  1. On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis

  Dhiman Saha (1), Yu Sasaki (2), Danping Shi (3,4), Ferdinand Sibleyras (5), Siwei Sun (3,4), Yingjie Zhang (3,4)

  (1) de.ci.phe.red Lab, Department of Electrical Engineering and Computer Science, IIT Bhilai
  (2) NTT Secure Platform Laboratories
  (3) State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
  (4) University of Chinese Academy of Sciences
  (5) Inria

  FSE 2020

  2. High-level Description - AEAD
  [Figure: AEAD interface with inputs Key, Nonce, Associated Data and Message, and outputs Ciphertext and Authentication Tag]

  3. TinyJAMBU
  ▸ Designed by Hongjun Wu and Tao Huang
  ▸ A small variant of JAMBU [WH15]
  ▸ A family of AEAD schemes
  ▸ Currently a Round-2 candidate in NIST LWC

  Table: Security goals of TinyJAMBU with unique nonce
  Version        Encryption  Authentication
  TinyJAMBU-128  112-bit     64-bit
  TinyJAMBU-192  168-bit     64-bit
  TinyJAMBU-256  224-bit     64-bit

  ▸ WH15 - JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU. Submission to CAESAR, 2015

  4. Step 1: Initialization
  [Figure: mode diagram; the 128-bit state is initialised from the key K and the nonce by Init.]

  5. Inside Init. (Key Setup + Nonce Setup)
  [Figure: Init. expanded into the key setup with P̂_K followed by the nonce setup, in which Nonce_0, Nonce_1 and Nonce_2 are absorbed by P_K]
  ▸ P_K, P̂_K → Keyed Permutations

  6. Step 2: Associated Data Processing
  [Figure: mode diagram; associated data blocks A_0, A_1 are absorbed with P_K after Init.]

  7. Step 3: Encryption
  [Figure: mode diagram; message blocks M_0, M_1 are processed with P̂_K to produce ciphertext blocks C_0, C_1]

  8. Step 4: Finalization
  [Figure: mode diagram; the tag T_0, T_1 (64 bits) is produced after the encryption step]

  9. The Three Variants of TinyJAMBU
  [Figure: the full mode diagram from the previous slides]

  Sizes in bits and number of rounds
  AEAD           State  Key  Nonce  Tag  P_K  P̂_K
  TinyJAMBU-128  128    128  96     64   384  1024
  TinyJAMBU-192  128    192  96     64   384  1152
  TinyJAMBU-256  128    256  96     64   384  1280

  ▸ Note: The number of rounds of P̂_K is much larger than that of P_K
  ▸ P̂_K is used in Key Setup and Encryption

  10. The Internal Permutation
  ▸ NLFSR based keyed-permutation
  ▸ Computes only a single NAND gate as a non-linear component per round
  [Figure: 128-bit NLFSR with bit positions 127, 91, 85, 70, 47 and 0 marked, one NAND gate, and feedback bit b ∈ F_2]

  11. Previous Cryptanalysis and Research Challenges

  12. Cryptanalysis Courtesy: Designers
  Strategy: Count the number of active AND gates and find the differential and linear trails with the minimum number of such active gates by MILP
  Why is this insufficient? → Fast but inaccurate
  ▸ Ignores the correlation between multiple AND gates, which can impact the probabilities of the differential or linear trails [KLT15, AEL+18]
  ▸ Designers have ignored the effect of differentials (clusters of trails), which can amplify the probabilities of the trails [AK18]
  ▸ For linear cryptanalysis, the designers only analyzed the internal permutation, assuming access to all input bits

  ▸ KLT15 - Kölbl et al. Observations on the SIMON block cipher family. CRYPTO 2015
  ▸ AEL+18 - Ashur et al. Cryptanalysis of MORUS. ASIACRYPT 2018
  ▸ AK18 - Ankele and Kölbl. Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis. SAC 2018

  13. A Note on Existing Literature on MILP Modeling
  ▸ Techniques exist to evaluate the exact probability by limiting the search space to only valid trails [SHW+15a, SHW+15b]
  What is the issue? → Accurate but too slow
  ▸ Such models involve too many variables and constraints
  ▸ Cannot be solved in practical time
  ▸ Good for verifying the validity of a given trail
  ▸ Not so efficient at finding optimal ones [SHW+15a]
  Our Motivation: Strike a good balance between efficiency and accuracy while modeling

  ▸ SHW+15a - Sun et al. Constructing mixed-integer programming models whose feasible region is exactly the set of all valid differential characteristics of SIMON. ePrint 2015
  ▸ SHW+15b - Sun et al. Extending the applicability of the mixed-integer programming technique in automatic differential cryptanalysis. ISC 2015

  15. Our Contributions

  16. Identifying Issues With Simple MILP Model
  What happens in the simple model? If there is a difference on at least one of the two input bits, the output of the AND gate has a difference with probability 2^-1 or does not with probability 2^-1.
  ▸ It considers every AND gate independently, and
  ▸ Treats every AND gate in the same way

  Table: Restrictions on the values of a and b in a·b = z when Δz = 1.
  Δa  Δb  Δz = 1 iff
  0   0   Never
  0   1   a = 1
  1   0   b = 1
  1   1   a = b
  The simple model fails to capture these restrictions.

  17. Introducing Refined Model
  [Figure: the NLFSR with bit positions 127, 91, 85, 70, 47 and 0 marked, the NAND gate, and feedback bit b ∈ F_2]
  Main Observation: The same value, as it is shifted, will enter twice in two different AND gates.

  18. The Internal State (S_127, ⋯, S_0)
  [Figure: the state with positions S_127, S_100, S_85, S_70 and S_0 marked; S_100, S_85 and S_70 are labelled (a), (b) and (c)]

  19. S_85 Enters AND Gate Twice (First: b·c)
  [Figure: AND Gate-1 computes b·c from S_85 and S_70]

  20. After 15 Rounds (Second: a·b)
  [Figure: after 15 rounds the values have shifted down 15 positions, and AND Gate-2 computes a·b, with the former S_85 value as the shared input]

  21. First Order Correlations
  [Figure: AND Gate-1 (b·c) and AND Gate-2 (a·b) sharing the value b]
  Correlation of a·b and b·c for some values a, b, c

  22. Dependency of Two AND Gates
  [Figure: Case-1 and Case-2 of a difference propagating through the two chained AND gates]
  In this scenario the Refined model
  ▸ Forces that both differences jointly propagate, or not, and
  ▸ Only counts this as a single active gate.
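  The chained-gate observation of slides 17 to 22, as an added example that is not the authors' code: a bit-level model of the NLFSR round built from the tap positions on the slide (assuming, as in the TinyJAMBU specification, that bits 70 and 85 feed the NAND gate and bits 0, 47, 91 are XOR taps), a check that the bit read at position 85 is read again at position 70 fifteen rounds later, and an exact enumeration over all (a, b, c) showing for which input-difference patterns the two gates propagate jointly rather than independently.

```python
from fractions import Fraction
from itertools import product
from math import log2

# Tap positions from the slide. ASSUMPTION (matches the TinyJAMBU spec): bits 70
# and 85 feed the single NAND gate and bits 0, 47, 91 are the XOR taps.
NAND_TAPS = (70, 85)
XOR_TAPS = (0, 47, 91)

def nlfsr_round(state, key_bit):
    """One round on a 128-entry bit list: s_i <- s_{i+1}, and the new s_127 is
    the feedback s0 ^ s47 ^ NAND(s70, s85) ^ s91 ^ key bit."""
    fb = key_bit
    for t in XOR_TAPS:
        fb ^= state[t]
    fb ^= 1 ^ (state[NAND_TAPS[0]] & state[NAND_TAPS[1]])  # the only non-linear step
    return state[1:] + [fb]

def permutation(state, key, rounds):
    """Keyed permutation P_K: `rounds` rounds, cycling through the key bits."""
    for i in range(rounds):
        state = nlfsr_round(state, key[i % len(key)])
    return state

def second_use_distance():
    """A value shifts down one position per round, so the bit read by the NAND
    gate at position 85 is read again at position 70 exactly 15 rounds later."""
    return NAND_TAPS[1] - NAND_TAPS[0]

def gate_delta(x, y, dx, dy):
    """Output difference of AND gate x*y under input differences (dx, dy)."""
    return (x & y) ^ ((x ^ dx) & (y ^ dy))

def chained_gate_stats(da, db, dc):
    """Exact probabilities over all (a, b, c) that gate ab, gate bc and both
    propagate a difference; b is the shared bit (S_85 in gate b*c, the same
    value in gate a*b 15 rounds later)."""
    n_ab = n_bc = n_both = 0
    for a, b, c in product((0, 1), repeat=3):
        x, y = gate_delta(a, b, da, db), gate_delta(b, c, db, dc)
        n_ab, n_bc, n_both = n_ab + x, n_bc + y, n_both + (x & y)
    return Fraction(n_ab, 8), Fraction(n_bc, 8), Fraction(n_both, 8)

def simple_vs_joint_weight(da, db, dc):
    """Weight (-log2 p) the simple model charges, one per active gate treated as
    an independent 2^-1 event, versus the true joint weight of both gates."""
    p_ab, p_bc, p_both = chained_gate_stats(da, db, dc)
    simple = int(p_ab > 0) + int(p_bc > 0)
    joint = None if p_both == 0 else -log2(float(p_both))
    return simple, joint
```

For the pattern with differences on a and c but none on the shared b, both gate outputs carry the same difference (the value b), so the simple model charges two active gates where the true cost is one.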

  23. The Refined Model
  ▸ It adds additional constraints on top of the simple model
  ▸ All chained AND gates are recorded

  MILP model variables:
  ▸ d_a modelizes Δa
  ▸ d_ab modelizes Δab
  ▸ γ_abc indicates if there's a correlation between the two AND gates ab and bc

  Example Recorded Chains: {(d_ab, d_a, d_b), (d_bc, d_b, d_c), ...}

  Then for all consecutive couples ((d_ab, d_a, d_b), (d_bc, d_b, d_c)) the following constraints are added:
    γ_abc = d_a d_b d_c
    d_ab − d_bc ≤ 1 − γ_abc
    d_bc − d_ab ≤ 1 − γ_abc

  Finally, subtract all values γ_abc in the objective function to only count this once, whereas the simple model would count two active gates.

  27. Differential Cryptanalysis

  25. Trail Types in TinyJAMBU Submission Doc
  ▸ Designers searched for the differential trail that has the minimum number of active AND gates in the simple model
  Type 1: Input differences only exist in the 32 MSBs. No constraint on the output.
  Type 2: No constraint on the input. Output differences only exist in the 32 MSBs.
  Type 3: Both the input and output differences only exist in the 32 MSBs.
  Type 4: No constraint.

  Designers' Claims Proven Wrong in the Refined Model
  ▸ Max. probability of the 384-round trail of Type 3 is 2^-80
  ▸ Max. probability of the 320-round characteristic of Type 4 is 2^-13

  26. Attacks for the AEAD Setting
  Forgery for TinyJAMBU Mode
  [Figure: the nonce setup, where Nonce_0, Nonce_1 and Nonce_2 are absorbed by P_K]
  ▸ Attack the nonce setup or the associated data processing
  ▸ Recall P_K → 384 Rounds
  ▸ Use Type 3 trails
  Exploiting (Δ_i ∥ 0^96) → (Δ_{i+1} ∥ 0^96) with probability p
  ▸ Also makes the case for MAC reforgeability [BC09]
  ▸ Unlike the designers, we also look at clusters of multiple trails

  ▸ BC09 - Black and Cochran. MAC reforgeability. FSE 2009

  27. Attacks for the AEAD Setting
  Observations on Full 384 Rounds
  ▸ Found contradiction for simple model
  ▸ 14 couples are correlated
  ▸ Refined model reports 88 active AND gates
  ▸ Prob. = 2^-(88−14) = 2^-74

  Input:  ΔS_127..0    01004800 00000000 00000000 00000000
          ΔS_255..128  81044c80 24080304 d9200000 22090000
          ΔS_383..256  81004082 00010200 83000010 26090240
  Output: ΔS_511..384  81004082 00000000 00000000 00000000

  103 distinct differential trails; Overall Differential Prob. = 2^-70.68
  Probability  2^-74  2^-75  2^-76  2^-77  2^-78  2^-79  2^-80
  # Trails     1      5      9      14     20     24     30
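  The two figures on this slide recomputed from the numbers it reports, as an added example that is not the authors' code: the refined-model weight of the best trail (88 active gates minus the 14 correlated couples) and the clustered differential probability obtained by summing the 103 trails in the histogram.

```python
from math import log2

# Trail histogram from the slide: weight (-log2 p) -> number of distinct trails.
TRAIL_HISTOGRAM = {74: 1, 75: 5, 76: 9, 77: 14, 78: 20, 79: 24, 80: 30}

def refined_trail_weight(active_gates, correlated_couples):
    """Refined-model weight of a trail: every active AND gate costs 2^-1, but
    each correlated couple is paid for once instead of twice."""
    return active_gates - correlated_couples

def cluster_weight(histogram):
    """Weight of the whole differential: add the probabilities of all trails
    sharing the input and output difference, then take -log2. Returns the
    weight and the total number of trails in the cluster."""
    total = sum(count * 2.0 ** -w for w, count in histogram.items())
    return -log2(total), sum(histogram.values())
```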
