building secure block ciphers on generic attacks
play

Building Secure Block Ciphers on Generic Attacks Assumptions - PowerPoint PPT Presentation

Jan 30, 2023 •366 likes •539 views

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

  1. Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 – August 14-15, 2008

  2. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion the context security of symmetric primitives is mainly heuristic, e.g. lack of attacks whose complexity is less than brute-force attacks partial provable security ( e.g. against linear and differential cryptanalysis for AES) provable security when some components are “idealized” ( e.g. for DES in the Luby-Rackoff model where internal functions are pseudorandom) very few examples of symmetric primitives with reductionist security proofs: VSH [ContiniLS06], QUAD [BerbainGP06] our work: we propose to build efficient symmetric primitives (mostly block ciphers here) whose security can be reduced to the problem of generic attacks on simple schemes SAC 2008 – Patarin, Seurin 1/16 Orange Labs

  3. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion outline the general idea of the Russian Dolls construction generic attacks on Feistel schemes example of construction with Feistel schemes practical instantiations conclusion and further work SAC 2008 – Patarin, Seurin 2/16 Orange Labs

  4. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion the Russian Dolls construction aims at using the results on “generic attacks” to build secure symmetric primitives “generic attack“ means any attack performed on a scheme where components are “idealized”: e.g. on a Feistel scheme with perfectly random internal functions $ − Func ( { 0, 1 } n , { 0, 1 } n ) , i ∈ [ 1..r ] f i ← SAC 2008 – Patarin, Seurin 3/16 Orange Labs

  5. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion the Russian Dolls construction the design strategy is as follows: starting from a Feistel scheme with r rounds and perfectly inner random functions from n bits to n bits, we evaluate its security in view of the best generic attacks we decrease the size of the key r × n2 n by instantiating each inner random function by a Feistel scheme with r ′ rounds and inner random functions from n/2 bits to n/2 bits, again evaluating the security in view of the best generic attacks we iterate the process until the size of the key (made of the innermost random functions) reaches a practical size . . . SAC 2008 – Patarin, Seurin 4/16 Orange Labs

  6. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion IT-secure block ciphers previously proposed provably secure block-ciphers such as C and KFC [BaignèresF06] are information-theoretically secure against limited adver- saries however information-theoretic results give a security in Ω ( 2 n ) queries for a number of rounds r � 5 ; it decreases with the size of blocks and are useless in the Russian Dolls construction on the contrary, we start from complexity assumptions on generic attacks and obtain primitives with a reductionist security proof SAC 2008 – Patarin, Seurin 5/16 Orange Labs

  7. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion security of the Russian Dolls construction the security of the construction is characterized by the following theorem: if E is an ( ǫ, T ) -secure PRP with key space Perm ( D 1 ) ×· · ·× Perm ( D l ) , and E ( i ) , i = 1..l , are ( ǫ i , T ) -secure PRPs on D i with key space K i , then E ′ defined on key space K 1 × · · · × K l by E ′ K 1 ,...,K l ( · ) = E E ( 1 ) ( · ) K1 ,...,E ( l ) Kl is an ( ǫ + � l i = 1 ǫ i , T ) -secure PRP . SAC 2008 – Patarin, Seurin 6/16 Orange Labs

  8. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion generic attacks on Feistel schemes brute-force attacks: exhaustive search on the key space, q = O ( r2 n ) queries, T = O ( 2 2rn2 n ) computations on 3 and 4 rounds, best attacks match the information-theoretic bound: on Ψ ( 3 ) , CPA attack with q, T = O ( 2 n/2 ) , CPCA attack with q, T = 3 on Ψ ( 4 ) , CPA attack with q, T = O ( 2 n/2 ) “signature” attacks: a Feistel permutation has always an even signa- ture; this leads to a distinguisher with q = O ( 2 2n ) , T = O ( 2 2n ) ; this is independent of the number of rounds!... but once this “global” property is suppressed ( i.e. one tries to distinguish a Feistel scheme from an even random permutation), complexity of best generic attacks grows exponentially with the number of rounds SAC 2008 – Patarin, Seurin 7/16 Orange Labs

  9. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion generic attacks on Feistel schemes best known attacks against r -round Feistel schemes, r � 5 have been described in [Patarin04] these are iterated attacks of order 2, and are based on the computa- tion of the transition probabilities (a.k.a. “H coefficients”) for couples of plaintexts/ciphertexts pairs ( x 1 , y 1 ) , ( x 2 , y 2 ) : � � $ − Func ( { 0, 1 } n , { 0, 1 } n ) : Ψ ( r ) f 1 ,...,f r ( x 1 ) = y 1 , Ψ ( r ) Pr f 1 , . . . , f r f 1 ,...,f r ( x 2 ) = y 2 ← closed formula have been given for these transitions probabilities in [Patarin01], and enable to compare them to the transition probability for a random permutation: � � 1 $ Pr ∗ = Pr − Perm ( { 0, 1 } 2n ) : P ( x 1 ) = y 1 , P ( x 2 ) = y 2 P = ← 2 2n ( 2 2n − 1 ) SAC 2008 – Patarin, Seurin 8/16 Orange Labs

