new constructions of macs from tweakable block ciphers
play

New Constructions of MACs from (Tweakable) Block Ciphers Benot - PowerPoint PPT Presentation

Sep 24, 2023 •273 likes •837 views

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

  1. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benoît Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018 — FSE 2018 B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 1 / 24

  2. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Summary of the contribution • we propose four new MAC constructions based on a (tweakable) block cipher: stateless and deterministic nonce-based/randomized TBC-based Hash-as-Tweak (HaT) Nonce-as-Tweak (NaT) BC-based Hash-as-Key (HaK) Nonce-as-Key (NaK) • all four constructions are secure beyond the birthday bound • TBC-based constructions are provably secure in the standard model • BC-based constructions are provably secure in the ideal cipher model • nonce-based constructions provide graceful security degradation with the maximal number of nonce repetitions B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 2 / 24

  3. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Summary of the contribution • we propose four new MAC constructions based on a (tweakable) block cipher: stateless and deterministic nonce-based/randomized TBC-based Hash-as-Tweak (HaT) Nonce-as-Tweak (NaT) BC-based Hash-as-Key (HaK) Nonce-as-Key (NaK) • all four constructions are secure beyond the birthday bound • TBC-based constructions are provably secure in the standard model • BC-based constructions are provably secure in the ideal cipher model • nonce-based constructions provide graceful security degradation with the maximal number of nonce repetitions B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 2 / 24

  4. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Summary of the contribution • we propose four new MAC constructions based on a (tweakable) block cipher: stateless and deterministic nonce-based/randomized TBC-based Hash-as-Tweak (HaT) Nonce-as-Tweak (NaT) BC-based Hash-as-Key (HaK) Nonce-as-Key (NaK) • all four constructions are secure beyond the birthday bound • TBC-based constructions are provably secure in the standard model • BC-based constructions are provably secure in the ideal cipher model • nonce-based constructions provide graceful security degradation with the maximal number of nonce repetitions B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 2 / 24

  5. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Summary of the contribution • we propose four new MAC constructions based on a (tweakable) block cipher: stateless and deterministic nonce-based/randomized TBC-based Hash-as-Tweak (HaT) Nonce-as-Tweak (NaT) BC-based Hash-as-Key (HaK) Nonce-as-Key (NaK) • all four constructions are secure beyond the birthday bound • TBC-based constructions are provably secure in the standard model • BC-based constructions are provably secure in the ideal cipher model • nonce-based constructions provide graceful security degradation with the maximal number of nonce repetitions B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 2 / 24

  6. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Outline Generalities Stateless Deterministic MACs Nonce-Based MACs B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 3 / 24

  7. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Outline Generalities Stateless Deterministic MACs Nonce-Based MACs B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 4 / 24

  8. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion MAC definition MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 5 / 24

  9. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion MAC definition ( N , M ) T MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 5 / 24

  10. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion MAC definition ( N , M ) ( N ′ , M ′ , T ′ ) 0 / 1 T MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 5 / 24

  11. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion MAC definition ( N , M ) ( N ′ , M ′ , T ′ ) 0 / 1 T MAC K ( N ′ , M ′ ) = T ′ ? T = MAC K ( N , M ) Security Definition The adversary is allowed • q MAC queries T = MAC K ( N , M ) • v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 5 / 24

  12. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • security model: nonces are chosen by the adversary, any nonce can be used at most µ times in MAC queries • µ = 1: nonce-respecting adversary • µ > 1: nonce-misusing adversary • randomized: MAC function takes as input random coins (generated by the sender) in addition to the key and the message B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 6 / 24

  13. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • security model: nonces are chosen by the adversary, any nonce can be used at most µ times in MAC queries • µ = 1: nonce-respecting adversary • µ > 1: nonce-misusing adversary • randomized: MAC function takes as input random coins (generated by the sender) in addition to the key and the message B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 6 / 24

