trail bound techniques in primitives with weak alignment
play

Trail Bound Techniques in Primitives with Weak Alignment Silvia - PowerPoint PPT Presentation

Jan 23, 2023 •143 likes •644 views

Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work with Joan Daemen 2 and Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University APBC 2018 Outline 1 Differential trails 2 Tree search 3 Bounds in

  1. Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work with Joan Daemen 2 and Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University APBC 2018

  2. Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  3. Differential trails Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  4. Differential trails Differential trails in iterated mappings

  5. Differential trails Differential trails and weight w = − log 2 ( DP )

  6. Differential trails Trail extension

  7. Differential trails Trail extension

  8. Differential trails Trail extension

  9. Differential trails Trail extension

  10. Differential trails Trail cores min min

  11. Differential trails Bounding the weight of trails ◮ We restrict to trail cores... ◮ ...up to a given target weight T ◮ We start from 2-round trail cores and then extend min min

  12. Tree search Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  13. Tree search Definition Set U of units with a total order relation ≺ Tree ◮ Node: subset of U , represented as a unit list a = ( u i ) i =1 ,..., n u 1 ≺ u 2 ≺ · · · ≺ u n ◮ Children of a node a : a ∪ { u n +1 } ∀ u n +1 : u n ≺ u n +1 ◮ Root: the empty set a = ∅

  14. Tree search Bounding the cost Goal: tree traversal up to given cost target T Cost-related functions ◮ Cost function: γ ( a ) (e.g. w rev ( a ) + w dir ( a )) ◮ Cost bounding function: L ( a ) s.t. for all descendants a ′ of a γ ( a ′ ) ≥ L ( a ) ⇒ Prune all the subtrees with L ( a ) > T

  15. Tree search Example: active bit positions

  16. Bounds in Keccak - f Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  17. Bounds in Keccak - f Keccak - f Keccak - f Operates on 3D state: Round function with 5 steps: ◮ θ : mixing layer ◮ ρ : inter-slice bit transposition ◮ π : intra-slice bit transposition ◮ χ : non-linear layer state y ◮ ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x ◮ 12 rounds in Keccak - f [25] ◮ (5 × 5)-bit slices ◮ 24 rounds in Keccak - f [1600] ◮ 2 ℓ -bit lanes ◮ parameter 0 ≤ ℓ < 7 [Bertoni, Daemen, Peeters, Van Assche, 2008]

  18. Bounds in Keccak - f Keccak - f Properties of θ + = column parity θ e ff ect combine ◮ The θ map adds a pattern, that depends on the parity, to each plane. ◮ Affected columns are complemented ◮ Unaffected columns are not changed

  19. Bounds in Keccak - f Keccak - f The parity Kernel + = column parity θ effect combine ◮ θ acts as the identity if parity is zero ◮ A state with parity zero is in the kernel (or in | K | ) ◮ A state with parity non-zero is outside the kernel (or in | N | )

  20. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  21. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  22. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  23. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 6-round trail cores Lemma A 6-round trail of weight W always contains a 3-round trail of � W � weight below or equal to 2

  24. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Space split based on parity of a i ◮ Four classes: | K | K | , | K | N | , | N | K | and | N | N |

  25. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 1 , b 1 ) ◮ Extending forward by one round

  26. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 1 , b 1 ) ◮ Extending forward by one round

  27. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 2 , b 2 ) ◮ Extending backward by one round

  28. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 2 , b 2 ) ◮ Extending backward by one round

  29. Bounds in Keccak - f Generating trail cores in | K | Orbitals ◮ orbital = [ z , x , y 1 , y 2 ] 2 1 0 -1 -2 y

  30. Bounds in Keccak - f Generating trail cores in | K | Orbitals (continued) ◮ y ′ 1 > y 2 2 1 0 -1 -2 y

  31. Bounds in Keccak - f Generating trail cores in | K | Generating trail cores in | K | ◮ Root: the empty state ◮ Units: orbitals = [ z , x , y 1 , y 2 ] ◮ Bound: cost of the node itself

  32. Bounds in Keccak - f Generating trail cores in | N | Parity-bare states Parity-bare state: a state with the minimum number of active bits before and after θ for a given parity ◮ 0 active bits in unaffected even columns ◮ 1 active bit in unaffected odd column ◮ 5 active bits in affected column either before or after θ θ

  33. Bounds in Keccak - f Generating trail cores in | N | States in | N | Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ

  34. Bounds in Keccak - f Generating trail cores in | N | States in | N | Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ

  35. Bounds in Keccak - f Generating trail cores in | N | Orbital tree ◮ Root: a parity-bare state ◮ Units: orbitals in unaffected columns ◮ Bound: cost of the trail itself

