Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
*=============================================================================* | | * [ ./diffp -- Differential Pattern Search Program for MD6 ] * | | *=============================================================================* > diffp is a program for finding the Active And Gate lower bound of differential patterns in MD6. It was used to find the results presented in 'Restoring the Differential Security of MD6'. Included with diffp is assorted scripts for parsing and assembling lower bounds generated by diffp. I.List of files: ==============================================================================* + README.txt - This file. + Makefile - Makefile for compiling diffc source code. + src\ + diffp.c - diffp source code file. + arg_handler.c - diffp source code file. + md6parts.c - diffp source code file. + test.c - diffp unit test source code file. + parse_diffp.py - python script for parsing json diffp output. + lb.py - python script for assembling lower bounds. + output\ + ntp_0_192_16__2.txt - output file used in results (non-trivial). + ntp_96_288__e4_r__2.txt - output file used in results (non-trivial). + tp_0_1120_16__2.txt - output file used in results (trivial). II. Setup: ==============================================================================* * Within the diffp working directory make compile * To run unit tests (the tests take a while to run) make run_test III. Running diffp ==============================================================================* * ./diffp to run with no options set (referred to in 'Restoring the Differential Security of MD6' as the corrected program). * ./diffp --help for instructions on options. * To replicate results presented in 'Restoring the Differential Security of MD6' run the following commands: ./diffp -t -a 0 -b 1120 -i 16 -j > tp_0_1120_16__2.txt These options tell the checker to start at step 0 and end at step 1120, increment the current step by 16 (1 round) and to only compute trivial patterns (patterns with 3 or less positions of difference in the first 89 steps). ./diffp -n -a 0 -b 192 -i 16 -j > ntp_0_192_16__2.txt These options specify (step 0 to step 192 by 16 step increments) and to only compute non-trivial patterns (patterns with 4 or more positions of difference each rotation (89 steps)). ./diffp -n -a 96 -b 288 -i 16 -r -e 4 -j > ntp_96_288__e4_r__2.txt Same as above but skip computing the first rotation (-r) and assume that we activated at least 4 AND gates in the first rotation(-e 4). Note: these commands may take an extremely long time to complete, the output files in the output directory are the result of three weeks compute time after which these processes were manually terminated. IV. Assembling the lower bounds: ===============================================================================* * To assemble the lower bounds that the above diffp commanded created run: python src/lb.py 153 <(python src/parse_diffp.py tp_0_1120_16__2.txt) <(python src/parse_diffp.py ntp_0_192_16__2.txt ntp_96_288__e4_r__2.txt) Tries every logically possible combination of the these paths within the rounds given (153) and outputs the minimum AAG cost. * We have supplied example outputs in the outputs directory so that one don't need run diffp for three weeks to play with lp.py. We present an example run below for 153 rounds (168 - 15 round security margin): python src/lb.py 153 <(python src/parse_diffp.py output/tp_0_1120_16__2.txt) <(python src/parse_diffp.py output/ntp_0_192_16__2.txt output/ntp_96_288__e4_r__2.txt) For output we get: Minimum Pattern 333333331T, Cost 289 (T stands for a trivial pattern, the numbers stand for the number of repeated non-trivial patterns). Thus our output shows that for 153 rounds we must activate at least 289 AND gates, well beyond the 256 AAGs necessary for diff security. Furthermore if we supply 137 rounds instead of 153 rounds lp.py's output shows us that at least 257 AND gates are activated. This establishes that md6 has a security margin of 31 rounds! V. Change List: ===============================================================================* Changes from diff10.c to diffp.c ~ Ethan Heilman 1. Added test code to test AAG counting and lower bounding logic. 2. Added ability to supply constraints on md6 input (trivial and non-trivial patterns). 3. Added argument parser. 4. Refactored constants so that we can swap in MD6 variants with an include. 5. Altered output to bring it more in line with the aims of change 2. 6. Added options to allow users to more specifically state the space they wish to search. 7. Added makefile as code is now in more than one place ( diffp.c, test.c, arg_handler.c ) 8. Added python scripts lb.py and parse_diffp.py so that output files generated in by diffp can be assembled into a full lower bound. 9. Added performance metrics such as number of recursions and time taken for a particular search. VI. License for diffp, assorted scripts and documentation: ==============================================================================* The MIT License (MIT) Copyright (c) 2011 Ron Rivest, Yiqun Yin, Yuncheng Lin, Emily Shen, and Ethan Heilman. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.