design strategies for arx with provable bounds sparx and
play

Design Strategies for ARX with Provable Bounds: SPARX and LAX Daniel - PowerPoint PPT Presentation

Jun 17, 2023 •166 likes •730 views

Design Strategies for ARX with Provable Bounds: SPARX and LAX Daniel Dinu 1 , Lo Perrin 1 , Aleksei Udovenko 1 , Vesselin Velichkov 1 , Johann Groschdl 1 , Alex Biryukov 1 1 SnT, University of Luxembourg https://www.cryptolux.org December

  1. Design Strategies for ARX with Provable Bounds: SPARX and LAX Daniel Dinu 1 , Léo Perrin 1 , Aleksei Udovenko 1 , Vesselin Velichkov 1 , Johann Großschädl 1 , Alex Biryukov 1 1 SnT, University of Luxembourg https://www.cryptolux.org December 7, 2016 ASIACRYPT

  2. Design of an ARX-cipher (allegory) source: Wiki Commons Can we use ARX and have provable bounds? Block Cipher Design )︃ # active S-Boxes (︃ ∆ S P difg ≤ 2 b Design of an S-Box based SPN (wide-trail strategy) Cryptolux Team SPARX and LAX 1 / 24

  3. Can we use ARX and have provable bounds? Block Cipher Design )︃ # active S-Boxes (︃ ∆ S P difg ≤ 2 b Design of an ARX-cipher Design of an S-Box based SPN (allegory) (wide-trail strategy) source: Wiki Commons Cryptolux Team SPARX and LAX 1 / 24

  4. Block Cipher Design )︃ # active S-Boxes (︃ ∆ S P difg ≤ 2 b Design of an ARX-cipher Design of an S-Box based SPN (allegory) (wide-trail strategy) source: Wiki Commons Can we use ARX and have provable bounds? Cryptolux Team SPARX and LAX 1 / 24

  5. Talk Outline Outline 1 The Long-Trail Strategy 2 The SPARX Family of LW-BC Methodology Results 3 The LAX Approach 4 Conclusion Cryptolux Team SPARX and LAX 2 / 24

  6. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Plan 1 The Long-Trail Strategy The Wide Trail Strategy ARX-Boxes The Long Trail Strategy 2 The SPARX Family of LW-BC Methodology Results 3 The LAX Approach 4 Conclusion Cryptolux Team SPARX and LAX 2 / 24

  7. Used to design the AES! Application to ARX Can we use this to build an ARX-based cipher? The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion The Wide Trail Strategy (WTS) Wide Trail Argument MEDCP ( F r ) ≤ p S a ( r ) MEDCP ( F r ) = max ( P [ any trail covering r rounds of F ]) P [ S ( x ⊕ c ) ⊕ S ( x ) = d ] ≤ p S # { active S-Boxes on r rounds } ≥ a ( r ) Cryptolux Team SPARX and LAX 3 / 24

  8. Application to ARX Can we use this to build an ARX-based cipher? The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion The Wide Trail Strategy (WTS) Wide Trail Argument MEDCP ( F r ) ≤ p S a ( r ) MEDCP ( F r ) = max ( P [ any trail covering r rounds of F ]) P [ S ( x ⊕ c ) ⊕ S ( x ) = d ] ≤ p S # { active S-Boxes on r rounds } ≥ a ( r ) Used to design the AES! Cryptolux Team SPARX and LAX 3 / 24

  9. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion The Wide Trail Strategy (WTS) Wide Trail Argument MEDCP ( F r ) ≤ p S a ( r ) MEDCP ( F r ) = max ( P [ any trail covering r rounds of F ]) P [ S ( x ⊕ c ) ⊕ S ( x ) = d ] ≤ p S # { active S-Boxes on r rounds } ≥ a ( r ) Used to design the AES! Application to ARX Can we use this to build an ARX-based cipher? Cryptolux Team SPARX and LAX 3 / 24

  10. Parameter Search Rotations 7 2 Second best crypto properties, lightest Indeed NSA design strategy (see DAC’15). The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion ARX-Boxes (1/2) SPECKEY ⊕ 1 Start from SPECK-32 ≫ 7 2 XOR key in full state (Markov assumption) ⊞ 3 Find best trails ≪ 2 ⊕ SPECKEY. Cryptolux Team SPARX and LAX 4 / 24

  11. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion ARX-Boxes (1/2) SPECKEY ⊕ 1 Start from SPECK-32 ≫ 7 2 XOR key in full state (Markov assumption) ⊞ 3 Find best trails ≪ 2 Parameter Search ⊕ Rotations 7 , − 2 Second best crypto properties, lightest SPECKEY. Indeed NSA design strategy (see DAC’15). Cryptolux Team SPARX and LAX 4 / 24

