minimizing the two round even mansour cipher
play

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe - PowerPoint PPT Presentation

Mar 07, 2024 •187 likes •1.07k views

Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick Seurin 4 John Steinberger 1 1 Tsinghua University, China 2 University of Versailles, France 3 Sejong University, Korea 4 ANSSI, France August 18, 2014

  1. Minimizing the Two-Round Even-Mansour Cipher Shan Chen 1 Rodolphe Lampe 2 Jooyoung Lee 3 Yannick Seurin 4 John Steinberger 1 1 Tsinghua University, China 2 University of Versailles, France 3 Sejong University, Korea 4 ANSSI, France August 18, 2014 - CRYPTO 2014 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 1 / 29

  2. Outline Context: Security Proofs for Key-Alternating Ciphers 1 Overview of our Results 2 Sketch of the Security Proof 3 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 2 / 29

  3. Key-alternating ciphers n k γ 0 γ 1 γ r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher k ∈ { 0 , 1 } n is the (master) key, x the plaintext, y the ciphertext The P i ’s are public permutations on { 0 , 1 } n The γ i ’s are key derivation functions mapping k to n -bit “round keys” prominent example: AES-128 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 3 / 29

  4. Key-alternating ciphers n k γ 0 γ 1 γ r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher k ∈ { 0 , 1 } n is the (master) key, x the plaintext, y the ciphertext The P i ’s are public permutations on { 0 , 1 } n The γ i ’s are key derivation functions mapping k to n -bit “round keys” prominent example: AES-128 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 3 / 29

  5. Proving the security of key-alternating ciphers n k γ 0 γ 1 γ r n y x P 1 P 2 P r Question How can we “prove” security? (for this talk, security = pseudorandomness) against a general adversary: too hard! (unconditional complexity lower bound) against specific attacks (differential, linear. . . ): use specific design of P 1 , . . . , P r , count active S-boxes, etc. against generic attacks: Random Permutation Model for P 1 , . . . , P r Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 4 / 29

  6. Proving the security of key-alternating ciphers n k γ 0 γ 1 γ r n y x P 1 P 2 P r Question How can we “prove” security? (for this talk, security = pseudorandomness) against a general adversary: too hard! (unconditional complexity lower bound) against specific attacks (differential, linear. . . ): use specific design of P 1 , . . . , P r , count active S-boxes, etc. against generic attacks: Random Permutation Model for P 1 , . . . , P r Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 4 / 29

  7. Proving the security of key-alternating ciphers n k γ 0 γ 1 γ r n y x P 1 P 2 P r Question How can we “prove” security? (for this talk, security = pseudorandomness) against a general adversary: too hard! (unconditional complexity lower bound) against specific attacks (differential, linear. . . ): use specific design of P 1 , . . . , P r , count active S-boxes, etc. against generic attacks: Random Permutation Model for P 1 , . . . , P r Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 4 / 29

  8. Proving the security of key-alternating ciphers n k γ 0 γ 1 γ r n y x P 1 P 2 P r Question How can we “prove” security? (for this talk, security = pseudorandomness) against a general adversary: too hard! (unconditional complexity lower bound) against specific attacks (differential, linear. . . ): use specific design of P 1 , . . . , P r , count active S-boxes, etc. against generic attacks: Random Permutation Model for P 1 , . . . , P r Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 4 / 29

  9. Analyzing KA ciphers in the Random Permutation Model n k γ 0 γ 1 γ r n y x P 1 P 2 P r the P i ’s are viewed as public random permutation oracles to which the adversary can only make black-box queries (both to P i and P − 1 ). i trades complexity for randomness and allows for a completely information-theoretic proof ( ≃ Random Oracle Model) complexity measure of the adversary: q e = number of queries to the cipher (plaintext/ciphertext pairs) q p = number of queries to each internal permutation oracle Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 5 / 29

  10. Analyzing KA ciphers in the Random Permutation Model n k γ 0 γ 1 γ r n y x P 1 P 2 P r the P i ’s are viewed as public random permutation oracles to which the adversary can only make black-box queries (both to P i and P − 1 ). i trades complexity for randomness and allows for a completely information-theoretic proof ( ≃ Random Oracle Model) complexity measure of the adversary: q e = number of queries to the cipher (plaintext/ciphertext pairs) q p = number of queries to each internal permutation oracle Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 5 / 29

