a general proof framework for recent aes distinguishers
play

A General Proof Framework for Recent AES Distinguishers Christina - PowerPoint PPT Presentation

Jan 19, 2023 •30 likes •700 views

A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019 Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher

  1. A General Proof Framework for Recent AES Distinguishers Christina Boura, Anne Canteaut, Daniel Coggia Inria, Project Team SECRET, France March 27, FSE 2019

  2. Outline Definitions and the multiple-of-8 distinguisher Proof for the distinguisher Generalisation of this proof framework Adaptation to other SPN ciphers Daniel Coggia 2/ 37

  3. Definitions and the multiple-of-8 distinguisher Definitions and the multiple-of-8 distinguisher Proof for the distinguisher Generalisation of this proof framework Adaptation to other SPN ciphers Daniel Coggia 3/ 37

  4. Definitions and the multiple-of-8 distinguisher Some definitions...   x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13    ∈ F 16 x i ∈ F 2 8   2 8 x 2 x 6 x 10 x 14  x 3 x 7 x 11 x 15 Daniel Coggia 4/ 37

  5. Definitions and the multiple-of-8 distinguisher Some definitions...   x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13    ∈ F 16 x i ∈ F 2 8   2 8 x 2 x 6 x 10 x 14  x 3 x 7 x 11 x 15   0 0 0 x 0 x 1 0 0 0    ∈ C 0 Columns   0 0 0 x 2  x 3 0 0 0 Daniel Coggia 4/ 37

  6. Definitions and the multiple-of-8 distinguisher Some definitions...   x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13    ∈ F 16 x i ∈ F 2 8   2 8 x 2 x 6 x 10 x 14  x 3 x 7 x 11 x 15   0 0 0 x 0 x 1 0 0 0    ∈ C 0 Columns   0 0 0 x 2  x 3 0 0 0   0 x 0 0 y 0 I ⊆ { 0 , . . . , 3 } : C I = � 0 0 x 1 y 1 i ∈ I C i .    ∈ C { 1 , 3 }   0 x 2 0 y 2  0 x 3 0 y 3 Daniel Coggia 4/ 37

  7. Definitions and the multiple-of-8 distinguisher   x 0 0 0 0 0 0 0 x 1    ∈ D 0 Diagonals   0 0 x 2 0  0 0 0 x 3 ShiftRows D I − − − − − − → C I Daniel Coggia 5/ 37

  8. Definitions and the multiple-of-8 distinguisher   x 0 0 0 0 0 0 0 x 1    ∈ D 0 Diagonals   0 0 x 2 0  0 0 0 x 3   x 0 0 0 0 0 0 0 x 1    ∈ ID 0 Anti-diagonals   0 0 x 2 0  0 0 0 x 3 ShiftRows C I − − − − − − → ID I Daniel Coggia 5/ 37

  9. Definitions and the multiple-of-8 distinguisher   x 0 0 0 0 0 0 0 x 1    ∈ D 0 Diagonals   0 0 x 2 0  0 0 0 x 3   x 0 0 0 0 0 0 0 x 1    ∈ ID 0 Anti-diagonals   0 0 x 2 0  0 0 0 x 3   2 · x 0 x 1 x 2 3 · x 3 3 · x 2 2 · x 3 x 0 x 1    ∈ M 0 Mixed   x 0 3 · x 1 2 · x 2 x 3  3 · x 0 2 · x 1 x 2 x 3 MixColumns ID I − − − − − − − → M I Daniel Coggia 5/ 37

  10. Definitions and the multiple-of-8 distinguisher R � �� � SubBytes ShiftRows MixColumns D I − − − − − → D I − − − − − − → C I − − − − − − − → C I R � �� � SubBytes ShiftRows MixColumns C I − − − − − → C I − − − − − − → ID I − − − − − − − → M I Daniel Coggia 6/ 37

  11. Definitions and the multiple-of-8 distinguisher R � �� � SubBytes ShiftRows MixColumns D I − − − − − → D I − − − − − − → C I − − − − − − − → C I R � �� � SubBytes ShiftRows MixColumns C I − − − − − → C I − − − − − − → ID I − − − − − − − → M I k 0 k 1 k 2 k r · · · m c R 1 R 2 R r Daniel Coggia 6/ 37

  12. Definitions and the multiple-of-8 distinguisher Subspace trails Grassi, Rechberger and Rønjom, ToSC 2016 F ∀ a ∈ F 16 2 8 , ∃ b ∈ F 16 U ⇒ V if 2 8 : F ( U + a ) = V + b . F F F Daniel Coggia 7/ 37

