do doma main spe pecifi fic ciph phers
play

do doma main spe pecifi fic ciph phers Carlos Cid Royal - PowerPoint PPT Presentation

Apr 03, 2024 •360 likes •683 views

do doma main spe pecifi fic ciph phers Carlos Cid Royal Holloway University of London Simula UiB bl block ciph pher research bef before e AES ES : a handful of block ciphers available, eg DES, IDEA, Blowfish af after AES :

  1. do doma main spe pecifi fic ciph phers Carlos Cid Royal Holloway University of London Simula UiB

  2. bl block ciph pher research • bef before e AES ES : a handful of block ciphers available, eg DES, IDEA, Blowfish • af after AES : there are 100+ 100+ block ciphers to choose from. • more new designs appear every year (particularly li lightw tweight ), but the vast majority will never be used in applications. • AES works well in most non-constrained applications, is widely supported in crypto-libraries, and has special hardware instructions on many modern processors. • th this ta talk lk : look at ciphers for applications for which AES is not that good..

  4. dom domain s spec pecific c ciph pher ers • past few years have seen a number of new applications for symmetric-key cryptography – beyond traditional confidentiality and authentication in two-party communication. • in many cases requiring dedicated symmetric-key designs, to support and/or enable these new applications. • security goal may be defined based on the constraints of the application. • Fo Format Preservin ing Encryp yptio ion (legacy systems) • Wh White-Box Box cry ryptog togra raphy (obfuscation for deployment on untrusted systems) • Al Algebraic ciphers fo for advanced applications (MPC, FHE, ZKP)

  5. Form Format Pre Prese servi rving En Encry ryption on (FPE) (FPE) • Fo Format Preservin ing Encryp yptio ion: : symmetric-key ciphers that encrypt plaintext in some particular format into the same format. • example: 16-digit credit card numbers, social security number, image files, or even ANSI C programs • important application: deployment in legacy systems, as drop-in replacement of plaintext values with their ciphertexts (eg retail systems handling CC numbers) • requirement: deterministic, tweakable, flexibility • off-the-shelf ciphers (eg AES) generally not suitable for non-binary formats

  6. FPE FPE – co cons nstr tructio ctions ns • generic FPE construction: ranking + cycle walking • ranking: bijection between D and Z N • cycle walking: embed Z N into GF(2 n ), inducing permutation on Z N from n-bit cipher • generally not efficient • preferred design strategy • Feistel network over Z N x Z M , round function based on block cipher • Feistel is good if enough rounds are used • FPE as (AES) mode of operation • NIST standards (SP 800-38G): FF1 & FF3 • problems with security, exploiting flexibility (small domain), size of tweak space, (small) number of rounds • efficiency: a few AES calls per round • re researc rch c challenge : non-Feistel, secure, efficient FPE designs figure source: Draft NIST Special Publication 800-38G, Revision 1

  7. wh whit ite-box box c crypt yptogr ograph phy • cryptographic systems for deployment on untrusted systems. • solution: embed key into the cipher implementation, and obfuscate it. • applications: card emulation into mobile phone; DRM systems • proposed approach: transform implementation into collection of TLUs • WB WB-in ing tr trad aditi tional al ciphers (eg eg AE AES) is hard! • strong diffusion means number of TLUs soon explodes • WhibOx challenges: 100+ white-boxed AES-128 implementations… all broken • call for dedicated, WB-friendly designs (maybe for specific threat model) • re researc rch challenge : security, acceptance figure source: http://www.whiteboxcrypto.com/

  8. alg algebrai aic ciphers for or ad advan vanced ap appli licat ation ons • specialised designs for em emer ergi ging g new ew appl pplication ons of symmetric cryptography: MP MPC, FH FHE, ZKP KPs • ciphers typically aim to mi minimi mize some metric of relevance to the efficiency of these applications: • low multiplicative complexity and depth of (binary) circuit • simple algebraic structure, natively defined over a large finite field • often the goal is not confidentiality, eg we may be interested in constructing collision-resistance hash functions.

  9. cip ciphe hers fo for MP MPC C and and FHE • symmetric-key designs (binary) mi minimi mizing mu multi tiplicati tive comp omplexity ty (MC) and/or mu multi tiplicati tive depth th (total and per-bit) • in MPC and FHE applications, number of multiplications and the multiplicative depth of circuit strongly affect complexity (communication/computation), while linear operations (XOR) are essentially free! • applications: secure computation of encryption operation; hybrid FHE. • AES is not a particularly suitable construction in these environments. • modern ciphers balance linear/non-linear components. • MPC/FHE ciphers call for a more unbalanced design approach.

  10. cip ciphe hers fo for MP MPC C and and FHE – co cons nstr tructio ctions ns • Lo LowMC : SPN cipher with partial layer of (3-bit) S-boxes and randomly-generated affine layer • number of S-boxes per round, size of the block and key, number of rounds are all parameters • eg n=128, m=31, k=80, r=12, #ANDs=1116 • n=128, m=1, k=128, r=252, #ANDs= 756 • challenges: efficient way to generate affine layer; security of ciphers with partial S-Box layer is not very well-understood. • note: experiments show XOR is not entirely free (when number is very large) • deployed in NIST PQC candidate PICNIC • other designs: Ke Keyv yvrium ium and FL FLIP stream ciphers Albrecht et al. Ciphers for MPC and FHE -- https://eprint.iacr.org/2016/687 PRESENT: lightweight cipher, 64-bit blocks, 80/128-bit keys, 31 Rounds, 1075 GE.ISO standard for lightweight block cipher

  11. cip ciphe hers fo for zk zk pr proof oof s sys ystem ems • ZK (zero-knowledge) proof systems: schemes that allow prover to “convince” a verifier of a particular statement, eg “ I know an input x that produces y = F(x) ” such that the verifier learns nothing that it did not know before (apart of the validity of the statement) • properties: completeness, soundness and zero-knowledge • proofs are typically done by producing an en encoded oded transcript pt of the execution of F on x, which the verifier ”queries” to become convinced the statement is true.

  12. cip ciphe hers fo for zk zk pr proof oof s sys ystem ems • modern popular application: deploying zk proof systems in blockchains, to ity (to transaction parties) and co lity (to provide an anonymity confidentiali transaction amounts) • proofs are produced and stored in the blockchain, which users can verify to get convinced of integrity of blockchain data • examples: Zcash, Monero • we want proof systems that produce compact proofs, can be efficiently verified, and scale well. • typical statement to be proved: “I know a leaf of a Merkle tree with root y ” ie transcripts will correspond to repeated invocations of cryptographic hash functions when running through an authentication path on a MT .

  13. cip ciphe hers fo for zk zk pr proof oof s sys ystem ems • modern proof systems transform the computational execution into an algebraic circuit: represent execution as a set of al algeb ebraic aic constr strain aints ts , ie equations over a finite field, satisfied by a valid transcript. • these will be then represented by a large univariate polynomial that is used to convince the verifier. • the size of the transcript and the number and degree of these equations directly affect the efficiency of the zk proof systems – yo you want t to to minimize e th them em! • therefore, when computation is Merkle tree traversing, we would like ZK ZKP- iendly hash functions: fr frien • natively defined via algebraic operations of low degree on a small state of variables over a finite field, executed a small number of times.

  14. zk zk-SN SNARK • z ero- k nowledge S uccinct N on-interactive A rgument of K nowledge. Main features: • succinctness (fast verification and small proofs) and non-interactive (does not require interaction between prover and verifier). • requires CRS shared between prover and verifier (trusted set-up) • security assumption: knowledge of exponent assumption. • zk-SNARK converts computation into arithmetic circuit, with bilinear gates over finite (prime) field • then construct Ra Rank 1 Constraint System (R1CS), which can be used to verify the assignments into the circuit satisfy the constraints of the gates (ie correct computation) • these are bundled together into very large univariate polynomials ( QAP QAP form ), and verification is done by checking t(x).h(x) = r(x).u(x) • succinctness means that verifier only needs to check equality for a random secret value x = s.

  15. zk zk-SN SNARK K complexity • complexity of zk-SNARK (size of proofs and verification time) are directly affected by the size of the polynomials t(x), h(x), r(x) and u(x). • which follow from the size of the R1CS system • for notable application: in Zcash, shielded transactions don’t use digital signatures, but rather employ zk-SNARK to prove transactions are valid and in the Merkle tree that stores all coins. • so we want to use hash functions that minimize number of multiplications in GF(p), reducing the number of constraints and the degree of the polynomials.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Se Semi-Su Supervise sed QA with Ge Generative Do Doma main-Ad Adaptive N e Nets C arnegie

Se Semi-Su Supervise sed QA with Ge Generative Do Doma main-Ad Adaptive N e Nets C arnegie

Se Semi-Su Supervise sed QA with Ge Generative Do Doma main-Ad Adaptive N e Nets C arnegie M ellon U niversity Zhilin Yang , Junjie Hu, Ruslan Salakhutdinov, William W. Cohen Xiachong Feng Ou Outline Author Overview

337 views • 23 slides
A DOMA MAIN S SPECIF ECIFIC A IC APPR PROACH CH TO H HETER EROGENEO ENEOUS US PARALLE

A DOMA MAIN S SPECIF ECIFIC A IC APPR PROACH CH TO H HETER EROGENEO ENEOUS US PARALLE

A DOMA MAIN S SPECIF ECIFIC A IC APPR PROACH CH TO H HETER EROGENEO ENEOUS US PARALLE LLELI LISM Hassan Chafi , Arvind Sujeeth, Kevin Brown, HyoukJoong Lee, Anand Atreya, Kunle Olukotun Stanford University Pervasive Parallelism

772 views • 40 slides
Contributions to Analysis and Functional Analysis in memoriam Pawe l Doma nski Dietmar

Contributions to Analysis and Functional Analysis in memoriam Pawe l Doma nski Dietmar

Contributions to Analysis and Functional Analysis in memoriam Pawe l Doma nski Dietmar Vogt Bergische Universit at Wuppertal Pawe l Doma nski Memorial Conference Bedlewo 2018 Contributions to: Real analytic functions

758 views • 72 slides
IN INDUC NG NG A DOM DOMA N INDEPENDENT DEPENDENT SENT SENT ME MENT NT LEX LEX CO

IN INDUC NG NG A DOM DOMA N INDEPENDENT DEPENDENT SENT SENT ME MENT NT LEX LEX CO

IN INDUC NG NG A DOM DOMA N INDEPENDENT DEPENDENT SENT SENT ME MENT NT LEX LEX CO CON N M ALA ALAY Mohammad Darwich, Shahrul Azman Mohd Noah, Nazlia Omar Center fo Artificial Intelligence Technology (CAIT), Faculty of

452 views • 17 slides
& D & Doma omain in Sp Spli litt tting ing Computer ter Sc Scienc nce e cpsc

& D & Doma omain in Sp Spli litt tting ing Computer ter Sc Scienc nce e cpsc

CS CSPs: s: Arc rc Co Cons nsist sten ency cy & D & Doma omain in Sp Spli litt tting ing Computer ter Sc Scienc nce e cpsc sc32 322, 2, Lect ctur ure e 13 (Te Text xtbo book ok Chpt 4.5 ,4.6 .6) Oct, ct, 04,

619 views • 23 slides
Convolution operators in discrete Ces` aro spaces Werner Ricker Pawe Doma nski Memorial

Convolution operators in discrete Ces` aro spaces Werner Ricker Pawe Doma nski Memorial

Convolution operators in discrete Ces` aro spaces Werner Ricker Pawe Doma nski Memorial Conference Banach Center in Bedlewo Poland 1-7 July 2018 Werner Ricker Convolution in discrete Ces` aro spaces Doma nski Memorial Conference

467 views • 13 slides
Immigration Issues for Binational Couples After DOMA MCLE Training for ALRP San Francisco

Immigration Issues for Binational Couples After DOMA MCLE Training for ALRP San Francisco

Immigration Issues for Binational Couples After DOMA MCLE Training for ALRP San Francisco September 26, 2013 www.mccownevans.com United States v. Windsor Edie Windsors spouse, Thea Spyer, passed away in 2009, leaving her entire estate

311 views • 11 slides
ERISA and Employment Benefits Post-DOMA and IRS Ruling Amending Plans to Comply with New Mandates

ERISA and Employment Benefits Post-DOMA and IRS Ruling Amending Plans to Comply with New Mandates

Presenting a live 90-minute webinar with interactive Q&A ERISA and Employment Benefits Post-DOMA and IRS Ruling Amending Plans to Comply with New Mandates and Assessing Potential Retroactive Liability THURS DAY, OCTOBER 31, 2013 1pm East

617 views • 34 slides
Main and Subordinate Clauses Main Clauses: The Rules A main clause is a group of words that

Main and Subordinate Clauses Main Clauses: The Rules A main clause is a group of words that

Main and Subordinate Clauses Main Clauses: The Rules A main clause is a group of words that contains a verb and a subject which makes complete sense on its own . Main clauses could also be called simple sentences . Can you spot the verbs and

243 views • 11 slides
TOPIC #X: TOPIC NAME DATE, 2020 PRESENTATION OUTLINE Main topic #1 Main topic #2 Main

TOPIC #X: TOPIC NAME DATE, 2020 PRESENTATION OUTLINE Main topic #1 Main topic #2 Main

**PRESENTATION TEMPLATE** City of Northville Master Plan Update Informational Meeting TOPIC #X: TOPIC NAME DATE, 2020 PRESENTATION OUTLINE Main topic #1 Main topic #2 Main topic #3 Main topic #4 (Topics from - sub-committee

667 views • 8 slides
Master Plan STUDIO MAIN LLC AUGUST 12, 2019 ABOUT STUDIO MAIN Studio Main Americas Built

Master Plan STUDIO MAIN LLC AUGUST 12, 2019 ABOUT STUDIO MAIN Studio Main Americas Built

S tu dio M ain Studio Main City of Walhalla Downtown Greenway Master Plan STUDIO MAIN LLC AUGUST 12, 2019 ABOUT STUDIO MAIN Studio Main Americas Built from foundations of North leading landscape architects, planners and

606 views • 25 slides
Objectives You should be able to ... Parameter Passing Styles The function call is one of the

Objectives You should be able to ... Parameter Passing Styles The function call is one of the

Stack overflow during evaluation (looping recursion ? ) . x := z * z * y ; Main> foo () foo : () -> Int pi1 5 (foo ()) Main> let foo () = pi1 : a -> b -> a Main> let pi1 a b = a foo a b ( a + b ) let a = 10 in x + y (* is legal

194 views • 4 slides
Object Creation irb(main):003:0> b = 6 => 6 CAVEAT EMPTOR!!! irb(main):004:0>

Object Creation irb(main):003:0> b = 6 => 6 CAVEAT EMPTOR!!! irb(main):004:0>

4/23/2013 irb(main):001:0> a = 5 => 5 irb(main):002:0> a.object_id => 11 Object Creation irb(main):003:0> b = 6 => 6 CAVEAT EMPTOR!!! irb(main):004:0> b.object_id => 13 Addendum to unit 8 irb(main):005:0> b = a

63 views • 3 slides
Main Mes Main Messag age JonathanDade.com Leviticus 23: 3:1, 2, 4-8, 8, 4 43-44 44 1.

Main Mes Main Messag age JonathanDade.com Leviticus 23: 3:1, 2, 4-8, 8, 4 43-44 44 1.

Main Mes Main Messag age JonathanDade.com Leviticus 23: 3:1, 2, 4-8, 8, 4 43-44 44 1. Lord told Moses, to tell Israel (Jews) about Gods special days. (Luke 22:15 Jesus longed to keep the Passover, as well). 2. Month 1, Day 15 is

979 views • 14 slides
TNP TNPSC G SC GROUP OUP I MAIN MAIN PAPE PAPER R I: : UNI UNIT T II III Forma

TNP TNPSC G SC GROUP OUP I MAIN MAIN PAPE PAPER R I: : UNI UNIT T II III Forma

TNP TNPSC G SC GROUP OUP I MAIN MAIN PAPE PAPER R I: : UNI UNIT T II III Forma Format & t & Pres Presentation Sequ entation Sequence fo ence for Gen General eral Me Mental A tal Abilit bility GROUP I MAIN

131 views • 12 slides
Build Systems Neil Mitchell @ndm_haskell https://ndmitchell.com A simple build system main.exe

Build Systems Neil Mitchell @ndm_haskell https://ndmitchell.com A simple build system main.exe

Distributed Build Systems Neil Mitchell @ndm_haskell https://ndmitchell.com A simple build system main.exe : main.o gcc -o main.exe main.o main.o : main.c gcc -c main.c Make, 1976 (42 years ago, 12BG) Build system definition A build

425 views • 41 slides
REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already

REVELATION 15 GODS GREAT AND MARVELLOUS DEEDS AND OUR WORSHIP Series The future has already begun #12 IBC Eindhoven, 26 April 2020 Its not fair! HOW LONG? Revelation 6:10 + Psalm 13 + many others! REVELATION 15:1 Another great and

146 views • 10 slides
SEC 1 MEET THE PARENTS Briefing Outline Principals Opening Address The School Team

SEC 1 MEET THE PARENTS Briefing Outline Principals Opening Address The School Team

SEC 1 MEET THE PARENTS Briefing Outline Principals Opening Address The School Team Student Centric & Values Driven Holistic Education ECG Programmes in Bendemeer The School Team Vice-Principal Principal Vice-Principal

464 views • 45 slides
www.drupaleurope.org Donna Benjamin @kattekrab @catalyst_it_au Agency + Business Agile

www.drupaleurope.org Donna Benjamin @kattekrab @catalyst_it_au Agency + Business Agile

www.drupaleurope.org Donna Benjamin @kattekrab @catalyst_it_au Agency + Business Agile business analysis For Drupal agencies Agile business analysis For Drupal agencies Donna Benjamin @kattekrab @catalyst_it_au Whats this session

773 views • 28 slides
Changing Frequency, Comparison With SAVR, Diagnosis and Treatment in the Modern Era, and

Changing Frequency, Comparison With SAVR, Diagnosis and Treatment in the Modern Era, and

Changing Frequency, Comparison With SAVR, Diagnosis and Treatment in the Modern Era, and Use of Cerebral Protection Samir Kapadia, MD Professor of Medicine Section head, Interventional Cardiology Director, Cardiac Catheterization

623 views • 39 slides
Todays Agenda Upcoming Homework What to study for Exam 2 Section 4.1: Maximum and

Todays Agenda Upcoming Homework What to study for Exam 2 Section 4.1: Maximum and

Todays Agenda Upcoming Homework What to study for Exam 2 Section 4.1: Maximum and Minimum Values Lindsey K. Gamard, ASU SoMSS MAT 265: Calculus for Engineers I Monday, 26 October 2015 1 / 10 Upcoming Homework Study for Exam 2

148 views • 10 slides
The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced

The Marvellous Neutrino Carlo Rubbia CERN, Geneva, Switzerland Institute for Advanced Sustainability Studies Potsdam, Germany A tribute to Milla Baldo Ceolin Milla Baldo Ceolin, la signora dei neutrini MILLA.Nov2012 Slide# : 2 The high

761 views • 43 slides
Day 1 diary map.notebook June 04, 2020 Day 1 diary map.notebook June 04, 2020 Saturday 11.6.13

Day 1 diary map.notebook June 04, 2020 Day 1 diary map.notebook June 04, 2020 Saturday 11.6.13

Day 1 diary map.notebook June 04, 2020 Day 1 diary map.notebook June 04, 2020 Saturday 11.6.13 Dear Diary, Today has been great! It was my birthday today and I got a lot of presents from my friends and family. My favourite was a big, green

240 views • 9 slides
Growing Global Leaders Advancing Palliative Care Finding Vocal Power Ron Cameron-Lewis , BA ,

Growing Global Leaders Advancing Palliative Care Finding Vocal Power Ron Cameron-Lewis , BA ,

Growing Global Leaders Advancing Palliative Care Finding Vocal Power Ron Cameron-Lewis , BA , AGSM Professor Emeritus , Sheridan Institute , Canada LDI C2 RC2 October 21-28, 2012 Steps for this morning 1. Stretch , breathe , relax 2. Playing

405 views • 14 slides

More recommend