on the construction of partial difference distribution
play

On the Construction of Partial Difference Distribution Tables for - PowerPoint PPT Presentation

Aug 12, 2023 •35 likes •475 views

Motivation Partial DDT-s Results Conclusions On the Construction of Partial Difference Distribution Tables for ARX Ciphers A. Biryukov V. Velichkov LACS, Luxembourg University ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg

  1. Motivation Partial DDT-s Results Conclusions On the Construction of Partial Difference Distribution Tables for ARX Ciphers A. Biryukov V. Velichkov LACS, Luxembourg University ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 1 / 37

  2. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 2 / 37

  3. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 3 / 37

  4. Motivation Partial DDT-s Results Conclusions Differential Cryptanalysis [Biham,Shamir,1991] α = P ⊕ P ⋆ P ⋆ P round round X ⋆ X 1 ∆ X 1 1 round round X ⋆ X 2 ∆ X 2 2 round round β = C ⊕ C ⋆ C ⋆ C DP ( α → β ) =? (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 4 / 37

  5. Motivation Partial DDT-s Results Conclusions Substitution Box (S-box): a Source of Non-linearity An example 4-bit S-box: a S b = S [ a ] 0 1 2 3 4 5 6 7 8 9 A B C D E F a E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7 S [ a ] The differential probability of an S-box: DP ( α → β ) = # { a : S [ a ⊕ α ] ⊕ S [ a ] = β } . # { a } S-boxes make differential cryptanalysis harder (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 5 / 37

  6. Motivation Partial DDT-s Results Conclusions Difference Distribution Table (DDT) for 4-bit S-box 0 1 2 3 4 5 6 7 8 9 A B C D E F α , β 0 16 . . . . . . . . . . . . . . . 1 . . . 2 . . . 2 . 2 4 . 4 2 . . 2 . . . 2 . 6 2 2 . 2 . . . . 2 . 3 . . 2 . 2 . . . . 4 2 . 2 . . 4 4 . . . 2 . . 6 . . 2 . 4 2 . . . 5 . 4 . . . 2 2 . . . 4 . 2 . . 2 6 . . . 4 . 4 . . . . . . 2 2 2 2 7 . . 2 2 2 . 2 . . 2 2 . . . . 4 8 . . . . . . 2 2 . . . 4 . 4 2 2 9 . 2 . . 2 . . 4 2 . 2 2 2 . . . A . 2 2 . . . . . 6 . . 2 . . 4 . B . . 8 . . 2 . 2 . . . . . 2 . 2 C . 2 . . 2 2 2 . . . . 2 . 6 . . D . 4 . . . . . 4 2 . 2 . 2 . 2 . E . . 2 4 2 . . . 6 . . . . . 2 . F . 2 . . 6 . . . . 4 . 2 . . 2 . (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 6 / 37

  7. Motivation Partial DDT-s Results Conclusions DDT: Analyzing the Differential Properties of an S-box A DDT reflects the differential properties of an S-box Many useful parameters can be computed from the DDT e.g. the maximum differential probability: α,β DP ( α → β ) = DP ( 0xB → 0x2 ) = 8 max 16 = 0 . 5 . Used to estimate the strength against DC e.g. set upper bound on the max. probability of a differential (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 7 / 37

  8. Motivation Partial DDT-s Results Conclusions Cipher Designs that Use S-boxes Many cipher designs use S-boxes as a component S S S S P Examples: DES, AES, PRESENT, etc. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 8 / 37

  9. Motivation Partial DDT-s Results Conclusions Modular Addition and XOR as Sources of Non-linearity a a b b a + b a ⊕ b ADD XOR ADD is non-linear w.r.t. XOR differences: ( a ⊕ α )+( b ⊕ β ) � = ( a + b ) ⊕ ( α + β ) . XOR is non-linear w.r.t. ADD differences ( a + α ) ⊕ ( b + β ) � = ( a ⊕ b ) + ( α ⊕ β ) . (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 9 / 37