  13. Definitions and the multiple-of-8 distinguisher Subspace trails Grassi, Rechberger and Rønjom, ToSC 2016 F ∀ a ∈ F 16 2 8 , ∃ b ∈ F 16 U ⇒ V if 2 8 : F ( U + a ) = V + b . F Examples: F ◮ { 0 } ⇒ { 0 } F F ⇒ F N ◮ U 2 8 R ◮ D I ⇒ C I R ◮ C I F ⇒ M I Daniel Coggia 7/ 37

  14. Definitions and the multiple-of-8 distinguisher The multiple-of-8 distinguisher Grassi, Rechberger and Rønjom, Eurocrypt 2017 a ∈ F 16 2 8 Daniel Coggia 8/ 37

  15. Definitions and the multiple-of-8 distinguisher The multiple-of-8 distinguisher Grassi, Rechberger and Rønjom, Eurocrypt 2017 a ∈ F 16 i ∈ { 0 , . . . , 3 } : D i 2 8 Daniel Coggia 8/ 37

  16. Definitions and the multiple-of-8 distinguisher The multiple-of-8 distinguisher Grassi, Rechberger and Rønjom, Eurocrypt 2017 a ∈ F 16 i ∈ { 0 , . . . , 3 } : D i J ⊆ { 0 , . . . , 3 } : M J 2 8 Daniel Coggia 8/ 37

  17. Definitions and the multiple-of-8 distinguisher The multiple-of-8 distinguisher Grassi, Rechberger and Rønjom, Eurocrypt 2017 a ∈ F 16 i ∈ { 0 , . . . , 3 } : D i J ⊆ { 0 , . . . , 3 } : M J 2 8 n = # { { p 0 , p 1 } with p 0 , p 1 ∈ ( D i + a ) | R 5 ( p 0 ) + R 5 ( p 1 ) ∈ M J } . Daniel Coggia 8/ 37

  18. Definitions and the multiple-of-8 distinguisher The multiple-of-8 distinguisher Grassi, Rechberger and Rønjom, Eurocrypt 2017 a ∈ F 16 i ∈ { 0 , . . . , 3 } : D i J ⊆ { 0 , . . . , 3 } : M J 2 8 n = # { { p 0 , p 1 } with p 0 , p 1 ∈ ( D i + a ) | R 5 ( p 0 ) + R 5 ( p 1 ) ∈ M J } . Then n ≡ 0 mod 8. Daniel Coggia 8/ 37

  19. Definitions and the multiple-of-8 distinguisher Our contribution starts here Questions to answer: ◮ Is the maximal branch number necessary ? ◮ Can we adapt this distinguisher to other SPN ? Daniel Coggia 9/ 37

  20. Definitions and the multiple-of-8 distinguisher Our contribution starts here Questions to answer: ◮ Is the maximal branch number necessary ? New proof ◮ Can we adapt this distinguisher to other SPN ? Daniel Coggia 9/ 37

  21. Definitions and the multiple-of-8 distinguisher Our contribution starts here Questions to answer: ◮ Is the maximal branch number necessary ? New proof ◮ Can we adapt this distinguisher to other SPN ? Adaptation of the new proof Daniel Coggia 9/ 37

  22. Proof for the distinguisher Definitions and the multiple-of-8 distinguisher Proof for the distinguisher Generalisation of this proof framework Adaptation to other SPN ciphers Daniel Coggia 10/ 37

  23. Proof for the distinguisher A key lemma Grassi, Rechberger and Rønjom, Eurocrypt 2017 2 2 � �� � � �� � R R R R D I ⇒ C I ⇒ M I D J ⇒ C J ⇒ M J Daniel Coggia 11/ 37

  24. Proof for the distinguisher A key lemma Grassi, Rechberger and Rønjom, Eurocrypt 2017 1 2 2 ���� � �� � � �� � Lemma R R R R R D I ⇒ C I ⇒ M I D J ⇒ C J ⇒ M J ��� Daniel Coggia 11/ 37

  25. Proof for the distinguisher A key lemma Grassi, Rechberger and Rønjom, Eurocrypt 2017 1 2 2 ���� � �� � � �� � Lemma R R R R R D I ⇒ C I ⇒ M I D J ⇒ C J ⇒ M J ��� Lemma Let a ∈ F 16 2 8 , I ⊂ � 0 , 3 � , J ⊆ � 0 , 3 � . We define n = # { { p 0 , p 1 } with p 0 , p 1 ∈ ( M I + a ) | R ( p 0 ) + R ( p 1 ) ∈ D J } . Then n ≡ 0 mod 8 . Daniel Coggia 11/ 37

