some challenges in heavyweight cipher design daniel j
play

Some challenges in heavyweight cipher design Daniel J. Bernstein - PDF document

Jan 13, 2023 •365 likes •673 views

Some challenges in heavyweight cipher design Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Protocol generates new AES-128 key k . Protocol encrypts message block m 1 as AES k (1) m 1 , m 2 as

  1. Some challenges in heavyweight cipher design Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

  2. Protocol generates new AES-128 key k . Protocol encrypts message block m 1 as AES k (1) ⊕ m 1 , m 2 as AES k (2) ⊕ m 2 , m 3 as AES k (3) ⊕ m 3 , etc. Also authenticates. First block m 1 is predictable: GET / HTTP/1.1\r\n Attacker learns AES k (1). Can attacker deduce AES k (20)? We constantly tell people: “No! AES is secure! This is all safe!”

  3. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”.

  4. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”. Fragile fix: Complicate protocols by trying to randomize everything.

  5. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”. Fragile fix: Complicate protocols by trying to randomize everything. Much simpler fix: 256-bit keys. (Side discussion: Is 192 enough?)

  6. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor.

  7. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor. Parallelize: N 2 processors, each running 2 64 =N iterations. 1999 Zalka claims this is optimal.

  8. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor. Parallelize: N 2 processors, each running 2 64 =N iterations. 1999 Zalka claims this is optimal. Multiple targets should allow much better parallelization. Related algos: 2009 Bernstein; 2004 Grover–Radhakrishnan.

  9. Should MACs have nonces? To authenticate ( m 1 ; m 2 ; m 3 ; m 4 ): Compute function with small differential probabilities. e.g., r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 , where r is secret. Generate a one-time key s n = AES k ( n ) from master key k . Add to obtain MAC: r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 + s n . Widely deployed for speed: consider, e.g., GCM.

  10. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages.

  11. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?)

  12. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?) Is this 2 128 “security”?

  13. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?) Is this 2 128 “security”? Forgery chance ≤ ‹ + › where › is AES PRF insecurity and ‹ ≈ q 2 L= 2 128 for message lengths ≤ L .

  14. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 .

  15. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.)

  16. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.) Fragile solution: “Switch keys!”

  17. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.) Fragile solution: “Switch keys!” Much simpler: 256-bit blocks. 2014 Bernstein–Chou “Auth256”: 29 bit ops/message bit for differential probability < 2 − 255 . Or try EHC from 2013 Nandi?

  18. Improving Tor Tor wants “fast, proven, secure, easy-to-implement, non-patent- encumbered, side-channel-free” 509-byte blooock cipher. (But current cipher is a disaster, so can consider compromises.) Also: secure chaining from each blooock to the next. Tor is considering deployment of AEZ or HHFHFH in 2016. See, e.g., Mathewson talks from RWC 2013 and RWC 2016.

  19. � � � block cipher (strong SPRP) Feistel NR CMC CTR EME OFB XCB HCTR stream cipher PEP (strong PRF) HCH TET HEH iHCH HOH EMME SCTES � blooock cipher HHFHFH (strong SPRP)

  20. � � � � � � � � � � � � � � x 0 w x 1 + 1 H 1 � H 2 � F 2 � + 2 x 2 x 3 F 3 H 3 − 3 � H 4 � − 4 x 4 w x 5

  21. Previous slide: HHFHFH (Bernstein–Nandi–Sarkar). H is purely combinatorial; F is a stream cipher. Ingredients: 4-round Feistel; H at top (1996 Lucks), bottom (1997 Naor–Reingold); H 2 ; H 3 allow one-block nonces; H 1 ; H 4 are stretched by 0-pad; XCB/HCTR-style tweak, faster than 2002 Liskov–Rivest–Wagner. Allow one H 1 ; H 2 ; H 3 ; H 4 key; unify H 1 ; H 2 hypotheses; unify H 3 ; H 4 hypotheses.

  22. One possibility for F : permutation in EM in CTR. Full-width permutation output beats squeezing for long output; and CTR is highly parallel. Also choose highly parallel H . We’re still optimizing choices. Use single-block tweak w . “chopTC”: chain by choosing w as truncation of P ⊕ C . HHFHFH reads each bit in array twice, writes each bit once. Something I’m working on now: more locality inside permutation.

