caesar candidate icepole
play

CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat - PowerPoint PPT Presentation

Nov 14, 2022 •232 likes •528 views

Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary . CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat Homsirikamol 3 , Krystian Matusiewicz 4 , Josef Pieprzyk 5 , 6 , Marcin Rogawski

  1. Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary . CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat Homsirikamol 3 , Krystian Matusiewicz 4 , Josef Pieprzyk 5 , 6 , Marcin Rogawski 7 , Marian Srebrny 1 , 2 , and Marcin Wojcik 8 Polish Academy of Sciences, Poland 1 ; University of Commerce, Poland 2 ; George Mason University, USA 3 ; Intel, Gdansk, Poland 4 ; Queensland University of Technology, Australia 5 ; Macquarie University, Australia 6 ; Cadence Design Systems, USA 7 ; University of Bristol, United Kingdom 8 DIAC 2014: Directions in Authenticated Ciphers DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 1 / 29

  2. Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary Co-authors DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 2 / 29

  3. Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary Outline 1 Introduction and Motivation 2 Icepole Design 3 Security Analysis 4 HW and SW Performance 5 Summary DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 3 / 29

  4. Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary Introduction and Motivation Multiple Internet protocols require authenticated encryption: IPSec/TLS/SSL etc. High-speed hardware-oriented cipher with authentication, more efficient that AES-GCM Existing frameworks/strategies for provably secure cryptographic schemes (e.g.: Sponge Construction etc.) CAESAR competition DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 4 / 29

  5. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE 101 based on duplex framework introduced by Bertoni et al. ”Duplexing the sponge: (...)” Cryptology ePrint archive 2011/499 high-speed hardware-oriented ICEPOLE permutation is the heart of our design family of authenticated encryption schemes with three parameters: key, nonce and SMN primary recommendation: ICEPOLE-128: 128-bit key and 128-bit nonce DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 5 / 29

  6. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Encryption and Tag Generation - Overview c o c n key || nonce σ SMN σ AD σ P T pad pad pad P P P P 6 6 12 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 6 / 29

  7. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Internal State Organization 1280-bit internal state S organized into dwo-dimensional array S [4][5] each element of array is a 64-bit word S [ x ][ y ][ z ] refers to the bit z in the row x and the column y the mapping between a vector V and the S : V [64( x + 4 y ) + z ] = S [ x ][ y ][ z ] DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 7 / 29

  8. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Round and P6, P12 Permutations R = κ ◦ ψ ◦ π ◦ ρ ◦ µ ICEPOLE Permutations P6 - 6 rounds of ICEPOLE permutation P12 - 12 rounds of ICEPOLE permutation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 8 / 29

  9. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Transformation: µ       2 1 1 1 Z 0 2 Z 0 + Z 1 + Z 2 + Z 3 1 1 18 2 Z 0 + Z 1 + 18 Z 2 + 2 Z 3 Z 1        =       1 2 1 18 Z 2 Z 0 + 2 Z 1 + Z 2 + 18 Z 3      1 18 2 1 Z 0 + 18 Z 1 + 2 Z 2 + Z 3 Z 3 GF(2 5 ) multiplication modulo x 5 + x 2 + 1 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 9 / 29

  10. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Round R = κ ◦ ψ ◦ π ◦ ρ ◦ µ DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 10 / 29

  11. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Transformation: ρ 63 2 3 6 0 1 2 3 4 5 S [ x ][ y ] := S [ x ][ y ] n offsets[ x ][ y ] for all (0 ≤ x ≤ 3) , (0 ≤ y ≤ 4) o ff sets[0][0] := 0 o ff sets[0][1] := 36 o ff sets[0][2] := 3 o ff sets[0][3] := 41 o ff sets[0][4] := 18 o ff sets[1][0] := 1 o ff sets[1][1] := 44 o ff sets[1][2] := 10 o ff sets[1][3] := 45 o ff sets[1][4] := 2 o ff sets[2][0] := 62 o ff sets[2][1] := 6 o ff sets[2][2] := 43 o ff sets[2][3] := 15 o ff sets[2][4] := 61 o ff sets[3][0] := 28 o ff sets[3][1] := 55 o ff sets[3][2] := 25 o ff sets[3][3] := 21 o ff sets[3][4] := 56 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 11 / 29

  12. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Round R = κ ◦ ψ ◦ π ◦ ρ ◦ µ DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 12 / 29

  13. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Transformation: π x 0 := ( x + y ) mod 4 y 0 := ((( x + y ) mod 4) + y + 1) mod 5 π reorders the words in the state S ′ ][ y ′ ] ← π ( S [ x ][ y ]) S [ x DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 13 / 29

