ] ≪ 1 ) A [ x , y ] = A [ x , y ] ⊕ D [ x ] If C [ x ] = 0 , 0 ≤ x < 5, then the state A is in the CP kernel.

  7. Introduction 2,3 0,1 0,2 0,3 0,4 1,0 1,1 1,2 1,3 1,4 2,0 2,1 2,2 2,4 Keyed Keccak Constructions 3,0 3,1 3,2 3,3 3,4 4,0 4,1 4,2 4,3 4,4 Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 0,0 4,0 4,1 2,4 http://keccak.noekeon.org/ 0,4 0,3 0,2 0,1 0,0 1,4 1,3 1,2 1,1 1,0 2,3 2,2 4,2 4,3 4,4 3,0 3,1 3,2 3,3 3,4 2,0 2,1 6 / 25 Keccak - p Round Function: ρ, π ρ step: lane level rotations, A [ x , y ] = A [ x , y ] ≪ r [ x , y ] π step: permutation on lanes, A [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ] π

  8. Introduction Keyed Keccak Constructions Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. The algebraic degree of n rounds is 2 n . Nonlinear term: product of two adjacent bits in a row. 7 / 25 Keccak - p Round Function: χ χ step: 5-bit S-boxes, nonlinear operation on rows x 0 x 1 x 2 x 3 x 4 y 0 = x 0 + ( x 1 + 1 ) · x 2 , y 1 = x 1 + ( x 2 + 1 ) · x 3 , y 2 = x 2 + ( x 3 + 1 ) · x 4 , y 3 = x 3 + ( x 4 + 1 ) · x 0 , y 4 = x 4 + ( x 0 + 1 ) · x 1 . y 0 y 1 y 2 y 3 y 4

  9. Introduction Keyed Keccak Constructions Sponge construction [BDPV11] b -bit permutation f Keccak -MAC Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 8 / 25 Keccak : Keccak - p [1600 , 24] + Sponge Two parameters: bitrate r , capacity c , and b = r + c . Take K || M as input

  10. Introduction KMAC Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. Ketje Keyak Keyed Keccak Constructions 9 / 25 Keyed Keccak Constructions output N || S M || L ||00 K ⌊⋅⌋ L pad pad pad r 0 f f f f f ... c 0 absorbing squeezing σ 0 σ 1 K ||Nonce K ||Nonce σ 0 σ j Z 0 M 0 M 0 Z 0 ⌊⋅⌋ ρ pad pad pad pad pad r r ... ... ... ... ... ... ... ... 0 f f f 0 f 0 f 1 f 1 f 1

  11. Introduction larger versions of Ketje so far Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Solve the open problem of “Full State Keyed Duplex (Sponge)” Best key recovery attacks on round-reduced KMAC , Keyak and Our Contributions types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 25 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  12. Introduction larger versions of Ketje so far Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Solve the open problem of “Full State Keyed Duplex (Sponge)” Best key recovery attacks on round-reduced KMAC , Keyak and Our Contributions types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 25 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  13. Introduction larger versions of Ketje so far Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. — the Keyak designers by exploiting full-state absorbing remains an open question”. “Whether these attacks can still be extended to more rounds Solve the open problem of “Full State Keyed Duplex (Sponge)” Best key recovery attacks on round-reduced KMAC , Keyak and Our Contributions types of cube attacks Mixed Integer Linear Programming models for searching two Contributions cube attacks. Key Recovery Attacks 10 / 25 Intuition : deg ( χ ) = 2. Consider algebraic cryptanalsis, in paticular,

  14. Conditional Cube Attacks Outline 1 Introduction 2 Conditional Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 11 / 25

  15. Conditional Cube Attacks q contains terms that are not divisible by t I Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. Cube Attacks [DS09] The the cube sum is exactly 11 / 25 Higher Order Difgerential Cryptanalysis [Lai94] Given a Boolean polynomial f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) and a monomial t I = v i 1 ... v i d , I = { v i 1 , ..., v i d } , f can be written as f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) = t I · p S I + q p S I is called the superpoly of I in f v i 1 , ..., v i d are called cube variables. d is the dimension. ∑ f ( k 0 , ..., k n − 1 , v 0 , ..., v m − 1 ) = p S I ( v i 1 ,..., v id ) ∈ C I Cube attacks: p S I is a linear polynomial in key bits. Cube testers: distinguish p S I from a random function. If deg ( f ) < d , p S I = 0