  12. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion ARX-Boxes (2/2) Difgerential/Linear bounds r 1 2 3 4 5 6 7 8 9 10 MEDCP ( A r ) − 0 − 1 − 3 − 5 − 9 − 13 − 18 − 24 − 30 − 34 MELCC ( A r ) − 0 − 0 − 1 − 3 − 5 − 7 − 9 − 12 − 14 − 17 Maximum expected difgerential characteristic probabilities (MEDCP) and maximum expected absolute linear characteristic correlations (MELCC) of SPECKEY ( log 2 scale); r is the number of rounds. Cryptolux Team SPARX and LAX 5 / 24

  13. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Notations k 0 k 0 ⊕ ⊕ L R ≫ 7 A ⊞ k r − 1 k r − 1 ⊕ ⊕ L R ≪ 2 A ⊕ A r k . A . Cryptolux Team SPARX and LAX 6 / 24

  14. Active ARX-Boxes: a 2 s 5 s , log 2 MEDCP A 4 5 MEDCP A 4 log 2 P difg. trail on 2s steps 5 s log 2 P difg. trail on 2s steps 25 s Need 2 128 25 12 steps, i.e. 48 ARX rounds! The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Naive Approach S-Box: A 4 ; Linear layer: 128-bit MixColumns. A 4 k A 4 k A 4 k A 4 k 1 step MixColumns A 4 k A 4 k A 4 k A 4 k MixColumns Cryptolux Team SPARX and LAX 7 / 24

  15. MEDCP A 4 log 2 P difg. trail on 2s steps 5 s log 2 P difg. trail on 2s steps 25 s Need 2 128 25 12 steps, i.e. 48 ARX rounds! The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Naive Approach S-Box: A 4 ; Linear layer: 128-bit MixColumns. A 4 k A 4 k A 4 k A 4 k 1 step Active ARX-Boxes: MixColumns a ( 2 s ) ≥ 5 s , A 4 k A 4 k A 4 k A 4 k MEDCP ( A 4 ) (︁ )︁ log 2 = − 5 MixColumns Cryptolux Team SPARX and LAX 7 / 24

  16. Need 2 128 25 12 steps, i.e. 48 ARX rounds! The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Naive Approach S-Box: A 4 ; Linear layer: 128-bit MixColumns. A 4 k A 4 k A 4 k A 4 k 1 step Active ARX-Boxes: MixColumns a ( 2 s ) ≥ 5 s , A 4 k A 4 k A 4 k A 4 k MEDCP ( A 4 ) (︁ )︁ log 2 = − 5 MixColumns log 2 ( P [ difg. trail on 2s steps ]) ≤ 5 s × MEDCP ( A 4 ) log 2 ( P [ difg. trail on 2s steps ]) ≤ − 25 s Cryptolux Team SPARX and LAX 7 / 24

  17. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Naive Approach S-Box: A 4 ; Linear layer: 128-bit MixColumns. A 4 k A 4 k A 4 k A 4 k 1 step Active ARX-Boxes: MixColumns a ( 2 s ) ≥ 5 s , A 4 k A 4 k A 4 k A 4 k MEDCP ( A 4 ) (︁ )︁ log 2 = − 5 MixColumns log 2 ( P [ difg. trail on 2s steps ]) ≤ 5 s × MEDCP ( A 4 ) log 2 ( P [ difg. trail on 2s steps ]) ≤ − 25 s Need 2 ⌈ 128 / 25 ⌉ = 12 steps, i.e. 48 ARX rounds! Cryptolux Team SPARX and LAX 7 / 24

  18. A New Hope log 2 MEDCP A 4 5 log 2 MEDCP A 8 24 5 2 The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Drawbacks The Wide Trail Strategy fails here Two (bad) options: 1 design a very weak cipher, or 2 design a very slow cipher. Cryptolux Team SPARX and LAX 8 / 24

  19. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Drawbacks The Wide Trail Strategy fails here Two (bad) options: 1 design a very weak cipher, or 2 design a very slow cipher. A New Hope (︁ MEDCP ( A 4 ) )︁ log 2 = − 5 MEDCP ( A 8 ) (︁ )︁ log 2 = − 24 ≪ − 5 × 2 Cryptolux Team SPARX and LAX 8 / 24

