new techniques for searching di ff erential trails in
play

New Techniques for Searching Di ff erential Trails in Keccak Guozhen - PowerPoint PPT Presentation

Oct 08, 2023 •177 likes •392 views

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

  1. New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

  2. Overview Introduction 1 Brief Description of Keccak -f[1600] Previous Works on Di ff erential Trail Search New 3-Round Trial Core Search Strategy 2 Classification of Search Space Ideal Improvement Assumption General Search Algorithm Summary of Search Result 3-Round Di ff erential Trail Core Search of Keccak Permutation 2 / 21

  3. Introduction Brief Description of Keccak -f[1600] Keccak -f[1600] - the SHA3 Permutation Keccak -f[1600] permutation uses XOR, AND and NOT operations in its round function. The state size is 1600 bits, organized as a 5 × 5 array of 64-bit lanes with ( x, y, z ) coordinates. Each round consists of 5 steps, i.e., the linear θ , ρ , π , ι operation, and the nonlinear χ . R = ι ◦ χ ◦ π ◦ ρ ◦ θ 2 4 rounds. 3-Round Di ff erential Trail Core Search of Keccak Permutation 3 / 21

  4. Introduction Brief Description of Keccak -f[1600] Round Function of Keccak -f[1600] R = ι ◦ χ ◦ π ◦ ρ ◦ θ y z z x θ step adds two columns to current bit position (x,y,z). column sum c [ x ][ z ] = � 4 y =0 a [ x ][ y ][ z ] a [ x ][ y ][ z ] = c [ x − 1][ z ] ⊕ a [ x ][ y ][ z ] ⊕ c [ x + 1][ z − 1] 3-Round Di ff erential Trail Core Search of Keccak Permutation 4 / 21

  5. Introduction Brief Description of Keccak -f[1600] Round Function of Keccak -f[1600] R = ι ◦ χ ◦ π ◦ ρ ◦ θ ρ step: lane-level rotation. It rotates the 64 bits of each lane by a specific o ff set , which is determined by the coordinates [x,y] of the lane. 3-Round Di ff erential Trail Core Search of Keccak Permutation 5 / 21

  6. Introduction Brief Description of Keccak -f[1600] Round Function of Keccak -f[1600] R = ι ◦ χ ◦ π ◦ ρ ◦ θ π step: permutation on lanes. It rearranges the 25 bits of each slice. a [ y ][2 x + 3 y ][ z ] = a [ x ][ y ][ z ] . 3-Round Di ff erential Trail Core Search of Keccak Permutation 6 / 21

  7. Introduction Brief Description of Keccak -f[1600] Round Function of Keccak -f[1600] R = ι ◦ χ ◦ π ◦ ρ ◦ θ χ is the only nonlinear component. It is a row wise 5-bit Sbox. 3-Round Di ff erential Trail Core Search of Keccak Permutation 7 / 21

  8. Introduction Brief Description of Keccak -f[1600] Round Function of Keccak -f[1600] R = ι ◦ χ ◦ π ◦ ρ ◦ θ ι step: add a round constant to the state Add a round-dependent constant to the first lane to destroy the symmetry. Since it has no e ff ect on this kind of di ff erential trail search, we ignore it. 3-Round Di ff erential Trail Core Search of Keccak Permutation 8 / 21

  9. Introduction Previous Works on Di ff erential Trail Search Previous Results on Exhaustive Trail Search of Keccak -f[1600] Di ff erential Propagation Analysis from [DVA12] 3-round trails with propagation weight below T 3 = 36 are searched completely. Lower bound of 6-round trails is 74. New techniques for trail search [MDVA17] 3-round trail cores with threshold propagation weight T 3 = 45 are searched exhaustively. Lower bound on propagation weight of 4/5/6-round trails are improved accordingly. Our results We set T 3 = 53 for our search strategy. There is no theoretical proof for a satisfactory lower bound, but we indeed found many new trail cores. 3-Round Di ff erential Trail Core Search of Keccak Permutation 9 / 21

  10. New 3-Round Trial Core Search Strategy Classification of Search Space θ Property and 3-Round Trail Core Column Parity p of state α is the parity of all columns, i.e., p = P ( α ) . In CP Kernel and out CP Kernel. If p = 0 , θ has no e ff ect on α , α is called in CP Kernel denoted as | K | , otherwise, it’s out CP Kernel, denoted as | N | . We use parity and Kernel to represent column parity and column y z parity kernel. z x 3-round trail core χ λ λ β 0 ��� α 1 − → β 1 − → α 2 − → β 2 A 3-round trail core is denoted by ( α 1 , α 2 ) or ( β 1 , β 2 ) . Target 3-round trail cores The 3-round trail core ( β 1 , β 2 ) with propagation weight w rev ( α 1 ) a + w ( β 1 ) + w ( β 2 ) ≤ T 3 . a w rev ( α 1 ) refers to the optimal weight of β 0 which can propagate to α 1 3-Round Di ff erential Trail Core Search of Keccak Permutation 10 / 21