  36. Bounds in Keccak - f Generating trail cores in | N | Run tree ◮ Root: the empty state ◮ Units: column assignments (x, z, odd/affected, column value) ◮ Bound: cost minus potential loss due to new CAs

  37. Bounds in Keccak - f Extending trails Trail extension

  38. Bounds in Keccak - f Extending trails Tree-search on affine space ◮ Affine space: o + � b 1 , . . . , b m � � a = o + α j b j j ◮ Unit set U = { b 1 , . . . , b m } ◮ Root: a = o ◮ Node: a = ( b i ) : α i = 1 ◮ Define L ( a ) to take advantage of stable active bits

  39. Experimental results Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  40. Experimental results Experimental results ◮ All 3-round trail cores with weight ≤ 45 10 4 Keccak - f [200] Keccak - f [400] 10 3 Keccak - f [800] # cores Keccak - f [1600] 10 2 10 1 20 22 24 26 28 30 32 34 36 38 40 42 44 T 3 ◮ No 6-round trail with weight ≤ 91

  41. Experimental results Trails for parity profile | K | K | | K | N | 10 4 10 4 10 3 10 3 # cores # cores 10 2 10 2 10 10 1 1 20 22 24 26 28 30 32 34 36 38 40 42 44 28 30 32 34 36 38 40 42 44 T 3 T 3 | N | K | | N | N | 10 4 10 3 10 3 10 2 # cores # cores 10 2 10 10 1 1 27 29 31 33 35 37 39 41 43 45 38 39 40 41 42 43 44 45 T 3 T 3

  42. Experimental results Bounds rounds b = 200 b = 400 b = 800 b = 1600 2 8 8 8 8 3 20 24 32 32 4 46 [48,63] [48,104] [48,134] 5 [50,89] [50,147] [50,247] [50,372] 6 [92,142] [92,278] [92,556] [92,1112] [276, · ] [280, · ] [292, · ] [368, · ] n r

  43. Symmetry properties Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  44. Symmetry properties Invariance by translation or rotation E.g., in Keccak - f , w ( τ z a ) = w ( a ) for any translation τ z along z

  45. Symmetry properties Canonicity Canonical representation ◮ Define an order relation on states ◮ Define the canonical representation as the minimum one, e.g., a canonical ⇔ a = min τ z a z

  46. Symmetry properties Tree search restricted to canonical representations Reminder ◮ Set U of units with a total order relation ≺ ◮ Unit list: a = ( u i ) i =1 ,..., n with u 1 ≺ u 2 ≺ · · · ≺ u n Lemma Assuming that ◮ ≺ lex is the lexicographic order on unit lists ◮ canonicity is defined w.r.t. ≺ lex then the parent of a canonical pattern is canonical. ⇒ Complete non-canonical subtrees can be pruned [Mella, Daemen, Van Assche, FSE 2017]

  47. Symmetry properties Testing for canonicity Basic algorithm ◮ Input: unit list a = ( u i ) i =1 ,..., n ◮ For each i ◮ Transform a such that τ ( u i ) is ≺ -minimum ◮ Sort the resulting unit list ◮ Compare it (using ≺ lex ) to the currently minimum unit list ◮ Output: canonical representation (or just true/false)

  48. Conclusions Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT New alignment Existing Hamblen gravel Elem School trail PUBLIC PRESENTATIONS Initial presentation to adjacent property owners in late

505 views • 24 slides
Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT New alignment Existing Hamblen gravel Elem School trail COMPREHENSIVE PLAN Spokane features three major transportation pathways or

696 views • 25 slides
PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY

PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY

PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY FEATURES DESIGN CONCEPTS January 20, 2016 1 m e n g n t l i A T a i l r NM 313 R S E L A R R TRAIL ALIGNMENT O C 6 5 5

364 views • 8 slides
1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no denial of service during transient network partitions - supports massive

319 views • 8 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder + Chair Ludlam Trail Im a neighbor! Biscayne Trail Ludlam Trail Southern Glades Trail The Underline Amelia Trail South Dade Greenway

516 views • 20 slides
Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder + Chair Ludlam Trail Im a neighbor! Biscayne Trail Ludlam Trail Southern Glades Trail The Underline Amelia Trail South Dade Greenway

563 views • 17 slides
E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context

E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context

E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context Supporting Plans Parks, Recreation &amp; Culture Master Plan (2004) Regional District of Nanaimo Regional Parks &amp; Trails Plan (2005) PRC

584 views • 30 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth

Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth

Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth Proposed Campus Connector Trail Campus Connector Trail Alignment Options North Star East Academy High UMD Ordean East CSS Congdon 2016