  20. we can use MEDCP A 12 instead of 3 . MEDCP A 4 We can use MEDCP A 8 instead of 2 . MEDCP A 4 If left half has zero difgerences, The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Better Approach A 4 k A 4 k A 4 k A 4 k ⊕ ℓ New linear layer “chaining” ⊕ ARX-Boxes. A 4 k A 4 k A 4 k A 4 k ⊕ ℓ ⊕ A 4 k A 4 k A 4 k A 4 k Cryptolux Team SPARX and LAX 9 / 24

  21. we can use MEDCP A 12 instead of 3 . MEDCP A 4 We can use MEDCP A 8 instead of 2 . MEDCP A 4 If left half has zero difgerences, The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Better Approach A 4 k A 4 k A 4 k A 4 k ⊕ ℓ New linear layer “chaining” ⊕ ARX-Boxes. A 4 k A 4 k A 4 k A 4 k ⊕ ℓ ⊕ A 4 k A 4 k A 4 k A 4 k Cryptolux Team SPARX and LAX 9 / 24

  22. we can use MEDCP A 12 instead of 3 . MEDCP A 4 If left half has zero difgerences, The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Better Approach A 4 k A 4 k A 4 k A 4 k ⊕ ℓ New linear layer “chaining” ⊕ ARX-Boxes. We can use MEDCP ( A 8 ) instead of A 4 k A 4 k A 4 k A 4 k )︁ 2 . MEDCP ( A 4 ) (︁ ⊕ ℓ ⊕ A 4 k A 4 k A 4 k A 4 k Cryptolux Team SPARX and LAX 9 / 24

  23. we can use MEDCP A 12 instead of 3 . MEDCP A 4 The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Better Approach A 4 k A 4 k A 4 k A 4 k ⊕ ℓ New linear layer “chaining” ⊕ ARX-Boxes. We can use MEDCP ( A 8 ) instead of A 4 k A 4 k A 4 k A 4 k )︁ 2 . MEDCP ( A 4 ) (︁ If left half has zero ⊕ ℓ difgerences, ⊕ A 4 k A 4 k A 4 k A 4 k Cryptolux Team SPARX and LAX 9 / 24

  24. The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion Better Approach A 4 k A 4 k A 4 k A 4 k ⊕ ℓ New linear layer “chaining” ⊕ ARX-Boxes. We can use MEDCP ( A 8 ) instead of A 4 k A 4 k A 4 k A 4 k )︁ 2 . MEDCP ( A 4 ) (︁ If left half has zero ⊕ ℓ difgerences, we can use ⊕ MEDCP ( A 12 ) instead of )︁ 3 . (︁ MEDCP ( A 4 ) A 4 k A 4 k A 4 k A 4 k Cryptolux Team SPARX and LAX 9 / 24

  25. Defjnition (Truncated Trail) 0 1 4 : 1 if ARX-Box i is active, else 0. A sequence of values in The Long-Trail Strategy The SPARX Family of LW-BC The LAX Approach Conclusion The Long Trail Argument (1/2) Defjnition (Long Trail) A Long Trail (LT) is a trail covering several ARX-Boxes without receiving any outside difgerence. Can be static (probability = 1) or dynamic (depends on the trail). Cryptolux Team SPARX and LAX 10 / 24

Recommend

Non-convex Robust PCA: Provable Bounds Anima Anandkumar U.C. Irvine Joint work with Praneeth

Non-convex Robust PCA: Provable Bounds Anima Anandkumar U.C. Irvine Joint work with Praneeth

Non-convex Robust PCA: Provable Bounds Anima Anandkumar U.C. Irvine Joint work with Praneeth Netrapalli, U.N. Niranjan, Prateek Jain and Sujay Sanghavi. Learning with Big Data High Dimensional Regime Missing observations, gross corruptions,

849 views • 83 slides
The PGM-index: a fully-dynamic compressed learned index with provable worst-case bounds Paolo

The PGM-index: a fully-dynamic compressed learned index with provable worst-case bounds Paolo

The PGM-index: a fully-dynamic compressed learned index with provable worst-case bounds Paolo Giorgio Ferragina Vinciguerra pgm.di.unipi.it The predecessor search problem Given sorted input keys (e.g. integers), implement

1.14k views • 27 slides
Scott Hebbard Scott Hebbard Communicatjons Manager at Sparx Systems Over 2 decades of

Scott Hebbard Scott Hebbard Communicatjons Manager at Sparx Systems Over 2 decades of

Scott Hebbard Scott Hebbard Communicatjons Manager at Sparx Systems Over 2 decades of experience in computjng and modeling Sparx Systems Sparx Systems Enterprise Architect: Commercially released in 2000 Based in Creswick, near

848 views • 53 slides
Paper Presentation (Date: 15 th September 2014) Call for Papers: SPARX-2014 Authors including