  14. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Round R = κ ◦ ψ ◦ π ◦ ρ ◦ µ DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 14 / 29

  15. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Transformation ψ for all (0 ≤ k ≤ 4) Z k = M k ⊕ ( ¬ M k +1 M k +2 ) ⊕ ( M 0 M 1 M 2 M 3 M 4 ) ⊕ ( ¬ M 0 ¬ M 1 ¬ M 2 ¬ M 3 ¬ M 4 ) ICEPOLE S-box The S-box maps a 5-bit input vector ( M 0 , ... M 4 ) to a 5-bit output vector ( Z 0 , ... Z 4 ) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 15 / 29

  16. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary ICEPOLE Round R = κ ◦ ψ ◦ π ◦ ρ ◦ µ DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 16 / 29

  17. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Transformation: κ S [0][0] := S [0][0] ⊕ constant[numberOfRound] ICEPOLE Constants The constant values are taken as the output of a simple 64-bit maximum-cycle Linear Feedback Shift Register (LFSR). The polynomial representation of LFSR is x 64 + x 63 + x 61 + x 60 + 1. The LFSR seed 0123456789ABCDEF each cycle generates a subsequent constant. DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 17 / 29

  18. Introduction and Motivation Icepole Design ICEPOLE 101 Security Analysis Basic Ingredients of ICEPOLE HW and SW Performance High Level View Summary Decryption and Tag Generation c o c n key || nonce σ AD σ SMN σ P T pad pad pad P P P P 6 6 12 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 18 / 29

  19. Introduction and Motivation Icepole Design Security Analysis ICEPOLE Security HW and SW Performance Summary ICEPOLE Security (Parameters) ICEPOLE is based on the duplex construction - parameters: r (bitrate) and c (capacity) ICEPOLE-128: r=1026 bits and c=256 bits (up to 2 126 blocks) ICEPOLE-256: r=962 bits and c=318 bits (up to 2 62 blocks) Security level proven, unless permuation is unsecure SKEW’11: Bertoni et al. in ”On the security of the keyed sponge construction” proved that if the data complexity is limited to 2 a r -bit blocks, the keyed mode withstands generic attacks with time complexity up to 2 c − a calls of the underlying permutation. If a < c / 2, this results in an increase of the security strength from c / 2 to c − a . DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 19 / 29

  20. Introduction and Motivation Icepole Design Security Analysis ICEPOLE Security HW and SW Performance Summary Nonce Requirement ICEPOLE requires a nonce In case of nonce reuse, some level of intermediate robustness provided by secret message number and associated data (if distinct) In case of violating all nonce-like mechanisms (nonce reused, secret message number reused, the same associated data), security claims do not hold (recent analysis by Tao Huang, Hongjun Wu, Ivan Tjuawinata) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 20 / 29

Recommend

* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

* Dr. Axel Voigt (voigt@caesar.de) research center caesar crystal growth group

AMDiS Adaptive Multidimensional simulations: Parallel Concepts Parallel Concepts Christina Stcker (stoecker@caesar.de), Dr. Angel Ribalta (ribalta@caesar.de), Simon Vey (vey@caesar.de), * Dr. Axel Voigt (voigt@caesar.de) research

806 views • 23 slides
CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals Online Parallelizable Software oriented Decryption-misuse resistant, unverified plaintext release Nonce-misuse resistant, or

180 views • 15 slides
Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists Daniel J. Bernstein CAESAR timeline planned in 2012 2013.01: Announce tentative schedule. 2014.01: Deadline for first-round submissions.

527 views • 10 slides
BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

BUILDING STRONG The Friends of Caesar Creek is hosted at the Visitor Center and conducts its

Friends of Caesar Creek is a not-for-profit volunteer organization dedicated to educating the public about the natural resources of the Caesar Creek Lake Region. They support the educational, scientific, and historical activities of the region

497 views • 18 slides
Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438

Layering CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438 Outline Last time: low-level plumbing Today: top-down architecting of the Internet Goals Layering Protocols The end-to-end

946 views • 58 slides
The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers

The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers

The Candidate Experience What is Candidate Experience? Candidate Experience How job seekers perceive an organizations recruitment process This includes everything from initial sourcing, recruiting, interviewing, hiring, and even

537 views • 31 slides
Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2

Ascon (A Submission to CAESAR) Ch. Dobraunig 1 , M. Eichlseder 1 , F. Mendel 1 , M. Schl affer 2 1 IAIK, Graz University of Technology, Austria 2 Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of

639 views • 25 slides
Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus

Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus

Information Retrieval Lecture 1 Query Which plays of Shakespeare contain the words Brutus Brutus AND Caesar Caesar but NOT Calpurnia Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar, Brutus Caesar, then strip

