dial c for cipher
play

Dial C for Cipher Le chiffrement etait presque parfait Thomas - PowerPoint PPT Presentation

Jan 25, 2024 •219 likes •644 views

Dial C for Cipher Le chiffrement etait presque parfait Thomas Baign` eres Matthieu Finiasz Selected Areas in Cryptography, 2006 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 1 / 1 A High Overview of C C : { 0 , 1 }

  1. Dial C for Cipher Le chiffrement ´ etait presque parfait Thomas Baign` eres Matthieu Finiasz Selected Areas in Cryptography, 2006 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 1 / 1

  2. A High Overview of C • C : { 0 , 1 } 128 → { 0 , 1 } 128 is an iterated block cipher • K ∈ { 0 , 1 } 128 is the secret key • Each round i is parameterized by a round key K i • K 1 , . . . , K 10 are derived from K through the key schedule T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 2 / 1

  3. C is Based on AES’s SPN C is based on a Substitution-Permutation Network (SPN) Each round is made of: • A layer of substitution boxes � confusion • A linear layer � diffusion • The S ( j ) i ’s are independent and perfectly random permutations on { 0 , 1 } 8 • The linear layer L is exactly the one used in AES → elements of GF(2 8 ) 16 . • Intermediate text values are called a states − T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 3 / 1

  4. Key Schedule Based on a Cryptographically Secure PRNG • The Blum-Blum-Shub PRNG generates a long bit string... • ... from which we extract 160 integers in [0 , 2 8 ! − 1] . • Each of these defines one of the 160 permutations • The random permutations are computationally indistinguish- able from independent and perfectly random permutations. • We call K 1 , . . . , K 160 the ex- tended key. • ≈ 300 000 bits need to be gen- erated. T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 4 / 1

  5. C key vs. C rand T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 5 / 1

  6. Previously Known Security Results on C rand • Complexity of linear cryptanalysis against C rand is on average inversely proportional to ELP C rand ( a, b ) = E C rand � (2Pr X [ a • X = b • C rand ( X )] − 1) 2 � • Assuming that all the substitution boxes are independent and perfectly random, Baign` eres and Vaudenay showed at SAC’05 how to compute the exact value of max a � =0 ,b ELP C rand ( a, b ) : 2 rounds 3 rounds 4 rounds 6 rounds 8 rounds 9 rounds 2 − 33 . 98 2 − 55 . 96 2 − 127 . 91 2 − 127 . 99 2 − 128 . 00 2 − 128 . 00 C rand behaves like the perfect cipher w.r.t. LC and DC when r → ∞ Denoting by C ∗ the perfect cipher, for all non-zero a, b ∈ { 0 , 1 } 128 ELP C [ r ] ( a, b ) − r →∞ ELP C ∗ ( a, b ) EDP C [ r ] ( a, b ) − r →∞ EDP C ∗ ( a, b ) − − → and − − → T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 6 / 1

  7. About the validity of LC and DC’s Security Proofs • Usual Approximation (red single path): ELP C rand ( a 0 , a r ) ≈ � r i =1 ELP Round i ( a i − 1 , a i ) • Not always accurate. Leads for AES to max a � =0 ,b ELP AES ( a, b ) 2 − 300 ≈ whereas max a � =0 ,b ELP C ∗ ( a, b ) ≈ 2 − 128 • The approximation is sufficient for an attack, not for a security proof. • One needs to consider Nyberg’s linear hulls (blue multy paths): � ELP C rand ( a 0 , a r ) = � r i =1 ELP Round i ( a i − 1 , a i ) a 1 ,...,a r − 1 • LC and DC security proofs for C rand do take into account linear hulls and differential effects. T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 7 / 1

  8. About the validity of LC and DC’s Security Proofs • Usual Approximation (red single path): ELP C rand ( a 0 , a r ) ≈ � r i =1 ELP Round i ( a i − 1 , a i ) • Not always accurate. Leads for AES to max a � =0 ,b ELP AES ( a, b ) 2 − 300 ≈ whereas max a � =0 ,b ELP C ∗ ( a, b ) ≈ 2 − 128 • The approximation is sufficient for an attack, not for a security proof. • One needs to consider Nyberg’s linear hulls (blue multy paths): � ELP C rand ( a 0 , a r ) = � r i =1 ELP Round i ( a i − 1 , a i ) a 1 ,...,a r − 1 • LC and DC security proofs for C rand do take into account linear hulls and differential effects. T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 7 / 1

