improved differential linear cryptanalysis of 7 round
play

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with - PowerPoint PPT Presentation

Feb 20, 2024 •161 likes •540 views

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

  1. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gaëtan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K ′ K ′ π π π τ K Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 1 / 19

  2. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Chaskey N. Mouha, B. Mennink, A. Van Herrewege, D. Watanabe, B. Preneel, I. Verbauwhede Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers SAC 2014 m 0 m 1 m 2 K ′ K ′ π π π τ K Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 2 / 19

  3. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Chaskey ◮ Message Authentication Code ◮ Authenticity ◮ τ = MAC K ( m ) Computed by Alice 1 Transmitted with m 2 Verified by Bob (same key) 3 ◮ For microcontrollers ◮ Typical use-case: sensor network (lightweight) ◮ “Ten times faster than AES” ◮ Considered for ISO standardisation m 0 m 1 m 2 K ′ K ′ π π π τ K Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 2 / 19

  4. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Chaskey ◮ CBC-MAC with an Even-Mansour cipher ◮ Permutation based (sponge-like) ◮ Birthday security ◮ 128-bit key ( K ′ = 2 · K ) ◮ 128-bit state ◮ Security claim: 2 48 data, 2 80 time ( TD > 2 128 ). m 0 m 1 m 2 K ′ K ′ π π π τ K Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 2 / 19

  5. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Chaskey permutation v 1 v 0 v 2 v 3 ◮ 32-bit words 5 8 ◮ 128-bit state 16 ◮ ARX scheme ◮ Additions ( mod 2 32 ) ◮ Rotations (bitwise) ◮ Xor 7 13 ◮ Same structure as Siphash 16 ◮ 8 rounds Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 3 / 19

  6. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Cryptanalysis of Chaskey Exploiting properties of the π permutation ◮ Use single-block messages ◮ Chaskey becomes an Even-Mansour cipher ◮ No decryption oracle ◮ Previous work: 4-round bias by the designers ◮ 5-round attack? K ⊕ K ′ K ′ m π τ Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 4 / 19

  7. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Main Cryptanalysis Techniques Differential Cryptanalysis Linear Cryptanalysis Track difference propagation Track linear approximations [Biham & Shamir, 1990] [Matsui, 1992] ◮ Input/output differences δ P , δ C ◮ Input/output masks χ P , χ C ◮ E ( x ⊕ δ P ) ≈ E ( x ) ⊕ δ C ◮ E ( x )[ χ C ] ≈ x [ χ P ] � − 1 � � � p = Pr E ( P ⊕ δ P ) = E ( P ) ⊕ δ C ε = 2 Pr E ( x )[ χ C ] = x [ χ P ] ◮ Concatenate trails: ε = ∏ ε i ◮ Concatenate trails: p = ∏ p i ◮ Complexity 1 / ε 2 ◮ Complexity 1 / p ◮ Require ε ≫ 2 − n / 2 ◮ Require p ≫ 2 − n x [ χ 1 . . . χ ℓ ] = x [ χ 1 ] ⊕ x [ χ 2 ] · · · x [ χ ℓ ] Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 5 / 19

  8. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Cryptanalysis of ARX schemes ◮ No iterative differential/linear trails ◮ Small difference in the middle and propagate ◮ Only short trails with high probability Complexity Rounds Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 6 / 19

  9. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Cryptanalysis of ARX schemes ◮ No iterative differential/linear trails ◮ Small difference in the middle and propagate ◮ Only short trails ◮ Can we combine two trails? with high probability Complexity Rounds Rounds Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 6 / 19

