how to construct an ideal cipher from a small set of
play

How to Construct an Ideal Cipher from a Small Set of Public - PowerPoint PPT Presentation

Aug 24, 2022 •124 likes •1.06k views

How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI ASIACRYPT 2013 December 3, 2013 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public

  1. How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI ASIACRYPT 2013 — December 3, 2013 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 1 / 38

  2. Summary Summary We show how to construct an ideal cipher from a small set of n -bit public random permutations { P 1 , . . . , P r } The construction we consider is the single-key iterated Even-Mansour cipher ( aka key-alternating cipher) with 12 rounds: k k k y x P 1 P 2 P 12 ⇒ this yields a family of 2 n permutations indexed by the n -bit key k from only 12 public n -bit permutations We show that this construction “behaves” as an ideal cipher with n -bit blocks and n -bit keys using the indifferentiability framework We also show that at least 4 rounds are necessary to achieve indifferentiability from an ideal cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 2 / 38

  3. Summary Summary We show how to construct an ideal cipher from a small set of n -bit public random permutations { P 1 , . . . , P r } The construction we consider is the single-key iterated Even-Mansour cipher ( aka key-alternating cipher) with 12 rounds: k k k y x P 1 P 2 P 12 ⇒ this yields a family of 2 n permutations indexed by the n -bit key k from only 12 public n -bit permutations We show that this construction “behaves” as an ideal cipher with n -bit blocks and n -bit keys using the indifferentiability framework We also show that at least 4 rounds are necessary to achieve indifferentiability from an ideal cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 2 / 38

  4. Summary Summary We show how to construct an ideal cipher from a small set of n -bit public random permutations { P 1 , . . . , P r } The construction we consider is the single-key iterated Even-Mansour cipher ( aka key-alternating cipher) with 12 rounds: k k k y x P 1 P 2 P 12 ⇒ this yields a family of 2 n permutations indexed by the n -bit key k from only 12 public n -bit permutations We show that this construction “behaves” as an ideal cipher with n -bit blocks and n -bit keys using the indifferentiability framework We also show that at least 4 rounds are necessary to achieve indifferentiability from an ideal cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 2 / 38

  5. Summary Summary We show how to construct an ideal cipher from a small set of n -bit public random permutations { P 1 , . . . , P r } The construction we consider is the single-key iterated Even-Mansour cipher ( aka key-alternating cipher) with 12 rounds: k k k y x P 1 P 2 P 12 ⇒ this yields a family of 2 n permutations indexed by the n -bit key k from only 12 public n -bit permutations We show that this construction “behaves” as an ideal cipher with n -bit blocks and n -bit keys using the indifferentiability framework We also show that at least 4 rounds are necessary to achieve indifferentiability from an ideal cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 2 / 38

  6. Outline Outline Background on the Iterated Even-Mansour Cipher 1 Indifferentiability of the IEM cipher 2 Formalizing the problem Which key schedule? At least 4 rounds are necessary Indifferentiability proof for 12 rounds 3 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 3 / 38

  7. Background on the Iterated Even-Mansour Cipher Outline Background on the Iterated Even-Mansour Cipher 1 Indifferentiability of the IEM cipher 2 Formalizing the problem Which key schedule? At least 4 rounds are necessary Indifferentiability proof for 12 rounds 3 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 4 / 38

  8. Background on the Iterated Even-Mansour Cipher Iterated Even-Mansour cipher ( aka key-alternating cipher) Iterated Even-Mansour (IEM) with r rounds: K K K γ 0 γ 1 γ r y x P 1 P 2 P r The P i ’s are public permutations on { 0 , 1 } n K ∈ { 0 , 1 } ℓ is the (master) key The γ i ’s are key derivation functions mapping K to n -bit values Also named key-alternating cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 5 / 38

  9. Background on the Iterated Even-Mansour Cipher Iterated Even-Mansour cipher ( aka key-alternating cipher) Iterated Even-Mansour (IEM) with r rounds: K K K γ 0 γ 1 γ r y x P 1 P 2 P r The P i ’s are public permutations on { 0 , 1 } n K ∈ { 0 , 1 } ℓ is the (master) key The γ i ’s are key derivation functions mapping K to n -bit values Also named key-alternating cipher Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 5 / 38

  10. Background on the Iterated Even-Mansour Cipher Iterated Even-Mansour cipher ( aka key-alternating cipher) Most (if not all) SPN ciphers can be described as key-alternating ciphers. E.g. for AES-128, one has r = 10, the γ i ’s are efficiently invertible permutations, and: P 1 = . . . = P 9 = SubBytes ◦ ShiftRows ◦ MixColumns P 10 = SubBytes ◦ ShiftRows When the P i ’s are fixed permutations, one can prove results like: the best differential characteristic over r ′ < r rounds has probability at most p the best linear approximation over r ′ < r rounds has probability at most p ′ This gives upper bounds on the distinguishing probability of very specific adversaries Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 6 / 38

  11. Background on the Iterated Even-Mansour Cipher Iterated Even-Mansour cipher ( aka key-alternating cipher) Most (if not all) SPN ciphers can be described as key-alternating ciphers. E.g. for AES-128, one has r = 10, the γ i ’s are efficiently invertible permutations, and: P 1 = . . . = P 9 = SubBytes ◦ ShiftRows ◦ MixColumns P 10 = SubBytes ◦ ShiftRows When the P i ’s are fixed permutations, one can prove results like: the best differential characteristic over r ′ < r rounds has probability at most p the best linear approximation over r ′ < r rounds has probability at most p ′ This gives upper bounds on the distinguishing probability of very specific adversaries Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 6 / 38

