deck based wide block cipher modes and an exposition of
play

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded - PowerPoint PPT Presentation

Nov 11, 2022 •217 likes •632 views

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

  1. Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15

  2. Block cipher K n n P B C ◮ Plaintext P encrypted to ciphertext C with secret key K ◮ Fixed block size 2 / 15

  3. Block cipher K n n P B C ◮ Plaintext P encrypted to ciphertext C with secret key K ◮ Fixed block size ◮ In order to encrypt variable sized messages, we need a mode of operation ◮ These modes require a nonce, which has to be stored 2 / 15

  4. Wide block cipher K ∗ ∗ P B C ◮ Alternatively, we can design a wide block cipher ◮ A wide block cipher is a block cipher with a variable block size 3 / 15

  5. Wide block cipher K ∗ ∗ P B C ◮ Alternatively, we can design a wide block cipher ◮ A wide block cipher is a block cipher with a variable block size ◮ No nonce needed, as every part of the output ideally depends on every part of the input 3 / 15

  6. Tweakable wide block cipher K W ∗ ∗ P B C ◮ A tweakable wide block cipher additionally has a tweak ◮ Tweak W public, ciphertext completely changes with a different tweak 4 / 15

  7. Tweakable wide block cipher K W ∗ ∗ P B C ◮ A tweakable wide block cipher additionally has a tweak ◮ Tweak W public, ciphertext completely changes with a different tweak ◮ Useful for e.g. disk encryption, where every sector gets its own tweak 4 / 15

  8. Our contribution We build two tweakable wide block ciphers based on two primitives: 5 / 15

  9. Our contribution We build two tweakable wide block ciphers based on two primitives: ◮ Doubly-extendable cryptographic keyed (deck) functions: ◮ Input: any size ◮ Output: arbitrarily long 5 / 15

  10. Our contribution We build two tweakable wide block ciphers based on two primitives: ◮ Doubly-extendable cryptographic keyed (deck) functions: ◮ Input: any size ◮ Output: arbitrarily long ◮ Keyed hashes: ◮ Input: any size ◮ Output: fixed size 5 / 15

  11. Our contribution We build two tweakable wide block ciphers based on two primitives: ◮ Doubly-extendable cryptographic keyed (deck) functions: ◮ Input: any size ◮ Output: arbitrarily long ◮ Keyed hashes: ◮ Input: any size ◮ Output: fixed size In contrast to block ciphers, these primitives are not necessarily invertible, which allows for a more flexible design 5 / 15

  12. Double-decker U L U R V L V R H K F K 1 W F K 2 H K X L X R Y L Y R 6 / 15

  13. Double-decker U L U R V L V R H K ◮ Generalization of Farfalle-WBC by Bertoni et al. (2017) F K 1 ◮ Feistel-like structure W F K 2 H K X L X R Y L Y R 6 / 15

  14. Double-decker U L U R V L V R H K ◮ Generalization of Farfalle-WBC by Bertoni et al. (2017) F K 1 ◮ Feistel-like structure ◮ Two keyed hashes on the outside, two deck W functions on the inside – hence the name F K 2 H K X L X R Y L Y R 6 / 15

  15. Double-decker U L U R V L V R n ∗ ∗ n H K ◮ Generalization of Farfalle-WBC by Bertoni et al. (2017) F K 1 ◮ Feistel-like structure ◮ Two keyed hashes on the outside, two deck W functions on the inside – hence the name F K 2 ◮ Outer lanes of fixed size ◮ Inner lanes of variable size H K n ∗ ∗ n X L X R Y L Y R 6 / 15

  16. Docked-double-decker T U V H K F K 1 W F K 2 H K X Y Z 7 / 15

  17. Docked-double-decker T U V H K ◮ Variant of double-decker ◮ One lane less F K 1 W F K 2 H K X Y Z 7 / 15

  18. Docked-double-decker T U V n ∗ n H K ◮ Variant of double-decker ◮ One lane less F K 1 ◮ Outer lanes of fixed size W ◮ Inner lane of variable size F K 2 H K n ∗ n X Y Z 7 / 15

  19. Docked-double-decker T U V n ∗ n H K ◮ Variant of double-decker ◮ One lane less F K 1 ◮ Outer lanes of fixed size W ◮ Inner lane of variable size F K 2 ◮ Deck functions get fixed sized input, so they conceptually become stream ciphers H K n ∗ n X Y Z 7 / 15

  20. XOR-universality ◮ A keyed hash H is ε -XOR-universal if for all x � = x ′ and y P [ H K ( x ) ⊕ H K ( x ′ ) = y ] � ε 8 / 15

  21. XOR-universality ◮ A keyed hash H is ε -XOR-universal if for all x � = x ′ and y P [ H K ( x ) ⊕ H K ( x ′ ) = y ] � ε ◮ This conventional property only considers the XOR-difference between a single query pair 8 / 15

  22. XOR-universality ◮ A keyed hash H is ε -XOR-universal if for all x � = x ′ and y P [ H K ( x ) ⊕ H K ( x ′ ) = y ] � ε ◮ This conventional property only considers the XOR-difference between a single query pair � q ◮ For q queries the bound becomes � ε 2 8 / 15

  23. XOR-universality ◮ A keyed hash H is ε -XOR-universal if for all x � = x ′ and y P [ H K ( x ) ⊕ H K ( x ′ ) = y ] � ε ◮ This conventional property only considers the XOR-difference between a single query pair � q ◮ For q queries the bound becomes � ε 2 ◮ However: ◮ ε is the worst-case bound on all possible x � = x ′ ◮ For some functions not all query pairs have similar probabilities 8 / 15

