Encryption based on Card Shuffle

Jooyoung Lee, Faculty of Mathematics and Statistics, Sejong University. October 3, 2015.


  1. Encryption based on Card Shuffle
     Jooyoung Lee, Faculty of Mathematics and Statistics, Sejong University. October 3, 2015.

  2. Block Cipher
     [Figure: block cipher $E$ with a $\kappa$-bit key $k$, $n$-bit input $u$ and $n$-bit output $v$]
     - A block cipher is a function $E : \{0,1\}^{\kappa} \times \{0,1\}^{n} \to \{0,1\}^{n}$ such that for all $k \in \{0,1\}^{\kappa}$ the mapping $E(k, \cdot)$ is a permutation on $\{0,1\}^{n}$.
     - Most block ciphers, such as DES and AES, operate on 64∼128-bit blocks.

  3. Security of Encryption Scheme: Indistinguishability
     [Figure: black box with inputs $x$, $y$ and outputs $E_k(x)/P(x)$ and $E_k^{-1}(x)/P^{-1}(x)$]
     - An adversary makes a certain number of oracle queries to the black box in two different directions.
     - Ideal World: a truly random permutation $P$.
     - Real World: a keyed block cipher $E_k$ for a random secret key $k$.
     - The adversarial goal is to tell apart the two worlds.
     - If the distinguishing advantage is small, this block cipher is said to be secure.

  4. Encryption of Data of Small Size
     - If we need to encrypt all the credit card numbers in the database as ciphertexts of the same format:
       - Data size is too small
       - Using AES?
       - A new block cipher?

  5. Feistel Network
     [Figure: four-round Feistel network mapping $(L, R)$ to $(S, T)$, each round XORing a round key $K_0, \ldots, K_3$ and applying a round function $f$]
     - Even in the case where the round function is perfectly secure (namely, truly random), the entire permutation is secure only up to $2^{n/2}$ queries for a sufficient number of rounds, where $n$ is the block size.
     - Not suitable if the data size $n$ is too small.

  6. Card Shuffle
     1. The final position of a card at a certain position (= plaintext) is viewed as the encryption of the plaintext.
     2. Card shuffle is a Markov process. Mixing time = number of rounds.
     3. Should be oblivious: one should be able to trace the trajectory of a card without attending to lots of other cards.

  7. Thorp Shuffle
     - 3-bit values represent the positions of the cards.
     - The cards at $0{*}{*}$ and $1{*}{*}$ are matched.
     - They come together, swapped or not according to the evaluation of a round function at "$**$".
     - This process is a single round of a block cipher structure.
     - Secure up to $2^{n}/n$ queries (Crypto 2009) for $O(n^{2})$ rounds.
     [Figure: card positions 000 to 111 before and after one round]

  9. Swap-or-Not Shuffle (Crypto 2012)
     - A round key $K$ ($\neq 0$) is chosen uniformly at random from $\{0,1\}^{3}$.
     - The cards at positions $x$ and $x \oplus K$ are matched.
     - They are swapped or not according to the evaluation of a round function at $\max\{x, x \oplus K\}$.
     - Secure up to $(1-\epsilon)2^{n}$ queries for any $\epsilon > 0$ for $O(n)$ rounds.
     [Figure: positions 000 to 111 matched by $\oplus K$ ($= 011$), then "Swap or Not"]

  10. Another View of the SN Shuffle
      [Figure: the set $\{0,1\}^{n}$ divided into pairs]
      1. For each element, a distinct element is chosen uniformly at random. A single pairing might determine all the other pairings.
      2. A random permutation is applied to the pair of size two. The random permutations applied to the pairs are all independent.

  11. New Construction: Partition-and-Mix
      [Figure: the set $\{0,1\}^{n}$ divided into blocks]
      1. For each element, $D-1$ distinct elements are chosen uniformly at random ($D \geq 2$). A single block might determine all the other blocks.
      2. A random permutation is applied to the set of size $D$. The random permutations applied to the blocks are all independent.

  12. New Construction: Partition-and-Mix
      Definition. Let $N, D \geq 2$ be integers such that $D \mid N$, $\varepsilon > 0$, and let $\mathcal{B}_K = \{B_K^{i}\}_{i=1,\ldots,N/D}$ be a keyed partition of $[N] = \{0, 1, \ldots, N-1\}$ into blocks of size $D$. Then $\mathcal{B}_K$ is called $\varepsilon$-almost $D$-uniform if for any set $U$ of size $D$

      $$\Pr\left[K \leftarrow_{\$} \mathcal{K} : U \in \mathcal{B}_K\right] \leq \frac{1+\varepsilon}{\binom{N-1}{D-1}}.$$

      Remark. If a partition of $[N]$ into blocks of size $D$ is chosen uniformly at random from the set of all possible partitions, then for any set $U$ of size $D$

      $$\Pr\left[U \in \mathcal{B}_K\right] = \frac{1}{\binom{N-1}{D-1}}.$$

  13. Security of the Partition-and-Mix
      Theorem. Let $\mathsf{PM}_r$ be the $r$-round partition-and-mix shuffle on $[N]$ defined by an $\varepsilon$-almost $D$-uniform keyed partition. Then
      r r 4 + 1 4 N 4 ( 1 + ε ) 2 Adv cca PM r ( q ) ≤ 4 − 1 . r r 4 ( N − q ) ( r − 4 ) D
      Result. The number of rounds is reduced by a factor of $\log_2 \frac{D}{1+\varepsilon}$ for the same level of security.

  14. Efficient Implementation of the Partition-and-Mix
      Problem. How to implement an (almost) $D$-uniform random partition for a given $D$?
      Definition. A family of permutations on $N$ elements is perfect $D$-wise independent if it acts uniformly on tuples of $D$ elements.
      Example. A keyed permutation family $g$ such that $g_{K_1,K_2}(v) = K_1 \cdot v + K_2$ is perfect 2-wise independent. Multiplication and addition are done in $GF(2^{n})$ and $K_1$ is nonzero.

  15. Partition: Using $D$-wise Independent Permutation Family
      [Figure: two copies of $\{0,1\}^{n}$, with $u$ mapped to $g^{-1}(u)$ and its block mapped back by $g$]
      1. Each element $u$ is mapped by $g^{-1}$, where $g$ is an (implicitly keyed) $D$-wise independent permutation.
      2. $g^{-1}(u)$ is contained in a certain block $V$ in a fixed partition of $\{0,1\}^{n}$.
      3. $U = g(V)$ is defined as a random block containing $u$.

  19. Example: 2-wise Independent Permutation Family
      - Suppose that the fixed partition is $\mathcal{V} = \{\{v, v+1\} : v \in \{0,1\}^{n}\}$.
      - A random permutation is defined as $g_{K_1,K_2}(v) = K_1 \cdot v + K_2$.
      - Given $u \in \{0,1\}^{n}$, $g^{-1}_{K_1,K_2}(u) = K_1^{-1} \cdot (u + K_2)$.
      - Then $u$ is paired with

        $$g_{K_1,K_2}\left(g^{-1}_{K_1,K_2}(u) + 1\right) = K_1 \cdot \left(K_1^{-1} \cdot (u + K_2) + 1\right) + K_2 = u + K_1.$$

      - Same as used in the swap-or-not shuffle.
      - Negative result: no nontrivial subgroups of $S_n$ ($n \geq 25$) which are 4-wise independent.

  20. Partition: Using Hamming Codes (3-dimension)
      [Figure: cube spanned by $K_1$, $K_2$, $K_3$]
      1. For each round, linearly independent round keys $K_1, K_2, K_3$ are chosen uniformly at random.
      2. The set $\{0,1\}^{n}$ is decomposed into the cosets of $\langle K_1, K_2, K_3 \rangle$.
      3. Two vertices on a diagonal line are randomly chosen for each coset.
      4. Each coset is again decomposed into two blocks around the vertices.

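Slides 9 and 19 in code, as an added example that is not part of the presentation: a swap-or-not cipher on 3-bit card positions, together with the affine pairing $g(g^{-1}(u)+1)$ over $GF(2^3)$ so it can be compared with $u \oplus K_1$. The field polynomial, the HMAC-based round function and round-key derivation, and all function names are assumptions made for the example.

```python
import hashlib
import hmac

N_BITS = 3          # 3-bit card positions, as on the slides
MODULUS = 0b1011    # x^3 + x + 1, an irreducible polynomial (assumed field representation)

def gf_mul(a, b):
    """Multiply in GF(2^n): shift-and-add with reduction by MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= MODULUS
    return r

def affine_partner(u, k1, k2):
    """Slide 19: u is paired with g(g^-1(u) + 1), where g(v) = K1*v + K2."""
    k1_inv = next(x for x in range(1, 1 << N_BITS) if gf_mul(k1, x) == 1)
    v = gf_mul(k1_inv, u ^ k2)        # g^-1(u) = K1^-1 * (u + K2)
    return gf_mul(k1, v ^ 1) ^ k2     # g(v + 1)

def prf(key, label, i, x=0):
    """HMAC-SHA256 as an integer; stands in for the round function (assumption)."""
    msg = label + i.to_bytes(4, "big") + x.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def derive_round_keys(key, rounds):
    """Nonzero round keys K_i; this derivation is hypothetical, not from the slides."""
    return [prf(key, b"rk", i) % ((1 << N_BITS) - 1) + 1 for i in range(rounds)]

def sn_round(x, i, k, key):
    """Slide 9: x and x XOR K are matched; swap iff F(max{x, x XOR K}) = 1."""
    partner = x ^ k
    return partner if prf(key, b"f", i, max(x, partner)) & 1 else x

def sn_encrypt(x, round_keys, key):
    for i, k in enumerate(round_keys):
        x = sn_round(x, i, k, key)
    return x

def sn_decrypt(y, round_keys, key):
    # Each round is an involution, so decryption replays the rounds in reverse.
    for i, k in reversed(list(enumerate(round_keys))):
        y = sn_round(y, i, k, key)
    return y
```

With 3-bit positions the whole codebook has eight entries, so enumerating `sn_encrypt` over `range(8)` shows directly that the shuffle is a permutation and that `sn_decrypt` inverts it.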
