constructing tweakable block ciphers in the random
play

Constructing Tweakable Block Ciphers in the Random Permutation Model - PowerPoint PPT Presentation

May 03, 2023 •577 likes •1.79k views

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI, France September 30, 2015 ASK 2015 Based on joint work with Benot Cogliati

  1. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion TBCs: Dedicated Designs Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL + 07, MI08] • this talk: SPN ciphers (more gen. key-alternating ciphers) Yannick Seurin Constructing TBCs in the RPM ASK 2015 8 / 36

  2. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion TBCs: Dedicated Designs Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL + 07, MI08] • this talk: SPN ciphers (more gen. key-alternating ciphers) Yannick Seurin Constructing TBCs in the RPM ASK 2015 8 / 36

  3. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion TBCs: Dedicated Designs Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL + 07, MI08] • this talk: SPN ciphers (more gen. key-alternating ciphers) Yannick Seurin Constructing TBCs in the RPM ASK 2015 8 / 36

  4. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion TBCs: Dedicated Designs Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL + 07, MI08] • this talk: SPN ciphers (more gen. key-alternating ciphers) Yannick Seurin Constructing TBCs in the RPM ASK 2015 8 / 36

  5. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Key-Alternating Ciphers k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher: • the P i ’s are public permutations on { 0 , 1 } n • the f i ’s map k to n -bit “round keys” • examples: most SPNs (AES, SERPENT, PRESENT, LED. . . ) • a.k.a. (iterated) Even-Mansour construction Yannick Seurin Constructing TBCs in the RPM ASK 2015 9 / 36

  6. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Key-Alternating Ciphers k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher: • the P i ’s are public permutations on { 0 , 1 } n • the f i ’s map k to n -bit “round keys” • examples: most SPNs (AES, SERPENT, PRESENT, LED. . . ) • a.k.a. (iterated) Even-Mansour construction Yannick Seurin Constructing TBCs in the RPM ASK 2015 9 / 36

  7. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Key-Alternating Ciphers k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher: • the P i ’s are public permutations on { 0 , 1 } n • the f i ’s map k to n -bit “round keys” • examples: most SPNs (AES, SERPENT, PRESENT, LED. . . ) • a.k.a. (iterated) Even-Mansour construction Yannick Seurin Constructing TBCs in the RPM ASK 2015 9 / 36

  8. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tweakable Even-Mansour Constructions k f 0 f 1 f r y x P 1 P 2 P r • let the round keys depend on the key and the tweak t • ⇒ “tweakable” Even-Mansour (TEM) construction(s) • f i ’s = “tweak and key schedule” (TKS) • high-level abstraction of the TWEAKEY constructions [JNP14] • analysis in the Random Permutation Model Yannick Seurin Constructing TBCs in the RPM ASK 2015 10 / 36

  9. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tweakable Even-Mansour Constructions ( k , t ) f 0 f 1 f r y x P 1 P 2 P r • let the round keys depend on the key and the tweak t • ⇒ “tweakable” Even-Mansour (TEM) construction(s) • f i ’s = “tweak and key schedule” (TKS) • high-level abstraction of the TWEAKEY constructions [JNP14] • analysis in the Random Permutation Model Yannick Seurin Constructing TBCs in the RPM ASK 2015 10 / 36

  10. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tweakable Even-Mansour Constructions ( k , t ) f 0 f 1 f r y x P 1 P 2 P r • let the round keys depend on the key and the tweak t • ⇒ “tweakable” Even-Mansour (TEM) construction(s) • f i ’s = “tweak and key schedule” (TKS) • high-level abstraction of the TWEAKEY constructions [JNP14] • analysis in the Random Permutation Model Yannick Seurin Constructing TBCs in the RPM ASK 2015 10 / 36

  11. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tweakable Even-Mansour Constructions ( k , t ) f 0 f 1 f r y x P 1 P 2 P r • let the round keys depend on the key and the tweak t • ⇒ “tweakable” Even-Mansour (TEM) construction(s) • f i ’s = “tweak and key schedule” (TKS) • high-level abstraction of the TWEAKEY constructions [JNP14] • analysis in the Random Permutation Model Yannick Seurin Constructing TBCs in the RPM ASK 2015 10 / 36

