differential propagation analysis of keccak
play

Differential propagation analysis of Keccak Joan Daemen and Gilles - PowerPoint PPT Presentation

Apr 27, 2023 •49 likes •409 views

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

  1. Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28

  2. Differential propagation analysis of Keccak Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 2 / 28

  3. Differential propagation analysis of Keccak Introduction Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 3 / 28

  4. Differential propagation analysis of Keccak Introduction Differential trails and iterated mappings Differential trails in iterated mappings Trail: sequence of differences 4 / 28 DP ( Q ) : fraction of pairs that exhibit q i differences

  5. Differential propagation analysis of Keccak Introduction Differential trails and iterated mappings Differential trails and weight 5 / 28 w = − log 2 ( DP ) If independent rounds and w ( Q ) < b : # pairs ( Q ) ≈ 2 b − w ( Q )

  6. Differential propagation analysis of Keccak Introduction …but proving strong lower bounds also cryptanalysis seems hard Keccak : weak alignment revert to pre-DC/LC folklore such as avalanche effect no strong trail weight bounds ARX still, truncated trails, rebound attack, … easy demonstration of strong trail weight bounds Rijndael-inspired: strong alignment Different design approaches Design approaches 6 / 28 estimating # pairs ( Q ) from Q : easy estimating # pairs ( Q ) from Q : hard # pairs ( Q ) from Q : easy

  7. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer state y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  8. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer slice y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  9. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer row y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  10. Differential propagation analysis of Keccak Introduction Round function with 5 steps: 7 / 28 Operates on 3D state: Keccak - f : an iterative permutation Keccak - f : an iterative permutation θ : mixing layer ρ : inter-slice bit transposition π : intra-slice bit transposition χ : non-linear layer column y ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x 12 rounds in Keccak - f [ 25 ] 24 rounds in Keccak - f [ 1600 ] ( 5 × 5 ) -bit slices 2 ℓ -bit lanes parameter 0 ≤ ℓ < 7

  11. Differential propagation analysis of Keccak tight MD6 [Rivest et al., SHA-3 2008][Heilman, Ecrypt Hash 2011] Noekeon [Nessie, 2000] Inspired by similar efforts for this work 1600 non-tight 206 per 18 rounds 200 non-tight 146 per 16 rounds 100 54 per 6 rounds Introduction 50 tight 30 per 5 rounds 25 bound b Bounds for small versions of Keccak - f …and not on presumed hardness of finding them Security of Keccak relies on absence of exploitable trails This work Goal of this work 8 / 28

  12. Differential propagation analysis of Keccak Trails in Keccak - f Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 9 / 28

  13. Differential propagation analysis of Keccak Trails in Keccak - f Conventions and concepts Trails in Keccak - f 10 / 28 Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ a i fully determines b i = λ ( a i ) χ has degree 2: w ( b i − 1 ) independent of a i

  14. Differential propagation analysis of Keccak Trails in Keccak - f Conventions and concepts Trails in Keccak - f For Keccak - f : 10 / 28 w ( Q ) : # conditions on intermediate state bits b : # degree of freedom

  15. Differential propagation analysis of Keccak Trails in Keccak - f Trail generation techniques Trail generation techniques Given a trail, we can extend it: Tree search: extension can be done recursively pruning as soon as weight exceeds some limit 11 / 28 forward: iterate a r + 1 over A ( b r ) backward: iterate b − 1 over all differences χ − 1 -compatible with a 0 = λ − 1 ( b 0 )

  16. Differential propagation analysis of Keccak Generating all trails up to some weight Outline 1 Introduction 2 Trails in Keccak - f 3 Generating all trails up to some weight 4 Illustration 5 Conclusions 12 / 28

  17. Differential propagation analysis of Keccak Generating all trails up to some weight First order approach First-order approach Fact Generating trails up to weight T , first order approach extend backward down to b 0 prune as soon as weight exceeds T 13 / 28 An r -round trail Q with w ( Q ) ≤ T has at least one b i with weight ≤ T / r Generate V 1 = { b | w ( b ) ≤ t avg } with t avg = T / r ∀ 0 ≤ i < r , iterate b i over V 1 extend forward up to b r − 1

  18. Differential propagation analysis of Keccak Generating all trails up to some weight First order approach Limits of first-order approach 14 / 28 V 1 grows quickly with t avg and Keccak - f width:

  19. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Definitions: minimum reverse weight and trail cores Minimum reverse weight : min Can be used to lower bound of set of trails 15 / 28 w rev ( a ) � b : a ∈A ( b ) w ( b ) Trail core : set of trails with b 1 , b 2 , . . . in common

  20. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Definitions: minimum reverse weight and trail cores Minimum reverse weight : min Can be used to lower bound of set of trails 15 / 28 w rev ( a ) � b : a ∈A ( b ) w ( b ) Trail core : set of trails with b 1 , b 2 , . . . in common

  21. Differential propagation analysis of Keccak Generating all trails up to some weight Second order approach Second-order approach Observation high weight and vice versa Generating trails up to weight T , second order approach extend backward down to b 0 prune as soon as weight exceeds T 16 / 28 For most low-weight a , b = λ ( a ) has Generate V 2 = { b | b = λ ( a ) and w rev ( a ) + w ( b ) ≤ 2 t avg } ∀ 0 ≤ i < r , iterate b i over V 2 extend forward up to b r − 1 But how does the size of V 2 behave with t avg ?