  24. Blinded keyed hash ◮ We consider blinded keyed hash (bkh) security to achieve a more accurate estimate when multiple queries are taken into account 9 / 15

  25. Blinded keyed hash ◮ We consider blinded keyed hash (bkh) security to achieve a more accurate estimate when multiple queries are taken into account ◮ The keyed hash function H is bkh secure if it is indistinguishable in the following setup ∆ X H K RO 1 RO 2 X ∆ 9 / 15

  26. Example: Xoofffie Xoofffie XOR-universal bkh 2 − 127 2 − 127 single query tuple � q � · 2 − 127 q · 2 − 128 q queries 2 ◮ Red bounds are claimed, black bound follows from XOR-universality 10 / 15

  27. Example: Xoofffie Xoofffie XOR-universal bkh 2 − 127 2 − 127 single query tuple � q � · 2 − 127 q · 2 − 128 q queries 2 ◮ Red bounds are claimed, black bound follows from XOR-universality ◮ Using Xoofffie as XOR-universal hash: claimed security guarantee of 64 bits ◮ Using Xoofffie as bkh: claimed security guarantee of 128 bits 10 / 15

  28. Security results ◮ We cannot apply the bkh model directly to our construction ◮ The real difficulty is to reduce to the bkh model ◮ For XOR-universality this was trivial 11 / 15

  29. Security results ◮ We cannot apply the bkh model directly to our construction ◮ The real difficulty is to reduce to the bkh model ◮ For XOR-universality this was trivial ◮ We show that the double-deckers are secure when: ◮ The keyed hash H is bkh secure ◮ The deck function F is prf secure 11 / 15

  30. Security results ◮ We cannot apply the bkh model directly to our construction ◮ The real difficulty is to reduce to the bkh model ◮ For XOR-universality this was trivial ◮ We show that the double-deckers are secure when: ◮ The keyed hash H is bkh secure ◮ The deck function F is prf secure ◮ Furthermore, by applying the tweak to the deck functions the bound of H becomes tweak-separated ◮ Deck functions behave independently for different tweaks ◮ Significantly improves security bound for certain settings 11 / 15

  31. Power of tweak-separation ◮ Consider a ε -XOR-universal keyed hash function H ◮ Consider q queries and q W queries with tweak W loss on H naive actual � q � general bound ε 2 � q � one tweak ε 2 � q � no tweak repetitions ε 2 12 / 15

  32. Power of tweak-separation ◮ Consider a ε -XOR-universal keyed hash function H ◮ Consider q queries and q W queries with tweak W loss on H naive actual � q � q W � � � general bound ε ε 2 W 2 � q � q � � one tweak ε ε 2 2 � q � no tweak repetitions 0 ε 2 12 / 15

  33. Applying to disk encryption on SSDs ◮ Double-decker is very suitable for disk encryption ◮ Disks are separated in sectors ◮ Block size is equal to the sector size ◮ Physical sector number used as tweak 13 / 15

  34. Applying to disk encryption on SSDs ◮ Double-decker is very suitable for disk encryption ◮ Disks are separated in sectors ◮ Block size is equal to the sector size ◮ Physical sector number used as tweak ◮ The sectors in SSDs have a limited lifetime as they get damaged every time data is written ◮ The Kingston UV500 960 GB has N = 2 28 sectors, where every sector can be written at most ≈ 500 times 13 / 15

  35. Applying to disk encryption on SSDs ◮ Double-decker is very suitable for disk encryption ◮ Disks are separated in sectors ◮ Block size is equal to the sector size ◮ Physical sector number used as tweak ◮ The sectors in SSDs have a limited lifetime as they get damaged every time data is written ◮ The Kingston UV500 960 GB has N = 2 28 sectors, where every sector can be written at most ≈ 500 times � 500 N ε ≈ 2 74 ε ≪ 1 ◮ Without tweak-separation secure when 2 � 2 � 500 ε ≈ 2 46 ε ≪ 1 ◮ With tweak-separation this improves to 2 N � 2 13 / 15

  36. Comparison with Adiantum U V T U V n ∗ n ∗ n H K H K F K 1 B K 1 W W F K 2 F K 2 H K H K n ∗ n ∗ n X Y Z X Y Adiantum (FSE 2019) Docked-double-decker 14 / 15

  37. Conclusion ◮ We introduced (docked-)double-decker, two tweakable wide block ciphers based on deck functions and keyed hash functions 15 / 15

  38. Conclusion ◮ We introduced (docked-)double-decker, two tweakable wide block ciphers based on deck functions and keyed hash functions ◮ We also introduced the security model bkh for keyed hashes as a generalization of XOR-universality 15 / 15

Recommend

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Information Security 1 Basic Ciphers Shift Cipher Brute&force attack can easily break Substitution Cipher Frequency

571 views • 35 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Clarification about attacker power Block ciphers used to encode messages longer than block size

Clarification about attacker power Block ciphers used to encode messages longer than block size

ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Clarification about attacker power Block ciphers used to encode messages longer than block size In security

405 views • 4 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

655 views • 44 slides
Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Block cipher modes Generic Encryption Mode Our Approach Our Hoare Logic Result Conclusion Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit

663 views • 35 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in 30th Sept, ASK-2015, NTU, Singapore Symmetric Key Primitives Distinguishing Game Distinguishing a real keyed

588 views • 33 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
H were created in the late 18th and 19th centuries; they federated and became the Commonwealth

H were created in the late 18th and 19th centuries; they federated and became the Commonwealth

Introduction Iterated hash functions Based on number-theoretic problems Block cipher constructions Introduction Iterated hash functions Based on number-theoretic problems Block cipher constructions 1 Introduction On the Design of Hash

324 views • 8 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides

More recommend