release of unverified plaintext tight unified model and
play

Release of Unverified Plaintext: Tight Unified Model and Application - PowerPoint PPT Presentation

May 23, 2023 •304 likes •849 views

AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and Nilanjan Datta and Avijit Dutta and Bart Mennink and Mridul Nandi and Somitra Sanadhya and

  1. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE Donghoon Chang and Nilanjan Datta and Avijit Dutta and Bart Mennink and Mridul Nandi and Somitra Sanadhya and Ferdinand Sibleyras Institute for Advancing Intelligence, TCG-CREST, Kolkata Fast Software Encryption 2020 26th October, 2020 1 / 30

  2. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Outline of the Talk Definitions of AE and Security Notion. RUP Security. INT-RUP Attack on SUNDAE. MONDAE: An INT-RUP Secure Variant of SUNDAE. ANYDAE: Generic INT-RUP Design. TUESDAE: An Optimal Instantiation of ANYDAE. 2 / 30

  3. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Goal of Symmetric Cryptography Symmetric Cryptography Privacy Integrity

  4. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Goal of Symmetric Cryptography Symmetric Cryptography Privacy Integrity Enc. Scheme MAC Scheme 3 / 30

  5. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Goal of Symmetric Cryptography Symmetric Cryptography + Privacy Integrity Enc. Scheme AE Scheme MAC Scheme 4 / 30

  6. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Goal of Symmetric Cryptography Symmetric Cryptography + Privacy Integrity Enc. Scheme AE Scheme MAC Scheme Stateful AE (Nonce, Random IV or Arbitrary IV Based). Stateless AE. 4 / 30

  7. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Stateful Authenticated Encryption (AE) Authenticated Encryption Enc. Algorithm Dec. Algorithm N N C E K D K M / ⊥ M A A 5 / 30

  8. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Stateless Authenticated Encryption (AE) Authenticated Encryption Enc. Algorithm Dec. Algorithm N N C E K D K M / ⊥ M A A 6 / 30

  9. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE Privacy Requirement (IND-CPA). Real World Ideal World (Enc. Function) (Random Function) E K RF 7 / 30

  10. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE Privacy Requirement (IND-CPA). Real World Ideal World (Enc. Function) (Random Function) E K RF For a secure AE, the distinguishing advantage is negligible. 7 / 30

  11. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE Integrity Requirement (INT-CTXT). E K D K 8 / 30

  12. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE Integrity Requirement (INT-CTXT). E K D K A forges if A can produce a non-trivial ( N ∗ , A ∗ , C ∗ ) tuple such that D K ( N ∗ , A ∗ , C ∗ ) = M ∗ . 8 / 30

  13. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE Integrity Requirement (INT-CTXT). E K D K A forges if A can produce a non-trivial ( N ∗ , A ∗ , C ∗ ) tuple such that D K ( N ∗ , A ∗ , C ∗ ) = M ∗ . For a secure AE, the forging advantage is negligible. 8 / 30

  14. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Security of AE An AE scheme is secure in a conventional sense if it achieves IND-CPA and INT-CTXT security. 9 / 30

  15. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Release of Unverifiable Plaintext (RUP) Issue of AE Plaintext blocks can only be released after successful verification in the receiver end. But the buffer size in the receiving end is limited. As a result, it might not be able to hold the entire plaintext at once. Receiver might have to release the plaintext before verifying. 10 / 30

  16. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Security Model N A C N A C N A C D K Core D K V K M / ⊥ E K ⊤ / ⊥ M 11 / 30

  17. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Security Model Security of AE in RUP Model formalized by Andreeva et al. (ASIACRYPT 2014). 12 / 30

  18. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Security Model Security of AE in RUP Model formalized by Andreeva et al. (ASIACRYPT 2014). PA1 / PA2 notion. INT-RUP notion. 12 / 30

  19. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Security Model Security of AE in RUP Model formalized by Andreeva et al. (ASIACRYPT 2014). PA1 / PA2 notion. INT-RUP notion. PA1 Notion. Real World Ideal World E K D K E K S Enc. Hist 12 / 30

