wage an authenticated encryption with a twist
play

WAGE: An Authenticated Encryption with a Twist Riham AlTawy , Guang - PowerPoint PPT Presentation

May 26, 2023 •363 likes •746 views

WAGE: An Authenticated Encryption with a Twist Riham AlTawy , Guang Gong, Kalikinkar Mandal 1 , and Raghvendra Rohit 2 IACR FSE 2020 1 Currently with University of New Brunswick, Canada 2 Currently with University of Rennes 1, CNRS,

  1. WAGE: An Authenticated Encryption with a Twist Riham AlTawy ⋆ , Guang Gong, Kalikinkar Mandal 1 , and Raghvendra Rohit 2 ⋆ IACR FSE 2020 1 Currently with University of New Brunswick, Canada 2 Currently with University of Rennes 1, CNRS, IRISA, France

  2. Outline 1. Introduction 2. Design of WAGE 3. Security Analysis and Features 4. Hardware Performance 1 / 20

  3. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny Lucifier CAST Keccak GIFT RC4 DES . . . . . . . . . 1970 1980 1990 2000 2010 2019 2 / 20

  4. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny Lucifier CAST Keccak GIFT RC4 DES . . . . . . . . . 1970 1980 1990 2000 2010 2019 Smart devices RFIDs and NFC Internet of Things Resource constrained devices Sensor networks Embedded systems 2 / 20

  5. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny Lucifier CAST Keccak GIFT RC4 DES . . . . . . . . . 1970 1980 1990 2000 2010 2019 Smart devices RFIDs and NFC Internet of Things Resource constrained devices Some algorithms and current standards do not fit into these devices! Sensor networks Embedded systems 2 / 20

  6. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny NIST LWC Lucifier CAST Keccak GIFT RC4 Submission DES . . . . . . call . . . 1970 1980 1990 2000 2010 2019 Smart devices 56 round 1 candidates RFIDs and NFC 32 round 2 candidates Internet of Things Different designs and goals Resource constrained devices Some algorithms and current standards do not fit into these devices! Sensor networks Embedded systems 2 / 20

  7. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny NIST LWC Lucifier CAST Keccak GIFT RC4 Submission DES . . . . . . call . . . 1970 1980 1990 2000 2010 2019 Smart devices 56 round 1 candidates RFIDs and NFC 32 round 2 candidates Internet of Things Different designs and goals Resource constrained devices Some algorithms and current standards do not fit into these devices! Sensor networks Embedded systems 2 / 20

  8. Developments in symmetric key cryptography MD5 SHA-2 Photon RIPEMD Grain Quark SHA-1 Trivium Spongent AES Mickey Simon MARS Salsa Simeck RC6 WG Ascon Serpent Present Skinny NIST LWC Lucifier CAST Keccak GIFT RC4 Submission DES . . . . . . call . . . 1970 1980 1990 2000 2010 2019 Smart devices 56 round 1 candidates RFIDs and NFC 32 round 2 candidates Internet of Things Different designs and goals WAGE Resource constrained devices Some algorithms and current standards do not fit into these devices! Sensor networks Embedded systems 2 / 20

  9. Our Contributions - Permutation design: We design a hardware-friendly permutation of size 259 bits based on a 37-stage Galois NLFSR over F 2 7 . 3 / 20

  10. Our Contributions - Permutation design: We design a hardware-friendly permutation of size 259 bits based on a 37-stage Galois NLFSR over F 2 7 . - Security analysis: We analyze the diffusion, algebraic, differential, and linear properties of the WAGE permutation and the WAGE authenticated encryption. 3 / 20

  11. Our Contributions - Permutation design: We design a hardware-friendly permutation of size 259 bits based on a 37-stage Galois NLFSR over F 2 7 . - Security analysis: We analyze the diffusion, algebraic, differential, and linear properties of the WAGE permutation and the WAGE authenticated encryption. - WG-PRBG: We present the construction of WG based pseudo random bit generator with guaranteed randomness properties from WAGE. 3 / 20

  12. Design of WAGE 4 / 20

  13. WAGE Permutation Round Function rc i 1 S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 WGP SB SB rc i ⊕ 0 ω S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i S i 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 WGP SB SB - S j i is a 7-bit word, WGP and SB are 7-bit S-boxes, ω is a linear operation over 7-bit word, and rc i j are 7-bit round constants. 5 / 20

  14. Rationale of the overall design - Reuse and adopt the initialization phase of the well-studied WG stream cipher for authenticated encryption 6 / 20

