on the construction of partial difference distribution
play

On the Construction of Partial Difference Distribution Tables for - PowerPoint PPT Presentation

Aug 12, 2023 •35 likes •475 views

Motivation Partial DDT-s Results Conclusions On the Construction of Partial Difference Distribution Tables for ARX Ciphers A. Biryukov V. Velichkov LACS, Luxembourg University ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg

  1. Motivation Partial DDT-s Results Conclusions On the Construction of Partial Difference Distribution Tables for ARX Ciphers A. Biryukov V. Velichkov LACS, Luxembourg University ESC 2013, January 14-18, Mondorf-les-Bains, Luxembourg (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 1 / 37

  2. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 2 / 37

  3. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 3 / 37

  4. Motivation Partial DDT-s Results Conclusions Differential Cryptanalysis [Biham,Shamir,1991] α = P ⊕ P ⋆ P ⋆ P round round X ⋆ X 1 ∆ X 1 1 round round X ⋆ X 2 ∆ X 2 2 round round β = C ⊕ C ⋆ C ⋆ C DP ( α → β ) =? (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 4 / 37

  5. Motivation Partial DDT-s Results Conclusions Substitution Box (S-box): a Source of Non-linearity An example 4-bit S-box: a S b = S [ a ] 0 1 2 3 4 5 6 7 8 9 A B C D E F a E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7 S [ a ] The differential probability of an S-box: DP ( α → β ) = # { a : S [ a ⊕ α ] ⊕ S [ a ] = β } . # { a } S-boxes make differential cryptanalysis harder (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 5 / 37

  6. Motivation Partial DDT-s Results Conclusions Difference Distribution Table (DDT) for 4-bit S-box 0 1 2 3 4 5 6 7 8 9 A B C D E F α , β 0 16 . . . . . . . . . . . . . . . 1 . . . 2 . . . 2 . 2 4 . 4 2 . . 2 . . . 2 . 6 2 2 . 2 . . . . 2 . 3 . . 2 . 2 . . . . 4 2 . 2 . . 4 4 . . . 2 . . 6 . . 2 . 4 2 . . . 5 . 4 . . . 2 2 . . . 4 . 2 . . 2 6 . . . 4 . 4 . . . . . . 2 2 2 2 7 . . 2 2 2 . 2 . . 2 2 . . . . 4 8 . . . . . . 2 2 . . . 4 . 4 2 2 9 . 2 . . 2 . . 4 2 . 2 2 2 . . . A . 2 2 . . . . . 6 . . 2 . . 4 . B . . 8 . . 2 . 2 . . . . . 2 . 2 C . 2 . . 2 2 2 . . . . 2 . 6 . . D . 4 . . . . . 4 2 . 2 . 2 . 2 . E . . 2 4 2 . . . 6 . . . . . 2 . F . 2 . . 6 . . . . 4 . 2 . . 2 . (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 6 / 37

  7. Motivation Partial DDT-s Results Conclusions DDT: Analyzing the Differential Properties of an S-box A DDT reflects the differential properties of an S-box Many useful parameters can be computed from the DDT e.g. the maximum differential probability: α,β DP ( α → β ) = DP ( 0xB → 0x2 ) = 8 max 16 = 0 . 5 . Used to estimate the strength against DC e.g. set upper bound on the max. probability of a differential (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 7 / 37

  8. Motivation Partial DDT-s Results Conclusions Cipher Designs that Use S-boxes Many cipher designs use S-boxes as a component S S S S P Examples: DES, AES, PRESENT, etc. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 8 / 37

  9. Motivation Partial DDT-s Results Conclusions Modular Addition and XOR as Sources of Non-linearity a a b b a + b a ⊕ b ADD XOR ADD is non-linear w.r.t. XOR differences: ( a ⊕ α )+( b ⊕ β ) � = ( a + b ) ⊕ ( α + β ) . XOR is non-linear w.r.t. ADD differences ( a + α ) ⊕ ( b + β ) � = ( a ⊕ b ) + ( α ⊕ β ) . (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 9 / 37

