kangarootwelve draft viguier kangarootwelve 00
play

KangarooTwelve draft-viguier-kangarootwelve-00 t Viguier 1 Beno - PowerPoint PPT Presentation

Dec 13, 2022 •124 likes •355 views

KangarooTwelve draft-viguier-kangarootwelve-00 t Viguier 1 Beno CFRG Meeting, July 18, 2017 1 Radboud University, Nijmegen, The Netherlands 1 / 12 What is KangarooTwelve ? An extendable output function (XOF) like SHAKE128, with: an

  1. KangarooTwelve draft-viguier-kangarootwelve-00 ıt Viguier 1 Benoˆ CFRG Meeting, July 18, 2017 1 Radboud University, Nijmegen, The Netherlands 1 / 12

  2. What is KangarooTwelve ? An extendable output function (XOF) like SHAKE128, with: ◮ an “embarassingly” parallel mode on top • Parallelism grows automatically with input size • No penalty for short messages ◮ a smaller number of rounds • Reduced from 24 to 12 General hash function, parallel mode transparent for the user 2 / 12

  3. How secure is KangarooTwelve ? ◮ Parallel mode with proven generic security [EuroCrypt 2008] [IJIS 2014] [ACNS 2014] ◮ Sponge function on top of Keccak - p [1600 , n r = 12] • Same round function as Keccak /SHA-3 ⇒ cryptanalysis since 2008 still valid • Safety margin: from rock-solid to comfortable 3 / 12

  4. Status of Keccak ◮ Collision attacks up to 5 rounds • Also up to 6 rounds, but for non-standard parameters ( c = 160) [Song, Liao, Guo, CRYPTO 2017] ◮ Stream prediction in 8 rounds (2 128 time, prob. 1) [Dinur, Morawiecki, Pieprzyk, Srebrny, Straus, EUROCRYPT 2015] Round function unchanged since 2008 http://keccak.noekeon.org/third_party.html 4 / 12

  5. How fast is KangarooTwelve ? ◮ At least twice as fast as SHAKE128 on short inputs ◮ Much faster when parallelism is exploited on long inputs Short input Long input Intel Core i5-4570 (Haswell) 4.15 c/b 1.44 c/b Intel Core i5-6500 (Skylake) 3.72 c/b 1.22 c/b Intel Xeon Phi 7250 (Knights Landing) ∗ (4.56 c/b) 0.74 c/b ∗ Thanks to Romain Dolbeau 5 / 12

  6. Why is it interesting for the IETF? ◮ Keccak / KangarooTwelve is an open design • Public design rationale • Result of an open international competition • Long-standing active scrutiny from the crypto community ◮ Best security/speed trade-off • Speed-up without wasting cryptanalysis resources (no tweaks) ◮ Scalable parallelism • As much parallelism as the implementation can exploit • With one parameter set 6 / 12

  7. Backup slides 6 / 12

  8. Analyzing the sponge construction 7 / 12

  9. Analyzing the sponge construction 7 / 12

  10. Generic security of the sponge construction [EuroCrypt 2008] http://sponge.noekeon.org/SpongeIndifferentiability.pdf 8 / 12

  11. Generic security of the sponge construction [EuroCrypt 2008] http://sponge.noekeon.org/SpongeIndifferentiability.pdf Theorem, explained Pr[attack] ≤ N 2 2 c +1 (or so) ⇒ if N ≪ 2 c / 2 , then the probability is negligible 8 / 12

  12. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs 9 / 12

  13. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive 9 / 12

  14. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! 9 / 12

  15. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! ⇒ open design rationale 9 / 12

  16. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! ⇒ open design rationale ⇒ cryptanalysis! 9 / 12

  17. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! ⇒ open design rationale ⇒ third-party cryptanalysis! 9 / 12

  18. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! ⇒ open design rationale ⇒ lots of third-party cryptanalysis! 9 / 12

  19. Two pillars of security in cryptography ◮ Generic security • Strong mathematical proofs ⇒ scope of cryptanalysis reduced to primitive ◮ Security of the primitive • No proof! ⇒ open design rationale ⇒ lots of third-party cryptanalysis! • Confidence ⇐ sustained cryptanalysis activity and no break ⇐ proven properties 9 / 12

