
Permutation-based encryption, authentication and authenticated encryption



  1. Permutation-based encryption, authentication and authenticated encryption
     Joan Daemen (1), joint work with Guido Bertoni (1), Michaël Peeters (2) and Gilles Van Assche (1)
     (1) STMicroelectronics, (2) NXP Semiconductors
     DIAC 2012, Stockholm, July 6

  2. Modern-day cryptography is block-cipher centric
     - (Standard) hash functions make use of block ciphers: SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, …
     - So HMAC, MGF1, etc. are in practice also block-cipher based
     - Block encryption: ECB, CBC, …
     - Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB
     - MAC computation: CBC-MAC, C-MAC, …
     - Authenticated encryption: OCB, GCM, CCM …

  3. Structure of a block cipher

  4. Structure of a block cipher (inverse operation)

  5. When is the inverse block cipher needed?
     Indicated in red:
     - Hashing and its modes HMAC, MGF1, …
     - Block encryption: ECB, CBC, …
     - Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB
     - MAC computation: CBC-MAC, C-MAC, …
     - Authenticated encryption: OCB, GCM, CCM …
     So a block cipher without inverse can do a lot!

  6. Your typical block cipher: block cipher internals

  7. Designer’s view of a block cipher
     - n-bit block cipher with |K|-bit key
     - b-bit permutation with b = n + |K|
     - obtained by repeating an invertible round function
     - with an efficient inverse and no diffusion from data part to key part

  8. How it is typically used. Hashing use case: Davies-Meyer compression function

  9. Why limit diffusion from left to right? Removing diffusion restriction: not required in hashing

  10. Simplifying the view: iterated permutation
     So iterated permutation is at the same time simpler and more efficient!

  11. Block cipher without inverse: wide permutation
     - Previous applies to all modes where inverse is not needed
     - Requirement of separate key schedule vanishes
     - n-bit block cipher replaced by b-bit permutation with b = n + |K|
     - Permutation as a generalization of a block cipher
     - Less is more!

  12. Permutation-based crypto: the sponge construction. Permutation-based construction: sponge
     - f: a b-bit permutation with b = r + c
     - efficiency: processes r bits per call to f
     - security: provably resists generic attacks up to 2^(c/2)
     - Flexibility in trading rate r for capacity c or vice versa

  13. Security of the sponge construction. What can we say about sponge security
     - Generic security:
       - assuming f has been chosen randomly
       - covers security against generic attacks
       - construction as sound as theoretically possible
     - Security for a specific choice of f:
       - security proof is infeasible
       - Hermetic Sponge Strategy: design with attacks in mind
       - security based on absence of attacks despite public scrutiny

  14. Applications. What can you do with a sponge function? Regular hashing
     Pre-sponge permutation-based hash functions:
     - Truncated permutation as compression function: Snefru [Merkle ’90], FFT-Hash [Schnorr ’90], … MD6 [Rivest et al. 2007]
     - Streaming-mode: Subterranean, Panama, RadioGatún, Grindahl [Knudsen, Rechberger, Thomsen, 2007], …

  15. What can you do with a sponge function? Message authentication codes
     Pre-sponge (partially) permutation-based MAC function: Pelican-MAC [Daemen, Rijmen 2005]

  16. What can you do with a sponge function? Stream encryption
     - Similar to block cipher modes:
       - Long keystream per IV: like OFB
       - Short keystream per IV: like counter mode
     - Independent permutation-based stream ciphers: Salsa and ChaCha [Bernstein 2007]

  17. What can you do with a sponge function? Mask generating function

  18. Authenticated encryption: MAC generation. Remember MAC generation

  19. Authenticated encryption: encryption. Remember stream encryption

  20. Authenticated encryption: just do them both? And now together!

  21. The duplex construction
     - Sister construction of sponge opening new applications
     - Generic security equivalent to that of sponge
     - Object: D = duplex[f, pad, r]
     - Requesting ℓ-bit output: Z = D.duplexing(σ, ℓ)

  22. The SpongeWrap mode: SpongeWrap authenticated encryption
     - Single-pass authenticated encryption
     - Processes up to r bits per call to f
     - Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting, 2004]

  23. The SpongeWrap mode
     - Key K, data header A and data body B of arbitrary length
     - Confidentiality assumes unicity of data header
     - Supports intermediate tags

  24. Sponge functions: are they real? Sponge functions: existing proposals to date
     - Keccak: Bertoni, Daemen, Peeters, Van Assche; SHA-3 2008; 25, 50, 100, 200, 400, 800, 1600
     - Quark: Aumasson, Henzen, Meier, Naya-Plasencia; CHES 2010; 136, 176, 256
     - Photon: Guo, Peyrin, Poschmann; Crypto 2011; 100, 144, 196, 256, 288
     - Spongent: Bogdanov, Knezevic, Leander, Toz, Varici, Verbauwhede; CHES 2011; 88, 136, 176, 248, 320

  25. On the efficiency of permutation-based cryptography. The current perception
     - Quark, Photon, Spongent: lightweight hash functions
     - Lightweight is synonymous with low-area here
     - Easy to see why. Let us target security strength c/2
     - Davies-Meyer block cipher based hash (“narrow pipe”):
       - chaining value (block size): n ≥ c
       - input block size (key length): typically k ≥ n
       - feedforward (block size): n
       - total state ≥ 3c
     - Sponge (“huge state”):
       - permutation width: c + r
       - r can be made arbitrarily small, e.g. 1 byte
       - total state ≥ c + 8

  26. The current perception (continued)
     - Keccak showed that sponge can be secure and fast
     - Keyed sponge still perceived as possible but inefficient:
       - higher speed expected from MAC and stream encryption
       - competing proposals in keyed applications are faster
     - One cryptographic expert’s opinion: “The sponge construction is a pretty poor way to encrypt. One either gets high-speed but low security or low-speed and high security.”

  27. Permutations vs block ciphers
     - Unique block cipher features:
       - pre-computation of key schedule
         - storing expanded key costs memory
         - may be prohibitive in resource-constrained devices
       - misuse resistance
         - issue: keystream re-use in stream encryption
         - not required if nonces are affordable or available
         - address it with decent nonce management
     - Unique permutation features:
       - diffusion across full state
       - flexibility in choice of rate/capacity
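
An added example, not taken from the slides, that makes the duplex object of slide 21 (with the b = r + c split of slide 12) and a single-pass wrap in the style of slides 22 and 23 concrete. Assumptions: `f` is a toy ARX permutation standing in for a vetted one, framing and padding use whole bytes as a simplification (so outputs match no published SpongeWrap instance), and the names `RHO`, `wrap` and `unwrap` are hypothetical.

```python
import hmac, struct

R, C = 32, 32                 # rate r and capacity c in bytes, so b = r + c = 512 bits
RHO, M32 = R - 2, 0xFFFFFFFF  # payload per call to f: one frame byte + one pad byte reserved
QR = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def f(state):
    """Toy b-bit permutation from ChaCha-style ARX steps; a stand-in, not analysed."""
    x = list(struct.unpack("<16I", state))
    for rnd in range(10):
        x[0] ^= rnd + 1                       # round constant (XOR keeps f invertible)
        for a, b, c, d in QR:
            for p, q, s, rot in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
                x[p] = (x[p] + x[q]) & M32
                t = x[s] ^ x[p]
                x[s] = ((t << rot) | (t >> (32 - rot))) & M32
    return struct.pack("<16I", *x)

class Duplex:
    def __init__(self):
        self.s = bytes(R + C)                 # all-zero initial state
    def duplexing(self, sigma, l):            # absorb sigma, call f once, return l bytes
        if len(sigma) >= R or l > R: raise ValueError("sigma or l exceeds the rate")
        block = sigma + b"\x01" + bytes(R - len(sigma) - 1)   # byte-aligned 10* padding
        outer = bytes(u ^ v for u, v in zip(self.s, block))   # only the r-byte outer part
        self.s = f(outer + self.s[R:])        # the c-byte inner part is never output directly
        return self.s[:l]

def _blocks(m):
    return [m[i:i + RHO] for i in range(0, len(m), RHO)] or [b""]

def wrap(key, header, body, taglen=16, decrypt=False):
    d, kb, ab, bb = Duplex(), _blocks(key), _blocks(header), _blocks(body)
    for i, k in enumerate(kb):                # key blocks: frame byte 1, last block 0
        d.duplexing(k + bytes([i < len(kb) - 1]), 0)
    for a in ab[:-1]:                         # header blocks: frame byte 0, last block 1
        d.duplexing(a + b"\x00", 0)
    z, out = d.duplexing(ab[-1] + b"\x01", len(bb[0])), b""
    for i, blk in enumerate(bb):
        o = bytes(u ^ v for u, v in zip(blk, z))
        out += o
        last = i == len(bb) - 1               # the plaintext block is what gets absorbed
        z = d.duplexing((o if decrypt else blk) + bytes([not last]),
                        RHO if last else len(bb[i + 1]))
    return out, z[:taglen]

def unwrap(key, header, ct, tag):
    pt, t = wrap(key, header, ct, len(tag), decrypt=True)
    return pt if hmac.compare_digest(t, tag) else None   # release plaintext only on a valid tag
```

Reusing a (key, header) pair repeats the first keystream block, so the XOR of two first ciphertext blocks equals the XOR of the plaintext blocks; this is the reason slide 23 conditions confidentiality on a unique header.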
