cryptanalysis of low data instances of full lowmcv2
play

Cryptanalysis of Low-Data Instances of Full LowMCv2 Christian - PowerPoint PPT Presentation

Feb 06, 2023 •217 likes •853 views

Cryptanalysis of Low-Data Instances of Full LowMCv2 Christian Rechberger 1 Hadi Soleimany 2 Tyge Tiessen 3 1 Graz University of Technology, Austria 2 Shahid Beheshti University, Iran 3 Technical University of Denmark, Denmark FSE 2019, Paris,

  1. Cryptanalysis of Low-Data Instances of Full LowMCv2 Christian Rechberger 1 Hadi Soleimany 2 Tyge Tiessen 3 1 Graz University of Technology, Austria 2 Shahid Beheshti University, Iran 3 Technical University of Denmark, Denmark FSE 2019, Paris, France 1 / 14

  2. Outline Introduction LowMC Description Related Work New Technique Overview of the Technique Proposed Framework Key Recovery Simplified Representation of LowMC Impact on Applications of LowMC Conclusion 2 / 14

  3. Introduction LowMC Description Related Work New Technique Overview of the Technique Proposed Framework Key Recovery Simplified Representation of LowMC Impact on Applications of LowMC Conclusion 3 / 14

  4. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. 3 / 14

  5. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. 3 / 14

  6. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) 3 / 14

  7. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) ◮ Fully homomorphic encryption (FHE) 3 / 14

  8. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) ◮ Fully homomorphic encryption (FHE) ◮ Zero-knowledge proof systems like SNARKs or STARKs 3 / 14

  9. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) ◮ Fully homomorphic encryption (FHE) ◮ Zero-knowledge proof systems like SNARKs or STARKs ◮ Quantum-resilient public-key signature 3 / 14

  10. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) ◮ Fully homomorphic encryption (FHE) ◮ Zero-knowledge proof systems like SNARKs or STARKs ◮ Quantum-resilient public-key signature ◮ A main goal in the design of suitable ciphers/permutations/hash functions is to minimize the number of multiplications. 3 / 14

  11. New Designs for New Applications ◮ Some design choices that were sensible for classical applications are suboptimal for a range of new applications. ◮ Implementation properties are comlex, but linear operations come often almost for free whereas the bottleneck are nonlinear operations. ◮ Multi-party computation (MPC) ◮ Fully homomorphic encryption (FHE) ◮ Zero-knowledge proof systems like SNARKs or STARKs ◮ Quantum-resilient public-key signature ◮ A main goal in the design of suitable ciphers/permutations/hash functions is to minimize the number of multiplications. ◮ Examples of such designs include LowMC, Kreyvium, Flip, MiMC and Rasta. 3 / 14

  12. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . 4 / 14

  13. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. 4 / 14

  14. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. ◮ Round function: 4 / 14

  15. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. ◮ Round function: ◮ Using partial non-linear layers 4 / 14

  16. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. ◮ Round function: ◮ Using partial non-linear layers ◮ Using 3 × 3 Sbox with algebraic degree 2. 4 / 14

  17. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. ◮ Round function: ◮ Using partial non-linear layers ◮ Using 3 × 3 Sbox with algebraic degree 2. ◮ Linear layers are binary invertible matrices that are chosen independently and uniformly at random. 4 / 14

  18. LowMC Description ◮ First design proposed at Eurocrypt 2015 [Albrecht et al. 15] . ◮ Allows to create suitable instances for a wide range of applications, e.g. used for a signature scheme currently under consideration in round 2 of the NIST PQ process. ◮ Round function: ◮ Using partial non-linear layers ◮ Using 3 × 3 Sbox with algebraic degree 2. ◮ Linear layers are binary invertible matrices that are chosen independently and uniformly at random. ◮ Round key is generated by a randomly chosen multiplication of a full-rank b × k with the master key. 4 / 14

