on the influence of message length in pmac s security
play

On the Influence of Message Length in PMACs Security Bounds Atul - PowerPoint PPT Presentation

Jul 25, 2023 •223 likes •877 views

On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016 1 Security Bounds Factors: 1.

  1. On the Influence of Message Length in PMAC’s Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016 1

  2. Security Bounds Factors: 1. Adversarial Resources 2

  3. Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters 2

  4. Security Bounds Factors: 1. Adversarial Resources 2. Scheme parameters 3. Confidence level 2

  5. Security Bounds Factors: 1. Adversarial Resources Message Length — ℓ 2. Scheme parameters 3. Confidence level Secure Number of Queries — q 2

  6. Security Bounds Factors: 1. Adversarial Resources Message Length — ℓ 2. Scheme parameters 3. Confidence level TLS 1.3: GCM, ChaCha20 + Poly1305 Secure Number of Queries — q ISO/IEC SC27 WG2: 48 bit block size? 2

  7. Example : EMAC m 1 m 2 m 3 m 4 + + + π 1 π 1 π 1 π 1 π 2 π T c 1 3

  8. Example : EMAC m 1 m 2 m 3 m 4 + + + π 1 π 1 π 1 π 1 π 2 π T c 1 q 2 ℓ 2 ≤ ǫ 2 n Block size n q Number of queries ℓ Query length in blocks ǫ Confidence 3

  9. Example : EMAC m 1 m 2 m 3 m 4 + + + π 1 π 1 π 1 π 1 π 2 π T c 1 q 2 ℓ 2 ≤ ǫ Table: ǫ = 1 / 2 20 , ℓ = 1KB 2 n Cipher Block Size Limit Block size n 2 51 AES128 128 q Number of queries 2 18 . 5 PRESENT 64 ℓ Query length in blocks KATAN32 32 4 ǫ Confidence 3

  10. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  11. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  12. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  13. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 ? 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  14. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 ? 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  15. EMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 ? 2 4 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 4

  16. Switching Schemes 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 EMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 5

  17. Switching Schemes 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 Sum of CBCs 2 4 PMAC Plus EMAC 3kf9 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 5

  18. Switching Schemes 2 22 PMAC w Parity 2 19 2 16 LightMAC Message Length — ℓ 2 13 PMACX 2 10 2 7 Sum of CBCs 2 4 PMAC Plus EMAC 3kf9 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 5

  19. XOR-Style PRF PMAC w Parity PMACX LightMAC 6

  20. XOR-Style PRF PMAC w Parity PMACX LightMAC m x 1 x 2 x 3 x 4 π π π π + + + 6

  21. XOR-Style PRF PMAC w Parity PMACX LightMAC m x 1 x 2 x 3 x 4 π π π π + + + 6

  22. PMAC and PHASH m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + 7

  23. PMAC and PHASH m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + � � PMAC( m ) = OutputTransform PHASH( m ) 7

  24. PMAC and PHASH m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + � � PMAC( m ) = OutputTransform PHASH( m ) 1. Gray codes 2. Powering up 7

  25. PMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 8

  26. PMAC Bounds 2 22 2 19 2 16 Message Length — ℓ 2 13 2 10 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 8

  27. PMAC Bounds 2 22 PMAC w Parity 2 19 2 16 LightMAC Message Length — ℓ 2 13 PMACX 2 10 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 8

  28. PMAC Bounds 2 22 PMAC w Parity 2 19 2 16 LightMAC Message Length — ℓ 2 13 PMACX 2 10 ? 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 8

  29. Focusing on Collisions PHASH( m 1 ) = PHASH( m 2 ) PMAC( m 1 ) = PMAC( m 2 ) 9

  30. Focusing on Collisions PHASH( m 1 ) = PHASH( m 2 ) PMAC( m 1 ) = PMAC( m 2 ) PHASH collision implies a PMAC attack 9

  31. Results Message length dependence changes according to masks 10

  32. Results Message length dependence changes according to masks PHASH Instances 10

  33. Results Message length dependence changes according to masks Gray Codes PHASH Instances 10

  34. Results Message length dependence changes according to masks Gray Codes Powering Up PHASH Instances 10

  35. Results Message length dependence changes according to masks Infinitely many with collision upper bound 2 / 2 n or Gray Codes Powering Up PHASH Instances PHASH Instances 10

  36. Results Message length dependence changes according to masks Infinitely many with collision upper bound 2 / 2 n or Gray Codes Computationally hard to find high probability collision Powering Up (based on conjecture) PHASH Instances 10

  37. Results Message length dependence changes according to masks Infinitely many with collision upper bound 2 / 2 n or Gray Codes Computationally hard to find high probability collision Powering Up (based on conjecture) Gray codes instances depend on PHASH Instances message length 10

  38. Results in Context 2 22 PMAC w Parity 2 19 2 16 LightMAC Message Length — ℓ 2 13 PMACX 2 10 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 11