  12. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tweakable Even-Mansour Constructions ( k , t ) f 0 f 1 f r y x P 1 P 2 P r • let the round keys depend on the key and the tweak t • ⇒ “tweakable” Even-Mansour (TEM) construction(s) • f i ’s = “tweak and key schedule” (TKS) • high-level abstraction of the TWEAKEY constructions [JNP14] • analysis in the Random Permutation Model Yannick Seurin Constructing TBCs in the RPM ASK 2015 10 / 36

  13. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion The Random Permutation Model (RPM) ( k , t ) f 0 f 1 f r · · · P 1 P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles (adversary can only make black-box queries) • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • complexity measure of the adversary: • q c = # construction queries = pt/ct pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security Yannick Seurin Constructing TBCs in the RPM ASK 2015 11 / 36

  14. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion The Random Permutation Model (RPM) ( k , t ) f 0 f 1 f r · · · P 1 P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles (adversary can only make black-box queries) • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • complexity measure of the adversary: • q c = # construction queries = pt/ct pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security Yannick Seurin Constructing TBCs in the RPM ASK 2015 11 / 36

  15. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion The Random Permutation Model (RPM) ( k , t ) f 0 f 1 f r · · · P 1 P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles (adversary can only make black-box queries) • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • complexity measure of the adversary: • q c = # construction queries = pt/ct pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security Yannick Seurin Constructing TBCs in the RPM ASK 2015 11 / 36

  16. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion The Random Permutation Model (RPM) ( k , t ) f 0 f 1 f r · · · P 1 P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles (adversary can only make black-box queries) • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • complexity measure of the adversary: • q c = # construction queries = pt/ct pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security Yannick Seurin Constructing TBCs in the RPM ASK 2015 11 / 36

  17. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Formalization of the Security Experiment Real world Ideal world ( k , t ) f 0 f 1 f r � P 1 , . . . , P r P 1 , . . . , P r P 0 y x P 1 P 2 P r q p q p q c q c 0 / 1 0 / 1 • real world: TEM construction with random master key k • ideal world: random tweakable permutation � P 0 independent from P 1 , . . . , P r • RPM: D has oracle access to P 1 , . . . , P r in both worlds Yannick Seurin Constructing TBCs in the RPM ASK 2015 12 / 36

  18. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Formalization of the Security Experiment Real world Ideal world ( k , t ) f 0 f 1 f r � P 1 , . . . , P r P 1 , . . . , P r P 0 y x P 1 P 2 P r q p q p q c q c 0 / 1 0 / 1 • real world: TEM construction with random master key k • ideal world: random tweakable permutation � P 0 independent from P 1 , . . . , P r • RPM: D has oracle access to P 1 , . . . , P r in both worlds Yannick Seurin Constructing TBCs in the RPM ASK 2015 12 / 36

  19. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Outline Background: Tweakable Block Ciphers Tweakable Even-Mansour Constructions Birthday-Bound Secure Constructions Beyond-Birthday-Bound Secure Constructions Conclusion and Perspectives Yannick Seurin Constructing TBCs in the RPM ASK 2015 13 / 36

  20. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS k k y x P 1 • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  21. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS k ⊕ t k ⊕ t y x P 1 • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  22. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  23. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 ( t 1 , x 1 ) y 1 = v ⊕ k ⊕ t 1 u v k ⊕ t 1 • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  24. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 ( t 1 , x 1 ) y 1 = v ⊕ k ⊕ t 1 x 1 ⊕ x 2 = t 1 ⊕ t 2 u v ( t 2 , x 2 ) k ⊕ t 1 k ⊕ t 2 • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  25. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 ( t 1 , x 1 ) y 1 = v ⊕ k ⊕ t 1 x 1 ⊕ x 2 = t 1 ⊕ t 2 u v ( t 2 , x 2 ) y 2 = v ⊕ k ⊕ t 2 k ⊕ t 1 k ⊕ t 2 Check that y 1 ⊕ y 2 = t 1 ⊕ t 2 ( ∗ ) • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  26. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 ( t 1 , x 1 ) y 1 = v ⊕ k ⊕ t 1 x 1 ⊕ x 2 = t 1 ⊕ t 2 u v ( t 2 , x 2 ) y 2 = v ⊕ k ⊕ t 2 k ⊕ t 1 k ⊕ t 2 Check that y 1 ⊕ y 2 = t 1 ⊕ t 2 ( ∗ ) • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  27. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion First Try: One Round, Linear TKS P 1 ( t 1 , x 1 ) y 1 = v ⊕ k ⊕ t 1 x 1 ⊕ x 2 = t 1 ⊕ t 2 u v ( t 2 , x 2 ) y 2 = v ⊕ k ⊕ t 2 k ⊕ t 1 k ⊕ t 2 Check that y 1 ⊕ y 2 = t 1 ⊕ t 2 ( ∗ ) • 2 queries to the encryption oracle, 0 queries to P 1 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 14 / 36