  19. LowMC Cryptanalysis and Impact ◮ 2012-2015: Authors provide analysis with a large variety of techniques. Given block size ( b ), allowable data complexity D , and number of Sboxes per round ( m ), a ’v0 round formular’ ( r ) is provided to allows to create instances for any desired security level. 5 / 14

  20. LowMC Cryptanalysis and Impact ◮ 2012-2015: Authors provide analysis with a large variety of techniques. Given block size ( b ), allowable data complexity D , and number of Sboxes per round ( m ), a ’v0 round formular’ ( r ) is provided to allows to create instances for any desired security level. ◮ Observations by Khovratovich, Leurent led to v1 (Eurocrypt 2015) 5 / 14

  21. LowMC Cryptanalysis and Impact ◮ 2012-2015: Authors provide analysis with a large variety of techniques. Given block size ( b ), allowable data complexity D , and number of Sboxes per round ( m ), a ’v0 round formular’ ( r ) is provided to allows to create instances for any desired security level. ◮ Observations by Khovratovich, Leurent led to v1 (Eurocrypt 2015) ◮ Attacks by Dobraunig, Eichlseder and Mendel, and Dinur, Liu, Meier and Wang led to v2 (eprint 2016). 5 / 14

  22. LowMC Cryptanalysis and Impact ◮ 2012-2015: Authors provide analysis with a large variety of techniques. Given block size ( b ), allowable data complexity D , and number of Sboxes per round ( m ), a ’v0 round formular’ ( r ) is provided to allows to create instances for any desired security level. ◮ Observations by Khovratovich, Leurent led to v1 (Eurocrypt 2015) ◮ Attacks by Dobraunig, Eichlseder and Mendel, and Dinur, Liu, Meier and Wang led to v2 (eprint 2016). ◮ Our new cryptanalysis led to v3 (github 2017). 5 / 14

  23. LowMC Cryptanalysis and Impact ◮ 2012-2015: Authors provide analysis with a large variety of techniques. Given block size ( b ), allowable data complexity D , and number of Sboxes per round ( m ), a ’v0 round formular’ ( r ) is provided to allows to create instances for any desired security level. ◮ Observations by Khovratovich, Leurent led to v1 (Eurocrypt 2015) ◮ Attacks by Dobraunig, Eichlseder and Mendel, and Dinur, Liu, Meier and Wang led to v2 (eprint 2016). ◮ Our new cryptanalysis led to v3 (github 2017). LowMCv3 is used in all applications we are aware of, e.g Picnic signature scheme (Zaverucha et al., CCS 2017), group signature schemes (Boneh et al., Derler et al.), or a protype Signal ’plugin’ for private contact discovery. 5 / 14

  24. Overview of Previous Techniques ◮ Meet-in-the-middle cryptanalysis requires extremely limited data and it is almost independent of inner components. 6 / 14

  25. Overview of Previous Techniques ◮ Meet-in-the-middle cryptanalysis requires extremely limited data and it is almost independent of inner components. ◮ But it is applicable to the ciphers with weak key schedule. 6 / 14

Recommend

Data Structures Data Object instances may or may not be related data object myDataObject =

Data Structures Data Object instances may or may not be related data object myDataObject =

Data Structures Data Object instances may or may not be related data object myDataObject = {apple, chair, 2, 5.2, red, green, Jack} set or collection of instances integer = {0, +1, -1, +2, -2, +3, -3, } daysOfWeek = {S,M,T,W,Th,F,Sa} Data

116 views • 7 slides
Data Structures Data Object instances may or may not be related data object myDataObject =

Data Structures Data Object instances may or may not be related data object myDataObject =

Data Structures Data Object instances may or may not be related data object myDataObject = {apple, chair, 2, 5.2, red, green, Jack} set or collection of instances integer = {0, +1, -1, +2, -2, +3, -3, } daysOfWeek = {S,M,T,W,Th,F,Sa} Data

369 views • 5 slides
Data Structures data object set or collection of instances integer = {0, +1, -1, +2, -2, +3, -3,

Data Structures data object set or collection of instances integer = {0, +1, -1, +2, -2, +3, -3,

