cloc silc and otr
play

CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent - PowerPoint PPT Presentation

Jan 22, 2023 •500 likes •1.18k views

CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 Outline Describe AE schemes, CLOC, SILC and OTR Merged as CLOC and SILC for CAESAR Both are CAESAR

  1. CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India 1

  2. Outline � Describe AE schemes, CLOC, SILC and OTR � Merged as “CLOC and SILC” for CAESAR � Both are CAESAR third*round candidates � Both are blockcipher modes with provable security proofs � Topics: � Motivation � Design rationale � Idea of security proof � Implementations etc. 2

  3. CLOC and SILC 3

  4. CLOC and SILC � CLOC (Compact Low*overhead CFB) � presented at FSE 2014 [IMGM14] � Designers: � Tetsu Iwata (Nagoya University), � Jian Guo (Nanyang Technological University), � Sumio Morioka (Interstellar technologies), and myself � SILC (SImple Lightweight CFB) � presented at DIAC 2014 [IMGMK14] � Designers: CLOC designers + Eita Kobayashi (NEC) 4 [IMGM14] Iwata, M, Guo, Morioka: CLOC: Authenticated Encryption for Short Input. FSE 2014. [IMGMK14] Iwata, M, Guo, Morioka, Kobayashi: SILC: SImple Lightweight CFB. DIAC 2014.

  5. The story of CLOC In 2011, ANSI defined a new AE scheme called EAX’ (EAX* � prime) � for their standard ANSI*C12.22 defined for Smartgrid Based on EAX [BRW04], ANSI tried to optimize it in terms of � precomputation and memory � Suitable for constrained devices ANSI pushed EAX*prime to NIST, and NIST requested public � comments for inclusion it into NIST SP*800 series [MBPB11] Moise, Beroset, Phinney, Burns. EAX' Cipher Mode. [BRW04] Bellare, Rogaway, Wagner. The EAX Mode of Operation. FSE 2004. 5 [MLMI13] M, Lucks, Morita, Iwata. Attacks and Security Proofs of EAX-Prime. FSE 2013.

  6. The story of CLOC � While EAX comes with provably security results (reduction to blockcipher security), EAX*prime did not � In fact, EAX*prime was seriously broken [MLMI13] � Single*query forgery etc. � Still the original motivation of EAX*prime seems valuable anyway � Constrained devices, blockcipher*based, design simplicity, small footprint � Let’s do it in a right way! [MBPB11] Moise, Beroset, Phinney, Burns. EAX' Cipher Mode. [BRW04] Bellare, Rogaway, Wagner. The EAX Mode of Operation. FSE 2004. 6 [MLMI13] M, Lucks, Morita, Iwata. Attacks and Security Proofs of EAX-Prime. FSE 2013.

  7. Predecessors : CCM, EAX, and EAX*Prime � CCM (NIST SP 800*38C) � not online � EAX (ISO/IEC 19772) � Simple design, reusing CMAC � precomputation cost (L = E K (0), E K (1), and E K (2)) may be a problem for highly constrained devices � Time and memory � EAX*prime (ANSI C12.22) � reduced precomputation (L = E K (0)) from EAX � efficiently handles short input data with small memory � practical attacks 7

  8. CLOC’s design goal � Provably secure AEAD based on a blockcipher � Standard security notions for privacy and authenticity � Primary focus: � design simplicity � the precomputation complexity � the memory requirement � Efficient for short input data, say up to 64 bytes � Suitable for small microprocessors � Small word size and number of registers � High*cost for RAM access 8

  9. Short Input Data � Performance for short input data matters: � Low*power sensor networks � Zigbee: at most 127 bytes � Bluetooth Low Energy: at most 47 bytes � Electronic Product Code (EPC): typically 96 bits � For long input data, the efficiency of CLOC is the same as CCM, EAX, and EAX*prime � 2 blockcipher calls per 1 plaintext block 9

  10. CLOC Properties � Nonce*based AEAD � uses only the encryption of the blockcipher both for encryption and decryption � When |A| ≥ 1 , it makes |N| n + |A| n + 2|M| n blockcipher calls for a nonce N, associated data A, and a plaintext M � where |X| is the length of X in bits and |X| n is the length in n*bit blocks � 1 ≤ |N| ≤ n−1, so |N| n = 1 � No precomputation beyond the blockcipher key schedule � When |A| = 0, it needs |N| n + 1 + 2|M| n calls � It works with two state blocks (i.e. 2n bits) � Sequential 10

  11. CLOC Properties � For short input data � 1*block nonce, 1*block associated data, and 1*block plaintext � CCM: 5 or 6 calls � EAX: 7 calls (where 3 out of 7 can be precomputed) � EAX*prime: 5 calls (where 1 out of 5 can be precomputed) � CLOC: 4 calls 11

  12. Comparison with other modes (from [IMM14]) 12 [IMGM14] Iwata, M, Guo, Morioka: CLOC: Authenticated Encryption for Short Input. FSE 2014.

