a modular framework for building variable input length
play

A Modular Framework for Building Variable-Input- Length Tweakable - PowerPoint PPT Presentation

Oct 19, 2023 •631 likes •1.24k views

A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and Seth Terashima Portland State University Motivation: Full Disk Encryption File System Virtual Disk (Exposes plaintexts) FDE Physical Disk

  1. A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and Seth Terashima Portland State University

  2. Motivation: Full Disk Encryption File System Virtual Disk (Exposes plaintexts) FDE Physical Disk (Stores ciphertexts)

  3. Motivation: Full Disk Encryption ● Disks encrypted sector-by-sector – Plaintexts are sectors File System – No “file” abstraction Virtual Disk (Exposes plaintexts) FDE Physical Disk (Stores ciphertexts)

  4. Motivation: Full Disk Encryption ● Disks encrypted sector-by-sector – Plaintexts are sectors File System – No “file” abstraction ● Accessing a plaintext shouldn't Virtual Disk (Exposes plaintexts) result in accessing multiple HW sectors FDE Physical Disk (Stores ciphertexts)

  5. Motivation: Full Disk Encryption ● Disks encrypted sector-by-sector – Plaintexts are sectors File System – No “file” abstraction ● Accessing a plaintext shouldn't Virtual Disk (Exposes plaintexts) result in accessing multiple HW sectors FDE Therefore plaintext length = ciphertext length ● No room for IV bits Physical Disk (Stores ciphertexts) ● No room for MAC bits

  6. File System Virtual disk Sector 1 Sector 2 Sector n FDE layer C 1 C 2 C n Physical disk

  7. File System Virtual disk Sector 1 Sector 2 Sector n FDE layer C 1 C 2 C n Physical disk Problem: This looks uncomfortably like ECB (albeit with 4kB blocks)...

  8. File System Virtual disk Sector 1 Sector 2 Sector n FDE 1 2 n layer C 1 C 2 C n Physical disk Problem: This looks uncomfortably like ECB (albeit with 4kB blocks)... Solution (?): Use Sector IDs as IVs.

  9. Nonce-based encryption isn't enough. ● What if an attacker images the disk at two different times?

  10. Nonce-based encryption isn't enough. ● What if an attacker images the disk at two different times? Should only leak equality of plaintexts should look like a random permutation

  11. Nonce-based encryption isn't enough. ● What if an attacker images the disk at two different times? Should only leak equality of plaintexts should look like a random permutation ● What if an attacker tampers with a ciphertext?

  12. Nonce-based encryption isn't enough. ● What if an attacker images the disk at two different times? Should only leak equality of plaintexts should look like a random permutation ● What if an attacker tampers with a ciphertext? Entire plaintext sector should be corrupted should look like a random permutation

  13. File System Virtual disk Sector 1 Sector 2 Sector n FDE 1 2 n layer C 1 C 2 C n Physical disk

  14. File System Virtual disk Sector 1 Sector 2 Sector n FDE layer C 1 C 2 C n Physical disk

  15. Tweakable (block)ciphers ● A good tweakable blockcipher “looks like” a family of independent, random permutations

  16. Tweakable (block)ciphers ● A good tweakable blockcipher “looks like” a family of independent, random permutations

  17. Tweakable (block)ciphers ● A good tweakable blockcipher “looks like” a family of independent, random permutations Tweak

  18. Tweakable (block)ciphers ● A good tweakable blockcipher “looks like” a family of independent, random permutations Tweak Family of independent, random permutations

  19. Tweakable (block)ciphers ● A good tweakable blockcipher “looks like” a family of independent, random permutations Tweak Family of independent, random permutations ● FDE demands a “wideblock” STPRP (512 or 4096 byte blocks)

  20. VIL Tweakable Ciphers ● VIL = Variable input length – Still preserves length of input – Random permutation for each length and tweak

  21. VIL Tweakable Ciphers ● VIL = Variable input length – Still preserves length of input – Random permutation for each length and tweak ● Existing constructions – CMC, EME*, PEP, TET, HEH, HCTR, … – Security reduction to underlying n -bit blockcipher – Birthday-bound security (wrt n ) – Either: 2 blockcipher calls or 1 blockcipher call, 1 GF multiply per n bits of input

