rasta
play

Rasta A cipher with low ANDdepth and few ANDs per bit Christoph - PowerPoint PPT Presentation

Oct 21, 2023 •1.02k likes •1.52k views

Rasta A cipher with low ANDdepth and few ANDs per bit Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger Crypto 2018 Rasta Motivation 1 / 26 Rasta

  1. Rasta A cipher with low ANDdepth and few ANDs per bit Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger Crypto 2018

  2. Rasta Motivation 1 / 26

  3. Rasta Motivation Several designs minimize number of multiplications FLIP [MJSC16] Kreyvium [CCFLNPS16] LowMC [ARSTZ15] MiMC [AGRRT16] New optimization goals enable/require new design strategies 2 / 26

  4. Rasta Motivation FLIP 25 Kreyvium LowMC 20 ANDdepth 15 10 5 0 2 4 8 16 32 64 128 256 512 1024 ANDs per bit 3 / 26

  5. Rasta Motivation FLIP 25 Kreyvium LowMC 20 ANDdepth Rasta 15 10 5 0 2 4 8 16 32 64 128 256 512 1024 ANDs per bit 3 / 26

  6. Rasta Challenges 4 / 26

  7. Rasta Challenges for Rasta How to minimize ANDdepth and ANDs per bit at the same time? Especially low ANDdepth seems challenging How to analyze the outcome? 5 / 26

  8. Rasta Why do we have a high ANDdepth? I K Function O 6 / 26

  9. Rasta Why do we have a high ANDdepth? I K O 6 / 26

  10. Rasta Why do we have a high ANDdepth? Evaluated for varying inputs Part of the input potentially public Need high algebraic degree (ANDdepth) for protection Against higher-order differentials, cube-like attacks, ... O 1 = I 1 K 1 K 3 + I 2 I 3 K 4 + I 1 I 2 K 2 + I 1 I 2 + I 4 K 1 + K 2 O 1 = I 1 I 2 ( K 2 + 1 ) + I 1 K 1 K 3 + I 2 I 3 K 4 + I 4 K 1 + K 2 7 / 26

  11. Rasta Why do we have a high ANDdepth? Evaluated for varying inputs Part of the input potentially public Need high algebraic degree (ANDdepth) for protection Against higher-order differentials, cube-like attacks, ... O 1 = I 1 K 1 K 3 + I 2 I 3 K 4 + I 1 I 2 K 2 + I 1 I 2 + I 4 K 1 + K 2 O 1 = I 1 I 2 ( K 2 + 1 ) + I 1 K 1 K 3 + I 2 I 3 K 4 + I 4 K 1 + K 2 7 / 26

  12. Rasta The Design 8 / 26

  13. Rasta Rasta Stream cipher based on family of public permutations P N , i Each permutation evaluated once Different permutations to generate key stream Choice of permutation depends solely on public parameters Public nonce N Block counter i K K P N ,1 P N ,2 · · · key stream 9 / 26

  14. Rasta Rasta public N , i XOF · · · key-dependent · · · ⊕ A 0 , N , i A 1 , N , i A r , N , i K N , i K S S S Seed extendable output function (XOF) with public values “Randomly” generates invertible matrices M j , N , i “Randomly” generates round constants c j , N , i To get affine layer A j , N , i ( x ) = M j , N , i · x ⊕ c j , N , i Use of χ [Dae95] as non-linear function S 10 / 26

  15. Rasta Rasta public N , i XOF · · · key-dependent · · · ⊕ A 0 , N , i A 1 , N , i A r , N , i K N , i K S S S High-level idea to make relevant computations of the cipher independent of the key was first used in Flip [MJSC16] XOF does not influence relevant AND metric 10 / 26

  16. Rasta Design Rationale Changing affine layers against Differential and impossible-differential attacks Cube and higher-order differential attacks Integral attacks Block size, key size ≫ security level against Attacks based on linear approximations Attacks targeting polynomial system of equations 11 / 26

  17. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  18. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  19. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  20. Rasta The Road to Rasta 13 / 26

  21. Rasta Linear approximations Bound probability that good approximations exist M 0 M 1 M 2 M 3 M 4 S S S S � �� � � �� � P 1 P 2 14 / 26

  22. Rasta Probability of good approximations 0 log 2 ( probability ) − 200 − 400 128-bit, r = 2 128-bit, r = 4 − 600 128-bit, r = 6 0 256 512 768 1024 1536 key/block size k (bits) 15 / 26

  23. Rasta Solving non-linear multivariate polynomial equations General problem of solving non-linear systems of m equations with k unknowns Limiting the degree limits possible number of different monomials Increase k to prevent trivial linearization 16 / 26