  13. Overview of the Scheme � Encrypt*then*PRF paradigm � uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part 13

  14. Tools � The one*zero padding function: ozp � For 0 ≤ |X| ≤ n � ozp(X) = X if |X|=n, and ozp(X) = X||10…0 otherwise � The tweak functions: f 1 , f 2 , g 1 , g 2 , and h � use them to directly update the state � Word*based linear functions � The bit fixing functions: fix0 and fix1 � fix0(X): fix msb 1 (X) to 0 � fix1(X): fix msb 1 (X) to 1 � fix1(0000) = 1000, fix1(1100) = 1100 14

  15. V <* HASH K (A,N) � A variant of CBC MAC � 1 ≤ |N| ≤ n−1 15

  16. V <* HASH K (A,N) � A variant of CBC MAC � 1 ≤ |N| ≤ n−1 16

  17. V <* HASH K (A,N) � A variant of CBC MAC � 1 ≤ |N| ≤ n−1 17

  18. V <* HASH K (A,N) � A variant of CBC MAC � 1 ≤ |N| ≤ n−1 18

  19. C <* ENC K (V,M) � A variant of CFB mode 19

  20. T <* PRF K (V,C) � A variant of CBC MAC 20

  21. T <* PRF K (V,C) � A variant of CBC MAC � g 1 is used when |C|=0 21

  22. Rationale � The bit fixing functions � used to logically separate CBC MAC and CFB mode � otherwise, attacks are possible 22

  23. Rationale � The tweak functions � There are 55 differential probability constraints � K xor f 1 (K), f 1 (K) xor g 1 (f 1 (h(K))), . . . � Each term should be close to uniform when K is uniform � optimality result: any lack of single constraint would lead to attack [KMI15] 23 [KMI15] Kobayashi, M, Iwata. Optimality of Tweak Functions in CLOC. IEICE Transactions 2015.

  24. Rationale � Constant multiplications over GF(2 n ) can work � 2X = X multiplied by the generator of the field, called doubling [R04] � 3X = 2X+X and so on � 2X needs 1*bit shift and conditional XOR of constant � But we want to avoid bit*level functions (for embedded processors ) 24 [Ro04] Rogaway : Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. ASIACRYPT 2004

  25. Rationale � Instead, we define a matrix M as � K � M = (K[1], K[2], K[3], K[4]) � M = (K[2], K[3], K[4], K[1] xor K[2]) � We specify tweak functions as f 1 : M i1 , f 2 : M i2 , g 1 : M i3 , g 2 : M i4 , h: M i5 With (i 1 , i 2 , i 3 , i 4 , i 5 ) = (8, 1, 2, 1, 4) � Computer*aided search for secure and efficient ones 25

  26. 26

  27. Works with Two State Blocks 27

  28. Security � Privacy: standard Nonce*based AE (NAE) privacy notion � Indistinguishability of ciphertexts from random bits against nonce*respecting adversaries in a chosen plaintext attack setting 28

  29. Security � Authenticity: � Unforgeability against nonce*reusing adversaries in a chosen ciphertext attack setting � A stronger adversary than standard one for NAE 29

  30. Software Implementation � Embedded software � Atmel AVR ATmega128 � 8*bit microprocessor � AES from [AVR*Crypto*Lib] written in assembler � 156.7 cpb for encryption, 196.8 cpb for decryption � CLOC, EAX, and OCB3 � modes are written in C � OCB3 code from official cite [OCB] w/ small modification � doubling operations are on*line, large precomputation may not be suitable to handle short input data for microprocessors � compiled with Atmel Studio 6 30 [OCB] web.cs.ucdavis.edu/~rogaway/ocb/news/ [AVR-Crypto-Liv] https://www.das-labor.org/wiki/AVR-Crypto-Lib/en