  26. Proof for the distinguisher Step 1: equivalence relation between pairs In M 0       2 · x 0 x 1 z 2 3 · z 3 2 · y 0 y 1 z 2 3 · z 3       x 0 x 1 3 · z 2 2 · z 3 y 0 y 1 3 · z 2 2 · z 3      ,     x 0 3 · x 1 2 · z 2 z 3 y 0 3 · y 1 2 · z 2 z 3          3 · x 0 2 · x 1 z 2 z 3 3 · y 0 2 · y 1 z 2 z 3 Definition p 0 , p 1 ∈ ( M I + a ) . The information set K of the pair { p 0 , p 1 } is { k ∈ { 0 , . . . , 3 } | ∃ i ∈ I : x i , k � = y i , k } . It is K = { 0 , 1 } in the example. Daniel Coggia 12/ 37

  27. Proof for the distinguisher       2 · x 0 3 · z 3 2 · y 0 3 · z 3 x 1 z 2 y 1 z 2       x 0 x 1 3 · z 2 2 · z 3 y 0 y 1 3 · z 2 2 · z 3      ,     3 · x 1 2 · z 2 3 · y 1 2 · z 2 x 0 z 3 y 0 z 3          3 · x 0 2 · x 1 z 2 z 3 3 · y 0 2 · y 1 z 2 z 3 ∼       2 · x 0 3 · w 3 2 · y 0 3 · w 3 y 1 w 2 x 1 w 2       x 0 y 1 3 · w 2 2 · w 3 y 0 x 1 3 · w 2 2 · w 3      ,     x 0 3 · y 1 2 · w 2 w 3 y 0 3 · x 1 2 · w 2 w 3          3 · x 0 2 · y 1 w 2 w 3 3 · y 0 2 · x 1 w 2 w 3 Definition p 0 , p 1 , q 0 , q 1 ∈ ( M I + a ) , P = { p 0 , p 1 } , Q = { q 0 , q 1 } P ∼ Q if: ◮ P and Q share the same information set K . i , k = p 1 − b ◮ ∀ k ∈ K , ∃ b ∈ { 0 , 1 } : ∀ i ∈ I , q 0 i , k = p b i , k et q 1 i , k . ∼ is an equivalence relation on the pairs of ( M I + a ) . Daniel Coggia 13/ 37

  28. Proof for the distinguisher Theorem The function ∆ : { p 0 , p 1 } �− → R ( p 0 ) + R ( p 1 ) is constant on the equivalence classes of ∼ . Daniel Coggia 14/ 37

  29. Proof for the distinguisher Theorem The function ∆ : { p 0 , p 1 } �− → R ( p 0 ) + R ( p 1 ) is constant on the equivalence classes of ∼ . Proposition Let C be an equivalence class with information set K . Then # C = 2 | K |− 1 + 8 | I | ( 4 −| K | ) ≡ 0 mod 8 . Daniel Coggia 14/ 37

Recommend

General Reference Framework Draft General Reference Framework Why it is important for us ?

General Reference Framework Draft General Reference Framework Why it is important for us ?

Ljubljana Process II Rehabilitating our Common Heritage RCC TFFCS The First working meeting Cetinje, October 18 th 2011. General Reference Framework Draft General Reference Framework Why it is important for us ? To implement it

337 views • 15 slides
Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 ,

Standardization Robustness Distinguishers/Key recovery for FFX-3.1 and FEA Orr Dunkelman 1 , Abhishek Kumar 2 , Eran Lambooij 1 and Somitra Kumar Sanadhya 2 1 University of Haifa, Israel 2 IIT Ropar, India 1 / 7 ISO 3103 Figure: A broken tea cup

676 views • 12 slides
MATERIALS Am. Jur. Proof of Facts Now in third series General index provides access to

MATERIALS Am. Jur. Proof of Facts Now in third series General index provides access to

PRACTICE MATERIALS Am. Jur. Proof of Facts Now in third series General index provides access to specific articles Outlines elements of proof needed to establish claim Provides model discovery forms Concludes with

173 views • 16 slides
Why Beta Priors: Main Result and Its Proof Invariance-Based Proof (cont-d) How to Get a General

Why Beta Priors: Main Result and Its Proof Invariance-Based Proof (cont-d) How to Get a General

Formulation of the . . . Main Idea Let Us Describe This . . . Resulting Definition Why Beta Priors: Main Result and Its Proof Invariance-Based Proof (cont-d) How to Get a General . . . Explanation Acknowledgments Bibliography Olga

606 views • 15 slides
Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22

Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22

Recent Advances in Analysis of HMAC Jian Guo Nanyang Technological University, Singapore 22 Dec, ASK 2014 @ Chennai, India 1 Overview Introduction to HMAC Pollard Rho Method and Functional Graph Distinguishers, Forgeries and Key