  22. Differential propagation analysis of Keccak Generating all trails up to some weight Add to each cell the parities of two nearby columns 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine Compute parity c x , z of each column

  23. Differential propagation analysis of Keccak Generating all trails up to some weight Single-bit parity flips already 10 bits 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine Other linear mapping ρ and π just move bits around

  24. Differential propagation analysis of Keccak Generating all trails up to some weight Effect collapses if parity is zero The kernel 17 / 28 Intermezzo: θ properties θ , the mixing layer + = column parity θ effect combine

  25. Differential propagation analysis of Keccak Generating all trails up to some weight Limits of the second-order approach Limits of second-order approach 18 / 28 V 2 still grows quickly with t avg and Keccak - f width Reason: V 2 contains states in kernel

  26. Differential propagation analysis of Keccak Generating all trails up to some weight Third-order approach Third-order approach: dealing with the kernel 19 / 28 V 3 : trail cores ( b , d ) with w rev ( a ) + w ( b ) + w ( d ) ≤ 3 t avg a = λ − 1 ( b ) is in the kernel c = λ − 1 ( d ) is in the kernel Elements of V 3 can then be extended as usual

  27. Differential propagation analysis of Keccak Generating all trails up to some weight Third-order approach Third-order approach: dealing with the kernel 19 / 28 V 3 : trail cores ( b , d ) with w rev ( a ) + w ( b ) + w ( d ) ≤ 3 t avg a = λ − 1 ( b ) is in the kernel c = λ − 1 ( d ) is in the kernel Elements of V 3 can then be extended as usual

Recommend

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1 Overview Introduction Keccak Differential Cryptanalysis Semantics of Trees and Iterators Proven Iterator Conclusion 2 Introduction Hashing vs

977 views • 56 slides
Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on

Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on

Canberra, 13-17 July 2009 Propagation estimates for the Schr odinger equation Jean-Marc Bouclet, Lille 1 Workshop on Harmonic Analysis and Spectral Theory 1 Consider a differential operator in divergence form, on R d , d 3, P = div (

322 views • 13 slides
Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan

Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan

Seminar Static Program Analysis Constant Propagation and Interval Analysis Daniela Moldovan 29. May 2010 Daniela Moldovan Constant Propagation and Interval Analysis 1 / 70 Outline Motivation 1 Constant Propagation 2 Interval Analysis 3

952 views • 70 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting Propagation Types of Propagation Sexual Propagation: Asexual Propagation: Seed Division &amp; Separation Cuttings Grafting &amp; Budding

623 views • 60 slides
Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver

Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver

Error Propagation Analysis for Multi-Threaded Programs Habib Saissi, Stefan Winter, Oliver Schwahn, Karthik Pattabiraman , Neeraj Suri Fault Injection Evaluate the robustness of software 2 Motivation: Error Propagation Analysis (EPA) Compare

286 views • 16 slides
Global Optimization Lecture Outline Global flow analysis Global constant propagation

Global Optimization Lecture Outline Global flow analysis Global constant propagation

Global Optimization Lecture Outline Global flow analysis Global constant propagation Liveness analysis 2 Compiler Design I (2011) Local Optimization Recall the simple basic-block optimizations Constant propagation

1.11k views • 54 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017 Nvidia GTC S7254 Transcriptomic Data Personome.com Biological Pathways Nature.org Differential expression analysis Class labels C1 C2

414 views • 30 slides
THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

PROPAGATION THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What causes it? How does it effect HF Communications How do we understand the charts Were do we find the propagation information What is it?

978 views • 28 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
1 How to deal with Radio Propagation How to deal with Radio Propagation Where are you from?

1 How to deal with Radio Propagation How to deal with Radio Propagation Where are you from?

Lecture II Agenda Lecture II Agenda Radio Propagation Physical of radio propagation Two types of propagation models Wireless Multimedia System Outdoor vs. Indoor Radio Propagation Model How to do

538 views • 15 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Pratical case and Data State of the art Differential Analysis method based on CCHAC Conclusion Hi-C Differential Analysis: A new method using tree representation based on Contiguity Constrained Hierarchical Agglomerative Clustering (CCHAC)

644 views • 28 slides
Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC Overview 1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of

790 views • 28 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Information Propagation on Blockchains: Analysis,Method and Evaluation

Information Propagation on Blockchains: Analysis,Method and Evaluation

Information Propagation on Blockchains: Analysis,Method and Evaluation - - 5120309578 Preface Blockchain is a distributed system node that

229 views • 18 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides

More recommend