-
Notifications
You must be signed in to change notification settings - Fork 7
/
README.txt
140 lines (94 loc) · 6.66 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
*=============================================================================*
| |
* [ ./diffp -- Differential Pattern Search Program for MD6 ] *
| |
*=============================================================================*
> diffp is a program for finding the Active And Gate lower bound of differential
patterns in MD6. It was used to find the results presented in 'Restoring the
Differential Security of MD6'. Included with diffp is assorted scripts for
parsing and assembling lower bounds generated by diffp.
I.List of files:
==============================================================================*
+ README.txt - This file.
+ Makefile - Makefile for compiling diffc source code.
+ src\
+ diffp.c - diffp source code file.
+ arg_handler.c - diffp source code file.
+ md6parts.c - diffp source code file.
+ test.c - diffp unit test source code file.
+ parse_diffp.py - python script for parsing json diffp output.
+ lb.py - python script for assembling lower bounds.
+ output\
+ ntp_0_192_16__2.txt - output file used in results (non-trivial).
+ ntp_96_288__e4_r__2.txt - output file used in results (non-trivial).
+ tp_0_1120_16__2.txt - output file used in results (trivial).
II. Setup:
==============================================================================*
* Within the diffp working directory
make compile
* To run unit tests (the tests take a while to run)
make run_test
III. Running diffp
==============================================================================*
* ./diffp to run with no options set (referred to in 'Restoring the
Differential Security of MD6' as the corrected program).
* ./diffp --help for instructions on options.
* To replicate results presented in 'Restoring the Differential Security of
MD6' run the following commands:
./diffp -t -a 0 -b 1120 -i 16 -j > tp_0_1120_16__2.txt
These options tell the checker to start at step 0 and end at step 1120,
increment the current step by 16 (1 round) and to only compute trivial
patterns (patterns with 3 or less positions of difference in the first 89
steps).
./diffp -n -a 0 -b 192 -i 16 -j > ntp_0_192_16__2.txt
These options specify (step 0 to step 192 by 16 step increments) and to
only compute non-trivial patterns (patterns with 4 or more positions of
difference each rotation (89 steps)).
./diffp -n -a 96 -b 288 -i 16 -r -e 4 -j > ntp_96_288__e4_r__2.txt
Same as above but skip computing the first rotation (-r) and assume
that we activated at least 4 AND gates in the first rotation(-e 4).
Note: these commands may take an extremely long time to complete, the
output files in the output directory are the result of three weeks
compute time after which these processes were manually terminated.
IV. Assembling the lower bounds:
===============================================================================*
* To assemble the lower bounds that the above diffp commanded created run:
python src/lb.py 153 <(python src/parse_diffp.py tp_0_1120_16__2.txt) <(python src/parse_diffp.py ntp_0_192_16__2.txt ntp_96_288__e4_r__2.txt)
Tries every logically possible combination of the these paths within
the rounds given (153) and outputs the minimum AAG cost.
* We have supplied example outputs in the outputs directory so that one
don't need run diffp for three weeks to play with lp.py. We present
an example run below for 153 rounds (168 - 15 round security margin):
python src/lb.py 153 <(python src/parse_diffp.py output/tp_0_1120_16__2.txt) <(python src/parse_diffp.py output/ntp_0_192_16__2.txt output/ntp_96_288__e4_r__2.txt)
For output we get: Minimum Pattern 333333331T, Cost 289 (T stands for a
trivial pattern, the numbers stand for the number of repeated
non-trivial patterns). Thus our output shows that for 153 rounds we must
activate at least 289 AND gates, well beyond the 256 AAGs necessary for
diff security.
Furthermore if we supply 137 rounds instead of 153 rounds lp.py's
output shows us that at least 257 AND gates are activated. This
establishes that md6 has a security margin of 31 rounds!
V. Change List:
===============================================================================*
Changes from diff10.c to diffp.c ~ Ethan Heilman
1. Added test code to test AAG counting and lower bounding logic.
2. Added ability to supply constraints on md6 input (trivial and non-trivial
patterns).
3. Added argument parser.
4. Refactored constants so that we can swap in MD6 variants with an include.
5. Altered output to bring it more in line with the aims of change 2.
6. Added options to allow users to more specifically state the space they
wish to search.
7. Added makefile as code is now in more than one place ( diffp.c, test.c,
arg_handler.c )
8. Added python scripts lb.py and parse_diffp.py so that output files
generated in by diffp can be assembled into a full lower bound.
9. Added performance metrics such as number of recursions and time taken for
a particular search.
VI. License for diffp, assorted scripts and documentation:
==============================================================================*
The MIT License (MIT)
Copyright (c) 2011 Ron Rivest, Yiqun Yin, Yuncheng Lin, Emily Shen, and Ethan Heilman.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.