ketje and keyak
play

Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles - PowerPoint PPT Presentation

Dec 26, 2023 •9 likes •339 views

Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ronny Van Keer 1 1 STMicroelectronics 2 NXP Semiconductors DIAC 2014 1 / 19 Overview Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current

  1. Ketje and Keyak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 Ronny Van Keer 1 1 STMicroelectronics 2 NXP Semiconductors DIAC 2014 1 / 19

  2. Overview Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current Developments 2 / 19

  3. Overview Overview Inspired by Keccak and Duplex Keyak targeting high performances Optionally parallelizable Ketje targeting lightweight 3 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] Using reduced-round Keccak - f [ 400 ] or Keccak - f [ 200 ]

  4. Overview Overview Inspired by Keccak and Duplex Keyak targeting high performances Optionally parallelizable Ketje targeting lightweight 3 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] Using reduced-round Keccak - f [ 400 ] or Keccak - f [ 200 ]

  5. Overview Overview Inspired by Keccak and Duplex Keyak targeting high performances Optionally parallelizable Ketje targeting lightweight 3 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] Using reduced-round Keccak - f [ 400 ] or Keccak - f [ 200 ]

  6. Overview MonkeyWrap construction round function + Cryptanalysis Stream-oriented #rounds in phases A (thin) round function Ketje : Two approaches permutation-level Cryptanalysis Block-oriented fixed #rounds A (strong) permutation DuplexWrap Keyak : 4 / 19

  7. Overview MonkeyWrap construction round function + Cryptanalysis Stream-oriented #rounds in phases A (thin) round function Ketje : Two approaches permutation-level Cryptanalysis Block-oriented fixed #rounds A (strong) permutation DuplexWrap Keyak : 4 / 19

  8. Keyak Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current Developments 5 / 19

  9. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  10. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  11. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  12. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  13. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  14. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  15. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  16. Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Optionally parallelizable implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 6 / 19 Using reduced-round Keccak - f [ 1600 ] or Keccak - f [ 800 ] , to allow

  17. Keyak Duplex layer 7 / 19 Keccak - p [ 1600 , n r = 12 ] or Keccak - p [ 800 , n r = 12 ]

  18. Keyak DuplexWrap layer DuplexWrap is a nonce-based authenticated encryption mode; works on sequences of header-body pairs. 8 / 19 A (1) B (1) 0 1 C (1) T (1) A ( 1 ) contains the key and must be unique, e.g., A ( 1 ) contains a session key used only once; A ( 1 ) contains a key and a nonce. In general: A ( 1 ) = key || nonce || associated data.

  19. Keyak DuplexWrap layer DuplexWrap is a nonce-based authenticated encryption mode; works on sequences of header-body pairs. 8 / 19 A (1) B (1) 0 1 C (1) T (1) A ( 1 ) contains the key and must be unique, e.g., A ( 1 ) contains a session key used only once; A ( 1 ) contains a key and a nonce. In general: A ( 1 ) = key || nonce || associated data.

  20. Keyak works on sequences of header-body pairs. DuplexWrap layer 8 / 19 DuplexWrap is a nonce-based authenticated encryption mode; A (1) B (1) A (2) B (2) 0 1 C (1) T (1) C (2) T (2) A ( 1 ) contains the key and must be unique, e.g., A ( 1 ) contains a session key used only once; A ( 1 ) contains a key and a nonce. In general: A ( 1 ) = key || nonce || associated data.

  21. Keyak works on sequences of header-body pairs. DuplexWrap layer 8 / 19 is a nonce-based authenticated encryption mode; DuplexWrap A (1) B (1) A (2) B (2) A (3) 0 1 C (1) T (1) C (2) T (2) T (3) A ( 1 ) contains the key and must be unique, e.g., A ( 1 ) contains a session key used only once; A ( 1 ) contains a key and a nonce. In general: A ( 1 ) = key || nonce || associated data.

