a new version of grain 128 with authentication
play

A New Version of Grain-128 with Authentication Martin Agren 1 - PowerPoint PPT Presentation

Nov 25, 2022 •193 likes •443 views

A New Version of Grain-128 with Authentication Martin Agren 1 Martin Hell 1 Thomas Johansson 1 Willi Meier 2 1 Lund University, Sweden 2 FHNW, Switzerland 110216 / Lyngby Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The

  1. A New Version of Grain-128 with Authentication Martin ˚ Agren 1 Martin Hell 1 Thomas Johansson 1 Willi Meier 2 1 Lund University, Sweden 2 FHNW, Switzerland 110216 / Lyngby

  2. Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 2 / 16

  3. Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 3 / 16

  4. Motivation and Goals ◮ Grain-128 is lightweight but some nonlinearities are too lightweight. ◮ Some applications need built-in authentication ◮ . . . but leaving it out should be possible. ◮ Allow for easy updating of existing implementations. ◮ . . . and trust! M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 4 / 16

  5. Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 5 / 16

  6. The Old Grain-128 g f NFSR LFSR h ◮ 128-bit key, 96-bit IV. ◮ An LFSR provides a large period. ◮ An NFSR with degree two updates the state nonlinearly. ◮ An output function of degree three produces nonlinear output. ◮ State bits are added linearly to ensure resiliency. ◮ Initialize in 256 rounds: feed output into the registers. ◮ Make faster by duplicating Boolean functions. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 6 / 16

  7. IV Padding Sliding Property g f NFSR LFSR h ◮ The 96-bit IV goes into a 128-bit register and is padded with 111. . . 111. With high probability, a shifted key and a shifted IV will produce the exact same keystream, only with a shift. [K¨ u¸ c¨ uk06], [DeCaK¨ uPre08] ◮ Related-key Chosen-IV. [LeeJeongSungHong08] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 7 / 16

  8. Too Little Nonlinearity or Initialization ◮ Cube, 237/256 [AumDinHenMeiSha09] ◮ Maxterm, 256/256 [Stankovski10] Looking at the first keystream bits, the equations, in unknown key bits, are not complicated enough. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 8 / 16

  9. Too Little Nonlinearity and Similar Bits ◮ Chosen-IV (cube): Assuming ten specific key bits to be zero, the equations simplify “enough”. [DinSha11] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16

  10. Too Little Nonlinearity and Similar Bits ◮ Chosen-IV (cube): Assuming ten specific key bits to be zero, the equations simplify “enough”. [DinSha11] g f NFSR LFSR h ◮ Also, b i +95 and s i +95 are multiplied together. During initialization, they are too similar, meaning the complexity doesn’t grow as much as wanted. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 9 / 16

  11. Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 10 / 16

  12. Changes from Grain-128 g f NFSR LFSR h Grain-128 with changes: ◮ Pad the IV with 111. . . 11 0 . ◮ NFSR has nonlinearity four . ◮ Change a tap into the output function: b i +95 , s i + 94 , so that we don’t multiply bits that are “similar”. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 11 / 16

  13. Authentication The above algorithm is used to produce pre-output stream . Use different parts of it for different things: ◮ Encryption ◮ Authentication M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16

  14. Authentication The above algorithm is used to produce pre-output stream . Use different parts of it for different things: ◮ Encryption ◮ Authentication m i c i Message Ciphertext Key Pre-output t Tag MAC generator IV z 0 z 1 . . . z 63 . . . . . . z 64+2 i z 65+2 i . . . M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 12 / 16

  15. Authentication Accumulator m i . . . bits from pre-output Shift register ◮ A Wegman-Carter approach. ◮ Initialize both registers with pre-output bits. ◮ We multiply the message bit vector by a Toeplitz matrix. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16

  16. Authentication Accumulator m i . . . bits from pre-output Shift register ◮ A Wegman-Carter approach. ◮ Initialize both registers with pre-output bits. ◮ We multiply the message bit vector by a Toeplitz matrix. ◮ P S is the prob. that an attack succeeds. ◮ With perfectly random input to the shift register, P S = 2 − 32 . ◮ We have P S < 2 − 32 + 2 ǫ . [Krawczyk95], [˚ AHJ11], [Maximov06] M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 13 / 16