  10. Motivation Partial DDT-s Results Conclusions Designs Based on ADD and XOR (ARX) ADD and XOR provide non-linearity similarly to an S-box ≪ ≪ ≪ ≪ Examples: FEAL, MD4, MD5, Salsa20, Skein, etc. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 10 / 37

  11. Motivation Partial DDT-s Results Conclusions The XOR Differential Probability of Modular Addition α , β , γ are XOR differences: α β xdp + γ xdp + ( α, β → γ ) = # { ( a , b ) : (( a ⊕ α ) + ( b ⊕ β ) ⊕ ( a + b )) = γ } . # { ( a , b ) } (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 11 / 37

  12. Motivation Partial DDT-s Results Conclusions The Additive Differential Probability of XOR α , β , γ are additive ( ADD ) differences: α β adp ⊕ γ adp ⊕ ( α, β → γ ) = # { ( a , b ) : (( a + α ) ⊕ ( b + β )) − ( a + b ) = γ } . # { ( a , b ) } (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 12 / 37

  13. Motivation Partial DDT-s Results Conclusions A DDT for ADD (resp. XOR )? Viewing the ADD operation as an S-box: S c = a + b = S [ a || b ] ( a , b ) The DDT of this S-box is huge: 2 64 × 2 32 Infeasible to compute and store the full table! Maybe we can only store part of the DDT, say, the top k differentials: k ≪ 2 64 × 2 32 . (1) A partial DDT? (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 13 / 37

  14. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 14 / 37

  15. Motivation Partial DDT-s Results Conclusions Partial DDT for XOR and ADD Definition A partial difference distribution table D for ADD (resp. XOR ) is a DDT that contains all XOR (resp. ADD ) differentials ( α, β → γ ) whose probabilities are larger than or equal to a pre-defined threshold p thres : ⇒ DP ( α, β → γ ) ≥ p thres . ( α, β, γ ) ∈ D ⇐ (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 15 / 37

  16. Motivation Partial DDT-s Results Conclusions Computation of a Partial DDT Proposition The differential probabilities (DP) of ADD and XOR (resp. xdp + and adp ⊕ ) are monotonously decreasing with the word size n of the differences α, β, γ : p n ≤ . . . ≤ p k + 1 ≤ p k ≤ p k − 1 ≤ . . . ≤ p 1 , where p k = DP ( α k , β k → γ k ) , n ≤ k ≤ 1 , and x k denotes the k LSB-s of the difference x. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 16 / 37

  17. Motivation Partial DDT-s Results Conclusions The DP of ADD and XOR is Decreasing with n For ADD , the proposition follows from a result by [LM01]: i = 0 ¬ eq ( α [ i ] ,β [ i ] ,γ [ i ]) , xdp + ( α, β → γ ) = 2 − � n − 2 where eq ( α [ i ] , β [ i ] , γ [ i ]) = 1 ⇐ ⇒ α [ i ] = β [ i ] = γ [ i ] . Is also true for adp ⊕ . [LM01] Lipmaa, Moriai: Efficient Algorithms for Computing Differential Properties of Addition. FSE 2001: 336-350 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 17 / 37

  18. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 1 α β 0 1 1 . 0 1 γ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  19. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 2 α β 10 01 0 . 5 01 γ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  20. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 3 α β 110 001 0 . 25 001 γ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  21. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 4 α β 1110 0001 0 . 125 0001 γ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  22. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 5 α β 01110 00001 0 . 0625 00001 γ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  23. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 6 α β 101110 000001 0 . 0625 100001 γ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  24. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 7 α β 0101110 1000001 0 . 03125 1100001 γ 0 . 03125 ≤ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  25. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 8 α β 00101110 11000001 0 . 015625 11100001 γ 0 . 015625 ≤ 0 . 03125 ≤ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recap 1. We can use the t-distribution to estimate the probability of a difference between

