some cryptanalytic results on triad
play

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, - PowerPoint PPT Presentation

Dec 22, 2022 •343 likes •1.1k views

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu) Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium

  1. Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu)

  2. Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium -like ciphers Our Contribution Conclusion

  4. ◮ Call for Lightweight Cryptographic Algorithms

  5. ◮ Call for Lightweight Cryptographic Algorithms ◮ Total 56 candidates selected for Round 1

  6. ◮ Call for Lightweight Cryptographic Algorithms ◮ Total 56 candidates selected for Round 1 ◮ TRIAD [2] is one of them

  7. TRIAD Family 4 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data

  8. TRIAD Family 4 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data ◮ TRIAD-HASH follows the extended sponge based construction

  9. TRIAD Family 5 TRIAD TRIAD-AE TRIAD-HASH Triad-SC Triad-MAC ◮ TRIAD-AE provides authenticated encryption with associated data ◮ TRIAD-HASH follows the extended sponge based construction

  10. TRIAD adopts Trivium -like Structure

  11. TRIAD - AE Vs Trivium

  12. TRIAD - AE Vs Trivium State size 256 bits 288 bits

  13. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits

  14. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits

  15. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits Initialization 1024 round 1152 round

  16. TRIAD - AE Vs Trivium State size 256 bits 288 bits Key size 128 bits 80 bits Nonce/IV size 96 bits 80 bits Initialization 1024 round 1152 round Type AEAD - AEAD - Authenticated encryption with associated data

  17. Attacks on Trivium -like ciphers

  18. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009

  19. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key

  20. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack

  21. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack ◮ Cube attacks are closely related to higher order differential attacks

  22. Cube Attack 9 ◮ Introduced by Dinur and Shamir [3] in 2009 ◮ Attempts to guess atleast one bit of secret key ◮ With complexity less than the brute-force attack ◮ Cube attacks are closely related to higher order differential attacks ◮ Cube attacks use algebraic rather than statistical techniques to find the secret key

  23. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009

  24. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction

  25. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario

  26. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario ◮ Cube testers are based on efficient testing properties

  27. Cube Tester 10 ◮ Introduced by Aumasson et. al [1] in 2009 ◮ Cube testers detect non-random behavior rather than performing key extraction ◮ Cube tester distinguishes a given cipher from a truly random scenario ◮ Cube testers are based on efficient testing properties Distinguisher Non-randomness (control over the public variables only) (control over the public and private variables both)

  28. Structure of TRIAD-AE 11 z t = f ( K, IV ), where f is a Boolean function

  29. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2

  30. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly

  31. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly ◮ { n 1 , n 2 } involved in term are referred as cube variables

  32. Cube and Superpoly 12 Example ◮ f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = k 1 + k 1 k 2 n 1 + k 3 n 1 n 2 + n 1 n 2 ◮ Rewrite f as term ���� f ( k 1 , k 2 , k 3 , n 1 , n 2 , n 3 ) = ( k 3 + 1) n 1 n 2 +( k 1 + k 1 k 2 n 1 ) � �� � superpoly ◮ { n 1 , n 2 } involved in term are referred as cube variables ◮ Observe � f ( · ) = k 3 + 1 = superpoly { n 1 ,n 2 }∈ F 2 2

  33. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient

  34. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2

  35. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks

  36. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation?

  37. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation? Answer: It is a hard problem.

  38. Algebraic Degree 13 ◮ The no. of variables in the highest order monomial with non-zero coefficient Ex. The algebraic degree of f w.r.t. IV as variable is 2 ◮ Cryptographic primitives with low algebraic degree are vulnerable to many attacks Question: Can we do the algebraic calculation? Answer: It is a hard problem. Since after sufficient no. of rounds, a well-designed stream cipher has complicated expression

  39. Our Contribution

  40. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE

  41. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE ◮ We provide a method to search good cube

  42. Our Contribution 15 ◮ We give an algorithm which iteratively approximates the algebraic degree of TRIAD-AE ◮ We provide a method to search good cube ◮ We observe some cubes in the reduced version of the cipher

  43. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by 1 Non-linear feedback shift registers

