symsum
play

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 - PowerPoint PPT Presentation

Sep 15, 2023 •104 likes •449 views

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

  1. SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc } @cse.iitkgp.ernet.in 2 Department of Mathematics Vidyasagar University, India babu.sukhendu@gmail.com FSE 2017 Tokyo, Japan

  2. Basics SHA3 / Keccak ◮ Follows SPONGE construction ◮ Internal permutation called Keccak - f / Keccak - p ◮ Internal state ◮ Array of 5 × 5 slices ◮ Biggest size → 1600 bits ◮ Total 24 rounds ◮ 1 Round = 5 sub-operations R = ι ◦ χ ◦ π ◦ ρ ◦ θ Note: Position of ι in the round function Round-constants added at the end of a round

  3. Basics FIPS 202 ◮ SHA3 Family Fixed-Length → SHA3-224/256/384/512 XOF → SHAKE128/256 ◮ Main difference with Keccak Family: ◮ Introduction of the domain separation bits prior to 10*1 padding � M || 01 Fixed-Length Add Suffix M − − − − − − − → M || 1111 XOF

  4. Distinguishing Attacks on Keccak - f Towards exhibiting non-random behaviour

  5. Distinguishers on Keccak - f Target the Hermetic Sponge Strategy Internal permutation of Sponge based hash function should be designed such that they cannot be distinguished from a randomly-chosen permutation. ◮ Maximum results on Keccak- f during SHA-3 competition ◮ e.g., Zero-Sum, Rotational among others Particular Attention Zero-Sum Distinguisher ◮ Based on higher-order derivatives of forward/inverse rounds ◮ Only distinguisher to reach full 24-rounds ◮ Uses inside-out strategy

  6. What about distinguishers on Keccak ? Distinguishing the hash-function itself

  7. Distinguishers on Keccak Distinguishers on Keccak - f may not directly extend to Keccak ◮ Due to restrictions imposed by SPONGE ◮ e.g. Zero-Sum applies ◮ But looses number of penetrable rounds ◮ Inside-out technique invalidated Few results on distinguishers on Keccak hash function ◮ 4-round Keccak ◮ 6-round Keccak ◮ Due to Naya-Plasencia, ◮ Due to Das and Meier R¨ ock, and Meier ◮ Using low weight ◮ Based on biased output differential path bits ◮ Complexity: 2 24 ◮ Complexity: 2 52

  8. An Experiment on SHA3 Based on self-symmetry

  9. Self-Symmetry Internal State ◮ A restriction on the internal σ 2 state of Keccak - f ◮ 1600-bit State ( S ) visualized as two 800-bit Substates σ 1 ( σ 1 , σ 2 ) S = σ 1 || σ 2 ◮ σ i = 5 × 5 × 32 bits The Restriction: Equal Substates σ 1 = σ 2

  10. Self-Symmetric State An Example ◮ A self-symmetric state Table 1: A Self-Symmetric ◮ Represented in standard 62C05E2462C05E24 0934258C0934258C 49DA0D3D49DA0D3D lane × sheet format B6C808B2B6C808B2 24B83B0524B83B05 2026890020268900 ◮ Look at individual lanes 94BA023194BA0231 74F1384174F13841 ADE17841ADE17841 64010A3264010A32 8030F1308030F130 E383F57AE383F57A ◮ The first Substate is 68DD183C68DD183C 36FB572A36FB572A 120A313A120A313A highlighted Table 1: A Self-Symmetric state. σ 1 is highligted. 62C05E2462C05E24 0934258C0934258C 49DA0D3D49DA0D3D 2923A54B2923A54B 8817062C8817062C B6C808B2B6C808B2 24B83B0524B83B05 2026890020268900 738E1141738E1141 3886D76A3886D76A 94BA023194BA0231 74F1384174F13841 ADE17841ADE17841 411E023D411E023D 98C34C6798C34C67 64010A3264010A32 8030F1308030F130 E383F57AE383F57A 35388C8235388C82 61F7231161F72311 68DD183C68DD183C 36FB572A36FB572A 120A313A120A313A 1C6E105D1C6E105D B50D7CA2B50D7CA2

