Multiplicative Complexity Reductions in Cryptography and Cryptanalysis
Multiplicative Complexity Reductions in Cryptography and Cryptanalysis
Theodosis Mourouzis
SECURITY OF SYMMETRIC CIPHERS IN NETWORK PROTOCOLS - ICMS - EDINBURGH MAY/2015

Presentation Overview
- Linearity and Four Measures of Nonlinearity
  - Linearity
  - Non-Linearity
  - Algebraic Degree
  - Annihilator Immunity
  - Multiplicative Complexity (MC)
- Multiplicative Complexity (MC)
  - MC Reductions
  - Matrix Multiplication (MM)
  - Automated MC Reduction
  - Optimization of Circuits wrt other metrics
- Reductions of MC in Cryptanalysis
  - MC and Algebraic Attacks
  - MC and One-Wayness property
- References

Notation
- Let $x \in \mathbb{F}_2^n$ and $f: \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function
- $B_n = \{f \mid f: \mathbb{F}_2^n \to \mathbb{F}_2\}$: the set of Boolean functions on $n$ variables
- $HW(x)$: Hamming weight of $x$
- $|S|$: cardinality of a set $S$
- $d(f,g) = |\{x \in \mathbb{F}_2^n \mid f(x) \neq g(x)\}|$: distance between two functions $f, g \in B_n$

Notation
- The Algebraic Normal Form (ANF) of $f$ is defined by $f(x_1, x_2, \ldots, x_n) = \sum_{S \subseteq \{1,2,\ldots,n\}} a_S \prod_{i \in S} x_i$, where $a_S \in \{0,1\}$ for all $S$ and we define $\prod_{i \in \emptyset} x_i = 1$
  - If $a_S = 0$ for all $|S| > 1$ we say that $f$ is affine
  - If the above holds and $a_\emptyset = 0$ we say that $f$ is linear
  - If $a_S = a_{S'}$ whenever $|S| = |S'|$ we say that $f$ is symmetric
- $\Sigma^n_k$: the $k$-th elementary symmetric Boolean function, i.e. the sum of all terms with $|S| = k$
Linearity and Four Measures of Nonlinearity
- Cryptographic applications are designed with the following properties in mind:
  - Efficient circuit (hardware) implementation
  - Efficient software implementation
  - Resistance against known forms of attack such as linear/differential cryptanalysis
- [Informally] Cryptographic functions are required to be hard to invert, i.e. linear algebra must not be applicable to the problem of saying something about $x$ given $f(x)$ (the function must be sufficiently distant from linear) [BP2013]
- Several measures of how non-linear (or linear) a Boolean function is have been proposed by the community [BP2013]
- Linearity is the more concrete concept; nonlinearity is much more complex to describe

Linearity and Four Measures of Nonlinearity
- Linearity: $L(f)$ is defined as $\max_{a \in \mathbb{F}_2^n} |f^W(a)|$, where $f^W(a)$ is the Walsh coefficient at $a$, given by $f^W(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}$
- The maximum value is $2^n$ and is obtained iff $f$ is an affine/linear function
- Examples:
  - $MAJ(x_1,x_2,x_3) = x_1x_2 + x_1x_3 + x_2x_3$ has linearity 4
  - $x_1 + x_2$ (on 2 variables) has linearity 4
  - $x_1x_2 + x_2$ (on 2 variables) has linearity 2

Linearity and Four Measures of Nonlinearity
- Boyar and Peralta discuss in [3] [BP2013] four measures of nonlinearity for a Boolean function:
  1. Nonlinearity (NL)
  2. Algebraic Degree (AD)
  3. Annihilator Immunity (AI)
  4. Multiplicative Complexity (MC)
- All these measures intuitively capture the notion of nonlinearity
- These measures are shown to be incomparable => they need to be studied separately: for each pair of measures $\mu_1, \mu_2$ there exist functions $f_1, f_2$ with $\mu_1(f_1) > \mu_1(f_2)$ but $\mu_2(f_1) < \mu_2(f_2)$

Linearity and Four Measures of Nonlinearity
- Nonlinearity: the Hamming distance to the closest affine function, $NL(f) = \min_{g \text{ affine}} d(f, g)$
- $0 \le NL(f) \le 2^{n-1} - 2^{n/2 - 1}$
- Affine functions have nonlinearity 0
- Functions with maximum nonlinearity exist if and only if $n$ is even (bent functions)

Linearity and Four Measures of Nonlinearity
- Algebraic Degree ($\deg f$): the number of variables in the highest-order term with non-zero coefficient in the ANF
- The optimal value is $n$
- Examples:
  - $MAJ(x_1,x_2,x_3) = x_1x_2 + x_1x_3 + x_2x_3$ has algebraic degree 2
  - $x_1x_3x_4 + x_1 + x$ (on 4 variables) has algebraic degree 3
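The measures of the last few slides (linearity via the Walsh transform, nonlinearity, algebraic degree via the ANF, and annihilator immunity) computed from a truth table, as an added example that is not part of the original slides. The function names (`measures`, `maj3`, `xor2`, `quad2`) and the bit-ordering convention are the example's own; `annihilator_immunity` is a brute-force search and is only meant for $n \le 4$.

```python
# Added example (not from the slides): computing the nonlinearity measures of
# the talk (linearity via Walsh coefficients, NL, algebraic degree via the ANF,
# and annihilator immunity by brute force) from a truth table over F_2^n.
# Convention: an input x is encoded as the integer whose bit k is x_{k+1}.

def truth_table(f, n):
    """List f(x) for all 2^n inputs x, indexed by the integer encoding of x."""
    return [f(*[(i >> k) & 1 for k in range(n)]) & 1 for i in range(1 << n)]

def walsh(tt, n):
    """Walsh coefficients f^W(a) = sum_x (-1)^(f(x) + a.x) for every a in F_2^n."""
    coeffs = []
    for a in range(1 << n):
        s = 0
        for x in range(1 << n):
            dot = bin(a & x).count("1") & 1          # a.x over F_2
            s += 1 if (tt[x] ^ dot) == 0 else -1
        coeffs.append(s)
    return coeffs

def linearity(tt, n):
    """L(f) = max_a |f^W(a)|; equals 2^n iff f is affine."""
    return max(abs(w) for w in walsh(tt, n))

def nonlinearity(tt, n):
    """NL(f): Hamming distance to the closest affine function, 2^(n-1) - L(f)/2."""
    return (1 << (n - 1)) - linearity(tt, n) // 2

def anf(tt, n):
    """ANF coefficients a_S via the Moebius transform; S is encoded as a bitmask."""
    a = list(tt)
    for k in range(n):
        bit = 1 << k
        for s in range(1 << n):
            if s & bit:
                a[s] ^= a[s ^ bit]
    return a

def algebraic_degree(tt, n):
    """Size of the largest S with a_S = 1 in the ANF (0 for constant functions)."""
    a = anf(tt, n)
    return max((bin(s).count("1") for s in range(1 << n) if a[s]), default=0)

def annihilator_immunity(tt, n):
    """AI(f) = min deg(g) over non-zero g with f*g = 0 or (f+1)*g = 0.
    Brute force over all 2^(2^n) candidate g, so only practical for n <= 4."""
    size = 1 << n
    best = n
    for g_int in range(1, 1 << size):
        g = [(g_int >> x) & 1 for x in range(size)]
        kills_f = all(not (tt[x] and g[x]) for x in range(size))
        kills_f_plus_1 = all(not ((tt[x] ^ 1) and g[x]) for x in range(size))
        if kills_f or kills_f_plus_1:
            best = min(best, algebraic_degree(g, n))
    return best

def measures(f, n):
    """The measures discussed in the talk for a Boolean function f on n inputs."""
    tt = truth_table(f, n)
    return {
        "linearity": linearity(tt, n),
        "nonlinearity": nonlinearity(tt, n),
        "degree": algebraic_degree(tt, n),
        "annihilator_immunity": annihilator_immunity(tt, n),
    }

# The example functions from the slides.
def maj3(x1, x2, x3):
    return (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)

def xor2(x1, x2):
    return x1 ^ x2

def quad2(x1, x2):
    return (x1 & x2) ^ x2

if __name__ == "__main__":
    for name, f, n in (("MAJ", maj3, 3), ("x1+x2", xor2, 2), ("x1x2+x2", quad2, 2)):
        print(name, measures(f, n))
```

For MAJ the output reproduces the slide values (linearity 4, degree 2) and adds NL = 2 and AI = 2, which is the Courtois-Meier upper bound $\lceil 3/2 \rceil$.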
Linearity and Four Measures of Nonlinearity
- Annihilator Immunity: let $f$ be a Boolean function on $n$ inputs. The annihilator immunity (AI) is $AI(f) = \min_g \deg(g)$ over non-zero $g$ such that $fg = 0$ or $(f+1)g = 0$. The function $g$ is called an annihilator
- Closely related to the algebraic degree
- $0 \le AI(f) \le \lceil n/2 \rceil$ [Courtois-Meier 2003]
- Functions are known to achieve these bounds [Courtois-Meier 2003]

Linearity and Four Measures of Nonlinearity
- Definition of MC [Informal]: every function can be represented as a sum of non-linear functions (which require a certain number of multiplications) and linear functions over a finite field/ring
- We call Multiplicative Complexity (MC) the number of multiplications required to compute the function
- MC computation is one of the most important problems in Computer Science (with an immediate positive effect on other areas, discussed later)

Linearity and Four Measures of Nonlinearity
- We discuss MC computation applied to:
  - Tri-linear problems (Matrix Multiplication)
  - Vectorial Boolean functions (known in cryptography as S-boxes)

Linearity and Four Measures of Nonlinearity
- Multiplicative Complexity: the smallest number of AND gates necessary and sufficient to compute the function by a circuit over the basis (XOR, AND, 1), i.e. using arithmetic over $\mathbb{F}_2$
- MC is at least zero, with equality iff the function is affine
- Upper bounds for $f \in B_n$:
  - $n$ even: $MC(f) \le 2^{n/2 + 1} - \frac{n}{2} - 2$ [Lupanov]
  - $n$ odd: $MC(f) \le \frac{3}{2} \cdot 2^{(n+1)/2} - \frac{n+3}{2}$ [Boyar-Peralta-Pochuev]

Linearity and Four Measures of Nonlinearity
- These notions are incomparable [BP2013]:

  Function               | Nonlinearity            | Algebraic Degree | Annihilator Immunity | Multiplicative Complexity
  $\Sigma^n_2$ ($n$ odd) | $2^{n-1} - 2^{(n-1)/2}$ | 2                | 2                    | $\lfloor n/2 \rfloor$
  $\Sigma^n_n$           | 1                       | $n$              | 1                    | $n - 1$

Multiplicative Complexity
- Relation between MC and nonlinearity [3] [BP2013]: the nonlinearity of a function gives a bound on its MC
- If $f \in B_n$ has multiplicative complexity $MC \le n$, then $NL(f) \le 2^{n-1} - 2^{n - MC - 1}$
- For $MC = n/2$ there exists a simple function with exactly this nonlinearity [3]
Multiplicative Complexity
- In the rest of this talk we focus on three major problems:
  - Matrix Multiplication
  - MC Computation
  - Optimization of vectorial Boolean functions (S-boxes)

Multiplicative Complexity
- All these problems are still intractable
- Most of the existing algorithms are based on well-chosen ad-hoc heuristics
- It is not formally proven that the existing techniques can yield optimal solutions
- Improvements in such problems might lead to direct improvements in other fields:
  - Commercial software such as MATLAB
  - Forecasting techniques
  - Statistical analysis of large data sets
  - Gaussian elimination for solving a system of equations
  - Computer graphics
  - Reduction in the silicon required to implement digital circuits

Multiplicative Complexity
- Cryptanalysis based on SAT solvers benefits immediately from MC reductions, as the time taken by a SAT solver to find a solution depends on the compactness of the circuit
- Development of bitslice parallel-SIMD software implementations of block ciphers
- Optimization wrt MC is a countermeasure against Side Channel Attacks (SCA) on smart cards, such as Differential Power Analysis: XOR gates are easier to protect against such attacks
- Block ciphers with lower MC are less resistant against algebraic attacks (heuristically demonstrated in [4,5])
- A lot of energy and silicon in smart cards, and in the hardware devices that handle SSL traffic in web servers, can be saved with cryptography that uses fewer multiplications (RSA, ECC, Diffie-Hellman key exchange)

Multiplicative Complexity
- The Boyar and Peralta heuristic [BP2013] for obtaining more efficient implementations of arbitrary digital circuits with respect to Boolean complexity is based on the notion of MC (2 steps):
  1. Optimize wrt AND gates
  2. Optimize wrt XOR gates separately; this is equivalent to the gate-optimization problem for circuits computing linear functions (NP-hard [BMP2013])
- There is no formal argument (and it is unlikely to be true in general) that optimization wrt AND gates yields circuits with optimal Boolean complexity
- However, this technique gives sufficiently good results: applied to the AES S-box it gave the smallest circuit known (32 AND, 83 XOR/XNOR gates)

Multiplicative Complexity
- Boyar and Peralta results [BP2013]: inversion in $\mathbb{F}_{2^8}$: 5 AND, 11 XOR
- AES S-box: 32 AND (115 gates in total) [BP2013]

Multiplicative Complexity
- Automated tool based on SAT solvers which can compute optimal values in MM and MC computational problems [4,5,8]. It consists of 3 major steps:
  1. Write the problem as a set of algebraic equations based on the target value of MC
  2. Convert it to Conjunctive Normal Form (CNF)
  3. Attempt to solve this using SAT solvers
- Tricky part: the derivation of the algebraic representation (encoding step)
- Conversion from ANF to CNF can be done by ready software (e.g. Courtois-Bard-Jefferson)
- We have applied this methodology to three areas:
  1. Matrix Multiplication [4,6,7,8]
  2. MC computation of circuits [4,6,7]
  3. Optimization of digital circuits with respect to more complex metrics [7]
- [Important] We can achieve optimal results for sufficiently small problems, e.g. S-boxes from 4 bits to 4 bits, multiplication of matrices up to dimension 4
Matrix Multiplication
- One of the most important problems in Computer Science (well studied)
- Multiplication of $n \times n$ matrices with entries over arbitrary rings
- Naïve algorithm: $O(n^3)$
- Coppersmith-Winograd (1987), Andrew Stothers (2010) and Virginia Vassilevska (2011): successively smaller exponents $\omega < 3$ in $O(n^\omega)$

Matrix Multiplication
- [However,] solving smaller instances of the same problem (e.g. 3x3 matrices) might yield improvements in the general case (divide-and-conquer paradigm)
- Strassen's algorithm multiplies 2x2 matrices in 7 multiplications instead of 8
- Applying this algorithm recursively: $O(n^{\log_2 7}) \approx O(n^{2.807})$

Matrix Multiplication
- Brent equations as the form of encoding for discovering tri-linear algorithms with a specified number of multiplications [6,7,8]
- We solved them first over $\mathbb{F}_2$ and then heuristically lifted the solution to more general rings

Matrix Multiplication
- Applied to the multiplication of 3x3 matrices
- Result: another tri-linear algorithm with 23 multiplications
- Proved to be non-isomorphic to Laderman's solution
- Doing it with 22 is a big challenge (if feasible)
Automated MC Reduction
- Computing MC for arbitrary digital circuits is more complex!
- Encoding step (the tricky part)
- [Important] No method exists to show that no better can be done; we present one which works, BUT only for sufficiently small dimensions (based on SAT solvers)

Automated MC Reduction
- Input: truth table, target MC
- Output: a circuit representation with the desired MC [7,8]
- STEPS: encode the circuit as a straight-line program
  - Start with the input variables $x_1, x_2, \ldots, x_n$ of the circuit and let $S = \{x_1, x_2, \ldots, x_n\}$
  - Allow a new variable $z$ to be the product of two elements of the form $a_1 x_1 + a_2 x_2 + \ldots + a_n x_n$ where $x_1, x_2, \ldots, x_n \in S$
  - Insert $z$ in $S$ and repeat, generating MC such variables
  - Write affine equations that make each output of the circuit an affine combination of elements of $S$
  - Substitute all input/output pairs from the truth table of the circuit to generate more equations

Automated MC Reduction
- Optimality: SAT obtained for $K = k$; keep decreasing $K$ until UNSAT
- MC: the minimum $k$ with SAT, but UNSAT for all $K < k$
- Constraints:
  - Works sufficiently well for small problems
  - The performance of the SAT solver is unpredictable
Automated MC Reduction
- Applied to the PRESENT S-box: naïve implementation 39 gates
- MC = 4 (proved)
- Further optimizations: best-known bitslice implementation with 14 gates

Automated MC Reduction
- 4-bit to 4-bit S-boxes: applied to the 8 principal GOST S-boxes
- GOST is a block cipher with a 256-bit key that operates on 64-bit inputs (32 rounds)
- Maximum MC is 5

Automated MC Reduction
- Applied to the Majority Function [7,8] with 3, 5 and 7 inputs (circuits shown on the slide)
Automated MC Reduction
- Table (on the slide): number of inputs vs. time taken with MiniSat (s) (Intel i7 1.73GHz / 4GB RAM)
Optimization of Circuits wrt other metrics
- Three more complex metrics:
  - Bitslice Gate Complexity: the minimum number of 2-input gates of type XOR, OR, AND, NOT needed to compute a given circuit (bitslice implementation of block ciphers on standard CPUs)
  - Gate Complexity: the minimum number of 2-input gates of type XOR, AND, OR, NAND, NOR, NXOR needed to compute a given circuit (bitslice parallel-SIMD implementations of block ciphers)
  - NAND Complexity: the minimum number of 2-input NAND gates required to compute a circuit

Optimization of Circuits wrt other metrics
- The encoding part becomes trickier. Consider six sorts of variables for this problem [7,8]:
  - $x$: inputs to the truth table
  - $y$: outputs of the truth table
  - $q, q'$: inputs of internal gates
  - $t$: outputs of gates
  - $b$: variables which define the function of a gate (of the form $b_1 uv + b_2 (u + v) + b_3$)
  - $a$: variables which are the unknown connections between different gates
- Each element of the set $S$ (as previously defined) can be a combination of other variables which corresponds to an allowed gate representation, encoded through the $b$ coefficients
- The variables $a$ are used to ensure that the combination of two elements yields only one gate, avoiding extra XOR gates
Optimization of Circuits wrt other metrics
- Applied to the CTC S-box (3 bits to 3 bits):
  - Bitslice Gate Complexity is 8
  - Gate Complexity is 6
  - NAND Complexity is 12
MC Reductions in Cryptanalysis (GOST)
- Official encryption standard of the Russian Federation
- Declassified in 1994
- Submitted to ISO to become an international encryption standard
- 32-round Feistel network
- 256-bit key and 64-bit blocks
- Very simple key schedule
- Round function:
  - Linear: XOR and rotation by 11 bits to the left
  - Non-linear: 8 S-boxes from 4 bits to 4 bits, modular addition mod $2^{32}$

MC Reductions in Cryptanalysis
- We applied an algebraic attack to an MC-optimized version of the GOST cipher using SAT solvers [4,5]:
  1. Write all the equations in their ANF:
     - For the S-boxes use the MC-optimized versions
     - Do not further optimize with respect to XOR gates (more linearity)
     - For modular addition use an encoding which is optimal and has MC = 31 [4,5,8] (shown on the slide)
  2. For each input of each AND gate add one new variable. All the other gates give linear equations over $\mathbb{F}_2$
  3. Convert to CNF using ready software
  4. Solve using a SAT solver
- Successful in all random cases we tried.

MC Reductions in Cryptanalysis
- MC reductions might yield better results in algebraic attacks (heuristically demonstrated)
- MC reduction as pre-processing in algebraic attacks
- Algebraic attack on the SIMON cipher [eprint 2013/404], which has very low MC (MC = 32 per round) [Courtois et al, SECRYPT 2013]:
  - 10 of 44 rounds broken faster than brute force using SAT solvers (using truncated differentials of low Hamming distance)
  - No key guessing is required

MC Reductions in Cryptanalysis
- Elliptic curves over $GF(2^n)$: in characteristic 2, and for the most common NIST curves, the relation $P_1 + P_2 = P_3$ ($P_3$ fixed) corresponds to the Semaev summation polynomial $S_3$ (equation shown on the slide)
- In a model where linearized polynomials (with powers of 2) are free ($x_3$ fixed):
  - Lemma: this equation can be written with MC = 1 over $GF(2^n)$ by a suitable change of variables
  - Consequence: all known very compact representations of this equation over $GF(2)$ can be derived from this fact

MC Reductions in Cryptanalysis
- Open problem: the relation between MC and algebraic attacks
- MC reduction might speed up algebraic attacks (?)

MC Reductions in Cryptanalysis: Multiplicative Reductions and One-Wayness
- MC and one-wayness [BP2013]: if a function $f$ has multiplicative complexity $MC$, then it can be inverted in at most $2^{MC}$ evaluations of $f$ [3]
- $MC(f) \le \frac{n}{2} \Rightarrow NL(f) \le 2^{n-1} - 2^{n - MC(f) - 1}$ [3]
- Theorem [Boyar and Peralta 2013]: collision resistance of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ requires that $MC(f) \ge n - m$
MC Reductions in Cryptanalysis
- If a function $f$ has multiplicative complexity $MC$, then it can be inverted in at most $2^{MC}$ evaluations of $f$ [3]
- [Sketch of proof]:
  - Consider a circuit $C$ for $f$ with $MC$ AND gates and suppose $y$ has a non-empty pre-image under $f$
  - Guessing the Boolean value of one input of each AND gate results in a linear system of equations $L$ (under the guess, each AND gate outputs either the constant 0 or the affine form of its other input)
  - Solve $L$ to obtain a candidate input $x$ and test whether $f(x) = y$
  - This finds a pre-image of $y$ after at most $2^{MC}$ iterations
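The $2^{MC}$ inversion procedure sketched above, run end-to-end on a straight-line program over $\mathbb{F}_2$, as an added example that is not part of the original slides; it also shows the linearisation used in the GOST attack (one AND gate becomes linear once one of its inputs is fixed). The `Circuit`, `solve_gf2` and `invert` names are the example's own, and the 3-bit map `chi3` is a constructed sample permutation with 3 AND gates, not a function from the talk.

```python
# Added example (not from the slides): the 2^MC inversion procedure sketched
# above, run on a straight-line program over F_2. One input of every AND gate
# is guessed; under the guess every wire is an affine form in the inputs, so the
# output constraints become a linear system solved by Gaussian elimination.
import itertools

class Circuit:
    """Straight-line program over the basis (XOR, AND, NOT). Wires 0..n-1 are
    the inputs; every gate appends one new wire and returns its index."""
    def __init__(self, n):
        self.n = n
        self.gates = []      # ("xor", a, b) | ("and", a, b) | ("not", a)
        self.outputs = []    # wire indices that form the output vector

    def _add(self, gate):
        self.gates.append(gate)
        return self.n + len(self.gates) - 1

    def xor(self, a, b): return self._add(("xor", a, b))
    def and_(self, a, b): return self._add(("and", a, b))
    def not_(self, a): return self._add(("not", a))

    def mc(self):
        """Number of AND gates: an upper bound on the multiplicative complexity."""
        return sum(1 for g in self.gates if g[0] == "and")

    def evaluate(self, x):
        w = list(x)
        for gate in self.gates:
            if gate[0] == "xor": w.append(w[gate[1]] ^ w[gate[2]])
            elif gate[0] == "and": w.append(w[gate[1]] & w[gate[2]])
            else: w.append(w[gate[1]] ^ 1)
        return [w[o] for o in self.outputs]

def solve_gf2(rows, n):
    """Solve a linear system over F_2. Each row is (mask, rhs): the XOR of the
    input bits selected by mask equals rhs. Returns one solution (free variables
    set to 0) as an int, or None if the system is inconsistent."""
    pivots = []   # (pivot_bit, mask, rhs), kept in reduced row echelon form
    for mask, rhs in rows:
        for pb, pm, pr in pivots:
            if (mask >> pb) & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                return None       # 0 = 1: this guess is inconsistent
            continue
        pbit = mask.bit_length() - 1
        pivots = [(qb, qm ^ mask, qr ^ rhs) if (qm >> pbit) & 1 else (qb, qm, qr)
                  for qb, qm, qr in pivots]
        pivots.append((pbit, mask, rhs))
    x = 0
    for pb, _, pr in pivots:
        x |= pr << pb
    return x

def invert(circ, y):
    """Find x with circ.evaluate(x) == y using at most 2^MC linear solves.
    Returns (x_bits, guesses_tried) or (None, guesses_tried)."""
    tries = 0
    for guess in itertools.product((0, 1), repeat=circ.mc()):
        tries += 1
        forms = [(1 << i, 0) for i in range(circ.n)]   # wire -> (mask, const)
        rows, k = [], 0
        for gate in circ.gates:
            if gate[0] == "xor":
                (m1, c1), (m2, c2) = forms[gate[1]], forms[gate[2]]
                forms.append((m1 ^ m2, c1 ^ c2))
            elif gate[0] == "not":
                m, c = forms[gate[1]]
                forms.append((m, c ^ 1))
            else:
                (m1, c1), (m2, c2) = forms[gate[1]], forms[gate[2]]
                g, k = guess[k], k + 1
                rows.append((m1, c1 ^ g))                # constraint: first input == g
                forms.append((m2, c2) if g else (0, 0))  # g*v is affine once g is fixed
        for o, bit in zip(circ.outputs, y):
            m, c = forms[o]
            rows.append((m, c ^ bit))                    # constraint: output == y
        x = solve_gf2(rows, circ.n)
        if x is not None:
            xb = [(x >> i) & 1 for i in range(circ.n)]
            if circ.evaluate(xb) == list(y):             # test the candidate
                return xb, tries
    return None, tries

def chi3():
    """Constructed sample: the 3-bit permutation y_i = x_i + (x_{i+1} + 1) x_{i+2}."""
    c = Circuit(3)
    for i in range(3):
        t = c.and_(c.not_((i + 1) % 3), (i + 2) % 3)
        c.outputs.append(c.xor(i, t))
    return c

if __name__ == "__main__":
    c = chi3()
    for y in itertools.product((0, 1), repeat=3):
        x, tries = invert(c, y)
        print(f"y={list(y)} preimage x={x} after {tries} of at most {2 ** c.mc()} guesses")
```

Every output is recovered within $2^3 = 8$ guesses, which is the bound of the sketch; the per-guess work is one Gaussian elimination on at most $MC + m$ equations in $n$ unknowns.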
MC Reductions in Cryptanalysis
- Theorem [Boyar and Peralta 2013]: collision resistance of a function $f: \mathbb{F}_2^n \to \mathbb{F}_2^m$ requires that $MC(f) \ge n - m$
- [Sketch of proof]: let $C$ be a circuit for $f$ and w.l.o.g. assume $C$ has no negations (negations can be pushed to the outputs of the circuit without changing the number of AND gates)
  - Search for two inputs that map to 0
  - Since there are no negations, one such point is $0$
  - We next show how to obtain a second pre-image of 0
  - Pick a topologically minimal AND gate and set one of its inputs to 0 (this generates one homogeneous linear equation on the inputs of $f$ and allows us to remove the AND gate from $C$)
  - Repeat until no AND gates are left in $C$ -> a homogeneous system $S$ with at most $MC$ equations, plus a circuit $C'$ which computes a homogeneous linear system with $m$ equations
  - The combined system has at least $2^{n - m - MC}$ distinct solutions
  - If $m + MC < n$ then standard linear algebra yields non-zero solutions; these are second pre-images of 0

End of Presentation
THANKS!
References
[1] Boyar, J., Matthews, P., & Peralta, R. (2013). Logic minimization techniques with applications to cryptology. Journal of Cryptology, 26(2).
[2] Boyar, J., & Peralta, R. (2010). A new combinational logic minimization technique with applications to cryptology. In Experimental Algorithms. Springer Berlin Heidelberg.
[3] Boyar, J., & Peralta, R. (2013). Four Measures of Nonlinearity. In Algorithms and Complexity. Springer Berlin Heidelberg.
[4] Courtois, N., Hulme, D., & Mourouzis, T. (2011). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. IACR Cryptology ePrint Archive, 2011, 475.
[5] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. SHARCS Workshop.
[6] Courtois, N., Hulme, D., & Mourouzis, T. (2012). Multiplicative Complexity and Solving Generalized Brent Equations With SAT Solvers. In COMPUTATION TOOLS 2012, The Third International Conference on Computational Logics, Algebras, Programming, Tools, and Benchmarking.
[7] Courtois, N., Mourouzis, T., & Hulme, D. (2013). Exact Logic Minimization and Multiplicative Complexity of Concrete Algebraic and Cryptographic Circuits. International Journal On Advances in Intelligent Systems, 6(3 and 4).
[8] Mourouzis, T. (2015). Optimizations in Algebraic and Differential Cryptanalysis (Doctoral dissertation, UCL (University College London)).
[9] Courtois, N. Extended Slides on the topic of Multiplicative Complexity.
More informationMatrix Power S-Box Construction
Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationA Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms Alex Biryukov, Christophe De Cannière, An Braeken, and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark
More informationAlgebraic Analysis of the Simon Block Cipher Family
Algebraic Analysis of the Simon Block Cipher amily Håvard Raddum Simula Research Laboratory, Norway Abstract. This paper focuses on algebraic attacks on the Simon family of block ciphers. We construct
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationConstruction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity
arxiv:cs/0605139v1 [cs.cr] 30 May 2006 Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity Na Li, Wen-Feng Qi Department of Applied Mathematics, Zhengzhou
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationOn Conversions from CNF to ANF
On Conversions from CNF to ANF Jan Horáček and Martin Kreuzer Faculty of Informatics and Mathematics University of Passau, D-94030 Passau, Germany Jan.Horacek@uni-passau.de, Martin.Kreuzer@uni-passau.de
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationNP-Completeness I. Lecture Overview Introduction: Reduction and Expressiveness
Lecture 19 NP-Completeness I 19.1 Overview In the past few lectures we have looked at increasingly more expressive problems that we were able to solve using efficient algorithms. In this lecture we introduce
More informationSubquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach
Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi 1,2 and Matthieu Rivain 1 1 CryptoExperts, Paris, France 2 ENS, CNRS, INRIA and PSL Research University,
More informationSmashing the Implementation Records of AES S-box
Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha and Doaa Ashmawy Department of Electrical and Computer Engineering Western University, London, Ontario, Canada {areyhani,mtaha9,dashmawy}@uwo.ca
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationFormal Verification Methods 1: Propositional Logic
Formal Verification Methods 1: Propositional Logic John Harrison Intel Corporation Course overview Propositional logic A resurgence of interest Logic and circuits Normal forms The Davis-Putnam procedure
More informationOptimizing S-box Implementations for Several Criteria using SAT Solvers
Optimizing S-box Implementations for Several Criteria using SAT Solvers Ko Stoffelen Radboud University, Digital Security, Nijmegen, The Netherlands k.stoffelen@cs.ru.nl Abstract. We explore the feasibility
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationImproved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON
Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationCRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n
CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n S. M. DEHNAVI, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA Abstract. The operation of modular addition modulo a power
More informationLinear Algebra, Boolean Rings and Resolution? Armin Biere. Institute for Formal Models and Verification Johannes Kepler University Linz, Austria
Linear Algebra, Boolean Rings and Resolution? Armin Biere Institute for Formal Models and Verification Johannes Kepler University Linz, Austria ACA 08 Applications of Computer Algebra Symbolic Computation
More informationBiomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.
Biomedical Security Erwin M. Bakker Some Security News From: NYTimes Blockchains are not safe for voting (slashdot.org) : From Motherboard.vice.com ECDAA: Eliptic Curve Direct Anonymous Attestation for
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationBoolean Algebra. Philipp Koehn. 9 September 2016
Boolean Algebra Philipp Koehn 9 September 2016 Core Boolean Operators 1 AND OR NOT A B A and B 0 0 0 0 1 0 1 0 0 1 1 1 A B A or B 0 0 0 0 1 1 1 0 1 1 1 1 A not A 0 1 1 0 AND OR NOT 2 Boolean algebra Boolean
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationPARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM
PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM Nabihah Ahmad Department of Electronic Engineering, Faculty of Electrical and Electronic Engineering, Universiti
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationOn the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010
Introduction Boolean functions 2nd order nonlinearity Summary ARXH PROSTASIAS_APOLOGISMOS 2010.indd 1 20/04/2011 12:54 ΜΜ On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationComparison of cube attacks over different vector spaces
Comparison of cube attacks over different vector spaces Richard Winter 1, Ana Salagean 1, and Raphael C.-W. Phan 2 1 Department of Computer Science, Loughborough University, Loughborough, UK {R.Winter,
More informationconp = { L L NP } (1) This problem is essentially the same as SAT because a formula is not satisfiable if and only if its negation is a tautology.
1 conp and good characterizations In these lecture notes we discuss a complexity class called conp and its relationship to P and NP. This discussion will lead to an interesting notion of good characterizations
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationA New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information
More informationTwo Philosophies For Solving Non-Linear Equations in Algebraic Cryptanalysis
Two Philosophies For Solving Non-Linear Equations in Algebraic Cryptanalysis Nicolas T. Courtois University College London, Computer Science, Room 6.18. Gower Street, WC1E 6BT, London, UK n.courtois@ucl.ac.uk
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationNew Gröbner Bases for formal verification and cryptography
New Gröbner Bases for formal verification and cryptography Gert-Martin Greuel Diamant/Eidma Symposium November 29th - November 30th November 29th, 2007 Introduction Focus of this talk New developements
More informationUSING SAT FOR COMBINATIONAL IMPLEMENTATION CHECKING. Liudmila Cheremisinova, Dmitry Novikov
International Book Series "Information Science and Computing" 203 USING SAT FOR COMBINATIONAL IMPLEMENTATION CHECKING Liudmila Cheremisinova, Dmitry Novikov Abstract. The problem of checking whether a
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationThe ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function
The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More information1 The Algebraic Normal Form
1 The Algebraic Normal Form Boolean maps can be expressed by polynomials this is the algebraic normal form (ANF). The degree as a polynomial is a first obvious measure of nonlinearity linear (or affine)
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationCryptanalysis of Achterbahn
Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,
More informationOn the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking
On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking Dahmun Goudarzi and Matthieu Rivain CHES 2016, Santa-Barbara Higher-Order Masking x = x 1 + x 2 + + x d 2/28 Higher-Order
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationfunctions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**
Security Analysis of Cryptographic Algorithms by means of Boolean Functions E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS** * Department of Computer Science National Technical University of
More informationEncoding Basic Arithmetic Operations for SAT-Solvers
Encoding Basic Arithmetic Operations for SAT-Solvers Ramón BÉJAR 1, Cèsar FERNÁNDEZ and Francesc GUITART Computer Science Department, Universitat de Lleida (UdL) Abstract. In this paper we start an investigation
More informationHighly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design
Saint-Malo, September 13th, 2015 Cryptographic Hardware and Embedded Systems Highly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design Rei Ueno 1, Naofumi
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More information