  28. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  29. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  30. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 k ⊕ t 1 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  31. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) u ′ v ′ 2 2 y 2 k ⊕ t 1 k ⊕ t 2 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  32. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ 1 1 2 2 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  33. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  34. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 x 4 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 Check that x 3 ⊕ x 4 = t 3 ⊕ t 4 ( ∗ ) • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  35. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 x 4 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 Check that x 3 ⊕ x 4 = t 3 ⊕ t 4 ( ∗ ) • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  36. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 x 4 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 Check that x 3 ⊕ x 4 = t 3 ⊕ t 4 ( ∗ ) • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  37. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 x 4 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 Check that x 3 ⊕ x 4 = t 3 ⊕ t 4 ( ∗ ) • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  38. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Second Try: Two Rounds, Linear TKS P 1 P 2 y 1 ( t 1 , x 1 ) u 1 v 1 u 2 v 2 ( t 2 , x 2 ) ( t 3 , y 3 ) x 3 u ′ v ′ u ′ v ′ ( t 4 , y 4 ) 1 1 2 2 x 4 y 2 k ⊕ t 1 k ⊕ t 2 k ⊕ t 3 k ⊕ t 4 t 1 ⊕ t 2 ⊕ t 3 ⊕ t 4 = 0 Check that x 3 ⊕ x 4 = t 3 ⊕ t 4 ( ∗ ) • 4 queries to the enc/dec oracle, 0 queries to P 1 , P 2 • ( ∗ ) holds with proba. 1 for the TEM construction • ( ∗ ) holds with proba. 2 − n for a random tweakable permutation • works for any linear TKS Yannick Seurin Constructing TBCs in the RPM ASK 2015 15 / 36

  39. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Security for Three Rounds k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 Theorem ([CS15, FP15]) The 3-round TEM with linear TKS is a strong tweakable PRP: + 4 q 2 Adv ( q c , q p ) ≤ 6 q c q p c 2 n . 2 n Proof sketch: • adversary can create collisions at input of P 1 or output of P 3 • but proba. to create a collision at P 2 is � q 2 c / 2 n • no collision at P 2 ⇒ ∼ single-key security of 1-round EM � q c q p / 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 16 / 36

  40. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Security for Three Rounds k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 Theorem ([CS15, FP15]) The 3-round TEM with linear TKS is a strong tweakable PRP: + 4 q 2 Adv ( q c , q p ) ≤ 6 q c q p c 2 n . 2 n Proof sketch: • adversary can create collisions at input of P 1 or output of P 3 • but proba. to create a collision at P 2 is � q 2 c / 2 n • no collision at P 2 ⇒ ∼ single-key security of 1-round EM � q c q p / 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 16 / 36

  41. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Security for Three Rounds k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 Theorem ([CS15, FP15]) The 3-round TEM with linear TKS is a strong tweakable PRP: + 4 q 2 Adv ( q c , q p ) ≤ 6 q c q p c 2 n . 2 n Proof sketch: • adversary can create collisions at input of P 1 or output of P 3 • but proba. to create a collision at P 2 is � q 2 c / 2 n • no collision at P 2 ⇒ ∼ single-key security of 1-round EM � q c q p / 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 16 / 36

  42. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Security for Three Rounds k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 Theorem ([CS15, FP15]) The 3-round TEM with linear TKS is a strong tweakable PRP: + 4 q 2 Adv ( q c , q p ) ≤ 6 q c q p c 2 n . 2 n Proof sketch: • adversary can create collisions at input of P 1 or output of P 3 • but proba. to create a collision at P 2 is � q 2 c / 2 n • no collision at P 2 ⇒ ∼ single-key security of 1-round EM � q c q p / 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 16 / 36

