the subterranean 2 0 cipher suite
play

The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa - PowerPoint PPT Presentation

May 12, 2023 •477 likes •1.2k views

The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa Massolino 3 , Alireza Mehrdad 1 , Yann Rotella 2 1 Radboud University NL, 3 PQShield UK, 2 UVSQ, LMV, Universit e Paris-Saclay FR Fast Software Encryption Workshop November 9,

  1. The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa Massolino 3 , Alireza Mehrdad 1 , Yann Rotella 2 1 Radboud University NL, 3 PQShield UK, 2 UVSQ, LMV, Universit´ e Paris-Saclay FR Fast Software Encryption Workshop November 9, 2020 1/22

  2. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control 2/22

  3. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control Subhash: → M h 2/22

  4. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  5. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  6. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ blank R rounds ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  7. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a squeeze here ❄ blank R rounds ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  8. Subterranean ’s round function R b : 256-bit shift register with 32-bit stages 3/22

  9. Subterranean ’s round function R b : 256-bit shift register with 32-bit stages a : 257-bit state: a ← R ( a , b ) . . . a 76 a 77 a 78 a 79 a 80 a 81 a 82 a 83 a 84 a 85 a 86 . . . a 0 t ◦ ◦ ◦ ✡✠ ✡✠ ✡✠ ❄ ❄ ❄ ❄ γ ◦ ◦ ◦ ✛ ✛ ✛ ✛ � � � � ▽ ς ◦ ✁ ✁ θ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✟ ✙ ✛ b 3 � � σ [ b ] 10 64 88 100 112 124 136 P ✏ P ❍ ❍ �✟✟✟ ✏✏✏✏ ✟ π P ❍ ❅ ✘✘✘ ✘ P ✥ P ❍ ❅ � ✥ . . . a 91 a 92 a 93 . . . a 0 t + 1 3/22

  10. Could Subterranean 1992 compete in the lightweight competition 2020? 4/22

  11. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 4/22

  12. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software 4/22

  13. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway 4/22

  14. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway • Low energy? • R takes 4 XOR, 1 NAND, 1 NOT per bit and is shallow • absorbing: 32 bits per round → 32 XOR, 8 NAND, 8 NOT per bit • squeezing: 16 bits per round → 64 XOR, 16 NAND, 16 NOT per bit 4/22

  15. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway • Low energy? • R takes 4 XOR, 1 NAND, 1 NOT per bit and is shallow • absorbing: 32 bits per round → 32 XOR, 8 NAND, 8 NOT per bit • squeezing: 16 bits per round → 64 XOR, 16 NAND, 16 NOT per bit • Not bad, so let’s give it a shot! 4/22

  16. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption 5/22

  17. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels 5/22

  18. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • Mode 5/22

  19. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • Mode 5/22

  20. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • Mode 5/22

  21. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode 5/22

  22. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode • 8 blank rounds between absorbing and squeezing 5/22

  23. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode • 8 blank rounds between absorbing and squeezing • except for encryption/decryption in SAE that relies on nonce uniqueness 5/22

  24. And now to Subterranean 2.0 and its rationale in more detail! 6/22

  25. Subterranean-XOF M 0 M 1 M i Z 0 Z 1 Z 2 Z 7 R 8 R 2 R 2 R 2 0 R R R • | M j | : one byte • | Z j | : 4 bytes 7/22

  26. Subterranean-Deck K 0 K 1 M 0 M 1 Z 0 Z 1 Z 2 Z i R 8 0 R R R R R R R • | M j | , | Z j | , | K j | : 4 bytes 8/22

  27. Subterranean-SAE A i a Z 0 Z i +1 K 0 N 2 A 0 P 0 Z 1 P i T 0 T 1 T 3 R 8 R 8 0 R R R R R R R R • | K j | , | N j | , | A j | , | Z j | , | P j | , | T j | : 4 bytes 9/22

  28. The Subterranean 2.0 round function . . . s 76 s 77 s 78 s 79 s 80 s 81 s 82 s 83 s 84 s 85 s 86 . . . s 0 t ◦ ◦ ◦ ✝ ✆ ✝ ✆ ✝ ✆ ❄ ❄ ❄ ❄ χ ✛ ✛ ✛ ✛ � � � � ▽ ι ◦ ✁ ✁ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✙ ✟ θ � � 64 88 100 112 124 136 π P P ✏✏✏✏ ✏ ❍ ✟ P ❍ �✟✟ ❅ ✘ P ✘✘ P ❍ ❅ � ✥ ✥ . . . s 91 s 92 s 93 . . . s 0 t + 1 χ : s i ← s i + ( s i +1 + 1) s i +2 ι : s i ← s i + δ i θ : s i ← s i + s i +3 + s i +8 π : s i ← s 12 i 10/22

