Short Variable Length Domain Extenders With Beyond Birthday Bound Security - PowerPoint PPT Presentation

  1. Short Variable Length Domain Extenders With Beyond Birthday Bound Security. Yu Long Chen (imec-COSIC, KU Leuven), Bart Mennink (Digital Security Group, Radboud University, Nijmegen), Mridul Nandi (Indian Statistical Institute, Kolkata). December 3, 2018.

  2. Modes of Operation
     ◮ Block cipher: fixed-input-length (FIL)
     ◮ Apply block cipher iteratively, e.g. CBC mode: [figure: message blocks M_1, M_2, ..., M_{l−1}, M_l; each block is XORed with the previous ciphertext block (the IV for M_1) and encrypted with E_K, giving C_1, C_2, ..., C_{l−1}, C_l]

  3. Modes of Operation
     Fractional data ⇒ padding. CBC + padding: [figure: M_1, M_2, ..., M_{l−1} and a fractional last block M* padded with 10* to a full block M_l; CBC as before gives C_1, C_2, ..., C_{l−1}, C_l]
     Ciphertext expansion: |C| > |M|

  4. Avoiding Ciphertext Expansion
     1. CTR: turns block cipher into stream cipher ⇒ not suitable for some applications
     2. Non-generic methods: EME, TET, HEH, HCTR, HCH, XCB
     3. Ciphertext stealing: [figure: M_1, ..., M_{l−1} and M* padded with 10* to M_l, encrypted in CBC mode; C_{l−1} is truncated to the length of M* and the output is C_1, C_2, ..., C*_{l−1}, C_l, so no expansion occurs]
        ◮ Condition: C_i's need to be decrypted independently
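As an added example (not code from the slides or from the authors), the following implements the two options contrasted above at byte level: CBC with 10* padding, which expands the ciphertext, and CBC with ciphertext stealing, which keeps |C| = |M|. It assumes a constructed toy 64-bit Feistel cipher in place of E_K, byte-granular rather than bit-granular 10* padding, and the output order C_1, ..., C_{l−2}, C*_{l−1}, C_l drawn on the slide; the function names are my own.

```python
import hashlib

BLOCK = 8  # toy 64-bit block size, matching the 64-bit block cipher on the slides


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy Feistel cipher: keyed, round-dependent SHA-256, truncated.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round balanced Feistel cipher standing in for E_K (illustration only)."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(8):
        l, r = r, xor(l, _round_fn(key, r, rnd))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(8)):
        l, r = xor(r, _round_fn(key, l, rnd)), l
    return l + r


def pad10(data: bytes) -> bytes:
    """Byte-granular 10* padding: one 0x80 byte, then zero bytes up to the next block boundary."""
    n = BLOCK - len(data) % BLOCK
    return data + b"\x80" + b"\x00" * (n - 1)


def unpad10(data: bytes) -> bytes:
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("bad padding")
    return stripped[:-1]


def cbc_encrypt_blocks(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC over whole blocks: C_i = E_K(M_i xor C_{i-1}), C_0 = IV."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, xor(data[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_blocks(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC decryption: each C_i is decrypted independently, given only C_{i-1}."""
    blocks = [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]
    prevs = [iv] + blocks[:-1]
    return b"".join(xor(toy_decrypt_block(key, c), p) for c, p in zip(blocks, prevs))


def cbc_pad_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    return cbc_encrypt_blocks(key, iv, pad10(msg))  # always at least one byte longer than msg


def cbc_pad_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    return unpad10(cbc_decrypt_blocks(key, iv, ct))


def cbc_cs_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC with ciphertext stealing as drawn on the slide: pad M* with 10*, run CBC, then
    output C_1 .. C_{l-2}, C*_{l-1} (C_{l-1} truncated to |M*|), C_l. Output length equals |M|."""
    if len(msg) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block to steal from")
    m = len(msg) % BLOCK
    ct = cbc_encrypt_blocks(key, iv, pad10(msg))  # l blocks, l = len(msg) // BLOCK + 1
    c_prev, c_last = ct[-2 * BLOCK : -BLOCK], ct[-BLOCK:]
    return ct[: -2 * BLOCK] + c_prev[:m] + c_last


def cbc_cs_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    m = len(ct) % BLOCK
    head, c_star, c_last = ct[: -(BLOCK + m)], ct[-(BLOCK + m) : -BLOCK], ct[-BLOCK:]
    d = toy_decrypt_block(key, c_last)      # = C_{l-1} xor (M* || 10*)
    pad_tail = pad10(bytes(m))[m:]          # the padding bytes the decryptor knows in advance
    c_prev = c_star + xor(d[m:], pad_tail)  # stolen tail of C_{l-1} recovered from D(C_l)
    m_star = xor(d[:m], c_star)
    return cbc_decrypt_blocks(key, iv, head + c_prev) + m_star


if __name__ == "__main__":
    key, iv = b"\x01" * 16, b"\x02" * BLOCK  # constructed sample key and IV
    msg = b"twenty bytes message"            # 20 bytes: two full blocks plus a 4-byte M*
    print(len(msg), len(cbc_pad_encrypt(key, iv, msg)), len(cbc_cs_encrypt(key, iv, msg)))
```

The decryptor can reconstruct the stolen tail of C_{l−1} only because D(C_l) reveals C_{l−1} XOR the known padding, and it can then decrypt the rebuilt C_{l−1} on its own; that is the independence condition stated above, which CBC satisfies. A message shorter than one block has no block to steal from, so the code rejects it rather than silently expanding.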

  5. Length Doublers
     [figure: (M_1, M_2) → length doubler [n-bit enciphering scheme] → (C_1, C_2)]
     ◮ |M_1| = |C_1| = n = block size
     ◮ |M_2| = |C_2| ∈ [0, n − 1]

  6. Beyond Birthday Bound Length Doubler
     ◮ Format-preserving encryption
     ◮ Electronic product code tag encryption
     [figure: an 80-bit M enciphered to an 80-bit C; a 2^{n/2} doubler built from a 64-bit block cipher gives 32-bit security, a 2^{3n/4} doubler built from the same 64-bit block cipher gives 48-bit security]

  7. Security Definition
     [figure: adversary A with oracle access to either E_K^± or ρ^±]
     ◮ Adversary A makes q queries to oracle (E_K or ρ)
     ◮ Strong length-preserving pseudorandom permutation ⇔ A cannot determine which world it is interacting with

  8. Round Function F[Ẽ_K]
     [figure: inputs M_1 (n bits) and M_2 (s bits); the tweakable block cipher Ẽ_{K_1} is called with tweak T_1 formed from M_2 padded with 10*; its n-bit output Y is split into left_{n−s}(Y) and right_s(Y) and combined with the inputs to produce C_1 (n bits) and C_2 (s bits)]

  9. 2-LDT
     Security upper bound:
     ◮ 2^{n − (s/2)}
     Security lower bound:
     ◮ 2^{n/2} (ToSC 2017(3))
     ◮ "New bound"

  10. 3-LDT
     Security lower bound:
     ◮ "New bound"
     ◮ Better bound than 2-LDT

  11. Security Analysis of 3-LDT
     [plot: security of 3-LDT (y-axis ticks n, 11n/12, 7n/8, 5n/6, 3n/4, 2n/3, 5n/8, n/2) against s_min (x-axis ticks const, n/4, n/2, 3n/4, n − 2 log_2(n)); curves labelled s_max and s_max ≈ (n + s_min)/2, with a level of ≈ 5n/6 marked]
     Constraint: s_min ≤ s_max ≤ (n + s_min)/2

  12. Security Bound of 2-LDT and 3-LDT
     [plot: security (y-axis ticks n, 11n/12, 5n/6, 3n/4, 2n/3, 7n/12, n/2) against input size (x-axis ticks n, 5n/4, 3n/2, 7n/4, 2n − 1); ◦ = 2-LDT, ⋆ = 3-LDT; the 3-LDT points lie above the 2-LDT points]

  13. Harmonic Permutation Primitives
     (Tweakable) pseudorandom permutations G_{a,b} and H_{a,b}
     ◮ a, b ∈ {0, 1}
     ◮ a = forward, b = inverse
     ◮ 0 = random permutation, 1 = special
     [figure: the four cases a = 0, b = 0 (ideal primitive); a = 1, b = 0; a = 0, b = 1; a = 1, b = 1]

  14. Harmonic Permutation Primitives
     If a = 1 or b = 1, then the s-bit part of the permutation is random, while the (n − s)-bit part is still a permutation.
     [figure: an n-bit value split into an (n − s)-bit part and an s-bit part; the (n − s)-bit part passes through a permutation, the s-bit part is random]

  15. Proof Idea
     [figure: real world on the left: 3-LDT on input (M_1, M_2) with |M_1| = n and |M_2| = s, built from three tweakable block cipher calls Ẽ_{K_1}, Ẽ_{K_2}, Ẽ_{K_3} with tweaks T_1, T_2, T_3 (each formed with 10* padding), each output Y_i split into right_s(Y_i) and left_{n−s}(Y_i); ideal world on the right: the random permutation ρ; both produce (C_1, C_2)]

  16. Proof Idea
     Replace Ẽ_{K_1}, Ẽ_{K_2}, Ẽ_{K_3} by π̃_1, π̃_2, π̃_3 ←$ Perm(n, n).
     [figure: as on the previous slide, with π̃_1, π̃_2, π̃_3 in place of the keyed tweakable block ciphers, next to ρ]

  17. Proof Idea
     [figure: the three rounds now use G_{0,0} in place of π̃_1, π̃_2, π̃_3, and the ideal world uses H_{0,0} in place of ρ]

  18. Proof Idea [Reduction]
     [figure: reduction step; the distinguishing advantage is bounded (≤) through the steps on the following slides]

  19. Proof Idea [Step 1]
     [figure: the three rounds with G_{0,0} on the left are replaced on the right by G_{0,1} in round 1 (tweak T_1), G_{1,1} in round 2 (tweak T_2) and G_{1,0} in round 3 (tweak T_3); inputs, 10* padding and the left_{n−s}/right_s splits are unchanged]

  20. Proof Idea [Step 1]
     [figure: the four primitives G_{0,1}, G_{1,1}, G_{0,0}, G_{1,0}, each taking tweak T and message M and returning C]

  21. Proof Idea [Step 2]
     [figure: 3-LDT built from G_{0,1}, G_{1,1}, G_{1,0} on the left versus H_{1,1} on the right]
     Indistinguishable

  22. Proof Idea [Step 3]
     [figure: H_{1,1} on the left versus H_{0,0} on the right, both mapping (M_1, M_2) (n and s bits) to (C_1, C_2)]

  23. Conclusion
     New results
     ◮ Harmonic primitives
     ◮ 2-LDT: beyond birthday bound
     ◮ 3-LDT: better bound
     Further research
     ◮ 2-LDT and 3-LDT: tight bound?
     ◮ 3-LDT: optimal security?
     ◮ Harmonic primitives: tight bound and use for other constructions?
