advanced block cipher design
play

Advanced Block Cipher Design My crazy boss asked me to design a new - PowerPoint PPT Presentation

Aug 12, 2023 •344 likes •914 views

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

  1. Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. What’s next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  2. Outline • High-Level Schemes • Confusion • Diffusion • Key-Schedule • Beyond the Design Pascal Junod -- Advanced Block Cipher Design 2 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  3. Introduction Pascal Junod -- Advanced Block Cipher Design 3 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  4. Some Simple Facts • As of today, nobody knows how to design a (mathematically proven) secure block cipher. • Problem related to fundamental open questions in mathematics/computer science • A secure block cipher is a block cipher that nobody can break... • A good block cipher is a secure block cipher that people like to implement. Pascal Junod -- Advanced Block Cipher Design 4 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  5. So many Designs in the Wild... Hierocrypt G-DES LOKI MacGuffin LION RC2 Coconut98 Akellare DFC Square Twofish E0 Anubis CAST Skipjack CS-Cipher DEAL Shark Rijndael RC5 IDEA Camellia Aria Present Noekeon DES-X Magenta Threefish Seed RC6 Mars FOX Serpent GOST BassOmatic 3-Way DES MESH E2 TEA Blowfish Misty Triple DES XTEA BEAR FEAL Cipherunicorn CLEFIA XXTEA Madryga 5

