rotational cryptanalysis in the presence of constants
play

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur - PowerPoint PPT Presentation

Jun 02, 2023 •383 likes •1.12k views

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

  1. Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1

  2. Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion 2

  3. ARX 3

  4. ARX • Symmetric-key designs 3

  5. ARX • Symmetric-key designs • Addition + Rotation + XOR 3

  6. ARX • Symmetric-key designs • Addition + Rotation + XOR • Differential cryptanalysis and linear cryptanalysis 3

  7. ARX • Symmetric-key designs • Addition + Rotation + XOR • Differential cryptanalysis and linear cryptanalysis • Rotational cryptanalysis 3

  8. Differences 4

  9. Differences XOR difference x ⊕ δ x E k E k y y ⊕ ∆ 4

  10. Differences Modular difference XOR difference x x ⊞ δ x ⊕ δ x E k E k E k E k y y ⊞ ∆ y y ⊕ ∆ 4

  11. Differences Modular difference Rotational difference XOR difference x x ⊞ δ x x ≪ r x ⊕ δ x E k E k E k E k E k E k y y y ≪ r y ⊞ ∆ y y ⊕ ∆ 4

  12. Rotational Cryptanalysis 5

  13. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) 5

  14. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) XOR ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r 5

  15. Rotational Cryptanalysis Circular Rotation ( x ≪ r ) ≪ s = x ≪ ( r + s ) XOR ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p 5

  16. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p 6

  17. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p When r = 1 , p achieves the maximum. p = 2 − 1 . 415 6

  18. Rotational Cryptanalysis Modular Addition ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r with probability p When r = 1 , p achieves the maximum. p = 2 − 1 . 415 Denote x ≪ 1 by ← − x for simplicity. 6

  19. Rotational Cryptanalysis Rotational Cryptanalysis (v1), [KN10] The probability that a rotational distinguisher holds for an ARX primitive is determined by the number of modular additions. Pr = (2 − 1 . 415 ) # ⊞ [KN10]: D. Khovratovich, I. Nikolic: Rotational Cryptanalysis of ARX, FSE 2010 7

  20. Rotational Cryptanalysis Rotational Cryptanalysis (v2), [KNP+15] The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. 8

  21. Rotational Cryptanalysis Rotational Cryptanalysis (v2), [KNP+15] The probability that a rotational distinguisher holds for an ARX primitive is dependent with the chained modular additions. ( x ≪ r ) ⊞ ( y ≪ r ) = ( x ⊞ y ) ≪ r ( x ≪ r ) ⊞ ( y ≪ r ) ⊞ ( z ≪ r ) = ( x ⊞ y ⊞ z ) ≪ r [KNP+15]: D. Khovratovich, I. Nikolic, J. Pieprzyk, P. Sokolowski, R. Steinfeld: Rotational Cryptanalysis of ARX Revisited. FSE 2015 8

  22. Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment Verification Conclusion 9

  23. ARX with constants 10

  24. ARX with constants • Complete system ARX-C 10

  25. ARX with constants • Complete system ARX-C • Constants come with keys and round constants 10

  26. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r 10

  27. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r XOR with a constant ( x ≪ r ) ⊕ k 10

  28. ARX with constants • Complete system ARX-C • Constants come with keys and round constants XOR with a rotational variable ( x ≪ r ) ⊕ ( y ≪ r ) = ( x ⊕ y ) ≪ r XOR with a constant ( x ≪ r ) ⊕ k • Previous analyses: experiment 10

  29. Rotational cryptanalysis on ARX-C 11

  30. Rotational cryptanalysis on ARX-C x ≪ r x E k E k y y ≪ r 11

  31. Rotational cryptanalysis on ARX-C x ′ = x ≪ r x x ≪ r x E k E k E k E k y y ≪ r y y ′ ⊕ δ = y ≪ r 11

  32. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) 12

  33. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) 12

  34. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) (( a 1 , a 2 ) , γ ) -Rotational-XOR difference (RX-difference) ( x ⊕ a 1 , ( x ≪ γ ) ⊕ a 2 ) 12