  15. Rationale of the overall design - Reuse and adopt the initialization phase of the well-studied WG stream cipher for authenticated encryption - Cheap hardware cost for WGP over F 2 7 than F 2 8 - 1 WGP S-box to 5 additional S-boxes (1 WGP + 4 SB) for faster confusion - Extra XORs for strong diffusion in addition to feedback 6 / 20

  16. Rationale of the overall design - Reuse and adopt the initialization phase of the well-studied WG stream cipher for authenticated encryption - Cheap hardware cost for WGP over F 2 7 than F 2 8 - 1 WGP S-box to 5 additional S-boxes (1 WGP + 4 SB) for faster confusion - Extra XORs for strong diffusion in addition to feedback - Minimal overhead for tweaking the WAGE permutation to an independent WG-PRBG 6 / 20

  17. S-boxes - WGP S-Box : Defined over F 2 7 : WGP ( x ) = WGP 7( x 13 ) WGP 7( x ) = x + ( x + 1) 33 + ( x + 1) 39 + ( x + 1) 41 + ( x + 1) 104 d = 13 chosen to achieve low differential uniformity and high nonlinearity 7 / 20

  18. S-boxes - WGP S-Box : Defined over F 2 7 : WGP ( x ) = WGP 7( x 13 ) WGP 7( x ) = x + ( x + 1) 33 + ( x + 1) 39 + ( x + 1) 41 + ( x + 1) 104 d = 13 chosen to achieve low differential uniformity and high nonlinearity - SB S-Box : Defined in a bit-wise and iterative fashion: ( x 0 , x 1 , x 2 , x 3 , x 4 , x 5 , x 6 ) ← R 5 ( x 0 , x 1 , x 2 , x 3 , x 4 , x 5 , x 6 ) ( x 0 , x 1 , x 2 , x 3 , x 4 , x 5 , x 6 ) ← Q ( x 0 , x 1 , x 2 , x 3 , x 4 , x 5 , x 6 ) x 0 ← x 0 ⊕ 1 x 2 ← x 2 ⊕ 1 7 / 20

  19. S-boxes (cont.) x 0 x 1 x 2 x 3 x 4 x 5 x 6 ⊙ ⊙ ⊙ Q layer ⊕ ⊕ ⊕ ▽ ▽ ◦ ◦ P layer y 0 y 1 y 2 y 3 y 4 y 5 y 6 A block diagram of R 8 / 20

  20. Round constants - Lightweight 7-bit LFSR for generating the constants a i +8 a i +6 a i +4 a i +2 a i a i +7 a i +5 a i +3 a i +1 rc i 1 � �� � a i +7 , a i +6 , a i +5 , a i +4 , a i +3 , a i +2 , a i +1 , a i � �� � rc i 0 9 / 20

  21. Round constants - Lightweight 7-bit LFSR for generating the constants a i +8 a i +6 a i +4 a i +2 a i a i +7 a i +5 a i +3 a i +1 rc i 1 � �� � a i +7 , a i +6 , a i +5 , a i +4 , a i +3 , a i +2 , a i +1 , a i � �� � rc i 0 1 ) � = ( rc j 0 , rc j - Property: ( rc i 0 , rc i 1 ) for 0 ≤ i, j ≤ 110 and i � = j . Ensures that all the rounds of WAGE are distinct and provides resistance against slide and invariant subspace attacks. 9 / 20

  22. Number of rounds - Number of rounds: 111 - Selection based on the security analysis: diffusion, algebraic degree, differential and linear bounds - Overall criterion: WAGE permutation is indistinguishable from a random permutation 10 / 20

  23. Diffusion and algebraic degree behavior - Diffusion: Full bit diffusion in 28+28 rounds in both forward and backward directions. 56/111 rounds are sufficient against meet-in the-middle attacks. - Algebraic degree: WGP and SB sboxes each are of degree 6. Faster growth in algebraic degree and 111 rounds provides huge security margin against algebraic attacks. 11 / 20

  24. Differential and linear bounds - WGP S-box: DP = 2 − 4 . 4 and LSC = 2 − 5 . 08 - SB S-box: DP = 2 − 4 and LSC = 2 − 5 . 35 12 / 20

  25. Differential and linear bounds - WGP S-box: DP = 2 − 4 . 4 and LSC = 2 − 5 . 08 - SB S-box: DP = 2 − 4 and LSC = 2 − 5 . 35 - Case I: No constraints on the positions of input and output differences - Case II: Input and output differences are restricted to only rate positions Table: Upper bounds of MEDCP and MELCSC values of WAGE in log 2 ( · ) scale Rounds Minimum MEDCP MELSC # active sboxes log 2 ( · ) Case I 74 59 − 59 × 4 = − 236 − 59 × 5 . 08 ≈ − 299 . 7 Case II 74 72 − 72 × 4 = − 288 − 72 × 5 . 08 ≈ − 365 . 7 12 / 20