  16. Conditional Cube Attacks Conditional Cube Testers of Keccak [HWX+17] Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. conditions are met. n -round Keccak if the Given such a cube with Type II conCube conditions are met. n -round Keccak if the 12 / 25 Given such a cube with Type I conCube We classify two types of conditional cubes: cube variable even in the second round under certain conditions . There exist p cube variables that are not multiplied with any Linearize the fjrst round. conCube Renamed conCube p = 1. p = d . d = 2 n − 2 + 1, p S I = 0 for d = 2 n − 1 , p S I = 0 for

  17. 1 (2 n 2 Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. The number of conditions is minimized. (low complexity). 2 as large as possible; (attack more rounds). 1) where n is Conditional Cube Attacks ConCube on Keccak Find Type I (II) cubes with dimension 2 n 1 Task of the MILP Model How to fjnd good cubes? recover the key. If the conditions involve the key, the conditional cube can be used to 13 / 25

  18. 1 (2 n 2 Improved Conditional Cube Attacks on Keccak-Based Constructions Song et al. The number of conditions is minimized. (low complexity). 2 as large as possible; (attack more rounds). 1) where n is Conditional Cube Attacks ConCube on Keccak Find Type I (II) cubes with dimension 2 n 1 Task of the MILP Model How to fjnd good cubes? recover the key. If the conditions involve the key, the conditional cube can be used to 13 / 25

  19. Conditional Cube Attacks ConCube on Keccak If the conditions involve the key, the conditional cube can be used to recover the key. How to fjnd good cubes? Task of the MILP Model 1 as large as possible; (attack more rounds). 2 The number of conditions is minimized. (low complexity). Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 13 / 25 Find Type I (II) cubes with dimension 2 n − 1 (2 n − 2 + 1) where n is

  20. MILP Model for Searching Cubes Outline 1 Introduction 2 Conditional Cube Attacks 3 MILP Model for Searching Cubes 4 Main Results Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 14 / 25

  21. MILP Model for Searching Cubes Mixed Integer Linear Programming An MILP problem is of the form min c T x Solvers Gurobi, CPLEX, SCIP, ... Application to cryptanalysis since Mouha et al.’s pioneering work [MWGP11] Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 14 / 25 Ax ≥ b x i ≥ 0 x i ∈ Z

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed Abdelkhalek 1 , Yu Sasaki 2 , Yosuke Todo 2 , Mohamed Tolba 1 , and Amr M. Youssef 1 1:Concordia University, 2: NTT Talk @ ASK2017, 10 December 2017

567 views • 38 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
EXPLICITLY IMPOSING CONSTRAINTS IN DEEP NETWORKS VIA CONDITIONAL GRADIENTS GIVES IMPROVED

EXPLICITLY IMPOSING CONSTRAINTS IN DEEP NETWORKS VIA CONDITIONAL GRADIENTS GIVES IMPROVED

AAAI 19 EXPLICITLY IMPOSING CONSTRAINTS IN DEEP NETWORKS VIA CONDITIONAL GRADIENTS GIVES IMPROVED GENERALIZATION AND FASTER CONVERGENCE Sathya Ravi, Tuan Dinh, Vishnu Lokhande, Vikas Singh Department of Computer Sciences University of

797 views • 52 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
Authenticated Encryption Atul Luykx COSIC, ESAT, KU Leuven, Belgium July 15, 2016 1 2 2 2 2

Authenticated Encryption Atul Luykx COSIC, ESAT, KU Leuven, Belgium July 15, 2016 1 2 2 2 2

Authenticated Encryption Atul Luykx COSIC, ESAT, KU Leuven, Belgium July 15, 2016 1 2 2 2 2 2 2 2 2 2 2 Modeling Attacks 3 Modeling Attacks 3 Modeling Attacks Encryption 3 Modeling Attacks Encryption 3 Modeling Attacks

1.82k views • 169 slides
Sequential Data Modeling - Conditional Random Fields Graham Neubig Nara Institute of Science and

Sequential Data Modeling - Conditional Random Fields Graham Neubig Nara Institute of Science and

Sequential Data Modeling Conditional Random Fields Sequential Data Modeling - Conditional Random Fields Graham Neubig Nara Institute of Science and Technology (NAIST) 1 Sequential Data Modeling Conditional Random Fields Prediction

448 views • 41 slides
Tour-Based Mode Choice Modeling: Using An Ensemble of (Un-) Conditional Data-Mining Classifiers

