perfect block ciphers with small blocks
play

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas - PowerPoint PPT Presentation

Nov 16, 2022 •305 likes •550 views

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

  1. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 École Normale Supérieure 2 EADS 3 Cryptolog International March 28 th , 2007 Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  2. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Outline Block ciphers with non-standard sizes 1 Choosing uniformly a random permutation 2 3 P ERMUTATOR Sampling following the Hypergeometric Distribution 4 Security Analysis 5 Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  3. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Small blocks Usual block ciphers operate over blocks of 64 bits or more. Some applications need shorter blocks (e.g. generation of unique pseudo-random numbers in a short range). Security issues with block size Usual block cipher designs (e.g. Feistel scheme) build ciphers from a restricted subset of the permutations over the message space (a Feistel scheme can only be an even permutation). This is tolerated thanks to the huge block size. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  4. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Non-binary alphabets Usual block ciphers use messages consisting of bits. Some applications need messages using another alphabet (e.g. generation of unique decimal pseudo-random numbers). 10 is more complex than 2 Decimal alphabets are challenging: Several ring structures can be applied to a set of size 10. There is no field of size 10. There are several types of differentials. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  5. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis What this paper is about We describe P ERMUTATOR , which is an algorithm for selecting randomly and uniformly a permutation over a set of n elements: n is arbitrary; the algorithm input is a seekable stream of random bits; if the stream is truly random, then all the n ! permutations have an equal chance of being selected; the permutation and its inverse can be “efficiently” evaluated. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  6. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Knuth Shuffle random selection 0 1 2 3 4 5 4 5 2 3 0 1 4 1 2 3 0 5 4 5 2 1 0 3 4 5 2 3 0 1 4 5 2 1 3 0 Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  7. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Knuth Shuffle The permutation is defined by an array of size n . We need n − 1 random selections of integers between 0 and r , where r goes down from n − 1 to 1. Cost: O ( n log n ) space O ( n log n ) CPU ( n selections of integers of size log n ) for init, then O ( log n ) (array lookup) for each evaluation Applicability The “Knuth shuffle” solves our problem only for very small values of n (e.g. n ≤ 10000). Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  8. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Partial evaluation Idea Use a shuffle algorithm, but apply it partially : for a given input x , compute only the parts which may have an influence over φ ( x ) . The Knuth shuffle is not adequate for partial evaluation: on average, n / 2 random selection events may affect φ ( x ) . Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  9. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Overview “P ERMUTATOR ” is a shuffle expressed as a binary tree of “S PLITTER ” operations. To evaluate φ ( x ) , one needs follow only one path from the root in that tree (log n nodes). “S PLITTER ” is implemented as a binary tree of “R EPARTITOR ” operations. For a given x , we need follow only one path in that tree, for each for the considered S PLITTER nodes. (at most log n sub-nodes). “R EPARTITOR ” is a random selection event, using the hypergeometric distribution, which has cost O ( log n ) . Cost: O ( log n ) space (tree walking, no backtrack needed) O (( log n ) 3 ) CPU for each evaluation Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  10. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis P ERMUTATOR : a tree of S PLITTER Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  11. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis S PLITTER S PLITTER is an elementary permutation which splits elements into two groups: each of the n elements goes either into the left half (size ⌊ n / 2 ⌋ ) or the right half (size ⌈ n / 2 ⌉ ). Within each half, the element ordering is preserved. S PLITTER selects ⌊ n / 2 ⌋ “white” elements, which go into the left half; the remaining (black) elements go into the right half. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  12. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis S PLITTER Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  13. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis S PLITTER Each S PLITTER works over n elements, and must “extract” p white elements. It invokes R EPARTITOR , which tells how many of these white elements come from the left half. S PLITTER then invokes itself recursively on both halves. For partial evaluation, only one half is considered. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  14. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis S PLITTER : a tree of R EPARTITOR 8 3 5 2 1 3 2 1 1 1 0 2 1 1 1 1 0 0 1 1 0 0 0 1 1 1 0 1 0 0 1 Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  15. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis R EPARTITOR R EPARTITOR is given n elements, among which p are white (and n − p are black). R EPARTITOR chooses how many of those p white elements come from the ⌊ n / 2 ⌋ first elements. R EPARTITOR , when used in P ERMUTATOR , selects a uniform permutation if it returns the value u following the hypergeometric distribution: �� n − a � a � k p − k P ( u = k ) = � n � p where a = ⌊ n / 2 ⌋ . Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  16. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Direct sampling For small values of p , R EPARTITOR uses a direct sampling algorithm: the p white elements are directly selected: 1 n 1 ← a , n 2 ← n − a 2 if p = 0, then return a − n 1 3 select randomly r between 0 and n 1 + n 2 − 1 (inclusive) 4 if r < n 1 , then n 1 ← n 1 − 1, else n 2 ← n 2 − 1 5 p ← p − 1 6 go to step 2 Limitations Cost is linear in p . We use this method for p ≤ 10. Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  17. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Rejection sampling Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