  11. <latexit sha1_base64="wru6bG+JPhHs0P57svuamOHSbA=">ACmXicfZHLSsNAFIYn8V5vVcGNm2ARXJVMFXThwgtKcaVoVWhKOJlOm6GTCzMnagl9J5/FnW/jtI2gRjw8P/83lnCVQqPrflj2zOzc/MLiUmV5ZXVtvbqx+aCTDHeYolM1FMAmksR8xYKlPwpVRyiQPLHYHAxzh+fudIie9xmPJOBP1Y9AQDNJZfNApiH4rveqRD9EUCp5yT1pTujCyAs4ljIWCt8dFRz9h6Nljn5xjX+4RplrfHEHfrXm1t1JOWVBC1EjRd341Xevm7As4jEyCVq3qZtiJweFgk+qniZ5imwAfR528gYIq47+aSzI2fPOF2nlyizYnQm7ncih0jrYRSYnRFgqH9nY/OvrJ1h7iTizjNkMdselEvkw4mznhMTlcozlAOjQCmhHmrw0JQwNAMs2KaQH9/uSweGnXq1untYe30vGjHItkhu2SfUHJETkmT3JAWYda2dWJdWlf2jn1mN+3r6VbKpgt8qPsu08nEdEL</latexit> <latexit sha1_base64="wru6bG+JPhHs0P57svuamOHSbA=">ACmXicfZHLSsNAFIYn8V5vVcGNm2ARXJVMFXThwgtKcaVoVWhKOJlOm6GTCzMnagl9J5/FnW/jtI2gRjw8P/83lnCVQqPrflj2zOzc/MLiUmV5ZXVtvbqx+aCTDHeYolM1FMAmksR8xYKlPwpVRyiQPLHYHAxzh+fudIie9xmPJOBP1Y9AQDNJZfNApiH4rveqRD9EUCp5yT1pTujCyAs4ljIWCt8dFRz9h6Nljn5xjX+4RplrfHEHfrXm1t1JOWVBC1EjRd341Xevm7As4jEyCVq3qZtiJweFgk+qniZ5imwAfR528gYIq47+aSzI2fPOF2nlyizYnQm7ncih0jrYRSYnRFgqH9nY/OvrJ1h7iTizjNkMdselEvkw4mznhMTlcozlAOjQCmhHmrw0JQwNAMs2KaQH9/uSweGnXq1untYe30vGjHItkhu2SfUHJETkmT3JAWYda2dWJdWlf2jn1mN+3r6VbKpgt8qPsu08nEdEL</latexit> <latexit sha1_base64="wru6bG+JPhHs0P57svuamOHSbA=">ACmXicfZHLSsNAFIYn8V5vVcGNm2ARXJVMFXThwgtKcaVoVWhKOJlOm6GTCzMnagl9J5/FnW/jtI2gRjw8P/83lnCVQqPrflj2zOzc/MLiUmV5ZXVtvbqx+aCTDHeYolM1FMAmksR8xYKlPwpVRyiQPLHYHAxzh+fudIie9xmPJOBP1Y9AQDNJZfNApiH4rveqRD9EUCp5yT1pTujCyAs4ljIWCt8dFRz9h6Nljn5xjX+4RplrfHEHfrXm1t1JOWVBC1EjRd341Xevm7As4jEyCVq3qZtiJweFgk+qniZ5imwAfR528gYIq47+aSzI2fPOF2nlyizYnQm7ncih0jrYRSYnRFgqH9nY/OvrJ1h7iTizjNkMdselEvkw4mznhMTlcozlAOjQCmhHmrw0JQwNAMs2KaQH9/uSweGnXq1untYe30vGjHItkhu2SfUHJETkmT3JAWYda2dWJdWlf2jn1mN+3r6VbKpgt8qPsu08nEdEL</latexit> <latexit sha1_base64="wru6bG+JPhHs0P57svuamOHSbA=">ACmXicfZHLSsNAFIYn8V5vVcGNm2ARXJVMFXThwgtKcaVoVWhKOJlOm6GTCzMnagl9J5/FnW/jtI2gRjw8P/83lnCVQqPrflj2zOzc/MLiUmV5ZXVtvbqx+aCTDHeYolM1FMAmksR8xYKlPwpVRyiQPLHYHAxzh+fudIie9xmPJOBP1Y9AQDNJZfNApiH4rveqRD9EUCp5yT1pTujCyAs4ljIWCt8dFRz9h6Nljn5xjX+4RplrfHEHfrXm1t1JOWVBC1EjRd341Xevm7As4jEyCVq3qZtiJweFgk+qniZ5imwAfR528gYIq47+aSzI2fPOF2nlyizYnQm7ncih0jrYRSYnRFgqH9nY/OvrJ1h7iTizjNkMdselEvkw4mznhMTlcozlAOjQCmhHmrw0JQwNAMs2KaQH9/uSweGnXq1untYe30vGjHItkhu2SfUHJETkmT3JAWYda2dWJdWlf2jn1mN+3r6VbKpgt8qPsu08nEdEL</latexit> New 3-Round Trial Core Search Strategy Classification of Search Space Classification of 3-Round Trail Core χ 0 χ 1 χ 2 λ λ λ α 0 → β 0 → α 1 → β 1 → α 2 → β 2 → α 3 − − − − − − According to whether α 1 and α 2 are in Kernel , 3-round trail cores can be classified into 4 1 categories. | K | K | trail cores, both α 1 and α 2 are in Kernel. | N | K | and | N | N | trail cores, with always α 1 out Kernel. (In our work, trail cores with either of the features are covered by the same strategy.) | K | N | trail cores with only α 2 in Kernel. For the last two cases, the search strategy are quite similar. But for | N | K | and | N | N | trails, the 2 trail core search starts from out Kernel α 1 , and from out Kernel α 2 for | K | N | trails. 3-Round Di ff erential Trail Core Search of Keccak Permutation 11 / 21