  20. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Security Model Security of AE in RUP Model formalized by Andreeva et al. (ASIACRYPT 2014). PA1 / PA2 notion. INT-RUP notion. PA2 Notion. Real World Ideal World E K D K E K S Enc. Hist 13 / 30

  21. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE RUP Secure AE An AE scheme is RUP secure if it achieves IND-CPA and PA1 and INT-RUP security. 14 / 30

  22. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Different Variants of RUP Security Hoang et al. introduced RAE notion (EUROCRYPT 2015). • Distinguish AE from a random injective function. Hoang et al. introduced RAE sim notion (EUROCRYPT 2015). • Employs PA2 notion. Barwell et al. introduced SAE notion (IMACC 2015). • Refinement of RAE for nonce based AE. Ashur et al. introduced RUPAE notion (CRYPTO 2017). Focuses on nonce based AE. PA1 + INT-RUP with the ideal model decryption being a random function. 15 / 30

  23. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Different Variants of RUP Security Encode-then-SPRP is known to achieve RAE and RUPAE security. 16 / 30

  24. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Different Variants of RUP Security Encode-then-SPRP is known to achieve RAE and RUPAE security. Such construction is two pass in both encryption and decryption. 16 / 30

  25. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Different Variants of RUP Security Encode-then-SPRP is known to achieve RAE and RUPAE security. Such construction is two pass in both encryption and decryption. These security notions hold for nonce based AE. Security is void when nonce is misused. 16 / 30

  26. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE Different Variants of RUP Security Encode-then-SPRP is known to achieve RAE and RUPAE security. Such construction is two pass in both encryption and decryption. These security notions hold for nonce based AE. Security is void when nonce is misused. We need a security model in RUP scenario which allows Nonce Misuse. Single pass decryption feature. 16 / 30

  27. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE AERUP Security Notion AERUP Security Notion. Real World Ideal World E K D K V K $ S ⊥ AERUP ⇐ ⇒ AE + PA1 + INT-RUP. 17 / 30

  28. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T Determinstic AE. 18 / 30

  29. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T Determinstic AE. Makes a + 2 m + 1 BC invocations. 18 / 30

  30. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T Determinstic AE. Makes a + 2 m + 1 BC invocations. One of the AE Candidates in NIST Lightweight Cryptography competition. 18 / 30

  31. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T SUNDAE is particularly efficient for short messages. 19 / 30

  32. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T SUNDAE is particularly efficient for short messages. State size as small as the block size. 19 / 30

  33. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE [Banik et al., FSE 2019] A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 C 1 C 2 T SUNDAE is particularly efficient for short messages. State size as small as the block size. Offers good implementation characteristics both on lightweight and high-performance platforms. 19 / 30

  34. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE is not RUP Secure: INT-RUP Insecurity A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 T C 1 C 2 1. A makes query D K ( ǫ, T 1 , C 1 [1]), where T 1 = 110 n − 2 and obtains M 1 [1]. 20 / 30

  35. AE Definition RUP Security RUP Attack on SUNDAE ANYDAE SUNDAE is not RUP Secure: INT-RUP Insecurity A 1 A 2 M 1 M 2 pad pad 110 n − 2 E K E K E K E K E K E K E K ⌊·⌋ | M 2 | | A 2 | < n ? 2 : 4 | M 2 | < n ? 2 : 4 M 1 M 2 T C 1 C 2 1. A makes query D K ( ǫ, T 1 , C 1 [1]), where T 1 = 110 n − 2 and obtains M 1 [1]. A learns E K (110 n − 2 ) = M 1 [1] ⊕ C 1 [1] . 20 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals Online Parallelizable Software oriented Decryption-misuse resistant, unverified plaintext release Nonce-misuse resistant, or

180 views • 15 slides
Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3 ciphertext as numbers: 28 17 17 ciphertext: C R R Groupwork 1. Log into our discord server. 2. Leave yourself muted on the main zoom call; I

