the additive differential probability of arx
play

The Additive Differential Probability of ARX V. Velichkov N. Mouha - PowerPoint PPT Presentation

Dec 09, 2023 •302 likes •789 views

Introduction ARX S-functions adp ARX Experiments The Additive Differential Probability of ARX V. Velichkov N. Mouha C. De Cannire B. Preneel ESAT/COSIC, K.U.Leuven; IBBT FSE 2011, February 14-16, Lyngby, Denmark 1 / 47 Introduction

  1. Introduction ARX S-functions adp ARX Experiments The Additive Differential Probability of ARX V. Velichkov N. Mouha C. De Cannière B. Preneel ESAT/COSIC, K.U.Leuven; IBBT FSE 2011, February 14-16, Lyngby, Denmark 1 / 47

  2. Introduction ARX S-functions adp ARX Experiments Outline Introduction ARX S-functions adp ARX Experiments 2 / 47

  3. Introduction ARX S-functions adp ARX Experiments Outline Introduction ARX S-functions adp ARX Experiments 3 / 47

  4. Introduction ARX S-functions adp ARX Experiments Differential Cryptanalysis p 1 ∆ p p 2 a 1 a 2 ∆ a b 1 ∆ b b 2 c 1 ∆ c c 2 P (∆ p → ∆ c ) =? 4 / 47

  5. Introduction ARX S-functions adp ARX Experiments Addition, Rotation, XOR Combining ⊞ , ≪ , ⊕ improves resistance to differential cryptanalysis a 1 ◮ Addition ( ⊞ ) : non-linearity ◮ Rotation ( ≪ ) : diffusion within a ARX single word ◮ XOR ( ⊕ ): diffusion between words b 1 5 / 47

  6. Introduction ARX S-functions adp ARX Experiments Differential Properties of Addition, Rotation, XOR: Previous Work P ARX ⊞ ≪ ⊕ adp ≪ adp ⊕ adp ARX ∆ + 1 xdp ARX ⇔ xdp + xdp + ∆ ⊕ 1 1 adp : additive differential probability xdp : xor differential probability 6 / 47

  7. Introduction ARX S-functions adp ARX Experiments Outline Introduction ARX S-functions adp ARX Experiments 7 / 47

  8. Introduction ARX S-functions adp ARX Experiments The ARX Operation ARX ( a , b , d , r ) = (( a + b ) ≪ r ) ⊕ d = e a b d ≪ r e 8 / 47

  9. Introduction ARX S-functions adp ARX Experiments adp ARX : the Additive Differential Probability of ARX → ∆ e ) � |{ ( c 1 , d 1 ) : e 2 − e 1 = ∆ e }| r adp ARX (∆ c , ∆ d − |{ ( c 1 , d 1 ) }| ( a 1 , a 1 + ∆ a ) ( b 1 , b 1 + ∆ b ) ( d 1 , d 1 + ∆ d ) ≪ r ( c 1 , c 1 + ∆ c ) ( e 1 , e 2 ) : ∆ e 9 / 47

  10. Introduction ARX S-functions adp ARX Experiments Estimation of adp ARX using adp ≪ and adp ⊕ r r adp ARX (∆ c , ∆ d → ∆ e ) ≈ adp ≪ (∆ c → ∆ q i ) · adp ⊕ (∆ q i , ∆ d → ∆ e ) � − − i ∆ a ∆ b ∆ d adp ≪ ≪ r ∆ c ∆ q i ∆ e adp ⊕ 10/ 47

  11. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 ≪ 1 ∆ e = 1 11/ 47

  12. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 1 ≪ 1 ∆ c = 8 ∆ e = 1 12/ 47

  13. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 2 − 1 1 ≪ 1 ∆ c = 8 ∆ q 1 = 1 ∆ e = 1 13/ 47

  14. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 2 − 1 2 − 1 1 ≪ 1 ∆ c = 8 ∆ q 1 = 1 , ∆ q 2 = 15 ∆ e = 1 14/ 47

  15. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 2 − 1 2 − 1 1 ≪ 1 ∆ c = 8 ∆ q 1 = 1 , ∆ q 2 = 15 2 − 1 . 54 ∆ e = 1 2 − 1 . 54 15/ 47

  16. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ adp ≪ · adp ⊕ = 2 − 1 · 2 − 1 . 54 + 2 − 1 · 2 − 1 . 54 = 2 − 1 . 54 � � = adp ARX = 2 − 1 16/ 47

  17. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 ∆ q = 1 ≪ 1 ∆ c = 8 ( q 1 , q 2 ) = ( 1 , 2 ) ∆ e = 1 17/ 47

