the 128 bit blockcipher clefia
play

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 - PowerPoint PPT Presentation

Nov 18, 2023 •255 likes •464 views

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

  1. The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University

  2. Direction for designing a new blockcipher Priority for Choosing an algorithm 1. Security 2. Implementation cost and Encryption speed Security Security Algorithm X Algorithm Y Speed Low cost Low cost Speed

  3. Target Category of CLEFIA Hardware Oriented • Smartcard, RFID • HIGHT, ICEBERG, Streamciphers Balanced (general-purpose) • Widely used in many products • AES, Serpent, Camellia, FOX, … Software Oriented • Servers for Huge Data Processing • RC6, SEA, Streamciphers

  4. The Blockcipher CLEFIA Basic Information � Block Length : 128-bit � Key Length : 128-bit, 192-bit, 256-bit � Structure : 4-branch generalized Feistel (Type-II) � Number of Rounds : 18 (128-bit key), 22 (192-bit key), 26 (256-bit key)

  5. Key Plaintext Key Scheduling Part Data Processing Part F 1 F 0 Bit Permutation F 0 F 1 Bit Permutation Reduced Bit Permutation Data F 1 F 0 Processing : : : : Bit Permutation Part Bit Permutation F 1 F 0 Bit Permutation F 1 F 0 Bit Permutation Ciphertext

  6. SP-type F-functions F-functions Round function F 0 S 0 32 32 32 32 8 ⎛ ⎞ 01 02 04 06 ⎜ ⎟ S 1 RK 2i RK 2i+1 ⎜ ⎟ 02 01 06 04 8 ⎜ ⎟ S 0 04 06 01 02 32 32 ⎜ ⎟ 8 ⎜ ⎟ ⎝ ⎠ 06 04 02 01 S 1 F 1 F 0 8 F 1 S 1 8 ⎛ ⎞ 01 08 02 0 a ⎜ ⎟ S 0 ⎜ ⎟ 08 01 0 02 a 8 ⎜ ⎟ S 1 02 0 01 08 a ⎜ ⎟ 8 ⎜ ⎟ ⎝ ⎠ 0 02 08 01 a S 0 8

  7. What ’ s New in CLEFIA Combination of 1. Diffusion Switching Mechanism (DSM) , and � � Type-II generalized Feistel structure (GFN) Two S-boxes System 2. Enhanced Key Scheduling Part 3.

  8. 2-branch Feistel VS. 4-branch Feistel 4-branch type-II generalized Feistel Structure Feistel Structure (GFN) 32 32 32 32 F F 64 64 F F F F F F + Better Diffusion - Slow diffusion requires more rounds - Large F-function +Compact F-function

  9. What is Diffusion Switching Mechanism (DSM)? DSM enhance the diffusion � M 1 efficiency of Feistel structure Optimal Diffusion To strengthen against � Mappings M 1 (MDS matrices) � differential attack, and M 1 , M 2 � linear attack M 2 by switching plural diffusion matrices in F-functions concatenation References M 1 || M 2 � M 2 is also an optimal � Shirai, Shibutani@FSE04 diffusion mapping � Shirai, Preneel@Asiacrypt04 M 1 Shirai, Shibutani@FSE06 � M 1

  10. 4-branch GFN + DSM DSM is suitable to 4-branch GFN � No need for round depending Switching � Effect of reducing the number of rounds � Reducing about 30% of number of rounds in CLEFIA ’ s case � F F F 0 F 1 F F F F F 0 F F 1 F : : : : : : : : F F F 0 F F 1 F F F F 0 F 1 F F F F F 0 F F 1 F With DSM Without DSM

  11. Estimation of active S-boxes S-box : S 0 = − 4 . 67 DP 2 max × = > 4 . 67 28 130 . 76 128 = − 4 . 38 LP 2 max × = > 4 . 38 30 131 . 4 128 128-bit key 192-bit key Minimum Requirement 256-bit key

  12. 2 S-box system � CLEFIA employs 2 different 8-bit S-boxes S 0 S 1 − = 6 DP 2 = − 4 . 67 2 DP max ⎛ ⎞ 1 2 max ⎜ ⎟ = − SS 0 SS 2 ⎜ ⎟ 6 − = LP 2 ⎛ ⎞ 4 . 38 2 ⎝ ⎠ LP 2 1 1 2 Inversion max max ⎜ ⎟ f GF(2 8 ) g ⎜ ⎟ Over ⎝ ⎠ 2 1 8 8 SS 1 SS 3 • Based on Inversion over GF(2 8 ) • Based on 4-bit S-boxes (Whirlpool, FOX) (AES, Camellia) Byte oriented saturation transition S All All S 0 S Const = 0 Balance S 1

  13. Key Scheduling Part of CLEFIA (Concept) Key : RK 0 ,..,RK 3 Bit Permutation RK 4 ,..,RK 7 Bit Permutation Reduced-round RK 8 ,..,RK 11 Bit Permutation Data Processing RK 12 ,..,RK 15 Bit Permutation Part RK 16 ,..,RK 19 Bit Permutation RK 20 ,..,RK 23 Bit Permutation : : :

  14. Key Scheduling Part of CLEFIA (128-bit key) Key 12-round 4-branch GFN 28 diff. Active S-boxes : F 0 F F 1 F RK 0 ,..,RK3 Bit Permutation RK 4 ,..,RK 7 Bit Permutation F 0 F F 1 F RK 8 ,..,RK 11 : : “DoubleSwap” function : : Bit Permutation A B C D F 0 F F 1 F RK 12 ,..,RK 15 Bit Permutation RK 16 ,..,RK 19 Bit Permutation F 0 F F 1 F B D A C RK 20 ,..,RK 23 Bit Permutation F 0 F 1 F F : : :

