symmetric key cryptography an engineering perspective
play

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha - PowerPoint PPT Presentation

Dec 26, 2022 •33 likes •873 views

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 December 19, 2014 1 / 44 Overview Engineering Perspective Design, analysis,

  1. Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 — December 19, 2014 1 / 44

  2. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques 2 / 44

  3. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques Two Parts • Hash functions • MAC algorithms 2 / 44

  4. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques Two Parts • Hash functions • MAC algorithms Simpli fi ed View • Small inaccuracies, details missing • Incomplete study: citations missing 2 / 44

  5. Part I: Hash Functions 3 / 44

  6. Hash Function Hash Function h • Generates a short “ fi ngerprint” of a message m Security Requirements • One-way function: h given Y , hard to fi nd m : h ( m ) = Y • Collision resistant function: hard to fi nd m � = m ′ : h ( m ) = h ( m ′ ) h ( m ) • . . . SHA-3 Competition (2008-2012) 4 / 44

  7. Hash Function Hash Function h • Generates a short “ fi ngerprint” of a message m Security Requirements • One-way function: h given Y , hard to fi nd m : h ( m ) = Y • Collision resistant function: hard to fi nd m � = m ′ : h ( m ) = h ( m ′ ) h ( m ) • . . . SHA-3 Competition (2008-2012) 4 / 44

  8. π κ Permutation-Based Hash Functions Hash Functions Based on Permutations • Simpler to design: no key schedule • Block-cipher-based: see later K x y P E C b b b b (Cryptographic) Permutation • Provable security: statistical object (random permutation) • Cryptanalysis: deterministic algorithm (no “distinguishers”) 5 / 44

  9. Hash Function Rate Hash Function Rate α data processed per permutation call (in bits) • α = permutation size (in bits) • Note: various de fi nitions of “rate” exist! 6 / 44

  10. Hash Function Rate Hash Function Rate α data processed per permutation call (in bits) • α = permutation size (in bits) • Note: various de fi nitions of “rate” exist! Ideal Construction • Rate-1 hash function: α = 1 6 / 44

  11. π π π Rate-1 Hash Function: First Attempt Simplest Rate-1 Hash Function m ℓ m 1 m 2 n . . . h ( m ) 0 n n 7 / 44

  12. π π π π π π Rate-1 Hash Function: First Attempt Collision: Correcting Block Attack m ℓ m 1 m 2 n x . . . h ( m ) 0 n n m ℓ ⊕ x ⊕ y m ′ m ′ 1 2 n y . . . h ( m ) 0 n n 8 / 44

  13. π π π Rate-1 Hash Function: Second Attempt Another Rate-1 Hash Function m 1 m 1 m 2 m 2 m ℓ m ℓ n . . . h ( m ) 0 n n 9 / 44

  14. π π π Rate-1 Hash Function: Second Attempt Observation m 1 m 1 m ℓ m ℓ x x n m 1 x m 1 x 0 . . . h ( m ) 0 n n 10 / 44

  15. π π π π π π Rate-1 Hash Function: Second Attempt Collision Attack (Black et al., Crypto ’02) m 1 m 1 m ℓ m ℓ x x n m 1 x m 1 x 0 . . . h ( m ) 0 n n m ℓ m ℓ m ′ m ′ x ′ x ′ 1 1 n m ′ m ′ x ′ x ′ 0 1 1 . . . h ( m ) 0 n n 11 / 44

  16. π Impossibility Result m i n n n n n h i − 1 f 1 f 2 h i Black et al. (Eurocrypt ’05) • Compression function from n -bit permutation • Information-theoretic: f 1 , f 2 can be any function • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ queries 12 / 44

  17. Security/E ffi ciency Tradeo ff s mn v n n f 1 π 1 sn g w n n f 2 π 2 n n f 3 π 3 Rogaway-Steinberger (Eurocrypt ’08) • Compression function from k n -bit permutations • Information-theoretic: f i can be any function • Generic collision attack: 2 n [1 − ( m − 0 . 5 s ) /k ] 13 / 44

  18. Security/E ffi ciency Tradeo ff s mn v n n f 1 π 1 sn g w n n f 2 π 2 n n f 3 π 3 Rogaway-Steinberger (Eurocrypt ’08) • Compression function from k = 3 n -bit permutations • Information-theoretic: f i can be any function, m = 2 , s = 1 • Generic collision attack: 2 n [1 − (2 − 0 . 5 · 1) / 3] = 2 n/ 2 14 / 44

  19. ⊕ ⊕ Security/E ffi ciency Tradeo ff s n v 1 n v 2 n n π 1 n w n n π 2 n n π 3 Mennink-Preneel (Crypto ’12) • Compression function from k = 3 n -bit permutations • Constructions with only XORs, fi rst systematic analysis • Optimal collision resistance: 2 n/ 2 15 / 44

  20. π Security/E ffi ciency Tradeo ff s 2 n v n w Why Not One Big Permutation? • 2 n -bit permutation instead of n -bit • Same generic collision attack: 2 n/ 2 • More e ffi cient than three n -bit permutations? 16 / 44