  18. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 ∆ q = 1 ≪ 1 ∆ c = 8 ( q 1 , q 2 ) = ( 1 , 2 ) ∆ e = 1 18/ 47

  19. Introduction ARX S-functions adp ARX Experiments 4-bit Example: adp ARX � = � adp ≪ · adp ⊕ ∆ a = 8 ∆ b = 0 ∆ d = 0 ∆ q = 1 ≪ 1 ∆ c = 8 � = ∆ c ′ = 9 ( q 1 , q 2 ) = ( 1 , 2 ) ≫ 1 ∆ e = 1 19/ 47

  20. Introduction ARX S-functions adp ARX Experiments ARX as a Single Operation ∆ a ∆ b ∆ d ≪ r ∆ c ∆ q ∆ e 20/ 47

  21. Introduction ARX S-functions adp ARX Experiments Outline Introduction ARX S-functions adp ARX Experiments 21/ 47

  22. Introduction ARX S-functions adp ARX Experiments S-function [Mouha et al.,SAC 2010] Simple 4-bit example: a + b = c ( c [ i ] , S [ i + 1 ]) = f ( a [ i ] , b [ i ] , S [ i ]) , 0 ≤ i < 4 . a [ 3 ] b [ 3 ] a [ 2 ] b [ 2 ] a [ 1 ] b [ 1 ] a [ 0 ] b [ 0 ] S [ 4 ] S [ 3 ] S [ 2 ] S [ 1 ] S [ 0 ] c [ 3 ] c [ 2 ] c [ 1 ] c [ 0 ] 22/ 47

  23. Introduction ARX S-functions adp ARX Experiments S-functions: General Case An S-function accepts n -bit words a 1 , a 2 , . . . , a k and an n -digit input state S , and produces an n -bit output word b : ( b [ i ] , S [ i + 1 ]) = f ( a 1 [ i ] , a 2 [ i ] , . . . , a k [ i ] , S [ i ]) , 0 ≤ i < n . a 1 [ n − 1] a 2 [ n − 1] a k [ n − 1] a 1 [1] a 2 [1] a k [1] a 1 [0] a 2 [0] a k [0] . . . . . . . . . S [ n ] S [ n − 1] S [2] S [1] S [0] f f f . . . b [ n − 1] b [1] b [0] 23/ 47

  24. Introduction ARX S-functions adp ARX Experiments S-function for adp ⊕ (∆ e [ i ] , S [ i + 1 ]) = f ( c 1 [ i ] , d 1 [ i ] , ∆ c [ i ] , ∆ d [ i ] , S [ i ]) , 0 ≤ i < n ∆ c ∆ d c 2 ← c 1 + ∆ c ,    d 2 ← d 1 + ∆ d ,      e 1 ← c 1 ⊕ d 1 , e 2 ← c 2 ⊕ d 2 ,      ∆ e ← e 2 − e 1   ∆ e 24/ 47

  25. Introduction ARX S-functions adp ARX Experiments The State S The state S [ i + 1 ] at time i + 1 is composed of two carries and one borrow : S [ i + 1 ] ← ( s 1 [ i + 1 ] , s 2 [ i + 1 ] , s 3 [ i + 1 ]) , where s 1 [ i + 1 ] ← ( c 1 [ i ] + ∆ c [ i ] + s 1 [ i ]) ≫ 1 , s 2 [ i + 1 ] ← ( d 1 [ i ] + ∆ d [ i ] + s 2 [ i ]) ≫ 1 , s 3 [ i + 1 ] ← ( e 2 [ i ] − e 1 [ i ] + s 3 [ i ]) ≫ 1 . The initial state is S [ 0 ] = ( 0 , 0 , 0 ) 25/ 47

  26. Introduction ARX S-functions adp ARX Experiments All States S [ i ] has fixed size of 3 bits. There are 8 states in total: S [ i ] 0 1 2 3 4 5 6 7 s 1 [ i ] , s 2 [ i ] , s 3 [ i ] 0,0,-1 1,0,-1 0,1,-1 1,1,-1 0,0,0 1,0,0 0,1,0 1,1,0 ◮ One adjacency matrix describes ◮ all transitions S [ i ] → S [ i + 1 ] for fixed (∆ c [ i ] , ∆ d [ i ] , ∆ e [ i ]) ◮ Eight adjacency matrices in total ◮ one for each 3-tuple (∆ c [ i ] , ∆ d [ i ] , ∆ e [ i ]) ◮ computed using the S-function for adp ⊕ 26/ 47