  12. New 3-Round Trial Core Search Strategy Classification of Search Space Search strategy for | K | K | trail cores First prepare all the theoretical candidate β 1 structures for in Kernel α 1 with m orbitals 1 . Store 1 them in a look up table. According to β 1 can propagate to α 1 which is in Kernel through λ − 1 = ρ − 1 ◦ π − 1 , construct the 2 possible α 1 Based on the relationship between α 1 and β 1 , filter α 1 , and extend forward by one round to obtain 3 the target three round trails 1 A group of 2 active bits in the same column is called an orbital 3-Round Di ff erential Trail Core Search of Keccak Permutation 12 / 21

  13. New 3-Round Trial Core Search Strategy Classification of Search Space An Example - | K | K | Trail Search Algorithm 4 orbitals at α 1 propagate to 3 slices at β 1 with { 3,3,2 } pattern From the look up table, we enumerate all the possible valid slice for z ′ 1 to obtain p ′′ 1 , p ′′ 2 and p ′′ 3 . Through λ − 1 = θ − 1 ◦ ρ − 1 ◦ π − 1 , p 1 , p 2 , and p 3 are determined. Then q 1 , q 2 , q 3 can be enumerated according to the orbital relation. Through π ◦ ρ ◦ θ , q ′′ 3 is determined. According to the valid 2-bit slices stored in the look up table, p ′′ 4 can be obtained, so p 4 is fixed, after that, q 4 can be enumerated according to the orbital relation. Until now, all the four orbitals with 8 bits are determined. Then we filter α 1 by checking q ′′ 1 , q ′′ 2 and q ′′ 4 are all at slice z ′ 2 or not and they result in in kernel slice at α 2 or not. Extend one round to get the target three round trail cores. 3-Round Di ff erential Trail Core Search of Keccak Permutation 13 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vat Phou and Champasaks trails Champasaks Highlights Archaeological trails Cultural

Vat Phou and Champasaks trails Champasaks Highlights Archaeological trails Cultural

Vat Phou and Champasaks trails Champasaks Highlights Archaeological trails Cultural trails Historical trails Natural trails Discover Vat Phou and Champasaks cultural and historic landscape by exploring thematjc trails 8 7 2 3 6

91 views • 6 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Searching for Subspace Trails and Truncated Differentials March 5th, 2018 Horst Grtz Institute

Searching for Subspace Trails and Truncated Differentials March 5th, 2018 Horst Grtz Institute

RUHR-UNIVERSITT BOCHUM Searching for Subspace Trails and Truncated Differentials March 5th, 2018 Horst Grtz Institute for IT Security Ruhr-Universitt Bochum Gregor Leander, Cihangir Teczan, and Friedrich Wiemer Friedrich Wiemer |

540 views • 24 slides
Trails of the World Millions of outdoor enthusiasts exploring and sharing great trails and