  26. WAGE Authenticated Encryption and WG-PRBG 13 / 20

  27. WAGE Authenticated Encryption - Supports 128-bit key, 128-bit nonce and 128-bit tag - Operates in sponge-duplex mode with stronger keyed initialization and finalization phases 14 / 20

  28. WAGE Authenticated Encryption - Supports 128-bit key, 128-bit nonce and 128-bit tag - Operates in sponge-duplex mode with stronger keyed initialization and finalization phases K 0 K 1 64 load ( N, K ) P P P 195 0x00 0x00 Initialization 14 / 20

  29. WAGE Authenticated Encryption - Supports 128-bit key, 128-bit nonce and 128-bit tag - Operates in sponge-duplex mode with stronger keyed initialization and finalization phases K 0 K 1 AD 0 AD a − 1 64 load ( N, K ) P P P P P 195 0x00 0x00 0x01 0x01 Initialization Processing associated data 14 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
This Weeks Sermon What is it? Nehemiah 13:15-22 What is the Sabbath? Nehemiah 13:15-22 15

This Weeks Sermon What is it? Nehemiah 13:15-22 What is the Sabbath? Nehemiah 13:15-22 15

This Weeks Sermon What is it? Nehemiah 13:15-22 What is the Sabbath? Nehemiah 13:15-22 15 In those days I saw people in Judah treading winepresses on the Sabbath and bringing in grain and loading it on donkeys, together with wine,

430 views • 39 slides
Shaahin Hessabi Department of Computer Engineering Sharif University of Technology Requirements

Shaahin Hessabi Department of Computer Engineering Sharif University of Technology Requirements

Shaahin Hessabi Department of Computer Engineering Sharif University of Technology Requirements Requirements Design for reuse is necessary for both memories and analog circuits. Both sensitive to noise and technology parameters.

808 views • 35 slides
MEMS Technology for Radiation Sensors C. Kenney, August 2, 2013 HL-LHC Vertex Needs Higher

MEMS Technology for Radiation Sensors C. Kenney, August 2, 2013 HL-LHC Vertex Needs Higher

MEMS Technology for Radiation Sensors C. Kenney, August 2, 2013 HL-LHC Vertex Needs Higher track density better segmentation Many interactions better vertex resolution along beam axis Improved radiation tolerance Better

680 views • 24 slides
The Poisson trick for matched two-way tables a case for putting the fish in the bowl (a case for

The Poisson trick for matched two-way tables a case for putting the fish in the bowl (a case for

Plan Key ideas Example Plots Bilinear models Case of two matched tables References The Poisson trick for matched two-way tables a case for putting the fish in the bowl (a case for putting the bird in the cage) e1, Antoine de

432 views • 29 slides
Applied Statistics Lecturer: Serena Arima Regression model Model estimation Properties OLS

Applied Statistics Lecturer: Serena Arima Regression model Model estimation Properties OLS

Regression model Model estimation Properties OLS estimator Applied Statistics Lecturer: Serena Arima Regression model Model estimation Properties OLS estimator Linear regression model Consider the income and the expenditure of a sample of n

762 views • 51 slides
Evidence For LSE Growth Commission Human Capital Stephen Machin 1 Relevant Issues It is

Evidence For LSE Growth Commission Human Capital Stephen Machin 1 Relevant Issues It is

March 14 2012 Evidence For LSE Growth Commission Human Capital Stephen Machin 1 Relevant Issues It is undeniable that the skills and education of the workforce matter for productivity and, in turn, for overall growth. The key

794 views • 23 slides
Classical Labor Supply: Blundell, Duncan and Meghir (1998) ECON 34430: Topics in Labor Markets

Classical Labor Supply: Blundell, Duncan and Meghir (1998) ECON 34430: Topics in Labor Markets

Classical Labor Supply: Blundell, Duncan and Meghir (1998) ECON 34430: Topics in Labor Markets T. Lamadon (U of Chicago) Winter 2016 Remember We start with the following expression: h it = + w log( w it ) + r R it + it and H

155 views • 13 slides
Advisory Council Meeting Spring 2009 Thomas W. Gilligan Dean Student Presentation Real Estate

Advisory Council Meeting Spring 2009 Thomas W. Gilligan Dean Student Presentation Real Estate

Advisory Council Meeting Spring 2009 Thomas W. Gilligan Dean Student Presentation Real Estate Finance & Investment Center: Winners of the National Real Estate Challenge Tower Configurations Tower entirely white standard Orange top

843 views • 70 slides

More recommend