  27. Introduction ARX S-functions adp ARX Experiments The Adjacency Matrices (∆ c [ i ] , ∆ d [ i ] , ∆ e [ i ]) = ( 0 , 1 , 1 ) S [ i ] Interpretation: 0 1 2 3 4 5 6 7 There are 4 pairs   0 0 1 0 0 1 0 0 0 ( c 1 [ i ] , d 1 [ i ]) 1 0 1 0 0 0 0 0 0   for which   2 0 1 4 0 1 0 0 1   (∆ c [ i ] , ∆ d [ i ] → ∆ e [ i ]) ,   3 0 1 0 0 0 0 0 1 S [ i + 1 ]     and 4 0 0 0 0 1 0 0 0   S [ i ] = 2 → S [ i + 1 ] = 2   5 0 0 0 0 0 0 0 0     6 0 0 0 0 1 0 0 1   7 0 0 0 0 0 0 0 1 A 011 27/ 47

  28. Introduction ARX S-functions adp ARX Experiments Example: adp ⊕ (∆ c , ∆ d → ∆ e ) MSB LSB 0 0 0 1 ∆ c 0 0 0 0 ∆ d 0 0 0 1 ∆ e 28/ 47

  29. Introduction ARX S-functions adp ARX Experiments Example: adp ⊕ (∆ c , ∆ d → ∆ e ) MSB LSB 0 0 0 1 ∆ c 0 0 0 0 ∆ d 0 0 0 1 ∆ e 0 2 3 0 6 7 0 6 7 6 7 A 101 0 6 7 6 7 ← S [ 0 ] = ( 0 , 0 , 0 ) 1 6 7 6 7 0 6 7 6 7 0 4 5 0 29/ 47

  30. Introduction ARX S-functions adp ARX Experiments Example: adp ⊕ (∆ c , ∆ d → ∆ e ) MSB LSB 0 0 0 1 ∆ c 0 0 0 0 ∆ d 0 0 0 1 ∆ e 0 2 3 0 6 7 0 6 7 6 7 A 000 A 101 0 6 7 6 7 ← S [ 0 ] = ( 0 , 0 , 0 ) 1 6 7 6 7 0 6 7 6 7 0 4 5 0 30/ 47

  31. Introduction ARX S-functions adp ARX Experiments Example: adp ⊕ (∆ c , ∆ d → ∆ e ) MSB LSB 0 0 0 1 ∆ c 0 0 0 0 ∆ d 0 0 0 1 ∆ e 0 2 3 0 6 7 0 6 7 6 7 A 000 A 000 A 101 0 6 7 6 7 ← S [ 0 ] = ( 0 , 0 , 0 ) 1 6 7 6 7 0 6 7 6 7 0 4 5 0 31/ 47

  32. Introduction ARX S-functions adp ARX Experiments Example: adp ⊕ (∆ c , ∆ d → ∆ e ) MSB LSB 0 0 0 1 ∆ c 0 0 0 0 ∆ d 0 0 0 1 ∆ e T 0 1 2 3 2 3 0 1 6 7 6 7 1 0 6 7 6 7 6 7 6 7 � 4 A 000 A 000 A 000 A 101 0 2 − 1 . 54 = 1 6 7 6 7 � 1 6 7 ← S [ 0 ] = ( 0 , 0 , 0 ) 6 7 1 1 4 6 7 6 7 6 7 6 7 0 1 6 7 6 7 6 7 6 7 0 1 4 5 4 5 0 1 32/ 47

  33. Introduction ARX S-functions adp ARX Experiments Outline Introduction ARX S-functions adp ARX Experiments 33/ 47

  34. Introduction ARX S-functions adp ARX Experiments ARX : Circumventing the Intermediate Values a 1 [ i ] b 1 [ i ] d 1 [ i ] ≪ r c 1 [ i ] q 1 [ i ]= c 1 [ i − r ] e 1 [ i ] 34/ 47

  35. Introduction ARX S-functions adp ARX Experiments ARX : Circumventing the Intermediate Values a 1 [ i ] b 1 [ i ] d 1 [ i + r ] ≪ r c 1 [ i ] q 1 [ i + r ]= c 1 [ i ] e 1 [ i + r ] 35/ 47

  36. Introduction ARX S-functions adp ARX Experiments ARX : Circumventing the Intermediate Values a 1 [ i ] b 1 [ i ] d 1 [ i + r ] ≪ r c 1 [ i ] q 1 [ i + r ]= c 1 [ i ] e 1 [ i + r ] 36/ 47