Trails of the World Millions of outdoor enthusiasts exploring and sharing great trails and

Trails of the World Millions of outdoor enthusiasts exploring and sharing great trails and pictures .com 10M Trails Community 4M Users 10M Trails 4M Registered Users 17M Pictures &amp; Videos 4M Trails 75 Activities 2M Trails 190

191 views • 6 slides
Searching and Recursion 1 Objectives T o understand the basic techniques for analyzing the

Searching and Recursion 1 Objectives T o understand the basic techniques for analyzing the

Searching and Recursion 1 Objectives T o understand the basic techniques for analyzing the effjciency of algorithms. T o know what searching is and understand the algorithms for linear and binary search. T o understand the basic

723 views • 71 slides
Trails and Networks: Loom; Going from Trails to Networks and Networks to Trails Mihovil

Trails and Networks: Loom; Going from Trails to Networks and Networks to Trails Mihovil

&lt;Your Name&gt; Trails and Networks: Loom; Going from Trails to Networks and Networks to Trails Mihovil Bartulovic mbartulovic@cmu.edu Dr. Kathleen M. Carley kathleen.carley@cs.cmu.edu Center for Computational Analysis of Social and

393 views • 18 slides
E-bikes and Trails: Measuring Impact and Acceptance of Class 1 E-bikes on Trails Presentation

E-bikes and Trails: Measuring Impact and Acceptance of Class 1 E-bikes on Trails Presentation

E-bikes and Trails: Measuring Impact and Acceptance of Class 1 E-bikes on Trails Presentation Overview Relevant legislation JCOS study design Current findings Decision on Class I on JCOS paved trails E-bike demo Discussion HB 17-1151

922 views • 32 slides
TALKING TRAILS BREAKFAST PRESENTED BY: CABOT TRAILS COMMITTEE &amp; CENTRAL VERMONT REGIONAL

TALKING TRAILS BREAKFAST PRESENTED BY: CABOT TRAILS COMMITTEE &amp; CENTRAL VERMONT REGIONAL

TALKING TRAILS BREAKFAST PRESENTED BY: CABOT TRAILS COMMITTEE &amp; CENTRAL VERMONT REGIONAL PLANNING COMMISSION WELCOME Introductions Cabot Trails Committee Recreation Trails Planning Grant Review of Purpose and Needs

117 views • 10 slides
TRAILHEAD NORTH The Ontario Trails Strategy and Trails Action Plan Presentation by Carol Oitment

TRAILHEAD NORTH The Ontario Trails Strategy and Trails Action Plan Presentation by Carol Oitment

TRAILHEAD NORTH The Ontario Trails Strategy and Trails Action Plan Presentation by Carol Oitment Ministry of Tourism, Culture and Sport (MTCS) April 20, 2016 OVERVIEW OF THE PRESENTATION The Provincial Context for Trails Research on the

454 views • 28 slides
Communications Update Circuit Trails Coalition Semi-Annual Meeting May 2017 Quick Refresher

Communications Update Circuit Trails Coalition Semi-Annual Meeting May 2017 Quick Refresher

Communications Update Circuit Trails Coalition Semi-Annual Meeting May 2017 Quick Refresher Objectives Raise awareness of Circuit Trails vision Increase use of existing trails Drive support for trails among influencers,

322 views • 28 slides
Kids in Parks Designing Self-guided Trails that Get Kids in Parks Introducing TRACK Trails Kids

Kids in Parks Designing Self-guided Trails that Get Kids in Parks Introducing TRACK Trails Kids

Kids in Parks Designing Self-guided Trails that Get Kids in Parks Introducing TRACK Trails Kids in Parks provides a network of self-guided, brochure-led hiking trails designed for kids and their families called TRACK Trails. 1 st TRACK Trail

504 views • 13 slides
Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching

Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching

Language and Computers Topic 2: Searching Introduction Text Speech Searching in a Library Catalogue Special characters Linguistics 384: Language and Computers Operators Searching the web Topic 2: Searching Operators Improving searching

597 views • 36 slides
Searching Tiziana Ligorio 1 Todays Plan Searching algorithms and their analysis 2

Searching Tiziana Ligorio 1 Todays Plan Searching algorithms and their analysis 2

Searching Tiziana Ligorio 1 Todays Plan Searching algorithms and their analysis 2 Searching Looking for something! In this discussion we will assume searching for an element in an array 3 Linear search Most intuitive

269 views • 25 slides
Di ff erential gene expression analysis using RNA-seq Applied Bioinformatics Core

Di ff erential gene expression analysis using RNA-seq Applied Bioinformatics Core