434 views • 31 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It

ADD BoF Intro How we got here Old History Traditional DNS uses plaintext to port 53 It was always possible, but uncommon, to subvert that stub-resolver-auth resolution model Snowden revelations led to RFC7258 Encrypting DNS

346 views • 9 slides
Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications

Large-scale electronic structure methods Introduction Lanczos method 1D tight-binding model O(N) Krylov subspace method Applications Outlook Taisuke Ozaki (ISSP, Univ. of Tokyo) The Summer School on DFT: Theories and

689 views • 55 slides
On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schge Ruhr-University Bochum EUROCRYPT 2016 1 Tight Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A

835 views • 48 slides
A tight race between deterministic and stochastic dynamics of RPS-model Qian Yang Supervisors:

A tight race between deterministic and stochastic dynamics of RPS-model Qian Yang Supervisors:

A tight race between deterministic and stochastic dynamics of RPS-model Qian Yang Supervisors: Prof. Jonathan Dawes &amp; Dr. Tim Rogers University of Bath Email: Q.Yang2@bath.ac.uk July 5, 2016 . . . . . . . . . . . . . . . .

392 views • 22 slides
Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October

Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October

Model Building in Grand Unified Theories Tom as Gonzalo University College London 15 October 2014 1 Outline Motivation Review of Grand Unified Theories Overview of Group Theory Model Building Groups and Representations Theories and

1.13k views • 78 slides
SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound Harikrishna Narasimhan and Shivani Agarwal Department of Computer Science and Automation Indian Institute of Science, Bangalore Receiver Operating

1.12k views • 90 slides
Scalable Translation Validation of Unverified Legacy OS Code Amer Tahat, Sarang Joshi, Pronoy

Scalable Translation Validation of Unverified Legacy OS Code Amer Tahat, Sarang Joshi, Pronoy

Renee 1.0 Scalable Translation Validation of Unverified Legacy OS Code Amer Tahat, Sarang Joshi, Pronoy Gawsamy, Binoy Ravindran Presenter: Amer Tahat System Software Research Group-SSRG Department of Electrical and Computer Engineering

807 views • 33 slides
Pseudo-Masked Language Models for Unified Language Model Pre-Training ICML-2020 Hangbo Bao, Li

Pseudo-Masked Language Models for Unified Language Model Pre-Training ICML-2020 Hangbo Bao, Li

Pseudo-Masked Language Models for Unified Language Model Pre-Training ICML-2020 Hangbo Bao, Li Dong, Furu Wei, Wenhui Wang, Nan Yang, Xiaodong Liu, Yu Wang, Songhao Piao, Jianfeng Gao, Ming Zhou, Hsiao-Wuen Hon Unified Pre-Training Framework h

390 views • 16 slides
Western Placer Unified School District Board of Trustees - January 20, 2015 1 Positive economic

Western Placer Unified School District Board of Trustees - January 20, 2015 1 Positive economic

Western Placer Unified School District Board of Trustees - January 20, 2015 1 Positive economic growth continues and fuels public education spending Proposition 98 continues to receive most of the new money Funding is tight for the

543 views • 22 slides
A Simple Computer Computing Models A simple computer model with a unified notion of

A Simple Computer Computing Models A simple computer model with a unified notion of

A Simple Computer Computing Models A simple computer model with a unified notion of data and instructions Von Neumann architecture model The first key idea is a model of memory Others Computing with

452 views • 31 slides
The Shell Model: An Unified Description of the Structure of the Nucleus (I) ALFREDO POVES

The Shell Model: An Unified Description of the Structure of the Nucleus (I) ALFREDO POVES

The Shell Model: An Unified Description of the Structure of the Nucleus (I) ALFREDO POVES Departamento de F sica Te orica and IFT, UAM-CSIC Universidad Aut onoma de Madrid (Spain) Frontiers in Nuclear and Hadronic Physics

416 views • 26 slides
The Shell Model: An Unified Description of the Structure of the Nucleus (III) ALFREDO POVES