  22. Results PIV: A new approach to VIL TCs AEAD from VIL TCs

  23. Results PIV: A new approach to VIL TCs AEAD from VIL TCs

  24. Results PIV: A new approach to VIL TCs ● TCT2: First to break the birthday bound AEAD from VIL TCs

  25. Results PIV: A new approach to VIL TCs ● TCT2: First to break the birthday bound ● TCT1: First to require a single blockcipher call (and no finite field multiplications) for each n bits of input AEAD from VIL TCs

  26. Results PIV: A new approach to VIL TCs ● TCT2: First to break the birthday bound ● TCT1: First to require a single blockcipher call (and no finite field multiplications) for each n bits of input ● Simple, easily verified security proof AEAD from VIL TCs

  27. Protected IV Mode

  28. N -bit TBC Protected IV Mode

  29. N -bit TBC VIL Tweakable Cipher Protected IV Mode

  30. N -bit TBC VIL Tweakable Cipher Only needs to be secure against adversaries that never repeat tweaks. Protected IV Mode

  32. Doesn't repeat a tweak Doesn't repeat a tweak

  33. Does a “protected” IV repeat? Does Y L look random? Doesn't repeat a tweak Doesn't repeat a tweak

  35. If we start with an n -bit blockcipher, we beat the b'day bound if N > n.

  36. If we start with an n -bit blockcipher, we beat the b'day bound if N > n. Okay if is slow as long as N ≪ m and is efficient

  37. If we start with an n -bit blockcipher, we beat the b'day bound if N > n. Okay if is slow as long as N ≪ m and is efficient Standard 4KB disc sector, to scale ( N = 256 bits)

  38. TCT2: Constructing ● Optimized for sector-sized messages (arbitrary length messages require incrementing the protected IV) ● Setting = CLRW2 [LST '12] gives beyond b'day security – Makes two blockcipher calls per invocation

  39. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10]

  40. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10] ● Implement the n -bit TBC using CLRW2 [LST '12] over, e.g., AES

  41. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10] ● Implement the n -bit TBC using CLRW2 [LST '12] over, e.g., AES ● Use NH [BHKKR '99] to extend the tweak length

  42. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10] ● Implement the n -bit TBC using CLRW2 [LST '12] over, e.g., AES ● Use NH [BHKKR '99] to extend the tweak length ● Secure to O(2 2n/3 ) queries

  43. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10] ● Implement the n -bit TBC using CLRW2 [LST '12] over, e.g., AES ● Use NH [BHKKR '99] to extend the tweak length ● Secure to O(2 2n/3 ) queries ● The two F calls make a total: – 28 multiplies in GF n – 12 n -bit blockcipher calls

  44. TCT2: Constructing ● Build an N = 2 n -bit TBC out of an n- bit TBC [CDMS '10] ● Implement the n -bit TBC using CLRW2 [LST '12] over, e.g., AES ● Use NH [BHKKR '99] to extend the tweak length ● Secure to O(2 2n/3 ) queries ● The two F calls make a total: – 28 multiplies in GF n – 12 n -bit blockcipher calls ● Potentially expensive for short inputs, fine for long ones

  45. Comparison with other modes Computational cost on sn -bit inputs Mode BC Calls GF Multiplies Ring Ops Queries Reference EME* 2 s + 3 --- --- 2 n /2 Halevi '04; Halevi, Rogaway '03 HEH s + 1 s + 2 --- 2 n /2 Sarkar '07, '09 TCT1 s + 1 5 16 s 2 n /2 TCT2 2 s + 8 32 32 s 2 2n /3 Typical: s = 256 (4KB sectors, AES) Security Bound

  46. Results PIV: A new approach to VIL TCs AEAD from VIL TCs

  47. Header Seq. No. Payload VIL Tweakable Cipher Unique sequence numbers can provide privacy Ciphertext

  48. Header Seq. No. Payload VIL Tweakable Cipher Unique sequence numbers can provide privacy Ciphertext Security largely agnostic to the nature, location of uniqueness

  49. Header Seq. No. Payload 0x000000 VIL Tweakable Cipher Simple padding can ensure authenticity (language of padded strings is “sparse”). Ciphertext

  50. Header Payload Seq. No. Encoder Encoded Header Encoded Payload VIL Tweakable Cipher Encoded Header Ciphertext cf. “Encode then Encrypt” [Bellare and Rogaway '00]

  51. Header Payload Seq. No. Encoder Encoded Header Encoded Payload Decryption checks VIL Tweakable Cipher membership in this language to ensure authenticity Encoded Header Ciphertext cf. “Encode then Encrypt” [Bellare and Rogaway '00]

  52. If and for all n , , then we get b bits of authenticity. ● Payload may be mapped into during an explicit encoding step (e.g., pad with 0x00..00)

  53. If and for all n , , then we get b bits of authenticity. ● Payload may be mapped into during an explicit encoding step (e.g., pad with 0x00..00) ● Payload may already be in some “sparse” language (e.g., a protocol with human-readable fields, checksums) – No ciphertext stretch!