  11. Experiment Message Set (SHA3-512) Pad ( AddSuffix (Message)) → Self-Symmetric Internal State ◮ Single block messages 8cd812d28cd812d2 ◮ Similar to ZeroSum computation ****0*9b****0*9b 0000000000000000 ◮ But with additional restriction of 0000000000000000 preserving symmetry ◮ By construction, � Msg = 0 Msg ∈ MsgSet 4a36ea584a36ea58 8cd812d28cd812d2 88e61fc788e61fc7 f3372eaff3372eaf ea3f0b51ea3f0b51 ce168c02ce168c02 ****0*9b****0*9b b934cb9fb934cb9f 866ac262866ac262 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 Zeros at end indicate value of capacity bits

  12. Experiment 4-rounds SHA3 -512 ◮ Run SHA3 (Round-Reduced) over the Message Set ◮ Compute Output-Sum What is the nature of the Output-Sum?

  13. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Remark Output-Sum 000000000000000000000000000000000000000000000000 2 17 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000000000000000000000000

  14. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Output-Sum Remark 000000000000000000000000000000000000000000000000 2 17 000000000000000000000000000000000000000000000000 Zero-Sum 00000000000000000000000000000000 000000000000000000000000000000000000000000000000 2 16 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000001000000010000000000000000000000200000002000

  15. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Output-Sum Remark 000000000000000000000000000000000000000000000000 2 17 000000000000000000000000000000000000000000000000 Zero-Sum 00000000000000000000000000000000 000000000000000000000000000000000000000000000000 2 16 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000001000000010000000000000000000000200000002000 2 15 Symmetric-Sum 000000000000000000000000000000000000000000000000 00000000000000000000004000000040 243f4942243f4942528c98d5528c98d57300b0d17300b0d1

  16. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Remark Output-Sum 000000000000000000000000000000000000000000000000 2 17 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000000000000000000000000 2 16 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000001000000010000000000000000000000200000002000 2 15 000000000000000000000000000000000000000000000000 Symmetric-Sum 00000000000000000000004000000040 243f4942243f4942528c98d5528c98d57300b0d17300b0d1 2 14 Symmetric-Sum c0585999c0585999147b20a3147b20a3083a3900083a3900 09225588092255886302671c6302671c 81ed3fca81ed3dca15553dac15553dec25858e1125858e11

  17. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Remark Output-Sum 000000000000000000000000000000000000000000000000 2 17 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000000000000000000000000 2 16 000000000000000000000000000000000000000000000000 Zero-Sum 00000000000000000000000000000000 000001000000010000000000000000000000200000002000 2 15 Symmetric-Sum 000000000000000000000000000000000000000000000000 00000000000000000000004000000040 243f4942243f4942528c98d5528c98d57300b0d17300b0d1 2 14 c0585999c0585999147b20a3147b20a3083a3900083a3900 Symmetric-Sum 09225588092255886302671c6302671c 81ed3fca81ed3dca15553dac15553dec25858e1125858e11 2 13 Not Symmetric 11c9af8b11c9af8b509927bf5099273f9276901992679019 ca92a3d5ca9223d54ffce7974ffc6797 78f523d01479a153802f16a4c8bbb67116d502ea0495823a

  18. Experimental Results The Output-Sum Table 2: Output-Sum exhibiting self-symmetric property | MsgSet | Remark Output-Sum 000000000000000000000000000000000000000000000000 2 17 Zero-Sum 000000000000000000000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000000000000000000000000 2 16 000000000000000000000000000000000000000000000000 Zero-Sum 00000000000000000000000000000000 000001000000010000000000000000000000200000002000 2 15 Symmetric-Sum 000000000000000000000000000000000000000000000000 00000000000000000000004000000040 243f4942243f4942528c98d5528c98d57300b0d17300b0d1 2 14 c0585999c0585999147b20a3147b20a3083a3900083a3900 Symmetric-Sum 09225588092255886302671c6302671c 81ed3fca81ed3dca15553dac15553dec25858e1125858e11 2 13 Not Symmetric 11c9af8b11c9af8b509927bf5099273f9276901992679019 ca92a3d5ca9223d54ffce7974ffc6797 78f523d01479a153802f16a4c8bbb67116d502ea0495823a 2 12 Not Symmetric 71057dfbf18b25f22bba947d0ba094fd1240ee380a42df38 99eaa56698fa64e6a21ac1328138c126