Recommend

Alex Psomas: Lecture 14. Probability Basics Review Probability is Additive Theorem Events,

Alex Psomas: Lecture 14. Probability Basics Review Probability is Additive Theorem Events,

Alex Psomas: Lecture 14. Probability Basics Review Probability is Additive Theorem Events, Conditional Probability, Independence, Bayes Rule (a) If events A and B are disjoint, i.e., A B = / 0 , then Setup: Random Experiment. Pr [ A

250 views • 7 slides
Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy Generalized definition of differential privacy allowing for a (supposedly small) additive factor Used in a variety of applications A query mechanism M is (

1.27k views • 43 slides
UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX

UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX

Introduction The UNAF Framework Salsa20 Applications Conclusions UNAF: A Special Set of Additive Differences with Application to the Differential Analysis of ARX V. Velichkov N. Mouha C. De Cannire B. Preneel COSIC, KU Leuven; IBBT FSE

444 views • 42 slides
The Free Algebra in a Two-sorted Variety of Probability Algebras TACL 2017 s Kroupa 1 Vincenzo

The Free Algebra in a Two-sorted Variety of Probability Algebras TACL 2017 s Kroupa 1 Vincenzo

The Free Algebra in a Two-sorted Variety of Probability Algebras TACL 2017 s Kroupa 1 Vincenzo Marra 2 Tom a 1 Czech Academy of Sciences 2 Universit` a degli Studi di Milano Probability Standard probability theory Finitely-additive

1.06k views • 21 slides
MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics Ahmed Abdelkhalek 1 , Yu Sasaki 2 , Yosuke Todo 2 , Mohamed Tolba 1 , and Amr M. Youssef 1 1:Concordia University, 2: NTT Talk @ ASK2017, 10 December 2017

567 views • 38 slides
Interactions In the additive model, the effect of one factor is not affected by the level of the

Interactions In the additive model, the effect of one factor is not affected by the level of the

ST 380 Probability and Statistics for the Physical Sciences Interactions In the additive model, the effect of one factor is not affected by the level of the other. For instance, 1 , 1 2 , 1 = 1 2 = 1 , 2 2 , 2 =

343 views • 20 slides
Strong approximation for additive functionals of geometrically ergodic Markov chains Florence

Strong approximation for additive functionals of geometrically ergodic Markov chains Florence

Strong approximation for additive functionals of geometrically ergodic Markov chains Florence Merlev` ede Joint work with E. Rio Universit e Paris-Est-Marne-La-Vall ee (UPEM) Cincinnati Symposium on Probability Theory and Applications

488 views • 23 slides
! Special Functions ! Differential Equations ! Fourier Series and Transforms ! Probability and

! Special Functions ! Differential Equations ! Fourier Series and Transforms ! Probability and

! Special Functions ! Differential Equations ! Fourier Series and Transforms ! Probability and Random Processes ! Linear System Analysis ME 437/537-Particle G. Ahmadi ME 437/537-Particle G. Ahmadi ( ) ( ) du t t Unit Step Unit Step

397 views • 10 slides
Generalized Additive Models September 10, 2019 Generalized Additive Models September 10, 2019 1

Generalized Additive Models September 10, 2019 Generalized Additive Models September 10, 2019 1

Generalized Additive Models September 10, 2019 Generalized Additive Models September 10, 2019 1 / 43 Motto My nature is to be linear, and when Im not, I feel really proud of myself. Cynthia Weil a songwriter Generalized Additive

786 views • 39 slides
Unit 2: Probability and distributions Lecture 1: Probability and conditional probability

Unit 2: Probability and distributions Lecture 1: Probability and conditional probability

Unit 2: Probability and distributions Lecture 1: Probability and conditional probability Statistics 101 Thomas Leininger May 21, 2013 Announcements Announcements 1 Probability 2 Randomness Defining probability Law of large numbers

1.36k views • 76 slides
Differential equations Programming of Differential Equations A differential equation (ODE)

Differential equations Programming of Differential Equations A differential equation (ODE)

5mm. Differential equations Programming of Differential Equations A differential equation (ODE) written in generic form: (Appendix E) u ( t ) = f ( u ( t ) , t ) The solution of this equation is a function u ( t ) Hans Petter Langtangen To

332 views • 8 slides
Differential equations Programming of Differential Equations A differential equation (ODE)

Differential equations Programming of Differential Equations A differential equation (ODE)

5mm. Differential equations Programming of Differential Equations A differential equation (ODE) written in generic form: (Appendix E) u ( t ) = f ( u ( t ) , t ) Hans Petter Langtangen The solution of this equation is a function u ( t ) To

