Analyse de primitives symétriques (Analysis of symmetric primitives)
Pierre Karpman
Thesis prepared at Inria Saclay & Rennes, École polytechnique, and Nanyang Technological University
Supervised by Daniel Augot, Pierre-Alain Fouque and Thomas Peyrin
Palaiseau, 2016–11–18
2016–11–18 Analyse de primitives symétriques 1/53 Pierre Karpman
Outline
▸ Introduction
▸ New linear mappings for block ciphers
▸ Practical freestart collisions for the full SHA-1
▸ Conclusion
Motivating cryptography
A hierarchy of cryptographic components
A protocol (e.g. TLS) uses, among others:
▸ A key exchange algorithm (e.g. Diffie-Hellman) — “public-key” cryptography
  ▸ instantiated with a secure group (e.g. ANSSI FRP256V1)
▸ An authenticated-encryption mode of operation (e.g. GCM) — “symmetric-key” cryptography
  ▸ instantiated with a secure block cipher (e.g. the AES)
▸ A digital signature algorithm (e.g. ECDSA) — “public-key” + “symmetric-key” cryptography
  ▸ instantiated with a secure group and a secure hash function (e.g. SHA-3)
Primitive-centered crypto in a nutshell
▸ Design new primitives
  ▸ Fast, lightweight, quantum-resistant (isogeny-based, etc.), ...
▸ Analyse new proposals
▸ Analyse standards
  ▸ AES, SHA-{1,2,3}, ...
Focus of this thesis
We studied various aspects of
▸ design
▸ analysis
▸ implementation
of block ciphers and hash functions
List of publications
▸ Efficient and Provable White-Box Primitives, with Pierre-Alain Fouque, Paul Kirchner and Brice Minaud, ASIACRYPT 2016
▸ Freestart collision for full SHA-1, with Thomas Peyrin and Marc Stevens, EUROCRYPT 2016
▸ Key-Recovery Attacks on ASASA, with Patrick Derbez, Pierre-Alain Fouque and Brice Minaud, ASIACRYPT 2015
▸ From Distinguishers to Key Recovery: Improved Related-Key Attacks on Even-Mansour, ISC 2015
▸ Practical Free-Start Collision Attacks on 76-step SHA-1, with Thomas Peyrin and Marc Stevens, CRYPTO 2015
▸ Higher-Order Differential Meet-in-The-Middle Preimage Attacks on SHA-1 and BLAKE, with Thomas Espitau and Pierre-Alain Fouque, CRYPTO 2015
▸ Diffusion Matrices from Algebraic-Geometry Codes with Efficient SIMD Implementation, with Daniel Augot and Pierre-Alain Fouque, SAC 2014
Block ciphers
Block cipher: a block cipher is a mapping E : K × M → C such that for all k ∈ K, E(k, ·) is invertible and both E(k, ·) and E^{-1}(k, ·) are efficiently computable.
In most cases:
▸ M = C = {0,1}^n, n ∈ {64, 128}
▸ K = {0,1}^κ, κ ∈ {64, 80, 128, 256}
Security of block ciphers
▸ Ideal block cipher
▸ Key-recovery security
▸ Differential cryptanalysis (Biham and Shamir, 1990): exploit statistical properties of x ↦ E(k, x) ⊕ E(k, x ⊕ Δ)
Substitution-Permutation-Network block ciphers
SPN round function: R = A ∘ S
▸ S is the parallel application of s b-bit S-boxes
▸ A is an affine transformation over F_2^n, n = s × b
An SPN round function in a picture
[Figure: an n-bit input x, with n = 7 × b, is split into seven b-bit words; each word goes through an S-box S; the seven b-bit outputs are recombined into n bits and passed through the affine layer A, giving the output y.]
The wide-trail strategy (Daemen, 1995)
▸ Use structure in A and S to lower-bound the number of active S-boxes in a differential characteristic or linear approximation
▸ Introduce a notion of diffusion for a round function
▸ Canonical example: the AES (Daemen & Rijmen, 2002)
New linear mappings for block ciphers
Diffusion Matrices from Algebraic-Geometry Codes with Efficient SIMD Implementation, with Daniel Augot and Pierre-Alain Fouque, SAC 2014
The objective
▸ Find A over F_{2^b}^s with very good diffusion, with b small (i.e. 4)
A diffusion measure: the branch number (Daemen, 1995)
Let M ∈ M_s(F_{2^b}), x ∈ F_{2^b}^s, and let wt(x) be the number of non-zero coordinates of x.
The differential branch number of M is min_{x ≠ 0} (wt(x) + wt(Mx)).
The linear branch number of M is min_{x ≠ 0} (wt(x) + wt(M^t x)).
Branch number & minimal distance
▸ M ∈ M_s(F_{2^b}) has differential branch number d ⇔ [I_s | M] generates a [2s, s, d]_{F_{2^b}} code
▸ Singleton bound: d is at most s + 1; equality ⇒ MDS code, MDS matrix
▸ MDS conjecture: there is no [2s, s, s + 1]_{F_{2^b}} MDS code with 2s > 2^b
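A worked check of the two branch-number definitions and of their link to the code generated by [I_s | M], as an added example (not code from the thesis): it builds a constructed 4×4 Cauchy matrix over GF(2^4), which is MDS because every minor of a Cauchy matrix is non-zero, and finds by exhaustive search that both its differential and linear branch numbers meet the Singleton bound s + 1 = 5. The field modulus, the matrix and the function names are my own choices.

```python
import itertools

# GF(2^4) with modulus x^4 + x + 1 (b = 4, the small field the thesis targets).
MOD = 0x13

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^4)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= MOD
        b >>= 1
    return r

# Full 16x16 multiplication table so the exhaustive search below stays fast.
MUL = [[gf_mul(a, b) for b in range(16)] for a in range(16)]

def gf_inv(a):
    """Inverse by exhaustive search (the field has only 16 elements)."""
    return next(x for x in range(1, 16) if MUL[a][x] == 1)

def cauchy_matrix(s=4):
    """Constructed example: M[i][j] = 1/(a_i + b_j) with disjoint sets {a_i}, {b_j},
    so every entry is defined and every square submatrix is non-singular (MDS)."""
    a, b = list(range(s)), list(range(s, 2 * s))
    return [[gf_inv(a[i] ^ b[j]) for j in range(s)] for i in range(s)]

def mat_vec(M, x):
    """M * x over GF(2^4); addition is XOR."""
    out = []
    for row in M:
        acc = 0
        for m, xi in zip(row, x):
            acc ^= MUL[m][xi]
        out.append(acc)
    return out

def wt(v):
    return sum(1 for c in v if c)

def differential_branch_number(M):
    """min over x != 0 of wt(x) + wt(Mx). Each (x, Mx) is a codeword of the
    code generated by [I_s | M], so this is also that code's minimum distance."""
    s = len(M)
    best = 2 * s
    for x in itertools.product(range(16), repeat=s):
        if any(x):
            best = min(best, wt(x) + wt(mat_vec(M, x)))
    return best

def linear_branch_number(M):
    """Same search on the transpose, as in the second definition."""
    return differential_branch_number([list(col) for col in zip(*M)])
```

For comparison, the identity matrix scores only 2 (one active word in, one out), the worst possible value for an invertible M.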
The idea
▸ Take for A a single M with high branch number (SHARK structure, Rijmen et al., 1996)
▸ For b = 4, s ≥ 16 (block size ≥ 64), M cannot be MDS
▸ ⇒ Use algebraic-geometry codes: trade length for minimal distance (Goppa, 1981), (Tsfasman, Vlăduţ, Zink, 1982)
AG codes
AG codes as evaluation codes:
▸ Say we want an [n, k]_{F_q} code
  1. Let X be a smooth plane curve of genus g with #X(F_q) > n
  2. Inject F_q^k into L(rP), of dimension k, with P ∈ X(F_q)
  3. C(m) is the evaluation of m on n distinct points of X \ {P}
  4. For well-chosen n and k, r = k − 1 + g (Riemann, Roch) ⇒ wt(C(m ≠ 0)) ≥ n − (k − 1 + g)
▸ ⇒ the min. distance is g less than MDS, but X can be chosen s.t. #X(F_q) > q + 1
A concrete AG code
▸ Let X be the curve of equation x^5 = y^2 z^3 + y z^4 in P^2(F_{2^4})
▸ It is a maximal curve of genus 2 and has 33 points
▸ ⇒ We can define a [32, 16, 15]_{F_{2^4}} code C
▸ This gives many (up to 32!) M ∈ M_16(F_{2^4}) of differential branch number 15
▸ The dual also has min. distance 15 ⇒ M has linear branch number 15
Implementation matters
For M to be used as A in a block cipher, we need:
▸ Efficient implementations of multiplication by M ...
▸ ... that are “constant-time”, to protect against side-channel attacks
Thus we:
▸ Defined good vectorized algorithms for × M using pshufb
▸ Optimized the structure of M for faster multiplication
A cost function for × M: # pshufb
▸ Combinatorial in nature
▸ Low cost can be obtained if M is generated by a single row
Tuning M for fast implementations
▸ Idea: use the automorphisms of C to find a circulant M
▸ Result: no luck, but still got M generated by 8 rows (cost 52)
▸ Second idea: randomly sample many generating matrices (≈ 2^38)
▸ Result: found many matrices of cost 43