./diffp -- Differential Pattern Search Program for MD6. This software is used to reestablish the differential resistance of MD6. It uses a classification system of differential weight patterns that allows us to extend previous analysis to prove that MD6 is resistant to differential cryptanalysis. Our analysis allows us to more than double the se…
C Python
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
output
src
Makefile
README.txt

README.txt

*=============================================================================*
|                                                                             |
*         [ ./diffp -- Differential Pattern Search Program for MD6 ]          *
|                                                                             |
*=============================================================================*

> diffp is a program for finding the Active And Gate lower bound of differential 
patterns in MD6. It was used to find the results presented in 'Restoring the 
Differential Security of MD6'. Included with diffp is assorted scripts for 
parsing and assembling lower bounds generated by diffp.

I.List of files:
==============================================================================*

  + README.txt        - This file.
  + Makefile          - Makefile for compiling diffc source code.
  
  + src\ 
    + diffp.c         - diffp source code file.
    + arg_handler.c   - diffp source code file. 
    + md6parts.c      - diffp source code file. 
    + test.c          - diffp unit test source code file.
    + parse_diffp.py  - python script for parsing json diffp output. 
    + lb.py           - python script for assembling lower bounds.

  + output\
    + ntp_0_192_16__2.txt       - output file used in results (non-trivial).
    + ntp_96_288__e4_r__2.txt   - output file used in results (non-trivial).
    + tp_0_1120_16__2.txt       - output file used in results (trivial).


II. Setup:
==============================================================================*
  * Within the diffp working directory
     make compile

  * To run unit tests (the tests take a while to run) 
     make run_test


III. Running diffp
==============================================================================*
  * ./diffp to run with no options set (referred to in 'Restoring the 
     Differential Security of MD6' as the corrected program).
  
  * ./diffp --help for instructions on options.

  * To replicate results presented in 'Restoring the Differential Security of 
     MD6' run the following commands:

     ./diffp -t -a 0 -b 1120 -i 16 -j > tp_0_1120_16__2.txt

       These options tell the checker to start at step 0 and end at step 1120, 
     increment the current step by 16 (1 round) and to only compute trivial 
     patterns (patterns with 3 or less positions of difference in the first 89 
     steps). 

     ./diffp -n -a 0 -b 192 -i 16 -j > ntp_0_192_16__2.txt

       These options specify (step 0 to step 192 by 16 step increments) and to 
     only compute non-trivial patterns (patterns with 4 or more positions of 
     difference each rotation (89 steps)).

     ./diffp -n -a 96 -b 288 -i 16 -r -e 4 -j > ntp_96_288__e4_r__2.txt

       Same as above but skip computing the first rotation (-r) and assume 
     that we activated at least 4 AND gates in the first rotation(-e 4).

       Note: these commands may take an extremely long time to complete, the 
     output files in the output directory are the result of three weeks 
     compute time after which these processes were manually terminated. 


IV. Assembling the lower bounds:
===============================================================================*

    * To assemble the lower bounds that the above diffp commanded created run:
    
       python src/lb.py 153 <(python src/parse_diffp.py tp_0_1120_16__2.txt) <(python src/parse_diffp.py ntp_0_192_16__2.txt ntp_96_288__e4_r__2.txt)

         Tries every logically possible combination of the these paths within 
       the rounds given (153) and outputs the minimum AAG cost.
    
    * We have supplied example outputs in the outputs directory so that one
       don't need run diffp for three weeks to play with lp.py. We present 
       an example run below for 153 rounds (168 - 15 round security margin): 

       python src/lb.py 153 <(python src/parse_diffp.py output/tp_0_1120_16__2.txt) <(python src/parse_diffp.py output/ntp_0_192_16__2.txt output/ntp_96_288__e4_r__2.txt)

         For output we get: Minimum Pattern 333333331T, Cost 289  (T stands for a
       trivial pattern, the numbers stand for the number of repeated 
       non-trivial patterns). Thus our output shows that for 153 rounds we must
       activate at least 289 AND gates, well beyond the 256 AAGs necessary for 
       diff security. 
         Furthermore if we supply 137 rounds instead of 153 rounds lp.py's 
       output shows us that at least 257 AND gates are activated. This 
       establishes that md6 has a security margin of 31 rounds!


V. Change List:
===============================================================================*

Changes from diff10.c to diffp.c ~ Ethan Heilman
 
  1. Added test code to test AAG counting and lower bounding logic.

  2. Added ability to supply constraints on md6 input (trivial and non-trivial 
       patterns).

  3. Added argument parser.

  4. Refactored constants so that we can swap in MD6 variants with an include. 

  5. Altered output to bring it more in line with the aims of change 2.

  6. Added options to allow users to more specifically state the space they
       wish to search.

  7. Added makefile as code is now in more than one place ( diffp.c, test.c, 
       arg_handler.c )

  8. Added python scripts lb.py and parse_diffp.py so that output files 
       generated in by diffp can be assembled into a full lower bound.

  9. Added performance metrics such as number of recursions and time taken for 
       a particular search.


VI. License for diffp, assorted scripts and documentation:
==============================================================================*

The MIT License (MIT)
Copyright (c) 2011 Ron Rivest, Yiqun Yin, Yuncheng Lin, Emily Shen, and Ethan Heilman.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.