  22. Keyak Inside DuplexWrap 9 / 19 +00 +00 +10 0 0 d d d d

  23. Keyak Inside DuplexWrap 9 / 19 +00 +00 +01 +11 +10 0 0 d d d d d d

  24. Keyak 1 not ideal on constrained platforms reasonable on high- and middle-end platforms Working memory footprint short messages: 24 rounds long messages: about 50 % of SHAKE128 Processing for Lake Keyak 1 800 River Keyak 1600 Keyak instances and efficiency Lake Keyak 2 1600 Sea Keyak 4 1600 Ocean Keyak Parallelism P Width b Name 10 / 19

  25. Keyak Security of Keyak Generic security of Keyak thanks to a combination of results: Sound tree hashing modes [IJIS 2013] for parallelized modes Keyed sponge indistinguishability [SKEW 2011 + work in progress] SpongeWrap generic security [SAC 2011] , adapted to DuplexWrap Safety margin against shortcut attacks: Practical attacks up to 6 rounds [Dinur et al. SHA-3 2014] Academic attacks up to 9 rounds [Dinur et al. SHA-3 2014] 11 / 19

  26. Ketje Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current Developments 12 / 19

  27. Ketje Ketje goals Nonce-based AE function 96-bit or 128-bit security (incl. multi-target) Sequence of header-body pairs keeping the state during the session Small footprint Target niche: secure channel protocol on secure chips banking card, ID, (U)SIM, secure element, FIDO, etc. secure chip has strictly incrementing counter implementation re-use cryptanalysis re-use reasonable side-channel protections (… and because we like it …) 13 / 19 Using reduced-round Keccak - f [ 400 ] or Keccak - f [ 200 ] , to allow

  28. Ketje Inside Ketje : the MonkeyDuplex layer 14 / 19 n start = 12 rounds should provide strong instance separation n step = 1 , r = 2 b / 25 should avoid single-instance state retrieval n stride = 6 rounds should avoid a forgery with one instance

  29. Ketje Inside MonkeyWrap 15 / 19 1 +00 +00 +01 +11 +10 0 stride start step step step step step

  30. Ketje per session 7 rounds 9 rounds per message 8-byte tag comp. 1 round 1 round per block wrapping 12 rounds 12 rounds initialization Ketje instances and lightweight features computational cost processing 4 bytes 2 bytes block size 50 bytes 25 bytes state size Ketje Sr Ketje Jr feature 16 / 19

  31. Conclusions and Current Developments Outline 1 Overview 2 Keyak 3 Ketje 4 Conclusions and Current Developments 17 / 19

  32. Conclusions and Current Developments Current developments Optimized software implementations Gross estimations can be derived from Keccak Lake Keyak expected twice faster than SHAKE128 There might be interesting improvement with new AVX512 (VPTERNLOG, rotations and 32 registers) Hardware implementations 18 / 19

  33. Conclusions and Current Developments Conclusions Thanks for your attention! Q? 19 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang

Cube-like Attack on Round-Reduced Initialization of Ketje Sr Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline--divided into 3 parts u Ketje u Related Works u Cube-like

454 views • 27 slides
r Pr

r Pr

r Pr ttt rt r t tt rs 1

681 views • 36 slides
LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC

LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC

LHC An invitation to further reading. Mike Lamont CERN/AB 1 CERNs accelerators LHC 2 LHC LHC 3 LHC - overview Eight sectors plus: Point 1: Atlas Point 2: Alice, injection Point 3: Momentum cleaning Point 4: RF Point 5: CMS Point 6:

897 views • 60 slides
Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945

Center for Information Services and High Performance Computing (ZIH) Debugger Usage at HRSK 2009-03-19 Zellescher Weg 12 Willers-Bau A106 Tel. +49 351 - 463 - 31945 Matthias Lieber (Matthias.Lieber@tu-dresden.de) Why using a Debugger? Your

759 views • 47 slides
Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals

A Universal Program (4) Theory of Computation Course note based on Computability, Complexity, and Languages: Fundamentals of Theoretical Computer Science , 2nd edition, authored by Martin Davis, Ron Sigal, and Elaine J. Weyuker. course note

832 views • 48 slides
CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

source: computer-networks-webdesign.com CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu These slides are adapted from the textbook slides by J.F. Kurose and K.W. Ross Chapter 5: The Data Link