  10. Motivation Partial DDT-s Results Conclusions Designs Based on ADD and XOR (ARX) ADD and XOR provide non-linearity similarly to an S-box ≪ ≪ ≪ ≪ Examples: FEAL, MD4, MD5, Salsa20, Skein, etc. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 10 / 37

  11. Motivation Partial DDT-s Results Conclusions The XOR Differential Probability of Modular Addition α , β , γ are XOR differences: α β xdp + γ xdp + ( α, β → γ ) = # { ( a , b ) : (( a ⊕ α ) + ( b ⊕ β ) ⊕ ( a + b )) = γ } . # { ( a , b ) } (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 11 / 37

  12. Motivation Partial DDT-s Results Conclusions The Additive Differential Probability of XOR α , β , γ are additive ( ADD ) differences: α β adp ⊕ γ adp ⊕ ( α, β → γ ) = # { ( a , b ) : (( a + α ) ⊕ ( b + β )) − ( a + b ) = γ } . # { ( a , b ) } (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 12 / 37

  13. Motivation Partial DDT-s Results Conclusions A DDT for ADD (resp. XOR )? Viewing the ADD operation as an S-box: S c = a + b = S [ a || b ] ( a , b ) The DDT of this S-box is huge: 2 64 × 2 32 Infeasible to compute and store the full table! Maybe we can only store part of the DDT, say, the top k differentials: k ≪ 2 64 × 2 32 . (1) A partial DDT? (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 13 / 37

  14. Motivation Partial DDT-s Results Conclusions Outline Motivation 1 Partial DDT-s 2 Results 3 Computation of pDDT-s: Timings Preliminary Results on TEA Conclusions 4 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 14 / 37

  15. Motivation Partial DDT-s Results Conclusions Partial DDT for XOR and ADD Definition A partial difference distribution table D for ADD (resp. XOR ) is a DDT that contains all XOR (resp. ADD ) differentials ( α, β → γ ) whose probabilities are larger than or equal to a pre-defined threshold p thres : ⇒ DP ( α, β → γ ) ≥ p thres . ( α, β, γ ) ∈ D ⇐ (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 15 / 37

  16. Motivation Partial DDT-s Results Conclusions Computation of a Partial DDT Proposition The differential probabilities (DP) of ADD and XOR (resp. xdp + and adp ⊕ ) are monotonously decreasing with the word size n of the differences α, β, γ : p n ≤ . . . ≤ p k + 1 ≤ p k ≤ p k − 1 ≤ . . . ≤ p 1 , where p k = DP ( α k , β k → γ k ) , n ≤ k ≤ 1 , and x k denotes the k LSB-s of the difference x. (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 16 / 37

  17. Motivation Partial DDT-s Results Conclusions The DP of ADD and XOR is Decreasing with n For ADD , the proposition follows from a result by [LM01]: i = 0 ¬ eq ( α [ i ] ,β [ i ] ,γ [ i ]) , xdp + ( α, β → γ ) = 2 − � n − 2 where eq ( α [ i ] , β [ i ] , γ [ i ]) = 1 ⇐ ⇒ α [ i ] = β [ i ] = γ [ i ] . Is also true for adp ⊕ . [LM01] Lipmaa, Moriai: Efficient Algorithms for Computing Differential Properties of Addition. FSE 2001: 336-350 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 17 / 37

  18. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 1 α β 0 1 1 . 0 1 γ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  19. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 2 α β 10 01 0 . 5 01 γ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  20. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 3 α β 110 001 0 . 25 001 γ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  21. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 4 α β 1110 0001 0 . 125 0001 γ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  22. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 5 α β 01110 00001 0 . 0625 00001 γ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  23. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 6 α β 101110 000001 0 . 0625 100001 γ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  24. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 7 α β 0101110 1000001 0 . 03125 1100001 γ 0 . 03125 ≤ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

  25. Motivation Partial DDT-s Results Conclusions Example: the DP of ADD is Decreasing with n n = 8 α β 00101110 11000001 0 . 015625 11100001 γ 0 . 015625 ≤ 0 . 03125 ≤ 0 . 0625 ≤ 0 . 0625 ≤ 0 . 125 ≤ 0 . 25 ≤ 0 . 5 ≤ 1 . 0 (Luxembourg University) On the Construction of DDTs for ARX ESC 2013 18 / 37