  43. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tightness of the Bound k ⊕ t k ⊕ t k ⊕ t k ⊕ t x y P 1 P 2 P 3 • can be written � E ( k , t , x ) = E ( k ⊕ t , x ) where E is the conventional 3-round EM cipher with trivial key-schedule • ⇒ secure up to 2 n / 2 queries at best by a simple collision attack: E k ∗ ( t i , 0 ) = E ( k ∗ ⊕ t i , 0 ) for 2 n / 2 tweaks t i 1. query c i = � E k j ( 0 , 0 ) = E ( k j , 0 ) for 2 n / 2 keys k j j = � 2. compute c ′ 3. look for a collision c i = c ′ j 4. w.h.p., the real key is k ∗ = t i ⊕ k j • ⇒ increasing the number of rounds does not improve security Yannick Seurin Constructing TBCs in the RPM ASK 2015 17 / 36

  44. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tightness of the Bound k ⊕ t k ⊕ t k ⊕ t k ⊕ t x y P 1 P 2 P 3 • can be written � E ( k , t , x ) = E ( k ⊕ t , x ) where E is the conventional 3-round EM cipher with trivial key-schedule • ⇒ secure up to 2 n / 2 queries at best by a simple collision attack: E k ∗ ( t i , 0 ) = E ( k ∗ ⊕ t i , 0 ) for 2 n / 2 tweaks t i 1. query c i = � E k j ( 0 , 0 ) = E ( k j , 0 ) for 2 n / 2 keys k j j = � 2. compute c ′ 3. look for a collision c i = c ′ j 4. w.h.p., the real key is k ∗ = t i ⊕ k j • ⇒ increasing the number of rounds does not improve security Yannick Seurin Constructing TBCs in the RPM ASK 2015 17 / 36

  45. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tightness of the Bound k ⊕ t k ⊕ t k ⊕ t k ⊕ t x y P 1 P 2 P 3 • can be written � E ( k , t , x ) = E ( k ⊕ t , x ) where E is the conventional 3-round EM cipher with trivial key-schedule • ⇒ secure up to 2 n / 2 queries at best by a simple collision attack: E k ∗ ( t i , 0 ) = E ( k ∗ ⊕ t i , 0 ) for 2 n / 2 tweaks t i 1. query c i = � E k j ( 0 , 0 ) = E ( k j , 0 ) for 2 n / 2 keys k j j = � 2. compute c ′ 3. look for a collision c i = c ′ j 4. w.h.p., the real key is k ∗ = t i ⊕ k j • ⇒ increasing the number of rounds does not improve security Yannick Seurin Constructing TBCs in the RPM ASK 2015 17 / 36

  46. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Tightness of the Bound k ⊕ t k ⊕ t k ⊕ t k ⊕ t x y P 1 P 2 P 3 • can be written � E ( k , t , x ) = E ( k ⊕ t , x ) where E is the conventional 3-round EM cipher with trivial key-schedule • ⇒ secure up to 2 n / 2 queries at best by a simple collision attack: E k ∗ ( t i , 0 ) = E ( k ∗ ⊕ t i , 0 ) for 2 n / 2 tweaks t i 1. query c i = � E k j ( 0 , 0 ) = E ( k j , 0 ) for 2 n / 2 keys k j j = � 2. compute c ′ 3. look for a collision c i = c ′ j 4. w.h.p., the real key is k ∗ = t i ⊕ k j • ⇒ increasing the number of rounds does not improve security Question Construction with less permutations? Yannick Seurin Constructing TBCs in the RPM ASK 2015 17 / 36

  47. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction k ⊗ t k ⊗ t k ′ y x E • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  48. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction k ′ k ′ P k ⊗ t k ⊗ t k ′ y x E • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  49. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction ( k ⊗ t ) ⊕ k ′ ( k ⊗ t ) ⊕ k ′ y x P • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  50. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction ( k ⊗ t ) ⊕ k ′ ( k ⊗ t ) ⊕ k ′ y x P • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  51. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction k ⊗ t k ⊗ t y x P • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  52. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction Non-Linear Tweakable Even-Mansour (NL-TEM) construction k ⊗ t k ⊗ t y x P • provably secure in the RPM up to ∼ 2 n / 2 queries [FP15, CLS15]: Adv ( q c , q p ) ≤ q 2 2 n + 2 q c q p c . 2 n • t � = 0 ⇒ k ′ is superfluous ( k ⊗ t unif. random for any t � = 0) Yannick Seurin Constructing TBCs in the RPM ASK 2015 18 / 36

