
Innovations in symmetric cryptography Joan Daemen - PowerPoint PPT Presentation



  1. Innovations in symmetric cryptography. Joan Daemen, STMicroelectronics, Belgium. SSTIC, Rennes, June 5, 2013.

  2. Outline: 1 The origins; 2 Early work; 3 Rijndael; 4 The sponge construction and Keccak; 5 Conclusions.

  3. The origins (section title slide; outline repeated).

  4. The origins: Symmetric crypto around ’89
     - Stream ciphers: LFSR-based schemes; no actual design; many mathematical papers on linear complexity
     - Block ciphers: DES; design criteria not published; DC [Biham-Shamir 1990]: “DES designers knew what they were doing”; LC [Matsui 1992]: “well, kind of”
     - Popular paradigms, back then (but even now): property-preservation: a strong cipher requires strong S-boxes; confusion (nonlinearity): distance to linear functions; diffusion: (strict) avalanche criterion; you have to trade them off

  5. The origins: The banality of DES. Data Encryption Standard: datapath (figure).

  6. The origins: The banality of DES. Data Encryption Standard: F-function (figure).

  7. The origins: Cellular automata based crypto. A different angle: cellular automata. Simple local evolution rule, complex global behaviour. Popular 3-bit neighborhood rule: a′_i = a_{i−1} ⊕ (a_i OR a_{i+1})

  8. The origins: Cellular automata based crypto. Crypto based on cellular automata
     - CA guru Stephen Wolfram at Crypto ’85: looking for applications of CA; concrete stream cipher proposal
     - Crypto guru Ivan Damgård at Crypto ’89: hash function from compression function; proof of collision-resistance preservation; compression function with CA
     - Both broken: stream cipher in [Meier-Staffelbach, Eurocrypt ’91]; hash function in [Daemen et al., Asiacrypt ’91]

  9-10. The origins: Cellular automata based crypto. The trouble with Damgård’s compression function (figure, shown in two build steps).

  11. Early work (section title slide; outline repeated).

  12-13. Early work: Salvaging CA-based crypto. First experiments: investigate cycle distributions. The following rule exhibited remarkable cycle lengths: γ: flip the bit iff the 2 cells at the right are not 01. Invertible if periodic boundary conditions and odd length. Nonlinear, but unfortunately, weak diffusion.

  14-15. Early work: Salvaging CA-based crypto, second attempt. Found invertible 5-bit neighborhood rules with good diffusion. Turned out to be the composition of γ and the following rule θ: add to the bit the sum of the 2 cells at the right modulo 2. Idea: alternate γ (nonlinearity) and a variant of θ (mixing). Diffusion much better but still slow.

  16-17. Early work: Salvaging CA-based crypto, third attempt. Abandon locality by adding in bit transpositions: π: move the bit in cell i to cell 9i modulo the length. Round function: R = π ∘ θ ∘ γ. Full diffusion after a few rounds!

  18. Early work: Designs directly resulting from this
     - Round function composed of specialized steps: γ: non-linearity; θ: mixing; π: transposition; ι: addition of some constants for breaking symmetry
     - Resulting designs: Cellhash (1991): hash function; Subterranean (1992), StepRightUp (1994) and Panama (1997): hash/stream cipher modules; 3-Way and BaseKing (1993-94): block ciphers
     - Supporting concepts introduced in [PhD Thesis Daemen, 1995]: theoretical basis: DC and LC; wide trail strategy; correlation matrices; branch number
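As an added example (not code from the slides or from Daemen's designs), here are the three steps γ, θ and π of slides 12 to 18 in Python on a ring of n cells with periodic boundary, with brute-force checks of the invertibility conditions the slides state and a dependency count that makes "full diffusion after a few rounds" measurable. Assumed: "the 2 cells at the right" of cell i are cells i+1 and i+2; n, the round counts and the check routines are this example's own choices, and ι is left out.

```python
# Added example, not code from Daemen's slides: the three CA steps of the
# round R = pi o theta o gamma on a ring of n cells (periodic boundary).
# Assumption: "the 2 cells at the right" of cell i are cells i+1 and i+2.

def gamma(a):
    """Flip bit i iff cells i+1,i+2 are NOT 01: a[i] ^= a[i+1] OR NOT a[i+2]."""
    n = len(a)
    return [a[i] ^ (a[(i + 1) % n] | (1 - a[(i + 2) % n])) for i in range(n)]

def theta(a):
    """Add to bit i the sum mod 2 of the two cells to its right (linear mixing)."""
    n = len(a)
    return [a[i] ^ a[(i + 1) % n] ^ a[(i + 2) % n] for i in range(n)]

def pi(a):
    """Move the bit in cell i to cell 9*i mod n (transposition)."""
    n = len(a)
    out = [0] * n
    for i in range(n):
        out[(9 * i) % n] = a[i]
    return out

def round_fn(a, rounds=1):
    """R = pi o theta o gamma, applied `rounds` times (gamma is applied first)."""
    for _ in range(rounds):
        a = pi(theta(gamma(a)))
    return a

def int_to_bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def is_bijection(f, n):
    """Brute force over all 2^n states: does f reach 2^n distinct images?"""
    return len({tuple(f(int_to_bits(x, n))) for x in range(1 << n)}) == 1 << n

def dependency_count(n, rounds):
    """(input bit, output bit) pairs where some state's output bit flips; n*n = full."""
    dep = [[False] * n for _ in range(n)]
    for x in range(1 << n):
        a = int_to_bits(x, n)
        ref = round_fn(a, rounds)
        for i in range(n):
            b = a[:i] + [a[i] ^ 1] + a[i + 1:]   # flip input bit i
            out = round_fn(b, rounds)
            for j in range(n):
                if out[j] != ref[j]:
                    dep[i][j] = True
    return sum(row.count(True) for row in dep)
```

Calling dependency_count(7, r) for r = 1, 2, 3 shows how far a single-bit change reaches after each round; the odd-length condition for γ, 3 ∤ n for θ and gcd(9, n) = 1 for π can all be checked with is_bijection.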

  19. Rijndael (section title slide; outline repeated).

  20. Rijndael: Cryptanalysis contest in 1994
     - Blowfish [Schneier, 1993]. F function: 8-to-32-bit S-boxes derived from the key; only 4 TLU and 3 additions; very high diffusion
     - My impression: great potential
     - Won by Serge Vaudenay, published [Vaudenay, 1996]: exploiting collisions in the F-function; in the S-box: weak keys
     - Yes, it can! But can it be fixed?
     - March 1995: last month at COSIC, after PhD defense

  21-25. Rijndael: March 1995: a month in Limbo; the Spark! (one slide, shown in five build steps)
     - Mixing ∘ S-box: 4 TLU and 4 XORs; both invertible
     - Challenge: finding the right S-box and mixing layer
     - S-boxes: optimize nonlinearity; just take a single one
     - Linear mixing layer: optimize diffusion; criteria defined by DC and LC
     - Clearly big potential! … smuggled my idea out of COSIC

  26. Rijndael: Two years earlier … Summer 1993: COSIC gets some classified contract work. Supervisors decide to put on it: Joan Daemen and Vincent Rijmen.

  27. Rijndael: The road to Rijndael. Switch back to autumn 1995: I decided to contact Vincent to work out my ideas; this led to the following results
     - SHARK [SHARK, FSE 1996]: link with maximum distance separable (MDS) codes; S-box: multiplicative inverse in GF(2^8) [Nyberg, 1994]
     - Square [Square, FSE 1997]: more efficient thanks to the byte transposition layer; state bytes arranged in a 4 × 4 square
     - BKSQ [BKSQ, Cardis 1998]: support for non-square states
     - NIST AES call in autumn 1997: we defined Rijndael using these ideas and submitted it

  28. Rijndael: AES finalists: speed on Pentium. Percentage executed by the time Rijndael finishes (figure).

  29. Rijndael (team) after AES selection
     - October 2, 2000: NIST announces Rijndael will be AES
     - Rijndael book at Springer, the reference of block cipher design
     - Follow-up work with Vincent, some highlights: new insights in differential propagation in AES-like functions; LC and DC statistics of random mappings; Pelican-MAC: 2.5 times faster than AES CBC-MAC
     - Security of AES: current status: some dents in the armor due to academic attacks; biclique attacks [Khovratovich, Rechberger, Bogdanov, 2011]: up to a factor 4 more efficient than exhaustive key search; several times announced broken, false alarms; most heard criticism: too simple to be secure

  30. The sponge construction and Keccak (section title slide; outline repeated).

  31. The sponge construction and Keccak: Compression function and domain extension. See how mainstream hash functions were going. Mainstream hash functions have two layers: a fixed-input-length compression function and an iterating mode (domain extension). Merkle-Damgård iterating mode: very simple and elegant. Yes, but can we have collision-resistance preservation?

  32. The sponge construction and Keccak: The iterating mode. Merkle-Damgård with strengthening: Merkle-Damgård strengthening! Yes, but what about security when being used as a MAC?

  33. The sponge construction and Keccak: The iterating mode. Enveloped Merkle-Damgård: indifferentiable from a Random Oracle! Yes, but we often need long outputs, e.g., see PKCS#1, TLS, …

  34. The sponge construction and Keccak: The iterating mode. Mask generating function construction: Brilliant! This does what we need!

  35. The sponge construction and Keccak: The remaining problem: designing a compression function. The compression function: let’s put in a block cipher. Yes, but collisions are easy, so collision-resistance preservation …

  36. The sponge construction and Keccak: The compression function. Block cipher in Davies-Meyer mode: OK, OK, add a feedforward. That’s it!
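As an added example (not from the slides), the iterating mode and compression function of slides 31 to 36 in Python: Merkle-Damgård with strengthening over a block-cipher-based compression function, first as plain E_m(h) and then with the Davies-Meyer feedforward E_m(h) ⊕ h. The 16-bit toy cipher, the padding layout and the IV are this example's own assumptions, chosen to be small enough to inspect, not to be secure.

```python
# Added example, not code from Daemen's slides: Merkle-Damgard iteration with
# strengthening over a compression function built from a block cipher, first
# as plain E_m(h) and then in Davies-Meyer mode E_m(h) ^ h.  The 16-bit
# "toy cipher" below is this example's own stand-in for a real block cipher.

MASK = 0xFFFF  # 16-bit block and key: small enough to reason about, not secure

def toy_encrypt(key, x):
    for r in range(8):
        x ^= key ^ r                              # round key: key xor round counter
        x = ((x << 3) | (x >> 13)) & MASK         # rotate left by 3
        x = (x + 0x9E37) & MASK                   # add a constant
    return x

def toy_decrypt(key, y):
    for r in reversed(range(8)):                  # undo the rounds in reverse order
        y = (y - 0x9E37) & MASK
        y = ((y >> 3) | (y << 13)) & MASK
        y ^= key ^ r
    return y

def plain_compress(h, m):
    """Compression = block cipher keyed by the message block (slide 35)."""
    return toy_encrypt(m, h)

def davies_meyer(h, m):
    """Davies-Meyer: feed the chaining value forward (slide 36)."""
    return toy_encrypt(m, h) ^ h

def pad_blocks(msg):
    """Split into 16-bit blocks; pad with 0x80 then zeros; append the bit
    length as the final block (Merkle-Damgard strengthening)."""
    data = msg + b"\x80"
    data += b"\x00" * (len(data) % 2)
    blocks = [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]
    return blocks + [(8 * len(msg)) & MASK]

def md_hash(compress, msg, iv=0x1234):
    h = iv
    for block in pad_blocks(msg):
        h = compress(h, block)
    return h

def plain_mode_collision(h0, m1, m2):
    """Why slide 35 says 'collisions are easy': with E_m(h) alone, any second
    block m2 gives a chaining value h0' = D_m2(E_m1(h0)) that collides with
    (h0, m1).  Returns that h0'; with the feedforward the two outputs differ."""
    return toy_decrypt(m2, toy_encrypt(m1, h0))
```

With plain_compress the returned h0' and m2 hash to the same value as (h0, m1); with davies_meyer the same pair gives y ⊕ h0 versus y ⊕ h0', which differ whenever h0' ≠ h0.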