538 views • 17 slides
Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project

Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project

Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project Location Trail Alignment Making Connections Trail Signage Making Connections Trail Access Making Connections Project History &amp;

231 views • 9 slides
To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people, that by all means I might save some. I do it all for the sake of the gosepl, that I might share with them in its blessing. Do you not know that in

652 views • 40 slides
The Probabilistic Method Techniques Union bound Argument from expectation Alterations The

The Probabilistic Method Techniques Union bound Argument from expectation Alterations The

The Probabilistic Method Techniques Union bound Argument from expectation Alterations The second moment method The (Lovasz) Local Lemma And much more Alon and Spencer, The Probabilistic Method Bolobas, Random Graphs Hung Q.

258 views • 9 slides
I NTENT ? Are you looking to build a trail or challenge? Do you have a trail

I NTENT ? Are you looking to build a trail or challenge? Do you have a trail

P OSITIONING YOUR T RAIL TO MAXIMIZE THE ECONOMIC IMPACT Michelle Clement Director of Destination Development Projects, ROOST I NTENT ? Are you looking to build a trail or challenge? Do you have a trail you want to

433 views • 17 slides
3.3 Index Access Scheduling Given: index scans over m lists L i (i=1..m), with current

3.3 Index Access Scheduling Given: index scans over m lists L i (i=1..m), with current

3.3 Index Access Scheduling Given: index scans over m lists L i (i=1..m), with current positions pos i score predictors for score(pos) and pos(score) for each L i selectivity predictors for document d L i current top-k queue T

643 views • 37 slides
PROGRAMMING IN PARALLAXIS THOMAS BRUNL Overview Definition of the Parallaxis programming

PROGRAMMING IN PARALLAXIS THOMAS BRUNL Overview Definition of the Parallaxis programming

University of Stuttgart Institute for Parallel and Distributed High Performance Systems (IPVR) Computer Vision Group Breitwiesenstrae 20 22 D-70565 Stuttgart, Germany PROGRAMMING IN PARALLAXIS THOMAS BRUNL Overview Definition of

763 views • 49 slides
Vorlesung Datenstrukturen und Algorithmen Letzte Vorlesung 2018 Felix Friedrich, 30.5.2018

Vorlesung Datenstrukturen und Algorithmen Letzte Vorlesung 2018 Felix Friedrich, 30.5.2018

Vorlesung Datenstrukturen und Algorithmen Letzte Vorlesung 2018 Felix Friedrich, 30.5.2018 Map/Reduce Sorting Networks Prfung 1 MAP AND REDUCE AND MAP/REDUCE 2 Summing a Vector Accumulator Divide and conquer + + + + + + + + +

853 views • 69 slides
Sorting (Chapter 9) Alexandre David B2-206 Sorting Problem Arrange an unordered collection of

Sorting (Chapter 9) Alexandre David B2-206 Sorting Problem Arrange an unordered collection of

Sorting (Chapter 9) Alexandre David B2-206 Sorting Problem Arrange an unordered collection of elements into monotonically increasing (or decreasing) order. Let S = &lt;a 1 ,a 2 ,,a n &gt;. Sort S into S = &lt;a 1 ,a 2 ,,a n

426 views • 40 slides
r

r

r t rst Ptr rr

1.62k views • 103 slides
The Problem MDMDP(V): Multi-Dimensional Mechanism Design Problem for class V Revenue

The Problem MDMDP(V): Multi-Dimensional Mechanism Design Problem for class V Revenue

The Problem MDMDP(V): Multi-Dimensional Mechanism Design Problem for class V Revenue maximization approximation Single buyer, single seller Buyers values drawn from a distribution New Hardness of Approximation Results Hard

574 views • 4 slides
Recursive Regularization for Large-scale Classification with Hierarchical and Graphical

Recursive Regularization for Large-scale Classification with Hierarchical and Graphical

Motivation Related Work Proposed Model Optimization Experiments Recursive Regularization for Large-scale Classification with Hierarchical and Graphical Dependencies Siddharth Gopal Yiming Yang Carnegie Mellon Univeristy 12th Aug 2013

569 views • 53 slides
General Game Playing in AI Research and Education Michael Thielscher GGP in AI Research &amp;

General Game Playing in AI Research and Education Michael Thielscher GGP in AI Research &amp;

General Game Playing in AI Research and Education Michael Thielscher GGP in AI Research &amp; Education What is General Game Playing (GGP)? The Many Facets of GGP Research The Potential for GGP in AI Teaching General Game Playing

1.06k views • 60 slides

More recommend