revisiting division property based cube attacks key
play

Revisiting Division Property Based Cube Attacks: Key-Recovery or - PowerPoint PPT Presentation

Apr 12, 2023 •141 likes •734 views

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

  1. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  2. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Outline 1 Introduction 2 Motivations and Contributions 3 Preliminaries 4 Our Main Idea 5 Main Results . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  3. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results 1 Introduction 2 Motivations and Contributions 3 Preliminaries 4 Our Main Idea 5 Main Results . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  4. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Cube Attacks The output bit z is a tweakable Boolean function f on secret key variables and IV variables, i.e., z = f ( x , v ). For a given public variable set I = { v i 1 , v i 2 , . . . , v i d } , f could be rewritten as f ( x , v ) = t I · p I ( x , v \ I ) ⊕ q ( x , v ) . - t I = ∏ d j =1 v i j - q is the sum of terms that miss at least one variable in I The basic idea of cube attacks p I ( x , v \ I ) = ⊕ 2 f ( x , v ) ( v i 1 ,v i 2 ,...,v id ) ∈ F d - variables in I are called cube variables, the remaining variables in v are called non-cube variables - linear space C I spanned by cube variables is called a cube - p I ( x , v \ I ) is called the superpoly of I in f . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  5. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Cube Attacks The output bit z is a tweakable Boolean function f on secret key variables and IV variables, i.e., z = f ( x , v ). For a given public variable set I = { v i 1 , v i 2 , . . . , v i d } , f could be rewritten as f ( x , v ) = t I · p I ( x , v \ I ) ⊕ q ( x , v ) . - t I = ∏ d j =1 v i j - q is the sum of terms that miss at least one variable in I The basic idea of cube attacks p I ( x , v \ I ) = ⊕ 2 f ( x , v ) ( v i 1 ,v i 2 ,...,v id ) ∈ F d - variables in I are called cube variables, the remaining variables in v are called non-cube variables - linear space C I spanned by cube variables is called a cube - p I ( x , v \ I ) is called the superpoly of I in f . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  6. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Cube Attacks The output bit z is a tweakable Boolean function f on secret key variables and IV variables, i.e., z = f ( x , v ). For a given public variable set I = { v i 1 , v i 2 , . . . , v i d } , f could be rewritten as f ( x , v ) = t I · p I ( x , v \ I ) ⊕ q ( x , v ) . - t I = ∏ d j =1 v i j - q is the sum of terms that miss at least one variable in I The basic idea of cube attacks p I ( x , v \ I ) = ⊕ 2 f ( x , v ) ( v i 1 ,v i 2 ,...,v id ) ∈ F d - variables in I are called cube variables, the remaining variables in v are called non-cube variables - linear space C I spanned by cube variables is called a cube - p I ( x , v \ I ) is called the superpoly of I in f . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  7. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Cube Attacks and Cube Testers Off-line phase - independent of the secret key - find some useful superpolies to recover the secret key on-line phase - solve a system of equations derived from previously found superpolies under the real key cube testers Finding superpolies which could be distinguished from random polynomial, such as 0-constant polynomial(called zero-sum distinguishers). . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  8. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Cube Attacks and Cube Testers Off-line phase - independent of the secret key - find some useful superpolies to recover the secret key on-line phase - solve a system of equations derived from previously found superpolies under the real key cube testers Finding superpolies which could be distinguished from random polynomial, such as 0-constant polynomial(called zero-sum distinguishers). . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  9. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Division Property Based Cube Attacks Originally, linearity tests are applied to find linear superpolies in cube attacks; Complexity: c × 2 | I | , where I is a set of cube variables; | I | is confined to around 40; At CRYPTO 2017, Y. Todo et al applied the division property to cube attacks for the first time. Division property is used to analyse the algebraic normal form(ANF) of the output bit f ( x , v ). Cubes with large sizes could be used. . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  10. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Division Property Based Cube Attacks Originally, linearity tests are applied to find linear superpolies in cube attacks; Complexity: c × 2 | I | , where I is a set of cube variables; | I | is confined to around 40; At CRYPTO 2017, Y. Todo et al applied the division property to cube attacks for the first time. Division property is used to analyse the algebraic normal form(ANF) of the output bit f ( x , v ). Cubes with large sizes could be used. . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  11. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Development of the Division Property Division property, as a generalization of the integral property, was first proposed at EUROCRYPT 2015. At FSE 2016, bit-based division property was proposed to investigate integral characteristics for bit-based block ciphers. At ASIACRYPT 2016, Xiang et al. combine mixed integer linear programming (MILP) methods with division property. With the aid of MILP, bit-based division property could be applied widely. · · · . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  12. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Development of the Division Property Division property, as a generalization of the integral property, was first proposed at EUROCRYPT 2015. At FSE 2016, bit-based division property was proposed to investigate integral characteristics for bit-based block ciphers. At ASIACRYPT 2016, Xiang et al. combine mixed integer linear programming (MILP) methods with division property. With the aid of MILP, bit-based division property could be applied widely. · · · . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  13. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Development of the Division Property Division property, as a generalization of the integral property, was first proposed at EUROCRYPT 2015. At FSE 2016, bit-based division property was proposed to investigate integral characteristics for bit-based block ciphers. At ASIACRYPT 2016, Xiang et al. combine mixed integer linear programming (MILP) methods with division property. With the aid of MILP, bit-based division property could be applied widely. · · · . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

  14. Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results The Development of the Division Property Based Cube Attacks At CRYPTO 2017, Y. Todo et al. proposed the division property based cube attacks. Soon after proposing division property based cube attacks, Y. Todo et al.: Considering the effect of non-cube variables which are set to 0 At CRYPTO 2018, by proposing some new techniques, Wang et al. improved the division property based cube attacks. - Flag technique - Degree Evaluation Method - Precise/Relaxed Term Enumeration . . . . . . Chen-Dong Ye and Tian Tian Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Universit de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring Attack 3.