  18. Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Rejection sampling Principle We select random points until we find one which lies below the target distribution. The process is hastened by using a carefully chosen area for random point selection (a scaled “easy” distribution). For R EPARTITOR , we use the Cauchy-Lorentz distribution: � ν � � 1 CL µ , ν ( x ) = ( x − µ ) 2 + ν π where α = ⌊ n / 2 ⌋ / n , µ = α p and ν = 2 α ( 1 − α ) p . Louis Granboulan, Thomas Pornin Perfect Block Ciphers With Small Blocks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak

Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak

Breaking The FF3 Format- Preserving Encryption Standard Over Small Domains F. Betl Durak Serge Vaudenay 1 Block Ciphers {0,1} 128 0x149E00A50F0F00D6 K AES {0,1} 128 0xA4F22C1B78HE90A9 2 Block Ciphers {0,1} 128

1.32k views • 91 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Blockly &amp; Big Data CT @ VT Things to see today Blocks that produce representative slices

Blockly &amp; Big Data CT @ VT Things to see today Blocks that produce representative slices

Introduction to Computational Thinking Blockly &amp; Big Data CT @ VT Things to see today Blocks that produce representative slices of actual big data streams Blocks that correspond to programming language constructs See the

412 views • 7 slides
Memory Hierarchy &amp; Caching Use several levels of faster and faster memory to hide delay of

Memory Hierarchy &amp; Caching Use several levels of faster and faster memory to hide delay of

7a.1 7a.2 Memory Hierarchy &amp; Caching Use several levels of faster and faster memory to hide delay of upper levels EE 457 Unit 7a Unit of Transfer: Word, Half, or Byte (LW, LH, LB or SW, SH, SB) Registers L1 Cache ~ 1ns Cache and

492 views • 10 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Intro to A4: Block Stores CS 4410 Operating Systems [A. Bracy, R. Van Renesse] Introduction

Intro to A4: Block Stores CS 4410 Operating Systems [A. Bracy, R. Van Renesse] Introduction

Intro to A4: Block Stores CS 4410 Operating Systems [A. Bracy, R. Van Renesse] Introduction abstraction that provides File System persistent, named data abstraction providing access to a Block Store sequence of numbered blocks. (or Block

697 views • 42 slides
OFED - CHALLENGES Subhojit Roy, Tej Parkash, Lokesh Arora, Storage Engineering [May 26 th , 2017 ]

OFED - CHALLENGES Subhojit Roy, Tej Parkash, Lokesh Arora, Storage Engineering [May 26 th , 2017 ]

3 rd ANNUAL STORAGE DEVELOPER CONFERENCE 2017 BUILDING A BLOCK STORAGE APPLICATION ON OFED - CHALLENGES Subhojit Roy, Tej Parkash, Lokesh Arora, Storage Engineering [May 26 th , 2017 ] AGENDA Introduction Setting the Context (SVC as Storage

309 views • 15 slides
Mod 667 actions 1101: National Grid NTS to provide evidence as to whether the Duration Test was

Mod 667 actions 1101: National Grid NTS to provide evidence as to whether the Duration Test was

Mod 667 actions 1101: National Grid NTS to provide evidence as to whether the Duration Test was still appropriate and required. The entry capacity NPV test contains both a financial and duration element. The financial element is explicit and the

478 views • 13 slides
Graduate Entry Medical School Self-Directed Learning Booking Procedure GEMSD0011.2 Primary

Graduate Entry Medical School Self-Directed Learning Booking Procedure GEMSD0011.2 Primary

Graduate Entry Medical School Self-Directed Learning Booking Procedure GEMSD0011.2 Primary Responsibility: Chief Technical Officer Self-Directed Learning Booking Procedure 1.0 I NTRODUCTION This procedure is to ensure that students are aware

248 views • 10 slides
MIPS Architecture Example: subset of MIPS processor architecture Drawn from Patterson

MIPS Architecture Example: subset of MIPS processor architecture Drawn from Patterson

An Example: MIPS From the Harris/Weste book Based on the MIPS-like processor from the Hennessy/Patterson book MIPS Architecture Example: subset of MIPS processor architecture Drawn from Patterson &amp; Hennessy MIPS is a 32-bit

356 views • 16 slides

More recommend