  6. Designing a New Block Cipher • Several good and bad reasons: • Faster/smaller than any other one ✔ • With «better» security guarantees than any ✔ ✔ other one • My boss crazily asked me to design a new, ~ secret (!) and patented (!!) block cipher • Not enough proposals/diversity in the wild ✖ • I desperately need to publish something to ✖ finish my PhD thesis ! Pascal Junod -- Advanced Block Cipher Design 6 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  7. Designing a New Block Cipher • Claude E. Shannon somewhat defined how to build a good cipher: Two methods (other than recourse to ideal systems) suggest themselves for frustrating a statistical analysis. These we may call the methods of diffusion and confusion . Pascal Junod -- Advanced Block Cipher Design 7 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  8. Designing a New Block Cipher • Several decisions to take • Platform target • Security target • High-level scheme • Inner confusion/diffusion elements • Key-Schedule Pascal Junod -- Advanced Block Cipher Design 8 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  9. Designing a New Block Cipher • Platform target • low-end CPU (4-bit, 8-bit, 16-bit, 32-bit micro- controller) • RAM/ROM/code size • high-end CPU (Intel/AMD/...) • SIMD instructions / L1 cache size • FPGA/ ASIC • low/high gate/cells budget (RFID vs. high- speed encryption card) Pascal Junod -- Advanced Block Cipher Design 9 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  10. Designing a New Block Cipher • Security target (1) • Encryption • Authenticated encryption • Hashing • Key size (..., 64, 80, 128, 256, 512, 1024, ...) • Block size (..., 32, 48, 64, 96, 128, 256, 512, 1024, ...) Pascal Junod -- Advanced Block Cipher Design 10 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  11. Designing a New Block Cipher It is probably • Security target (2) the most powerful way to break a protected implementation as of • Side-channel attacks today ! • Fault attacks • (Resistance to reverse engineering, software emulation, ...) Pascal Junod -- Advanced Block Cipher Design 11 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  12. Designing a New Block Cipher • High-Level Scheme • None (?) • Iterated • Feistel • Generalized Feistel • Substitution-Permutation Network • Lai-Massey Pascal Junod -- Advanced Block Cipher Design 12 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  13. Designing a New Block Cipher • Inner confusion/diffusion elements • Substitution boxes • Key-dependent non-linear operations • (Non-)linear diffusion layers Pascal Junod -- Advanced Block Cipher Design 13 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  14. Designing a New Block Cipher • Key-schedule algorithm • Light • Diffusive • Diffusive and non-linear • One-way • Efficient in both directions Pascal Junod -- Advanced Block Cipher Design 14 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  15. High-Level Schemes Pascal Junod -- Advanced Block Cipher Design 15 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  16. Iterated Schemes • Main principle: • Take a (rather weak) keyed permutation, i.e., a round function • Iterate this function several times, by adding new randomness • Hopefully get something more secure ! • Well illustrated e.g. by Vaudenay’s decorrelation theory (information-theoretic setting) and Tessaro et al. (computational setting) very recent results Pascal Junod -- Advanced Block Cipher Design 16 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  17. Iterated Schemes • Well-known «Zürcher» cryptographer joke: • « Most ciphers are secure after sufficiently many rounds» ( L. O’Connor) • «Most ciphers are too slow after sufficiently many rounds» (J. Massey) Pascal Junod -- Advanced Block Cipher Design 17 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  18. Feistel Scheme • Feistel Scheme (aka Feistel Network, Feistel Cipher, ...) • Named after his inventor, Horst Feistel • Scheme behind the DES • Allow to transform any (possibly non-invertible function) in a permutation Pascal Junod -- Advanced Block Cipher Design 18 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  19. Feistel Scheme • Has «provable security» properties [LubyRackoff, Patarin,...] • PRP after 3 (7) rounds 2 ) n and less than O (2 O (2 n (1 − ε ) ) ( ) queries • SPRP after 4 (10) rounds 2 ) n and less than O (2 O (2 n (1 − ε ) ) ( ) queries Pascal Junod -- Advanced Block Cipher Design 19 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  20. Generalized Feistel Schemes • Many, many different variants (see e.g. [HoangRogaway -2010]) • Rather slow diffusion Pascal Junod -- Advanced Block Cipher Design 20 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  21. Substitution Permutation Networks • Used by AES, Present, Square and many others. • Works on the full cipher width • Large body of literature available on its security towards various attacks (linear, differential, saturation, ...) Pascal Junod -- Advanced Block Cipher Design 21 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  22. Lai-Massey Scheme • High-level structure behind the IDEA cipher • Recycled e.g. by FOX • Has some provable properties (see e.g. [Vaudenay-1999]) Pascal Junod -- Advanced Block Cipher Design 22 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  23. Confusion Pascal Junod -- Advanced Block Cipher Design 23 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  24. Substitution Boxes • Substitution boxes • Non-linear mapping bits n − → m • Usual values: 3 − → 3 4 − → 4 6 − → 4 7 − → 7 8 − → 8 9 − → 9 8 − → 32 Pascal Junod -- Advanced Block Cipher Design 24 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  25. Substitution Boxes • Main criteria to look at: • DP and LP coefficients • Algebraic degree • + many, many others... Pascal Junod -- Advanced Block Cipher Design 25 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  26. Substitution Boxes • Differential (Linear) Probability coefficient • Measures the resistance of an S-box to differential (linear) cryptanalysis Pascal Junod -- Advanced Block Cipher Design 26 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  27. Substitution Boxes • Algebraic Degree • Measures the «complexity» of the Boolean equations representing the S-box • Is equal to the number of variables of the largest monomial in the polynomial representation of the S-box. Pascal Junod -- Advanced Block Cipher Design 27 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  28. Substitution Boxes • Other criteria: • No single-bit difference • Efficient Boolean representation • Efficient Boolean representation of the inverse mapping • ... Pascal Junod -- Advanced Block Cipher Design 28 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  29. Substitution Boxes • How to find «good» S-boxes ? • Three main approaches: • Random search • Algebraic construction • Iterated construction Pascal Junod -- Advanced Block Cipher Design 29 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

  30. Substitution Boxes • Random search • Plug an AES in counter mode to a Knuth shuffle • Generate random permutations • Test for your preferred criteria • Repeat the process until you are happy ! Pascal Junod -- Advanced Block Cipher Design 30 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

577 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? } k } n } n { , { , { , It is a function E of parameters k and n that maps

329 views • 17 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t

The RC6 Block Cipher: A simple f ast secure AES proposal Ronald L. Rivest MI T Mat t Robshaw RSA Labs Ray Sidney RSA Labs Yiqun Lisa Yin RSA Labs (August 21, 1998) Out line N Design Philosophy N Descr ipt ion of

421 views • 19 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides
Block ciphers What is a block cipher? Dan Boneh Block

Block ciphers What is a block cipher? Dan Boneh Block

Online Cryptography Course

1.24k views • 65 slides
CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

Block ciphers Building blocks for symmetric cryptography. M EK C Examples: DES, 3DES, AES... CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is fully specified by a k-bit key. Computer and

317 views • 4 slides

More recommend