  19. What to make of these results? ◮ Results ◮ Partly intuitive ◮ Partly inexplicable ◮ Definitely worth investigating (Our Motivation) First Question What is the underlying operator in the experiment? Intuition We must be computing some kind of higher order derivative. ◮ But not simple higher order derivatives (as in case of classical Zero-Sum) ◮ Recall: Multiple variables change values per call ◮ Also, the self-symmetry constraint

  20. m − fold vectorial derivatives The Operator So, What is the underlying operator? Answer: m − fold vectorial derivatives 1 ◮ Slightly different notion of higher-order derivatives ◮ Analogous to computing derivatives over a subspace ◮ Partitions the inputs variables The Experiment ≡ Computing m − fold vectorial derivatives with specially selected subspaces Specially selected subspace → Self-Symmetry constraint 1 Refer paper for mathematical form

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Abstract By representing functions of many variables as sums of separable functions, one obtains

Abstract By representing functions of many variables as sums of separable functions, one obtains

Abstract By representing functions of many variables as sums of separable functions, one obtains a method to bypass the curse of dimensionality. I will discuss efforts to develop, understand, and use this method, both in a general context and

362 views • 19 slides
Arithmetic Series (Lesson Slides) UNIT #7: Sequences and Series WARMUP Arithmetic Series

Arithmetic Series (Lesson Slides) UNIT #7: Sequences and Series WARMUP Arithmetic Series

Arithmetic Series (Lesson Slides) UNIT #7: Sequences and Series WARMUP Arithmetic Series Determine the recursion formula and explicit formula for Learning Goal: the nth term for the arithmetic sequence if the first term is I will learn how to

352 views • 3 slides
Fall 2020 Reopening Plan A Note from the Executive Director Dear NHCS Families, As I explained in

Fall 2020 Reopening Plan A Note from the Executive Director Dear NHCS Families, As I explained in

Fall 2020 Reopening Plan A Note from the Executive Director Dear NHCS Families, As I explained in my August 4th letter, we have made the difficult decision to begin the 2020-2021 school year remotely. While I know this news is hard for many,

592 views • 25 slides
A s A safegu guard f rd for or Jay Jayhaw hawk int ntegrity September 9, 2020 Co

A s A safegu guard f rd for or Jay Jayhaw hawk int ntegrity September 9, 2020 Co

A s A safegu guard f rd for or Jay Jayhaw hawk int ntegrity September 9, 2020 Co Conflict of Interest + Co Commitment Reporting Introduction Provost Barbara Bichelmeyer KU manages COI to safeguard public trust KU encourages

386 views • 26 slides
MATH 12002 - CALCULUS I 4.2: Riemann Sum Examples Professor Donald L. White Department of

MATH 12002 - CALCULUS I 4.2: Riemann Sum Examples Professor Donald L. White Department of

MATH 12002 - CALCULUS I 4.2: Riemann Sum Examples Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 7 Riemann Sums Definition Let y = f ( x ) be a function defined on

102 views • 7 slides
CSE 115 Introduction to Computer Science I Road map Review range(stop) and

CSE 115 Introduction to Computer Science I Road map Review range(stop) and

CSE 115 Introduction to Computer Science I Road map Review range(stop) and range(start, stop, step) for in Python live coding / exercise Arrays An array is a collection of variables, with related names. var x = ['zero', 'one',

572 views • 36 slides
ex Gray Codes = reflected binary codes Karnaugh Maps: find (minimal) sums of products CD gray

ex Gray Codes = reflected binary codes Karnaugh Maps: find (minimal) sums of products CD gray