  39. Results in Context 2 22 PMAC w Parity 2 19 2 16 LightMAC Message Length — ℓ 2 13 PMACX 2 10 2 7 2 4 PMAC 2 1 2 0 2 1 2 3 2 5 2 7 2 9 2 11 2 13 2 13 Number of Queries — q 11

  40. PHASH vs XOR Hash 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 π π π π XOR Hash( m ) + + + m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + 12

  41. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  42. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  43. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  44. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  45. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  46. XOR Hash Collision 1 n / 2 m 1 2 n / 2 m 2 3 n / 2 m 3 4 n / 2 m 4 1 n / 2 m ′ 1 2 n / 2 m ′ 2 3 n / 2 m ′ 3 π π π π π π π 0 + + + + + + 13

  47. PHASH Collision m ′ m ′ m ′ m 1 m 2 m 3 m 4 1 2 3 c 1 ω c 2 ω c 3 ω c 4 ω c 1 ω c 2 ω c 3 ω + + + + + + + π π π π π π π 0 + + + + + + 14

  48. PHASH Collision m ′ m ′ m ′ m 1 m 2 m 3 m 4 1 2 3 c 1 ω c 2 ω c 3 ω c 4 ω c 1 ω c 2 ω c 3 ω + + + + + + + π π π π π π π 0 + + + + + + 14

  49. Approach m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + X 2 15

  50. Approach m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + m 1 c 1 15

  51. Approach m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4 15

  52. Approach m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4 15

  53. Approach m 1 m 2 m 3 m 4 0 c 1 ω c 2 ω c 3 ω c 4 ω + + + + π π π π π PHASH( m ) ω + + + m 4 m 2 m 3 m 1 c 1 c 2 c 3 c 4 15

  54. Conclusions and Open Problems PMAC message length dependence is non-trivial 16

  55. Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 16

  56. Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks? 16

  57. Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks? 3. Relationship between PMAC and PHASH when the output transform is not independent? 16

  58. Conclusions and Open Problems PMAC message length dependence is non-trivial 1. What happens with powering up? 2. Optimal masks? 3. Relationship between PMAC and PHASH when the output transform is not independent? Thank you for your attention. 16

  59. Connection With PHASH Collision Probability m 2 collide with probability k / 2 n if the Two messages � m 1 and � corresponding set in X 2 is evenly covered by k slopes. Simple proof of ℓ -bound: 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PEBB Member Advisory Committee (PMAC) PMAC Overview and HEM Recommendation PEBB Board Meeting,

PEBB Member Advisory Committee (PMAC) PMAC Overview and HEM Recommendation PEBB Board Meeting,

PEBB Member Advisory Committee (PMAC) PMAC Overview and HEM Recommendation PEBB Board Meeting, May 21, 2019 Attachment 2 Health Policy and Analytics Division Presentation Overview Who is PMAC? What does PMAC do? PMACs Board

209 views • 19 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by

261 views • 12 slides
Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services

Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services

Overview Cryptography functions Secret key (e.g., DES) Security Public key (e.g., RSA) Message digest (e.g., MD5) Security services Privacy: preventing unauthorized release of information Outline Authentication:

883 views • 5 slides
Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services

Hash Functions, Message Hash Functions, Message Security Services Security Services Authentication Codes Authentication Codes Confidentiality : Symmetric encryption solves Integrity Ahmet Burak Can Authentication Hacettepe

341 views • 4 slides
Minimum Message Length Inference and Mixture Modelling of Inverse Gaussian Distributions Daniel

Minimum Message Length Inference and Mixture Modelling of Inverse Gaussian Distributions Daniel

Minimum Message Length Inference and Mixture Modelling of Inverse Gaussian Distributions Daniel F. Schmidt Enes Makalic Centre for Molecular, Environmental, Genetic & Analytic (MEGA) Epidemiology School of Population Health University of

478 views • 25 slides
Inferring Phylogenetic Graphs of Natural Languages using Minimum Message Length Jane N. Ooi and

Inferring Phylogenetic Graphs of Natural Languages using Minimum Message Length Jane N. Ooi and

Inferring Phylogenetic Graphs of Natural Languages using Minimum Message Length Jane N. Ooi and David L. Dowe School of Computer Science and Software Engineering, Monash University, Clayton, Vic 3800, Australia janeo@bruce.csse.monash.edu.au

335 views • 10 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University of Electro-Communications 28/March/2007 @ FSE 2007 1 Introduction of MD4 Input Output Hash Arbitrary Defined Function length data length

562 views • 40 slides
The influence of social deprivation on length of hospitalization Engin YILMAZ Denis RAYNAUD The

The influence of social deprivation on length of hospitalization Engin YILMAZ Denis RAYNAUD The

