collision spectrum entropy loss t sponges and
play

Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of - PowerPoint PPT Presentation

Apr 17, 2023 •249 likes •1.12k views

Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 L eo Perrin Dmitry Khovratovitch firstname.lastname@uni.lu University of Luxembourg March 3, 2014 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum,

  1. Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 L´ eo Perrin Dmitry Khovratovitch firstname.lastname@uni.lu University of Luxembourg March 3, 2014 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 1 / 21

  2. Random functions What happens when a random function is used to update the internal state of a cryptographic primitive? Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 2 / 21

  3. Random functions What happens when a random function is used to update the internal state of a cryptographic primitive? Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 2 / 21

  4. Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 3 / 21

  5. Plan Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 3 / 21

  6. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  7. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  8. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  9. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  10. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 • ... Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  11. Random Functions Statistics Flajolet and Odlyzko (89), on a random functions g : S → S : $ • Distribution of the preimages sizes for a ← S : $ ← S ] = e − 1 / k ! P [ g ( x ) = a has k solutions for a • (Expected) size of iterated image: | g i ( S ) | ≈ |S| i / 2 � π |S| • (Expected) cycle and tail length: 8 • ... For functions chosen uniformly at random among all the functions from S to itself (random mappings). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 4 / 21

  12. Using state shrinking/presence of trees • Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov et. al. 01). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 5 / 21

  13. Using state shrinking/presence of trees • Trees and output shrinking used to attack A5/1 (Golic 97, Biryukov et. al. 01). • Shrinking of the state space of mickey observed by Hong and Kim (05), studied by R¨ ock (08). Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 5 / 21

  14. Plan Known Results CPS and Iterated (Pre)-Images Applications to Cryptography Application to gluon -64 Conclusion Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 6 / 21

  15. Collision Probability Spectrum ( cps ) Definition (Collision Probability Spectrum) We call Collision Probability Spectrum ( cps ) of g : S → S the set { c k } k ≥ 1 c k = P [ g ( a + x ) = g ( a ) has k solutions ] . Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 7 / 21

  16. Collision Probability Spectrum ( cps ) Definition (Collision Probability Spectrum) We call Collision Probability Spectrum ( cps ) of g : S → S the set { c k } k ≥ 1 c k = P [ g ( a + x ) = g ( a ) has k solutions ] . Definition The average number of non-zero roots is denoted κ and called collision average : � κ = c k · k − 1 k ≥ 1 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 7 / 21

  17. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S|

  18. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } .

  19. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  20. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  21. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  22. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  23. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! | g ( V k ) | = c k k · |S| Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  24. Output Shrinking Let V k = { x 0 ∈ S , g ( x 0 + y ) = g ( x 0 ) has k solutions } . ⇒ | V k | = c k · |S| Let g have CPS { c 1 = c 2 = 1 / 2 } . S V 1 V 2 Lost! | g ( V k ) | = c k k · |S| Independence Assumption: In what follows, we assume that x ∈ g ( V k ) and x ∈ V j are independent for any k , j . Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 8 / 21

  25. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  26. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  27. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  28. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  29. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) g 4 ( S ) Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  30. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) g 3 ( S ) g 4 ( S ) |S| | g i ( S ) | ∼ i · κ/ 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

  31. Iterated Output Shrinking and Collision Trees � g : S → S has CPS { c 3 = 1 } ; # iterations < |S| S g ( S ) g 2 ( S ) 4 g 3 ( S ) g 4 ( S ) |S| | g i ( S ) | ∼ i · κ/ 2 Perrin, Khovratovitch (Uni. of Luxembourg) Collision Spectrum, Entropy Loss, T-Sponges and Cryptanalysis of gluon -64 9 / 21

Recommend

PHYLUM PORIFERA Sponges Simple Animals SPONGES Simplest and most unusual animals Most

PHYLUM PORIFERA Sponges Simple Animals SPONGES Simplest and most unusual animals Most

PHYLUM PORIFERA Sponges Simple Animals SPONGES Simplest and most unusual animals Most ancient animals Around 540 million years old Aquatic animals Ocean and fresh water Variety of colours, shapes and sizes Porifera

652 views • 16 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]: automatic suggestions about the motions of objects immediately following a collision; animation systems using dynamical simulation inherently must respond

