some cryptanalytic results on triad
play

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, - PowerPoint PPT Presentation

Dec 22, 2022 •343 likes •1.1k views

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu) Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium

  1. Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu)

  2. Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium -like ciphers Our Contribution Conclusion

  4. ◮ Call for Lightweight Cryptographic Algorithms

  5. ◮ Call for Lightweight Cryptographic Algorithms ◮ Total 56 candidates selected for Round 1

  6. ◮ Call for Lightweight Cryptographic Algorithms ◮ Total 56 candidates selected for Round 1 ◮ TRIAD [2] is one of them

  7. TRIAD Family 4 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data

  8. TRIAD Family 4 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data ◮ TRIAD-HASH follows the extended sponge based construction

  9. TRIAD Family 5 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data ◮ TRIAD-HASH follows the extended sponge based construction

  10. TRIAD adopts Trivium -like Structure

  11. TRIAD - AE Vs Trivium

  12. TRIAD - AE Vs Trivium State size 256 bits 288 bits

  13. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits

  14. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits

  15. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits Initialization 1024 round 1152 round

  16. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits Initialization 1024 round 1152 round Type AEAD - AEAD - Authenticated encryption with associated data

  17. Attacks on Trivium -like ciphers

  18. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009

  19. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key

  20. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack

  21. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack ◮ Cube attacks are closely related to higher order differential attacks

  22. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack ◮ Cube attacks are closely related to higher order differential attacks ◮ Cube attacks use algebraic rather than statistical techniques to find the secret key

  23. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009

  24. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction

  25. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario

  26. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario ◮ Cube testers are based on efficient testing properties

  27. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario ◮ Cube testers are based on efficient testing properties Distinguisher Non-randomness (control over the public variables only) (control over the public and private variables both)

  28. Structure of TRIAD-AE 11 z t = f ( K, IV ), where f is a Boolean function

  29. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2

  30. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly

  31. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly ◮ { n 1 , n 2 } involved in term are referred as cube variables

  32. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly ◮ { n 1 , n 2 } involved in term are referred as cube variables ◮ Observe � f ( · ) = k 3 + 1 = superpoly { n 1 ,n 2 }∈ F 2 2

  33. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient

  34. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2

  35. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks

  36. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation?

  37. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation? Answer: It is a hard problem.

  38. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation? Answer: It is a hard problem. Since after sufficient no. of rounds, a well-designed stream cipher has complicated expression

  39. Our Contribution

  40. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE

  41. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE ◮ We provide a method to search good cube

  42. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE ◮ We provide a method to search good cube ◮ We observe some cubes in the reduced version of the cipher

  43. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by 1 Non-linear feedback shift registers

  44. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by A t = ( a t , a t − 1 , . . . , a t − n A +1 ) , B t = ( b t , b t − 1 , . . . , b t − n B +1 ) , C t = ( c t , c t − 1 , . . . , c t − n C +1 ) . And the corresponding feedback functions are given by a t = c t − i 1 · c t − i 2 ⊕ l A ( s ( t − 1) ) , b t = a t − j 1 · a t − j 2 ⊕ b t − j 3 · c t − j 3 ⊕ l B ( s ( t − 1) ) , c t = b t − k 1 · b t − k 2 ⊕ l C ( s ( t − 1) ) , 1 Non-linear feedback shift registers

  45. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by A t = ( a t , a t − 1 , . . . , a t − n A +1 ) , B t = ( b t , b t − 1 , . . . , b t − n B +1 ) , C t = ( c t , c t − 1 , . . . , c t − n C +1 ) . And the corresponding feedback functions are given by a t = c t − i 1 · c t − i 2 ⊕ l A ( s ( t − 1) ) , b t = a t − j 1 · a t − j 2 ⊕ b t − j 3 · c t − j 3 ⊕ l B ( s ( t − 1) ) , c t = b t − k 1 · b t − k 2 ⊕ l C ( s ( t − 1) ) , where 1 ≤ j 1 < j 2 < n A and j 2 < j 3 < n B = n C . 1 Non-linear feedback shift registers

