trail bound techniques in primitives with weak alignment
play

Trail Bound Techniques in Primitives with Weak Alignment Silvia - PowerPoint PPT Presentation

Jan 23, 2023 •143 likes •644 views

Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work with Joan Daemen 2 and Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University APBC 2018 Outline 1 Differential trails 2 Tree search 3 Bounds in

  1. Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work with Joan Daemen 2 and Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University APBC 2018

  2. Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  3. Differential trails Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  4. Differential trails Differential trails in iterated mappings

  5. Differential trails Differential trails and weight w = − log 2 ( DP )

  6. Differential trails Trail extension

  7. Differential trails Trail extension

  8. Differential trails Trail extension

  9. Differential trails Trail extension

  10. Differential trails Trail cores min min

  11. Differential trails Bounding the weight of trails ◮ We restrict to trail cores... ◮ ...up to a given target weight T ◮ We start from 2-round trail cores and then extend min min

  12. Tree search Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  13. Tree search Definition Set U of units with a total order relation ≺ Tree ◮ Node: subset of U , represented as a unit list a = ( u i ) i =1 ,..., n u 1 ≺ u 2 ≺ · · · ≺ u n ◮ Children of a node a : a ∪ { u n +1 } ∀ u n +1 : u n ≺ u n +1 ◮ Root: the empty set a = ∅

  14. Tree search Bounding the cost Goal: tree traversal up to given cost target T Cost-related functions ◮ Cost function: γ ( a ) (e.g. w rev ( a ) + w dir ( a )) ◮ Cost bounding function: L ( a ) s.t. for all descendants a ′ of a γ ( a ′ ) ≥ L ( a ) ⇒ Prune all the subtrees with L ( a ) > T

  15. Tree search Example: active bit positions

  16. Bounds in Keccak - f Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  17. Bounds in Keccak - f Keccak - f Keccak - f Operates on 3D state: Round function with 5 steps: ◮ θ : mixing layer ◮ ρ : inter-slice bit transposition ◮ π : intra-slice bit transposition ◮ χ : non-linear layer state y ◮ ι : round constants z # rounds: 12 + 2 ℓ for width b = 2 ℓ 25 x ◮ 12 rounds in Keccak - f [25] ◮ (5 × 5)-bit slices ◮ 24 rounds in Keccak - f [1600] ◮ 2 ℓ -bit lanes ◮ parameter 0 ≤ ℓ < 7 [Bertoni, Daemen, Peeters, Van Assche, 2008]

  18. Bounds in Keccak - f Keccak - f Properties of θ + = column parity θ e ff ect combine ◮ The θ map adds a pattern, that depends on the parity, to each plane. ◮ Affected columns are complemented ◮ Unaffected columns are not changed

  19. Bounds in Keccak - f Keccak - f The parity Kernel + = column parity θ effect combine ◮ θ acts as the identity if parity is zero ◮ A state with parity zero is in the kernel (or in | K | ) ◮ A state with parity non-zero is outside the kernel (or in | N | )

  20. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  21. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  22. Bounds in Keccak - f Trails in Keccak - f Differential trails in Keccak - f Round: linear step λ = π ◦ ρ ◦ θ and non-linear step χ ◮ a i fully determines b i = λ ( a i ) ◮ χ has degree 2: w ( b i − 1 ) independent of a i ◮ Minimum reverse weight: w rev ( a 1 ) � min b 0 w ( b 0 )

  23. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 6-round trail cores Lemma A 6-round trail of weight W always contains a 3-round trail of � W � weight below or equal to 2

  24. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Space split based on parity of a i ◮ Four classes: | K | K | , | K | N | , | N | K | and | N | N |

  25. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 1 , b 1 ) ◮ Extending forward by one round

  26. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 1 , b 1 ) ◮ Extending forward by one round

  27. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 2 , b 2 ) ◮ Extending backward by one round