  29. Absorb and Squeeze . . . s 76 s 77 s 78 s 79 s 80 s 81 s 82 s 83 s 84 s 85 s 86 . . . s 0 t ◦ ◦ ◦ ✝ ✆ ✝ ✆ ✝ ✆ χ ❄ ❄ ❄ ❄ ✛ ✛ ✛ ✛ � � � � ▽ ι ◦ ✁ ✁ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✟ ✙ ✲ θ � � 64 88 100 112 124 136 π P ✏ P ✏✏✏✏ ❍ ✟ P ❍ �✟✟ ❅ ✘ P ✘✘ ✥ P ❍ ❅ � ✥ . . . s 91 s 92 s 93 . . . s 0 t + 1 12 4 = 176 G 64 = { 1 , 176 , 136 , . . . , 92 } ≺ Z / 257 Z ∗ z i = s 176 i + s 176 − i s 176 i = s 176 i + p i 11/22

  30. Design Rationale in a nutshell The choice of G 64 : • non-consecutive bits (State-Recovery attacks on Ketje Jr [Fuhr, Naya-Plasencia, Rotella, ToSC 2018] ) • consistent with π dispersion 12/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite 12 spacious Suites Junior Suite: 45m 2 Suite: 65m 2 Apartment Suite: 110m 2 Fine Italian Cuisine Renowned Chef Vito Grippa

498 views • 18 slides
Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim

Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim

Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim Fredericks National Pest Management Association Termite Impact Eastern Subterranean Termite ( Reticulitermes flavipes) Consumers spend $2-3

323 views • 16 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Subterranean surroundings, whether real or imaginary, furnish a model of an artificial

Subterranean surroundings, whether real or imaginary, furnish a model of an artificial

Subterranean surroundings, whether real or imaginary, furnish a model of an artificial environment from which nature has been effectively banished...human beings who live underground must use mechanical devices to provide the necessities of

251 views • 8 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
underground Planning and subterranean development Jonathan Bore Going underground...

underground Planning and subterranean development Jonathan Bore Going underground...

Going underground Planning and subterranean development Jonathan Bore Going underground... Background Why here? Why now? Pros and cons Number of applications Permitted development Impact during construction

282 views • 17 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Lecture 7: Sequential Networks: Registers, Finite State Machines CSE 140: Components and Design

Lecture 7: Sequential Networks: Registers, Finite State Machines CSE 140: Components and Design

Lecture 7: Sequential Networks: Registers, Finite State Machines CSE 140: Components and Design Techniques for Digital Systems Diba Mirza Dept. of Computer Science and Engineering 1 University of California, San Diego D Flip-Flop (Delay)

714 views • 37 slides
The Art and Science of Memory System Calls Kernel

The Art and Science of Memory System Calls Kernel

9/30/14 CSE 506: Opera.ng Systems CSE 506: Opera.ng Systems Logical Diagram Binary Memory Threads Formats Allocators User The Art and Science of

110 views • 9 slides
Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC

Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC

Project 4 Inter-Process Communication and Process Management COS 318 Fall 2016 Project 4: IPC and Process Management Goal: Add new IPC mechanism and process management to the kernel. Read the project spec for the details. Get a

411 views • 17 slides
Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.453 Quantum Optical Communication Lecture Number 23 Fall 2016 Jeffrey H. Shapiro c 2008, 2010, 2014 Date: Tuesday, December 6, 2016

280 views • 13 slides
VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D

VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D

VLSI Testing Sequential ATPG Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/ E-mail:

491 views • 19 slides
EE 201: Sequential logic in VHDL Steven Bell 14 February 2019 By the end of class today, you

EE 201: Sequential logic in VHDL Steven Bell 14 February 2019 By the end of class today, you

EE 201: Sequential logic in VHDL Steven Bell 14 February 2019 By the end of class today, you should be able to: Print debugging info using report and write / writeline Use a process block for combinational logic, sequential logic, or testbench

253 views • 10 slides
Hybrid Controller Chip (HCC) Size: 4700um x 2860um; I/O pads: 83 Dual pad-ring

Hybrid Controller Chip (HCC) Size: 4700um x 2860um; I/O pads: 83 Dual pad-ring

Hybrid Controller Chip (HCC) Size: 4700um x 2860um; I/O pads: 83 Dual pad-ring structure to fit onto Hybrid IBM Standard Cells: ~20,000 + 727 Decoupling caps (200pF) Nets: 22,942 Macros: Voltage Regulator

313 views • 6 slides
Software Development Methodologies Lecturer: Raman Ramsin Lecture 1: Basics Sharif University of

Software Development Methodologies Lecturer: Raman Ramsin Lecture 1: Basics Sharif University of

Software Development Methodologies Lecturer: Raman Ramsin Lecture 1: Basics Sharif University of Technology Department of Computer Engineering 1 Software Development Methodologies Lecture 1 Software Development Methodology (SDM) Software

1.23k views • 12 slides

More recommend