Indifferentiability of Confusion-Diffusion Networks

Indifferentiability of Confusion- Diffusion Networks Yevgeniy Dodis - PowerPoint PPT Presentation



  1-2. Indifferentiability of Confusion-Diffusion Networks. Yevgeniy Dodis (NYU), Martijn Stam (Bristol), John Steinberger (Tsinghua), Tianren Liu (MIT). Wednesday, May 11, 16

  3-6. Substitution-Permutation Network (ex: AES): [diagram: layers of S-boxes S interleaved with diffusion permutations π, with subkeys k0, k1, k2, k3, k4 mixed in between the layers]
     • S-boxes: small input size, permutations!
     • "Diffusion" permutations: big input size, simple structure
     • Subkeys!

  7-10. Confusion-Diffusion Network: [diagram: layers of S-boxes S interleaved with diffusion permutations π, and no subkeys]
     ...same, but no keys!
     • can be seen as a domain extension mechanism for permutations (from S-box to "full" permutation)
     • terminology goes back to Shannon (1949), but the design paradigm seems to be Feistel's (1970)

  11-14. This work's high-level goals
     • Investigate the theoretical soundness of CD (confusion-diffusion!) networks as a design paradigm for cryptographic permutations
     • Fundamental question: (efficient) domain extension of a public random permutation
     • Work in an ideal model (S-boxes are independent random permutations, D-boxes are fixed, explicit permutations)
     • Does the network "emulate" a random permutation? How many rounds are necessary, and what kinds of D-boxes do we need?

  15-16. Vaguely related work
     • Miles & Viola prove an indistinguishability result for SPN networks where the S-boxes are secret (part of the key) and one-way (so not really an SPN network after all)
     • By contrast, this work: CD indifferentiability, with S-boxes that are public and two-way

  17-21. [diagram: S-boxes S_{i,j} for round i = 1..4 and wire j = 1..3, with diffusion permutations π1, π2, π3 between consecutive rounds; each wire carries n bits]
     n = wire length
     w = "width" (no. S-boxes per round); in the picture w = 3
     r = number of rounds; in the picture r = 4
     {0,1}^{wn} = domain of CD network

  22-31. Security Model (indifferentiability)
     REAL WORLD: the distinguisher D interacts with the CD network (S-boxes S_{i,j}, diffusion permutations π1, π2) and with its S-boxes.
     IDEAL WORLD: the network is replaced by a random permutation Q, and the S-box interface is answered by a simulator inserted here, which has oracle access to Q.
     Goal: by using oracle access to Q, the simulator has to make up answers that look "consistent" with Q.
     Form of the results: "For so-and-so many rounds, for such-and-such diffusion permutations, and with such-and-such a simulator, the distinguisher cannot distinguish using so-and-so-many queries."

  32. Combinatorial Properties of the Diffusion Permutations, by name:
     1. Entry-Wise Randomized Preimage Resistance (RPR)
     2. Entry-Wise Randomized Collision Resistance (RCR)
     3. Conductance (& "all-but-one Conductance")

  33-34. RPR (Randomized Preimage Resistance) [diagram: π applied to inputs x1 (random, $), x2, x3, x4; output wire y2 is compared against a target y*2]
     For any fixed values of x2, x3 and x4, and for any y*2, there is low probability that y2 = y*2 over the randomness in x1.
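The toy below is an added example, not code from the paper or the slides. It builds a confusion-diffusion network with the slides' parameters (n-bit wires, width w, r rounds, domain {0,1}^{wn}, slides 17-21), with every S-box an independent random n-bit permutation as in the ideal model, and then checks the entry-wise RPR property of slides 33-34 for the diffusion permutation by brute force, generalised to any input wire i and output wire j. The diffusion map `diffuse` (prefix-XOR across the wires followed by a wire rotation), the seeded RNG, and the function names are assumptions chosen for illustration; the paper's actual D-boxes are not given on this page.

```python
import random
from itertools import product

# Added illustration (not the paper's code). Parameters follow the slides:
# n = wire length, w = width (S-boxes per round), r = rounds, domain {0,1}^{wn}.
# The diffusion permutation used here is a constructed, keyless, explicit linear map.

def make_sbox(n, rng):
    """Random permutation of {0,1}^n (the ideal model) plus its inverse table."""
    fwd = list(range(1 << n))
    rng.shuffle(fwd)
    inv = [0] * len(fwd)
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv

def diffuse(xs):
    """Constructed diffusion permutation pi: prefix-XOR over the wires, then
    rotate the wires left by one position. Linear, invertible and key-free."""
    pre, acc = [], 0
    for x in xs:
        acc ^= x
        pre.append(acc)
    return pre[1:] + pre[:1]

def undiffuse(ys):
    """Inverse of diffuse: rotate right by one, then undo the prefix-XOR."""
    pre = ys[-1:] + ys[:-1]
    xs, prev = [], 0
    for p in pre:
        xs.append(p ^ prev)
        prev = p
    return xs

class CDNetwork:
    def __init__(self, n, w, r, seed=0):
        rng = random.Random(seed)  # seed only makes the toy reproducible
        self.n, self.w, self.r = n, w, r
        # sboxes[i][j] plays the role of S_{i+1,j+1}: round i+1, wire j+1
        self.sboxes = [[make_sbox(n, rng) for _ in range(w)] for _ in range(r)]

    def encrypt(self, xs):
        """Forward evaluation: r S-box layers with r-1 diffusion layers between them."""
        for i in range(self.r):
            xs = [self.sboxes[i][j][0][x] for j, x in enumerate(xs)]
            if i < self.r - 1:
                xs = diffuse(xs)
        return xs

    def decrypt(self, ys):
        """Inverse evaluation: every layer is a permutation, so the network is one."""
        for i in reversed(range(self.r)):
            if i < self.r - 1:
                ys = undiffuse(ys)
            ys = [self.sboxes[i][j][1][y] for j, y in enumerate(ys)]
        return ys

def is_permutation(net):
    """Exhaustively check bijectivity on {0,1}^{wn} (feasible only for toy n, w)."""
    seen = set()
    for xs in product(range(1 << net.n), repeat=net.w):
        ys = tuple(net.encrypt(list(xs)))
        if ys in seen or net.decrypt(list(ys)) != list(xs):
            return False
        seen.add(ys)
    return len(seen) == 1 << (net.n * net.w)

def rpr_max_probability(pi, n, w, i, j):
    """Entry-wise RPR as stated on the slide, for input wire i and output wire j:
    the worst case, over all fixed values of the other inputs and all targets y*,
    of Pr[pi(x)[j] == y*] when x[i] is uniform in {0,1}^n. Low is good."""
    others = [k for k in range(w) if k != i]
    worst = 0.0
    for fixed in product(range(1 << n), repeat=w - 1):
        hits = {}
        for xi in range(1 << n):
            xs = [0] * w
            for k, v in zip(others, fixed):
                xs[k] = v
            xs[i] = xi
            yj = pi(xs)[j]
            hits[yj] = hits.get(yj, 0) + 1
        worst = max(worst, max(hits.values()) / (1 << n))
    return worst

if __name__ == "__main__":
    net = CDNetwork(n=3, w=3, r=4, seed=7)  # w = 3, r = 4 as in the picture; domain {0,1}^9
    print("bijective on {0,1}^9:", is_permutation(net))
    print("RPR worst case, x1 random, output wire 1:", rpr_max_probability(diffuse, 3, 3, 0, 0))
    print("RPR worst case, x3 random, output wire 1:", rpr_max_probability(diffuse, 3, 3, 2, 0))
```

Running it shows the two points the slides make. The network is a permutation of {0,1}^{wn} whatever the S-boxes are, because each layer is one. And the RPR check exposes the quality of the D-box: with this toy `diffuse`, randomising x1 gives the ideal 2^-n probability on every output wire, but randomising x3 leaves output wire 1 untouched, so the worst-case probability there is 1 and the property fails for that entry. That is exactly the sort of defect the entry-wise requirement is meant to rule out, and why "what kinds of D-boxes do we need?" is part of the question.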

  35. RCR (Randomized Collision Resistance) [diagram: π evaluated on (x1, x2, x3, x4) and on (x1, x2', x3', x4') with x1 random ($); the output y2 is compared against y2']
