innovations in permutation based encryption authentication
play

Innovations in permutation-based encryption & authentication . - PowerPoint PPT Presentation

Oct 16, 2023 •533 likes •855 views

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

  1. Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michaël Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University

  2. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 2

  3. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 3

  4. Pseudo-random function (PRF) . 4 input …

  5. Stream encryption . 5 nonce plaintext = ciphertext

  6. Message authentication (MAC) . 6 plaintext plaintext

  7. Authenticated encryption . 7 plaintext nonce plaintext = ciphertext

  8. String sequence input and incrementality . F K 8 packet #1 packet #1 ( P ( 1 ) )

  9. String sequence input and incrementality . F K 8 packet #1 packet #2 packet #1 packet #2 ( P ( 2 ) ◦ P ( 1 ) )

  10. String sequence input and incrementality . F K 8 packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 P ( 3 ) ◦ P ( 2 ) ◦ P ( 1 ) ) (

  11. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 9

  12. Session authenticated encryption (SAE) [Keccak Team, SAC 2011] . Wrap taking metadata A and plaintext P return tag T of length t Initialization taking nonce N 10 A (1) P (1) A (2) P (2) A (3) P (3) K, N 1 T (0) C (1) T (1) C (2) T (3) C (3) T (2) T ← 0 t + F K ( N ) history ← N C ← P + F K ( A ◦ history ) T ← 0 t + F K ( C ◦ A ◦ history ) history ← C ◦ A ◦ history return ciphertext C of length | P | and tag T of length t

  13. Synthetic initialization value (SIV), as in [Keccak Team, eprint 2016/1188] Wrap taking metadata A and plaintext P Variant of SIV of [Rogaway & Shrimpton, EC 2006] Unwrap taking metadata A , ciphertext C and tag T . 11 P A F K F K T C T ← 0 t + F K ( P ◦ A ) C ← P + F K ( T ◦ A ) return ciphertext C of length | P | and tag T P ← C + F K ( T ◦ A ) τ ← 0 t + F K ( P ◦ A ) if τ ̸ = T then return error! else return plaintext P of length | C |

  14. Wide block cipher (WBC), as in [Keccak Team, eprint 2016/1188] L Instance of HHFHFH of [Bernstein, Nandi & Sarkar, Dagstuhl 2016] R C . L 0 R 12 R 0 Encipher P with K and tweak W P ʹ left P ʹ right W ( L , R ) ← split ( P ) H K (... ° 0) ← R 0 + H K ( L ◦ 0 ) ← L + F K ( R ◦ W ◦ 1 ) F K (... ° 1) ← R + F K ( L ◦ W ◦ 0 ) ← L 0 + H K ( R ◦ 1 ) F K (... ° 0) ← L || H K (... ° 1) return ciphertext C of length | P | C left C right

  15. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 13

  16. Sponge [Keccak Team, Ecrypt 2008] . 14 M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing ◮ Pre-pending M with K gives PRF

  17. More efficient: donkeySponge [Keccak Team, DIAC 2012] . 15

  18. Incrementality: duplex [Keccak Team, SAC 2011] . 16 σ 0 σ 1 σ 2 Z 0 Z 1 Z 2 pad trunc pad trunc pad trunc r 0 f f f outer … inner c 0 initialize duplexing duplexing duplexing

  19. More efficient: MonkeyDuplex [Keccak Team, DIAC 2012] . Instances: Ketje + half a dozen other CAESAR submissions 17

  20. Consolidation: Full-state keyed duplex . [Mennink, Reyhanitabar, & Vizar, AC 2015], [Keccak Team & Mennink, 2016-2017] 18 Z ¾ Z ¾ Z ¾ K f f f … ± iv

  21. SAE with full-state keyed duplex: Motorist [Keccak Team, Keyak 2015] . 19 P (1) P (2) 0 A (1) A (3) SUV 1 T (0) C (1) T (1) C (2) T (2) T (3)

  22. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 20

  23. A parallel sponge variant: early attempt [Keccak Team 2014-2016] . Problem: collisions with higher-order differentials if f has low degree Similar to Protected Counter Sums [Bernstein, "stretch", JOC 1999] 21 M 0 k k f f Z 0 0 0 M 1 k k f f Z 1 1 1 … … M i k k f f Z j i j

  24. A parallel sponge variant: early attempt [Keccak Team 2014-2016] . Problem: collisions with higher-order differentials if f has low degree Similar to Protected Counter Sums [Bernstein, "stretch", JOC 1999] 21 M 0 k k f f Z 0 0 0 M 1 k k f f Z 1 1 1 … … M i k k f f Z j i j