  20. Impact of parallelism Keccak - f [1600] × 1 1070 cycles Keccak - f [1600] × 2 1360 cycles Keccak - f [1600] × 4 1410 cycles CPU: Intel Core i5-6500 (Skylake) with AVX2 256-bit SIMD 10 / 12

  21. Tree hashing Example: ParallelHash [SP 800-185] function instruction set cycles/byte Keccak [ c = 256] × 1 x86 64 6.29 Keccak [ c = 256] × 2 AVX2 4.32 Keccak [ c = 256] × 4 AVX2 2.31 CPU: Intel Core i5-6500 (Skylake) with AVX2 256-bit SIMD 11 / 12

  22. KangarooTwelve ’s mode Final node growing with kangaroo hopping and Sakura coding [ACNS 2014] 12 / 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bookmarks for Cryptographers Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier

Bookmarks for Cryptographers Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier

Bookmarks for Cryptographers Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier https://www.viguier.nl Student talk 5th June 2017 Institute for Computing and Information Sciences Digital Security Radboud University Nijmegen 1 Tikz

467 views • 19 slides
Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier https://www.viguier.nl DS Lunch talk 9th December 2016 Institute for Computing and Information Sciences Digital Security Radboud

761 views • 29 slides
Bookmarks for Cryptographers Beno t Viguier ( x y. x@y.nl ) benoit viguier CHES 2017

Bookmarks for Cryptographers Beno t Viguier ( x y. x@y.nl ) benoit viguier CHES 2017

Bookmarks for Cryptographers Beno t Viguier ( x y. x@y.nl ) benoit viguier CHES 2017 Rump Session Taipei, 26th September 2017 Institute for Computing and Information Sciences Digital Security Radboud University Nijmegen 1 Tikz

436 views • 19 slides
Advanced Use of Git Beno t Viguier DS-Lunch Talk, Nijmegen, October 25th, 2019 1

Advanced Use of Git Beno t Viguier DS-Lunch Talk, Nijmegen, October 25th, 2019 1

Advanced Use of Git Beno t Viguier DS-Lunch Talk, Nijmegen, October 25th, 2019 1 Disclaimer If you dont like command line interface, this talk is not for you. 2 Minimal Git Commands git clone git@gitlab.science.ru.nl:user/repo

1.16k views • 66 slides
Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek Wiedijk Journ ee GT M ethodes Formelles pour la S ecurit e March 18 th , 2019 Institute for Computing and Information Sciences

621 views • 47 slides
Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1

Formal Methods in Differential and Linear Trail Search Beno t Viguier October 7, 2016 1 Overview Introduction Keccak Differential Cryptanalysis Semantics of Trees and Iterators Proven Iterator Conclusion 2 Introduction Hashing vs

977 views • 56 slides
DRAFT DRAFT A service of Maryland Health Benefit Exchange Broker Information DRAFT DRAFT 2

DRAFT DRAFT A service of Maryland Health Benefit Exchange Broker Information DRAFT DRAFT 2

Broker & TPA JAD May 23, 2013 DRAFT DRAFT A service of Maryland Health Benefit Exchange Broker Information DRAFT DRAFT 2 Broker Topics Transaction files Broker XSD Group file 834 Individual initial enrollment with broker

730 views • 25 slides
PRESENTATION OF THE DRAFT RESOLUTIONS AND TEXT OF THE DRAFT RESOLUTIONS FIRST AND SECOND

PRESENTATION OF THE DRAFT RESOLUTIONS AND TEXT OF THE DRAFT RESOLUTIONS FIRST AND SECOND

MANAGEMENT REPORT AND DRAFT RESOLUTIONS PRESENTATION OF THE DRAFT RESOLUTIONS AND TEXT OF THE DRAFT RESOLUTIONS FIRST AND SECOND RESOLUTIONS Approval of the separate and consolidated fi nancial statements for fi scal year 2017 In the fi rst

352 views • 10 slides
DRAFT - Do not cite or quote DRAFT - Do not cite or quote DRAFT - Do not cite or quote 2017

DRAFT - Do not cite or quote DRAFT - Do not cite or quote DRAFT - Do not cite or quote 2017

