

  1. Advanced Block Cipher Design: My crazy boss asked me to design a new block cipher. What’s next? Pascal Junod, University of Applied Sciences Western Switzerland. ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  2. Outline • High-Level Schemes • Confusion • Diffusion • Key-Schedule • Beyond the Design

  3. Introduction

  4. Some Simple Facts • As of today, nobody knows how to design a (mathematically proven) secure block cipher. • Problem related to fundamental open questions in mathematics/computer science • A secure block cipher is a block cipher that nobody can break... • A good block cipher is a secure block cipher that people like to implement.

  5. So many Designs in the Wild... Hierocrypt, G-DES, LOKI, MacGuffin, LION, RC2, Coconut98, Akelarre, DFC, Square, Twofish, E0, Anubis, CAST, Skipjack, CS-Cipher, DEAL, Shark, Rijndael, RC5, IDEA, Camellia, Aria, Present, Noekeon, DES-X, Magenta, Threefish, Seed, RC6, Mars, FOX, Serpent, GOST, BassOmatic, 3-Way, DES, MESH, E2, TEA, Blowfish, Misty, Triple DES, XTEA, BEAR, FEAL, Cipherunicorn, CLEFIA, XXTEA, Madryga

  6. Designing a New Block Cipher • Several good and bad reasons: • Faster/smaller than any other one ✔ • With «better» security guarantees than any other one ✔ ✔ • My boss crazily asked me to design a new, secret (!) and patented (!!) block cipher ~ • Not enough proposals/diversity in the wild ✖ • I desperately need to publish something to finish my PhD thesis! ✖

  7. Designing a New Block Cipher • Claude E. Shannon somewhat defined how to build a good cipher: "Two methods (other than recourse to ideal systems) suggest themselves for frustrating a statistical analysis. These we may call the methods of diffusion and confusion."

  8. Designing a New Block Cipher • Several decisions to take • Platform target • Security target • High-level scheme • Inner confusion/diffusion elements • Key-Schedule

  9. Designing a New Block Cipher • Platform target • low-end CPU (4-bit, 8-bit, 16-bit, 32-bit microcontroller) • RAM/ROM/code size • high-end CPU (Intel/AMD/...) • SIMD instructions / L1 cache size • FPGA/ASIC • low/high gate/cells budget (RFID vs. high-speed encryption card)

  10. Designing a New Block Cipher • Security target (1) • Encryption • Authenticated encryption • Hashing • Key size (..., 64, 80, 128, 256, 512, 1024, ...) • Block size (..., 32, 48, 64, 96, 128, 256, 512, 1024, ...)

  11. Designing a New Block Cipher • Security target (2) • Side-channel attacks • Fault attacks • (Resistance to reverse engineering, software emulation, ...) • Callout on the slide: It is probably the most powerful way to break a protected implementation as of today!

  12. Designing a New Block Cipher • High-Level Scheme • None (?) • Iterated • Feistel • Generalized Feistel • Substitution-Permutation Network • Lai-Massey

  13. Designing a New Block Cipher • Inner confusion/diffusion elements • Substitution boxes • Key-dependent non-linear operations • (Non-)linear diffusion layers

  14. Designing a New Block Cipher • Key-schedule algorithm • Light • Diffusive • Diffusive and non-linear • One-way • Efficient in both directions

  15. High-Level Schemes

  16. Iterated Schemes • Main principle: • Take a (rather weak) keyed permutation, i.e., a round function • Iterate this function several times, adding new randomness at each iteration • Hopefully get something more secure! • Well illustrated e.g. by Vaudenay’s decorrelation theory (information-theoretic setting) and the very recent results of Tessaro et al. (computational setting)

  17. Iterated Schemes • Well-known «Zürcher» cryptographer joke: • «Most ciphers are secure after sufficiently many rounds» (L. O’Connor) • «Most ciphers are too slow after sufficiently many rounds» (J. Massey)

  18. Feistel Scheme • Feistel Scheme (aka Feistel Network, Feistel Cipher, ...) • Named after its inventor, Horst Feistel • Scheme behind the DES • Allows transforming any (possibly non-invertible) function into a permutation

  19. Feistel Scheme • Has «provable security» properties [LubyRackoff, Patarin,...] • PRP after 3 (7) rounds and less than $O(2^{n/2})$ ($O(2^{n(1-\varepsilon)})$) queries • SPRP after 4 (10) rounds and less than $O(2^{n/2})$ ($O(2^{n(1-\varepsilon)})$) queries
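The claim on slide 18, that a Feistel network turns a non-invertible function into a permutation, can be checked exhaustively on a small block. The following is an added example, not code from the slides; the 16-bit block size, the round function `round_f` and the subkeys in `ROUND_KEYS` are toy values constructed for illustration and have no security.

```python
ROUND_KEYS = [0x3A, 0xC5, 0x71, 0x1E]  # constructed 8-bit subkeys, 4 rounds

def round_f(x: int, k: int) -> int:
    """Toy round function on 8-bit halves. Squaring mod 256 is not injective
    (x and 256 - x collide), so round_f cannot be inverted."""
    return (x * x + k) & 0xFF

def encrypt(block: int, keys=ROUND_KEYS) -> int:
    """One Feistel round maps (L, R) to (R, L xor F(R)); iterate over the subkeys."""
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ round_f(right, k)
    return (left << 8) | right

def decrypt(block: int, keys=ROUND_KEYS) -> int:
    """Undo the rounds in reverse order. Only round_f itself is evaluated,
    never its inverse, which is why F need not be invertible."""
    left, right = block >> 8, block & 0xFF
    for k in reversed(keys):
        left, right = right ^ round_f(left, k), left
    return (left << 8) | right

def image_size(k: int) -> int:
    """Number of distinct outputs of round_f over all 256 inputs."""
    return len({round_f(x, k) for x in range(256)})

def is_permutation(keys=ROUND_KEYS) -> bool:
    """True if encrypt hits every 16-bit value exactly once."""
    return len({encrypt(b, keys) for b in range(1 << 16)}) == 1 << 16

if __name__ == "__main__":
    print("round function image size:", image_size(ROUND_KEYS[0]), "of 256")
    print("cipher is a permutation:", is_permutation())
    print("round trip ok:", decrypt(encrypt(0xBEEF)) == 0xBEEF)
```
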

  20. Generalized Feistel Schemes • Many, many different variants (see e.g. [HoangRogaway-2010]) • Rather slow diffusion

  21. Substitution Permutation Networks • Used by AES, Present, Square and many others. • Works on the full cipher width • Large body of literature available on its security against various attacks (linear, differential, saturation, ...)

  22. Lai-Massey Scheme • High-level structure behind the IDEA cipher • Recycled e.g. by FOX • Has some provable properties (see e.g. [Vaudenay-1999])

  23. Confusion

  24. Substitution Boxes • Substitution boxes • Non-linear mapping n → m bits • Usual values: 3 → 3, 4 → 4, 6 → 4, 7 → 7, 8 → 8, 9 → 9, 8 → 32

  25. Substitution Boxes • Main criteria to look at: • DP and LP coefficients • Algebraic degree • + many, many others...

  26. Substitution Boxes • Differential (Linear) Probability coefficient • Measures the resistance of an S-box to differential (linear) cryptanalysis

  27. Substitution Boxes • Algebraic Degree • Measures the «complexity» of the Boolean equations representing the S-box • Is equal to the number of variables of the largest monomial in the polynomial representation of the S-box.

  28. Substitution Boxes • Other criteria: • No single-bit difference • Efficient Boolean representation • Efficient Boolean representation of the inverse mapping • ...

  29. Substitution Boxes • How to find «good» S-boxes? • Three main approaches: • Random search • Algebraic construction • Iterated construction

  30. Substitution Boxes • Random search • Plug an AES in counter mode to a Knuth shuffle • Generate random permutations • Test for your preferred criteria • Repeat the process until you are happy!
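The criteria of slides 25 to 27 and the random search of slide 30, put together for 4 → 4 bit S-boxes, as an added example that is not code from the slides. It assumes SHA-256 in counter mode as a standard-library stand-in for the AES counter mode the slide names; the seed and the acceptance thresholds (those met by the published PRESENT S-box, included as a reference) are choices made for this example.

```python
import hashlib

N, SIZE = 4, 16  # 4 -> 4 bit S-boxes, one of the "usual values"
PRESENT = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # reference S-box

def knuth_shuffle(seed: bytes, counter: int):
    """Fisher-Yates (Knuth) shuffle of 0..15, indices drawn from SHA-256 in counter mode."""
    perm = list(range(SIZE))
    for i in range(SIZE - 1, 0, -1):
        block = hashlib.sha256(seed + counter.to_bytes(8, "big") + bytes([i])).digest()
        j = int.from_bytes(block, "big") % (i + 1)  # 256-bit value: modulo bias is negligible
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def max_ddt(sbox):
    """Largest count #{x : S(x) ^ S(x ^ a) = b} over a != 0; DP = count / 16."""
    best = 0
    for a in range(1, SIZE):
        row = [0] * SIZE
        for x in range(SIZE):
            row[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(row))
    return best

def max_lat(sbox):
    """Largest |#{x : a.x = b.S(x)} - 8| over output masks b != 0; LP = (value / 8) ** 2."""
    par = lambda v: bin(v).count("1") & 1
    return max(abs(sum(par(a & x) == par(b & sbox[x]) for x in range(SIZE)) - SIZE // 2)
               for a in range(SIZE) for b in range(1, SIZE))

def algebraic_degree(sbox):
    """Size of the largest monomial in the ANF of any output bit (Moebius transform)."""
    degree = 0
    for bit in range(N):
        anf = [(s >> bit) & 1 for s in sbox]
        for i in range(N):
            for x in range(SIZE):
                if x >> i & 1:
                    anf[x] ^= anf[x ^ (1 << i)]
        degree = max([degree] + [bin(m).count("1") for m in range(SIZE) if anf[m]])
    return degree

def random_search(seed: bytes, max_tries: int = 20000):
    """Draw permutations until one passes all three tests; returns (sbox, tries)."""
    for tries in range(1, max_tries + 1):
        sbox = knuth_shuffle(seed, tries)
        if max_ddt(sbox) <= 4 and max_lat(sbox) <= 4 and algebraic_degree(sbox) == 3:
            return sbox, tries
    return None, max_tries
```

Calling `random_search(b"constructed-seed")` returns the first permutation that passes and the number of draws it took; the same seed always yields the same S-box, which makes the selection reproducible by a reviewer.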