Recap 1. We can use the t-distribution to estimate the probability of a difference between

Unit 3: Inference for Categorical and Numerical Data 3. Difference of many means (Chapter 4.4) 3/2/2020 Recap 1. We can use the t-distribution to estimate the probability of a difference between unpaired values. 2. Degrees of freedom

652 views • 28 slides
Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates Venice Grigsby Steps of a Partial Estimate (Creation Payment) Construction Project Closeout Chris Durbin Process

1.09k views • 54 slides
Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates Venice Grigsby Steps of a Partial Estimate (Creation Payment) Construction Project Closeout Chris Durbin Process

837 views • 54 slides
Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang

Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang

Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang Department of Computer Science, University of Haifa, Haifa, Israel 2020 . 11 . 5 Background and Motivation Difference Distribution Table (DDT) of an

830 views • 48 slides
Hadamard difference sets and corresponding regular partial difference sets in groups of order 144

Hadamard difference sets and corresponding regular partial difference sets in groups of order 144

Hadamard difference sets and corresponding regular partial difference sets in groups of order 144 Tanja Vu ci ci c University of Split, Croatia March 17, 2015 Tanja Vu ci ci c (University of Split, Croatia) ALCOMA15,Kloster

848 views • 51 slides
Partial Model Construction Given a clause set N and an ordering we can construct a (partial)

Partial Model Construction Given a clause set N and an ordering we can construct a (partial)

Partial Model Construction Given a clause set N and an ordering we can construct a (partial) model N I for N as follows: N C := D C D if D = D P , P strictly maximal and N D | { P } = D D := otherwise

394 views • 15 slides
Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem:

Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem:

Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem: Combining Models from Different Contexts Theory: Solomonoff Operator Induction and Beta Distribution Practice: Inference Control Meta-Learning 2

715 views • 33 slides
Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New

Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New

Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New York, NY, USA tim@cims.nyu.edu SETTING Z a compact (metrizable) Abelian group U 1 , . . . , U k closed subgroups of Z F ( Z ) { measurable

711 views • 27 slides
New examples of partial difference sets in finite nonabelian groups Eric Swartz The University

New examples of partial difference sets in finite nonabelian groups Eric Swartz The University

New examples of partial difference sets in finite nonabelian groups Eric Swartz The University of Western Australia 5 August 2013 Introduction Definitions Definition The groups, graphs, etc., considered in this talk will be finite.

717 views • 22 slides
Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical Sciences Peking University Finite Difference Methods for Hyperbolic Equations Finite Difference Schemes for Advection-Diffusion Equations A Model

555 views • 42 slides
Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle

Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle

Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle Sets Gianira N. Alfarano, Julia Lieb, Joachim Rosenthal University of Zurich gianiranicoletta.alfarano@math.uzh.ch ISIT 2020: IEEE International

654 views • 39 slides
Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in difference Card & Krueger (1995,AER) Rise in minimum wage from 4,2$ to 5,05$ in April 1992 in the State of New Jersey. Research question:

405 views • 28 slides
Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we

Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we

Unit 3: Inference for Categorical and Numerical Data 3. Difference of two means (Chapter 4.3) 2/26/2020 Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we shouldnt use the Normal distribution. We

353 views • 20 slides
Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst

Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst

Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst Wit Department of Statistics University of Glasgow, UK www.stats.gla.ac.uk/~raya/suppldata.html The analytical objective Construct gene

1.55k views • 18 slides
SCHOOLS MAKE A CHILDHOOD ORIGINS WHAT SCHOOLS HUGE DIFFERENCE OF CRIME CAN DO (partial

SCHOOLS MAKE A CHILDHOOD ORIGINS WHAT SCHOOLS HUGE DIFFERENCE OF CRIME CAN DO (partial

18/09/2017 CHILDHOOD ORIGINS OF ADULT HAPPINESS (partial correlation coefficients) MENTAL HEALTH IN Highest .07 qualification ADULT SCHOOLS LIFE Behaviour .03 at 16 SATIS- Richard Layard Emotional FACTION .10 12 September 2017