  35. Rotational-XOR difference Combine rotational difference with XOR difference ( x, ( x ≪ γ ) ⊕ a ) (( a 1 , a 2 ) , γ ) -Rotational-XOR difference (RX-difference) ( x ⊕ a 1 , ( x ≪ γ ) ⊕ a 2 ) equivalent to (˜ x, (˜ x ≪ γ ) ⊕ ( a 1 ≪ γ ) ⊕ a 2 ) 12

  36. Rotational-XOR difference through ARX 13

  37. Rotational-XOR difference through ARX Rotation ≪ γ x → x ≪ γ − − − ≪ γ → ← − − − − ← − x ⊕ a x ≪ γ ⊕ ( a ≪ γ ) − − − ≪ γ ⇒ ((0 , a ) , 1) → ((0 , a ≪ γ ) , 1) − − − 13

  38. Rotational-XOR difference through ARX Rotation ≪ γ x → x ≪ γ − − − ≪ γ → ← − − − − ← − x ⊕ a x ≪ γ ⊕ ( a ≪ γ ) − − − ≪ γ ⇒ ((0 , a ) , 1) → ((0 , a ≪ γ ) , 1) − − − XOR ⊕ x, y → x ⊕ y − − → ← − − − ← x ⊕ a, ← − − ⊕ y ⊕ b x ⊕ y ⊕ ( a ⊕ b ) − − ⊕ ⇒ ((0 , a ) , 1) , ((0 , b ) , 1) → ((0 , a ⊕ b ) , 1) − − 13

  39. Rotational-XOR difference through ARX Modular addition 14

  40. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 14

  41. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: 14

  42. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: x = L ( x ) R ( x ) = L 0 ( x ) R 0 ( x ) γ bits γ bits 14

  43. Rotational-XOR difference through ARX Modular addition ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 = ( ← x ⊕ a 2 ) ⊞ ( ← − − y ⊕ b 2 ) ⊕ ∆ 2 Sketch of proof: x = L ( x ) R ( x ) = L 0 ( x ) R 0 ( x ) γ bits γ bits The addition of two variables: L ( x ) R ( x ) L ( y ) R ( y ) x one bit of carry � L ( x ) � L ( y ) � C 1 R ( x ) � R ( y ) n − γ 14

  44. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) 15

  45. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) = (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) || (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 n − γ ) ⊕ L (∆ 1 ) . 15

  46. proof continued LHS: ← − − − − − − − − − − − − − − − − − − ( x ⊕ a 1 ) ⊞ ( y ⊕ b 1 ) ⊕ ∆ 1 ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 = n − γ ) ⊕ L (∆ 1 ) || (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) = (( R ( x ) ⊕ R ( a 1 )) ⊞ ( R ( y ) ⊕ R ( b 1 ))) ⊕ R (∆ 1 ) || (( L ( x ) ⊕ L ( a 1 )) ⊞ ( L ( y ) ⊕ L ( b 1 )) ⊞ C 1 n − γ ) ⊕ L (∆ 1 ) . RHS: ( ← − x ⊕ a 2 ) ⊞ ( ← − y ⊕ b 2 ) ⊕ ∆ 2 ′ ( a 2 )) ⊞ ( R ( y ) ⊕ L ′ ( b 2 )) ⊞ C 2 ′ (∆ 2 ) || = (( R ( x ) ⊕ L γ ) ⊕ L ′ ( a 2 )) ⊞ ( L ( y ) ⊕ R ′ ( b 2 ))) ⊕ R ′ (∆ 2 ) . (( L ( x ) ⊕ R 15

Recommend

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National

Rotational-XOR cryptanalysis on ARX and AND-RX ciphers Yunwen Liu ASK 2019 at Kobe National University of Defense Technology 1 Acknowledgement This talk is based on the joint works with: Tomer Ashur, Adrin Ranea & Glenn De Witte from

552 views • 31 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents

1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents

1 AP Physics C Mechanics Rotational Motion 20151203 www.njctl.org 2 Table of Contents Click on the topic to go to that section Rotational Kinematics Review Rotational Dynamics Rotational Kinetic Energy Angular Momentum

1.46k views • 130 slides
AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of

AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of

Slide 1 / 130 Slide 2 / 130 AP Physics C - Mechanics Rotational Motion 2015-12-03 www.njctl.org Slide 3 / 130 Table of Contents Click on the topic to go to that section Rotational Kinematics Review Rotational Dynamics Rotational