  17. Hardware Characteristics Several nice aspects: ◮ We can still increase the speed up to 32x. ◮ We can leave out the authentication. ◮ . . . or part of it. w -bit tags for 2 − w . M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16

  18. Hardware Characteristics Several nice aspects: ◮ We can still increase the speed up to 32x. ◮ We can leave out the authentication. ◮ . . . or part of it. w -bit tags for 2 − w . The cheapest one — a version that produces one bit per clock: ◮ Grain-128: 2133 gate equivalents ◮ Grain-128a: 2243 gate equivalents; a five per cent increase (as a bonus, we initialize faster.) Adding authentication, we’d get a total of 2867 gate equivalents. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 14 / 16

  19. Outline 1 Introduction Motivation and Goals 2 The Old Grain-128 The Algorithm Attacks and Observations 3 The New Grain-128a The New Grain-128a Authentication 4 Conclusion M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 15 / 16

  20. Conclusion Grain-128a ◮ is at least as secure than Grain-128, ◮ resists all current cryptanalysis on Grain-128, ◮ has optional authentication, ◮ is still hardware-efficient. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16

  21. Conclusion Thank you! M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16

  22. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16

  23. On Cube/Maxterm/AIDA/... number of rounds 256 200 150 100 50 bitset size 5 10 15 20 25 30 35 40 How does a greedy strategy aid in finding good bitsets? Upper curve: Stankovski’s on Grain-128. Lower curve: Ours on the pre-output of Grain-128a. M. ˚ Agren, M. Hell, T. Johansson, W. Meier, Lund University and FHNW 16 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Version 1.0 Cornelius Klbel (corny@cornelinux.de) May 2014 (CC BY-NC-SA 4.0) Everybody knows that a password - be it simple or even complex - is a potential vulnerability. Two factor authentication is the way to authenticate a user not only

400 views • 5 slides
WHAT IS THE GRAIN INNOVATION HUB? GRAIN = WHAT IS THE GRAIN INNOVATION HUB? OUTCOME Manitoba as

WHAT IS THE GRAIN INNOVATION HUB? GRAIN = WHAT IS THE GRAIN INNOVATION HUB? OUTCOME Manitoba as

WHAT IS THE GRAIN INNOVATION HUB? GRAIN = WHAT IS THE GRAIN INNOVATION HUB? OUTCOME Manitoba as an exceptional environment for collaborative innovation. Manitoba in an advanced state of business activity driven by innovation. Governments

738 views • 34 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Transitioning from refined grain to wholegrain as part of a sustainable diet Dr. J. de Vries

Transitioning from refined grain to wholegrain as part of a sustainable diet Dr. J. de Vries

Transitioning from refined grain to wholegrain as part of a sustainable diet Dr. J. de Vries Healthgrain Forum Network of universities, institutes and industries interested in grain and grain-based products. Vision: Whole grain and high

351 views • 17 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version 4 Khanh Hoang Huynh Jason Kerssens Supervisors: Alex Stavroulakis (KPMG) Aristide Bouix (KPMG) Introduction AWS As of 2018, AWS has a

636 views • 26 slides
ICT International Grain Farm Installation Transmission Distances 2200 Ha Grain Farm The

ICT International Grain Farm Installation Transmission Distances 2200 Ha Grain Farm The

Enabling better global research outcomes in soil, plant &amp; environmental monitoring. ICT International Grain Farm Installation Transmission Distances 2200 Ha Grain Farm The satellite image depicts the Grain Farm. Red markers 1

468 views • 14 slides
Potential of Flavocide TM as a new grain protectant to manage major resistant stored grain pests:

Potential of Flavocide TM as a new grain protectant to manage major resistant stored grain pests:

Potential of Flavocide TM as a new grain protectant to manage major resistant stored grain pests: an Australian case study Dr Manoj Nayak Leader, Postharvest Grain Protection Team Department of Agriculture and Fisheries, Queensland, Australia