898 views • 71 slides
Power Recall (or learn) that Power is a measure of: _____________________________________

Power Recall (or learn) that Power is a measure of: _____________________________________

17.1 17.2 Power Recall (or learn) that Power is a measure of: _____________________________________ EE 109 Unit 17 - Pulse Width In an electronic circuit, P = ______________ Power = Current & Voltage (each may be

465 views • 7 slides
Adaptive GPS Duty Cycling with Radio Ranging for Energy-Efficient Localization CSIRO ICT Centre

Adaptive GPS Duty Cycling with Radio Ranging for Energy-Efficient Localization CSIRO ICT Centre

Adaptive GPS Duty Cycling with Radio Ranging for Energy-Efficient Localization CSIRO ICT Centre Raja Jurdak Queensland University of Technology Peter Corke INSA Lyon Dhinesh Dharman Guillaume Salagnac Wednesday, 24 November 2010 Motivation

549 views • 42 slides
Leveraging IP for Sensor Network Deployment Simon Duquennoy, Niklas Wirstr om, Nicolas

Leveraging IP for Sensor Network Deployment Simon Duquennoy, Niklas Wirstr om, Nicolas

Leveraging IP for Sensor Network Deployment Simon Duquennoy, Niklas Wirstr om, Nicolas Tsiftes, Adam Dunkels IP+SN Workshop, Chicago, IL April 11th 2011 Incremental Sensornet Deployment Target deployments Heterogeneous networks

487 views • 16 slides
Analog to Digital Conversion and Pulse Width Modulation ECE Senior Design 28 February 2017

Analog to Digital Conversion and Pulse Width Modulation ECE Senior Design 28 February 2017

Analog to Digital Conversion and Pulse Width Modulation ECE Senior Design 28 February 2017 Analog to Digital Conversion 2 n -1 111 = 110 2 101 10-bit Conversion and V ref = 5V Digital Value 100 011 5 5

334 views • 20 slides
Latest results of the Pierre Auger Observatory Isabelle Lhenry-Yvon for the Pierre Auger

Latest results of the Pierre Auger Observatory Isabelle Lhenry-Yvon for the Pierre Auger

Latest results of the Pierre Auger Observatory Isabelle Lhenry-Yvon for the Pierre Auger Collaboration IPN Orsay, Universit Paris XI, CNRS/IN2P3 1 Isabelle Lhenry-Yvon, TAUP 2019 , 9-13 of September, Toyama Outline The Pierre Auger

708 views • 42 slides
A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch,

A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch,

A Distributed Algorithm for Large-Scale Generalized Matching Faraz Makari, Baruch Awerbuch, Rainer Gemulla, Rohit Khandekar, Julin Mestre, Mauro Sozio Recommender systems Given: A user-item feedback matrix Goal: Recommend additional

433 views • 40 slides
Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is

Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is

Security and DRM Joseph Chou Texas Instruments IETF 60 PERM BOF 1 Security and DRM DRM is Based on Security Principals Authentication (device, user, service) Key management, data encryption and signature for data confidentiality

204 views • 6 slides
The top ology of the p ermutation pattern p oset Eina r Steingrmsson Universit y

The top ology of the p ermutation pattern p oset Eina r Steingrmsson Universit y

The top ology of the p ermutation pattern p oset Eina r Steingrmsson Universit y of Strathlyde W o rk b y Jason P . Smith and joint w o rk with P eter MNama ra and with A. Burstein, V. Jelnek and E.

