overview of the sponge duplex and farfalle constructions
play

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van - PowerPoint PPT Presentation

Aug 22, 2022 •27 likes •907 views

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy ibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen,

  1. Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy Šibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen, Seth Hoffert, Bart Mennink, Michaël Peeters, Ronny Van Keer 1 / 59

  2. Outline The duplex construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The sponge construction 1 Unkeyed applications 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 2 / 59

  3. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Outline 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 3 / 59

  4. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Hashing requirements 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 Outline 4 / 59

  5. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  6. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  7. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  8. Security notions for hashing Hashing requirements … Applications 5 / 59 Cryptographic hash functions h : { 0 , 1 } ∗ → { 0 , 1 } n I n p u t me s s a g e D i g e s t Signatures : sign RSA ( h ( M )) instead of sign RSA ( M ) Key derivation : master key K to derived keys ( K i = h ( K ∥ i )) Bit commitment , predictions : h ( what I know ) Message authentication : h ( K ∥ M )

  9. Security notions for hashing Hashing requirements Generalized: extendable output function (XOF) “XOF: a function in which the output can be extended to any length. ” [Ray Perlner, SHA-3 workshop 2014] Applications Signatures : full-domain hashing, mask generating function Key derivation : as many/long derived keys as needed 6 / 59 h : { 0 , 1 } ∗ → { 0 , 1 } ∗ Stream cipher : C = P ⊕ h ( K ∥ nonce )

  10. Security notions for hashing Hashing requirements Modern security requirements Hash or XOF h with n -bit output Modern security requirements h behaves like a random mapping … up to security strength s Classical security requirements, derived from it Preimage resistance Second-preimage resistance Collision resistance 7 / 59 2 min ( n , s ) 2 min ( n , s ) 2 min ( n / 2 , s )

  11. Security notions for hashing The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Modern generic security 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 Outline 8 / 59

  12. Security notions for hashing Modern generic security Generic security: indistinguishability 9 / 59 Adversary D must tell apart the ideal function: a monolithic random oracle RO construction S [ F ] calling an ideal primitive F Express Pr ( success |D ) as a function of total cost of queries N Problem: in real world, F is available to adversary

  13. Security notions for hashing Modern generic security Generic security: indistinguishability 9 / 59 Adversary D must tell apart the ideal function: a monolithic random oracle RO construction S [ F ] calling an ideal primitive F Express Pr ( success |D ) as a function of total cost of queries N Problem: in real world, F is available to adversary

  14. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] Applied to hash functions in [Coron et al. (2005)] additional interface, covered by a simulator at right 10 / 59 distinguishing mode-of-use from ideal function ( RO ) covers adversary with access to primitive F at left

  15. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] Methodology: 10 / 59 build P that makes left/right distinguishing diffjcult prove bound for advantage given this simulator P P may query RO for acting S -consistently: P [ RO ]

  16. Security notions for hashing Modern generic security Generic security: indifferentiability [Maurer et al. (2004)] 10 / 59 � D RO , P [ RO ] )� ( D S [ F ] , F ) ( Adv ( q ) = − Pr � ≤ ϵ ( q ) � � � Pr

  17. Security notions for hashing Modern generic security Consequences of indifferentiability do pre-image attack Can be generalized to any attack 11 / 59 Let D : n -bit output pre-image attack. Success probability: for random oracle: P pre ( D|RO ) = q 2 − n for our construction: P pre ( D|S [ F ]) = ? A distinguisher D with Adv ( q ) = P pre ( D|S [ F ]) − P pre ( D|RO ) if success, conclude our construction; otherwise, RO But we have a proven bound Adv ( q ) ≤ ϵ ( q ) , so P pre ( D|S [ F ]) ≤ P pre ( D|RO ) + ϵ ( q )

  18. Security notions for hashing Modern generic security Consequences of indifferentiability [Andreeva, Mennink, Preneel, ISC 2010] 12 / 59