But first Recall: sum of products logical sum (OR) of products (AND) 1. Basic combinational building blocks of inputs or their complements (NOT). 2. Logic for arithmetic Construct with: A B C M 1 code detector per 1-valued output

687 views • 6 slides
Algorithms and Algorithm Analysis Etymology of Algorithm Algorism = process of doing

Algorithms and Algorithm Analysis Etymology of Algorithm Algorism = process of doing

CS206 CS206 Algorithms and Algorithm Analysis Etymology of Algorithm Algorism = process of doing arithmetic using Arabic numerals. Algorithm: A clearly specified set of instructions the computer A misperception: algiros [painful] +

314 views • 4 slides
Lecture 1: Introduction to the Sum of Squares Hierarchy Lecture Outline Part I:

Lecture 1: Introduction to the Sum of Squares Hierarchy Lecture Outline Part I:

Lecture 1: Introduction to the Sum of Squares Hierarchy Lecture Outline Part I: Introduction/Motivation Part II: Planted Clique Part III: A Game for Sum of Squares (SOS) Part IV: SOS on General Equations Part V: Overview of SOS

748 views • 64 slides
Review Session CSCI 2021, Spring 2020 Structure Review Problems 1-9 with their solutions.

Review Session CSCI 2021, Spring 2020 Structure Review Problems 1-9 with their solutions.

Review Session CSCI 2021, Spring 2020 Structure Review Problems 1-9 with their solutions. Buffer Overflows main: int main(){ Address Variable Initial Value pushq %rbp char x[4]; movq%rsp, %rbp 0x108 y[0] 0x0 char y[4]; subq $16,

814 views • 21 slides
+ Design of Parallel Algorithms Bulk Synchronous Parallel A Bridging Model of Parallel

+ Design of Parallel Algorithms Bulk Synchronous Parallel A Bridging Model of Parallel

+ Design of Parallel Algorithms Bulk Synchronous Parallel A Bridging Model of Parallel Computation + Need for a Bridging Model n The RAM model has been reasonable successful for serial programming n The model provides a framework for describing

509 views • 22 slides
Strong Direct Sum for Randomized Query Complexity Eric Blais Joshua Brody University of Waterloo

Strong Direct Sum for Randomized Query Complexity Eric Blais Joshua Brody University of Waterloo

Strong Direct Sum for Randomized Query Complexity Eric Blais Joshua Brody University of Waterloo Swarthmore College Conference on Computational Complexity New Brunswick, New Jersey July 18, 2019 Outline Introduction Strong Direct

593 views • 35 slides
Maximum Contiguous Subsequence Sum Check out from SVN: MCS CSSRac Races es Finish

Maximum Contiguous Subsequence Sum Check out from SVN: MCS CSSRac Races es Finish

Maximum Contiguous Subsequence Sum Check out from SVN: MCS CSSRac Races es Finish Comparators Maximum Contiguous Subsequence Sum Problem Worktime for WA02 or Pascal? Correctness usually graded using JUnit tests Exception:

927 views • 29 slides
Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5 9 2 4 3 3 B: 3 4 5 12 14 19 28 30 34 37 40 1 / 86 Recap: Parallel Prefix Sums Recursive algorithm Recursively computes sums Use

3.11k views • 86 slides
Sum and difference formulae for sine and cosine Consider angles and with > . These

Sum and difference formulae for sine and cosine Consider angles and with > . These

Sum and difference formulae for sine and cosine Consider angles and with > . These angles identify points on the unit circle, P (cos , sin ) and Q (cos , sin ) . Elementary Functions Part 5, Trigonometry Lecture 5.1a, Sum

421 views • 7 slides
A Simple Near-Linear Pseudopolynomial Time Randomized Algorithm for Subset Sum Ce Jin , Hongxun Wu

A Simple Near-Linear Pseudopolynomial Time Randomized Algorithm for Subset Sum Ce Jin , Hongxun Wu

A Simple Near-Linear Pseudopolynomial Time Randomized Algorithm for Subset Sum Ce Jin , Hongxun Wu Tsinghua University SOSA 2019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

