a scon a submission to caesar
play

A SCON : A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. - PowerPoint PPT Presentation

Jun 28, 2023 •234 likes •562 views

S C I E N C E P A S S I O N T E C H N O L O G Y A SCON : A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schl affer Graz University of Technology CECC 2015 www.iaik.tugraz.at www.iaik.tugraz.at The

  1. S C I E N C E P A S S I O N T E C H N O L O G Y A SCON : A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schl¨ affer Graz University of Technology CECC 2015 www.iaik.tugraz.at

  2. www.iaik.tugraz.at The Team Christoph Dobraunig Maria Eichlseder Florian Mendel Martin Schl¨ affer Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 2 CECC 2015

  3. www.iaik.tugraz.at Overview CAESAR Design of A SCON Security analysis Implementations Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 3 CECC 2015

  4. www.iaik.tugraz.at CAESAR CAESAR: Competition for Authenticated Encryption – Security, Applicability, and Robustness http://competitions.cr.yp.to/caesar.html Inspired by AES SHA-3 eStream Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 4 CECC 2015

  5. www.iaik.tugraz.at CAESAR – Candidates ACORN ++AE AEGIS AES-CMCC AES-COBRA AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ Artemia Ascon AVALANCHE Calico CBA CBEAM CLOC Deoxys ELmD Enchilada FASER HKC HS1-SIV ICEPOLE iFeed[AES] Joltik Julius Ketje Keyak KIASU LAC Marble McMambo Minalpher MORUS NORX OCB OMD PAEQ PAES PANDA π -Cipher POET POLAWIS PRIMATEs Prøst Raviyoyla Sablier SCREAM SHELL SILC Silver STRIBOB Tiaoxin TriviA-ck Wheesht YAES Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 5 CECC 2015

  6. www.iaik.tugraz.at CAESAR – Candidates ACORN ++AE AEGIS AES-CMCC AES-COBRA AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ Artemia Ascon AVALANCHE Calico CBA CBEAM CLOC Deoxys ELmD Enchilada FASER HKC HS1-SIV ICEPOLE iFeed[AES] Joltik Julius Ketje Keyak KIASU LAC Marble McMambo Minalpher MORUS NORX OCB OMD PAEQ PAES PANDA π -Cipher POET POLAWIS PRIMATEs Prøst Raviyoyla Sablier SCREAM SHELL SILC Silver STRIBOB Tiaoxin TriviA-ck Wheesht YAES Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 6 CECC 2015

  7. www.iaik.tugraz.at A SCON – Design Goals Security Online Efficiency Single pass Lightweight Scalability Simplicity Side-Channel Robustness Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 7 CECC 2015

  8. www.iaik.tugraz.at A SCON – General Overview Nonce-based AE scheme Sponge inspired P 1 C 1 P 2 C 2 P t C t 64 64 64 IV p 12 p 6 p 6 p 12 256 256 256 256 128 K � N T 0 ∗ � K K � 0 ∗ 1 K Processing Initialization Finalization Plaintext Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 8 CECC 2015

  9. www.iaik.tugraz.at A SCON – Permutation Iterative application of round function One round Constant addition Substitution layer Linear layer Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 9 CECC 2015

  10. www.iaik.tugraz.at A SCON – Round Substitution layer x 0 x 1 x 2 x 3 x 4 Linear layer x 0 x 1 x 1 x 2 x 3 x 4 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 10 CECC 2015

  11. www.iaik.tugraz.at A SCON – Round x 4 ⊕ ( x 4 ≫ 7) ⊕ ( x 4 ≫ 41) → x 4 x 4 x 4 x 3 ⊕ ( x 3 ≫ 10) ⊕ ( x 3 ≫ 17) → x 3 x 3 x 3 x 2 ⊕ ( x 2 ≫ 1) ⊕ ( x 2 ≫ 6) → x 2 x 2 x 2 x 1 ⊕ ( x 1 ≫ 61) ⊕ ( x 1 ≫ 39) → x 1 x 1 x 1 x 0 ⊕ ( x 0 ≫ 19) ⊕ ( x 0 ≫ 28) → x 0 x 0 x 0 S-box Linear transformation Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 11 CECC 2015

