Analysis of reduced-SHAvite-3-256 v2 - Marine Minier, María Naya-Plasencia, Thomas Peyrin (PowerPoint PPT presentation)

1. Analysis of reduced-SHAvite-3-256 v2
Intro | The SHAvite-3-256 Hash Function | Rebound | Chosen-Related-Salt Dist. | Conclusion
Marine Minier (1), María Naya-Plasencia (2), Thomas Peyrin (3)
(1) Université de Lyon, INRIA, INSA Lyon, France; (2) FHNW, Switzerland; (3) Nanyang Technological University, Singapore
FSE 2011
M. Minier, M. Naya-Plasencia, T. Peyrin 1 / 15

2. Outline
Introduction
The SHAvite-3-256 Hash Function
Rebound and Super-Sbox Analysis of SHAvite-3-256
Chosen-Related-Salt Distinguishers
    7-round Distinguisher with 2^7 computations
    8-round Distinguisher with 2^25 computations
Conclusion

3. Hash functions and the SHA3 competition
◮ Due to attacks against MD5 and the SHA family, NIST launched the SHA-3 competition. Among the phase 2 finalists: SHAvite-3
◮ Previous analysis on SHAvite-3-512 [Gauravaram et al. 10]: chosen-counter chosen-salt preimage attack on the full compression function
◮ In this talk, we give a first analysis of SHAvite-3-256, which is an AES-based proposal
◮ Our analysis is based on: rebound attack, Super-Sbox cryptanalysis, chosen related salt

4. General Overview of SHAvite-3-256
◮ SHAvite-3-256 = 256-bit version of SHAvite-3, based on the HAIFA framework [Biham - Dunkelman 06]
    The message M is padded and split into 512-bit message blocks M_0 ‖ M_1 ‖ ... ‖ M_{ℓ-1}
    compression function C256 with a 256-bit internal state:
        h_0 = IV
        h_i = C256(h_{i-1}, M_{i-1}, salt, cnt)
        hash = trunc_n(h_i)
◮ C256 consists of a 256-bit block cipher E256 used in classical Davies-Meyer mode:
        h_i = C256(h_{i-1}, M_{i-1}, salt, cnt) = h_{i-1} ⊕ E256_{M_{i-1} ‖ salt ‖ cnt}(h_{i-1})

5. The block cipher E256
◮ 12 rounds of a Feistel scheme
◮ h_{i-1} = (A_0, B_0); the i-th round (i = 0, ..., 11) is:
    [Figure: (A_i, B_i) → (A_{i+1}, B_{i+1}); the round function applies AESr three times to one branch, with the subkeys k0_i, k1_i and k2_i inserted between the AESr calls]
◮ AESr is an unkeyed AES round: SubBytes (SB), ShiftRows (ShR) and MixColumns (MC)
◮ k0_i, k1_i and k2_i are 128-bit local keys generated by the message expansion
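To make slides 4 and 5 concrete, here is an added Python model (not code from the slides or from the SHAvite-3 submission) of one Feistel round of E256, built from three unkeyed AES rounds with the 128-bit subkeys XORed in, and of the Davies-Meyer feed-forward of C256. It assumes that each subkey is XORed into the right branch just before its AESr, and it takes the 36 subkeys as input instead of running the message expansion.

```python
# Added example (not code from the slides or from the SHAvite-3 submission): a minimal
# model of the E256 round structure and the Davies-Meyer feed-forward described above.
# Assumed (not stated on the slides): each subkey is XORed into the right branch just
# before its AESr (k0_i, k1_i, k2_i in turn); the subkeys are given, not expanded from M.

def gf_mul(a, b):                        # GF(2^8) multiplication with the AES polynomial
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _build_sbox():                       # AES S-box from its definition: inverse, then affine map
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):               # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4), then ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def mix_column(a):                       # MixColumns on one 4-byte column
    return bytes([gf_mul(a[i], 2) ^ gf_mul(a[(i + 1) % 4], 3) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4]
                  for i in range(4)])

def aesr(state):                         # AESr: SubBytes, ShiftRows, MixColumns; no key added
    s = [SBOX[b] for b in state]                                          # 16 bytes, column-major
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]   # row r rotated left by r
    return b"".join(mix_column(s[4 * c:4 * c + 4]) for c in range(4))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_round(A, B, k0, k1, k2):     # (A_i, B_i) -> (A_{i+1}, B_{i+1}) = (B_i, A_i ^ F(B_i))
    t = aesr(xor(aesr(xor(aesr(xor(B, k0)), k1)), k2))
    return B, xor(A, t)

def e256(h, subkeys):                    # 12 Feistel rounds; subkeys[i] = (k0_i, k1_i, k2_i)
    A, B = h[:16], h[16:]
    for k0, k1, k2 in subkeys:
        A, B = feistel_round(A, B, k0, k1, k2)
    return A + B

def compress(h_prev, subkeys):           # Davies-Meyer: h_i = h_{i-1} ^ E256(h_{i-1})
    return xor(h_prev, e256(h_prev, subkeys))
```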

6. The message expansion of C256: key schedule of E256
◮ Inputs:
        M_i: 16 32-bit words (m_0, m_1, ..., m_15)
        salt: 8 32-bit words (s_0, s_1, ..., s_7)
        cnt: 2 32-bit words (cnt_0, cnt_1)
◮ Outputs: 36 128-bit subkeys k^j_i used at round i
        k0_0, k1_0, k2_0 and k0_1 are initialized with the m_i
◮ Process (4 times):
        4 parallel AES rounds (key first)
        2 linear layers L1 and L2
    [Figure: the subkeys k0_0 ... k2_3 in the order they are produced; the four parallel AES rounds are keyed with the salt words (s_0, s_1, s_2, s_3) and (s_4, s_5, s_6, s_7), cnt[0] and cnt[1] are injected, and the linear layers L1 and L2 sit between the AES steps]

7. Super-Sbox Analysis of SHAvite-3-256 (1/2)
The cryptanalyst tool 1: the truncated differential path
    the trail D → 1 → C → F happens with probability 2^-24
    [Figure: the active-byte patterns D, 1, C and F of the four successive states]
The cryptanalyst tool 2: the freedom degrees and the Super-Sbox
◮ Rebound attack on 2 AES rounds: local meet-in-the-middle-like technique; the freedom degrees are consumed in the middle part of the differential
◮ Super-Sbox on 3 AES rounds: complexity max{2^32, k} computations and 2^32 memory for k solutions
◮ Both methods find on average one solution per operation

9. Super-Sbox Analysis of SHAvite-3-256 (2/2)
◮ 7-round distinguisher in 2^48 computations and 2^32 memory (vs. 2^64 computations for the ideal case)
    [Figure: the 7-round differential path, with the two Super-Sbox parts and the 2^-24 transitions marked on the rounds]
◮ 1st and 6th rounds: 2^-48 to find a valid pair when ∆ is fixed
◮ Middle part (3rd and 4th rounds): fix ∆, then using the Super-Sbox find 2^32 valid 128-bit pairs for the 4th round; do the same for the 3rd round

10. Chosen-Related-Salt Distinguishers

11. 7-round Distinguisher with 2^7 computations (1/2)
    [Figure: the message expansion with the difference ∆1 in the salt words (s_0, s_1, s_2, s_3), the four parallel AES rounds, the first and second linear layers, and the resulting subkey differences (∆ = 0, ∆1 ... ∆8, ∆̃1, or ∆ = ? where unknown)]
◮ Principle: up to the initial transform, ∆1 = ∆(s_0, s_1, s_2, s_3) = ∆(m_0, m_1, m_2, m_3) = ∆(m_8, m_9, m_10, m_11)
◮ Cancel the subkeys in rounds 2, 3 and 4
◮ Distinguisher: find a valid pair that verifies the path for rounds 5, 6 and 7
◮ Rebound: begin at round 5 by fixing the differences ∆2 and ∆3

12. 7-round Distinguisher with 2^7 computations (2/2)
    [Figure: the subkey differences entering each of the eight rounds (∆1 ... ∆8, 0, or ? for the unknown differences of the eighth round)]
◮ 5th round: try 2^6 values of B_4 ⊕ k0_4 column by column to find a match; it will fix k1_4
◮ 6th round: do the same with B_5 ⊕ k0_5 and k1_5
◮ Final step: fix ∆1 and k0_5 to fix all the other values
◮ Total cost: 2 × 2^6 = 2^7 operations

13. 8-round Distinguisher with 2^25 computations (1/2)
◮ Add an 8th round by canceling the differences in round 7
◮ Do rounds 5 and 6 as previously: ∆2, ∆3, B_4 ⊕ k0_4, k1_4, B_5 ⊕ k0_5 and k1_5 are fixed
◮ Start by fixing the differences in the 7th round column by column
    [Figure: rounds 4, 5 and 6 of the path, from (A_4, B_4) to (A_7, B_7), each made of three AES rounds, with the subkey differences ∆(k2_4) = ∆3, ∆(k1_4) = ∆(k0_4) = ∆2, ∆(k2_5) = ∆3 and ∆ = 0 marked on the Feistel branches]
    Relations between the values:
        (B_6)_i ⇒ (A_5)_i = (B_4)_i ⇒ (k0_4)_i
        (k0_4)_i ⇒ (k0_5)_{i+1} ⇒ (k1_6)_{i+1}
        (k0_4)_2 ⇒ (k0_5)_3 ⇒ (k1_6)_3 = (k1_5)_3 ⊕ (k0_6)_0

14. 8-round Distinguisher with 2^25 computations (2/2)
Overall complexity: 2^25 computations
Requirements for verifying the path: ∆(k0_6)_i compatible with ∆(X)_i, and MC(∆(X)_i) ⊕ ∆(k1_6)_i compatible with ∆(k2_6)_i
    [Figure: the three AES rounds (SubBytes, ShiftRows, MixColumns) of the 7th round, with the diagonals of B_6 numbered 1 to 4, the known differences (∆ known) around k0_6, k1_6 and k2_6, the intermediate state X, the relation C_4 = f(C_1) between columns in the second AES round, and ∆ = 0 at the output of the third]
◮ Test 2^24 values for the 2nd diagonal (B_6*)_1: 2^13 of them make the path possible
◮ Do the same for the 3rd diagonal: 2^12 values of (B_6*)_1 and (B_6*)_2 together are valid
◮ For each solution, find the 2^20 compatible values of (B_6*)_3 and (B_6*)_0
◮ Test the linear relation between (k1_6)_0 and (k1_6)_3
