
1 Good afternoon, everyone.
This presentation is about Extending the Applicability of the Mixed-integer Programming Technique in Automatic Differential Cryptanalysis. I am the presenter, Xiaoshuang Ma.

2 Here is the outline.

3 First, I'll give a brief introduction to the MIP-based method for automatic differential analysis.

4 Automatic differential analysis is studied under the framework of constraint programming. The earlier methods of Mouha et al., Wu et al. and Sun et al. convert the problem of counting the minimum number of differentially active S-boxes into an MIP problem, which can then be solved automatically with open-source or commercial optimizers. These methods have been applied to evaluate the security against differential attacks of many block ciphers built from three operations: bit-wise XOR, bit permutation and S-box. At Asiacrypt 2014, two systematic methods for generating linear inequalities describing the differential properties of an arbitrary S-box were given. However, these tools cannot be used to find the actual differential characteristics directly.

5 In this work, we attempt to use the MIP-based method in a clever way so that more of the work in differential analysis can be done automatically. First, we treat the modular addition in the key schedule of PRIDE as an 8 × 8 S-box and partially model its differential behavior with the MIP method; I will show how to enumerate high-probability 2-round iterative related-key differential characteristics of PRIDE, whose key schedule contains modular addition operations. Second, by using constraints from the H-representation of a specific convex hull, we give a method for constructing MIP models whose feasible regions are exactly the sets of all possible differential characteristics of SIMON. Third, we present an MIP-based method for automating the analysis of how the differences at the two ends of a differential distinguisher propagate. Although this last approach is of no theoretical interest, our daily work has shown that such a tool is very convenient and more reliable than other methods.

6 In the second part, I'll show how to enumerate high-probability 2-round iterative related-key differential characteristics of PRIDE, whose key schedule contains modular addition operations.

7 Here I'll give a brief introduction to PRIDE.
PRIDE is a block cipher based on the FX construction, with a 64-bit block and a 128-bit key. It consists of 20 rounds, of which the first 19 are identical; the overall structure of PRIDE is depicted in the figure.

8 The round function of PRIDE is an SPN: the state is XORed with the round key fi(k1), permuted by a bit permutation, fed into 16 parallel 4-bit S-boxes and then processed by the linear layer, which consists of bit permutations and linear transformations, as shown in the picture.

9 The 128-bit master key of PRIDE is divided into two 64-bit words k0 and k1; k0 is used as the pre- and post-whitening key. The subkey fi(k1) of the i-th round is defined as follows, where k1,i is the i-th byte of k1 and the functions gi(j)(·) are defined as follows.

10 Take the function gi(0)(·) as an example: it adds the constant 193·i, which is fixed for a given i, to its 8-bit input modulo 2^8. Hence gi(0) can be treated as an 8 × 8 S-box whose differential behavior can be modeled by the convex hull computation method. For simplicity we demonstrate the method on g1(0)(·); the other functions are handled in the same way. First, compute the differential distribution table (DDT) of g1(0)(·). Second, from the DDT, select a set H of differential patterns (x, y) whose differential probability is large enough. Third, using the convex hull computation method, compute the H-representation of the convex hull of H and derive from it the critical set OH, which is an exact linear-inequality description of the differential patterns contained in H.

11 The differential patterns contained in the set H are listed here.
And this is the system of linear inequalities OH .
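The first two steps of slide 10, as an added example that is not code from the talk or its authors: it builds the DDT of g1(0) treated as an 8 × 8 S-box, selects the high-probability pattern set H, and encodes each pattern as the 0-1 vector that the convex hull step takes as a point. It assumes gi(0)(x) = (x + 193·i) mod 2^8 on an 8-bit input (the talk gives the operand 193·i and the 8 × 8 width) and uses a probability threshold of 2^-3 for H, which is an illustrative choice rather than the talk's value.

```python
# Added example (not from the talk): DDT and pattern set H for PRIDE's
# key-schedule function g_1^(0), treated as an 8x8 S-box (slide 10, steps 1-2).
# Assumptions: g_i^(0)(x) = (x + 193*i) mod 2^8 on an 8-bit input; the
# threshold 2^-3 used to select H is an illustrative choice.

def g0(i, x):
    """g_i^(0): add the round-dependent constant 193*i to the key byte x, mod 2^8."""
    return (x + 193 * i) & 0xFF

def ddt(sbox):
    """Differential distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def select_patterns(table, min_prob):
    """The set H of slide 10: every (dx, dy) whose differential probability is >= min_prob."""
    n = len(table)
    return {(dx, dy) for dx in range(n) for dy in range(n) if table[dx][dy] >= min_prob * n}

def to_bitvector(dx, dy, width=8):
    """Encode a pattern as (input-difference bits || output-difference bits), a point of {0,1}^16
    whose convex hull the next step of the method computes."""
    return tuple(int(c) for c in f"{dx:0{width}b}{dy:0{width}b}")

def build_h(i=1, min_prob=2 ** -3):
    """Run steps 1 and 2 for g_i^(0): return the DDT and H as a set of 16-bit 0-1 vectors."""
    sbox = [g0(i, x) for x in range(256)]
    table = ddt(sbox)
    patterns = select_patterns(table, min_prob)
    return table, {to_bitvector(dx, dy) for dx, dy in patterns}

if __name__ == "__main__":
    table, h = build_h()
    print("patterns in H:", len(h))
    # Flipping bit 7 of the input changes x + c by exactly 128 mod 256, so the
    # MSB difference passes through a constant addition with probability 1.
    print("Pr[0x80 -> 0x80] =", table[0x80][0x80] / 256)
```

The 16-bit vectors returned by build_h are the input to the convex hull computation; the deterministic 0x80 → 0x80 transition is a useful sanity check on any DDT of a modular constant addition, and any nonzero input difference with output difference 0 must have count 0 because the map is a bijection.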

12 At this point, we can construct an MIP model that partially describes the differential behavior of PRIDE in the related-key model. With this model, we enumerate the 2-round iterative related-key differential characteristics of PRIDE with probability 2^-4. Finally, we construct an 18-round related-key differential of PRIDE with probability at least 2^-36.

13 In the next part, I'll show how to construct MIP models whose feasible regions are exactly the sets of all possible differential characteristics of SIMON.

14 A method for constructing MIP models whose feasible regions are exactly the sets of all possible differential (or linear) characteristics for a wide range of block ciphers was presented in this paper by Sun, Hu et al. For SIMON, however, this method is no longer exact: the feasible region of the MIP model constructed for SIMON contains invalid differential characteristics, because the input bits of the AND operations are not independent, and these invalid characteristics must be filtered out by other means. In the following, by using constraints from the H-representation of a specific convex hull, we give a method for constructing MIP models whose feasible regions are exactly the sets of all possible differential characteristics of SIMON. We focus on SIMON32, with a 32-bit block; the other variants are handled in the same way.

15 The nonlinear layer of SIMON32 can be described by a non-linear function F, where the dot denotes the bitwise AND operation. Let Δ and δ be the input and output differences, respectively. Then the differential Δ → δ is valid for F if and only if the following system of equations in the xi has a solution. To generate exact models for SIMON, we introduce a new set of variables for every round and add constraints dictating that this system of equations has a solution.

16 Taking the first equation as an example, let formula one denote the set of all 0-1 solutions of this equation; its vectors are listed here. We can now compute the critical set O of the H-representation of the convex hull of formula one by the method presented before.

17 The H-representation of the convex hull of formula one is given here, where every 6-dimensional vector denotes a linear inequality.

18 From the H-representation we derive the critical set O, which is listed here.
O is a set of 9 linear inequalities in the 5 variables shown. For every equation given before we derive a corresponding critical set, and we add all these sets of linear constraints to the overall MIP model. This yields an MIP model for SIMON whose feasible region is exactly the set of all differential characteristics of SIMON.
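The construction of slides 15 to 18 for a single AND gate, as an added example that is not code from the talk or its authors. For one output bit of F, with a and b the input differences on the two AND operands, x and y the unknown operand bits and d the output difference the gate must produce, the gate's differential equation is (x ⊕ a)(y ⊕ b) ⊕ xy = d; the 0-1 solutions of this equation are the set whose exact description is wanted. The example replaces the convex-hull tool that produces the H-representation with a brute-force enumeration of small-coefficient inequalities valid on every solution (an assumption made so the code runs without external software), then applies the greedy critical-set reduction and checks that the reduced set cuts out exactly the solution set. Its critical set may differ in count and form from the 9 inequalities on the slide.

```python
# Added example (not from the talk): exact 0-1 description of one AND-gate
# differential condition in SIMON, following the idea of slides 15-18.
# Variables (a, b, x, y, d): a, b are the input differences on the two AND
# operands, x, y the unknown operand bits, d the required output difference.
# Assumptions: valid inequalities are enumerated by brute force over small
# integer coefficients instead of taken from a convex-hull (H-representation)
# tool; the greedy reduction keeps, at each step, the inequality that excludes
# the most remaining impossible 0-1 points.
from itertools import product

NVARS = 5  # (a, b, x, y, d)

def and_gate_solutions():
    """All 0-1 vectors (a, b, x, y, d) satisfying (x ^ a)(y ^ b) ^ x*y = d."""
    return {(a, b, x, y, ((x ^ a) & (y ^ b)) ^ (x & y))
            for a, b, x, y in product((0, 1), repeat=4)}

def satisfies(ineq, point):
    """ineq = (c1, ..., c5, c0) encodes c1*v1 + ... + c5*v5 + c0 >= 0."""
    return sum(c * v for c, v in zip(ineq[:NVARS], point)) + ineq[NVARS] >= 0

def valid_inequalities(solutions, coefs=(-2, -1, 0, 1, 2), consts=range(-4, 5)):
    """Every small-coefficient inequality that holds on all solution vectors.
    This pool stands in for the H-representation, which is also a list of valid inequalities."""
    return [ineq for ineq in product(*([coefs] * NVARS), consts)
            if all(satisfies(ineq, p) for p in solutions)]

def critical_set(solutions, candidates, nvars=NVARS):
    """Greedy reduction: add the candidate cutting the most still-feasible impossible
    points until none remains, so the chosen set excludes exactly the non-solutions."""
    impossible = set(product((0, 1), repeat=nvars)) - solutions
    chosen = []
    while impossible:
        best = max(candidates, key=lambda q: sum(not satisfies(q, p) for p in impossible))
        cut = {p for p in impossible if not satisfies(best, p)}
        if not cut:
            raise ValueError("candidate pool cannot separate the remaining points")
        chosen.append(best)
        impossible -= cut
    return chosen

def feasible_region(ineqs, nvars=NVARS):
    """0-1 points satisfying every inequality: the feasible region the MIP model sees."""
    return {p for p in product((0, 1), repeat=nvars) if all(satisfies(q, p) for q in ineqs)}

if __name__ == "__main__":
    sols = and_gate_solutions()
    crit = critical_set(sols, valid_inequalities(sols))
    print(f"{len(sols)} solutions, {len(crit)} inequalities in the critical set:")
    for c1, c2, c3, c4, c5, c0 in crit:
        print(f"  {c1}*a + {c2}*b + {c3}*x + {c4}*y + {c5}*d + {c0} >= 0")
    print("exact:", feasible_region(crit) == sols)
```

The exactness check at the end is the property the talk is after: adding these inequalities for every AND gate, with fresh x and y variables per round, leaves no invalid characteristic in the feasible region. The same two functions, critical_set and feasible_region, apply to the 16-bit pattern set H of slide 10 once the H-representation of its convex hull is available from a convex-hull tool, since the brute-force pool is only practical for a handful of variables.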

19 In the fourth part, we give an MIP-based method for automating the analysis of the propagation of the differences at the two ends of a differential distinguisher.

20 In a typical differential attack, after a good differential has been identified and a distinguisher built from it, the attacker attempts to recover some secret key bits from the rounds surrounding the distinguisher. To do so, the attacker must analyze how the differences at the two ends of the distinguisher evolve through the outer rounds of the cipher under consideration. At first glance, our approach seems like overkill, since it converts a simple task that can be done by hand into solving many small MIP instances. But, as the programming and computer-engineering community has long recognized, we follow the Rule of Economy: programmer time is expensive; conserve it in preference to machine time. The advantage of the method presented in this section is that it integrates into the MIP framework for automatic differential analysis, and therefore significantly reduces the cryptanalyst's burden.

21 Here comes the conclusion.

22 All in all, this work makes some contributions to the MIP-based method for automatic differential analysis and further strengthens the position of MIP as a promising tool in automatic differential cryptanalysis.

23 Here are some of the references.

24 Thank you for your attention.