  12. www.iaik.tugraz.at Analysis – A SCON [DEMS15] Attacks on round-reduced versions of A SCON -128 Key-recovery Forgery Analysis of the building blocks Permutation Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 12 CECC 2015

  13. www.iaik.tugraz.at Key-recovery – Idea Target initialization Choose nonce Observe key-stream Deduce information about the secret key rounds time method 2 66 6 / 12 cube-like 2 35 5 / 12 A SCON -128 2 36 5 / 12 differential-linear 2 18 4 / 12 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 13 CECC 2015

  14. www.iaik.tugraz.at Key-recovery – Idea Target initialization Choose nonce Observe key-stream Deduce information about the secret key rounds time method 2 66 6 / 12 cube-like 2 35 5 / 12 A SCON -128 2 36 5 / 12 differential-linear 2 18 4 / 12 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 13 CECC 2015

  15. www.iaik.tugraz.at Forgery – Idea P t C t = ∆ P 1 C 1 P 2 C 2 64 64 p 6 p 6 p 12 256 256 256 128 T = ∆ K � 0 ∗ K Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 14 CECC 2015

  16. www.iaik.tugraz.at Forgery – A SCON -128 3/12 rounds finalization probability 2 − 33 input difference after 1 round after 2 rounds after 3 rounds x 0 8000000000000000 8000100800000000 8000000002000080 ???????????????? x 1 0000000000000000 8000000001000004 9002904800000000 ???????????????? x 2 0000000000000000 → 0000000000000000 → d200000001840006 → ???????????????? x 3 0000000000000000 0000000000000000 0102000001004084 4291316c5aa02140 x 4 0000000000000000 0000000000000000 0000000000000000 090280200302c084 4/12 rounds finalization probability 2 − 101 input difference after 4 rounds x 0 8000000000000000 ???????????????? x 1 0000000000000000 ???????????????? x 2 0000000000000000 → ???????????????? x 3 0000000000000000 280380ec6a0e9024 x 4 0000000000000000 eb2541b2a0e438b0 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 15 CECC 2015

  17. www.iaik.tugraz.at Analysis – Permutation Zero-sum distinguisher 12 rounds with complexity 2 130 Search for differential and linear characteristics Proof on minimum number of active S-boxes result rounds differential linear 1 1 1 proof 2 4 4 3 15 13 4 44 43 heuristic ≥ 5 > 64 > 64 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 16 CECC 2015

  18. www.iaik.tugraz.at Implementation – A SCON Software 64-bit Intel platforms ARM NEON 8-bit ATmega128 Hardware [GWDE15] High-speed Low-area Threshold implementations Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 17 CECC 2015

  19. www.iaik.tugraz.at Software – 64-bit Intel One message per core (Core2Duo) 64 512 1024 4096 A SCON -128 (c/B) 22.0 15.9 15.6 15.2 A SCON -96 (c/B) 17.7 11.0 10.5 10.3 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 18 CECC 2015

  20. www.iaik.tugraz.at Software – 64-bit Intel One message per core (Core2Duo) 64 512 1024 4096 A SCON -128 (c/B) 22.0 15.9 15.6 15.2 A SCON -96 (c/B) 17.7 11.0 10.5 10.3 Four messages per core [Sen15] (Haswell) 64 512 1024 4096 A SCON -128 (c/B) 10.49 7.33 7.11 6.94 A SCON -96 (c/B) 8.55 5.26 5.02 4.85 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 18 CECC 2015

  21. www.iaik.tugraz.at Hardware – Results [GWDE15] Chip Area Throughput Power Energy [kGE] [Mbps] [µW] [µJ/byte] Unprotected Implementations Fast 1 round 7.08 5 524 43 33 Fast 6 rounds 24.93 13 218 184 23 Low-area 2.57 14 15 5 706 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 19 CECC 2015