DRAFT - Do not cite or quote DRAFT - Do not cite or quote DRAFT - Do not cite or quote 2017 Regulation 85 Rulemaking Cleanup and Corrections Define Headwaters Cooling Towers - potentially remove from regulation

611 views • 10 slides
DRAFT This is a draft paper and numbers and impacts are subject to change as further work is

DRAFT This is a draft paper and numbers and impacts are subject to change as further work is

CONFIDENTIAL DRAFT FOR DISCUSSION SUBJECT TO CIC APPROVAL DRAFT This is a draft paper and numbers and impacts are subject to change as further work is carried out. Draft numbers were provided for capital so that the Committee could have the

459 views • 6 slides
Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team

Go 2 Draft Designs Hello everyone, Im here to talk about the draft designs that the Go team recently released for possible future additions to Go, specifically about two areas: improved error handling and parametric polymorphism (AKA generics),

411 views • 29 slides
DRAFT RESPONSE DOCUMENT 2017 DRAFT TAXATION LAWS AMENDMENT BILL (TLAB) AND DRAFT TAX

DRAFT RESPONSE DOCUMENT 2017 DRAFT TAXATION LAWS AMENDMENT BILL (TLAB) AND DRAFT TAX

DRAFT RESPONSE DOCUMENT 2017 DRAFT TAXATION LAWS AMENDMENT BILL (TLAB) AND DRAFT TAX ADMINISTRATION LAWS AMENDMENT BILL (TALAB) Standing Committee on Finance Presenters: National Treasury and SARS | 14 September 2017 Consultation process

410 views • 37 slides
Water Budgets and Modeling KGA Coordination Committee Meeting CA Water Foundation DRAFT DRAFT

Water Budgets and Modeling KGA Coordination Committee Meeting CA Water Foundation DRAFT DRAFT

Water Budgets and Modeling KGA Coordination Committee Meeting CA Water Foundation DRAFT DRAFT GSP Requirements Focus on current and historical budgets first Must cover entire subbasin DRAFT DRAFT KRGSA Water Budgets - GSP Develop

386 views • 25 slides
Master Plan Draft Document Master Plan Draft Document Accomplishments Master Plan Draft Document

Master Plan Draft Document Master Plan Draft Document Accomplishments Master Plan Draft Document

Master Plan Draft Document Master Plan Draft Document Accomplishments Master Plan Draft Document Accomplishments TEAMWORK! - 35 Kimley-Horn Staff Members - 4 Specialty Subconsultants - 3 Utility Owners - 6 Public Infrastructure

683 views • 44 slides
DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and

DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and

DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and policies 56 September 2014 Helsinki, Finland This is a draft version of a conference paper submitted for presentation at UNU-WIDERs conference,

608 views • 39 slides
DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and

DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and

DRAFT This paper is a draft submission to Inequality Measurement, trends, impacts, and policies 56 September 2014 Helsinki, Finland This is a draft version of a conference paper submitted for presentation at UNU-WIDERs conference,

468 views • 29 slides
The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R

The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R

Introduction Generalized Sponge Serial MDS PHOTON Security Conclusion The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin and Axel Poschmann I2R and NTU ECRYPT II Hash Workshop 2011 Tallinn, Estonia Introduction

579 views • 33 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd

1.27k views • 86 slides
Prt rt

Prt rt

Prt rt s rt rst trs st

626 views • 36 slides
Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee Department of Computer Science University of Calgary March 4, 2020 Outline Password hashing 1 SHA-3 2 Design strategy Details MACs 3 Properties of

519 views • 39 slides
EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O

EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O

EXPLICIT INSTRUCTION WEBINAR #5: ORGANIZING FOR INSTRUCTION P R E S E N T E D B Y: G I N A H O P P E R D I R E C T O R S E S TA ACKNOWLEDGEMENTS The content of this session is expanded in Chapter 4 of this book: Archer, A., & Hughes,

747 views • 64 slides
state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4 Stream Cipher

state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4 Stream Cipher

Ralph Ankele 1 Christian Rechberger 2 August 25, 2015 1 RHUL, Royal Holloway University of London, United Kingdom 2 DTU Compute, Technical University of Denmark, Denmark state-recovery analysis of spritz Stefan Klbl 2 rc4 and tls RC4

656 views • 62 slides

More recommend