  21. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. 17 / 44

  22. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. Remarks • Not intuitive: b → b bits: (2 b ) 2 b = 2 b 2 b functions • Not rigorous: based on design choices and attacks • How to count “operations”? 17 / 44

  23. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. Remarks • Not intuitive: b → b bits: (2 b ) 2 b = 2 b 2 b functions • Not rigorous: based on design choices and attacks • How to count “operations”? Next Slides: Scaling Law Examples 17 / 44

  24. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) 18 / 44

  25. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) Rijndael (256-bit key): 8-bit Words • 128/192/256-bit block size: 14 rounds 18 / 44

  26. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) Rijndael (256-bit key): 8-bit Words • 128/192/256-bit block size: 14 rounds Skein: 64-bit Words • 256/512-bit block/key size: 72 rounds • 1024-bit block/key size: 80 rounds • Overdesign? Best (non-biclique) attack is on 36 rounds (Yu et al., SAC ’13) 18 / 44

  27. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) 19 / 44

  28. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) SHA-2 • SHA-256: 768-to-256-bit: 64 rounds (32-bit words) • SHA-512: 1536-to-512 bit: 80 rounds (64-bit words) 19 / 44

  29. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) SHA-2 • SHA-256: 768-to-256-bit: 64 rounds (32-bit words) • SHA-512: 1536-to-512 bit: 80 rounds (64-bit words) Keccak • 800-bit permutation: 22 rounds (32-bit words) • 1600-bit permutation: 24 rounds (64-bit words) • Note: zero-sum distinguisher for full-round 1600-bit per- mutation (Boura et al., Duan-Lai) 19 / 44

  30. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds 20 / 44

  31. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost 20 / 44

  32. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) 20 / 44

  33. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total 20 / 44

  34. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total • Four n -bit or one 2 n -bit permutation: same cost 20 / 44

  35. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total • Four n -bit or one 2 n -bit permutation: same cost • 272-bit Spongent: 5x lower throughput than 256-bit PHOTON (Bogdanov et al., IEEE Trans. Comp. 2013) 20 / 44

  36. Hash Functions with 2 n/ 2 Collision Resistance Rate-1 Hash Function ( α = 1) • Impossible (Black et al., Eurocrypt ’05) • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ 21 / 44

  37. Hash Functions with 2 n/ 2 Collision Resistance Rate-1 Hash Function ( α = 1) • Impossible (Black et al., Eurocrypt ’05) • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ Rate-0.5 Hash Function ( α = 0 . 5) • Three n -bit permutations • One 2 n -bit permutation 21 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to Symmetric Cryptography What is cryptography? Cryptography is communication in the presence of an adversary Ron Rivest. Coding theory Detection and

877 views • 28 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System Symmetric Key System a shared symmetric key Examples: DES IDEA RC4 AES Examples: DES, IDEA, RC4, AES Asymmetric Key System y y y a pair

661 views • 38 slides
CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

527 views • 26 slides
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(

1.32k views • 119 slides
Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key Cryptography Security Requirements Advantages Modes of Use Diffie-Hellman Key Exchange RSA Cryptosystem ElGamal

584 views • 32 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko Chair, Symmetric-Key Cryptography Subcommittee (Science University of Tokyo) 1 Symmetric-Key Cryptography Subcommittee(2002) K.Araki (TIT)

998 views • 20 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC & SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko

Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko

CSE 127: Computer Security Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko and Dan Boneh Cryptography Cryptography Is: A tremendous tool The basis for many security mechanisms

783 views • 67 slides
Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University of Technology This is joint work with Ahto Buldas and Risto Laanoja The presenter has received the Skype and IT Academy PhD Students Scholarship

318 views • 15 slides
Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by

Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by

Network Security Essentials Chapter 3 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively as the true name and the

970 views • 81 slides
Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan Microsoft Research, Cambridge Microsoft Research INRIA Joint Centre, Paris Joint work with C. Fournet and A.D. Gordon + R. Puccella, S. Tse, N.

1.4k views • 122 slides
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity

Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice Bob (sender) (reciever) Fran (forger) Remark: Authentication

450 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel

Message Authentication Code (MAC) Constructions Signature Schemes OWFs = Signatures Foundation of Cryptography (0368-4162-01), Lecture 7 MACs and Signatures Iftach Haitner, Tel Aviv University December 27, 2011 Message Authentication

1.25k views • 89 slides
Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad

Data and Network Security Lab Sharif University of Technology Department of Computer Engineering Mes Messa sage ge Aut uthe hent ntica ication tion Cod Codes es Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare

1.18k views • 80 slides
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

463 views • 42 slides
Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A

Hashing Hashing What is it? A form of narcotic intake? A side order for your eggs? A combination of the two? Hashing 1 Problem RT&T is a large phone company, and they want to provide caller ID capability: - given a phone number,

267 views • 14 slides

More recommend