Di ff erential gene expression analysis using RNA-seq Applied Bioinformatics Core https://abc.med.cornell.edu/ Day 1: Introduction 1. RNA isolation &amp; library preparation 2. Illuminas sequencing by synthesis 3. experimental design 4. raw

908 views • 76 slides
Trails and Networks: Loom; Network Representation of Trails Mihovil Bartulovic

Trails and Networks: Loom; Network Representation of Trails Mihovil Bartulovic

&lt;Your Name&gt; Trails and Networks: Loom; Network Representation of Trails Mihovil Bartulovic mbartulovic@cmu.edu Dr. Kathleen M. Carley kathleen.carley@cs.cmu.edu Center for Computational Analysis of Social and Organizational Systems

301 views • 18 slides
Chapter 5 Searching and Binary Search Trees 5.1 Searching sequence The purpose of searching :

Chapter 5 Searching and Binary Search Trees 5.1 Searching sequence The purpose of searching :

CS 2412 Data Structures Chapter 5 Searching and Binary Search Trees 5.1 Searching sequence The purpose of searching : find out some specific item from a collection of data. Key of information: some kind of index of items in the collection of

943 views • 69 slides
Space charge studies based on beta measurement in J-PARC MR K. Ohmi KEK, Accelerator Lab Dec.

Space charge studies based on beta measurement in J-PARC MR K. Ohmi KEK, Accelerator Lab Dec.

Space charge studies based on beta measurement in J-PARC MR K. Ohmi KEK, Accelerator Lab Dec. 10, 2015, talk at Fermilab K. Ohmi (KEK) Space charge on measured beta Dec. 10, 2015, talk at Fermilab 1 / 36 Overview Hamiltonian and Resonances

632 views • 37 slides
Lecture 25: Autoencoders Kernel PCA Aykut Erdem January 2017 Hacettepe University Today

Lecture 25: Autoencoders Kernel PCA Aykut Erdem January 2017 Hacettepe University Today

Lecture 25: Autoencoders Kernel PCA Aykut Erdem January 2017 Hacettepe University Today Motivation PCA algorithms Applications PCA shortcomings Autoencoders Kernel PCA 2 Autoencoders 3

550 views • 34 slides
Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg

Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg

Synthesis Tools for White-box Implementations Aleksei Udovenko SnT, University of Luxembourg WhibOx Workshop May 19, 2019 Introduction Circuit Construction Compilation Attacks Conclusion Plan Introduction Circuit Construction

690 views • 30 slides
Introduction Lijun Zhang zlj@nju.edu.cn http://cs.nju.edu.cn/zlj Outline Mathematical

Introduction Lijun Zhang zlj@nju.edu.cn http://cs.nju.edu.cn/zlj Outline Mathematical

Introduction Lijun Zhang zlj@nju.edu.cn http://cs.nju.edu.cn/zlj Outline Mathematical Optimization Least-squares Linear Programming Convex Optimization Nonlinear Optimization Summary Outline Mathematical Optimization

749 views • 38 slides
Early Dark Energy and the BAO Matt Francis (SISSA) with Eric Linder (LBNL) Early Dark Energy

Early Dark Energy and the BAO Matt Francis (SISSA) with Eric Linder (LBNL) Early Dark Energy

Early Dark Energy and the BAO Matt Francis (SISSA) with Eric Linder (LBNL) Early Dark Energy Can arise for instance in quintessence models with attractor solutions and coupled dark energy models Even percent levels of e could have a

330 views • 10 slides
CS-184: Computer Graphics Lecture #8: Projection Prof. James OBrien University of

CS-184: Computer Graphics Lecture #8: Projection Prof. James OBrien University of

1 CS-184: Computer Graphics Lecture #8: Projection Prof. James OBrien University of California, Berkeley V2016-F-08-1.0 2 Today Windowing and Viewing Transformations Windows and viewports Orthographic projection

685 views • 40 slides
Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of

Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of

Neural Networks Representations Fall 2017 Learning in the net Problem: Given a collection of input-output pairs, learn the function Learning for classification x 2 x 1 When the net must learn to classify.. Learning for classification x

960 views • 91 slides
CSCE 970 Lecture 4: Thus we will remap feature vectors to new Nonlinear Classifiers space

CSCE 970 Lecture 4: Thus we will remap feature vectors to new Nonlinear Classifiers space

Introduction For non-linearly separable classes, performance of even the best linear classifier might not be good CSCE 970 Lecture 4: Thus we will remap feature vectors to new Nonlinear Classifiers space where they are (almost) linearly

254 views • 11 slides

More recommend