  25. Farfalle as in [Keccak Team, eprint 2016/1188] . Problem: generic higher-order differential attack if f at right has low-degree with k derived from arbitrary-length K using compression layer 22 M 0 k k f f Z 0 M 1 k k f f Z 1 … … M i k k f f Z j i j

  26. Farfalle as in [Keccak Team, eprint 2016/1188] . with k derived from arbitrary-length K using compression layer 22 M 0 k k f f Z 0 M 1 k k f f Z 1 … … M i k k f f Z j i j Problem: generic higher-order differential attack if f at right has low-degree

  27. Farfalle now [Keccak Team, eprint 2016/1188, update TODO] . 23 m 0 k k f f z 0 m 1 k k f f z 1 f … … m i k k f f z j i j ◮ Input mask rolling and f against accumulator collisions ◮ State rolling, f and output mask against state retrieval from output ◮ Middle f against higher-order DC ◮ Input-output attacks would span 3 f layers

  28. Outline . Pseudo-random functions PRF modes Sponge Farfalle Kravatte 24

  29. Kravatte = Farfalle with Keccak- p . 25 m 0 k k f f z 0 m 1 k k f f z 1 f … … m i k k f f z j i j ◮ Target security: 128 bits, incl. multi-target (claimed c = 256) ◮ f = Keccak- p [ 1600 , n r ] with n r = 6 , 4 , 4 ◮ Rolling function: operates on 4 lanes only, linear with order 2 256 − 1 • lightweight, taken from [Granger, Jovanonvic, Mennink & Neves, EC 2016] • protects against higher-order DC

  30. Thanks for your attention! . 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training School, Azores, April 17, 2018 1 Joan Daemen 1 , 2 Guido Bertoni 3 , Seth Hoffert, Michal Peeters 1 , Gilles Van Assche 1 and Ronny 1

843 views • 35 slides
Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni,

Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni,

Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni, Seth Hoffert, Bart Mennink, Michal Peeters, Gilles Van Assche and Ronny Van Keer COINS Winter School, 5-10 May 2019, Finse 1 1 Radboud

986 views • 65 slides
Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert,

Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert,

Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert, Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 ECC, Nijmegen, November 14, 2017 1 / 35 Joan Daemen 1 , 2 1 STMicroelectronics 2

1.09k views • 65 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx COSIC, KU Leuven August 14, 2013 Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda 1 / 16 Stateless, Deterministic

198 views • 17 slides
Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if

Quantum Authentication and Encryption with Key Recycling Or: How to Re-use a One-Time Pad Even if P = NP Safely & Feasibly Serge Fehr Louis Salvail CWI Amsterdam University of Montral Encryption & Authentication Schemes with

829 views • 62 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier Blazy Eike Kiltz Jiaxin Pan Horst Grtz Institute for IT Security Ruhr-University Bochum 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4

880 views • 58 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael

Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael

11/12/09 Physically Restricted Authentication and Encryption for Cyber-physical Systems Michael Kirkpatrick, Elisa Bertino Purdue University Frederick Sheldon Oak Ridge National Laboratory DHS: S&T Workshop on Future Directions in

438 views • 4 slides
KangarooTwelve draft-viguier-kangarootwelve-00 t Viguier 1 Beno CFRG Meeting, July 18, 2017

KangarooTwelve draft-viguier-kangarootwelve-00 t Viguier 1 Beno CFRG Meeting, July 18, 2017

KangarooTwelve draft-viguier-kangarootwelve-00 t Viguier 1 Beno CFRG Meeting, July 18, 2017 1 Radboud University, Nijmegen, The Netherlands 1 / 12 What is KangarooTwelve ? An extendable output function (XOF) like SHAKE128, with: an

355 views • 22 slides
The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R

The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R

Introduction Generalized Sponge Serial MDS PHOTON Security Conclusion The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R and NTU ECRYPT II Hash Workshop 2011 Tallinn, Estonia Introduction

579 views • 33 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd

1.27k views • 86 slides
CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee Department of Computer Science University of Calgary March 4, 2020 Outline Password hashing 1 SHA-3 2 Design strategy Details MACs 3 Properties of

519 views • 39 slides
EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O

EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O

EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O P P E R D I R E C T O R S E S TA ACKNOWLEDGEMENTS The content of this session is expanded in Chapter 4 of this book: Archer, A., & Hughes,

747 views • 64 slides
state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4 Stream Cipher

state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4 Stream Cipher

Ralph Ankele 1 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of Denmark, Denmark state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4

656 views • 62 slides
Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics

Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics

Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University RIOT Summit 2017 Berlin, September 25-26, 2017 1 / 56 Joint work with Guido Bertoni, Joan Daemen 1 , 2 , Seth Hoffert,

871 views • 65 slides

More recommend