  19. Security notions for hashing Modern generic security Limitations of indifferentiability Only about the mode No security proof with a concrete primitive Only about single-stage games [Ristenpart et al., Eurocrypt 2011] Example: hash-based storage auditing 13 / 59 Z = h ( File ∥ C )

  20. Security notions for hashing Modern generic security Limitations of indifferentiability Only about the mode No security proof with a concrete primitive Only about single-stage games [Ristenpart et al., Eurocrypt 2011] Example: hash-based storage auditing 13 / 59 Z = h ( File ∥ C )

  21. Why permutation-based cryptography? The sponge construction Deck functions and modes Farfalle The full-state keyed duplex construction The outer keyed sponge and duplex constructions Keyed applications 4 The duplex construction Unkeyed applications Outline 3 Why permutation-based cryptography? 2 Modern generic security Hashing requirements Security notions for hashing 1 14 / 59

  22. Why permutation-based cryptography? Symmetric crypto: what textbooks and intro’s say Symmetric cryptography primitives: Block ciphers Key stream generators Hash functions And their modes-of-use Picture by GlasgowAmateur 15 / 59

  23. Why permutation-based cryptography? The truth about symmetric crypto today Block ciphers: 16 / 59

  24. Why permutation-based cryptography? What block cipher are used for Hashing (Davies-Meyer) and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … 17 / 59

  25. Why permutation-based cryptography? Block cipher operation 18 / 59

  26. Why permutation-based cryptography? Block cipher operation: the inverse 19 / 59

  27. Why permutation-based cryptography? When do you need the inverse? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … Most schemes with misuse-resistant claims So for most uses you don’t need the inverse! 20 / 59

  28. Why permutation-based cryptography? Block cipher internals 21 / 59

  29. Why permutation-based cryptography? Davies-Meyer compression function 22 / 59

  30. Why permutation-based cryptography? Removing restrictions not required in hashing 23 / 59

  31. Why permutation-based cryptography? Simplifying the view: iterated permutation 24 / 59

  32. Why permutation-based cryptography? Designing a permutation Remaining problem: design of iterated permutation round function: good approaches known asymmetry: round constants Advantages with respect to block ciphers: no more need for effjcient inverse no more worries about key schedule 25 / 59 less barriers ⇒ more diffusion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan

Full-duplex without Strings: Enabling Full- duplex with Half-duplex Clients Karthikeyan Sundaresan, Mohammad Khojastepour, Eugene Chai, Sampath Rangarajan NEC Labs America MobiCom 2014 Full-duplex Transmitting + receiving on same time-

326 views • 21 slides
Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge

Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge

Modern Session Encryption David Wong outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK Sponge Construction 00101 01001 01100 11001 01011 10101 0 0 0 0 f f f f f 0 0 0 0 absorbing squeezing Duplex Construction input

808 views • 60 slides
Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a re-operation Detection can be difficult and remote from the initial operation The sponge must be removed Primary problem is faulty OR

570 views • 26 slides
Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Cooperative versus Full-Duplex Communication in Cellular Networks : A Comparison of the Total Degrees of Freedom Amr El-Keyi and Halim Yanikomeroglu Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

306 views • 17 slides
Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 14: Full-Duplex Communications Instructor: Kate Ching-Ju Lin ( ) 1 Outline Whats full-duplex Self-Interference Cancellation Full-duplex and Half-duplex Co-existence

1.37k views • 47 slides
DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of

DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of

A Primer for DUPLEX Stainless Steel John Grocki 2012 What are Duplex Stainless Steels ? A family of stainless steels whose: structures are approximately 50/50 austenite and ferrite physical properties are a combination of the

905 views • 51 slides
Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a

Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a

Pipes! Files read() write() Creating pipes Half-Duplex Pipes Full-Duplex Pipes What is a File in Unix / Linux S t a n d a r d E r r o r Hardware Devices s e i l F x t e T Kitchen Sink

324 views • 8 slides
Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

13 th IWA Specialized Conference on Small Water and Wastewater Systems, 14-16 September 2016, Athens, Greece Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation sponge media Tsutomu Okubo*, Akinori