  22. www.iaik.tugraz.at Hardware – Results [GWDE15] Chip Area Throughput Power Energy [kGE] [Mbps] [µW] [µJ/byte] Unprotected Implementations Fast 1 round 7.08 5 524 43 33 Fast 6 rounds 24.93 13 218 184 23 Low-area 2.57 14 15 5 706 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 19 CECC 2015

  23. www.iaik.tugraz.at Hardware – Results [GWDE15] Chip Area Throughput Power Energy [kGE] [Mbps] [µW] [µJ/byte] Unprotected Implementations Fast 1 round 7.08 5 524 43 33 Fast 6 rounds 24.93 13 218 184 23 Low-area 2.57 14 15 5 706 Threshold Implementations Fast 1 round 28.61 3 774 183 137 Fast 6 rounds 123.52 9 018 830 104 Low-area 7.97 15 45 17 234 Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 19 CECC 2015

  24. www.iaik.tugraz.at A SCON -128 – Choice of Parameters Now: (c,r) = (256, 64) Conservative choice Proposed: (c,r) = (192, 128) [BDPA11] Significant speedup (factor 2) Limit on data complexity 2 64 Proposed: (c,r) = (128, 192) [JLM14] Significant speedup (factor 3) More analysis needed Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 20 CECC 2015

  25. www.iaik.tugraz.at More Information http://ascon.iaik.tugraz.at Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 21 CECC 2015

  26. www.iaik.tugraz.at Acknowledgments The work has been supported in part by the Austrian Science Fund (project P26494-N15) and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS). Ch. Dobraunig , M. Eichlseder, F . Mendel, M. Schl¨ affer 22 CECC 2015

Recommend

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2 1 IAIK, Graz University of Technology, Austria 2 Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of

639 views • 25 slides
PRIMATEs v1.1: A Submission to the CAESAR Competition Elena Andreeva, Begl Bilgin, Andrey

PRIMATEs v1.1: A Submission to the CAESAR Competition Elena Andreeva, Begl Bilgin, Andrey

PRIMATEs v1.1: A Submission to the CAESAR Competition Elena Andreeva, Begl Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha,Qingju Wang, and Kan Yasuda 1 July 2014, Bochum PRIMATEs GIBBON APE HANUMAN 2

953 views • 80 slides
* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

AMDiS Adaptive Multidimensional simulations: Parallel Concepts Parallel Concepts Christina Stcker (stoecker@caesar.de), Dr. Angel Ribalta (ribalta@caesar.de), Simon Vey (vey@caesar.de), * Dr. Axel Voigt (voigt@caesar.de) research

806 views • 23 slides
Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists Daniel J. Bernstein CAESAR timeline planned in 2012 2013.01: Announce tentative schedule. 2014.01: Deadline for first-round submissions.

527 views • 10 slides
Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

On A SCON and I SAP About Two Authenticated Encryption Schemes Christoph Dobraunig October 2018 Designed by: . Mendel, M. Schl A SCON : C. Dobraunig, M. Eichlseder, F affer I SAP : C. Dobraunig, M. Eichlseder, S. Mangard, F . Mendel, T.

987 views • 40 slides
ASCON Submission to the CAESAR Compe44on Christoph Dobraunig, Maria Eichlseder, Florian Mendel,

ASCON Submission to the CAESAR Compe44on Christoph Dobraunig, Maria Eichlseder, Florian Mendel,

ASCON Submission to the CAESAR Compe44on Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Mar4n Schlffer DIAC 2016 Our Team Christoph Dobraunig Maria Eichlseder Florian Mendel Mar4n Schlffer ASCON Main Design Goals

688 views • 25 slides
BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

Friends of Caesar Creek is a not-for-profit volunteer organization dedicated to educating the public about the natural resources of the Caesar Creek Lake Region. They support the educational, scientific, and historical activities of the region

