New techniques for trail bounds and application to differential trails in Keccak

Similar documents
Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Algebraic properties of SHA-3 and notable cryptanalysis results

Innovations in permutation-based crypto

Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1

On Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013

Keccak sponge function family main document

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

New attacks on Keccak-224 and Keccak-256

Version 3.0 January 14, STMicroelectronics 2 NXP Semiconductors

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Cryptanalysis of 1-Round KECCAK

Unaligned Rebound Attack: Application to Keccak

Higher-order differential properties of Keccak and Luffa

Chapter 3 Deterministic planning

Characterization of Column Parity Kernel and Differential Cryptanalysis of Keccak

Lecture 12: Block ciphers

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Alpha-Beta Pruning: Algorithm and Analysis

Practical CCA2-Secure and Masked Ring-LWE Implementation

Shortest paths with negative lengths

D B M G Data Base and Data Mining Group of Politecnico di Torino

Association Rules. Fundamentals

Alpha-Beta Pruning: Algorithm and Analysis

Cryptanalysis of EnRUPT

D B M G. Association Rules. Fundamentals. Fundamentals. Elena Baralis, Silvia Chiusano. Politecnico di Torino 1. Definitions.

D B M G. Association Rules. Fundamentals. Fundamentals. Association rules. Association rule mining. Definitions. Rule quality metrics: example

Principles of AI Planning

Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

A Sound Method for Switching between Boolean and Arithmetic Masking

Space-Efficient Construction Algorithm for Circular Suffix Tree

Randomized Sorting Algorithms Quick sort can be converted to a randomized algorithm by picking the pivot element randomly. In this case we can show th

Higher-order differential properties of Keccak and Luffa

Alpha-Beta Pruning: Algorithm and Analysis

1 The Algebraic Normal Form

1 From previous lectures

Symmetric Crypto Systems

Module 2 Advanced Symmetric Ciphers

Run-length & Entropy Coding. Redundancy Removal. Sampling. Quantization. Perform inverse operations at the receiver EEE

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Computational Models Lecture 8 1

Cardinality Networks: a Theoretical and Empirical Study

Binary Search Trees. Lecture 29 Section Robb T. Koether. Hampden-Sydney College. Fri, Apr 8, 2016

Learning Decision Trees

Multimedia Systems WS 2010/2011

Information Theory with Applications, Math6397 Lecture Notes from September 30, 2014 taken by Ilknur Telkes

EXHAUSTIVELY generating a class of combinatorial objects

Variants of Turing Machine (intro)

Integer Programming for Phylogenetic Network Problems

10-704: Information Processing and Learning Fall Lecture 10: Oct 3

Higher-order differential properties of Keccak and Luffa

Principles of AI Planning

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Lecture 17: Trees and Merge Sort 10:00 AM, Oct 15, 2018

Search and Lookahead. Bernhard Nebel, Julien Hué, and Stefan Wölfl. June 4/6, 2012

Symmetric Crypto Systems

Unifying Büchi Complementation Constructions

Notes on MapReduce Algorithms

The space of located subsets

Distinguishing Stream Ciphers with Convolutional Filters

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Inductive Definitions

Homework 2 Foundations of Computational Math 1 Fall 2018

Analysis of Algorithms I: Asymptotic Notation, Induction, and MergeSort

New Insights into Divide-and-Conquer Attacks on the Round-Reduced Keccak-MAC

Optimal Tree-decomposition Balancing and Reachability on Low Treewidth Graphs

Linear Cryptanalysis of Reduced-Round PRESENT

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number

3.3 Accumulation Sequences

arxiv: v2 [cs.ds] 3 Oct 2017

Quiz 1 Solutions. (a) f 1 (n) = 8 n, f 2 (n) = , f 3 (n) = ( 3) lg n. f 2 (n), f 1 (n), f 3 (n) Solution: (b)

CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

A Polynomial Description of the Rijndael Advanced Encryption Standard

Decision Diagrams and Dynamic Programming

Integer Programming in Computational Biology. D. Gusfield University of California, Davis Presented December 12, 2016.!