366 views • 33 slides
Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh

Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh

Full Duplex Radios Daniel J. Steffey Source Full Duplex Radios* ACM SIGCOMM 2013 Dinesh Bharadia Emily McMilin Sachin Katti *All source information and graphics/charts 2 Problem It is generally not possible for radios to receive and

705 views • 28 slides
Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh

Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh

Practical, Real-time, Full-Duplex Wireless Mayank Jain, Jung Il Choi, Taemin Kim, Dinesh Bharadia, Kannan Srinivasan, Siddharth Seth, Philip Levis, Sachin Katti, Prasun Sinha September 22, 2011 1 What full-duplex 2 What full-duplex ...

1.18k views • 103 slides
Host Device USB 1.0/1.1 USB 2.0 USB 3.0

Host Device USB 1.0/1.1 USB 2.0 USB 3.0

Host Device USB 1.0/1.1 USB 2.0 USB 3.0 USB 3.1 USB 3.2 1.5/12 MBits/s 480 MBits/s 5 GBits/s 10 GBits/s 20 GBits/s Half duplex Half duplex Full duplex 2006 2016 1996 1998 2000

527 views • 35 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1

Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1

Generic security of the Keyed Sponge Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 , ArcticCrypt Longyearbyen July 19, 2016 1 / 30 Joan Daemen 1 , 2 Elena Andreeva 3

602 views • 33 slides
Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only

Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only

Full Duplex Radios ROHIT KUMAR 2 Types of Communication Simplex Data can be transferred only in one direction. Half Duplex Data can be transferred in both directions but not simultaneously. Full Duplex Data can be

282 views • 12 slides
Duplex Ultrasound Evaluation Duplex Ultrasound Evaluation Reversed Trendelenberg position on

Duplex Ultrasound Evaluation Duplex Ultrasound Evaluation Reversed Trendelenberg position on

4/14/2016 Disclosures: Speaker honorarium for W.L. Gore When Do You Need to Treat and Associates, 9/2015. Venous Perforators?.. and How to Do It David Rigberg, MD Professor and Program Director Division of Vascular Surgery University of

196 views • 5 slides
Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 9 1 / 43 Introduction 1 2 The Relationship between Active and Passive Approaches to Passive 3 From Structural

597 views • 43 slides
1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the

1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the

1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the faith by devoting themselves to deceitful spirits and teachings of demons, 2 through the insincerity of liars whose consciences are seared, 3 who

331 views • 3 slides
The Spirit Jacques Ellul The Spirit In Galatians 5:16-26 And because you are children, 1.

The Spirit Jacques Ellul The Spirit In Galatians 5:16-26 And because you are children, 1.

2019-10-01 The glorious liberty of the children of God is not the happy fluttering of a butterfly from one attractive flower to another. It is joyous, but it is also radical, hard, and absolute Giving Galatians 5 : 22 - 26 us our burden,

465 views • 4 slides
Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum

Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum

Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum Hansen Development Consultant Gentofte Centralbibliotek Sergey Borovoy CEO ATAPY Software Quick facts about Gentofte Central Library Gentofte

372 views • 20 slides
had a lot to say, but I just couldn't say it. I never thought I'd be able to sit and talk to

had a lot to say, but I just couldn't say it. I never thought I'd be able to sit and talk to

I was a smart kid and had a lot to say, but I just couldn't say it. I never thought I'd be able to sit and talk to someone like I'm talking to you right now. Emily Blunt Golden Globe Nominated Actress John 13:13 (NIV) You call me

410 views • 13 slides
Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2

Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2

Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Eurocrypt 2013 Athens, Greece, May 28th, 2013 1 / 57 Symmetric crypto: what textbooks and intros say Symmetric

915 views • 67 slides
SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy

SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy

SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy Benjamin Reed Christopher Olston Turn Inc. Facebook Inc. Google Inc. kelmeleegy@turn.com br33d@fb.com olston@google.com 1 Background

434 views • 25 slides
Prt rt

Prt rt

Prt rt s rt rst trs st

626 views • 36 slides
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd

1.27k views • 86 slides

More recommend