767 views • 53 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Generalized Cross Entropy Loss for Noisy Labels Zhilu Zhang and Mert R. Sabuncu Cornell

Generalized Cross Entropy Loss for Noisy Labels Zhilu Zhang and Mert R. Sabuncu Cornell

Generalized Cross Entropy Loss for Noisy Labels Zhilu Zhang and Mert R. Sabuncu Cornell University Generalized Cross Entropy Loss for Noisy Labels Poster # 101

259 views • 11 slides
Sponges: Chondroclada lampadglobus Size: up to 50 cm high with inflated spheres 35 cm in

Sponges: Chondroclada lampadglobus Size: up to 50 cm high with inflated spheres 35 cm in

Sponges: Chondroclada lampadglobus Size: up to 50 cm high with inflated spheres 35 cm in diameter Distribu-on: East Pacific Rise (178S, 23S, 13N) Biolog y: rooted in sediments near vents or on pillow basalts but not near to the animals

870 views • 53 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision

Collision Detection Part 2. Narrow Phase Collision Detection The Narrow Phase Exact collision detection: Where precisely have objects touched, where to apply forces, torques? Collision Response The following is an equation for Rigid Body

1.06k views • 79 slides
Q44.2 Consider the collision p + p -&gt; p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -&gt; p + p + 0 p + p + Consider the collision p + p

Q44.2 Consider the collision p + p -&gt; p + p + 0 p + p + Consider the collision p + p A. It is exoergic. g B. It is endoergic C These terms dont apply to this type of collision C. These terms don t apply to this type of collision

596 views • 20 slides
Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known

07 Tutorial: Broadphase Collision Detection Collision detection weaknesses Naive collision detection suffers from 3 known weaknesses Fixed-timestep weakness All-pairs weakness Pair-processing weakness Two-phase collision detection

833 views • 20 slides
I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision

I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision

I. Introduction II. Collision of Domain Walls in 5D Minkowski Space III. Reheating by Collision of Branes IV. Fermion Localization at Collision V. Collision of Domain Walls in Asymptotically AdS Space VI. Summary Kei-ichi Maeda Waseda Univ.

451 views • 26 slides
Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K

Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K

Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K L 1 L y k log k ( x ) + (1 y k ) log k ( x ) k =1 s l 1 L s l + 2 w l ij 2 m l =1 i =1

912 views • 50 slides
Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i

Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i

Class 29: More collisions Simple collision problem in 1D Before collision: m 1 m 2 #2 v 2i v 1i #1 After collision: m 2 m 1 #1 v 1f v 2f #2 Equation of motion: m 1 v 1i + m 2 v 2i = m 1 v 1f + m 2 v 2f Can solve for any one unknown from v 1i , v

452 views • 9 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling

Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling

IIT Delhi Collision Detection http://www.cse.iitd.ac.in/ Collision Detection IIT Delhi Collision handling is fundamental to animation or dynamic scenes in virtual environments. http://www.cse.iitd.ac.in/ Applications IIT Delhi Games

519 views • 23 slides
Inference under the entropy-maximizing Bayesian model of sufficient evidence The Third

Inference under the entropy-maximizing Bayesian model of sufficient evidence The Third

Inference under the entropy-maximizing Bayesian model of sufficient evidence The Third International Conference on Mathematical and Computational Medicine 18 May 2016 David Bickel University of Ottawa Loss function example What act is

366 views • 15 slides
Collision Detection Based on Collision Series On XNA Creators Club Collision Detection Circular

Collision Detection Based on Collision Series On XNA Creators Club Collision Detection Circular

Collision Detection Based on Collision Series On XNA Creators Club Collision Detection Circular Rectangular Pixel based Rotated rectangles Pixel based with rotations Minimize work (to do) Circular Collision Detection

486 views • 19 slides
CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to

CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to

CS 1666 www.cs.pitt.edu/~nlf4/cs1666/ Collision detection Collision detection We already had to implement some basic collision detection in the motion example I.e., to keep our square from moving out of the window Checking for

679 views • 14 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

Collision Detection I Motivation F d X S, X Collision Force detection response F d F r

CPSC 599.86 / 601.86 Sonny Chan - University of Calgary Collision Detection I Motivation F d X S, X Collision Force detection response F d F r Control algorithms Haptic rendering Problem Definition We seek efficient algorithms to

822 views • 42 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides

More recommend