  14. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Three types of MAC • stateless and deterministic: MAC function only takes the key and the message as input (Variable-input-length PRF ⇒ stateless deterministic MAC) • nonce-based: • MAC function takes as input a non-repeating nonce N in addition to the key and the message M • security model: nonces are chosen by the adversary, any nonce can be used at most µ times in MAC queries • µ = 1: nonce-respecting adversary • µ > 1: nonce-misusing adversary • randomized: MAC function takes as input random coins (generated by the sender) in addition to the key and the message B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 6 / 24

  15. Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion Graceful nonce-misuse security degradation • the security of some nonce-based MACs collapses if a single nonce is used twice (e.g. GMAC) • ideally, security should degrade gracefully in case nonces are repeated • any BBB-secure nonce-based MAC with graceful security degradation can be turned into a BBB-secure randomized MAC by choosing n -bit nonces uniformly at random: q µ +1 Adv rand-MAC + Adv nonce-MAC ( q , v ) ≤ ( q , v , µ ) F F 2 µ ( n +1) � �� � � �� � small for µ> 1 µ -multicoll. proba. for any value of µ = maximal number of nonce repetitions. B. Cogliati, J. Lee, Y. Seurin New Constructions of MACs from (T)BCs FSE 2018 7 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI, France September 30, 2015 ASK 2015 Based on joint work with Benot Cogliati

1.79k views • 120 slides
Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with: Christof Beierle Stefan Klbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

472 views • 33 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016 The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S.

1.91k views • 55 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack Readings for Next 3

CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack Readings for Next 3

CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 Local Variables of a Procedure public

331 views • 16 slides
Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all

Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all

5/20/2018 Distributed Systems How does the OS ensure security? 13C. Distributed Systems: Security all key resources are kept inside of the OS protected by hardware (mode, memory management) 13I. Secure sessions processes cannot

129 views • 9 slides
Mflop 300 200 100 0 6 8 10 12 14 16 18 20 22 Vector length 2^n 600

Mflop 300 200 100 0 6 8 10 12 14 16 18 20 22 Vector length 2^n 600

Performance of scalar product benchmark 600 R10000/195MHz R8000/75MHz Alpha/500Mhz IBM Power 2/66Mhz 500 IBM PPC604e/166Mhz IBM PPC604e/233Mhz PPro 200/Mhz, NAG F90 PPro 200/Mhz, PG F77 400 Mflop 300 200 100 0 6 8 10 12 14 16

658 views • 37 slides
INRDB the Internet Number Resource Database Robert Kisteleki Science Group Manager, RIPE NCC

INRDB the Internet Number Resource Database Robert Kisteleki Science Group Manager, RIPE NCC

RIPE Network Coordination Centre INRDB the Internet Number Resource Database Robert Kisteleki Science Group Manager, RIPE NCC robert@ripe.net INRDB Robert Kisteleki / AIMS 2010 http://www.ripe.net 1 RIPE Network Coordination Centre What

721 views • 23 slides
CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12

CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12

Readings for Next 3 Lectures Textbook CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 2 Local Variables of a Procedure

201 views • 8 slides
CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall 2014 CMPSC 311 - Introduction to Systems Programming A string is just an array ... C handles ASCII text through strings A string is just an

208 views • 17 slides
Simple LSB embedding (recap) CSM25 Secure Information Hiding Dr Hans Georg Schaathun University

Simple LSB embedding (recap) CSM25 Secure Information Hiding Dr Hans Georg Schaathun University

Simple LSB embedding (recap) CSM25 Secure Information Hiding Dr Hans Georg Schaathun University of Surrey Spring 2007 Dr Hans Georg Schaathun Simple LSB embedding (recap) Spring 2007 1 / 34 Lesson Outcomes Chapter 2: LSB recap After this

1.07k views • 84 slides
Names Par)cipants Mark Davis Souheil Ben Yacoub

Names Par)cipants Mark Davis Souheil Ben Yacoub

Names Par)cipants Mark Davis Souheil Ben Yacoub Richard Ishida Doug Lawrence Gary Lefman Chris)an Lieske Juan Pane Kers)n Steffen

280 views • 9 slides

More recommend