832 views • 58 slides
Lecture 2 expressions, variables, for loops Special thanks to CS Washington CS 142 Except where

Lecture 2 expressions, variables, for loops Special thanks to CS Washington CS 142 Except where

Lecture 2 expressions, variables, for loops Special thanks to CS Washington CS 142 Except where otherwise noted, this work is licensed under: http://creativecommons.org/licenses/by-nc-sa/3.0 Who uses Python? Python is fast enough for our

360 views • 15 slides
A Reproducible Accurate Summation Algorithm for High-Performance Computing Sylvain Collange 1 ,

A Reproducible Accurate Summation Algorithm for High-Performance Computing Sylvain Collange 1 ,

A Reproducible Accurate Summation Algorithm for High-Performance Computing Sylvain Collange 1 , David Defour 2 , Stef Graillat 4 , and Roman Iakymchuk 3 , 4 1 INRIA Centre de recherche Rennes Bretagne Atlantique 2 DALILIRMM, Universit

708 views • 33 slides
High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha

High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha

High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha Ober, Jaco A. Hofmann, Lukas Sommer, Lukas Weber, Andreas Koch Embedded Systems and Applications Group, TU Darmstadt 20.11.2019 | TU Darmstadt |

623 views • 36 slides
Sparse Prefix Sums Michael Shekelyan, Anton Digns, Johann Gamper 1 0 0 0 1 7 7 15 0 0

Sparse Prefix Sums Michael Shekelyan, Anton Digns, Johann Gamper 1 0 0 0 1 7 7 15 0 0

1 7 8 6 7 6 5 16 5 6 77 8 2 5 54 Sparse Prefix Sums Michael Shekelyan, Anton Digns, Johann Gamper 1 0 0 0 1 7 7 15 0 0 0 6 6 0 0 0 Free University of Bozen-Bolzano, Italy 7 0 0 6 13 0 0 6 7 0 5 27 34

1.2k views • 62 slides
Quantum Information Complexity and Direct Sum Dave Touchette Universit e de Montr eal QIP

Quantum Information Complexity and Direct Sum Dave Touchette Universit e de Montr eal QIP

Quantum Information Complexity and Direct Sum Dave Touchette Universit e de Montr eal QIP 2015, Sydney, Australia touchette.dave@gmail.com Quantum Information Complexity and Direct Sum QIP 2015, Sydney, Australia 1 / 19 Interactive

649 views • 25 slides
Verilog HDL:Digital Design and Modeling Chapter 2 Overview Chapter 2 Overview 2 Page 16

Verilog HDL:Digital Design and Modeling Chapter 2 Overview Chapter 2 Overview 2 Page 16

Chapter 2 Overview 1 Verilog HDL:Digital Design and Modeling Chapter 2 Overview Chapter 2 Overview 2 Page 16 //dataflow and gate with two inputs module and2 (x1, x2, z1); input x1, x2; output z1; wire x1, x2; wire z1; assign z1 = x1

679 views • 32 slides
Optimal Merging in Quantum k -xor and k -sum Algorithms Mara Naya-Plasencia, Andr

Optimal Merging in Quantum k -xor and k -sum Algorithms Mara Naya-Plasencia, Andr

Optimal Merging in Quantum k -xor and k -sum Algorithms Mara Naya-Plasencia, Andr Schrottenloher Inria, France Merging with many Solutions Quantum Merging With a Single Solution Outline Merging with many Solutions 1 Quantum Merging 2

727 views • 34 slides
Repetition Statements Recitation 02/20/2009 CS 180 Department of Computer Science, Purdue

Repetition Statements Recitation 02/20/2009 CS 180 Department of Computer Science, Purdue

Repetition Statements Recitation 02/20/2009 CS 180 Department of Computer Science, Purdue University Announcement Grades are out: Project 2, 3 Lab 2, 3, 4, 5 Project 4 is due on Feb 25 th Syntax for Three Forms of Loops

212 views • 18 slides

More recommend