383 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Covered Commodities Wheat, Oats, Barley, Corn, Grain Sorghum, Long Grain Rice, Medium Grain

Covered Commodities Wheat, Oats, Barley, Corn, Grain Sorghum, Long Grain Rice, Medium Grain

Covered Commodities Wheat, Oats, Barley, Corn, Grain Sorghum, Long Grain Rice, Medium Grain Rice, Pulse Crops, Soybeans, Other Oilseeds and Peanuts Other Oilseeds Sunflower seed, Rapeseed, Canola, Safflower, Flaxseed, Mustard Seed,

637 views • 37 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Iowa Grain Warehouse Best Management Practices Related to Grain Receiving and Fee Collection

Iowa Grain Warehouse Best Management Practices Related to Grain Receiving and Fee Collection

Iowa Grain Warehouse Best Management Practices Related to Grain Receiving and Fee Collection June 2, 2020 DISCLAIMER The information presented in this presentation is for general guidance only. It is essential to consult with your legal

559 views • 17 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your

Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your

STATISTICAL THINKING IN PYTHON II Darwin's finches: A full-blown statistical analysis Statistical Thinking in Python II Your well-equipped toolbox Graphical and quantitative EDA Parameter estimation Confidence interval

608 views • 23 slides
Welcome to the course! Statistical Thinking in Python II You will be able to Estimate

Welcome to the course! Statistical Thinking in Python II You will be able to Estimate

STATISTICAL THINKING IN PYTHON II Welcome to the course! Statistical Thinking in Python II You will be able to Estimate parameters ! a t a Compute confidence intervals d l a Perform linear regressions e r h t

628 views • 37 slides
The Simba Simulation Romeel Dav (Edinburgh) CCA: Daniel Angls-Alczar (CCA) Florida: Desika

The Simba Simulation Romeel Dav (Edinburgh) CCA: Daniel Angls-Alczar (CCA) Florida: Desika

The Simba Simulation Romeel Dav (Edinburgh) CCA: Daniel Angls-Alczar (CCA) Florida: Desika Narayanan, Qi Li (Florida) UWC: Mika Rafieferantsoa, Nicole Thomas Edinburgh: Weiguang Cui, Katarina Kraljic, Sarah Appleby, Dylan Robson, Jacob

348 views • 18 slides
Low-z CGM Absorption in the Mufasa Simulations Kate Storey-Fisher (UWC, NYU) Romeel Dav (UWC,

Low-z CGM Absorption in the Mufasa Simulations Kate Storey-Fisher (UWC, NYU) Romeel Dav (UWC,

Low-z CGM Absorption in the Mufasa Simulations Kate Storey-Fisher (UWC, NYU) Romeel Dav (UWC, Edinburgh) What are the physical processes that shape the CGM on large (kpc) scales? What is the relation between the CGM and galaxy

279 views • 15 slides
An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1 Miodrag J. Mihaljevi 1 , Nishant Sinha 2 , Sugata Gangopadhyay 2 , Subhamoy Maitra 3 , Goutam Paul 3 and Kanta Matsuura 4 1 Mathematical Institute, Serbian Academy of Sciences and

809 views • 49 slides
Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October

Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October

Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October 2014 1 Outline Motivation Review of Grand Unified Theories Overview of Group Theory Model Building Groups and Representations Theories and

1.13k views • 78 slides
Grand Unified Theory with SU (5) Modular Symmetry A 4 Predicting Fermion Mass Matrices Elena

Grand Unified Theory with SU (5) Modular Symmetry A 4 Predicting Fermion Mass Matrices Elena

&lt;latexit

524 views • 36 slides
Axion predictions in Grand Unified Theories Axion-WIMP workshop 2018 DESY Hamburg, 19/06/18 Anne

Axion predictions in Grand Unified Theories Axion-WIMP workshop 2018 DESY Hamburg, 19/06/18 Anne

Axion predictions in Grand Unified Theories Axion-WIMP workshop 2018 DESY Hamburg, 19/06/18 Anne Ernst based on JHEP 02(2018)103 , in collaboration with Andreas Ringwald and Carlos Tamarit Motivation search for a well-motivated model solving

809 views • 62 slides

More recommend