  31. Software Implementation � 1*block AD, no static AD computation � cycle counting is obtained by the simulation of Atmel Studio 6 � RAM is measured with a public tool [EZSTACK] � In CLOC, the RAM usage is low and Init is fast, and it is fast for short input data, up to around 128 bytes 31

  32. Software Implementation � Performance on Intel processor, Core i5*3427U 1.80GHz (Ivy Bridge family) � AES*128, using AES*NI � CLOC: about 4.9 cpb for long input data (more than 2 20 blocks) � AES calls in CFB mode and CBC MAC (in tag generation) can be done in parallel 32

  33. Software Implementation � General purpose CPU � Intel processor, Core i5*3427U 1.80GHz (Ivy Bridge family) � AES*128, AES*NI � CLOC: about 4.9 cpb for long input data (more than 2 20 blocks) � AES runs in 4.3 cpb 33

  34. Software Implementation � AES calls in CFB mode and CBC MAC (in tag generation) can be done in parallel 34

  35. Software Implementation � AES calls in CFB mode and CBC MAC (in tag generation) can be done in parallel 35

  36. Software Implementation � AES calls in CFB mode and CBC MAC (in tag generation) can be done in parallel Latest performance at public menchmark (SUPERCOP by D. Bernstein) Intel Core i5-6600 (Skylake) : 2.82 C/B for long message, 7.81 C/B for 64-byte message 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti

554 views • 32 slides
Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific Research (B), Grant

317 views • 30 slides
1 MPI-based SILC system Data transfer: the sequential case Currently based on a client-server

1 MPI-based SILC system Data transfer: the sequential case Currently based on a client-server

Outline Workshop on State-of-the-Art in Scientific and Parallel Computing (PARA '06) Ume, Sweden, June 18-21, 2006 Background Ways of using matrix computation libraries Distributed SILC: An easy-to-use Distributed SILC interface

232 views • 4 slides
Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with

Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with

Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with Analysis of the SILC Protocol with Stands for Stands for S S ecure ecure I I nternet nternet L L ive ive C C onferencing. onferencing. Murphi

475 views • 5 slides
William S. Richardson School Of Law Community Legal Outreach Center (CLOC) UHM 12-306 University

William S. Richardson School Of Law Community Legal Outreach Center (CLOC) UHM 12-306 University

William S. Richardson School Of Law Community Legal Outreach Center (CLOC) UHM 12-306 University of Hawaii at Mnoa COMMUNITY LEGAL OUTREACH CENTER (CLOC) June, 2015 Circulation Library Stacks Utility/Restrooms Classrooms Student Areas

306 views • 11 slides
Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections

Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections

Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections of the CW Linac (v7) of the CW Linac (v7) J.-F. Ostiguy APC/Fermilab ostiguy@fnal.gov JFO/20090910 Assumptions Assumptions Type 4 cryostat

276 views • 26 slides
Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC

Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC

Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC poverty rates High quality indicators on national- but estimates on sub-national level have poor accuracy SAE-Methods modelling

729 views • 15 slides
Cloc ock Del elta Com ompres ession on for for Scalable e Order er-R -Rep eplay of Non

Cloc ock Del elta Com ompres ession on for for Scalable e Order er-R -Rep eplay of Non

Cloc ock Del elta Com ompres ession on for for Scalable e Order er-R -Rep eplay of Non of on-D -Det eter erministic Pa Parallel el Application ons SC15 Kento Sato , Dong H. Ahn, Ignacio Laguna, Gregory L. Lee, Martin Schulz

590 views • 47 slides
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu,

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March 3, 2014, London, UK 1 Outline A new

668 views • 33 slides
IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello,

IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello,

35 th IARIW GENERAL CONFERENCE SESSION 12: IMPROVING THE MEASUREMENT OF HOUSEHOLD FINANCES IN SURVEYS IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello, D. Frattarola, M. Spaziani Italian National

222 views • 19 slides
Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24,

Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24,

Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24, 2006, in Tokyo, Japan A model-based analysis of the benefits and cost in the SILC framework SILC: A simple interface for matrix computation

701 views • 4 slides
Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research

Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research

Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research commissioned by the Belgian Combat Poverty Service and sponsored by BELSPO This project has received funding from the European Unions Seventh

131 views • 9 slides
SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. Eita Kobayashi, NEC Corporation DIAC 2014 August 23, 2014, Santa Barbara, USA