  44. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by A t = ( a t , a t − 1 , . . . , a t − n A +1 ) , B t = ( b t , b t − 1 , . . . , b t − n B +1 ) , C t = ( c t , c t − 1 , . . . , c t − n C +1 ) . And the corresponding feedback functions are given by a t = c t − i 1 · c t − i 2 ⊕ l A ( s ( t − 1) ) , b t = a t − j 1 · a t − j 2 ⊕ b t − j 3 · c t − j 3 ⊕ l B ( s ( t − 1) ) , c t = b t − k 1 · b t − k 2 ⊕ l C ( s ( t − 1) ) , 1 Non-linear feedback shift registers

  45. Approximation of Algebraic Degree of TRIAD-AE 16 Let A t , B t and C t be the corresponding states of NFSRs 1 A , B and C (resp. of length n A , n B and n C ) at clock t given by A t = ( a t , a t − 1 , . . . , a t − n A +1 ) , B t = ( b t , b t − 1 , . . . , b t − n B +1 ) , C t = ( c t , c t − 1 , . . . , c t − n C +1 ) . And the corresponding feedback functions are given by a t = c t − i 1 · c t − i 2 ⊕ l A ( s ( t − 1) ) , b t = a t − j 1 · a t − j 2 ⊕ b t − j 3 · c t − j 3 ⊕ l B ( s ( t − 1) ) , c t = b t − k 1 · b t − k 2 ⊕ l C ( s ( t − 1) ) , where 1 ≤ j 1 < j 2 < n A and j 2 < j 3 < n B = n C . 1 Non-linear feedback shift registers

  46. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max

  47. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max ◮ Handle 4 different cases for clock t ◮ ( t − j 1 ) ≤ 0

  48. Algorithm 1 17 ◮ To estimate the degree of b t , calculate the degree of quadratic and linear part separately and take their max ◮ Handle 4 different cases for clock t ◮ ( t − j 1 ) ≤ 0 ◮ 1 + j 1 ≤ t ≤ j 2

Recommend

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup

THE TRIAD THE TRIAD APPROACH APPROACH The Triad Approach to make contaminated sites cleanup projects better and more cost-effective. Case: Complementary laboratory (ICP, etc) and field XRF analysis Drs Ben Keet

411 views • 30 slides
Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF,

Some cryptanalytic results on Stream ciphers with short internal states Subhadeep Banik EPF, Lausanne Invited Talk to ASK 2019 14th December 2019 Outline Introduction Sprout (FSE15) Previous Work Attack by Esgin/Kara (SAC 2015)

597 views • 46 slides
Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki

Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki

T-79.514 Special Course on Cryptology September 30, 2004 Recent Cryptanalytic Results on Dedicated Hash Functions. Markku-Juhani O. Saarinen Helsinki University of Technology mjos@tcs.hut.fi T.79-514 Markku-Juhani O. Saarinen 1 Terminology

646 views • 35 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Managed by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los Alamos National Laboratory STILTS you Or why LANL doesnt use HSM nt wo Brad Settlemyer May 22, 2019 Managed by Triad National Security, LLC for

246 views • 7 slides
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic Techniques Summer school 2007 1

706 views • 57 slides
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein

The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

1.53k views • 130 slides
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of

Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack Square Attack D.

305 views • 16 slides
The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom

The Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on

784 views • 55 slides
6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be

6. (3 pts) What three things form the deadly triad the three things that cannot be combined in the same learning situation without risking divergence? (circle three) (a) eligibility traces (b) bootstrapping (c) sample backups (d)

146 views • 14 slides
eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait

eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait

eric gilbert | asst prof | georgia tech [Gilbert &amp; Karahalios. CHI 2009] Triad Trait Example design problem When chatting with A and C, 1. Visibility A C how does B not highlight the forbidden triad? B 2. Visibility B hears

508 views • 13 slides
Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an

Energy-Efficient ARM64 Cluster with Cryptanalytic Applications 80 Cores That Do Not Cost You an ARM and a Leg Latincrypt 2017, 21st September 2017 1/19 Thom Wiggers Outline Introduction Building a cheap cluster The Cortex-A53 Breaking ECC

741 views • 70 slides
Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer

Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer

Multiple NewMITM Dissection Summary Multiple Encryption New Cryptanalytic Algorithms and Applications Orr Dunkelman Computer Science Department University of Haifa 4th July, 2013 Orr Dunkelman Multiple Encryption 1/ 35 Multiple

1.49k views • 110 slides
A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg

A Side-Channel Assisted Cryptanalytic Attack Against QcBits Mlissa Rossi Mike Hamburg Michael Hutter Mark E. Marson Possible path for post-quantum security Error-correcting codes Quantum computers may threaten the mathematical

