Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems
Itai Dinur (1), Orr Dunkelman (1,2), Nathan Keller (3) and Adi Shamir (1)
(1) Computer Science Department, The Weizmann Institute, Rehovot, Israel
(2) Computer Science Department, University of Haifa, Israel
(3) Department of Mathematics, Bar-Ilan University, Israel
Single Encryption
[Figure: an n-bit plaintext P is encrypted under an n-bit key K to an n-bit ciphertext C]
• The Basic Cryptanalytic Problem:
  • Input: a list of plaintext-ciphertext pairs $(P_1,C_1), (P_2,C_2), (P_3,C_3), \ldots$
  • Goal: find all keys $K$ such that $C_1=E_K(P_1)$, $C_2=E_K(P_2)$, …
• Exhaustive Search:
  • For each n-bit value of $K$
  • Perform trial encryptions, i.e., test whether $C_1=E_K(P_1)$; if so, test whether $C_2=E_K(P_2)$, …
  • Time: $2^n$, Memory: constant
Double Encryption
[Figure: P is encrypted under $K_1$ to the intermediate value X, which is encrypted under $K_2$ to C]
• $C=E_{K_2}(E_{K_1}(P))$ with independent n-bit keys $K_1, K_2$
• Suggested following concerns about the small key size of DES
MITM Attack (Hellman, Merkle '81)
[Figure: $P_1$ is encrypted under $K_1$ to X and $C_1$ is decrypted under $K_2$ to X; a sorted table lists each $K_1$ next to its value of X]
• For each n-bit value of $K_1$
  • Partially encrypt $P_1$ and store the n-bit suggestions for X in a sorted list
• For each n-bit value of $K_2$
  • Partially decrypt $C_1$ and look for matches in the list
• For each of the $\approx 2^n$ matches test the full key
• Time $2^n$, memory $2^n$ (ignoring logarithmic factors)
Triple Encryption
• Triple Encryption: $C=E_{K_3}(E_{K_2}(E_{K_1}(P)))$ with independent keys $K_1, K_2, K_3$
• Triple-DES was used as a de-facto encryption standard from 1998 until 2001 (and even today…)
• A trivial extension of the MITM attack (by guessing $K_3$) breaks triple encryption in time $2^{2n}$ and memory $2^n$
• Still the best known algorithm for triple encryption
Multiple Encryption
• r-fold encryption: $E_{K_r}(E_{K_{r-1}}(\ldots(E_{K_1}(P))))$ with independent keys $K_1, K_2, \ldots, K_r$
• An extension of MITM breaks r-fold encryption in time T and memory M such that $TM=2^{rn}=N$ (provided $M \le 2^{[r/2]n}$)
• Suggests an optimal time-memory tradeoff of $TM=N$
Improved Attack on 4-Fold Encryption with $M=2^n$
[Figure: the four pairs $(P_1,C_1), \ldots, (P_4,C_4)$, each passing through the same four rounds keyed by $K_1, K_2, K_3, K_4$; $X_i$ and $Y_i$ are the intermediate values of $P_1$ and $P_2$ after round i]
• For each n-bit value of $X_2$
  • Given $P_1, X_2$ obtain $\approx 2^n$ suggestions for $K_1, K_2$ using a 2R MITM attack
  • For each suggestion, obtain $Y_2$ and store the triplet in a sorted list
  • Given $X_2, C_1$ obtain $\approx 2^n$ suggestions for $K_3, K_4$ using a 2R MITM attack
  • For each suggestion, obtain $Y_2$ and match with the stored list
  • For each of the $\approx 2^n$ matches test the full key using $(P_3,C_3)$ and $(P_4,C_4)$
• Time $2^{2n}$, memory $2^n$ (the same as triple-encryption!)
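The 2R MITM step and the 4-fold attack above, run end to end on a toy cipher. This is an added example, not code from the slides or their authors. The 8-bit cipher `enc`/`dec`, its S-box, the key and the plaintexts are constructed for illustration, and a fifth pair is used as an extra filter because false positives are likely at this block size.

```python
import random
from collections import defaultdict

N = 8                                  # toy block/key size in bits (assumption)
MASK = (1 << N) - 1
SPACE = range(1 << N)
SBOX = list(SPACE)                     # constructed S-box, fixed seed
random.Random(2012).shuffle(SBOX)
INV = [0] * len(SBOX)
for i, s in enumerate(SBOX):
    INV[s] = i

def enc(k, x):
    """Toy one-round cipher E_k (hypothetical stand-in for a real cipher)."""
    return SBOX[(SBOX[x ^ k] + k) & MASK]

def dec(k, y):
    """Inverse of enc."""
    return INV[(INV[y] - k) & MASK] ^ k

def enc4(key, p):
    for k in key:
        p = enc(k, p)
    return p

def mitm2(p, c):
    """2R MITM: every (Ka, Kb) with E_Kb(E_Ka(p)) == c, table of 2^n entries."""
    table = defaultdict(list)
    for ka in SPACE:
        table[enc(ka, p)].append(ka)
    return [(ka, kb) for kb in SPACE for ka in table.get(dec(kb, c), ())]

def dissect4(pairs):
    """All (K1, K2, K3, K4) consistent with the given (P, C) pairs."""
    (p1, c1), (p2, c2) = pairs[0], pairs[1]
    found = []
    for x2 in SPACE:                               # guess X2 on the (P1, C1) path
        top = defaultdict(list)                    # Y2 -> [(K1, K2)], about 2^n entries
        for k1, k2 in mitm2(p1, x2):
            top[enc(k2, enc(k1, p2))].append((k1, k2))
        for k3, k4 in mitm2(x2, c1):               # bottom suggestions, used on the fly
            for k1, k2 in top.get(dec(k3, dec(k4, c2)), ()):
                key = (k1, k2, k3, k4)
                if all(enc4(key, p) == c for p, c in pairs[2:]):
                    found.append(key)
    return found

def demo():
    secret = (0x3A, 0xC5, 0x17, 0x9E)              # constructed key
    pairs = [(p, enc4(secret, p)) for p in range(1, 6)]  # 5th pair: extra filter
    return secret, pairs, dissect4(pairs)
```

The outer loop runs $2^n$ times and each pass does about $2^n$ work, so the 32-bit key falls in roughly $2^{2n} = 2^{16}$ steps while no table holds more than about $2^n$ entries.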
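Increasing r Further
• We obtained $TM=2^{3n}$ (instead of $2^{4n}$) for r=4
• What happens when we increase r further?
• We first fix $M=2^n$ and try to minimize T

r | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | …
T (standard MITM) | $2^n$ | $2^n$ | $2^{2n}$ | $2^{3n}$ | $2^{4n}$ | $2^{5n}$ | $2^{6n}$ | $2^{7n}$ |
T (improved) | | | | $2^{2n}$ | $2^{3n}$ | $2^{4n}$ | $2^{5n}$ | $2^{6n}$ |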
Surprisingly Efficient Attack on 7-Fold Encryption (a 7r attack)
• Split the 7r cipher into two subciphers, a 3r top part and a 4r bottom part
• Guess 2 intermediate encryption values in the middle (one for $(P_1,C_1)$ and one for $(P_2,C_2)$)
• Apply a 3r attack to the top part and store the $2^n$ returned suggestions
• Apply the 4r attack to the bottom part and test the returned keys on the fly
Analysis of the Attack
• We guess 2n bits in the middle
• The top 3r attack takes $2^{2n}$ time and $2^n$ memory
• The bottom 4r attack takes $2^{2n}$ time and $2^n$ memory
• The total complexity is $T=2^{4n}$ (instead of $2^{6n}$)
• We obtain $TM=2^{5n}$ (instead of $2^{7n}$)
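Extending the 7r Attack
• Our 7r attack divides the cipher asymmetrically into a top and bottom part
• Can be extended recursively by dividing the cipher asymmetrically into subciphers

r | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | …
T (standard MITM) | $2^n$ | $2^n$ | $2^{2n}$ | $2^{3n}$ | $2^{4n}$ | $2^{5n}$ | $2^{6n}$ | $2^{7n}$ |
T (with the 4r attack) | | | | $2^{2n}$ | $2^{3n}$ | $2^{4n}$ | $2^{5n}$ | $2^{6n}$ |
T (with the 7r attack) | | | | | | | $2^{4n}$ | $2^{5n}$ |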
Constructing Asymmetric Algorithms
• Using the asymmetric recursion, we construct a “magic sequence” of the “turning points”: Magic = {4, 7, 11, 16, 22, 29, 37, 46, …}
• The algorithm becomes increasingly more efficient compared to the standard MITM
  • For r=4, we have $T=2^{2n}$ (compared to $T=2^{3n}$)
  • For r=7, we have $T=2^{4n}$ (compared to $T=2^{6n}$)
  • For r=11, we have $T=2^{7n}$ (compared to $T=2^{10n}$)…
• We obtain an asymptotic time complexity of $T \approx 2^{n(r-\sqrt{2r})}$
• The algorithms generalize to any amount of memory
Where does the asymmetry come from?
• Most recursive algorithms divide the problem symmetrically to avoid bottlenecks
• However, there is asymmetry between the top and bottom subciphers
  • In the top part, we store all remaining suggestions in memory -> at most $2^n$ suggestions can remain
  • In the bottom part, we can check the key suggestions on the fly -> no restriction on their number!
• Hence, it is better to have more rounds in the bottom part!
Dissection Algorithms
• We obtain a new class of algorithms which we call dissection algorithms
• We perform “cuts” of different sizes in carefully chosen places of the encryption structure
Composite Problems
• A composite problem
  • We are given the initial value(s) and the final value(s) of a cascade of r steps
  • In each step, one of a list of possible transformations was applied
  • The goal: find out which transformation was applied in each step (i.e., find all possible options)
• Clearly, r-fold encryption is a composite problem
Application to Knapsacks
• Modular Knapsack Problem:
  • Input: a list of n integers $\{a_1, a_2, \ldots, a_n\}$ of n bits each, and a target integer S
  • Goal: find a vector $\epsilon=\{\epsilon_1, \epsilon_2, \ldots, \epsilon_n\}$ where $\epsilon_i \in \{0,1\}$ such that $S=\sum_{1 \le i \le n} (\epsilon_i \cdot a_i) \bmod 2^n$
• How do we apply the dissection techniques to the Knapsack problem?
Representing Knapsack as a Block Cipher
[Figure: P passes through the steps $+(\epsilon_1 \cdot a_1)$, $+(\epsilon_2 \cdot a_2)$, …, $+(\epsilon_n \cdot a_n)$ under the key $\epsilon=\{\epsilon_1, \epsilon_2, \ldots, \epsilon_n\}$, giving $C=P+\sum_{1 \le i \le n} (\epsilon_i \cdot a_i) \pmod{2^n}$]
• We fix the plaintext to be the 0 n-bit vector, the ciphertext to be S
• The knapsack problem reduces to recovering the key of this block cipher, given one plaintext-ciphertext pair
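Representing Knapsack as 4-Fold Encryption
• We split the knapsack into 4 independent knapsacks by splitting the generators and defining $S=\sigma_1+\sigma_2+\sigma_3+\sigma_4 \pmod{2^n}$
• $X_i=\sum_{1 \le j \le i} \sigma_j$
[Figure: a four-step cascade $0 \to X_1 \to X_2 \to X_3 \to S$, whose steps are keyed by $\{\epsilon_1, \ldots, \epsilon_{n/4}\}$, $\{\epsilon_{n/4+1}, \ldots, \epsilon_{n/2}\}$, $\{\epsilon_{n/2+1}, \ldots, \epsilon_{3n/4}\}$ and $\{\epsilon_{3n/4+1}, \ldots, \epsilon_n\}$]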
Representing Knapsack as 4-Fold Encryption
• Problem: In r-fold encryption, we have r “small” plaintexts -> can efficiently guess intermediate values. Here we have a single “big” plaintext
• Solution: Split the “block cipher” also vertically into n/4-bit blocks
[Figure: the same four-step cascade with the all-zero plaintext and S each split into four n/4-bit blocks, $S_1, \ldots, S_4$]
Representing Knapsack as 4-Fold Encryption
• Problem: Dependency between the “vertical” chunks through addition carries
• Solution: Guess the intermediate encryption values in their natural order (from right to left)
[Figure: the four-step cascade with carries $AC_1, AC_2, AC_3$ passing between adjacent vertical chunks]
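One way to complete the procedure the knapsack slides outline, as an added example that is not code from the slides or their authors. It goes slightly beyond them by assuming that only the rightmost n/4-bit chunk of $X_2$ is guessed (that chunk receives no carries) and that the final match is done on the full n-bit sums. The generators `A` and the vector `EPS` are constructed sample values.

```python
from collections import defaultdict
from itertools import product

def subset_sums(gens, mod):
    """(sigma mod `mod`, bits) for every 0/1 selection of one generator group."""
    return [(sum(b * a for b, a in zip(bits, gens)) % mod, bits)
            for bits in product((0, 1), repeat=len(gens))]

def pair_up(ga, gb, target, chunk_mod, mod):
    """MITM on the rightmost chunk: yield (sa+sb mod `mod`, bits) for all
    selections with sa + sb == target (mod chunk_mod)."""
    table = defaultdict(list)
    for sa, ea in subset_sums(ga, mod):
        table[sa % chunk_mod].append((sa, ea))
    for sb, eb in subset_sums(gb, mod):
        for sa, ea in table.get((target - sb) % chunk_mod, ()):
            yield (sa + sb) % mod, ea + eb

def dissect_knapsack(a, s, n):
    """All 0/1 vectors eps with sum(eps_i * a_i) == s (mod 2^n); len(a) % 4 == 0."""
    q = len(a) // 4
    g = [a[i * q:(i + 1) * q] for i in range(4)]   # four independent knapsacks
    mod, chunk_mod = 1 << n, 1 << (n // 4)
    sols = []
    for x2_low in range(chunk_mod):                # guess rightmost chunk of X2
        top = defaultdict(list)                    # full X2 -> bits of groups 1, 2
        for x2, e12 in pair_up(g[0], g[1], x2_low, chunk_mod, mod):
            top[x2].append(e12)
        for s34, e34 in pair_up(g[2], g[3], s - x2_low, chunk_mod, mod):
            for e12 in top.get((s - s34) % mod, ()):   # full n-bit match
                sols.append(e12 + e34)
    return sols

# Constructed 16-bit instance (sample values, not from the slides).
A = [0x9E37, 0x79B9, 0x7F4A, 0x7C15, 0xF39C, 0xC060, 0x5CED, 0xC834,
     0x1082, 0x276B, 0xF3A2, 0x7209, 0x8C2A, 0x4F1B, 0xB5D6, 0x3E91]
EPS = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1)
S = sum(e * a for e, a in zip(EPS, A)) % (1 << 16)
```

Each of the $2^{n/4}$ guesses costs about $2^{n/4}$ work and no table exceeds about $2^{n/4}$ entries, so the search takes time about $2^{n/2}$ with memory about $2^{n/4}$, the same shape as the 4-fold encryption attack.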