  53. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Birthday-Bound Security: Wrap-up Two constructions provably secure up to the birthday bound: 1. linear TKS k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 2. nonlinear TKS k ⊗ t k ⊗ t y x P Question Constructions secure beyond the birthday-bound? Yannick Seurin Constructing TBCs in the RPM ASK 2015 19 / 36

  54. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Birthday-Bound Security: Wrap-up Two constructions provably secure up to the birthday bound: 1. linear TKS k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 2. nonlinear TKS k ⊗ t k ⊗ t y x P Question Constructions secure beyond the birthday-bound? Yannick Seurin Constructing TBCs in the RPM ASK 2015 19 / 36

  55. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Birthday-Bound Security: Wrap-up Two constructions provably secure up to the birthday bound: 1. linear TKS k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 2. nonlinear TKS k ⊗ t k ⊗ t y x P Question Constructions secure beyond the birthday-bound? Yannick Seurin Constructing TBCs in the RPM ASK 2015 19 / 36

  56. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Birthday-Bound Security: Wrap-up Two constructions provably secure up to the birthday bound: 1. linear TKS k ⊕ t k ⊕ t k ⊕ t k ⊕ t y x P 1 P 2 P 3 2. nonlinear TKS k ⊗ t k ⊗ t y x P Question Constructions secure beyond the birthday-bound? Yannick Seurin Constructing TBCs in the RPM ASK 2015 19 / 36

  57. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Outline Background: Tweakable Block Ciphers Tweakable Even-Mansour Constructions Birthday-Bound Secure Constructions Beyond-Birthday-Bound Secure Constructions Conclusion and Perspectives Yannick Seurin Constructing TBCs in the RPM ASK 2015 20 / 36

  58. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the LRW Construction k ′ 1 ⊗ t x E k 1 • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Yannick Seurin Constructing TBCs in the RPM ASK 2015 21 / 36

  59. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Yannick Seurin Constructing TBCs in the RPM ASK 2015 21 / 36

  60. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Yannick Seurin Constructing TBCs in the RPM ASK 2015 21 / 36

  61. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Yannick Seurin Constructing TBCs in the RPM ASK 2015 21 / 36

  62. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Yannick Seurin Constructing TBCs in the RPM ASK 2015 21 / 36

  63. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the NL-TEM Construction • k 1 , k 2 independent n -bit keys k 1 ⊗ t k 2 ⊗ t y x P 1 P 2 Theorem ([CLS15]) The 2-round NL-TEM construction is secure up to ∼ 2 2 n / 3 queries in the RPM: + 30 √ q c q p Adv ( q c , q p ) ≤ 34 q 3 / 2 c . 2 n 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 22 / 36

  64. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Cascading the NL-TEM Construction • k 1 , k 2 independent n -bit keys k 1 ⊗ t k 2 ⊗ t y x P 1 P 2 Theorem ([CLS15]) The 2-round NL-TEM construction is secure up to ∼ 2 2 n / 3 queries in the RPM: + 30 √ q c q p Adv ( q c , q p ) ≤ 34 q 3 / 2 c . 2 n 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 22 / 36

  65. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Proof Technique: H-coefficients Real world Ideal world k 1 ⊗ t k 2 ⊗ t k r ⊗ t � P 1 , . . . , P r P 1 , . . . , P r P 0 y x P 1 P 2 P r q p q p q c q c 1. consider the transcript of all queries of D to the construction and to the inner permutations 2. define bad transcripts and show that their probability is small (in the ideal world) 3. show that good transcripts are almost as probable in the real and the ideal world Yannick Seurin Constructing TBCs in the RPM ASK 2015 23 / 36