  24. Rasta Maximum number of different monomials log 2 ( maximum different monomials ) 400 depth r = 6 depth r = 5 depth r = 4 300 depth r = 3 depth r = 2 200 100 0 128 256 512 1024 2048 4096 key and block size k (bits) 17 / 26

  25. Rasta Instances of Rasta Security level Rounds 2 3 4 5 6 2 21 . 2 2 12 80-bit 327 327 219 2 33 . 2 2 18 128-bit 1 877 525 351 2 65 . 2 2 34 2 18 . 8 256-bit 3 545 703 18 / 26

  26. Rasta The Road to Agrasta (Cryptanalysis) 19 / 26

  27. Rasta Cryptanalysis SAT solver Exhaustive search performs better for more than 1 round Experiments with toy versions No obvious outliers Various dedicated attacks For various versions of SAS Variants of 2-round Rasta where block size ≈ security level Variants of 3-round Rasta where block size ≈ security level 20 / 26

  28. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  29. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  30. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  31. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  32. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  33. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  34. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  35. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  36. Rasta Cryptanalysis of instances with 80-bit security Rasta 6 5 rounds r 4 3 2 1 80 128 256 512 key and block size k (bits) 22 / 26

  37. Rasta Cryptanalysis of instances with 80-bit security Rasta 6 Agrasta 5 rounds r 4 3 2 1 80 128 256 512 key and block size k (bits) 22 / 26

  38. Rasta Agrasta: More agressive parameters Security level Rounds Block size 80-bit 4 81 128-bit 4 129 256-bit 5 257 23 / 26

  39. Rasta Conclusion 24 / 26

  40. Rasta Conclusion Rasta: conservative, based on bounds and arguments Agrasta: more aggressive, based on attacks New design approach Even conservative versions competitive in benchmark (HElib) Huge gap between known attacks and bounds 25 / 26

  41. Rasta Bibliography I [AGRRT16] M. R. Albrecht, L. Grassi, C. Rechberger, A. Roy, and T. Tiessen MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity ASIACRYPT 2016 [ARSTZ15] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, and M. Zohner Ciphers for MPC and FHE EUROCRYPT 2015 [CCFLNPS16] A. Canteaut, S. Carpov, C. Fontaine, T. Lepoint, M. Naya-Plasencia, P. Paillier, and R. Sirdey Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression FSE 2016

  42. Rasta Bibliography II [Dae95] J. Daemen, Cipher and hash function design – Strategies based on linear and differential cryptanalysis, http://jda.noekeon.org/JDA_Thesis_1995.pdf , PhD thesis, Katholieke Universiteit Leuven, 1995. [MJSC16] P. M´ eaux, A. Journault, F.-X. Standaert, and C. Carlet Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts EUROCRYPT 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Some Notes on the Psychoacoustics and Signal Processing of RASTA-PLP Analysis of Speech Jrg

Some Notes on the Psychoacoustics and Signal Processing of RASTA-PLP Analysis of Speech Jrg

Wire Communication Laboratory - University of Patras Some Notes on the Psychoacoustics and Signal Processing of RASTA-PLP Analysis of Speech Jrg Buchholz Introduction Reflection Masking Model RASTA-PLP Processing RASTA

170 views • 15 slides
Rasta Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander,

Rasta Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander,

Rasta Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Florian Mendel, Christian Rechberger September 8, 2017 Rasta Motivation Design cipher with low ANDdepth and few ANDs per bit Remove huge

401 views • 39 slides
Mendels lows GE02: day 1 part 2 Yurii Aulchenko Erasmus MC Rotterdam Gregor J. Mendel (1822

Mendels lows GE02: day 1 part 2 Yurii Aulchenko Erasmus MC Rotterdam Gregor J. Mendel (1822

Mendels lows GE02: day 1 part 2 Yurii Aulchenko Erasmus MC Rotterdam Gregor J. Mendel (1822 1884) 1865: talk on Experiments on Plants Hybridisation at two meetings of the Natural History Society of Brunn Mendel, G., 1866,

202 views • 17 slides
Past 10-15 kya of human evolution -Transition: from hunter-gatherers to agriculture -Population

Past 10-15 kya of human evolution -Transition: from hunter-gatherers to agriculture -Population

Past 10-15 kya of human evolution -Transition: from hunter-gatherers to agriculture -Population size went from millions to billions -Began living in socially-stratified sedentary populations 1 Past 10-15 kya of human evolution Sedentism: living

490 views • 19 slides
Generalized linear models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring

Generalized linear models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring

Generalized linear models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring 2013 Christopher F Baum (BC / DIW) Generalized linear models Boston College, Spring 2013 1 / 25 Introduction to generalized linear models

521 views • 25 slides
Marriage Age, Social Status and Intergenerational Effects in Uganda Naveen Sunder UNU-WIDER

Marriage Age, Social Status and Intergenerational Effects in Uganda Naveen Sunder UNU-WIDER

Introduction Data & Methodology Results Conclusions Marriage Age, Social Status and Intergenerational Effects in Uganda Naveen Sunder UNU-WIDER Human Capital and Growth Conference June 7, 2016 Naveen Sunder | Marriage Age, Social Status

419 views • 20 slides
Analysis of AES, SKINNY, and Others with Constraint Programming Siwei Sun 1 , 4 David Gerault 2

Analysis of AES, SKINNY, and Others with Constraint Programming Siwei Sun 1 , 4 David Gerault 2

Analysis of AES, SKINNY, and Others with Constraint Programming Siwei Sun 1 , 4 David Gerault 2 Pascal Lafourcade 2 Qianqian Yang 1 , 4 Yosuke Todo 3 Kexin Qiao 1 , 4 Lei Hu 1 , 4 1 Institute of Information Engineering, Chinese Academy of Sciences,

512 views • 36 slides
ASCON AUTHENTICATED ENCRYPTION AND HASHING Christoph Dobraunig, Maria Eichlseder, Florian Mendel,

ASCON AUTHENTICATED ENCRYPTION AND HASHING Christoph Dobraunig, Maria Eichlseder, Florian Mendel,

ASCON AUTHENTICATED ENCRYPTION AND HASHING Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schlffer ASCON TEAM Christoph Dobraunig Maria Eichlseder Florian Mendel Martin Schlffer CAESAR Goal: Select portfolio

891 views • 31 slides
Null Hypothesis Significance Testing Gallery of Tests 18.05 Spring 2014 Jeremy Orloff and Jonathan

Null Hypothesis Significance Testing Gallery of Tests 18.05 Spring 2014 Jeremy Orloff and Jonathan

Null Hypothesis Significance Testing Gallery of Tests 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom General pattern of NHST You are interested in whether to reject H 0 in favor of H A . Design: Design experiment to collect data relevant to

299 views • 16 slides
From Processing Reduction to Interval . . . Interval-Valued Fuzzy Data Need for Type-2 Fuzzy . .

From Processing Reduction to Interval . . . Interval-Valued Fuzzy Data Need for Type-2 Fuzzy . .

Why Data Processing . . . From Probabilistic to . . . Main Problem of . . . Need to Process Fuzzy . . . From Processing Reduction to Interval . . . Interval-Valued Fuzzy Data Need for Type-2 Fuzzy . . . Towards Fast . . . to General Type-2:

811 views • 36 slides
The Laws underlying causes phenomena of Physics scientific and the & mechanisms quest [

The Laws underlying causes phenomena of Physics scientific and the & mechanisms quest [

CiS Manchester, 2014 The Laws underlying causes phenomena of Physics scientific and the & mechanisms quest [ eg: sun /moon /stars] Reliability of God Prof David Watts , University of Manchester, UK Overview "Why does the

122 views • 8 slides
CONCEPTS OF LOGICAL AI John McCarthy Computer Science Department Stanford University Stanford,

CONCEPTS OF LOGICAL AI John McCarthy Computer Science Department Stanford University Stanford,

CONCEPTS OF LOGICAL AI John McCarthy Computer Science Department Stanford University Stanford, CA 94305 jmc@cs.stanford.edu http://www-formal.stanford.edu/jmc/ 1999 Dec 18, 11:24 a.m. Abstract Logical AI involves representing knowledge of

465 views • 24 slides
Promoting Student Metacognition ARTICLE in CBE LIFE SCIENCES EDUCATION JUNE 2012 Impact Factor:

Promoting Student Metacognition ARTICLE in CBE LIFE SCIENCES EDUCATION JUNE 2012 Impact Factor:

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/225186579 Promoting Student Metacognition ARTICLE in CBE LIFE SCIENCES EDUCATION JUNE 2012 Impact Factor: 1.89 DOI:

357 views • 9 slides
Probabilistic Inductive Logic Programming Fabrizio Riguzzi Department of Mathematics and Computer

Probabilistic Inductive Logic Programming Fabrizio Riguzzi Department of Mathematics and Computer

Probabilistic Inductive Logic Programming Fabrizio Riguzzi Department of Mathematics and Computer Science University of Ferrara, Italy fabrizio.riguzzi@unife.it F. Riguzzi (UNIFE) PILP-ECAI20 1 / 129 Outline 1 Probabilistic Logic