606 views • 4 slides
Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting in German Partial VPs Partial APs Kordula De Kuthy Detmar Meurers Partial NPs Interaction: Partial constituents embedded in VPs

224 views • 7 slides
3.1 Linear Models a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics

3.1 Linear Models a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics

3.1 Linear Models a lesson for MATH F302 Differential Equations Ed Bueler, Dept. of Mathematics and Statistics, UAF January 30, 2019 for textbook: D. Zill, A First Course in Differential Equations with Modeling Applications , 11th ed. 1 / 13

410 views • 13 slides
FEMBs Design of FEMBs with LArASIC, ColdADC, FPGA/COLDATA Jack Fried on behalf of the CE group

FEMBs Design of FEMBs with LArASIC, ColdADC, FPGA/COLDATA Jack Fried on behalf of the CE group

FEMBs Design of FEMBs with LArASIC, ColdADC, FPGA/COLDATA Jack Fried on behalf of the CE group February 6 , 2020 Outline FEMB History FEMB Versions LArASIC + P1 ADC + FPGA LArASIC + ColdADC + FPGA LArASIC + ColdADC +

582 views • 44 slides
MA-207 Differential Equations II Ronnie Sebastian Department of Mathematics Indian Institute of

MA-207 Differential Equations II Ronnie Sebastian Department of Mathematics Indian Institute of

MA-207 Differential Equations II Ronnie Sebastian Department of Mathematics Indian Institute of Technology Bombay Powai, Mumbai - 76 1 / 40 One-dimensional wave equation 2 / 40 One-dimensional wave equation Consider the following

1.62k views • 135 slides
Math 211 Math 211 Lecture #3 Solutions to Differential Equations August 29, 2003 2

Math 211 Math 211 Lecture #3 Solutions to Differential Equations August 29, 2003 2

1 Math 211 Math 211 Lecture #3 Solutions to Differential Equations August 29, 2003 2 Differential Equations Differential Equations A differential equation is an equation involving an unknown function and one or more of its derivatives, in

526 views • 15 slides
Multiplication in differential cohomology and cohomology operation Kiyonori GOMI Kyoto

Multiplication in differential cohomology and cohomology operation Kiyonori GOMI Kyoto

Introduction Definition and Property Physics ordinary cohomology K -cohomology Multiplication in differential cohomology and cohomology operation Kiyonori GOMI Kyoto University Feb 17, 2009 Introduction Definition and Property Physics

965 views • 49 slides
Distributions, Di ff erential Equations, and Zeros... Qu ebec-Maine... September 2020 Paul

Distributions, Di ff erential Equations, and Zeros... Qu ebec-Maine... September 2020 Paul

Distributions, Di ff erential Equations, and Zeros... Qu ebec-Maine... September 2020 Paul Garrett, University of Minnesota Partly joint work with E. Bombieri, IAS Some technical and historical background: Designed Pseudo-Laplacians E.

465 views • 24 slides
Diffraction Theory 1 2 , 2 4 3 5 1 + 2

Diffraction Theory 1 2 , 2 4 3 5 1 + 2

Diffraction Theory 1 2 , 2 4 3 5 1 + 2 , + 5 , , = 1 , + 3 , + 4 , + =

1.34k views • 75 slides
1 - INTERFERENCE AND MICHELSON INTERFEROMETER 1.1 Simple formulas on interference Let us start by

1 - INTERFERENCE AND MICHELSON INTERFEROMETER 1.1 Simple formulas on interference Let us start by

PREPARATORY SCHOOL TO THE Winter College on Optics 2019: Application of Optics and Photonics in Food Science ------------------- EXPERIMENTS in the DIFFRACTION LABORATORY ANNA CONSORTINI UNIVERSITA` DEGLI STUDI DI FIRENZE

262 views • 8 slides

More recommend