  66. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Proof Technique: H-coefficients Real world Ideal world k 1 ⊗ t k 2 ⊗ t k r ⊗ t � P 1 , . . . , P r P 1 , . . . , P r P 0 y x P 1 P 2 P r q p q p q c q c 1. consider the transcript of all queries of D to the construction and to the inner permutations 2. define bad transcripts and show that their probability is small (in the ideal world) 3. show that good transcripts are almost as probable in the real and the ideal world Yannick Seurin Constructing TBCs in the RPM ASK 2015 23 / 36

  67. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Proof Technique: H-coefficients Real world Ideal world k 1 ⊗ t k 2 ⊗ t k r ⊗ t � P 1 , . . . , P r P 1 , . . . , P r P 0 y x P 1 P 2 P r q p q p q c q c 1. consider the transcript of all queries of D to the construction and to the inner permutations 2. define bad transcripts and show that their probability is small (in the ideal world) 3. show that good transcripts are almost as probable in the real and the ideal world Yannick Seurin Constructing TBCs in the RPM ASK 2015 23 / 36

  68. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  69. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  70. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 u 1 v 1 Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  71. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 u 1 v 1 u 2 v 2 Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  72. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 u 1 v 1 u 2 v 2 ( t , x ) Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  73. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 q c q 2 u 1 v 1 u 2 v 2 ( t , x ) p proba ≤ 2 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  74. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 q c q 2 u 1 v 1 u 2 v 2 ( t , x ) p proba ≤ 2 2 n Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  75. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 q c q 2 u 1 v 1 u 2 v 2 ( t , x ) p proba ≤ 2 2 n ( t , x ) Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  76. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 q c q 2 u 1 v 1 u 2 v 2 ( t , x ) p proba ≤ 2 2 n ( t , x ) ( t ′ , x ′ ) Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  77. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Bad Transcripts • one needs to avoid “two-fold” collisions: k 1 ⊗ t k 2 ⊗ t x y P 1 P 2 q c q 2 u 1 v 1 u 2 v 2 ( t , x ) p proba ≤ 2 2 n ( t , x ) proba ≤ q 2 c 2 2 n ( t ′ , x ′ ) Yannick Seurin Constructing TBCs in the RPM ASK 2015 24 / 36

  78. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion The Ten “Bad Collision” Cases P 1 P 2 ( t , x ) u 1 v 2 ( t , y ) ( t , x ) u 1 v 1 u 2 v 1 u 2 v 2 ( t , y ) ( t , x ) ( t , y ) ( t ′ , x ′ ) ( t ′′ , y ′′ ) ( t , x ) ( t , y ) ( t ′ , x ′ ) ( t ′ , y ′ ) u 1 v 2 ( t , x ) ( t , y ) ( t , x ) ( t , y ) ( t ′ , y ′ ) ( t ′ , x ′ ) u 1 v 1 u 2 v 2 ( t , x ) ( t , y ) ( t ′ , x ′ ) u ′ v ′ u ′ v ′ ( t ′ , y ′ ) 1 1 2 2 Yannick Seurin Constructing TBCs in the RPM ASK 2015 25 / 36

  79. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Distribution of Good Transcripts • assuming there are no P 1 P 2 bad collisions, show that Q U 1 � � U 2 V 2 the answers of the TEM U 1 V 1 construction are close to answers of a random Q V 2 � � U 1 V 1 tweakable permutation U 2 V 2 • for each query, there is a “fresh” value of P 1 or U ′ V ′ U ′ V ′ Q X 1 1 2 2 P 2 which randomizes the output U ′′ V ′′ U ′′ V ′′ Q Y 2 2 1 1 Q 0 Yannick Seurin Constructing TBCs in the RPM ASK 2015 26 / 36

  80. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Distribution of Good Transcripts • assuming there are no P 1 P 2 bad collisions, show that Q U 1 � � U 2 V 2 the answers of the TEM U 1 V 1 construction are close to answers of a random Q V 2 � � U 1 V 1 tweakable permutation U 2 V 2 • for each query, there is a “fresh” value of P 1 or U ′ V ′ U ′ V ′ Q X 1 1 2 2 P 2 which randomizes the output U ′′ V ′′ U ′′ V ′′ Q Y 2 2 1 1 Q 0 Yannick Seurin Constructing TBCs in the RPM ASK 2015 26 / 36

