
POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher (ArcticCrypt 2016, slide deck)

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher. ArcticCrypt 2016. Christian Forler (1), Eik List (2), Stefan Lucks (2), Jakob Wenzel (2). (1) Hochschule Schmalkalden, (2) Bauhaus-Universität Weimar. Contact: eik.list (at) uni-weimar.de. 18 July 2016.


  1. Title slide: POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher, ArcticCrypt 2016, 18 July 2016 (Forler, List, Lucks, Wenzel). Every slide carries the footer "18 July 2016, slide number/27, Eik List, POEx"; it is omitted from the slides below.

  2. Agenda
     1 Motivation
     2 POEx
     3 Proof Ideas
     4 Instantiation
     5 Summary

  3. Section 1: Motivation

  4. On-Line Ciphers [Bellare et al., 2001]
     [Figure: two messages $M = (M_1, \dots, M_p, M_{p+1}, M_{p+2}, \dots)$ and $M' = (M_1, \dots, M_p, M'_{p+1}, M'_{p+2}, \dots)$ sharing a $p$-block prefix are encrypted block by block with $E_K$; the ciphertexts agree on $C_1, \dots, C_p$ and diverge from $C_{p+1}$ versus $C'_{p+1}$ onwards.]
     - On-line cipher: every $C_i$ depends only on $M_1, \dots, M_i$
     - [Boldyreva and Taesombut, 2004]: constant latency and memory
     - Length-preserving
     - Prefix-preserving: let $p \leftarrow \mathrm{LLCP}_n(M, M')$ be the length (in blocks) of the longest common prefix; then
       $C_i = C'_i$ for all $1 \le i \le p$,
       $C_{p+1} \ne C'_{p+1}$,
       $C_i$, $C'_i$ independent for all $i > p + 1$

  7. Notions: SOPRP-Security [Bellare et al., 2001]
     [Figure: adversary $A$ with oracle access either to the real on-line cipher $E_K$ / $D_K$ for $K \xleftarrow{\$} \mathcal{K}$, or to a random on-line permutation $P$ / $P^{-1}$ for $P \xleftarrow{\$} \mathrm{OPerm}_n$.]

  8. Limitation: Birthday Bound
     [Figures: the on-line ciphers HCBC1, MHCBC, TC3 and HPCBC, each built from $E_K$ (HCBC1, MHCBC and HPCBC additionally from the hash $H_L$), processing $M_1, \dots, M_m$ into $C_1, \dots, C_m$ with an $n$-bit chaining value initialised to $0^n$.]
     - (S)OPRP security requires a dependency on the previous block $\Rightarrow$ chaining
     - All of the above: $n$-bit chaining value (bottleneck: collision)
     - Birthday bound: security lost after $2^{n/2}$ blocks encrypted under the same key
     - Interesting problem in practice and theory

  9. Application: On-Line Authenticated Encryption Schemes
     Relevance:
     - High-throughput/low-latency requirements, e.g. Optical Transport Networks [ITU-T, 2009]
     - Stream-oriented interfaces in implementations, e.g. EVP_DecryptUpdate in OpenSSL [Young and Hudson, 2011]
     - Output (part of) the result before all input parts are fully processed
     2nd-round block-cipher-based robust on-line CAESAR candidates: AES-JAMBU, COLM (AES-COPA + ELmD), POET, SHELL
     - These inherit the birthday-bound limitation

  12. Approaches for Higher (Provable) Security
     1 Instantiation with a wide-block primitive
     2 Sponges
     3 BBB-secure design

  13. Alternative Approaches, 1. Instantiation with a Wide-Block Primitive
     [Figure: TC3 with blocks $M_1, \dots, M_m$, masks, $E_K$ and ciphertexts $C_1, \dots, C_m$, chaining value initialised to $0^n$.]
     Example: TC3 [Rogaway and Zhang, 2011] with the Prøst permutation or BLAKE2b, keyed and tweaked using Even-Mansour [Even and Mansour, 1991]
     + Efficient
     + Simple description and analysis
     - Technically not beyond-birthday-bound (BBB) (our approach guarantees significantly higher security)

  14. Alternative Approaches, 2. Sponge
     [Figure: sponge mode absorbing $M$ and squeezing $C$ from an $IV$ through repeated applications of the permutation $\pi$ under key $K$.]
     E.g. Keyak, Ketje, NORX, PRIMATEs, StriBOB, ...
     + High security margin
     o Not fully as efficient as block-cipher-based on-line ciphers
     - Technically not BBB

  15. Section 2: POEx

  16. POE
     [Figure: POE on blocks $M_1, M_2, \dots, M_L$: a top chain through $H_L$ starting at $X_0$, $E_K$ in the middle, a bottom chain through $H_L$ starting at $Y_0$, outputs $C_1, C_2, \dots, C_L$.]
     - On-line cipher under POET [Abed et al., 2014]
     - 1 BC call + 2 calls to an $\epsilon$-AXU hash function $H$ per block
     - SOPRP-secure
     - POE + PMAC + tag splitting: decryption-misuse-resistant on-line AE scheme POET

  17. XTX [Minematsu and Iwata, 2015]
     [Figure: tweak $T$ is hashed by $H_L$ into a tweak part $V$ and a mask part $W$; $W$ is XORed to the input $M$ and to the output of $E_K$, $V$ is the tweak of $E_K$; output $C$.]
     - Tweak-domain extender for a tweakable block cipher $\widetilde{E}: \mathcal{K} \times \{0,1\}^{\tau} \times \{0,1\}^{n} \to \{0,1\}^{n}$
     - $\epsilon$-AXU hash function $H: \mathcal{L} \times \{0,1\}^{*} \to \{0,1\}^{\tau} \times \{0,1\}^{n}$
     - Bound:
       $$\mathrm{Adv}^{\mathrm{STPRP}}_{\mathrm{XTX}[\widetilde{E},H],\,\mathrm{XTX}[\widetilde{E},H]^{-1}}(A) \le \epsilon \cdot q^2 + \mathrm{Adv}^{\mathrm{STPRP}}_{\widetilde{E},\,\widetilde{E}^{-1}}(\ell, O(t)).$$

  18. POEx
     [Figure: blocks $M_1, M_2, M_3$ are masked with $W_1, W_2, W_3$ to give $X_1, X_2, X_3$; $H_L$, fed from the chaining values starting at $X_0$ ($n$ bits) and $Y_0$, outputs the tweak $V_i$ ($\tau$ bits) and the mask $W_i$; $\widetilde{E}_K$ with tweak $V_i$ maps $X_i$ to $Y_i$; outputs $C_1, C_2, C_3$.]
     - XTX chained
     - $H$: $\epsilon$-AXU hash function
     - $\widetilde{E}$: tweakable block cipher
     - SOPRP-secure on-line cipher
     - Secure up to about $O(2^{n + \tau/2})$ blocks encrypted under the same key
     - BBB-secure

  19. Section 3: Proof Ideas

  20. Proof Ideas: Steps
     [Figure: the POEx diagram of slide 18.]
     Steps:
     1 Replace $\widetilde{E}$ by the ideal primitive $\widetilde{\pi} \xleftarrow{\$} \mathrm{TPerm}(\tau, n)$
     2 Identify bad events
     3 Study the difference between $\mathrm{POEx}$ / $\mathrm{POEx}^{-1}$ and $P$ / $P^{-1}$ without bad events: in, directly after, and beyond the common prefix
     4 Bound the probability of bad events

  24. Proof Ideas: Bad Events
     [Figure: the POEx diagram with $\widetilde{E}_K$ replaced by $\widetilde{\pi}$.]
     Bad events: consider distinct queries $(M, C) \ne (M', C')$, $p = \mathrm{LLCP}_n(M, M')$
     - Enc. queries: tweak+input collision $(V_i, X_i) = (V'_j, X'_j)$
     - Enc. queries: chaining-value collision $(X_i, Y_i) = (X'_j, Y'_j)$
     - Collisions beyond the longest common prefix
     - Two similar bad events for decryption queries

  25. Proof Ideas: Bound
     [Figure: one POEx round: $M_i$ masked by $W_i$ to $X_i$; $H_L$ on $(X_{i-1}, Y_{i-1})$ gives $V_i$ and $W_i$; $\widetilde{E}_K$ with tweak $V_i$ gives $Y_i$; output $C_i$.]
     Assuming independent keys $K$ and $L$ and an $\epsilon$-AXU hash function $H$:
     $$\mathrm{Adv}^{\mathrm{SOPRP}}_{\mathrm{POEx}[\widetilde{E},H],\,\mathrm{POEx}[\widetilde{E},H]^{-1}}(A) \le 2\ell^2 \epsilon \cdot \left( \frac{2^{\tau}}{2^{n} - \ell} + 2 \right) + \mathrm{Adv}^{\mathrm{STPRP}}_{\widetilde{E},\,\widetilde{E}^{-1}}(\ell, O(t)).$$

  26. Section 4: Instantiation

  27. Instantiation of $\widetilde{E}$
     [Figure: the POEx diagram of slide 18.]
     - TWEAKEY constructions [Jean et al., 2014]
     - Deoxys-BC-128-128 as $\widetilde{E}$: AES-based, software-efficient, 128-bit tweak and state
     - Various application-specific alternatives possible: Joltik-BC, Mennink's designs [Mennink, 2015], ThreeFish [Ferguson et al., 2010], ...

  29. Instantiation of $H$
     [Figure: the POEx diagram of slide 18.]
     GF multiplications for $H$:
     $$\mathrm{Poly}[n]_L(M) := \sum_{i=1}^{m} L^{m+1-i} \cdot M_i \bmod p_n(x),$$
     which is $m/2^n$-AXU over $\mathrm{GF}(2^n)$; $p_n(x)$ is the irreducible polynomial defining $\mathrm{GF}(2^n)$.
     For $\mathcal{L} = \mathrm{GF}(2^n) \times \mathrm{GF}(2^{\tau})$:
     $$\mathrm{Poly}[n,\tau]_{L_1,L_2}(M) := \big( \mathrm{Poly}[n]_{L_1}(M),\ \mathrm{Poly}[\tau]_{L_2}(M) \big).$$
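Added derivation (not from the slides) of the $m/2^n$-AXU claim for $\mathrm{Poly}[n]_L$, stated for two distinct inputs of the same length $m$ blocks, which is the situation in POEx where the hash input is a fixed-length chaining value; for inputs of different lengths the polynomial hash needs a length encoding, since e.g. $(0, a)$ and $(a)$ hash to $L \cdot a$ for every $L$. For $M \ne M'$ and any $\Delta \in \mathrm{GF}(2^n)$,
$$\mathrm{Poly}[n]_L(M) \oplus \mathrm{Poly}[n]_L(M') \oplus \Delta = \sum_{i=1}^{m} L^{m+1-i} \cdot (M_i \oplus M'_i) \oplus \Delta$$
is a nonzero polynomial in $L$ of degree at least $1$ and at most $m$ over $\mathrm{GF}(2^n)$ (some $M_i \oplus M'_i \ne 0$, and $\Delta$ only changes the constant term), so it has at most $m$ roots, and
$$\Pr_{L \xleftarrow{\$} \mathrm{GF}(2^n)}\big[\mathrm{Poly}[n]_L(M) \oplus \mathrm{Poly}[n]_L(M') = \Delta\big] \le \frac{m}{2^n}.$$
For $\mathrm{Poly}[n,\tau]_{L_1,L_2}$ with independent $L_1, L_2$ the two coordinates are independent, so $\epsilon \le (m/2^n) \cdot (m/2^{\tau})$.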
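As an added worked example (not code from the POEx authors), the construction of slides 18 and 29 and the prefix-preserving property of slide 4 in Python: $\mathrm{Poly}[n,\tau]_{L_1,L_2}$ over $\mathrm{GF}(2^{128})$ as the $\epsilon$-AXU hash, the tweakable block cipher replaced by a lazily sampled ideal tweakable permutation $\widetilde{\pi} \xleftarrow{\$} \mathrm{TPerm}(\tau, n)$ as in proof step 1 of slide 20, and POEx as the chained XTX, so that two messages with a common prefix of $p$ blocks give ciphertexts agreeing on exactly the first $p$ blocks. Assumptions not fixed by the slides: $n = \tau = 128$, the reduction polynomial $x^{128} + x^7 + x^2 + x + 1$, bit $i$ of an integer as the coefficient of $x^i$, initial chaining values $X_0 = Y_0 = 0$, and the hash input being the previous pair $(X_{i-1}, Y_{i-1})$.

```python
import os
from collections import defaultdict
# Toy parameters (assumptions, not fixed by the slides): n = tau = 128 over GF(2^128) with
# p_n(x) = x^128 + x^7 + x^2 + x + 1; an integer's bit i is the coefficient of x^i.
N = 128
P_N = (1 << N) | 0x87

def gf_mul(a, b):
    """Carry-less product of a and b in GF(2^n), reduced modulo p_n(x)."""
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1
        a <<= 1
        if a >> N: a ^= P_N
    return r

def poly_hash(L, blocks):
    """Poly[n]_L(M) = sum_{i=1..m} L^(m+1-i) * M_i mod p_n(x), evaluated in Horner form."""
    acc = 0
    for m_i in blocks:
        acc = gf_mul(acc ^ m_i, L)
    return acc

class IdealTPerm:
    """Lazily sampled pi <- TPerm(tau, n): an independent random permutation per tweak."""
    def __init__(self):
        self.fwd, self.bwd = defaultdict(dict), defaultdict(dict)
    def _lookup(self, tweak, a, src, dst):
        if a not in src[tweak]:  # fresh point: sample an image not yet used under this tweak
            b = int.from_bytes(os.urandom(N // 8), "big")
            while b in dst[tweak]:
                b = int.from_bytes(os.urandom(N // 8), "big")
            src[tweak][a], dst[tweak][b] = b, a
        return src[tweak][a]
    def enc(self, tweak, x): return self._lookup(tweak, x, self.fwd, self.bwd)
    def dec(self, tweak, y): return self._lookup(tweak, y, self.bwd, self.fwd)

def poex(pi, L1, L2, blocks, decrypt=False):
    """POEx as chained XTX: H(X_{i-1}, Y_{i-1}) = (V_i, W_i); C_i = pi(V_i, M_i ^ W_i) ^ W_i."""
    x_prev, y_prev, out = 0, 0, []  # X_0 = Y_0 = 0 and this hash input are assumptions
    for blk in blocks:
        w = poly_hash(L1, [x_prev, y_prev])  # n-bit mask part, Poly[n]_{L1}
        v = poly_hash(L2, [x_prev, y_prev])  # tau-bit tweak part, Poly[tau]_{L2}
        if decrypt:
            y = blk ^ w; x = pi.dec(v, y); out.append(x ^ w)
        else:
            x = blk ^ w; y = pi.enc(v, x); out.append(y ^ w)
        x_prev, y_prev = x, y
    return out
```

Because the ideal permutation is sampled lazily, one `IdealTPerm` instance plays the role of one key: encrypting two messages with it and decrypting the results with the same instance exercises the chaining exactly as the proof's ideal-primitive step does.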