Tour-Based Mode Choice Modeling: Using An Ensemble of (Un-) Conditional Data-Mining Classifiers

Tour-Based Mode Choice Modeling: Using An Ensemble of (Un-) Conditional Data-Mining Classifiers James P. Biagioni Piotr M. Szczurek Peter C. Nelson, Ph.D. Abolfazl Mohammadian, Ph.D. Agenda Background Data-Mining (Un-) Conditional

319 views • 29 slides
Solve a Constraint Problem Without Modeling It Chris'an

Solve a Constraint Problem Without Modeling It Chris'an

1 /20 Solve a Constraint Problem Without Modeling It Chris'an Bessiere, Remi Cole1a, Nadjib Lazaar CNRS, University of Montpellier COCONUT Team

229 views • 20 slides
Wake fields and impedances calculations with GdfidL, MMM and CST for benchmarking purposes Oscar

Wake fields and impedances calculations with GdfidL, MMM and CST for benchmarking purposes Oscar

Wake fields and impedances calculations with GdfidL, MMM and CST for benchmarking purposes Oscar Frasciello 1 , M. Zobov 1 , N. Biancacci 2 1 INFN, Laboratori Nazionali di Frascati, Rome, Italy 2 CERN, Geneva, Switzerland Impedance meeting, CERN,

305 views • 14 slides
Simple dynamics on graphs Maximilien Gadouleau Durham University, UK Adrien Richard CNRS &amp;

Simple dynamics on graphs Maximilien Gadouleau Durham University, UK Adrien Richard CNRS &amp;

Simple dynamics on graphs Maximilien Gadouleau Durham University, UK Adrien Richard CNRS &amp; Universit e de Nice-Sophia Antipolis Paris, Novembre 23, 2015 Gadouleau &amp; Richard Simple Dynamics on Graphs Paris 2015 1/12 Let A = { 0 ,

832 views • 15 slides
NOT AS WE KNOW IT ! Reminiscence from the Original Star trek Service introduction As part of a

NOT AS WE KNOW IT ! Reminiscence from the Original Star trek Service introduction As part of a

ITS THERAPY JIM BUT NOT AS WE KNOW IT ! Reminiscence from the Original Star trek Service introduction As part of a joint Slaintecare, Pobal ,HSE initiative the project was designed to provide services to people recently diagnosed with

320 views • 11 slides
Compressed Suffix Trees in Practice Simon Gog Computing and Information Systems The University

Compressed Suffix Trees in Practice Simon Gog Computing and Information Systems The University

Introduction CST design CST in practice Compressed Suffix Trees in Practice Simon Gog Computing and Information Systems The University of Melbourne February 13th 2013 Introduction CST design CST in practice Outline Introduction 1 Basic

1.1k views • 75 slides
Fast Generation of Cubic Graphs Gunnar Brinkmann and Jan Goedgebeur Gunnar.Brinkmann@UGent.be

Fast Generation of Cubic Graphs Gunnar Brinkmann and Jan Goedgebeur Gunnar.Brinkmann@UGent.be

Fast Generation of Cubic Graphs Gunnar Brinkmann and Jan Goedgebeur Gunnar.Brinkmann@UGent.be Jan.Goedgebeur@UGent.be Faculty of Science Cubic graphs are graphs where every vertex has degree 3 (3 edges meet in every vertex). Faculty of

652 views • 40 slides
The K3 category of cubic fourfolds and Gushel-Mukai fourfolds Laura Pertusi Universit di Roma

The K3 category of cubic fourfolds and Gushel-Mukai fourfolds Laura Pertusi Universit di Roma

The K3 category of cubic fourfolds and Gushel-Mukai fourfolds Laura Pertusi Universit di Roma Tor Vergata December 20, 2019 Introduction Derived category K3 categories Complex Algebraic Geometry Aim: to study smooth projective varieties

973 views • 75 slides
Variants of the Segment Number of a Graph Yoshio Okamoto University of Electro-Communications,

Variants of the Segment Number of a Graph Yoshio Okamoto University of Electro-Communications,

Variants of the Segment Number of a Graph Yoshio Okamoto University of Electro-Communications, Ch ofu, Japan and RIKEN Center for Advanced Intelligence Project, Tokyo, Japan Alexander Ravsky Pidstryhach Institute for Applied Problems of

1.07k views • 62 slides

More recommend