1.6k views • 135 slides
CIS 500 Software Foundations Fall 2005 Programming with OCaml CIS 500, Programming

CIS 500 Software Foundations Fall 2005 Programming with OCaml CIS 500, Programming

CIS 500 Software Foundations Fall 2005 Programming with OCaml CIS 500, Programming with OCaml 1 Functional programming with OCaml CIS 500, Programming with OCaml 2 OCaml and this course The

1.38k views • 99 slides
type date = int*int*int type name = string type bday = name*date type bdayset = bday set val s

type date = int*int*int type name = string type bday = name*date type bdayset = bday set val s

SE 3M04 SE 3M04 Fall 2003 Consider the following declarations type date = int*int*int type name = string type bday = name*date type bdayset = bday set val s : bdayset from a system that stores names and birthdays. Jacques Carette,

307 views • 5 slides
Markov Chains on Finite Groups Maarit Hietalahti Postgraduate Seminar in Theoretical Computer

Markov Chains on Finite Groups Maarit Hietalahti Postgraduate Seminar in Theoretical Computer

Markov Chains on Finite Groups Maarit Hietalahti Postgraduate Seminar in Theoretical Computer Science 17.11.2003 Based on Sections 15 and 16 of E. Behrends. Introduction to Markov Chains, with Special Emphasis on Rapid Mixing. Vieweg

329 views • 14 slides
- What is V aR? - V alue at Risk is the loss, whih is exeeded with some

- What is V aR? - V alue at Risk is the loss, whih is exeeded with some

- Qualit y of V alue-at-Risk App ro ximations b y Numerial Solutions of SDEs - Denis T ala y and Ziyu Zheng This w o rk is a joint ollab o ration b et w een the RiskLab and INRIA Sophia Antip olis.

555 views • 27 slides
Patterns in Trees Thomas Klausner TU Wien Joint work with Michael Drmota INRIA Rocquencourt,

Patterns in Trees Thomas Klausner TU Wien Joint work with Michael Drmota INRIA Rocquencourt,

Patterns in Trees Thomas Klausner TU Wien Joint work with Michael Drmota INRIA Rocquencourt, December 9, 2002 Supported by the Austrian Science Fund, Project S8302-MAT. Outline Present assumptions and basic techniques. Define patterns.

450 views • 30 slides
An Implementation of Algebraic Data Types in Java using the Visitor Pattern Anton Setzer 1.

An Implementation of Algebraic Data Types in Java using the Visitor Pattern Anton Setzer 1.

An Implementation of Algebraic Data Types in Java using the Visitor Pattern Anton Setzer 1. Algebraic Data Types. 2. Naive Modelling of Algebraic Types. 3. Defining Algebraic Types using Elimination Rules. 1 Anton Setzer: An implementation of

814 views • 62 slides
A regenerative modification of the multilevel splitting Alexandra Borodina and Evsey Morozov

A regenerative modification of the multilevel splitting Alexandra Borodina and Evsey Morozov

A regenerative modification of the multilevel splitting Alexandra Borodina and Evsey Morozov Institute of Applied Mathematical Research, Russian Academy of Sciences and Petrozavodsk University, Russia Supported by Russian Foundation for Basic

450 views • 41 slides
Summaries of Streaming Data Martin J. Strauss University of Michigan Sparse Approximation

Summaries of Streaming Data Martin J. Strauss University of Michigan Sparse Approximation

Summaries of Streaming Data Martin J. Strauss University of Michigan Sparse Approximation National retailer sees a stream of transactions: 2 Thomas sold, 1 Thomas returned, 1 TSP sold ... Implies vector x of item frequencies: 40 Thomas,

1.14k views • 113 slides
Making predictions involving pairwise data Aditya Menon and Charles Elkan University of

Making predictions involving pairwise data Aditya Menon and Charles Elkan University of

Making predictions involving pairwise data Aditya Menon and Charles Elkan University of California, San Diego September 17, 2010 1 / 44 Overview of talk Propose a new problem, dyadic label prediction, and explain its importance

954 views • 44 slides
Mining Closed Discriminative Dyadic Sequential Patterns David Lo 1 , Hong Cheng 2 , and Lucia 1 1

Mining Closed Discriminative Dyadic Sequential Patterns David Lo 1 , Hong Cheng 2 , and Lucia 1 1

Mining Closed Discriminative Dyadic Sequential Patterns David Lo 1 , Hong Cheng 2 , and Lucia 1 1 Singapore Management University 2 Chinese University of Hong Kong 1 Motivation: Sequence Pairs Much data is in sequential formats Sequence

808 views • 46 slides

More recommend