697 views • 40 slides
Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu , Jingchun Yang, Wenhao Wang, Dongdai Lin Eurocrypt 2018 May 2 2018, Tel Aviv, Israel 1/25 Algebraic Degree and Security of Cryptosystems Tweakable Boolean

360 views • 32 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Revisiting Pollution and Property Rights: A Christian Libertarian Perspective Presented at the

Revisiting Pollution and Property Rights: A Christian Libertarian Perspective Presented at the

Revisiting Pollution and Property Rights: A Christian Libertarian Perspective Presented at the 2017 Annual American Scientific Affiliation Conference Colorado School of Mines, Golden, CO July 29, 2017 Points of Departure 1. Complexity Theory

434 views • 11 slides
Division of Property Assessments August 21, 2018 Division of Property Assessments Jaclyn

Division of Property Assessments August 21, 2018 Division of Property Assessments Jaclyn

Presented by: Division of Property Assessments August 21, 2018 Division of Property Assessments Jaclyn Harding, Assistant Director Bryan Kinsey, AAS, Assistant Director Overview of Division of Property Assessments The Property Tax Process

533 views • 37 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

1.03k views • 72 slides
The Bolzano property and the cube-like complexes Przemys law Tkacz and Marian Turza nski

The Bolzano property and the cube-like complexes Przemys law Tkacz and Marian Turza nski

The Bolzano property and the cube-like complexes Przemys law Tkacz and Marian Turza nski Cardnial Stefan Wyszy nski University Warsaw, Poland Introduction Theorem (Bolzano 1817) If a continuous f : [ a , b ] R and f ( a ) f ( b

700 views • 38 slides
Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016.

1.5k views • 74 slides
Recent works on orbital angular momentum Masashi Wakamatsu , Osaka University Transversity

Recent works on orbital angular momentum Masashi Wakamatsu , Osaka University Transversity

Recent works on orbital angular momentum Masashi Wakamatsu , Osaka University Transversity 2011, September, 2011, Veli Losinj, Croatia Plan of Talk 1. Introduction 2. Model-independent complete decomposition of the nucleon spin 3.

717 views • 46 slides
t tts

t tts

t tts r ss rts s P

614 views • 27 slides
cse 311: foundations of computing Fall 2015 Lecture 5: Canonical forms and predicate logic

cse 311: foundations of computing Fall 2015 Lecture 5: Canonical forms and predicate logic

cse 311: foundations of computing Fall 2015 Lecture 5: Canonical forms and predicate logic administrivia Hom omewor ork k #1 #1 Due Today at 11:59pm Your Gradescope login is your UW or CSE email address Homework #2 will be posted today and

439 views • 22 slides
Lecture 2: Introduction to Crossed Products and More 1129 July 2016 Examples of Actions

Lecture 2: Introduction to Crossed Products and More 1129 July 2016 Examples of Actions

The Second Summer School on Operator Algebras and Noncommutative Geometry 2016 East China Normal University, Shanghai Lecture 2: Introduction to Crossed Products and More 1129 July 2016 Examples of Actions Lecture 1 (11 July 2016): Group

247 views • 7 slides
Topic: SQAK: Doing More with Keywords Speaker: YINGJING YAN Why SQAK? Todays

Topic: SQAK: Doing More with Keywords Speaker: YINGJING YAN Why SQAK? Todays

Topic: SQAK: Doing More with Keywords Speaker: YINGJING YAN Why SQAK? Todays enterprise databases are large and complex, o=en rela>ng hundreds of en>>es.

1.38k views • 88 slides
CS 4518 Mobile and Ubiquitous Computing Lecture 19: ActivPass & Sandra Emmanuel Agu

CS 4518 Mobile and Ubiquitous Computing Lecture 19: ActivPass & Sandra Emmanuel Agu

CS 4518 Mobile and Ubiquitous Computing Lecture 19: ActivPass & Sandra Emmanuel Agu Announcement Final Project Pitches Remember: Thursday (3/2) and Friday (3/3) this week ActivPass ActivPass S. Dandapat, S Pradhan, B Mitra, R

428 views • 31 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Gamification & Energy Efficiency

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Gamification & Energy Efficiency

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Gamification & Energy Efficiency Emmanuel Agu Urbanopoly The Problem: Curated Datasets Location-based recommendations excellent E.g. Best pizza spot near me, ratings pictures

636 views • 45 slides
State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY

State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY

State Machine for GPRS MM READY timer expiry or GPRS Attach Force to STANDBY IDLE IDLE READY READY STANDBY STANDBY GPRS Detach, PDU transmission RAU Reject or GPRS Attach Reject (a) MS MM States for GPRS (a) MS MM States for GPRS

1.51k views • 11 slides

More recommend