  11. Analyzing KA ciphers in the Random Permutation Model n k γ 0 γ 1 γ r n y x P 1 P 2 P r the P i ’s are viewed as public random permutation oracles to which the adversary can only make black-box queries (both to P i and P − 1 ). i trades complexity for randomness and allows for a completely information-theoretic proof ( ≃ Random Oracle Model) complexity measure of the adversary: q e = number of queries to the cipher (plaintext/ciphertext pairs) q p = number of queries to each internal permutation oracle Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 5 / 29

  12. Analyzing KA ciphers in the Random Permutation Model This model was already considered 15 years ago by Even and Mansour [EM97] for r = 1 round: they showed that the following cipher is secure up n 2 ) queries of the adversary to P and E : to O ( 2 k 0 k 1 y x P � �� � E Similar result when k 0 = k 1 [DKS12] Wording: “(iterated) Even-Mansour cipher” = shorthand for “analyzing the class of key-alternating ciphers in the Random Permutation Model” Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 6 / 29

  13. Analyzing KA ciphers in the Random Permutation Model This model was already considered 15 years ago by Even and Mansour [EM97] for r = 1 round: they showed that the following cipher is secure up n 2 ) queries of the adversary to P and E : to O ( 2 k k y x P � �� � E Similar result when k 0 = k 1 [DKS12] Wording: “(iterated) Even-Mansour cipher” = shorthand for “analyzing the class of key-alternating ciphers in the Random Permutation Model” Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 6 / 29

  14. Analyzing KA ciphers in the Random Permutation Model This model was already considered 15 years ago by Even and Mansour [EM97] for r = 1 round: they showed that the following cipher is secure up n 2 ) queries of the adversary to P and E : to O ( 2 k k y x P � �� � E Similar result when k 0 = k 1 [DKS12] Wording: “(iterated) Even-Mansour cipher” = shorthand for “analyzing the class of key-alternating ciphers in the Random Permutation Model” Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 6 / 29

  15. Outline Context: Security Proofs for Key-Alternating Ciphers 1 Overview of our Results 2 Sketch of the Security Proof 3 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 7 / 29

  16. State of the art k 0 k 1 k r y x P 1 P 2 P r Closing a series of recent results [BKL + 12, Ste12, LPS12], Chen and Steinberger [CS14] showed that assuming 1 independent round keys ( k 0 , k 1 , . . . , k r ) , 2 independent inner permutations P 1 , . . . , P r , KA ciphers are secure against generic attacks as long as rn r + 1 ) . q e and q p ≪ O ( 2 This result is tight (in terms of query complexity). Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 8 / 29

  17. State of the art k 0 k 1 k r y x P 1 P 2 P r Closing a series of recent results [BKL + 12, Ste12, LPS12], Chen and Steinberger [CS14] showed that assuming 1 independent round keys ( k 0 , k 1 , . . . , k r ) , 2 independent inner permutations P 1 , . . . , P r , KA ciphers are secure against generic attacks as long as rn r + 1 ) . q e and q p ≪ O ( 2 This result is tight (in terms of query complexity). Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 8 / 29

  18. Our problem Main question rn r + 1 ) bound when: Is it possible to prove a similar O ( 2 the round keys ( k 0 , . . . , k r ) are derived from an n -bit master key and/or when the same permutation P is used at each round as is the case in many concrete designs (AES-128, etc.)? n k γ 0 γ 1 γ r k 0 k 1 k r n x y P 1 P 2 P r 2 n 3 ) -security bound. We give a positive answer for r = 2 rounds: O ( 2 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 9 / 29

  19. Our problem Main question rn r + 1 ) bound when: Is it possible to prove a similar O ( 2 the round keys ( k 0 , . . . , k r ) are derived from an n -bit master key and/or when the same permutation P is used at each round as is the case in many concrete designs (AES-128, etc.)? n k γ 0 γ 1 γ r k 0 k 1 k r n x y P 1 P 2 P r 2 n 3 ) -security bound. We give a positive answer for r = 2 rounds: O ( 2 Chen, Lampe, Lee, Seurin, Steinberger Minimizing the 2-Round EM Cipher CRYPTO 2014 9 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg

Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg

Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg Peihan Miao Akshayaram Srinivasan What did we achieve? Two-Round Secure Multiparty Computation Minimizing Public Key Operations Sanjam Garg

628 views • 41 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or horizontal half-planes Round 1 Round 1 Round 1 Round 1 Round 1 h 1 D 2 " 1 =0.30 ! =0.42 1 Round 2 Round 2 Round 2 Round 2 Round

188 views • 5 slides
The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange

The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results The LED Block Cipher Jian Guo, Thomas Peyrin, Axel Poschmann and Matt Robshaw I2R, NTU and Orange Labs CHES 2011 Nara, Japan

689 views • 33 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and

A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and

A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom May, 2017 www.iaik.tugraz.at Introduction AES is probably the most widely studied and used block cipher. So far, non-random

603 views • 42 slides
Simple Archive Architectures Lighton Phiri and Hussein Suleman Digital Libraries Laboratory

Simple Archive Architectures Lighton Phiri and Hussein Suleman Digital Libraries Laboratory

Simple Archive Architectures Lighton Phiri and Hussein Suleman Digital Libraries Laboratory Department of Computer Science University of Cape Town IFLA '15 Workshop on Digital Libraries: research methods and tools www.martinwest.uct.ac.za 2

719 views • 24 slides
Compiler Construction Compiler Construction 1 / 112 Mayer Goldberg \ Ben-Gurion University

Compiler Construction Compiler Construction 1 / 112 Mayer Goldberg \ Ben-Gurion University

Compiler Construction Compiler Construction 1 / 112 Mayer Goldberg \ Ben-Gurion University Thursday 3 rd December, 2020 Mayer Goldberg \ Ben-Gurion University Chapter 3 Roadmap Compiler Construction 2 / 112 Expressions in Scheme The

1.47k views • 112 slides
Physical Computing in Computer Science Education: Creative Learning

Physical Computing in Computer Science Education: Creative Learning

Physical Computing in Computer Science Education: Creative Learning with Interactive Objects Introduction Computer science in the form of interactive and embedded

298 views • 3 slides
Game with a Purpose for Verification of Mappings Between Wikipedia and WordNet 09.09.2016 Tomasz

Game with a Purpose for Verification of Mappings Between Wikipedia and WordNet 09.09.2016 Tomasz

Game with a Purpose for Verification of Mappings Between Wikipedia and WordNet 09.09.2016 Tomasz Maria Boiski tobo@eti.pg.gda.pl Mappings, tags, extractions 1. We need them 2. We create them either on the fly or before 3. We use them to

830 views • 16 slides
Logics for Social Choice Our goal today will be to embed part of SCT into a formal logic. Roughly,

Logics for Social Choice Our goal today will be to embed part of SCT into a formal logic. Roughly,

Logics for Social Choice COMSOC 2011 Logics for Social Choice COMSOC 2011 Logics for Social Choice Our goal today will be to embed part of SCT into a formal logic. Roughly, models of the logic should encode aggregators and formulas should

251 views • 7 slides
FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de http://www.coli.uni-saarland.de/courses/FLST/2014/ FLST: Linguistics Foundation Linguistic Foundations Today Intro Phonetics /

1.06k views • 40 slides
!"#$%&'()*+,$&+-".)"&("#+

!"#$%&'()*+,$&+-".)"&("#+

!"#$#!"% 90%80*)::0'5%./4.%./0%3.4.;.)8<% 80=;,80:0'.%>)8%504'08<%3<')53%.)%?0%@48.% !"#$%&'()*+,$&+-".)"&("#+ )>%./0%>)8:4(%3.8;*.;80%)>%3<')5,*4(%

129 views • 8 slides
RESIDENTIAL CARE Northern Long Term Care December 2017 Healthcare LaingBuisson LaingBuisson

RESIDENTIAL CARE Northern Long Term Care December 2017 Healthcare LaingBuisson LaingBuisson

RESIDENTIAL CARE Northern Long Term Care December 2017 Healthcare LaingBuisson LaingBuisson Healthcare intelligence intelligence Key Statistics, North East 2.6 million people in the South West 65.0% 6.0% .0% 0.5 million (20%) over 65 736

253 views • 6 slides

More recommend