562 views • 54 slides
Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the

Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the

Rotational Dynamics I Rotational Kinetic Energy Moment of Inertia Calculating the Moment of Inertia Vector Product Torque Newtons 2nd Law for Rotation Homework 1 Rotational Kinetic Energy K i = 1 i = 1 2 m i v 2 2 m

538 views • 15 slides
Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass

Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass

Rotation of a Rigid Body Topics: Rotational Motion Rotation About the Center of Mass Rotational Energy Calculating Moment of Inertia Torque Rotational Dynamics Rotation About a Fixed Axis Static Equilibrium

160 views • 3 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational

Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational

Rotational-vibrational spectroscopy: Rotation and Vibration Rotational-vibrational spectroscopy Energy states provided by sum of rotational and vibrational energy: n,J = ( n +1/2) + B J(J+1) CO spectrum

310 views • 10 slides
6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will

6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will

6. A Constants and IOL Formula www.medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will learn About A Constants, Optical and Ultrasound How to calculate IOL Power? Which constants used in di ff erent formula? What is ELP

297 views • 25 slides
Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories

Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories

20/05/2010 20/05/2010 IHES IHES Fundamental constants, gravitation and cosmology Jean-Philippe UZAN Constants Physical theories involve constants These parameters cannot be determined by the theory that introduces them. These arbitrary

702 views • 52 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Constants Objectives Describe ways to create constants const readonly enum 2

Constants Objectives Describe ways to create constants const readonly enum 2

Constants Objectives Describe ways to create constants const readonly enum 2 Motivation Idea of constant is useful makes programs more readable allows more compile time error checking 3 Const Keyword const used

253 views • 23 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation

A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation

A New Post-processing Method to Deal with the Rotational Indeterminacy Problem in MCMC Estimation Kensuke Okada 1 Shin-ichi Mayekawa 2 1 Senshu University 2 Tokyo Institute of Technology August 26 2010 Rotational indeterminacy Infinite

317 views • 19 slides
3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3

3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3

Joints = rotations Rotational DOFs are widely used in character animation 3 translational DOFs 3D orientation 48 rotational DOFs Each joint can have up to 3 DOFs 1 DOF: knee 2 DOF: wrist 3 DOF: arm representation of Orientation Translation

361 views • 10 slides
AP Physics C Rotational Motion Multiple Choice www.njctl.org Slide 3 / 42 1 Torque is the

AP Physics C Rotational Motion Multiple Choice www.njctl.org Slide 3 / 42 1 Torque is the

Slide 1 / 42 Slide 2 / 42 AP Physics C Rotational Motion Multiple Choice www.njctl.org Slide 3 / 42 1 Torque is the rotational analogue of: A kinetic energy B linear momentum C acceleration D force E mass Slide 4 / 42 2 A wooden square

617 views • 14 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
k ISTLER The Art of Fabricating a Rotational Accelerometer OBJECTIVE Briefly review the need

k ISTLER The Art of Fabricating a Rotational Accelerometer OBJECTIVE Briefly review the need

The Art of Fabricating a Rotational Accelerometer by Mike Insalaco k ISTLER The Art of Fabricating a Rotational Accelerometer OBJECTIVE Briefly review the need for a device Discuss difficulty using commercial hardware Review

527 views • 16 slides
Rotational Motion www.njctl.org Slide 3 / 132 Slide 4 / 132 Table of Contents How to Use this

Rotational Motion www.njctl.org Slide 3 / 132 Slide 4 / 132 Table of Contents How to Use this

Slide 1 / 132 Slide 2 / 132 Rotational Motion www.njctl.org Slide 3 / 132 Slide 4 / 132 Table of Contents How to Use this File Click on the topic to go to that section Each topic is composed of brief direct instruction Rotational

604 views • 22 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Macros Eric McCreath Constants Macros provide a simple way of creating constants in your code.

Macros Eric McCreath Constants Macros provide a simple way of creating constants in your code.

Macros Eric McCreath Constants Macros provide a simple way of creating constants in your code. #define MAXLEN 200 #define HEIGHT 5.98 They really are just text replacement rules. #define MYSIZE 100 + 5 x = 5 * MYSIZE; // would turn into x

300 views • 4 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides

More recommend