  9. From LC to Iterated Attacks of Order 1 • Vaudenay’s iterated attacks of order 1 are a generalization of LC. • In both cases, one bit of information is derived from each text pair. • LC derives the bit in a linear way. • No such constraint for Iterated Attacks � any kind of binary projection can be used. Can iterated attack behave any better than LC? Yes! (see Baign` eres, Junod, and Vaudenay’s Asiacrypt’04 paper). Provable security of C rand against iterated attacks of order 1 Seven rounds of C rand are sufficient to obtain provable security against any iterated attack of order 1. T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 8 / 1

  10. Proof (sketch) of the Security of C rand against Iterated Attacks of Order 1 • From the Decorrelation Theory, proving the security against the best non-adaptive 2-limited distinguisher is enough. 2 ||| [ C rand ] 2 − [ C ∗ ] 2 ||| ∞ where • Its advantage is equal to 1 [ C rand ] 2 ( x 1 ,x 2 ) , ( y 1 ,y 2 ) = Pr C rand [ C rand ( x 1 ) = y 1 , C rand ( x 2 ) = y 2 ] • Rounds are mutually independent � [ C rand ] 2 = ([ Round ] 2 ) 10 • The trouble is. . . we have to deal with 2 256 × 2 256 matrices! • Hopefully, the symmetries in the cipher induces symmetries in the matrices. • Exploiting them leads to computations on 625 × 625 matrices. 6 rounds 7 rounds 8 rounds 9 rounds 10 rounds 11 rounds 2 − 71 . 0 2 − 126 . 3 2 − 141 . 3 2 − 163 . 1 2 − 185 . 5 2 − 210 . 8 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 9 / 1

  11. Proof (sketch) of the Security of C rand against Iterated Attacks of Order 1 • From the Decorrelation Theory, proving the security against the best non-adaptive 2-limited distinguisher is enough. 2 ||| [ C rand ] 2 − [ C ∗ ] 2 ||| ∞ where • Its advantage is equal to 1 [ C rand ] 2 ( x 1 ,x 2 ) , ( y 1 ,y 2 ) = Pr C rand [ C rand ( x 1 ) = y 1 , C rand ( x 2 ) = y 2 ] • Rounds are mutually independent � [ C rand ] 2 = ([ Round ] 2 ) 10 • The trouble is. . . we have to deal with 2 256 × 2 256 matrices! • Hopefully, the symmetries in the cipher induces symmetries in the matrices. • Exploiting them leads to computations on 625 × 625 matrices. 6 rounds 7 rounds 8 rounds 9 rounds 10 rounds 11 rounds 2 − 71 . 0 2 − 126 . 3 2 − 141 . 3 2 − 163 . 1 2 − 185 . 5 2 − 210 . 8 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 9 / 1

  12. Proof (sketch) of the Security of C rand against Iterated Attacks of Order 1 • From the Decorrelation Theory, proving the security against the best non-adaptive 2-limited distinguisher is enough. 2 ||| [ C rand ] 2 − [ C ∗ ] 2 ||| ∞ where • Its advantage is equal to 1 [ C rand ] 2 ( x 1 ,x 2 ) , ( y 1 ,y 2 ) = Pr C rand [ C rand ( x 1 ) = y 1 , C rand ( x 2 ) = y 2 ] • Rounds are mutually independent � [ C rand ] 2 = ([ Round ] 2 ) 10 • The trouble is. . . we have to deal with 2 256 × 2 256 matrices! • Hopefully, the symmetries in the cipher induces symmetries in the matrices. • Exploiting them leads to computations on 625 × 625 matrices. 6 rounds 7 rounds 8 rounds 9 rounds 10 rounds 11 rounds 2 − 71 . 0 2 − 126 . 3 2 − 141 . 3 2 − 163 . 1 2 − 185 . 5 2 − 210 . 8 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 9 / 1

  13. Proof (sketch) of the Security of C rand against Iterated Attacks of Order 1 • From the Decorrelation Theory, proving the security against the best non-adaptive 2-limited distinguisher is enough. 2 ||| [ C rand ] 2 − [ C ∗ ] 2 ||| ∞ where • Its advantage is equal to 1 [ C rand ] 2 ( x 1 ,x 2 ) , ( y 1 ,y 2 ) = Pr C rand [ C rand ( x 1 ) = y 1 , C rand ( x 2 ) = y 2 ] • Rounds are mutually independent � [ C rand ] 2 = ([ Round ] 2 ) 10 • The trouble is. . . we have to deal with 2 256 × 2 256 matrices! • Hopefully, the symmetries in the cipher induces symmetries in the matrices. • Exploiting them leads to computations on 625 × 625 matrices. 6 rounds 7 rounds 8 rounds 9 rounds 10 rounds 11 rounds 2 − 71 . 0 2 − 126 . 3 2 − 141 . 3 2 − 163 . 1 2 − 185 . 5 2 − 210 . 8 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 9 / 1