Computational Models Lecture 8 1

CS 161 Summer 2009 Homework #2 Sample Solutions

Integer Sorting on the word-ram

CSE 431/531: Analysis of Algorithms. Dynamic Programming. Lecturer: Shi Li. Department of Computer Science and Engineering University at Buffalo

Data Mining Concepts & Techniques

Lecture 23 Branch-and-Bound Algorithm. November 3, 2009

New successor rules for constructing de Bruijn sequences

p 3 p 2 p 4 q 2 q 7 q 1 q 3 q 6 q 5

Algorithms and Data Structures 2016 Week 5 solutions (Tues 9th - Fri 12th February)

Rotational cryptanalysis of round-reduced Keccak

RadioGatún, a belt-and-mill hash function

Reading: Chapter 9.3. Carnegie Mellon

Bit-Pattern Based Integral Attack

Analysis of Algorithms. Outline 1 Introduction Basic Definitions Ordered Trees. Fibonacci Heaps. Andres Mendez-Vazquez. October 29, Notes.

Languages, logics and automata

CSE 202 Homework 4 Matthias Springer, A

Decision Trees. CSC411/2515: Machine Learning and Data Mining, Winter 2018 Luke Zettlemoyer, Carlos Guestrin, and Andrew Moore

Further discussion of Turing machines

1 Last time and today

On improving matchings in trees, via bounded-length augmentations 1

HW #4. (mostly by) Salim Sarımurat. 1) Insert 6 2) Insert 8 3) Insert 30. 4) Insert S a.

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

State of the art Image Compression Techniques

5 Quiver Representations

HAMILTON CYCLES IN RANDOM REGULAR DIGRAPHS

Cache Oblivious Stencil Computations

Transcription:

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1,2 Joan Daemen 1,3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017 S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 1 / 31

Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 2 / 31

Introduction Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 3 / 31

Introduction Differential trails Differential trails in iterated mappings Trail: the sequence of differences after each round DP(Q): fraction of pairs that exhibit q i differences S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 4 / 31

Introduction Differential trails Differential trails and weight w = log 2 (DP) The weight is the number of binary conditions that a pair must satisfy to exhibit q i differences If independent conditions and w(q) < b: #pairs(q) 2 b w(q) S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 5 / 31

Introduction Differential trails Trail extension Given a trail, we can extend it forward: iterate over all differences R-compatible with q 5 backward: iterate over all differences R 1 -compatible with q 1 Extension can be done recursively S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 6 / 31

Introduction Differential trails Trail extension Given a trail, we can extend it forward: iterate over all differences R-compatible with q 5 backward: iterate over all differences R 1 -compatible with q 1 Extension can be done recursively S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 6 / 31

Introduction Differential trails Trail extension Given a trail, we can extend it forward: iterate over all differences R-compatible with q 5 backward: iterate over all differences R 1 -compatible with q 1 Extension can be done recursively S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 6 / 31

Introduction Differential trails Trail extension Given a trail, we can extend it forward: iterate over all differences R-compatible with q 5 backward: iterate over all differences R 1 -compatible with q 1 Extension can be done recursively S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 6 / 31

Introduction Differential trails Trail cores Minimum reverse weight: w rev (q 1 ) min q 0 w(q 0, q 1 ) Can be used to lower bound set of trails Trail core: set of trails with q 1, q 2,... in common S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 7 / 31

Introduction Goals of this work Goals of this work Present general techniques to generate trails Improve bounds of differential trails in Keccak-f By extending the space of trails in Keccak-f that can be scanned with given computation resources rounds Keccak-f [200] Keccak-f [400] Keccak-f [800] Keccak-f [1600] 2 8 8 8 8 3 20 this work this work 32 4 46 this work this work this work 5 this work this work this work this work 6 this work this work this work this work S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 8 / 31