  10. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion generic attacks on Feistel schemes the attack proceeds as follows (for r even): one asks for the encryption of random pairs ( x 1 , x 2 ) , y 1 = E ( x 1 ) , y 2 = E ( x 2 ) , such that x 1R = x 2R the probability that x 1L ⊕ x 2L = y 1L ⊕ y 2L is slightly higher in the case of Ψ ( r ) than for a random permutation: � � � � 1 Ψ ( r ) = Pr ∗ Pr ( x 1 , x 2 ) − − → ( y 1 , y 2 ) 1 + 2 ( r/2 − 2 ) n this is detectable when one does ≃ 2 ( r − 3 ) n tests the total complexity of the attack is O ( 2 ( r − 4 ) n ) (note: for r � 7 one needs > 1 permutation) SAC 2008 – Patarin, Seurin 9/16 Orange Labs

  11. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion conjecture on the best generic attacks we conjecture that the previously described attacks are the best possible ones Let n � 2 and r � 5 be two integers. Then the best advantage of any adversary trying to distinguish Ψ ( r ) from an even T random permutation with less than T computations is 2 ( r − 4 ) n . arguments in favor of this conjecture: best attacks on Ψ ( 3 ) and Ψ ( 4 ) are iterated attacks of order 2: this conjecture is a generalization of the cases r = 3, 4 the computation of transition probabilities for t -uples, t � 3 be- comes very involved: best attacks are probably iterated attacks of order 2 SAC 2008 – Patarin, Seurin 10/16 Orange Labs

  12. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion construction with balanced Feistel schemes SAC 2008 – Patarin, Seurin 11/16 Orange Labs

  13. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion construction with balanced Feistel schemes we want to build a block cipher from 2n bits to 2n bits, with security 2 α , using balanced Feistel schemes we denote s the number of iterations of the Russian Dolls construction and r 1 , . . . , r s the number of rounds of the Feistel schemes at the i -th iteration of the construction n at iteration i , the internal functions of the Feistel scheme are from 2 i − 1 n bits to 2 i − 1 bits; hence we choose the number of rounds such that n 2 ( r i − 4 ) 2i − 1 > 2 α we stop the process when the number of bits to store r s + 1 functions from n n 2 s bits to 2 s bits is greater then the number of bits to store one function n n of 2 s − 1 bits to 2 s − 1 bits SAC 2008 – Patarin, Seurin 12/16 Orange Labs

  14. intro the Russian Dolls construction generic attacks application to Feistel example parameters conclusion construction with balanced Feistel schemes the key is constituted by the r 1 × r 2 · · · × r s innermost random functions; the length of the key is r 1 · r 2 · · · r s · n n 2 s − 1 · 2 2s − 1 and encryption/decryption requires r 1 × r 2 · · · × r s table look-ups asymptotically, for s = log ( n ) − c ( i.e. the key is constituted from func- tions from 2 c + 1 bits to 2 c + 1 bits): the number of rounds at each iteration is r i = poly ( n ) the length of the key is poly ( n ) log ( n ) the security, according to our conjecture, is T Adv � 2 poly ( n )− O ( log 2 n ) SAC 2008 – Patarin, Seurin 13/16 Orange Labs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic

G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic

AFRICACRYPT 2010 STIAS Stellenbosch Stellenbosch South Africa G J Khn Ciphertec cc p gjkuhn@global.co.za Contents Contents Protex: First electronic crypto device in designed in South Africa designed in South Africa Keeloq: A simple

659 views • 61 slides
Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and

Stream Ciphers: Cryptanalytic Techniques Thomas Johansson Department of Electrical and Information Technology. Lund University, Sweden ECRYPT Summer school 2007 (Lund University) Stream Ciphers: Cryptanalytic Techniques Summer school 2007 1

706 views • 57 slides
Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R.

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R.

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R. de Wolf 1 , 2 , 3 1 Centrum Wiskunde en Informatica, Amsterdam 2 QuSoft, Amsterdam 3 University of Amsterdam April 9, 2018 April 9, PQCrypto, Fort

1.03k views • 76 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic

Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic

Course Information Course materials: http://squall.cs.ntou.edu.tw/CryptoIntro/ Overview Basic course contents: Fundamental cryptography and its applications in constructing secure information infrastructure:

459 views • 12 slides
Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16

Some Cryptanalytic Results on TRIAD Abhishek Kesarwani IIT Madras, India INDOCRYPT 2019 16 December 2019 (Joint work Santanu Sarkar and Ayineedi Venkateswarlu) Outline 2 Introduction TRIAD adopts Trivium -like Structure Attacks on Trivium

1.1k views • 75 slides
CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An

CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An

CS 225 Data Structures Ma March 13 BT BTree An Analysis G G Carl Evans BT BTree An Analysis The height of the BTree determines maximum number of ____________ possible in search data. and the height of the structure is:

916 views • 16 slides
CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch

CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch

CS 225 Data Structures Mar March h 13 13 Ha Hashing Wade Fa Wa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles Has Hashi hing ng Has Hashi hing ng Goals: We want to define a keyspace , a (mathematical)

658 views • 17 slides

More recommend