604 views • 34 slides
Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews

Automatic Library Compilation Proof Tree Visualisation Conclusion Automatic Library Compilation and Proof Tree Visualisation for Coq Proof General Hendrik Tews Technische Universit at Dresden Third Coq Workshop, August 26, 2011 Hendrik

385 views • 16 slides
Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of

Towards cryptographic function distinguishers with evolutionary circuits Statistical testing of cryptographic function output based on genetic programming Petr venda, Martin Ukrop, Vashek Maty {svenda,xukrop,matyas}@fi.muni.cz Overview

367 views • 19 slides
Recent Development in India Recent Development in India Recent Development in India Recent

Recent Development in India Recent Development in India Recent Development in India Recent

Recent Development in India Recent Development in India Recent Development in India Recent Development in India Mr. SRIKARA PRADHAN, General Manager Mr. SRIKARA PRADHAN, General Manager INDIA GOVERNMENT MINT, MUMBAI (a unit of SPMCIL, Govt.

277 views • 9 slides
Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT

Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT

JANUARY 2014 Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT Activity Outreach IT Training HR Social Media General announcements Recent CERT Activity Sunday Monday Tuesday

671 views • 31 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6

Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers Zejun Xiang Wentao Zhang Zhenzhen Bao Dongdai Lin Institute of Information Engineering, CAS, Beijing, China December 7, 2016.

1.5k views • 74 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be

Limited-Birthday Distinguishers for Hash Functions Collisions Beyond the Birthday Bound can be Meaningful Mitsugu Iwamoto 1 , Thomas Peyrin 2 and Yu Sasaki 3 1: The University of Electro-Communications, Japan 2:Nanyang Technological University,

877 views • 20 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X.

Side-Channel Cryptanalysis Models and Dependencies New Generic Test Experiments Conclusions Generic Side-Channel Distinguishers: Improvements and Limitations N. Veyrat-Charvillon and F-X. Standaert UCL Crypto Group, Universit e catholique

355 views • 24 slides
Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie

Revealing the secrets of success Theoretical efficiency of side-channel distinguishers Annelie Heuser, Sylvain Guilley, Olivier Rioul INSTITUT MINES-TLCOM Outline Motivation State of the art New metric: success metric (SM)

1.32k views • 25 slides
n -indescribabilities in proof theory Toshiyasu Arai(Chiba) 1 In this talk let us report a

n -indescribabilities in proof theory Toshiyasu Arai(Chiba) 1 In this talk let us report a

1 n -indescribabilities in proof theory Toshiyasu Arai(Chiba) 1 In this talk let us report a recent proof-theoretic reduction on indescribable cardinals. It is shown that over ZF + ( V = L ), the existence of a 1 1 - indescribable

421 views • 24 slides
Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory Jesper Cockx DistriNet KU Leuven 3 September 2017 Unification for dependent types Unification is used for many purposes: logic programming, type

1.97k views • 151 slides
AIECE General Report November 2011 Part I: Recent Trends Brussels, 21-22 November 2011

AIECE General Report November 2011 Part I: Recent Trends Brussels, 21-22 November 2011

AIECE General Report AIECE General Report November 2011 Part I: Recent Trends Brussels, 21-22 November 2011 Presented by Rachel Whitworth National Institute of Economic and Social Research 1. Recent Developments A Summary Global

367 views • 17 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Practical proof reconstruction for first-order logic and set-theoretical constructions Cl

Practical proof reconstruction for first-order logic and set-theoretical constructions Cl

Practical proof reconstruction for first-order logic and set-theoretical constructions Cl ement Hurlin January 25, 2007 Outline 1 Introduction Two different worlds Proof reconstruction General procedure Targeted languages 2 Quantifier

1.02k views • 43 slides
Improving the Performance of Cancer Services: p g A Framework and Recent Ontario Experience

Improving the Performance of Cancer Services: p g A Framework and Recent Ontario Experience

Improving the Performance of Cancer Services: p g A Framework and Recent Ontario Experience Terrence Sullivan President and CEO C Cancer Care Ontario C O i Canada Planning: Newly diagnosed cancers by LHIN: 2007, 2012, 2017 2 More

196 views • 16 slides
A Robust Machine Code Proof Framework for Highly Secure Applications David Hardin Advanced

A Robust Machine Code Proof Framework for Highly Secure Applications David Hardin Advanced

A Robust Machine Code Proof Framework for Highly Secure Applications David Hardin Advanced Technology Center Rockwell Collins Eric Smith Stanford University Bill Young University of Texas at Austin UNCLASSIFIED SLIDE 1 Overview Overview

552 views • 27 slides

More recommend