Generating trails Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 9 / 31

Generating trails Second-order approach Generation of n-round trails of weight T First-order approach Starting from 1-round differentials with weight T n Second-order approach Starting from 2-round trails with weight 2T n Fact The number of 2-round trails with weight 2L is much smaller than the number of 1-round differentials with weight L. Example: AES AES has more than 10 11 round differentials with weight 15, but no 2-round trail with weight 30 S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 10 / 31

Generating trails Tree traversal Generating 2-round trails as tree traversal 2-round trails are arranged in a tree Children are generated by adding groups of active bits without removing bits already added Pruning by lower bounding the weight of a node and its children S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 11 / 31

Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 12 / 31

Keccak-f Keccak-f Operates on 3D state: state y z x (5 5)-bit slices 2 l -bit lanes parameter 0 l < 7 Round function with 5 steps: θ: mixing layer ρ: inter-slice bit transposition π: intra-slice bit transposition χ: non-linear layer ι: round constants # rounds: 12 + 2l for width b = 2 l 25 12 rounds in Keccak-f [25] 24 rounds in Keccak-f [1600] S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 13 / 31

Keccak-f Keccak-f Operates on 3D state: slice y z x (5 5)-bit slices 2 l -bit lanes parameter 0 l < 7 Round function with 5 steps: θ: mixing layer ρ: inter-slice bit transposition π: intra-slice bit transposition χ: non-linear layer ι: round constants # rounds: 12 + 2l for width b = 2 l 25 12 rounds in Keccak-f [25] 24 rounds in Keccak-f [1600] S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 13 / 31

Keccak-f Keccak-f Operates on 3D state: row y z x (5 5)-bit slices 2 l -bit lanes parameter 0 l < 7 Round function with 5 steps: θ: mixing layer ρ: inter-slice bit transposition π: intra-slice bit transposition χ: non-linear layer ι: round constants # rounds: 12 + 2l for width b = 2 l 25 12 rounds in Keccak-f [25] 24 rounds in Keccak-f [1600] S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 13 / 31

Keccak-f Keccak-f Operates on 3D state: column y z x (5 5)-bit slices 2 l -bit lanes parameter 0 l < 7 Round function with 5 steps: θ: mixing layer ρ: inter-slice bit transposition π: intra-slice bit transposition χ: non-linear layer ι: round constants # rounds: 12 + 2l for width b = 2 l 25 12 rounds in Keccak-f [25] 24 rounds in Keccak-f [1600] S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 13 / 31

Keccak-f Properties of θ + = column parity θ effect combine The θ map adds a pattern, that depends on the parity, to the state. Affected columns are complemented Unaffected columns are not changed S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 14 / 31

Keccak-f The parity Kernel + = column parity θ effect combine θ acts as the identity if parity is zero A state with parity zero is in the kernel (or in K ) A state with parity non-zero is outside the kernel (or in N ) S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 15 / 31

Trails in Keccak-f Differential trails in Keccak-f Round: linear step λ = π ρ θ and non-linear step χ a i fully determines b i = λ(a i ) χ has degree 2: w(b i 1 ) independent of a i Minimum reverse weight: w rev (a 1 ) min b 0 w(b 0 ) S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 16 / 31

Trails in Keccak-f Differential trails in Keccak-f Round: linear step λ = π ρ θ and non-linear step χ a i fully determines b i = λ(a i ) χ has degree 2: w(b i 1 ) independent of a i Minimum reverse weight: w rev (a 1 ) min b 0 w(b 0 ) S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 16 / 31

Trails in Keccak-f Differential trails in Keccak-f Round: linear step λ = π ρ θ and non-linear step χ a i fully determines b i = λ(a i ) χ has degree 2: w(b i 1 ) independent of a i Minimum reverse weight: w rev (a 1 ) min b 0 w(b 0 ) S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 16 / 31

Generating 3-round trail cores Covering the space of 3-round trail cores Space split based on parity of a i Four classes: K K, K N, N K and N N S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 17 / 31

Generating 3-round trail cores Covering the space of 3-round trail cores Generating (a 1, b 1 ) Extending forward by one round S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 17 / 31

Generating 3-round trail cores Covering the space of 3-round trail cores Generating (a 1, b 1 ) Extending forward by one round S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 17 / 31