  46. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max

  47. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max ◮ Handle 4 different cases for clock t ◮ ( t − j 1 ) ≤ 0

  48. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max ◮ Handle 4 different cases for clock t ◮ ( t − j 1 ) ≤ 0 ◮ 1 + j 1 ≤ t ≤ j 2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup projects better and more cost-effective. Case: Complementary laboratory (ICP, etc) and field XRF analysis Drs Ben Keet

411 views • 30 slides
Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF, Lausanne Invited Talk to ASK 2019 14th December 2019 Outline Introduction Sprout (FSE15) Previous Work Attack by Esgin/Kara (SAC 2015)

597 views • 46 slides
Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki

Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki

T-79.514 Special Course on Cryptology September 30, 2004 Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki University of Technology mjos@tcs.hut.fi T.79-514 Markku-Juhani O. Saarinen 1 Terminology

646 views • 35 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los Alamos National Laboratory STILTS you Or why LANL doesnt use HSM nt wo Brad Settlemyer May 22, 2019 Managed by Triad National Security, LLC for

246 views • 7 slides
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic Techniques Summer school 2007 1

706 views • 57 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack Square Attack D.

305 views • 16 slides
The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on

784 views • 55 slides
6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be combined in the same learning situation without risking divergence? (circle three) (a) eligibility traces (b) bootstrapping (c) sample backups (d)

146 views • 14 slides
eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait

eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait

eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait Example design problem When chatting with A and C, 1. Visibility A C how does B not highlight the forbidden triad? B 2. Visibility B hears

508 views • 13 slides
Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an ARM and a Leg Latincrypt 2017, 21st September 2017 1/19 Thom Wiggers Outline Introduction Building a cheap cluster The Cortex-A53 Breaking ECC

741 views • 70 slides
Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer

Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer

Multiple NewMITM Dissection Summary Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer Science Department University of Haifa 4th July, 2013 Orr Dunkelman Multiple Encryption 1/ 35 Multiple

1.49k views • 110 slides
A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg Michael Hutter Mark E. Marson Possible path for post-quantum security Error-correcting codes Quantum computers may threaten the mathematical

892 views • 66 slides
Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya

Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya

Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya Mironov 13 1 Google, 2 Northeastern, 3 Facebook Solve For W Given: Given: Given: CAT Our Question: Given query access to a neural network,

1.8k views • 122 slides
he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los Alamos National Laboratory LA-UR-19-24811 Understanding Storage System Challenges you for Parallel Scientific Simulations nt wo Brad Settlemyer

624 views • 27 slides
Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic

Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic

Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic course contents: Fundamental cryptography and its applications in constructing secure information infrastructure:

459 views • 12 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic

G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic

AFRICACRYPT 2010 STIAS Stellenbosch Stellenbosch South Africa G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic crypto device in designed in South Africa designed in South Africa Keeloq: A simple

659 views • 61 slides
CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An

CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An

CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An Analysis The height of the BTree determines maximum number of ____________ possible in search data. and the height of the structure is:

916 views • 16 slides
CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch

CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch

CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles Has Hashi hing ng Has Hashi hing ng Goals: We want to define a keyspace , a (mathematical)

658 views • 17 slides
Lessons Learned with Cassandra &amp; Spark_ Matthias Niehoff Apache: Big Data 2017

Lessons Learned with Cassandra &amp; Spark_ Matthias Niehoff Apache: Big Data 2017

Lessons Learned with Cassandra &amp; Spark_ Matthias Niehoff Apache: Big Data 2017 @matthiasniehoff 1 @codecentric Our Use Cases_ join read write join read write Lessons Learned with Cassandra Data modeling: Primary key_ Primary

1.26k views • 47 slides
NoSQL Databases Amir H. Payberah payberah@kth.se 03/09/2019 The Course Web Page

NoSQL Databases Amir H. Payberah payberah@kth.se 03/09/2019 The Course Web Page

NoSQL Databases Amir H. Payberah payberah@kth.se 03/09/2019 The Course Web Page https://id2221kth.github.io 1 / 89 Where Are We? 2 / 89 Database and Database Management System Database: an organized collection of data. Database

1.91k views • 136 slides

More recommend