  15. Key Scheduling Part of CLEFIA (192,256-bit key) Key F 0 F 1 F 0 F 1 RK 0 ,..,RK 7 Bit Permutation F 0 F 1 F 0 F 1 RK 8 ,..,RK 15 Bit Permutation 10-round F 0 F 1 F 0 F 1 8-branch GFN RK 16 ,..,RK 31 Bit Permutation 29 diff. Active S-boxes : : : : : : : : RK 32 ,..,RK 47 Bit Permutation : : : F 0 F 1 F 0 F 1 F 0 F 1 F 0 F 1 F 0 F 1 F 0 F 1

  16. Security Evaluation (excerpt) [Data Processing Part] Differential Attack � 1. Differential Cryptanalysis 2. Linear Cryptanalysis � 12-round has 28 differential active S-boxes 3. Differential-Linear Cryptanalysis 4. Boomerang Attack Linear Attack � 5. Amplified Boomerang Attack 6. Rectangle Attack � 12-round has 29 linear active S-boxes 7. Truncated Differential Cryptanalysis 8. Truncated Linear Cryptanalysis 9. Impossible Differential Cryptanalysis Impossible Differential Attack � 10. Saturation Cryptanalysis 11. Higher Order Differential Cryptanalysis � Found 9-round Impossible Diff paths 12. Interpolation Cryptanalysis 13. XSL Attack 14. Chi-Square Cryptanalysis Saturation Attack � 15. Slide Attack 16. Related-Cipher Cryptanalysis � Found 6-round Saturation paths, 17. Related-Key Cryptanalysis 18. Related-Key Boomerang Cryptanalysis 10-round attack 19. Related-Key Rectangle Cryptanalysis 20. Collision Attack [Key Scheduling Part] Related-key type Attacks � � Expected to be difficult due to many active S-boxes

  17. Performance : Software Estimation 90% of AES operations + dependency � � 144 S-boxes in CLEFIA vs. 160 S-boxes in AES (128-bit key) Current Experimental Results on Athlon 64 in assembly

  18. Performance : Hardware Reasons for the Compactness 4-branch GFN � F-functions can be shared by Data Processing Part and Key � Scheduling Part Small footprint S-box and Matrices � Cycle Gate Efficiency * Process Type of Throughput Algorithm Ref Size [Throughput / [Mbps] Implementation Rule gate] 0.09 μ m CLEFIA 36 4,993 677 135 0.13 μ m Compact AES 54 5,398 311 85.5* [20] 0.13 μ m 44 6,511 325 75* Camellia [20] 0.09 μ m CLEFIA 18 6,061 1,424 235 0.13 μ m Speed AES 11 12,454 1,691 202.5* [20] 0.13 μ m Camellia 22 10,993 971 132* [20] *The values of efficiency are adjusted by multiplying 1.5 by taking the difference of process into account

  19. Conclusion Proposed a new blockcipher CLEFIA � � DSM + 4-branch Feistel, Two S-boxes, Enhanced Key Schedule, etc.. Confirmed Potential ability for compact and fast � implementations Software – One of the fastest ciphers � Hardware – Achieved the best efficiency � among known general-purpose blockciphers. Keeping enough security margin against all known attacks � Analysis of CLEFIA is very welcome!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth Asian Workshop on Symmetric Key Cryptography, 19%22, December 2014, SETS Chennai, India 1 Introduction Blockcipher mode : turning a blockcipher

702 views • 59 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Introduction Idealized Combined Feedback Construction : iCOFB Specification for COFB Hardware Implimentation Results of COFB Conclusion Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian Statistical

457 views • 35 slides
Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure

Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata

470 views • 35 slides
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul

On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul

On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul Nandi 2 , Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad, India 3 Google Inc. and Department of

605 views • 35 slides
Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

1 / 24 Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom. Sibenik, 7 June 2016 Basic Syntax of Blockciphers DES

882 views • 85 slides
Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

246 views • 23 slides
Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in 30th Sept, ASK-2015, NTU, Singapore Symmetric Key Primitives Distinguishing Game Distinguishing a real keyed

588 views • 33 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? } k } n } n { , { , { , It is a function E of parameters k and n that maps

329 views • 17 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
An enciphering scheme based on a card shuffle Ben Morris Mathematics, UC Davis Joint work with

An enciphering scheme based on a card shuffle Ben Morris Mathematics, UC Davis Joint work with

An enciphering scheme based on a card shuffle Ben Morris Mathematics, UC Davis Joint work with Viet Tung Hoang (Computer Science, UC Davis) and Phil Rogaway (Computer Science, UC Davis). Setting Blockcipher construction pseudorandom function

317 views • 27 slides
An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

Introduction CAESAR Competition TriviA : A Streamcipher Based AE Scheme Hardware Implementation of TriviA ELmD : A Blockcipher Based AE Scheme An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

812 views • 48 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a

BLOCK CIPHERS 1 / 1 Permutations and Inverses A function f : { 0 , 1 } { 0 , 1 } is a permutation if there is an inverse function f 1 : { 0 , 1 } { 0 , 1 } satisfying x { 0 , 1 } : f 1 ( f ( x )) = x

1.05k views • 62 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED cipher algorithm would be the default cipher together with AES in SRTP Motivation In Korea, many companies provide VoIP service and we

294 views • 6 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 14, 2013 Announcements / Goals For

459 views • 9 slides
The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t Robshaw RSA Labs Ray Sidney RSA Labs Yiqun Lisa Yin RSA Labs (August 21, 1998) Out line N Design Philosophy N Descr ipt ion of

421 views • 19 slides

More recommend