Paper Presentation (Date: 15 th September 2014) Call for Papers: SPARX-2014 Authors including

SPARX 2014 Paper Presentation (Date: 15 th September 2014) Call for Papers: SPARX-2014 Authors including graduate, post graduate student are invited to submit their papers for presentation in the event. The paper shall be submitted to the email

592 views • 3 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
SCHEMATIC SCHEMATIC DESIGN DESIGN KEY ISSUES STAY THE SAME STRATEGIES TO STAY THE COURSE

SCHEMATIC SCHEMATIC DESIGN DESIGN KEY ISSUES STAY THE SAME STRATEGIES TO STAY THE COURSE

IMPROVEMENT PROJECT PHASE III SCHEMATIC SCHEMATIC DESIGN DESIGN KEY ISSUES STAY THE SAME STRATEGIES TO STAY THE COURSE STRATEGY | UTILITIES INFRASTRUCTURE IMPROVEMENTS Water looped alignments Storm Drain Secondary

683 views • 39 slides
Rank Bounds for Design Matrices and Applications Abdul Basit University of Notre Dame Institut

Rank Bounds for Design Matrices and Applications Abdul Basit University of Notre Dame Institut

Rank Bounds for Design Matrices and Applications Abdul Basit University of Notre Dame Institut Henri Poincar Model Theory and Combinatorics January 31 st , 2018 Ordinary lines Let P be a set of n points in R 2 . For r 2 , define a r

1.02k views • 69 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS? Why RSA-PSS? Comparing original and standardized PSS Status of Protocols, Standards and Imple- mentations RSA-PSS in X.509

718 views • 19 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Design strategies to minimise the use of placebo in MS clinical trials Maria Pia Sormani

Design strategies to minimise the use of placebo in MS clinical trials Maria Pia Sormani

Design strategies to minimise the use of placebo in MS clinical trials Maria Pia Sormani University of Genoa, Italy Study design strategies Active controlled trials: both arms receive an active treatment Surrogate endpoints: their use

392 views • 16 slides
COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1

COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1

COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1 University of Manitoba Lower Bounds Introductions Assume you design an algorithm that solves a given problem P in ( n 2 ). Further exploration

1.58k views • 61 slides
Randomness in Computing L ECTURE 10 Last time Chernoff Bounds Today Hoeffding Bounds

Randomness in Computing L ECTURE 10 Last time Chernoff Bounds Today Hoeffding Bounds

Randomness in Computing L ECTURE 10 Last time Chernoff Bounds Today Hoeffding Bounds Applications of Chernoff- Hoeffding Bounds Estimating a Parameter Set Balancing 2/25/2020 Sofya Raskhodnikova;Randomness in Computing Sums

272 views • 11 slides
Design Patterns Applications Programming What is design patterns? The design patterns are

Design Patterns Applications Programming What is design patterns? The design patterns are

10/26/2011 G52APR Design Patterns Applications Programming What is design patterns? The design patterns are language- Design Patterns 1 independent strategies for solving common object-oriented design problems. Jiawei Li (Michael)

316 views • 8 slides
Bounds on the Capacity of Channels with Insertions, Deletions and Substitutions Dario Fertonani

Bounds on the Capacity of Channels with Insertions, Deletions and Substitutions Dario Fertonani

Introduction Existing Capacity Bounds Proposed Capacity Bounds Bounds on the Capacity of Channels with Insertions, Deletions and Substitutions Dario Fertonani Advisor: Prof. Tolga M. Duman Department of Electrical Engineering Fulton School

817 views • 16 slides
February 24, 2017 | FitCity Miami WHAT IS ACTIVE DESIGN? Evidence-based design & policy

February 24, 2017 | FitCity Miami WHAT IS ACTIVE DESIGN? Evidence-based design & policy

Photo: Sandy DeWitt DESIGN & POLICY STRATEGIES FOR HEALTHIER COMMUNITIES February 24, 2017 | FitCity Miami WHAT IS ACTIVE DESIGN? Evidence-based design & policy strategies to support health Concept originated with NYCs Active

485 views • 26 slides
Strategies for computing second-order derivatives in CFD design problems Massimiliano Martinelli

Strategies for computing second-order derivatives in CFD design problems Massimiliano Martinelli

Strategies for computing second-order derivatives in CFD design problems Massimiliano Martinelli Alain Dervieux Laurent Hascot INRIA Sophia-Antipolis Project TROPICS WEHSFF, Moscou, november 20, 2007 M. Martinelli Strategies for computing

594 views • 26 slides
Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

908 views • 31 slides

More recommend