  28. Bounds in Keccak - f Generating 3-round trail cores Covering the space of 3-round trail cores ◮ Generating ( a 2 , b 2 ) ◮ Extending backward by one round

  29. Bounds in Keccak - f Generating trail cores in | K | Orbitals ◮ orbital = [ z , x , y 1 , y 2 ] 2 1 0 -1 -2 y

  30. Bounds in Keccak - f Generating trail cores in | K | Orbitals (continued) ◮ y ′ 1 > y 2 2 1 0 -1 -2 y

  31. Bounds in Keccak - f Generating trail cores in | K | Generating trail cores in | K | ◮ Root: the empty state ◮ Units: orbitals = [ z , x , y 1 , y 2 ] ◮ Bound: cost of the node itself

  32. Bounds in Keccak - f Generating trail cores in | N | Parity-bare states Parity-bare state: a state with the minimum number of active bits before and after θ for a given parity ◮ 0 active bits in unaffected even columns ◮ 1 active bit in unaffected odd column ◮ 5 active bits in affected column either before or after θ θ

  33. Bounds in Keccak - f Generating trail cores in | N | States in | N | Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ

  34. Bounds in Keccak - f Generating trail cores in | N | States in | N | Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ

  35. Bounds in Keccak - f Generating trail cores in | N | Orbital tree ◮ Root: a parity-bare state ◮ Units: orbitals in unaffected columns ◮ Bound: cost of the trail itself

  36. Bounds in Keccak - f Generating trail cores in | N | Run tree ◮ Root: the empty state ◮ Units: column assignments (x, z, odd/affected, column value) ◮ Bound: cost minus potential loss due to new CAs

  37. Bounds in Keccak - f Extending trails Trail extension

  38. Bounds in Keccak - f Extending trails Tree-search on affine space ◮ Affine space: o + � b 1 , . . . , b m � � a = o + α j b j j ◮ Unit set U = { b 1 , . . . , b m } ◮ Root: a = o ◮ Node: a = ( b i ) : α i = 1 ◮ Define L ( a ) to take advantage of stable active bits

  39. Experimental results Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  40. Experimental results Experimental results ◮ All 3-round trail cores with weight ≤ 45 10 4 Keccak - f [200] Keccak - f [400] 10 3 Keccak - f [800] # cores Keccak - f [1600] 10 2 10 1 20 22 24 26 28 30 32 34 36 38 40 42 44 T 3 ◮ No 6-round trail with weight ≤ 91

  41. Experimental results Trails for parity profile | K | K | | K | N | 10 4 10 4 10 3 10 3 # cores # cores 10 2 10 2 10 10 1 1 20 22 24 26 28 30 32 34 36 38 40 42 44 28 30 32 34 36 38 40 42 44 T 3 T 3 | N | K | | N | N | 10 4 10 3 10 3 10 2 # cores # cores 10 2 10 10 1 1 27 29 31 33 35 37 39 41 43 45 38 39 40 41 42 43 44 45 T 3 T 3

  42. Experimental results Bounds rounds b = 200 b = 400 b = 800 b = 1600 2 8 8 8 8 3 20 24 32 32 4 46 [48,63] [48,104] [48,134] 5 [50,89] [50,147] [50,247] [50,372] 6 [92,142] [92,278] [92,556] [92,1112] [276, · ] [280, · ] [292, · ] [368, · ] n r

  43. Symmetry properties Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

  44. Symmetry properties Invariance by translation or rotation E.g., in Keccak - f , w ( τ z a ) = w ( a ) for any translation τ z along z

  45. Symmetry properties Canonicity Canonical representation ◮ Define an order relation on states ◮ Define the canonical representation as the minimum one, e.g., a canonical ⇔ a = min τ z a z