  12. Background on the Iterated Even-Mansour Cipher Analysis in the Random Permutation Model (RPM) Recently, a lot of results have been obtained in the Random Permutation Model: the P i ’s are viewed as oracles to which the adversary can make black-box queries (both to P i and P − 1 ). i Interpretation: gives a guarantee against any adversary which does not use particular properties of the P i ’s In fact, this model was already considered 15 years ago by Even and Mansour for r = 1 round: they showed that the following cipher is pseudorandom up to O ( 2 n / 2 ) queries of the adversary, when P 1 is a public random permutation: k 0 k 1 y x P 1 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 7 / 38

  13. Background on the Iterated Even-Mansour Cipher Analysis in the Random Permutation Model (RPM) Recently, a lot of results have been obtained in the Random Permutation Model: the P i ’s are viewed as oracles to which the adversary can make black-box queries (both to P i and P − 1 ). i Interpretation: gives a guarantee against any adversary which does not use particular properties of the P i ’s In fact, this model was already considered 15 years ago by Even and Mansour for r = 1 round: they showed that the following cipher is pseudorandom up to O ( 2 n / 2 ) queries of the adversary, when P 1 is a public random permutation: k 0 k 1 y x P 1 Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 7 / 38

  14. Background on the Iterated Even-Mansour Cipher Pseudorandomness of the IEM cipher (in the RPM) The following results have been successively obtained for the pseudorandomness of the IEM cipher (notation: N = 2 n ): 1 2 ) queries [EM97] for r = 1 round, security up to O ( N 2 3 ) queries [BKL + 12] for r ≥ 2, security up to O ( N 3 4 ) queries [Ste13] for r ≥ 3, security up to O ( N r r + 2 ) queries [LPS12] for any even r , security up to O ( N r r + 1 ) queries [CS13] tight result: for r rounds, security up to O ( N Results for independent round keys ( k 0 , k 1 , . . . , k r ) k 0 k 1 k r y x P 1 P 2 P r Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 8 / 38

  15. Background on the Iterated Even-Mansour Cipher Pseudorandomness of the IEM cipher (in the RPM) The following results have been successively obtained for the pseudorandomness of the IEM cipher (notation: N = 2 n ): 1 2 ) queries [EM97] for r = 1 round, security up to O ( N 2 3 ) queries [BKL + 12] for r ≥ 2, security up to O ( N 3 4 ) queries [Ste13] for r ≥ 3, security up to O ( N r r + 2 ) queries [LPS12] for any even r , security up to O ( N r r + 1 ) queries [CS13] tight result: for r rounds, security up to O ( N Results for independent round keys ( k 0 , k 1 , . . . , k r ) k 0 k 1 k r y x P 1 P 2 P r Lampe & Seurin (UVSQ & ANSSI) Ideal Cipher from Public Permutations 8 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1 Martijn Stam 2 John

The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1 Martijn Stam 2 John

The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1 Martijn Stam 2 John Steinberger 3 1 Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea 2 Department of Computer Science, University of Bristol,

647 views • 52 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
test Overview on IDeAl Integrated DEsign and AnaLysis of small population group trials

test Overview on IDeAl Integrated DEsign and AnaLysis of small population group trials

test Overview on IDeAl Integrated DEsign and AnaLysis of small population group trials Ralf-Dieter Hilgers IDeAl-Coordinator with Malgorzata Bogdan, Carl-Fredrik Burman, Holger Dette, Mats Karlson, Franz K onig, Christoph Male, France

305 views • 15 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
How SMPng Works and Why It Doesn't Work The Way You Think NYC*BUG February 6, 2013 John Baldwin

How SMPng Works and Why It Doesn't Work The Way You Think NYC*BUG February 6, 2013 John Baldwin

How SMPng Works and Why It Doesn't Work The Way You Think NYC*BUG February 6, 2013 John Baldwin jhb@FreeBSD.org Ideal SMP Ideal Ideal SMP Ideal Best Ideal SMP Ideal Best Decent Ideal SMP Ideal Best Decent Hump Ideal SMP Ideal

886 views • 21 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript ECMAScript is based on JavaScript, and JavaScript is based on ECMAScript ... 2 First of all, what is ECMA? Ecma International

779 views • 55 slides
Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh

ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh

ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh Doshi, SpinSpire @spinspire_com Screencast video and Source code for this presentation. Motivation Drupal is your favorite CMS AJAX apps and

820 views • 13 slides
USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations

USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations

CSC 210 1 USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations Monday, April 28 Wednesday, April 30 CSC 210 Scrum Masters 3 Backslash MICHAEL HOLUPKA C.O.D.E.

496 views • 32 slides
Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems

Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems

Motivation Introduction Concurrency and Multi-Threading Distribution over Asynchronous Network Concluding Remarks Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems Sandeep K. Shukla FERMAT Lab

548 views • 54 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
LL Parsing Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer

LL Parsing Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer

Introduction LL Parsing Breaking LL Parsers LL Parsing Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Introduction LL Parsing Breaking LL Parsers Objectives The topic for this lecture is a

565 views • 12 slides
Chapter 7. Inclusion-Exclusion a.k.a. The Sieve Formula Prof. Tesler Math 184A Winter 2017

Chapter 7. Inclusion-Exclusion a.k.a. The Sieve Formula Prof. Tesler Math 184A Winter 2017

Chapter 7. Inclusion-Exclusion a.k.a. The Sieve Formula Prof. Tesler Math 184A Winter 2017 Prof. Tesler Ch. 7. Inclusion-Exclusion Math 184A / Winter 2017 1 / 24 Venn diagram and set sizes 5&amp; 6&amp; A = { 1 , 2 , 3 , 4 , 5 }

575 views • 24 slides

More recommend