  23. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”?

  24. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis.

  25. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis. Simpler fix: “bigger-birthday- bound security.” Use 256-bit blocks, security q 2 = 2 256 .

  26. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis. Simpler fix: “bigger-birthday- bound security.” Use 256-bit blocks, security q 2 = 2 256 . Is 256-bit n safe in ChaCha?

  27. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc.

  28. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc. Occasional designs: Rijndael, OMD (SHA-2), Keccak, BLAKE2, NORX, Simpira, : : : . This needs far more attention, optimization. Hash designs are usually overkill.

  29. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc. Occasional designs: Rijndael, OMD (SHA-2), Keccak, BLAKE2, NORX, Simpira, : : : . This needs far more attention, optimization. Hash designs are usually overkill. Is 256 fundamentally much slower, or much less energy-efficient, than 128? My guess: No!

  30. Another optimization target: PRF inside EdDSA signatures. EdDSA generates per-signature random number mod 256-bit ‘ as truncated hash: H ( s; m ) mod ‘ . H is SHA-512; s is subkey. 2015 Bellare–Bernstein–Tessaro: truncated prefixed MD hash is a high-security multi-user MAC. Even with the constraint of reusing preimage-resistant hash, surely can build better design in both software and hardware.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design phase - Everyone designs a cipher. Analysis phase - Everyone analyses the ciphers published. 2 / 9 Design phase The design of your cipher

264 views • 9 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

577 views • 56 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design? CSci 5271 A. DES Introduction to Computer Security Networking (contd) and cryptography B. AES Stephen McCamant C. DSA University of

582 views • 11 slides
Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in 30th Sept, ASK-2015, NTU, Singapore Symmetric Key Primitives Distinguishing Game Distinguishing a real keyed

588 views • 33 slides
Odds and ends Determinis0c Encryp0on Construc0ons: SIV

Odds and ends Determinis0c Encryp0on Construc0ons: SIV

Online Cryptography Course

135 views • 10 slides
Tagging: An Overview Rule-based Disambiguation Example after-morphology data (using Penn

Tagging: An Overview Rule-based Disambiguation Example after-morphology data (using Penn

Tagging: An Overview Rule-based Disambiguation Example after-morphology data (using Penn tagset): I watch a fly . NN NN DT NN . PRP VB NN VB VBP VBP Rules using word forms, from context &amp; current position

694 views • 9 slides
PPs t r rt

PPs t r rt

PPs t r rt rst trs

872 views • 62 slides
Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel

Function Families PRF from OWF PRP from PRF Applications Foundation of Cryptography (0368-4162-01), Lecture 4 Pseudorandom Functions Iftach Haitner, Tel Aviv University November 29, 2011 Function Families PRF from OWF PRP from PRF

1.17k views • 58 slides
Adaptive Management Task Force: Implementation Plan and Pilot Criteria October 2018 Presentation

Adaptive Management Task Force: Implementation Plan and Pilot Criteria October 2018 Presentation

Adaptive Management Task Force: Implementation Plan and Pilot Criteria October 2018 Presentation Outline Superfund Adaptive Management Overview Task Force Implementation Plan Superfund AM Pilot Criteria Next Steps 1 SUPERFUND

906 views • 39 slides
A Probability Ranking Principle for Interactive IR Norbert Fuhr October 18, 2008 Outline

A Probability Ranking Principle for Interactive IR Norbert Fuhr October 18, 2008 Outline

A Probability Ranking Principle for Interactive IR Norbert Fuhr October 18, 2008 Outline Motivation Approach The Model Towards application Conclusion and Outlook Motivation The classical PRP Questioning the PRP assumptions Interactive

1.03k views • 34 slides
U s e r s p a c e N V M e D r i v e r i n Q E M U F a m Z h e n g

U s e r s p a c e N V M e D r i v e r i n Q E M U F a m Z h e n g

U s e r s p a c e N V M e D r i v e r i n Q E M U F a m Z h e n g S e n i o r S o f t w a r e E n g i n e e r K V M F o r m 2 0 1 7 , P r a g u e A b o u t N V M e

428 views • 32 slides

More recommend