  46. Symmetry properties Tree search restricted to canonical representations Reminder ◮ Set U of units with a total order relation ≺ ◮ Unit list: a = ( u i ) i =1 ,..., n with u 1 ≺ u 2 ≺ · · · ≺ u n Lemma Assuming that ◮ ≺ lex is the lexicographic order on unit lists ◮ canonicity is defined w.r.t. ≺ lex then the parent of a canonical pattern is canonical. ⇒ Complete non-canonical subtrees can be pruned [Mella, Daemen, Van Assche, FSE 2017]

  47. Symmetry properties Testing for canonicity Basic algorithm ◮ Input: unit list a = ( u i ) i =1 ,..., n ◮ For each i ◮ Transform a such that τ ( u i ) is ≺ -minimum ◮ Sort the resulting unit list ◮ Compare it (using ≺ lex ) to the currently minimum unit list ◮ Output: canonical representation (or just true/false)

  48. Conclusions Outline 1 Differential trails 2 Tree search 3 Bounds in Keccak - f 4 Experimental results 5 Symmetry properties 6 Conclusions

Recommend

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT New alignment Existing Hamblen gravel Elem School trail PUBLIC PRESENTATIONS Initial presentation to adjacent property owners in late

505 views • 24 slides
Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT

Ben Burr Trail PROJECT ALIGNMENT Project alignment Hamblen Elem School PROJECT ALIGNMENT New alignment Existing Hamblen gravel Elem School trail COMPREHENSIVE PLAN Spokane features three major transportation pathways or

696 views • 25 slides
PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY

PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY

PUBLIC MEETING &amp; WORKSHOP THE PROJECT TRAIL ALIGNMENT TYPICAL CROSS SECTIONS WATER QUALITY FEATURES DESIGN CONCEPTS January 20, 2016 1 m e n g n t l i A T a i l r NM 313 R S E L A R R TRAIL ALIGNMENT O C 6 5 5

364 views • 8 slides
1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no denial of service during transient network partitions - supports massive

319 views • 8 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU

Introduction Three Easy, Automated Techniques Tools for Cryptography Conclusion Cryptanalysis of Symmetric-Key Primitives: Automated Techniques Nicky Mouha ESAT/COSIC, KU Leuven, Belgium IBBT, Belgium Summer School on Tools, Mykonos

886 views • 77 slides
Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder + Chair Ludlam Trail Im a neighbor! Biscayne Trail Ludlam Trail Southern Glades Trail The Underline Amelia Trail South Dade Greenway

516 views • 20 slides
Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder +

Community Engagement and the Ludlam Trail Friends of the Ludlam Trail Tony Garcia , Cofounder + Chair Ludlam Trail Im a neighbor! Biscayne Trail Ludlam Trail Southern Glades Trail The Underline Amelia Trail South Dade Greenway

563 views • 17 slides
E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context

E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context

E&amp;N TRAIL Downtown South Alignment &amp; Costing Study Council Update May 11, 2015 Context Supporting Plans Parks, Recreation &amp; Culture Master Plan (2004) Regional District of Nanaimo Regional Parks &amp; Trails Plan (2005) PRC

584 views • 30 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth

Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth

Campus Connector Trail TAC August 2019 Healthy Duluth Active Living Cmte Healthy Duluth Proposed Campus Connector Trail Campus Connector Trail Alignment Options North Star East Academy High UMD Ordean East CSS Congdon 2016

538 views • 17 slides
Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project

Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project

Ballona Creek/Baldwin Hills Park to Playa Regional Trail Corridor y g Project Location Project Location Trail Alignment Making Connections Trail Signage Making Connections Trail Access Making Connections Project History &amp;

231 views • 9 slides
To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people,

To the weak I became weak, that I might win the weak. I have become all things to all people, that by all means I might save some. I do it all for the sake of the gosepl, that I might share with them in its blessing. Do you not know that in

652 views • 40 slides
The Probabilistic Method Techniques Union bound Argument from expectation Alterations The

The Probabilistic Method Techniques Union bound Argument from expectation Alterations The

The Probabilistic Method Techniques Union bound Argument from expectation Alterations The second moment method The (Lovasz) Local Lemma And much more Alon and Spencer, The Probabilistic Method Bolobas, Random Graphs Hung Q.