The Shell Model: An Unified Description of the Structure of the Nucleus (III) ALFREDO POVES

The Shell Model: An Unified Description of the Structure of the Nucleus (III) ALFREDO POVES Departamento de F sica Te orica and IFT, UAM-CSIC Universidad Aut onoma de Madrid (Spain) Frontiers in Nuclear and Hadronic Physics

335 views • 33 slides
A Unified Model for I-N-S A -S C Phase Transitions for Liquid Crystal Song Mei School of

A Unified Model for I-N-S A -S C Phase Transitions for Liquid Crystal Song Mei School of

A Unified Model for I-N-S A -S C Phase Transitions for Liquid Crystal Song Mei School of Mathematical Science, Peking University November 1, 2013 Joint work with Jiequn Han, Wei Wang, Pingwen Zhang . . . . . . . . . . . . . . .

605 views • 29 slides
Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto,

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto,

Release the Kraken: New KRACKs in the 802.11 Standard Mathy Vanhoef @vanhoefm Toronto, Canada, 16 October 2018 Key reinstallations in the 4-way handshake 2 WPA2: 4-way handshake Used to connect to any protected Wi-Fi network Mutual

814 views • 43 slides
#$

#$

#$ /':;98*

418 views • 12 slides
Learning and Teaching Strategy Curriculum Review kick-off workshop Professor Alan Spivey

Learning and Teaching Strategy Curriculum Review kick-off workshop Professor Alan Spivey

Learning and Teaching Strategy Curriculum Review kick-off workshop Professor Alan Spivey Assistant Provost (Learning and Teaching) Agenda and event format 14.00 - Introduction and Q&amp;A Alan Spivey L&amp;T Assistant Provost

207 views • 7 slides
Seamless Transitions APRIL 13, 2016 SAFIYAH JACKSON KELLEY POLLITT MICHAEL B. ABEL, PH.D. How

Seamless Transitions APRIL 13, 2016 SAFIYAH JACKSON KELLEY POLLITT MICHAEL B. ABEL, PH.D. How

PreK-3 Continuum: Your Role in Creating Seamless Transitions APRIL 13, 2016 SAFIYAH JACKSON KELLEY POLLITT MICHAEL B. ABEL, PH.D. How often are you formally taking note of what kindergarten transition period means to individual children,

841 views • 48 slides
Construc)ng Effec)ve Assignments, Problem Sets &amp; Exam Ques)ons

Construc)ng Effec)ve Assignments, Problem Sets &amp; Exam Ques)ons

Construc)ng Effec)ve Assignments, Problem Sets &amp; Exam Ques)ons Best Prac)ces for Teaching and Learning Goal To illustrate how to apply Bloom s

348 views • 8 slides
Interac(ve Teaching &amp; Ac(ve Learning Best Prac(ces for

Interac(ve Teaching &amp; Ac(ve Learning Best Prac(ces for

Interac(ve Teaching &amp; Ac(ve Learning Best Prac(ces for Teaching and Learning Outline 1. Introduc+on 2. One-on-one teaching 3. Ac+ve Learning Methods

374 views • 21 slides
Writing Multiple-Choice Questions to Assess Higher Order Thinking October 28, 2020 Michael

Writing Multiple-Choice Questions to Assess Higher Order Thinking October 28, 2020 Michael

10/29/2020 Writing Multiple-Choice Questions to Assess Higher Order Thinking October 28, 2020 Michael Atkinson (Department of Psychology) Kim Whiter (Centre for Teaching and Learning) Ken N. Meadows (Centre for Teaching and Learning) Session

127 views • 9 slides
The Performance-Learning Continuum Because Learning Is Not a One-Time Thing Larry Bograd

The Performance-Learning Continuum Because Learning Is Not a One-Time Thing Larry Bograd

The Performance-Learning Continuum Because Learning Is Not a One-Time Thing Larry Bograd RoundMGroup Learning Introductions Name and location What do you do Why are you attending this session? How Did You Learn to? Learning

338 views • 12 slides

More recommend