
A New Look at Counters: Don't Run Like Marathon in a Hundred Meter Race

Avijit Dutta, Ashwin Jha and Mridul Nandi, Indian Statistical Institute Kolkata. Directions in Authenticated Ciphers '16, Nagoya, September 27, 2016.


  1. A New Look at Counters: Don’t Run Like Marathon in a Hundred Meter Race
     Directions in Authenticated Ciphers ’16, Nagoya
     Avijit Dutta, Ashwin Jha and Mridul Nandi
     September 27, 2016
     Indian Statistical Institute Kolkata

  2. Counters in Cryptography
     $\langle 0\rangle_s, \langle 1\rangle_s, \langle 2\rangle_s, \langle 3\rangle_s, \ldots, \langle 2^s - 1\rangle_s$, where $\langle i\rangle_s$ is the $s$-bit binary representation of $i$ for some fixed $s$.
     Classical View:
     • Prevents collisions on the inputs to the underlying primitive.
     • Encoded within message blocks: HAIFA, XORMAC, LightMAC.
     • Standalone input: CTR mode, HAIFA, GCM, SIV.


  5. Counter-Based Input Encoding
     [Figure: CTR encodes a message $M$ of length $\ell$ into $n$-bit blocks $X_1, X_2, \ldots, X_b$; diagram labels $f_1$, $f_2$, $t$]
     $X := \langle 1\rangle_s \| M_1 \mid \langle 2\rangle_s \| M_2 \mid \cdots \mid \langle b\rangle_s \| M_b$
     Security Needs
     • Blockwise Collision-free: $\forall i \neq j,\ X_i \neq X_j$.
     • Injective: $\forall M \neq M',\ X \neq X'$.
     Rate signifies Efficiency
     $\mathrm{rate}_{\mathrm{STD}} = \frac{n - s}{n}$, where $s = \log_2 L$, $L$ being the maximum permissible message length.
     Example: For $n = 128$ and $s = 64$, the rate is $0.5$ for any message lengths.
     Can we have better rate for smaller messages?


  7. $\mathrm{STD}_{\mathrm{opt}}$: Length Dependent Counter Scheme
     • Computes the optimal counter size ($\approx \log_2 \ell$) for the given message length $\ell$.
     $\mathrm{rate}_{\mathrm{STD_{opt}}} = \frac{n - \log_2 \ell}{n}$
     Comparison
     • For $\ell < L$, $\mathrm{rate}_{\mathrm{STD_{opt}}} > \mathrm{rate}_{\mathrm{STD}}$. For $n = 128$ bits and $\ell = 2^{10}$ bits, the rate is $0.92$.
     Catch
     What if we don’t know the length? Can we have a close approximation of $\mathrm{STD}_{\mathrm{opt}}$ in this case?

  8. A Race over Unknown Distance
     [Figure: race distances 200 m, 400 m, 10000 m]


  12. A Race over Unknown Distance



  19. A Candidate Length Independent Counter
      $0, 1, 00, 01, 10, 11, 000, \ldots$
      • Length Independent. ✓
      • $\mathrm{rate} > \mathrm{rate}_{\mathrm{STD_{opt}}}$. ✓
      • But, is this blockwise collision-free? ✗
      Trivial Collision
      For $n = 8$ and $M := 0abcdefghijklmabcdef$ we have $X_1 = 00abcdef$, $X_2 = 1ghijklm$, and $X_3 = 00abcdef$. Clearly, $X_1 = X_3$.


  22. VAR: Message Length Independent Counter
      $000, 001, 0100, \ldots, 0111, 10000, \ldots, 10111, 110000, \ldots$
      • Add a small fixed length ($r$) counter that gets updated with the change in counter size.
      • Length Independent. ✓
      • Blockwise Collision-free and Injective. ✓
      • $r \approx \log_2 \log_2 L$, for $L < 2^{c(n)}$, $2 \le c(n) < n$.
      Comparison
      $\mathrm{rate}_{\mathrm{VAR}} \approx \frac{n - r + 2 - \log_2 \ell}{n}$
      For $n = 128$ bits, $L = 2^{64}$ bits, and $\ell = 2^{10}$ bits, the rate is 0.89.

  23. Counter Function Family (CFF)
      Definition: CTR is a family of counter functions $\{\mathrm{ctr}_\ell : \ell \le L\}$ where $\forall \ell \le L$, $\mathrm{ctr}_\ell : \mathbb{N} \to \{0,1\}^{<n}$.
      • Length Independent: For the STD counter function family, $\mathrm{std}_\ell(i) = \langle i\rangle_s$, $\forall \ell, i$.
      • Length Dependent: For the $\mathrm{STD}_{\mathrm{opt}}$ counter function family, $\mathrm{opt}_\ell(i) = \langle i\rangle_{\log_2 \ell}$, $\forall \ell, i$.
      • For a given $\ell$, if $\forall i \neq j$, $|\mathrm{ctr}_\ell(i)| = |\mathrm{ctr}_\ell(j)|$, we say that CTR is a fixed length CFF; variable length CFF otherwise.
      What can we say about the security relevant properties?



  27. Prefix-free and Injective CFFs
      CFF as an Encoding Function: For any $\ell$ length message $M$, $\mathrm{CTR}(M) = (X_1, \ldots, X_{b(\ell)})$, where each $X_i = \mathrm{ctr}_\ell(i) \| M_i$ and $b(\ell)$ is the least integer $b$ that satisfies
      $\ell + 1 \le \sum_{i=1}^{b} \left(n - |\mathrm{ctr}_\ell(i)|\right) \le \ell + n$.
      Prefix-free: CTR is prefix-free if $\forall \ell \le L$, $\forall i \neq j \in b(\ell)$, $\mathrm{ctr}_\ell(i)$ is not a prefix of $\mathrm{ctr}_\ell(j)$.
      Lemma: Prefix-free ⇔ Blockwise Collision-free. CTR is a blockwise collision-free encoding if and only if it is a prefix-free CFF.
      What about injective property?
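
The collision on slide 19 and the prefix-free repair on slides 22 and 27, worked through as an added example that is not part of the presentation. The `var` function is one reading of the slide 22 sequence (an $r$-bit size field followed by a counter one bit longer per group), the `10*` padding is an assumption made to satisfy the $\ell + 1$ bound on slide 27, and all function names are hypothetical.

```python
from itertools import count

def candidate(i):
    """Slide 19 sequence 0, 1, 00, 01, 10, 11, 000, ... (1-indexed)."""
    return bin(i + 1)[3:]  # binary of i+1 with its leading 1 dropped

def var(r):
    """Slide 22 sequence, read as <g>_r || (g+1)-bit counter (assumed reading)."""
    def ctr(i):
        g, k = 0, i - 1
        while k >= 2 ** (g + 1):      # group g holds 2^(g+1) counter values
            k -= 2 ** (g + 1)
            g += 1
        if g >= 2 ** r:
            raise ValueError("r-bit size field exhausted")
        return format(g, f"0{r}b") + format(k, f"0{g + 1}b")
    return ctr

def encode(ctr, msg, n):
    """Blocks X_i = ctr(i) || M_i of n symbols; 10* padding is an assumption."""
    rest, blocks = msg + "1", []
    for i in count(1):
        c = ctr(i)
        take = n - len(c)
        if take <= 0:
            raise ValueError("counter leaves no room for message bits")
        blocks.append((c + rest[:take]).ljust(n, "0"))
        rest = rest[take:]
        if not rest:
            return blocks

def is_prefix_free(ctr, b):
    """True if no ctr(i) is a prefix of ctr(j) for i != j in 1..b."""
    cs = [ctr(i) for i in range(1, b + 1)]
    return not any(i != j and y.startswith(x)
                   for i, x in enumerate(cs) for j, y in enumerate(cs))

def colliding_blocks(blocks):
    """Index pairs (1-based) of equal blocks, i.e. blockwise collisions."""
    return [(i + 1, j + 1) for i in range(len(blocks))
            for j in range(i + 1, len(blocks)) if blocks[i] == blocks[j]]

if __name__ == "__main__":
    M = "0abcdefghijklmabcdef"   # slide 19 message; letters stand for bits
    for name, ctr in (("candidate", candidate), ("VAR r=2", var(2))):
        X = encode(ctr, M, 8)
        print(name, X, "collisions:", colliding_blocks(X))
```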