258 views • 9 slides
I NTENT ? Are you looking to build a trail or challenge? Do you have a trail

I NTENT ? Are you looking to build a trail or challenge? Do you have a trail

P OSITIONING YOUR T RAIL TO MAXIMIZE THE ECONOMIC IMPACT Michelle Clement Director of Destination Development Projects, ROOST I NTENT ? Are you looking to build a trail or challenge? Do you have a trail you want to

433 views • 17 slides
Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on extended formulation Kaibel, Razborovs Inform. SA Weltge symmetry arg. theory + Fourier COR/ yes yes yes ? TSP [KW13]

1.25k views • 108 slides
WEAK INTERPOLATION PROPERTY over THE MINIMAL LOGIC Larisa Maksimova Sobolev Institute of

WEAK INTERPOLATION PROPERTY over THE MINIMAL LOGIC Larisa Maksimova Sobolev Institute of

Abstract Weak interpolation and joint consistency Propositional J-logics Reduction of WIP Weak interpolation and weak amalgamation Weak interpolation and weak amalgamation Logics with WIP over Gl Description of logics with WIP over Gl and J

621 views • 41 slides
Sequence Alignment (chapter 6) The biological problem l Global alignment l Local alignment l

Sequence Alignment (chapter 6) The biological problem l Global alignment l Local alignment l

Sequence Alignment (chapter 6) The biological problem l Global alignment l Local alignment l Multiple alignment l Introduction to bioinformatics, Autumn 2006 22 Background: comparative genomics Basic question in biology: what properties

934 views • 44 slides
Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical

Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical

Lower Bound Techniques for QBF Proof Systems Meena Mahajan The Institute of Mathematical Sciences, HBNI, Chennai. Complexity, Algorithms, Automata, Logic Meeting CAALM 2019, CMI, India. 21-25 Jan 2019 24 Jan 2019 Meena Mahajan, IMSc Credits

980 views • 94 slides
1 Issues and Techniques for Weak Replication Issues and Techniques for Weak Replication Update

1 Issues and Techniques for Weak Replication Issues and Techniques for Weak Replication Update

Grapevine and Clearinghouse (Xerox) Grapevine and Clearinghouse (Xerox) Weakly consistent replication was used in earlier work at Xerox PARC: Grapevine and Clearinghouse name services Asynchronous Replication and Bayou Asynchronous

347 views • 8 slides
What is text alignment? Text alignment is the comparison of two or more parallel texts It

What is text alignment? Text alignment is the comparison of two or more parallel texts It

A tool for syntax-based intra-language text alignment Tariq Yousef, Chiara Palladino University of Leipzig Berlin Digital Classicist Seminars, November 29, 2016 What is text alignment? Text alignment is the comparison of two or more

688 views • 53 slides
Sentiers Chelsea Trails 1 1. Chelsea Community Trail 2. Notch/Mine Road Bike Lanes 3.

Sentiers Chelsea Trails 1 1. Chelsea Community Trail 2. Notch/Mine Road Bike Lanes 3.

Sentiers Chelsea Trails 1 1. Chelsea Community Trail 2. Notch/Mine Road Bike Lanes 3. Chelsea Park Trail Building 4. Des Pommiers Trail Bridge 5. Proposed Trail Connection Between Centre Village &amp; Gatineau/Ottawa Trail Networks 6.

392 views • 24 slides
Corridor C was removed due to the fact that there is an existing regional trail extremely

Corridor C was removed due to the fact that there is an existing regional trail extremely

Bruce Vento Regional Trail Corridor Search 2018 ` Bruce Vento Regional Trail Bruce Vento Regional Trail - Master Planning Summary Otter Bruce Vento Trail Extension Project - ) * 61 General Information: Lake Fish Lake Bald Eagle -

230 views • 3 slides

More recommend