Recommend

Recap 1. We can use the t-distribution to estimate the probability of a difference between

Recap 1. We can use the t-distribution to estimate the probability of a difference between

Unit 3: Inference for Categorical and Numerical Data 3. Difference of many means (Chapter 4.4) 3/2/2020 Recap 1. We can use the t-distribution to estimate the probability of a difference between unpaired values. 2. Degrees of freedom

652 views • 28 slides
Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates Venice Grigsby Steps of a Partial Estimate (Creation Payment) Construction Project Closeout Chris Durbin Process

1.09k views • 54 slides
Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates

Construction Payment Venice Grigsby HQ Construction Audit Section Agenda Partial Estimates Venice Grigsby Steps of a Partial Estimate (Creation Payment) Construction Project Closeout Chris Durbin Process

837 views • 54 slides
Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang

Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang

Reconstructing an S-box from its Difference Distribution Table Orr Dunkelman, Senyang Huang Department of Computer Science, University of Haifa, Haifa, Israel 2020 . 11 . 5 Background and Motivation Difference Distribution Table (DDT) of an

830 views • 48 slides
Hadamard difference sets and corresponding regular partial difference sets in groups of order 144

Hadamard difference sets and corresponding regular partial difference sets in groups of order 144

Hadamard difference sets and corresponding regular partial difference sets in groups of order 144 Tanja Vu ci ci c University of Split, Croatia March 17, 2015 Tanja Vu ci ci c (University of Split, Croatia) ALCOMA15,Kloster

848 views • 51 slides
Partial Model Construction Given a clause set N and an ordering we can construct a (partial)

Partial Model Construction Given a clause set N and an ordering we can construct a (partial)

Partial Model Construction Given a clause set N and an ordering we can construct a (partial) model N I for N as follows: N C := D C D if D = D P , P strictly maximal and N D | { P } = D D := otherwise

394 views • 15 slides
Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem:

Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem:

Partial Operator Induction with Beta Distribution Nil Geisweiller AGI-18 Prague 1 Problem: Combining Models from Different Contexts Theory: Solomonoff Operator Induction and Beta Distribution Practice: Inference Control Meta-Learning 2

715 views • 33 slides
Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New

Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New

Partial difference equations over compact Abelian groups Tim Austin Courant Institute, NYU New York, NY, USA tim@cims.nyu.edu SETTING Z a compact (metrizable) Abelian group U 1 , . . . , U k closed subgroups of Z F ( Z ) { measurable

711 views • 27 slides
New examples of partial difference sets in finite nonabelian groups Eric Swartz The University

New examples of partial difference sets in finite nonabelian groups Eric Swartz The University

New examples of partial difference sets in finite nonabelian groups Eric Swartz The University of Western Australia 5 August 2013 Introduction Definitions Definition The groups, graphs, etc., considered in this talk will be finite.

717 views • 22 slides
Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical

Numerical Solutions to Partial Differential Equations Zhiping Li LMAM and School of Mathematical Sciences Peking University Finite Difference Methods for Hyperbolic Equations Finite Difference Schemes for Advection-Diffusion Equations A Model

555 views • 42 slides
Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle

Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle

Construction of Rate ( n 1) / n Non-Binary LDPC Convolutional Codes via Difference Triangle Sets Gianira N. Alfarano, Julia Lieb, Joachim Rosenthal University of Zurich gianiranicoletta.alfarano@math.uzh.ch ISIT 2020: IEEE International

654 views • 39 slides
Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in difference Card & Krueger (1995,AER) Rise in minimum wage from 4,2$ to 5,05$ in April 1992 in the State of New Jersey. Research question:

405 views • 28 slides
Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we

Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we

Unit 3: Inference for Categorical and Numerical Data 3. Difference of two means (Chapter 4.3) 2/26/2020 Quiz 3 - Difference of Proportions and T-values Recap 1. When our samples are too small, we shouldnt use the Normal distribution. We

353 views • 20 slides
Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst

Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst

Construction of malaria gene expression network using partial correlations Raya Khanin and Ernst Wit Department of Statistics University of Glasgow, UK www.stats.gla.ac.uk/~raya/suppldata.html The analytical objective Construct gene