The influence of social deprivation on length of hospitalization Engin YILMAZ Denis RAYNAUD The 2010 IRDES Workshop on Applied Health Economics and Policy Evaluation IRDES 2010 24 - 25 June 2010, Paris France www.irdes.fr/Workshop2010

394 views • 14 slides
Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication

Security 2 CSC 249 April 12, 2018 Network Security Recap Message Integrity and Authentication Trusted Intermediaries Secure email pretty good privacy (PGP) 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key

427 views • 13 slides
Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and

Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and

Key-Dependent Message Security in the Standard Model Dennis Hofheinz (CWI, Amsterdam) What and why? Key-dependent message (KDM) security As IND, but with special encryption oracle Real game: O(F) = ENC SK ( F(SK) ) Random

272 views • 4 slides
Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan

Influence of Steganographic Design Elements Steganalysis of YASS Summary Influence of Embedding Strategies on Security of Steganographic Methods in the JPEG Domain Jan Kodovsk Jessica Fridrich January 28, 2008 / Electronic Imaging 2008

817 views • 22 slides
Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
Foreign Ownership, Control or Influence and Foreign Ownership, Control or Influence and Government

Foreign Ownership, Control or Influence and Foreign Ownership, Control or Influence and Government

Presenting a live 90 minute webinar with interactive Q&A Foreign Ownership, Control or Influence and Foreign Ownership, Control or Influence and Government Contractor Security Clearance Mitigating FOCI and Meeting Requirements for National

469 views • 17 slides
Computing with Compact Sets: The Gray Code Case Dieter Spreen University of Siegen joint work

Computing with Compact Sets: The Gray Code Case Dieter Spreen University of Siegen joint work

Computing with Compact Sets: The Gray Code Case Dieter Spreen University of Siegen joint work with Hideki Tsuiki Kyoto University Continuity, Computability, Constructivity: From Logic to Algorithms Kochel am See, Bavaria, 14-18 September

423 views • 17 slides
Rotary Encoders 2 Rotary Encoders Electromechanical devices used to measure the angular

Rotary Encoders 2 Rotary Encoders Electromechanical devices used to measure the angular

1 Rotary Encoders 2 Rotary Encoders Electromechanical devices used to measure the angular position or rotation of a shaft. Two types: Absolute: Output a binary number for the current angular position of the shaft. 0000 = 0,

340 views • 13 slides
Extraction of real Gray-code from proofs using non-deterministic implication Ulrich Berger

Extraction of real Gray-code from proofs using non-deterministic implication Ulrich Berger

Extraction of real Gray-code from proofs using non-deterministic implication Ulrich Berger Swansea University j.w.w. Hideki Tsuiki Kyoto University Workshop on Mathematical Logic and its Aplications September 17, Kyoto 1 / 21 Overview

470 views • 21 slides
Previous Lecture Todays Lecture Slides for Lecture 6 ENEL 353: Digital Circuits Fall 2013

Previous Lecture Todays Lecture Slides for Lecture 6 ENEL 353: Digital Circuits Fall 2013

ENEL 353 F13 Section 02 Slides for Lecture 6 slide 2/21 ENEL 353 F13 Section 02 Slides for Lecture 6 slide 3/21 Previous Lecture Todays Lecture Slides for Lecture 6 ENEL 353: Digital Circuits Fall 2013 Term ranges for

160 views • 3 slides
Binary Counters Integer Representations towards Efficient Counting in the Bit Probe Model (paper

Binary Counters Integer Representations towards Efficient Counting in the Bit Probe Model (paper

Binary Counters Integer Representations towards Efficient Counting in the Bit Probe Model (paper presented at TAMC 2011) Gerth Stlting Brodal (Aarhus Universitet) Mark Greve (Aarhus Universitet) Vineet Pandey (BITS Pilani, Indien) S.

661 views • 34 slides
Technology Behind the Microsoft RoomAlive Project Luka Tsulaia University of Tartu 2018 Plan

Technology Behind the Microsoft RoomAlive Project Luka Tsulaia University of Tartu 2018 Plan

Technology Behind the Microsoft RoomAlive Project Luka Tsulaia University of Tartu 2018 Plan Prehistory Kinect Device Device Overview RoomAlive Project Death Whats next PreHistory Version 1 Launched in Nov 2010

536 views • 26 slides
Routing Mechanisms for Interconnection Networks Routing a message from node P s (010) to node P d

Routing Mechanisms for Interconnection Networks Routing a message from node P s (010) to node P d

Routing Mechanisms for Interconnection Networks Routing a message from node P s (010) to node P d (111) in a three- dimensional hypercube using E-cube routing. Mapping Techniques for Graphs Often, we need to embed a known communication

248 views • 12 slides
Logic for exact real arithmetic Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Logic for exact real arithmetic Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Logic for exact real arithmetic Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen Oberwolfach, November 2017 1 / 25 Exact real numbers can be given in different formats: Cauchy sequences (of rationals, with Cauchy modulus).

267 views • 25 slides

More recommend