219 views • 4 slides
Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How

Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How

Additive . . . It Is Important to . . . How Complexity Is . . . Open Problem Which Material Design Is Commonsense . . . Possible Under Additive Commonsense . . . How Accurate Is Any . . . Manufacturing: How to Combine . . . Our Result A

370 views • 16 slides
Additive Decompositions in Primitive Extensions Hao Du Key Laboratory for Mathematics

Additive Decompositions in Primitive Extensions Hao Du Key Laboratory for Mathematics

Additive Decompositions in Primitive Extensions Hao Du Key Laboratory for Mathematics Mechanization AMSS, Chinese Academy of Sciences Joint work with Shaoshi Chen and Ziming Li ISSAC18, July 1619, New York, 2018 Outline Additive

713 views • 34 slides
Overview of the Lecture II Probability of what The axioms of probability Joint

Overview of the Lecture II Probability of what The axioms of probability Joint

Overview of the Lecture II Probability of what The axioms of probability Joint probability distribution Probability of propositions Notation P(x) : read probability of x-pression Expressions are statements about the

332 views • 20 slides
Lattice and Non-Lattice Markov Additive Models Jevgenijs Ivanovs, Guy Latouche and Peter Taylor

Lattice and Non-Lattice Markov Additive Models Jevgenijs Ivanovs, Guy Latouche and Peter Taylor

Lattice and Non-Lattice Markov Additive Models Jevgenijs Ivanovs, Guy Latouche and Peter Taylor Univerity of Lausanne, Universit Libre de Bruxelles, University of Melbourne June 30, 2016 Slide 1 Markov Additive Processes A Markov additive

382 views • 11 slides
Exponential functionals of Markov additive processes Anita Behme joint work in progress with

Exponential functionals of Markov additive processes Anita Behme joint work in progress with

Exponential functionals of Markov additive processes Anita Behme joint work in progress with Apostolos Sideris May 24th 2019 Probability and Analysis Overview Exponential functionals of L evy processes From L evy processes to

843 views • 58 slides
1 A statistical definition of probability: frequentist 2 concepts: 1. Sam ple space , S , is the

1 A statistical definition of probability: frequentist 2 concepts: 1. Sam ple space , S , is the

Probability and Likelihood, a brief introduction in support of a course on m olecular evolution ( BI OL 3 0 4 6 ) Probability The subject of probability is a branch of mathematics dedicated to building models to describe conditions of

244 views • 12 slides
Unit 2: Probability and distributions 1. Probability and conditional probability GOVT 3990 -

Unit 2: Probability and distributions 1. Probability and conditional probability GOVT 3990 -

Unit 2: Probability and distributions 1. Probability and conditional probability GOVT 3990 - Spring 2017 Cornell University Dr. Garcia-Rios Slides posted at http://garciarios.github.io/govt_3990/ Outline 1. Main ideas 1. Disjoint and

451 views • 21 slides
The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with Octavio Arizmendi) Texas A&amp;M University March 25, 2016 Michael Anshelevich Exponential homomorphism Classical convolutions. Additive:

596 views • 23 slides
1 A statistical definition of probability: frequentist 2 concepts: 1. Sample space , S , is the

1 A statistical definition of probability: frequentist 2 concepts: 1. Sample space , S , is the

Probability and Likelihood, a brief introduction in support of a course on molecular evolution (BIOL 3046) Probability The subject of probability is a branch of mathematics dedicated to building models to describe conditions of uncertainty and

559 views • 12 slides
IDENTIFY THE VALUE IN AN ENTERPRISE-WIDE DEPLOYMENT OF ADDITIVE MANUFACTURING PROCESS

IDENTIFY THE VALUE IN AN ENTERPRISE-WIDE DEPLOYMENT OF ADDITIVE MANUFACTURING PROCESS

IDENTIFY THE VALUE IN AN ENTERPRISE-WIDE DEPLOYMENT OF ADDITIVE MANUFACTURING PROCESS INDUSTRIES Chris Krampitz, P.E. Stratasys Consulting Principal Consultant - Americas 1 OBJECTIVES Identify industry challenges addressed by Additive

605 views • 31 slides
Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3.

Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3.

Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3. Probability of non-disjoint events 4. Probability of complement of an event 5. Probability of independent events 6. Probability of a conditional

182 views • 14 slides
Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3.

Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3.

Chapter 2 Probability 1. Definition of Probability 2. Probability of disjoint events 3. Probability of non-disjoint events 4. Probability of complement of an event 5. Probability of independent events 6. Probability of a conditional

363 views • 13 slides

More recommend