892 views • 66 slides
Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya

Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya

Cryptanalytic Extraction of Neural Network Models Nicholas Carlini 1 , Matthew Jagielski 12 , Ilya Mironov 13 1 Google, 2 Northeastern, 3 Facebook Solve For W Given: Given: Given: CAT Our Question: Given query access to a neural network,

1.8k views • 122 slides
he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los

he ur Operated by Triad National Security, LLC for the U.S. Department of Energy's NNSA Los Alamos National Laboratory LA-UR-19-24811 Understanding Storage System Challenges you for Parallel Scientific Simulations nt wo Brad Settlemyer

624 views • 27 slides
Studying the Dark Triad of Personality through Twitter Behavior Daniel Preot iuc-Pietro

Studying the Dark Triad of Personality through Twitter Behavior Daniel Preot iuc-Pietro

Studying the Dark Triad of Personality through Twitter Behavior Daniel Preot iuc-Pietro Jordan Carpenter, Salvatore Giorgi, Lyle Ungar Positive Psychology Center Computer and Information Science University of Pennsylvania October 26, 2016

436 views • 40 slides
How to Tame the Terrible Triad of the Elbow Michael D. McKee, MD, FRCS(C) Professor and

How to Tame the Terrible Triad of the Elbow Michael D. McKee, MD, FRCS(C) Professor and

How to Tame the Terrible Triad of the Elbow Michael D. McKee, MD, FRCS(C) Professor and Chair, Department of Orthopaedic Surgery University of Arizona, College of Medicine, Phoenix, AZ Bony structures Bony congruity

550 views • 19 slides
Studying the Dark Triad of Personality through Twitter Behavior Author: Daniel Preotiuc-Pietro,

Studying the Dark Triad of Personality through Twitter Behavior Author: Daniel Preotiuc-Pietro,

Studying the Dark Triad of Personality through Twitter Behavior Author: Daniel Preotiuc-Pietro, Jordan Carpenter, Salvatore Giorgi, Lyle Ungar Source: CIKM16 Advisor: Jia-Ling Koh Speaker: Avon Yu Date: 2016/11/22 1 Outline

892 views • 25 slides
COMMERCIAL SPACE REVITALIZATION Chairman/CEO, Triad Associates LARGE SQUARE FOOT AREAS ARE

COMMERCIAL SPACE REVITALIZATION Chairman/CEO, Triad Associates LARGE SQUARE FOOT AREAS ARE

BROAD APPROACHES TO Presented by: Michael Zumpino, COMMERCIAL SPACE REVITALIZATION Chairman/CEO, Triad Associates LARGE SQUARE FOOT AREAS ARE DIFFICULT TO LEASE OR SUBDIVIDE SUCH AS: Department Stores COMMON Bank Buildings Gas

388 views • 10 slides
Subcontractor Forum 2019 August 8, 2019 Managed by Triad National Security, LLC for the U.S.

Subcontractor Forum 2019 August 8, 2019 Managed by Triad National Security, LLC for the U.S.

Subcontractor Forum 2019 August 8, 2019 Managed by Triad National Security, LLC for the U.S. Department of Energys NNSA LA-UR-19-27983 Agenda Tewa Pre-Function 07:00 08:00 Registration Tewa Ballroom (General Session) 08:00 08:10

910 views • 54 slides
Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06 Class 2 Submission November 14, 2006 Brad Chamberlain, Steve Deitz, Mary Beth Hribar, Wayne Wong Chapel Team, Cray Inc. Overview Chapel:

927 views • 16 slides
Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06

Global HPCC Benchmarks in Chapel: STREAM Triad, Random Access, and FFT HPC Challenge BOF, SC06 Class 2 Submission November 14, 2006 Brad Chamberlain, Steve Deitz, Mary Beth Hribar, Wayne Wong Chapel Team, Cray Inc. Overview Chapel:

321 views • 15 slides
The Physician-Patient-Pharmacist Triad Physician examines and diagnoses patients complaint,

The Physician-Patient-Pharmacist Triad Physician examines and diagnoses patients complaint,

The Physician-Patient-Pharmacist Triad Physician examines and diagnoses patients complaint, and if appropriate prescribes a drug or treatment. No conflict of interest if physician does not profit from prescription. Patient, free of any

460 views • 23 slides

More recommend