563 views • 40 slides
Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Media CS 438: Spring 2014 Instructor: Matthew Caesar http://www.cs.illinois.edu/~caesar/cs438 2 Today: Physical Media Networks are made up of devices and communication links Devices and links can be physically threatened

1.01k views • 75 slides
1 Cant build the matrix Inverted index Term Doc # Documents are parsed to extract words

1 Cant build the matrix Inverted index Term Doc # Documents are parsed to extract words

Query Information Retrieval (IR) Which plays of Shakespeare contain the words Brutus AND Caesar but NOT Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar then strip out lines containing Calpurnia ? Slow (for

213 views • 10 slides
1 Cant build the matrix Inverted index Documents are parsed to extract words Term Doc #

1 Cant build the matrix Inverted index Documents are parsed to extract words Term Doc #

Query Information Retrieval (IR) Which plays of Shakespeare contain the words Brutus AND Caesar but NOT Calpurnia ? Could grep all of Shakespeares plays for Brutus and Caesar then strip out lines containing Calpurnia ? Based on slides

419 views • 10 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

Introduction CAESAR Competition TriviA : A Streamcipher Based AE Scheme Hardware Implementation of TriviA ELmD : A Blockcipher Based AE Scheme An Overview of CAESAR Mridul Nandi Indian Statistical Institute, Kolkata SEPTEMBER 2016

812 views • 48 slides
Candidate 1 (11:10am) Transcript of Presentation and Q&amp;A Session (Name of candidate and

Candidate 1 (11:10am) Transcript of Presentation and Q&amp;A Session (Name of candidate and

TPS Executive Director Search: Member Forum 7/17/17 Candidate 1 (11:10am) Transcript of Presentation and Q&amp;A Session (Name of candidate and identifying information has been removed from this transcript by the request of the final

218 views • 8 slides
0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I

0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I

Temporal Logic: The Lesser of Three Evils Leslie Lamport Microsoft Research 0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I Started Making sure my concurrent algorithms were right. Proving the

1.49k views • 112 slides
Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

Ethernet CS/ECE 438: Spring 2014 Instructor: Matthew Caesar http://courses.engr.illinois.edu/cs438/ Some History Ethernet was invented as a broadcast technology Each packet received by all attached hosts Easy to set up, cheap to

1.57k views • 123 slides
2019 Candidate Filing Workshop Are you ready to file? Candidate Guide &amp; Drive Filing

2019 Candidate Filing Workshop Are you ready to file? Candidate Guide &amp; Drive Filing

2019 Candidate Filing Workshop Are you ready to file? Candidate Guide &amp; Drive Filing Week May 13-17, 2019 Voters Pamphlet Deadlines Additional Candidate Information 2019 Candidate Guide 2019 Election Calendar Filing

420 views • 24 slides
Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael

908 views • 53 slides
An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of

An Alterna)ve Approach to Hardware Benchmarking of CAESAR Candidates Based on the Use of High-Level Synthesis Tools Ekawat Homsirikamol and Kris Gaj George Mason University USA Based on work partially supported by the National Science

775 views • 50 slides
Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3 ciphertext as numbers: 28 17 17 ciphertext: C R R Groupwork 1. Log into our discord server. 2. Leave yourself muted on the main zoom call; I

434 views • 31 slides
Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M.

Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M.

Towards a Next- Generation Inter-domain Routing Protocol L. Subramanian, M. Caesar, C.T. Ee, M. Handley , Z. Mao, S. Shenker, and I. Stoica Routing 1999 Internet Map Coloured by ISP Source: Bill Cheswick, Lumeta AS-level Topology 2003

946 views • 37 slides
Physical Layer CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Layer CS 438: Spring 2014 Instructor: Matthew Caesar

Physical Layer CS 438: Spring 2014 Instructor: Matthew Caesar http://courses.engr.illinois.edu/cs438/ Course Outline ~ Apr 16 Application L7 ~ Mar 21 L4 Transport ~ Feb 26 L3 Network ~ Feb 15 L2 Data link Today L1 Physical

910 views • 86 slides
Caesar had his Brutus, Charles the First his Cromwell, and George the Third [at this point the

Caesar had his Brutus, Charles the First his Cromwell, and George the Third [at this point the

Caesar had his Brutus, Charles the First his Cromwell, and George the Third [at this point the speaker is interrupted with cries of Treason!] may profit by their example. If this be treason, make the most of it. P ATRICK H ENRY A

358 views • 7 slides
IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar http://courses.engr.illinois.edu/cs438/ Internet Routing So far, only considered routing within a domain Many issues can be ignored in this setting because

1.25k views • 75 slides

More recommend