  10. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x [Langford & Hellman, 1994] [Biham, Dunkelman & Keller, 2002] E ⊤ E ⊤ ◮ Divide E in two sub-ciphers E = E ⊥ ◦ E ⊤ γ ◮ Let y = E ⊤ ( x ) , z = E ⊥ ( y ) y ′ y α α ◮ Find a differential δ → γ for E ⊤ ◮ Pr [ E ⊤ ( x ⊕ δ ) = E ⊤ ( x ) ⊕ γ ] = p E ⊥ E ⊥ ◮ Find a linear approximation α → β of E ⊥ ◮ Pr [ y [ α ] = E ⊥ ( y )[ β ]] = 1 2 ( 1 + ε ) z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  11. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x [Langford & Hellman, 1994] [Biham, Dunkelman & Keller, 2002] E ⊤ E ⊤ ◮ Divide E in two sub-ciphers E = E ⊥ ◦ E ⊤ γ ◮ Let y = E ⊤ ( x ) , z = E ⊥ ( y ) y ′ y α α ◮ Find a differential δ → γ for E ⊤ ◮ Pr [ E ⊤ ( x ⊕ δ ) = E ⊤ ( x ) ⊕ γ ] = p E ⊥ E ⊥ ◮ Find a linear approximation α → β of E ⊥ ◮ Pr [ y [ α ] = E ⊥ ( y )[ β ]] = 1 2 ( 1 + ε ) z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  12. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x [Langford & Hellman, 1994] [Biham, Dunkelman & Keller, 2002] E ⊤ E ⊤ ◮ Divide E in two sub-ciphers E = E ⊥ ◦ E ⊤ γ ◮ Let y = E ⊤ ( x ) , z = E ⊥ ( y ) y ′ y α α ◮ Find a differential δ → γ for E ⊤ ◮ Pr [ E ⊤ ( x ⊕ δ ) = E ⊤ ( x ) ⊕ γ ] = p E ⊥ E ⊥ ◮ Find a linear approximation α → β of E ⊥ ◮ Pr [ y [ α ] = E ⊥ ( y )[ β ]] = 1 2 ( 1 + ε ) z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  13. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x ◮ Query a pair ( x , x ′ = x ⊕ δ ) : E ⊤ E ⊤ y ⊕ y ′ = γ proba p γ ( y ⊕ y ′ )[ α ] = γ [ α ] proba ≈ p + 1 / 2 ( 1 − p ) y ′ y α α z [ β ] = y [ α ] proba 1 / 2 ( 1 + ε ) z ′ [ β ] = y ′ [ α ] proba 1 / 2 ( 1 + ε ) proba 1 / 2 ( 1 + p ε 2 ) E ⊥ E ⊥ ( z ⊕ z ′ )[ β ] = γ [ α ] ◮ Distinguisher with complexity ≈ p − 2 ε − 4 z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  14. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x ◮ Query a pair ( x , x ′ = x ⊕ δ ) : E ⊤ E ⊤ y ⊕ y ′ = γ proba p γ ( y ⊕ y ′ )[ α ] = γ [ α ] proba ≈ p + 1 / 2 ( 1 − p ) y ′ y α α z [ β ] = y [ α ] proba 1 / 2 ( 1 + ε ) z ′ [ β ] = y ′ [ α ] proba 1 / 2 ( 1 + ε ) proba 1 / 2 ( 1 + p ε 2 ) E ⊥ E ⊥ ( z ⊕ z ′ )[ β ] = γ [ α ] ◮ Distinguisher with complexity ≈ p − 2 ε − 4 z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  15. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x ◮ Query a pair ( x , x ′ = x ⊕ δ ) : E ⊤ E ⊤ y ⊕ y ′ = γ proba p γ ( y ⊕ y ′ )[ α ] = γ [ α ] proba ≈ p + 1 / 2 ( 1 − p ) y ′ y α α z [ β ] = y [ α ] proba 1 / 2 ( 1 + ε ) z ′ [ β ] = y ′ [ α ] proba 1 / 2 ( 1 + ε ) proba 1 / 2 ( 1 + p ε 2 ) E ⊥ E ⊥ ( z ⊕ z ′ )[ β ] = γ [ α ] ◮ Distinguisher with complexity ≈ p − 2 ε − 4 z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  16. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x ◮ Query a pair ( x , x ′ = x ⊕ δ ) : E ⊤ E ⊤ y ⊕ y ′ = γ proba p γ ( y ⊕ y ′ )[ α ] = γ [ α ] proba ≈ 1 / 2 ( 1 + p ) y ′ y α α z [ β ] = y [ α ] proba 1 / 2 ( 1 + ε ) z ′ [ β ] = y ′ [ α ] proba 1 / 2 ( 1 + ε ) proba 1 / 2 ( 1 + p ε 2 ) E ⊥ E ⊥ ( z ⊕ z ′ )[ β ] = γ [ α ] ◮ Distinguisher with complexity ≈ p − 2 ε − 4 z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

  17. Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Differential-Linear Cryptanalysis δ x ′ x ◮ Query a pair ( x , x ′ = x ⊕ δ ) : E ⊤ E ⊤ y ⊕ y ′ = γ proba p γ ( y ⊕ y ′ )[ α ] = γ [ α ] proba ≈ 1 / 2 ( 1 + p ) y ′ y α α z [ β ] = y [ α ] proba 1 / 2 ( 1 + ε ) z ′ [ β ] = y ′ [ α ] proba 1 / 2 ( 1 + ε ) proba 1 / 2 ( 1 + p ε 2 ) E ⊥ E ⊥ ( z ⊕ z ′ )[ β ] = γ [ α ] ◮ Distinguisher with complexity ≈ p − 2 ε − 4 z ′ β z β Gaëtan Leurent (Inria, Paris) Differential-Linear Cryptanalysis of 7-round Chaskey Eurocrypt 2016 7 / 19

Recommend

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and

Cryptanalysis of Modern Symmetric-Key Block Ciphers [Based on A Tutorial on Linear and Differential Cryptanalysis by Howard Heys.] Modern block ciphers (like DES and AES): - proceed in rounds - each round has its own round key or subkey

644 views • 21 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1

Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1

Introduction Our Contributions Conclusion Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1 Information Science Technology Institute Zhengzhou, Henan, China 2 Xinyang Normal University Xinyang, Henan, China

1.23k views • 49 slides
Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 , Henri Gilbert 2 , Mara Naya-Plasencia 1 , Jean-Ren Reinhard 2 1 INRIA, France 2 ANSSI, France FSE 2014 - March 5, 2014 Canteaut, Fuhr, Gilbert,

507 views • 35 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks Jakob Wenzel Bauhaus-Universitt Weimar FSE 2014 March 27, 2014 March 27, 2014 Agenda Motivation Simon and Speck Our Method Results

533 views • 31 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis

On the behaviors of affine equivalent Sboxes regarding differential and linear cryptanalysis Anne Canteaut Inria, France Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/Anne.Canteaut/ joint work with Jolle Rou ESC 2015, Clervaux,

540 views • 30 slides
Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C

Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis C eline Blondeau and Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi FSE 2017 TOKYO March 8, 2017 Outline Introduction

257 views • 24 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work

Separable Statistics in Linear Cryptanalysis Igor Semaev, Univ. of Bergen, Norway joint work with Stian Fauskanger 5 September 2017, MMC workshop Round Block Cipher Cryptanalysis PL-TEXT K1 K1 X K2..K15 Y K16 CH-TEXT Logarithmic

826 views • 41 slides

More recommend