Recommend

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

! The variable-length code is a prefix min f ( c ) d ( c ) code : no binary string is

Coding ! Representing characters from some input alphabet using another alphabet . Example: input characters from the Latin Huffman Codes alphabet, output strings of binary digits. ! Fixed-length binary character code: for an input

326 views • 3 slides
Hash Functions in Action Lecture 15 RECALL Hash Functions Main syntactic feature: Variable input

Hash Functions in Action Lecture 15 RECALL Hash Functions Main syntactic feature: Variable input

Hash Functions in Action Lecture 15 RECALL Hash Functions Main syntactic feature: Variable input length to fixed length output Primary requirement: collision-resistance If for all PPT A, Pr[x y and h(x)=h(y)] is negligible in the following

500 views • 13 slides
Sequnce(s)-to-Sequence Transformatjons in Text Processing Narada Warakagoda Seq2seq

Sequnce(s)-to-Sequence Transformatjons in Text Processing Narada Warakagoda Seq2seq

Sequnce(s)-to-Sequence Transformatjons in Text Processing Narada Warakagoda Seq2seq Transformatjon Variable length output Model Variable length input Example Applicatjons Summarizatjon (extractjve/abstractjve) Machine translatjon

560 views • 52 slides
Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of

Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of

Garrett Bingham Sequence to Sequence Video to Text Venugopalan et al. Given a variable-length sequence of video frames, Prev: Title Slide generate a variable-length natural language Problem description of the video. Next: Motivation

850 views • 15 slides
Basic SQL types String Char(n): fixed length. Padded Varchar(n): variable length

Basic SQL types String Char(n): fixed length. Padded Varchar(n): variable length

Basic SQL types String Char(n): fixed length. Padded Varchar(n): variable length Number Integer: 32 bit Decimal(5,2): 999.99 Real, Double: 32 bit, 64 bit Datetime Date: 2002-01-15 Time:

733 views • 3 slides
Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.85k views • 147 slides
Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.76k views • 147 slides
Stochastic chains with memory of variable length Antonio Galves Universidade de So Paulo AofA

Stochastic chains with memory of variable length Antonio Galves Universidade de So Paulo AofA

Stochastic chains with memory of variable length Antonio Galves Universidade de So Paulo AofA 2008 Antonio Galves Chains with memory of variable length Chains with memory of variable length Introduced by Rissanen (1983) as a universal

772 views • 74 slides
Circuits TM: A single program that works for every input length Circuits: A program tailored to

Circuits TM: A single program that works for every input length Circuits: A program tailored to

Circuits TM: A single program that works for every input length Circuits: A program tailored to a specific input length Motivation: -that's what computers really are -cryptography: attackers focus on specific key length -more combinatorial,

415 views • 30 slides
Modular Home Virginia Building Solutions For Home Owners: Variety Modular homes look like

Modular Home Virginia Building Solutions For Home Owners: Variety Modular homes look like

Modular Home Virginia Building Solutions For Home Owners: Variety Modular homes look like any other homes. Today's technology has allowed modular manufacturers to build almost any style of house, from a simple ranch to a highly customized

522 views • 15 slides
String Matching with Variable Length Gaps By Philip Bille, Inge Li Grtz, Hjalte Wedel Vildhj

String Matching with Variable Length Gaps By Philip Bille, Inge Li Grtz, Hjalte Wedel Vildhj

String Matching with Variable Length Gaps By Philip Bille, Inge Li Grtz, Hjalte Wedel Vildhj and David Kofoed Wind Presented by Hjalte Wedel Vildhj October 13, 2010 SPIRE 2010, Los Cabos, Mexico The Variable Length Gap Problem Given some

998 views • 57 slides
Math 2200-01 (Calculus I) Spring 2020 Book 1 - fail for example ( one input variable onion 27

Math 2200-01 (Calculus I) Spring 2020 Book 1 - fail for example ( one input variable onion 27