  81. Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Longer Cascades of the NL-TEM Construction k 1 ⊗ t k 2 ⊗ t k r ⊗ t y x P 1 P 2 P r • r rounds, r even, with independent keys k 1 , . . . , k r secure up to ( r / 2 ) n rn ( r / 2 )+ 1 queries r + 2 = 2 ∼ 2 • proof: 1. non-adaptive security for r / 2 rounds (coupling technique) 2. adaptive security for r rounds (“two weak make one strong” composition theorem) rn r + 1 queries • conjecture: secure up to ∼ 2 Yannick Seurin Constructing TBCs in the RPM ASK 2015 27 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with: Christof Beierle Stefan Klbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

472 views • 33 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016 The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S.

1.91k views • 55 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Notes on Phase Errors in Linac Simulations Notes on Phase Errors in Linac Simulations + +

Notes on Phase Errors in Linac Simulations Notes on Phase Errors in Linac Simulations + +

Notes on Phase Errors in Linac Simulations Notes on Phase Errors in Linac Simulations + + Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From Losses due to H- Quadrupoles Arising From Losses due to

318 views • 20 slides
Transmission Charging Methodologies Forum & CUSC Issues Steering Group 12 September 2018 1

Transmission Charging Methodologies Forum & CUSC Issues Steering Group 12 September 2018 1

Transmission Charging Methodologies Forum & CUSC Issues Steering Group 12 September 2018 1 Welcome Rachel Tullis, National Grid ESO 2 Housekeeping Fire alarms Facilities Red Lanyards 3 Actions TCMF Agenda Target Month

1.3k views • 80 slides
Ernst and the King Myths and Facts about Chess and Game Theory Silvio Capobianco Institute of

Ernst and the King Myths and Facts about Chess and Game Theory Silvio Capobianco Institute of

Ernst and the King Myths and Facts about Chess and Game Theory Silvio Capobianco Institute of Cybernetics at TUT, Tallinn 8 April 2009 Revised: 17 April 2009 Silvio Capobianco Ernst and the King Abstract The very first theorem in game

757 views • 37 slides
Several Security Issues Yvo Desmedt Department of Computer Science University of Texas at Dallas

Several Security Issues Yvo Desmedt Department of Computer Science University of Texas at Dallas

Several Security Issues Yvo Desmedt Department of Computer Science University of Texas at Dallas September 16, 2016 c Yvo Desmedt 1. Reliable and Private Communication Classical results This goes back to World War I, after the cable ship

253 views • 14 slides
Question Answering Spring 2020 2020-04-02 Adapted from slides from Danqi Chen and Karthik

Question Answering Spring 2020 2020-04-02 Adapted from slides from Danqi Chen and Karthik

SFU NatLangLab CMPT 825: Natural Language Processing Question Answering Spring 2020 2020-04-02 Adapted from slides from Danqi Chen and Karthik Narasimhan (with some content from slides from Chris Manning) Question Answering Goal: build

921 views • 42 slides
Reducing I will NOT discuss off label/ investigational use of products. Liviu Klein MD, MS

Reducing I will NOT discuss off label/ investigational use of products. Liviu Klein MD, MS

12/1/17 Financial Relationship Disclosure Reducing Readmissions in Heart Failure Reducing I will NOT discuss off label/ investigational use of products. Liviu Klein MD, MS Readmissions Associate Professor The following financial

380 views • 15 slides
Suzanne White Brahmia Department of Physics University of Washington 11/17/17 1 Collabora've

Suzanne White Brahmia Department of Physics University of Washington 11/17/17 1 Collabora've

Yale University CTL Helmsley STEM EducaAon Series December 2014 Suzanne White Brahmia Department of Physics University of Washington 11/17/17 1 Collabora've Principal Inves'gators Andrew Boudreaux; Western Washington University Stephen

1.49k views • 105 slides
Slide 1 / 33 1 A Crookes Tube (a tube containing rarefied gas through which a current is

Slide 1 / 33 1 A Crookes Tube (a tube containing rarefied gas through which a current is

Slide 1 / 33 1 A Crookes Tube (a tube containing rarefied gas through which a current is passed between a cathode and an anode) was used in the discovery of the electron by: A R. A. Millikan B J. J. Thomson C J. S. Townsend D M. Planck E

584 views • 11 slides

More recommend