  14. Proof (sketch) of the Security of C rand against Iterated Attacks of Order 1 • From the Decorrelation Theory, proving the security against the best non-adaptive 2-limited distinguisher is enough. 2 ||| [ C rand ] 2 − [ C ∗ ] 2 ||| ∞ where • Its advantage is equal to 1 [ C rand ] 2 ( x 1 ,x 2 ) , ( y 1 ,y 2 ) = Pr C rand [ C rand ( x 1 ) = y 1 , C rand ( x 2 ) = y 2 ] • Rounds are mutually independent � [ C rand ] 2 = ([ Round ] 2 ) 10 • The trouble is. . . we have to deal with 2 256 × 2 256 matrices! • Hopefully, the symmetries in the cipher induces symmetries in the matrices. • Exploiting them leads to computations on 625 × 625 matrices. 6 rounds 7 rounds 8 rounds 9 rounds 10 rounds 11 rounds 2 − 71 . 0 2 − 126 . 3 2 − 141 . 3 2 − 163 . 1 2 − 185 . 5 2 − 210 . 8 T. Baign` eres, M. Finiasz (EPFL) Dial C for Cipher SAC 2006 9 / 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Maintaining Member Motivation Dial: 877-853-5257 Webinar ID: 926-465-688 Todays Speaker Dial:

Maintaining Member Motivation Dial: 877-853-5257 Webinar ID: 926-465-688 Todays Speaker Dial:

Maintaining Member Motivation Dial: 877-853-5257 Webinar ID: 926-465-688 Todays Speaker Dial: 877-853-5257 ID: 926-465-688 Andy King AmeriCorps VISTA Senior Training Specialist Dial: 877-853-5257 Session Goals ID: 926-465-688 Examine

498 views • 12 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos

Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos

Querying Probabilistic Information Extraction Daisy Zhe Wang, Michael J. Franklin, Minos Garofalakis, Joseph M. Hellerstein VLDB, Singapore, 16 th September, 2010 Outline Information Extraction Systems Information Extraction (IE)

324 views • 29 slides
Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the Foundations of

Introduction Natural numbers objects in monoidal categories Weak representability of partial recursive functions Strong representability of partial recursive functions Partial Recursive Functions and Finality Gordon Plotkin Laboratory for the

800 views • 58 slides
Red-Black Trees ! Motivation: a binary search tree that is guaranteed to be balanced (operations

Red-Black Trees ! Motivation: a binary search tree that is guaranteed to be balanced (operations

Red-Black Trees ! Motivation: a binary search tree that is guaranteed to be balanced (operations take time in the ( ) O lg n worst-case). Red-Black Trees ! A red-black tree is a binary search tree where each node has a color

259 views • 4 slides
Seminario di Teoria delle Categorie Universit degli Studi di Milano 9.30 - 10:15 - Semidirect

Seminario di Teoria delle Categorie Universit degli Studi di Milano 9.30 - 10:15 - Semidirect

Luned 24 Giugno 2013 Seminario di Teoria delle Categorie Universit degli Studi di Milano 9.30 - 10:15 - Semidirect products of topological semi-abelian algebras Andrea Montoli - Universidade de Coimbra M.M.Clementino and F.Borceux [1] proved

256 views • 7 slides
Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE

Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE

Counters and Async Infrastructures Proposal for Code Contribution Guy Sela, Senior Engineer, HPE Who am I ? Senior Engineer at HPE Served as a developer and team leader at the Israeli NSA Developing software since 2004 E-mail:

496 views • 48 slides
Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19

Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19

Project Team: Valiant Visionaries Samantha Parfait, Indies Guercin and Emily Murdock Supporting Small Businesses Post COVID-19 BY: THE VALIANT VISIONARIES SAMANTHA PARFAIT, INDIES GUERCIN, & EMILY MURDOCK OUR TOPIC The American Economy

440 views • 13 slides
MINCS - The Container in the Shell (script) - Masami Hiramatsu

MINCS - The Container in the Shell (script) - Masami Hiramatsu

MINCS - The Container in the Shell (script) - Masami Hiramatsu <masami.hiramatsu@linaro.org> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami Hiramatsu - Linux

911 views • 48 slides
Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17

Dual Execution and Comparison For Genode Components Performance Penalty And Challenges FOSDEM Micro-kernel Devroom, 04/02/17 Parfait T okponnon Marc Lobelle mahoukpego.tokponnon@uclouvain.be marc.lobelle@uclouvain.be Outline 2

406 views • 29 slides

More recommend