Math 2200-01 (Calculus I) Spring 2020 Book 1 - fail for example ( one input variable onion 27 Calculus I - variable calculus single - : y x , ( rates of change ) : diff calculus output variable Derivatives . ) . . - variable Calculus I i

362 views • 11 slides
MODULAR PREFAB BUILDING INNOVATIONS SP SPUR Emerging Building Types Ju June e 5 th th , ,

MODULAR PREFAB BUILDING INNOVATIONS SP SPUR Emerging Building Types Ju June e 5 th th , ,

MODULAR PREFAB BUILDING INNOVATIONS SP SPUR Emerging Building Types Ju June e 5 th th , , 2019 Dean Lewis, PE SE - Associate DCI ENGINEERS Licensed in all 50 States with projects in Canada, Central & South America, China, and Japan

735 views • 39 slides
Artworks narra4ng a story: a modular framework for the

Artworks narra4ng a story: a modular framework for the

Artworks narra4ng a story: a modular framework for the integrated presenta4on of three-dimensional and textual contents MARCO CALLIERI

500 views • 33 slides
Service differentiation for variable length packets in OPS with recirculating FDLs Chris Develder

Service differentiation for variable length packets in OPS with recirculating FDLs Chris Develder

Service differentiation for variable length packets in OPS with recirculating FDLs Chris Develder , Jan Cheyns Mario Pickavet, Piet Demeester Dept. of Information Technology (INTEC) Ghent University - IMEC, Belgium UNIVERSITEIT GENT Outline

268 views • 15 slides
Use of Input Output Data in Building Evidence for Trade Policy Making Joseph Mariasingham Asian

Use of Input Output Data in Building Evidence for Trade Policy Making Joseph Mariasingham Asian

Use of Input Output Data in Building Evidence for Trade Policy Making Joseph Mariasingham Asian Development Bank Central Theme of the Discussions Session 7 Economic measurement using input output framework Session 8 Utility of the

588 views • 40 slides
S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic

S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic

S(b)-Trees: an Optimal Balancing of Variable Length Keys Konstantin V. Shvachko 2 Dynamic Dictionaries Let K be a set of dictionary elements, called keys. For any finite subset D of K and for any key k three operations of search, insertion,

387 views • 13 slides
VGRAM: Improving Performance of Approximate Queries on String Collections Using Variable-Length

VGRAM: Improving Performance of Approximate Queries on String Collections Using Variable-Length

VGRAM: Improving Performance of Approximate Queries on String Collections Using Variable-Length Grams Chen Li Bin Wang and Xiaochun Yang Northeastern University, China Approximate selection queries Keanu Reeves Samuel Jackson

606 views • 42 slides
Modular Software Building with Python SCons SEA Conference February 21, 2012 Gary Granger

Modular Software Building with Python SCons SEA Conference February 21, 2012 Gary Granger

Modular Software Building with Python SCons SEA Conference February 21, 2012 Gary Granger NCAR, Earth Observing Laboratory Build System Goals Modular Change how a module is built without changing the builds which depend on it

414 views • 18 slides
Variable Length Relationship Pattern Extensions Teon Banek March , cbnd About

Variable Length Relationship Pattern Extensions Teon Banek March , cbnd About

Variable Length Relationship Pattern Extensions Teon Banek March , cbnd About Me Teon Banek Graduated from University of Zagreb, Faculty of Electrical Engineering and Computing Lead query engine developer at Memgraph

699 views • 33 slides
Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem Penninckx, Bart Jacobs, Frank Piessens Department of Computer Science, KU Leuven, Belgium DRADS 2014 Table of Contents Introduction Requirements

660 views • 45 slides
Concatenated Irregular Variable Length Coding and Irregular Unity Rate Coding R. G. Maunder and

Concatenated Irregular Variable Length Coding and Irregular Unity Rate Coding R. G. Maunder and

Concatenated Irregular Variable Length Coding and Irregular Unity Rate Coding R. G. Maunder and L. Hanzo Communications Research Group School of Electronics and Computer Science, University of Southampton, SO17 1BJ, UK.

652 views • 14 slides
On trains and wagons: switching variable length packets in slotted OPS Chris Develder Mario

On trains and wagons: switching variable length packets in slotted OPS Chris Develder Mario

On trains and wagons: switching variable length packets in slotted OPS Chris Develder Mario Pickavet Piet Demeester Dept. of Information Technology (INTEC) Ghent University - IMEC, Belgium UNIVERSITEIT GENT Outline Intro Slotted

445 views • 17 slides

More recommend