rotational cryptanalysis in the presence of constants
play

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur - PowerPoint PPT Presentation

Jun 02, 2023 •383 likes •1.12k views

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

  1. Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1

  2. Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion 2

  3. ARX 3

  4. ARX • Symmetric-key designs 3

  5. ARX • Symmetric-key designs • Addition + Rotation + XOR 3

  6. ARX • Symmetric-key designs • Addition + Rotation + XOR • Differential cryptanalysis and linear cryptanalysis 3

  7. ARX • Symmetric-key designs • Addition + Rotation + XOR • Differential cryptanalysis and linear cryptanalysis • Rotational cryptanalysis 3

  8. Differences 4

  9. Differences XOR difference x ⊕ δ x E k E k y y ⊕ ∆ 4

  10. Differences Modular difference XOR difference x x ⊞ δ x ⊕ δ x E k E k E k E k y y ⊞ ∆ y y ⊕ ∆ 4

  11. Differences Modular difference Rotational difference XOR difference x x ⊞ δ x x ≪ r x ⊕ δ x E k E k E k E k E k E k y y y ≪ r y ⊞ ∆ y y ⊕ ∆ 4

  12. Rotational Cryptanalysis 5

  13. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) 5

  14. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) XOR ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r 5

  15. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) XOR ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p 5

  16. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p 6

  17. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p When r = 1 , p achieves the maximum. p = 2 − 1 . 415 6

  18. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p When r = 1 , p achieves the maximum. p = 2 − 1 . 415 Denote x ≪ 1 by ← − x for simplicity. 6

  19. Rotational Cryptanalysis Rotational Cryptanalysis (v1), [KN10] The probability that a rotational distinguisher holds for an ARX primitive is determined by the number of modular additions. Pr = (2 − 1 . 415 ) # ⊞ [KN10]: D. Khovratovich, I. Nikolic: Rotational Cryptanalysis of ARX, FSE 2010 7

  20. Rotational Cryptanalysis Rotational Cryptanalysis (v2), [KNP+15] The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. 8

  21. Rotational Cryptanalysis Rotational Cryptanalysis (v2), [KNP+15] The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r ( x ≪ r ) ⊞ ( y ≪ r ) ⊞ ( z ≪ r ) = ( x ⊞ y ⊞ z ) ≪ r [KNP+15]: D. Khovratovich, I. Nikolic, J. Pieprzyk, P. Sokolowski, R. Steinfeld: Rotational Cryptanalysis of ARX Revisited. FSE 2015 8

  22. Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion 9

  23. ARX with constants 10

  24. ARX with constants • Complete system ARX-C 10

  25. ARX with constants • Complete system ARX-C • Constants come with keys and round constants 10

  26. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r 10

  27. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r XOR with a constant ( x ≪ r ) ⊕ k 10

  28. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r XOR with a constant ( x ≪ r ) ⊕ k • Previous analyses: experiment 10

  29. Rotational cryptanalysis on ARX-C 11

  30. Rotational cryptanalysis on ARX-C x ≪ r x E k E k y y ≪ r 11

  31. Rotational cryptanalysis on ARX-C x ′ = x ≪ r x x ≪ r x E k E k E k E k y y ≪ r y y ′ ⊕ δ = y ≪ r 11

  32. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) 12

  33. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) 12

  34. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) (( a 1 , a 2 ) , γ ) -Rotational-XOR difference (RX-difference) ( x ⊕ a 1 , ( x ≪ γ ) ⊕ a 2 ) 12

  35. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) (( a 1 , a 2 ) , γ ) -Rotational-XOR difference (RX-difference) ( x ⊕ a 1 , ( x ≪ γ ) ⊕ a 2 ) equivalent to (˜ x, (˜ x ≪ γ ) ⊕ ( a 1 ≪ γ ) ⊕ a 2 ) 12

  36. Rotational-XOR difference through ARX 13

  37. Rotational-XOR difference through ARX Rotation ≪ γ x → x ≪ γ − − − ≪ γ → ← − − − − ← − x ⊕ a x ≪ γ ⊕ ( a ≪ γ ) − − − ≪ γ ⇒ ((0 , a ) , 1) → ((0 , a ≪ γ ) , 1) − − − 13

  38. Rotational-XOR difference through ARX Rotation ≪ γ x → x ≪ γ − − − ≪ γ → ← − − − − ← − x ⊕ a x ≪ γ ⊕ ( a ≪ γ ) − − − ≪ γ ⇒ ((0 , a ) , 1) → ((0 , a ≪ γ ) , 1) − − − XOR ⊕ x, y → x ⊕ y − − → ← − − − ← x ⊕ a, ← − − ⊕ y ⊕ b x ⊕ y ⊕ ( a ⊕ b ) − − ⊕ ⇒ ((0 , a ) , 1) , ((0 , b ) , 1) → ((0 , a ⊕ b ) , 1) − − 13

  39. Rotational-XOR difference through ARX Modular addition 14

  40. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 14

  41. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: 14

  42. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: x = L ( x ) R ( x ) = L 0 ( x ) R 0 ( x ) γ bits γ bits 14

  43. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← x ⊕ a 2 ) ⊞ ( ← − − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: x = L ( x ) R ( x ) = L 0 ( x ) R 0 ( x ) γ bits γ bits The addition of two variables: L ( x ) R ( x ) L ( y ) R ( y ) x one bit of carry � L ( x ) � L ( y ) � C 1 R ( x ) � R ( y ) n − γ 14

  44. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) 15

  45. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) = (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) || (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 n − γ ) ⊕ L (∆ 1 ) . 15

  46. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) = (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) || (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 n − γ ) ⊕ L (∆ 1 ) . RHS: ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 ′ ( a 2 )) ⊞ ( R ( y ) ⊕ L ′ ( b 2 )) ⊞ C 2 ′ (∆ 2 ) || = (( R ( x ) ⊕ L γ ) ⊕ L ′ ( a 2 )) ⊞ ( L ( y ) ⊕ R ′ ( b 2 ))) ⊕ R ′ (∆ 2 ) . (( L ( x ) ⊕ R 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National University of Defense Technology 1 Acknowledgement This talk is based on the joint works with: Tomer Ashur, Adrin Ranea & Glenn De Witte from

552 views • 31 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents

1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents

1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents Click on the topic to go to that section Rotational Kinematics Review Rotational Dynamics Rotational Kinetic Energy Angular Momentum

1.46k views • 130 slides
AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of

AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of

Slide 1 / 130 Slide 2 / 130 AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of Contents Click on the topic to go to that section Rotational Kinematics Review Rotational Dynamics Rotational

562 views • 54 slides
Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the

Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the

Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the Moment of Inertia Vector Product Torque Newtons 2nd Law for Rotation Homework 1 Rotational Kinetic Energy K i = 1 i = 1 2 m i v 2 2 m

538 views • 15 slides
Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass

Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass

Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass Rotational Energy Calculating Moment of Inertia Torque Rotational Dynamics Rotation About a Fixed Axis Static Equilibrium

160 views • 3 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational

Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational

Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational spectroscopy Energy states provided by sum of rotational and vibrational energy: n,J = ( n +1/2) + B J(J+1) CO spectrum

310 views • 10 slides
6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will

6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will

6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will learn About A Constants, Optical and Ultrasound How to calculate IOL Power? Which constants used in di ff erent formula? What is ELP

297 views • 25 slides
Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories

Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories

20/05/2010 20/05/2010 IHES IHES Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories involve constants These parameters cannot be determined by the theory that introduces them. These arbitrary

702 views • 52 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Constants Objectives Describe ways to create constants const readonly enum 2

Constants Objectives Describe ways to create constants const readonly enum 2

Constants Objectives Describe ways to create constants const readonly enum 2 Motivation Idea of constant is useful makes programs more readable allows more compile time error checking 3 Const Keyword const used

253 views • 23 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation

A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation

A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation Kensuke Okada 1 Shin-ichi Mayekawa 2 1 Senshu University 2 Tokyo Institute of Technology August 26 2010 Rotational indeterminacy Infinite

317 views • 19 slides
3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3

3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3

Joints = rotations Rotational DOFs are widely used in character animation 3 translational DOFs 3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3 DOF: arm representation of Orientation Translation

361 views • 10 slides
Changelog Changes made in this version not seen in fjrst lecture: 7 September 2017: slide 37:

Changelog Changes made in this version not seen in fjrst lecture: 7 September 2017: slide 37:

Changelog Changes made in this version not seen in fjrst lecture: 7 September 2017: slide 37: correct text about division speed: four-byte division is weirdly not much slower than 1-byte division on Skylake (but 64-bit division is much slower)

2.06k views • 162 slides
B.d) AES W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.96 AES (Advanced Encryption

B.d) AES W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.96 AES (Advanced Encryption

1 B.d) AES W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.96 AES (Advanced Encryption Standard) AES is a symmetric block cipher with plaintext space P = ciphertext space C = {0,1} 128 key space w K = {0,1} 128 (usual case) or

803 views • 44 slides
Database Systems IIB: DBMS-Implementation Chapter 8: Row Format Prof. Dr. Stefan Brass

Database Systems IIB: DBMS-Implementation Chapter 8: Row Format Prof. Dr. Stefan Brass

Row Format Data Format Database Systems IIB: DBMS-Implementation Chapter 8: Row Format Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Wintersemester 2019/20 http://www.informatik.uni-halle.de/brass/dbi19/ Stefan

415 views • 19 slides
Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline

Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline

Algorithms and Architecture 1 Representing and Manipulating Numbers Alexandre David 1 Outline Introduction Information storage Integer coding Basic arithmetics Hexadecimal notation Endianness Floats IEEE FP

308 views • 19 slides
Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations

Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations

Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations p. 1/19 Place Value Numerals A numeral represents a number using some notation. Normal place value numerals: each place represents a power of

235 views • 19 slides
Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various

Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various

Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various types of numbers: Integer (1234) Floating point number (12.34) Octal and hexadecimal number (0177, 0x9gff) Complex number (3.0+4.1j)

255 views • 7 slides
Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems

Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems

Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems Converting Numbers Summation and Subtraction of Binary Numbers Numerical Systems Binary (base 2) Octal (base 8) Decimal (Base 10)

560 views • 13 slides
CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse

CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse

The Big Picture Languages and Tools Lab/Assignment 1 Build machine model of execution SM213 Assembly SimpleMachine simulator CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse and get it

9.69k views • 3 slides

More recommend