
  1. Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jérémy Jean - Ivica Nikolić - Thomas Peyrin NTU - Singapore ASIACRYPT 2014 Kaohsiung, Taiwan - December 11, 2014

  2. Outline
  1 Introduction
  2 The TWEAKEY Framework
     ⊲ TWEAKEY
     ⊲ The tweakable block cipher KIASU-BC
  3 The STK Construction
     ⊲ STK
     ⊲ Joltik-BC and Deoxys-BC
  4 Authenticated encryption with TBC
  5 Future works

  3. Tweakable block ciphers
  Tweakable block ciphers are very useful building blocks:
  ⊲ block cipher, stream cipher
  ⊲ parallel MAC
  ⊲ parallel authenticated encryption: like OCB3 or COPA, but with a simpler design/proofs and much higher security bounds
  ⊲ hash function: use the tweak input as block counter (HAIFA framework) or to perform randomized hashing
  ⊲ tree hashing: use the tweak to encode the position in the tree
  ⊲ PRNG, KDF, disk encryption

  4. Contributions
  ⊲ block cipher based TBC constructions (like XEX) usually provide only birthday security
  ⊲ building an ad-hoc TBC with full security is not easy (there are very few proposals)
  ⊲ even designing a key schedule remains a risky task, especially for long keys (see the related-key attacks on AES-256)
  Our contributions
  ⊲ we propose the TWEAKEY framework to help designers create tweakable block ciphers
  ⊲ we provide one cipher example, KIASU-BC, the first ad-hoc AES-based TBC
  ⊲ in the TWEAKEY framework, we propose the STK construction for SPN ciphers
  ⊲ we provide two cipher examples, Joltik-BC and Deoxys-BC



  7. Tweakable block ciphers?
  From an efficiency point of view, updating the tweak input of a TBC should be very cheap → the tweak schedule should be lighter than the key schedule.
  From a security point of view, the tweak is fully known and controllable by the attacker, unlike the key → the tweak schedule should be stronger than the key schedule.
  Thus, for a TBC designer, this paradox leads to: tweak = key.

  8. The TWEAKEY framework
  Rationale: tweak and key should be treated the same way → tweakey.
  [Figure: the TWEAKEY construction. The tweakey state tk_0, tk_1, ..., tk_r is updated by h; g extracts a subtweakey from each tk_i, which is XORed into the state between the round functions f; P = s_0, s_{r+1} = C.]
  TWEAKEY generalizes the class of key-alternating ciphers.

  9. The TWEAKEY framework
  [Figure: same TWEAKEY construction as slide 8: tk_0 → h → tk_1 → ... → tk_r, subtweakeys g(tk_i) XORed into s_0 = P, ..., s_{r+1} = C between the round functions f.]
  The regular key schedule is replaced by a TWEAKEY schedule that generates subtweakeys. An n-bit key, n-bit tweak TBC has a 2n-bit tweakey, and g compresses 2n bits to n bits:
  ⊲ such a primitive would be a TK-2 primitive (TWEAKEY of order 2).
  ⊲ the same primitive can be seen as a 2n-bit key cipher with no tweak (or a 1.5n-bit key and 0.5n-bit tweak, etc.).


  11-12. The tweakable block cipher KIASU-BC
  KIASU-BC is exactly the AES-128 cipher, but with a fixed 64-bit tweak value T XORed into each subkey (the first two rows).
  [Figure: AES-128 vs KIASU-BC. In AES-128 the key K goes through the AES key schedule (AES KS) and each subkey is XORed into the state between AES rounds; in KIASU-BC the tweak T is additionally XORed into every subkey. The 64-bit tweak occupies the first two rows of the subkey: T0 T2 T4 T6 on row 0 and T1 T3 T5 T7 on row 1, the two remaining rows being 0.]

  13. Security of KIASU-BC
  For a fixed tweak, the security of KIASU-BC is the same as that of AES-128. The tricky part is to analyse what happens when the tweak varies.
  If the key is fixed and one varies the tweak: KIASU-BC's tweak schedule has been chosen such that it is itself a good key schedule. Bad idea: adding a tweak on the entire 128-bit state, since trivial and very good related-tweakey differential paths would then exist.
  If both the key and the tweak vary (aka related-tweakey): KIASU-BC was designed such that no interesting interaction between the key schedule and the tweak schedule exists.
  We put a special focus on attacks which are highly impacted by the key schedule:
  ⊲ related-key related-tweak attacks (aka related-tweakey)
  ⊲ meet-in-the-middle attacks

  14. Security of KIASU-BC: related-tweakey attacks
  We prove, with a computer-aided search tool, that no good related-key related-tweak (aka related-tweakey) differential path exists for KIASU (even boomerang ones).
  rounds   active SBoxes   upper bound on probability   method used
  1-2      0               2^0                          trivial
  3        1               2^-6                         Matsui's
  4        8               2^-48                        Matsui's
  5        ≥ 14            2^-84                        Matsui's
  7        ≥ 22            2^-132                       ex. split (3R+4R)

  15. KIASU features
  ⊲ first ad-hoc tweakable AES-128 ...
  ⊲ ... which provides 2^128 security, not only birthday security
  ⊲ extremely fast in software: less than 1 c/B on Haswell
  ⊲ quite small in hardware
  ⊲ very simple: almost a direct plug-in of AES-128 (reuse existing security analysis and implementations)
  ⊲ backward compatible with AES-128 (simply set T = 0)
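The KIASU-BC tweakey schedule of slides 11-15, as an added worked example (example code written for this page, not the designers' reference implementation). The AES-128 key schedule is kept unchanged, the 64-bit tweak is XORed into the first two rows of every subkey following the byte layout of the slide (T0, T2, T4, T6 on row 0 and T1, T3, T5, T7 on row 1, which is my reading of the diagram), and the AES round function f is untouched, so T = 0 gives back plain AES-128. The S-box is generated from its definition rather than pasted as a table.

```python
"""KIASU-BC subtweakey schedule and encryption (added example, not the authors' code)."""

# --- GF(2^8) arithmetic used by the AES S-box and MixColumns ---------------------------
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _make_sbox() -> list:
    """Build the AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 = x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

# --- AES-128 key schedule: the key half of the KIASU-BC tweakey schedule --------------
def aes128_round_keys(key: bytes) -> list:
    """Return the 11 AES-128 round keys (16 bytes each, column-major like the state:
    byte index 4*col + row)."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                        # RotWord
            t = [SBOX[b] for b in t]                 # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

# --- KIASU-BC tweakey schedule: XOR the 64-bit tweak into the first two rows ---------
def kiasu_subtweakeys(key: bytes, tweak: bytes) -> list:
    """Subtweakey r = AES round key r XOR T, with T on rows 0 and 1 only (assumed reading of
    the slide): column j receives T[2j] in row 0 and T[2j+1] in row 1. Rows 2 and 3 are 0."""
    assert len(tweak) == 8
    out = []
    for rk in aes128_round_keys(key):
        stk = bytearray(rk)
        for col in range(4):
            stk[4 * col] ^= tweak[2 * col]
            stk[4 * col + 1] ^= tweak[2 * col + 1]
        out.append(bytes(stk))
    return out

# --- AES round function f, unchanged by KIASU-BC -------------------------------------
def _add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    # row r of the state is rotated left by r positions (byte index 4*col + row)
    return [s[4 * ((col + row) % 4) + row] for col in range(4) for row in range(4)]

def _mix_columns(s):
    out = []
    for col in range(4):
        a = s[4 * col:4 * col + 4]
        out += [gf_mul(a[i], 2) ^ gf_mul(a[(i + 1) % 4], 3) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4]
                for i in range(4)]
    return out

def kiasu_bc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """KIASU-BC: AES-128 with every subkey replaced by its subtweakey; tweak = 0 is AES-128."""
    stk = kiasu_subtweakeys(key, tweak)
    s = _add_round_key(list(block), stk[0])
    for r in range(1, 10):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), stk[r])
    s = _add_round_key(_shift_rows(_sub_bytes(s)), stk[10])   # last round has no MixColumns
    return bytes(s)

if __name__ == "__main__":
    # FIPS-197 Appendix B vector: with T = 0 the output must be the AES-128 ciphertext
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    p = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print(kiasu_bc_encrypt(k, bytes(8), p).hex())               # AES-128 result
    print(kiasu_bc_encrypt(k, bytes.fromhex("0011223344556677"), p).hex())
```

Checking the T = 0 case against the FIPS-197 vectors is the backward-compatibility property of slide 15 made concrete; any non-zero tweak changes only the top two rows of each subtweakey, which is exactly the tweak schedule whose related-tweakey behaviour slides 13-14 analyse.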



  18. Building fast ad-hoc tweakable block ciphers is not easy
  [Figure: the TWEAKEY construction again: tk_0 → h → ... → tk_r, subtweakeys g(tk_i) XORed into the state s_0 = P, ..., s_{r+1} = C between the round functions f.]
  The case of AES-like ciphers:
  ⊲ KIASU is limited to a 64-bit tweak for AES (insecure otherwise)
  ⊲ we could do a LED-like design, but it would be slow because of the high number of rounds
  ⊲ the main issue: adding more tweakey state makes the security drop, or makes the security hard to study, even with automated tools
  Idea: separate the tweakey material into several words, design a secure tweakey schedule for one word, and then superpose the words in a secure way.

  19. The STK construction (Superposition-TWEAKEY)
  [Figure: STK tweakey schedule. The initial tweakey tk_0 is split into p words; every round, each word goes through the same subfunction h′ and is multiplied by its own constant α_1, α_2, ..., α_p; the words are XORed together with a round constant C_0, C_1, ..., C_r to form the subtweakey that is XORed into the state between the round functions f, from P = s_0 to s_r = C.]
  From the TWEAKEY framework to the STK construction:
  ⊲ the tweakey state update function h consists of the same subfunction h′ applied to each tweakey word
  ⊲ the subtweakey extraction function g consists of XORing all the words together
     ◦ reduces the implementation overhead
     ◦ reduces the area footprint by reusing code
     ◦ simplifies the security analysis

  20. The STK construction (Superposition-TWEAKEY)
  [Figure: same STK tweakey schedule as slide 19: words updated by h′ and multiplied by α_1, ..., α_p, XORed together with C_r, and added to the state between the round functions f.]
  From the TWEAKEY framework to the STK construction:
  ⊲ problem: strong interaction between the parallel branches of the tweakey state
  ⊲ solution: differentiate the parallel branches by simply using distinct multiplications in a small field
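The STK schedule of slides 19-20, as an added toy example (example code written for this page, not Joltik-BC or Deoxys-BC code): the word size, the nibble permutation h′, the field GF(2^4) with x^4 + x + 1, the multipliers α_i and the round constants C_r are all assumptions chosen for illustration. It also goes one step beyond the slides by measuring the branch interaction that slide 20 calls a problem: it injects the same difference δ into two tweakey words and counts the rounds in which the two contributions cancel in the subtweakey. Because h′ is the same permutation on every branch, the difference in round r is, nibble by nibble, (α_1^r ⊕ α_2^r)·h′^r(δ); with equal multipliers it is zero in every round (the subtweakeys do not depend on δ at all), while with distinct multipliers it is zero only when α_1^r = α_2^r, i.e. at most once per period of α_1/α_2.

```python
"""Toy STK (Superposition-TWEAKEY) tweakey schedule. All parameters are assumptions."""

WORD_LEN = 8      # bytes per tweakey word (assumed toy size, not a real cipher's)
ROUNDS = 12       # number of subtweakeys to generate (assumed)

def gf16_mul(a: int, b: int) -> int:
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1 (the assumed 'small field')."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13
        b >>= 1
    return r & 0xF

def h_prime(word: bytes) -> bytes:
    """Shared update function h': a fixed nibble permutation (assumed). It is identical on
    every branch, so on its own it cannot tell the parallel tweakey words apart."""
    n = [x for b in word for x in (b >> 4, b & 0xF)]
    p = [n[(3 * i + 5) % len(n)] for i in range(len(n))]   # i -> 3i+5 is a bijection mod 16
    return bytes((p[2 * i] << 4) | p[2 * i + 1] for i in range(len(word)))

def scale(word: bytes, alpha: int) -> bytes:
    """Multiply every nibble by the branch constant alpha: this is what differentiates the
    branches (alpha_1, alpha_2, ... on the slide)."""
    return bytes((gf16_mul(b >> 4, alpha) << 4) | gf16_mul(b & 0xF, alpha) for b in word)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stk_subtweakeys(words, alphas, rounds=ROUNDS):
    """STK schedule: subtweakey_r = C_r XOR tk_1^r XOR ... XOR tk_p^r (g is a plain XOR),
    then every word is updated as tk_i^{r+1} = alpha_i * h'(tk_i^r)."""
    assert len(words) == len(alphas) and all(len(w) == WORD_LEN for w in words)
    tk = [bytes(w) for w in words]
    out = []
    for r in range(rounds):
        c_r = bytes([r & 0xFF] + [0] * (WORD_LEN - 1))   # assumed round constant C_r
        stk = c_r
        for w in tk:
            stk = xor_bytes(stk, w)
        out.append(stk)
        tk = [scale(h_prime(w), a) for w, a in zip(tk, alphas)]
    return out

def cancelling_rounds(words_a, words_b, alphas, rounds=ROUNDS):
    """Rounds whose subtweakeys are identical for two related tweakeys, i.e. the rounds in
    which the differences injected into the parallel words cancel each other out."""
    sa = stk_subtweakeys(words_a, alphas, rounds)
    sb = stk_subtweakeys(words_b, alphas, rounds)
    return [r for r in range(rounds) if sa[r] == sb[r]]

if __name__ == "__main__":
    K, T = bytes(range(1, 9)), bytes(range(0x10, 0x18))     # constructed sample tweakey
    delta = bytes([0x10] + [0] * 7)                         # same difference in both words
    K2, T2 = xor_bytes(K, delta), xor_bytes(T, delta)
    print("equal alphas   :", cancelling_rounds([K, T], [K2, T2], [1, 1]))
    print("distinct alphas:", cancelling_rounds([K, T], [K2, T2], [1, 2]))
```

With `alphas = [1, 1]` the two branches are interchangeable and the related pair shares every subtweakey, which is the strong interaction of slide 20; with `alphas = [1, 2]` only round 0 cancels, since 2 has order 15 in this field, so no further cancellation can occur before round 15. A designer checking a real STK instance would run the same count for every admissible pair of differences, which is what bounds the number of rounds a related-tweakey differential can keep inactive.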