Data Structures data object set or collection of instances integer = {0, +1, -1, +2, -2, +3, -3, } daysOfWeek = {S,M,T,W,Th,F,Sa} Data Object instances may or may not be related myDataObject = {apple, chair, 2, 5.2, red, green, Jack} 1

151 views • 13 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen Gauravaram 1 , Ga eten Leurent 2 , Florian Mendel 3 , Mar a Naya-Plasencia 4 , Thomas Peyrin 5 , Christian Rechberger 6 , Martin Schl affer 3 , 1

822 views • 45 slides
Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname

Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname

R1 sid bid day Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these S1 sid sname rating age instances of the 22 dustin 7 45.0 SQL: Queries, Constraints, Triggers Sailors and Reserves relations in our 31

415 views • 7 slides
Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh 2 , Virginie Lallemand 2 , Mara Naya-Plasencia 3 , Lo Perrin 3 , Andr Schrottenloher 3 1 Universit de Rennes, CNRS, Irisa - Rennes, France

717 views • 44 slides
Data Analy/c Cloud Instance Op/ons MapReduce Spot Instances Evalua/on Data

Data Analy/c Cloud Instance Op/ons MapReduce Spot Instances Evalua/on Data

Navraj Chohan 1 Claris Cas/llo 2 Mike Spreitzer 2 Malgorzata Steinder 2 Asser Tantawi 2 Chandra Krintz 1 UC Santa Barbara 1 IBM Research 2 Data Analy/c Cloud Instance Op/ons MapReduce Spot Instances Evalua/on Data Public Cloud

197 views • 19 slides
Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating

Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating

sid bid day R1 Example Instances 22 101 10/10/96 58 103 11/12/96 We will use these sid sname rating age S1 SQL: Queries, Programming, instances of the 22 dustin 7 45.0 Sailors and Triggers Reserves relations 31 lubber

400 views • 7 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Database Concepts 1 / 16 Database Concepts Data models, schemas, instances Three-schema

Database Concepts 1 / 16 Database Concepts Data models, schemas, instances Three-schema

Database Concepts 1 / 16 Database Concepts Data models, schemas, instances Three-schema architecture and data independence Database languages and interfaces Database systems DBMS Architectures Classification of DBMSes 2 /

570 views • 16 slides
Data Mining Ian H. Witten The problem Data Mining with Weka Classification (supervised)

Data Mining Ian H. Witten The problem Data Mining with Weka Classification (supervised)

Data Mining Ian H. Witten The problem Data Mining with Weka Classification (supervised) Given A set of classified examples instances Produce A way of classifying new examples Instances: described by fixed set of features

632 views • 13 slides
The SciPy Stack Data Analytics in Python 1 / 9 Data Analytics/Scientific Computing Gaining

The SciPy Stack Data Analytics in Python 1 / 9 Data Analytics/Scientific Computing Gaining

The SciPy Stack Data Analytics in Python 1 / 9 Data Analytics/Scientific Computing Gaining insight from data: Do instances fall into discernible groups? Which characteristics differentiate groups? Do some characteristics of instances

1.09k views • 9 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Ontology Visualization What is the graph widget? Allows visual editing of instances and

Ontology Visualization What is the graph widget? Allows visual editing of instances and

9 th International Protg Conference Jennifer Vendetti, Stanford University Ontology Visualization What is the graph widget? Allows visual editing of instances and relationships between instances Alternative to Protege Forms for

539 views • 31 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020

Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020

S C I E N C E P A S S I O N T E C H N O L O G Y Incentives for LowMC-Cryptanalysis in the Low-Data Scenario Christian Rechberger, Eurocrypt 2020 Rump Session 12.05.2020 > https://lowmcchallenge.github.io/ LowMC First cipher design

503 views • 9 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image

Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image

2/2/2016 Plan for today 1. Basics in feature extraction: filtering 2. Invariant local features Recognizing object instances 3. Recognizing object instances Kristen Grauman UT-Austin Image Formation Basics in feature extraction

1.02k views • 37 slides

More recommend