557 views • 30 slides
The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions

The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions

The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions for the Directorate Social Statistics Austrian case Summer school 'Reaching out to hard-to- survey groups among the poor' 30 May 3 June,

356 views • 35 slides
Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering

Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering

Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering sustainable solutions in a more competitive world Introduction to James Potter James has over 13 years experience in contaminated land investigation,

598 views • 34 slides
Mitigating E Egregi egiou ous A ACK CK Delays in Ce n Cellular Da Data Ne Networks b by

Mitigating E Egregi egiou ous A ACK CK Delays in Ce n Cellular Da Data Ne Networks b by

Mitigating E Egregi egiou ous A ACK CK Delays in Ce n Cellular Da Data Ne Networks b by Eliminating T TCP A CP ACK Cl CK Cloc ocking Wai Kay Leong, Yin Xu, Ben Leong, Zixiao Wang National University of Singapore Asymmetry i in C

551 views • 36 slides
Checking-in on Network Functions by Zeeshan Lakhani and Heather Miller @ The rise of network

Checking-in on Network Functions by Zeeshan Lakhani and Heather Miller @ The rise of network

Checking-in on Network Functions by Zeeshan Lakhani and Heather Miller @ The rise of network functions? Lakhani/Miller Checking-in on Network Functions 2 The rise of network functions? LB Firewall IDS Lakhani/Miller Checking-in on

846 views • 47 slides
A Tale of Two Checksums draft-ietf-fairhurst-udp-options-cco-00 Gorry Fairhurst, Tom Jones, Ra ff

A Tale of Two Checksums draft-ietf-fairhurst-udp-options-cco-00 Gorry Fairhurst, Tom Jones, Ra ff

A Tale of Two Checksums draft-ietf-fairhurst-udp-options-cco-00 Gorry Fairhurst, Tom Jones, Ra ff aele Zullo tom@erg.abdn.ac.uk IETF 103 - Bangkok 1 UDP Option Area IP transport payload

516 views • 23 slides
High Performance pgBackRest David Steele Crunchy Data PGConf.EU 2018 October 24, 2018 Agenda

High Performance pgBackRest David Steele Crunchy Data PGConf.EU 2018 October 24, 2018 Agenda

High Performance pgBackRest David Steele Crunchy Data PGConf.EU 2018 October 24, 2018 Agenda 1 Introduction 2 Core Commands 3 Archive Push 4 Backup Archive Get 5 Restore 6 Other Considerations 7 8 Questions? 2 / 16 About the

513 views • 16 slides
Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks performed by the transport layer v Services provided to the application layer v Services expected from the network layer q Multiplexing and

437 views • 8 slides
Library of Congress Classification: Module 3.1 1 Library of Congress Classification: Module 3.1

Library of Congress Classification: Module 3.1 1 Library of Congress Classification: Module 3.1

Library of Congress Classification: Module 3.1 1 Library of Congress Classification: Module 3.1 Over the next two modules, we will demonstrate how to use the functionality built into Classification Web to find classification numbers for

682 views • 55 slides
PCE Hierarchical SDNs draft-chen-pce-h-sdns-00 Huaimo Chen (huaimo.chen@huawei.com) Mehmet Toy

PCE Hierarchical SDNs draft-chen-pce-h-sdns-00 Huaimo Chen (huaimo.chen@huawei.com) Mehmet Toy

PCE Hierarchical SDNs draft-chen-pce-h-sdns-00 Huaimo Chen (huaimo.chen@huawei.com) Mehmet Toy (mehmet_toy@cable.comcast.com) Lei Liu (lliu@us.fujitsu.com) Vic Liu (liuzhiheng@chinamobile.com) Introduction Hierarchical PCE: RFC 6805 as

300 views • 8 slides
Completing your Needs Assessment Deliverable Packet Family Health Outcomes Project, UCSF March

Completing your Needs Assessment Deliverable Packet Family Health Outcomes Project, UCSF March

Completing your Needs Assessment Deliverable Packet Family Health Outcomes Project, UCSF March 27, 2019 Jennifer Rienks, PhD, and Adrienne Shatara, MPH Presentation Outline &amp; Objectives Demonstrate where to locate the Deliverables

305 views • 12 slides
Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a computer - Multiple user accounts on a computer - Ex) shared family computer - Access level can be set differently for each user - Ex) parent

689 views • 51 slides

More recommend