497 views • 18 slides
Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438 Outline Last time: low-level plumbing Today: top-down architecting of the Internet Goals Layering Protocols The end-to-end

946 views • 58 slides
Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus

Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus

Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus Brutus AND Caesar Caesar but NOT Calpurnia Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar, Brutus Caesar, then strip

563 views • 40 slides
Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438 2 Today: Physical Media Networks are made up of devices and communication links Devices and links can be physically threatened

1.01k views • 75 slides
When a submission includes a

When a submission includes a

When a submission includes a payslip with Validation error Should process all valid payslips in the submission and code: 2049 invalid previousLineItemID or

655 views • 31 slides
1 Cant build the matrix Inverted index Term Doc # Documents are parsed to extract words

1 Cant build the matrix Inverted index Term Doc # Documents are parsed to extract words

Query Information Retrieval (IR) Which plays of Shakespeare contain the words Brutus AND Caesar but NOT Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar then strip out lines containing Calpurnia ? Slow (for

213 views • 10 slides
1 Cant build the matrix Inverted index Documents are parsed to extract words Term Doc #

1 Cant build the matrix Inverted index Documents are parsed to extract words Term Doc #

Query Information Retrieval (IR) Which plays of Shakespeare contain the words Brutus AND Caesar but NOT Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar then strip out lines containing Calpurnia ? Based on slides

419 views • 10 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
Mar 17: Paper submission Mar 17 Paper submission Mar 22 Assignment to ACs Papers will be

Mar 17: Paper submission Mar 17 Paper submission Mar 22 Assignment to ACs Papers will be

Mar 17: Paper submission Mar 17 Paper submission Mar 22 Assignment to ACs Papers will be screened for length and inclusion of author information above abstract. Mar 23-30 Reviewer Selection We will desk reject any that do not satisfy

246 views • 11 slides
An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

Introduction CAESAR Competition TriviA : A Streamcipher Based AE Scheme Hardware Implementation of TriviA ELmD : A Blockcipher Based AE Scheme An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

812 views • 48 slides
0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I

0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I

Temporal Logic: The Lesser of Three Evils Leslie Lamport Microsoft Research 0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I Started Making sure my concurrent algorithms were right. Proving the

1.49k views • 112 slides
AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines,

AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines,

AMERICAN ACADEMY of ANESTHESIOLOGIST ASSISTANTS Student Poster Presentation Descriptions and Guidelines AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines, utilize the AAAA abstract submission

221 views • 4 slides
Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar http://courses.engr.illinois.edu/cs438/ Some History Ethernet was invented as a broadcast technology Each packet received by all attached hosts Easy to set up, cheap to

1.57k views • 123 slides
1 In process of creating universe, role of initiating, of leading, belongs not to all three

1 In process of creating universe, role of initiating, of leading, belongs not to all three

Why a denial of the Sons eternal submission threatens both the Trinity and the Bible Wayne Grudem ETS: San Antonio: Nov. 15, 2016 I. E vidence for the Sons submission to the Father prior to Incarnation A. Submission indicated by the eternal

256 views • 4 slides

Informat ation skills in higher er ed educat ation: a a SC SCON ONUL Po Position Pap Paper er (1999 1999) Types of f

1.7k views • 134 slides
INTERNAL Submission plugin ARC 6 camp Ume 7-9.11 2018 INTERNAL Submission plugin

INTERNAL Submission plugin ARC 6 camp Ume 7-9.11 2018 INTERNAL Submission plugin

INTERNAL Submission plugin ARC 6 camp Ume 7-9.11 2018 INTERNAL Submission plugin Especially aimed for restrictive HPC sites Self-contained ARC site: intended to run with ARC Control Tower installed on frontend The local aCT

586 views • 20 slides
Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael

908 views • 53 slides
An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of High-Level Synthesis Tools Ekawat Homsirikamol and Kris Gaj George Mason University USA Based on work partially supported by the National Science

775 views • 50 slides

More recommend