1.55k views • 18 slides
SCHOOLS MAKE A CHILDHOOD ORIGINS WHAT SCHOOLS HUGE DIFFERENCE OF CRIME CAN DO (partial

SCHOOLS MAKE A CHILDHOOD ORIGINS WHAT SCHOOLS HUGE DIFFERENCE OF CRIME CAN DO (partial

18/09/2017 CHILDHOOD ORIGINS OF ADULT HAPPINESS (partial correlation coefficients) MENTAL HEALTH IN Highest .07 qualification ADULT SCHOOLS LIFE Behaviour .03 at 16 SATIS- Richard Layard Emotional FACTION .10 12 September 2017

606 views • 4 slides
Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting in German Partial VPs Partial APs Kordula De Kuthy Detmar Meurers Partial NPs Interaction: Partial constituents embedded in VPs

224 views • 7 slides
CENTRAL FLORIDA EXPRESSWAY AUTHORITY CONSTRUCTION UPDATE: FEB. 2015 Ben Dreiling, P .E. |

CENTRAL FLORIDA EXPRESSWAY AUTHORITY CONSTRUCTION UPDATE: FEB. 2015 Ben Dreiling, P .E. |

CENTRAL FLORIDA EXPRESSWAY AUTHORITY CONSTRUCTION UPDATE: FEB. 2015 Ben Dreiling, P .E. | Director of Construction & Maintenance CONSTRUCTION UPDATE Recent Accomplishments SR 417 Partial Interchange w/ Floridas Turnpike Work

695 views • 40 slides
Partial Groups and Homology Groups, Partial Groups, Homology, Topology The homology of a

Partial Groups and Homology Groups, Partial Groups, Homology, Topology The homology of a

Partial Groups and Homology Groups, Partial Groups, Homology, Topology The homology of a group. The bar construction. Can the homology of a group be computed effectively? Partial Groups. Examples from Topology. How is the

754 views • 30 slides
JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the first order) by A.J.Hobson 14.1.1 Functions of several variables 14.1.2 The definition of a partial derivative UNIT 14.1 PARTIAL DIFFERENTIATION

295 views • 8 slides
Incremental Basis Construction from Temporal Difference Error Yi Sun, Faustino Gomez, Mark Ring,

Incremental Basis Construction from Temporal Difference Error Yi Sun, Faustino Gomez, Mark Ring,

Incremental Basis Construction from Temporal Difference Error Yi Sun, Faustino Gomez, Mark Ring, J urgen Schmidhuber IDSIA, USI & SUPSI, Switzerland June 2011 Sun,Gomez,Ring,Schmidhuber (IDSIA) Incremental Basis Construction 06/11 1 /

1.03k views • 84 slides
Recap from last time 1. You can use the Normal approximation for the difference of two

Recap from last time 1. You can use the Normal approximation for the difference of two

Unit 3: Inference for Categorical and Numerical Data 3. The t -distribution (Chapter 4.1-4.2) 2/24/2020 Recap from last time 1. You can use the Normal approximation for the difference of two proportions 2. The margin of error is not just

879 views • 33 slides
Controllability and stability of difference equations and applications Guilherme Mazanti

Controllability and stability of difference equations and applications Guilherme Mazanti

Controllability and stability of difference equations and applications Guilherme Mazanti Nonlinear Partial Differential Equations and Applications A conference in the honor of Jean-Michel Coron for his 60 th birthday Paris June 20 th , 2016

1.13k views • 55 slides
Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents

Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents Fine-Mesh Finite Difference Formulations Inhyung Kim a and Yonghee Kim

1.01k views • 4 slides
Partial pro-drop = zero exponence + deblocking? Eric Fu, Goethe University Frankfurt Amsterdam,

Partial pro-drop = zero exponence + deblocking? Eric Fu, Goethe University Frankfurt Amsterdam,

Partial pro-drop = zero exponence + deblocking? Eric Fu, Goethe University Frankfurt Amsterdam, 16.01.2009 1. Introduction Availability of null subjects: Typological difference between Italian (Spanish, Greek ... ) vs. English (German,

473 views • 12 slides

More recommend