1.75k views • 129 slides
Specifying Strategies for Exercises Bastiaan Heeren 1 Johan Jeuring 1 , 2 Arthur van Leeuwen 2 Alex

Specifying Strategies for Exercises Bastiaan Heeren 1 Johan Jeuring 1 , 2 Arthur van Leeuwen 2 Alex

Specifying Strategies for Exercises Bastiaan Heeren 1 Johan Jeuring 1 , 2 Arthur van Leeuwen 2 Alex gerdes 1 1 Open Universiteit Nederland 2 Universiteit Utrecht, The Netherlands July 30, 2008 (MKM08) Birmingham Heeren, Jeuring et al.

427 views • 32 slides
Biology FEST: Faculty Explora.ons in Scien.fic Teaching Biology FEST

Biology FEST: Faculty Explora.ons in Scien.fic Teaching Biology FEST

Biology FEST: Faculty Explora.ons in Scien.fic Teaching Biology FEST Luncheon Workshop #2 Tuesday, March 19th 12:30-2 pm Exploring Classroom Assessment and

347 views • 11 slides
Medical Cyber-Physical Systems On the Research Challenges for the Safe Interconnection of Medical

Medical Cyber-Physical Systems On the Research Challenges for the Safe Interconnection of Medical

Medical Cyber-Physical Systems On the Research Challenges for the Safe Interconnection of Medical Devices Franziska Khn 1 , 2 Martin Leucker 1 Daniel Thoma 1 {kuehn, leucker, thoma}@isp.uni-luebeck.de 1 Institute for Software Engineering and

737 views • 58 slides
NDAL`s Research Activities and the State of Biological Research in Turkey A. Nazl Baak

NDAL`s Research Activities and the State of Biological Research in Turkey A. Nazl Baak

NDAL`s Research Activities and the State of Biological Research in Turkey A. Nazl Baak Boazii University Department of Molecular Biology and Genetics Neurodegeneration Research Laboratory Outline Part I Research Interests of

608 views • 33 slides
Learning Objectives Compounding Sterile Preparations 1. To challenge current practices in your

Learning Objectives Compounding Sterile Preparations 1. To challenge current practices in your

10/4/2014 Learning Objectives Compounding Sterile Preparations 1. To challenge current practices in your sterile preparations areas by becoming aware of Learning from Past Mistakes to recent compounding errors in the USA that have resulted in

300 views • 8 slides
Assessing and Communicating Adverse Events Following Immunization (AEFIs) Dr Aye Mya Chan Thar

Assessing and Communicating Adverse Events Following Immunization (AEFIs) Dr Aye Mya Chan Thar

Assessing and Communicating Adverse Events Following Immunization (AEFIs) Dr Aye Mya Chan Thar Assistant Director/Deputy Programme Manager (EPI) Ministry of Health and Sports, Myanmar The 7 th Asian Vaccine Conference (2019) September 13-15,

498 views • 35 slides
Time series vs. point processes for space-time surveillance in public health ohle 1 , 2 Thais

Time series vs. point processes for space-time surveillance in public health ohle 1 , 2 Thais

Motivation Case Study Temporal Monitoring Spatio-temporal Monitoring Discussion References Time series vs. point processes for space-time surveillance in public health ohle 1 , 2 Thais Correa 3 Michael H 1 Department of Statistics,

1.07k views • 28 slides
Outline in CNS Infections Infections of the Brain Infections of the Spine Brian

Outline in CNS Infections Infections of the Brain Infections of the Spine Brian

2/21/19 Update Outline in CNS Infections Infections of the Brain Infections of the Spine Brian Schwartz, MD Division of Infectious Diseases, UCSF Outline Infections of the Brain Infections of the Spine 1 2/21/19 Case

623 views • 15 slides
What is a Knowledge Representation? COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk

What is a Knowledge Representation? COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk

What is a Knowledge Representation? COMP34512 Sebastian Brandt brandt@cs.manchester.ac.uk (slides by Bijan Parsia bparsia@cs.man.ac.uk) Tuesday, 25 February 2014 Where are we? 2 Tuesday, 25 February 2014 Where are we? Weve been

828 views • 53 slides
EARN or LEARN It is worth reminding parents and students that there is a policy being adopted by

EARN or LEARN It is worth reminding parents and students that there is a policy being adopted by

Issue 01 Feb. 13, 2004 THOUGHT FOR THE DAY WELCOME TO SCHOOL - 2004 No doubt the holidays would have left you with some indelible memories. However, here we are once again, facing the future and looking forward to brighter prospects for the

220 views • 4 slides

More recommend