Generating 3-round trail cores Covering the space of 3-round trail cores Generating (a 2, b 2 ) Extending backward by one round S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 17 / 31

Generating 3-round trail cores Covering the space of 3-round trail cores Generating (a 2, b 2 ) Extending backward by one round S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 17 / 31

Generating trail cores in K as tree traversal Generating trail cores in K To stay in K units are orbitals = pairs of active bits in the same column A state a is a set of orbitals a = {u i } i=1,...,n In the tree: the children of a node a are a {u n+1 } S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 18 / 31

Generating trail cores in K as tree traversal Order relation over units A total order relation over units allows avoiding duplicates With a total order over units, a state is an ordered list of units: a = (u i ) i=1,...,n s.t. u 1 u 2 u n In the tree: the children of a node a are a {u n+1 } u n+1 s.t. u n u n+1 For orbitals: the lexicographic order [z, x, y 1, y 2 ] S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 19 / 31

Generating trail cores in K as tree traversal Pruning by lower bounding the weight The weight is monotonic in the addition of orbitals The weight of a lower bounds the weight of all descendants of a As soon as the search encounters a with weight above the limit, a and all its descendants can be safely pruned S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 20 / 31

Generating trail cores in N as tree traversal Parity-bare states Parity-bare state: a state with the minimum number of active bits before and after θ for a given parity 0 active bits in unaffected even columns 1 active bit in unaffected odd column 5 active bits in affected column either before or after θ θ S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 21 / 31

Generating trail cores in N as tree traversal States in N Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 22 / 31

Generating trail cores in N as tree traversal States in N Lemma Each state can be decomposed in a unique way in a parity-bare state and a list of orbitals θ S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 22 / 31

Generating trail cores in N as tree traversal Orbital tree Root: a parity-bare state Units: orbitals in unaffected columns Order: the lexicographic order on [z, x, y 1, y 2 ] Bound: weight of the trail itself S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 23 / 31

Generating trail cores in N as tree traversal Run tree Root: the empty state Units: column assignments Bound: by estimating maximum weight lost due to addition of new column assignments S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 24 / 31

Extending trails Trail extension forward: iterate a 4 over all differences χ-compatible with b 3 backward: iterate b 1 over all differences χ 1 -compatible with a 0 in the kernel: restrict to differences with parity zero outside the kernel: restrict to differences with parity non-zero K N N K S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 25 / 31

Extending trails Forward extension Set of compatible states is an affine space A(b r ) = e + V Basis transformation: V = V K + V N Extension in K by scanning e K + V K possible e K exists Extension in N by scanning e + V K + V N Scanning as a tree traversal root: is the offset children: by incrementally adding basis vectors bound: by estimating the maximum weight lost due to addition of basis vectors not already added S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 26 / 31

Experimental results Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 27 / 31

Experimental results Experimental results All 3-round trail cores with weight 45 # cores 10 4 10 3 10 2 10 Keccak-f [200] Keccak-f [400] Keccak-f [800] Keccak-f [1600] 1 20 22 24 26 28 30 32 34 36 38 40 42 44 T 3 No 6-round trail with weight 91 S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 28 / 31

Conclusions Outline 1 Introduction 2 Generating trails 3 Scanning space of trails in Keccak-f 4 Experimental results 5 Conclusions S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 29 / 31

Conclusions Conclusions General formalism to generate differential patterns as simple and efficient tree traversal New bounds for Keccak-f and new trails with the lowest known weight rounds b = 200 b = 400 b = 800 b = 1600 2 8 8 8 8 3 20 24 32 32 4 46 [48,63] [48,104] [48,134] 5 [50,89] [50,147] [50,247] [50,372] 6 [92,142] [92,278] [92,556] [92,1112] Table: Current bounds for the minimum weight of differential trails S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 30 / 31

Conclusions Thanks for your attention S. Mella, J. Daemen, G. Van Assche New techniques for trail bounds and application to differential trails in Keccak 31 / 31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback