elastic block ciphers
play

Elastic Block Ciphers Dott. Emanuele Bellini 1 Dott. Marco Coppola 2 - PowerPoint PPT Presentation

Jul 29, 2023 •306 likes •507 views

Introduction Bellare-Rogaway solution Our Work Elastic Block Ciphers Dott. Emanuele Bellini 1 Dott. Marco Coppola 2 Dott. Guglielmo Morgari 1 - Universit` a degli Studi di Trento, Lab di Matematica Industriale e Crittografia 2 - Telsy S.p.a.

  1. Introduction Bellare-Rogaway solution Our Work Elastic Block Ciphers Dott. Emanuele Bellini 1 Dott. Marco Coppola 2 Dott. Guglielmo Morgari 1 - Universit` a degli Studi di Trento, Lab di Matematica Industriale e Crittografia 2 - Telsy S.p.a. 12 Settembre 2011 E. Bellini Elastic Block Ciphers

  2. Introduction Bellare-Rogaway solution Our Work Problem How to encrypt data of varying length, such as database fields or rows, or network packets, etc.? Solutions: Padding ⇒ Overhead of encryption A-doc cipher ⇒ Analize security Modes of Encryption ⇒ Loss of security Stream Cipher ⇒ Less secure than block ciphers ?? Elastic Cipher! E. Bellini Elastic Block Ciphers

  3. Introduction Bellare-Rogaway solution Our Work What is an Elastic Cipher? Definition Let m , n ∈ N , n ≥ 1. Let { 0 , 1 } ≥ n denote the set of all binary strings with length at least n . A message space M is a nonempty subset of { 0 , 1 } ≥ n for which M ∈ M implies that M ′ ∈ M for all M ′ of the same length of M . The key space is K = { 0 , 1 } m . An elastic cipher is a family of pseudo-random-permutations F : K × M → M . When M is restricted to a set of messages of the same length we talk about a fixed length block cipher or simply a block cipher . E. Bellini Elastic Block Ciphers

  4. Introduction Bellare-Rogaway solution Our Work Bellare-Rogaway Elastic Cipher - Idea The idea is to use an existing block cipher and to use it as a black box , which it is assumed to be secure. This black box is then inserted inside a circuit allowing only certain primitives, such as bitwise addition, padding, or hash functions. E. Bellini Elastic Block Ciphers

  5. Introduction Bellare-Rogaway solution Our Work Bellare-Rogaway Elastic Cipher - How to prove security Bellare-Rogaway criterion for the security of a block cipher: show that the block cipher is indistinguishible from a pseudorandom permutation Bellare-Rogaway criterion for the security of an elastic cipher: show that the elastic cipher is indistinguishible from a pseudorandom permutation if the underlying block cipher has this property E. Bellini Elastic Block Ciphers

  6. Introduction Bellare-Rogaway solution Our Work Bellare-Rogaway Elastic Cipher - Adversary Advantage Let F 0 and F 1 be two function families that have both identical domains and ranges. Definition The adversary advantage of A in distinguishing F 0 from F 1 is: ← F 0 : A f = 1) − Pr ( g ← F 1 : A g = 1) R R Adv A ( F 0 , F 1 ) = Pr ( f where the probabilities are taken over the choice of f and A ’s internal coin tosses. E. Bellini Elastic Block Ciphers

  7. Introduction Bellare-Rogaway solution Our Work Bellare-Rogaway Elastic Cipher - Proof of security Theorem A cipher C will be considered secure against any attack which uses time t, q queries and memory m, if Adv PRP ( t , q , m ) = | ∀ At , q , m − adversary { Adv A ( C , PRP ) }| ≤ ǫ max C Let E be the elastic version of C . Then Bellare and Rogaway show that Adv PRP is bounded by Adv PRP plus a term q 2 , which means E C the security of E depends on the security of C and degrades with the number of queries allowed. E. Bellini Elastic Block Ciphers

  8. Introduction Bellare-Rogaway solution Our Work Bellare-Rogaway Elastic Cipher - Problems 1 Low efficiency. The underlying block cipher is applied at least twice even if the message length is only one bit more than the block cipher length. 2 Hard to prove security. It is hard (maybe impossible) to prove that there is no ( t , q , m ) − distinguisher for a certain cipher. 3 Security guaranteed for only one model. In the oracle model proofs of security are based on indistinguishability from pseudo-random permutations, which means the elastic cipher is secure only against chosen plaintext attacks. E. Bellini Elastic Block Ciphers

  9. Introduction Bellare-Rogaway solution Our Work Cook’s Elastic Cipher and our work Given a block cipher of length L Cook’s elastic cipher allows to encrypt messages of variable length from L to 2 L . Given some conditions on the key schedule, Cook’s elastic cipher is secure against any key recovery attack if the underlying block cipher is, and it achieves complete diffusion in at most q + 1 rounds if the underlying block cipher achieves it in q rounds. We extend Cook’s construction inductively, obtaining an elastic cipher for any message length greater than L with the same properties of security as Cook’s elastic cipher. E. Bellini Elastic Block Ciphers

  10. Introduction Bellare-Rogaway solution Our Work Cook’s Elastic Cipher - How to prove security Cook’s critera for the security of an elastic cipher: achieve complete diffusion resist against key recovery attacks if the underlying BC does produce output bit strings which look like random bit sequences E. Bellini Elastic Block Ciphers

  11. Introduction Bellare-Rogaway solution Our Work One round of Cook’s Elastic Cipher Definition The cycle of a block cipher is a Boolean Cycle of the Block Cipher function made of the least, over any key, number of consecutive rounds such that each bit of the cycle output is a Sum with the round key function of at least two input bits. a a E.g., AES cycle coincides with its round; DES cycle is the composition of two consecutive round. ⊕ More informally, a cycle of a BC is the minimum sequence of steps in which all input bits are processed by the round function. E. Bellini Elastic Block Ciphers

  12. Introduction Bellare-Rogaway solution Our Work Key schedule requirements 1 the key schedule should be a stand-alone algorithm that is usable to any BC; 2 the expanded-key bits should be (or as close to) pseudorandom (as practical); 3 the expanded-key rate for elastic block cipher should be a small multiple of the key expansion rate of a standard BC. This three requirements can be satisfied if we use a pseudorandom generator (e.g. RC4). E. Bellini Elastic Block Ciphers

  13. Introduction Bellare-Rogaway solution Our Work Extension of Cook’s Elastic Cipher - Idea Our idea is to expand the elastic extension as it was a fixed length block cipher. We call E 0 the underlying BC of length L , E 1 Cook’s extension of E 0 , E 2 Cook’s extension of E 1 taken with fixed length between L and 2 L , and so on... Our proofs rely the security of any extension E n to that of E 0 , and allow to increase the number of computations linearly with the input length. E. Bellini Elastic Block Ciphers

  14. Introduction Bellare-Rogaway solution Our Work Extension of Cook’s Elastic Cipher - Scheme of E 2 P 0 P 0 P 0 B A Y C 00 ( . ) ⊕ K B R 10 ( . ) ⊕ C 10 ( . ) C 01 ( . ) R 20 ( . ) ⊕ K ′ ⊕ K Y B ⊕ ⊕ P 1 P 1 P 1 A B Y Figura: Details of the first round of E 2 . E. Bellini Elastic Block Ciphers

  15. Introduction Bellare-Rogaway solution Our Work Proof of security - Diffusion Theorem (Complete/Ideal Diffusion) If complete/ideal diffusion occurs after q cycles in E n − 1 (an elastic cipher working with length message 2 n − 1 L), then it occurs after at most q + 1 rounds in E n (the elastic version of E n − 1 ). E. Bellini Elastic Block Ciphers

  16. Introduction Bellare-Rogaway solution Our Work Proof of security - key recovery Theorem (Security Against Key Recovery) Given an elastic cipher, E n − 1 of level n − 1 (without initial and final whitening and key-dependent permutation), working on 2 n − 1 L-bit blocks and its elastic version, E n , that works on (2 n − 1 L + y ) -bit blocks, where 0 ≤ y ≤ 2 n − 1 L, if there exists an attack, A n , on E n that allows the round keys to be determined for r consecutive rounds of E n using t A n operation, then there exists an attack A n − 1 on E n − 1 with r cycles that finds the expanded key for E n − 1 and that uses t A n − 1 < O ( sr 2 + rt A n ) , assuming there are no message-dependent expanded key, meaning any expanded-key bits utilized in E n − 1 depend only on the key and do not vary across plaintext or ciphertext inputs. In particular, if A n is polynomial then A n − 1 is polynomial. E. Bellini Elastic Block Ciphers

  17. Introduction Bellare-Rogaway solution Our Work Idea of the proof In the picture it is shown how to convert a round key of E n to a cycle key of E n − 1 : 1 1010 ... 1000 0 1 1010 ... 1001 0 1111 ... 0001 0 1111 ... 0001 0 E. Bellini Elastic Block Ciphers

  18. Introduction Bellare-Rogaway solution Our Work Grazie per l’attenzione! E. Bellini Elastic Block Ciphers

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
TOF code status A.De Caro for the ALICE-TOF group 1 ALICE Offline week meeting CERN,

TOF code status A.De Caro for the ALICE-TOF group 1 ALICE Offline week meeting CERN,

TOF code status A.De Caro for the ALICE-TOF group 1 ALICE Offline week meeting CERN, 16/11/2010 Outline Simulation Reconstruction Trigger Savannah bugs Status of TOF code in v4-19-Release Status of TOF code in

701 views • 15 slides
Foundations of Language Science and Technology Discourse: Co-Reference Caroline Sporleder

Foundations of Language Science and Technology Discourse: Co-Reference Caroline Sporleder

Foundations of Language Science and Technology Discourse: Co-Reference Caroline Sporleder Universit at des Saarlandes Wintersemester 2009/10 11.01.2010 Caroline Sporleder csporled@coli.uni-sb.de FSLT: Discourse Discourse Caroline

1.42k views • 122 slides
BUILDING CONSISTENT DELIVERY Bank of America Merrill Lynch 2018 Global Metals, Mining and Steel

BUILDING CONSISTENT DELIVERY Bank of America Merrill Lynch 2018 Global Metals, Mining and Steel

BUILDING CONSISTENT DELIVERY Bank of America Merrill Lynch 2018 Global Metals, Mining and Steel Conference 15 May 2018 Diamonds Jwaneng mine, Botswana CAUTIONARY STATEMENT Disclaimer : This presentation has been prepared by Anglo American plc

368 views • 34 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

512 views • 39 slides
Computational aspects for the nonlinearity of Boolean functions Massimiliano Sala (with Alessio

Computational aspects for the nonlinearity of Boolean functions Massimiliano Sala (with Alessio

Computational aspects for the nonlinearity of Boolean functions Massimiliano Sala (with Alessio Meneghetti) University of Trento maxsalacodes@gmail.com BFA 2018 Loen (Norway) - June 19, 2018 Definitions ( F 2 ) n = { v 1 , . . . , v 2 n } , f

554 views • 38 slides
String-brane interactions from large to small distances Giuseppe DAppollonio Universit` a di

String-brane interactions from large to small distances Giuseppe DAppollonio Universit` a di

String-brane interactions from large to small distances Giuseppe DAppollonio Universit` a di Cagliari and INFN DAMTP Cambridge Galileo Galilei Institute, Firenze, 10 April 2019 String-brane interactions from large to small distances

581 views • 38 slides
Orlando Villalobos Baillie University of Birmingham 20 th November 2019 Plan of Talk SQM

Orlando Villalobos Baillie University of Birmingham 20 th November 2019 Plan of Talk SQM

Orlando Villalobos Baillie University of Birmingham 20 th November 2019 Plan of Talk SQM conference Heavy flavour and quarkonia Thermal Systems Small Systems Hyperon nucleon potentials and their uses Future experiments

1.09k views • 70 slides
Introduction So far, GR seems compatible with all observations. Several motivations for

Introduction So far, GR seems compatible with all observations. Several motivations for

Dark energy &amp; Modified gravity in scalar-tensor theories David Langlois (APC, Paris) Introduction So far, GR seems compatible with all observations. Several motivations for exploring modified gravity Quantum gravity effects

584 views • 37 slides

More recommend