generating a fixed number of masks with word permutations
play

Generating a Fixed Number of Masks with Word Permutations and XORs - PowerPoint PPT Presentation

Aug 08, 2023 •276 likes •658 views

Generating a Fixed Number of Masks with Word Permutations and XORs Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation DIAC 2013, Directions in Authenticated Ciphers August 12, 2013, Chicago, USA 1 Overview Masks are frequently

  1. Generating a Fixed Number of Masks with Word Permutations and XORs Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation DIAC 2013, Directions in Authenticated Ciphers August 12, 2013, Chicago, USA 1

  2. Overview • Masks are frequently used in designs of blockcipher ‐ based MACs and AEADs • Some of them use many masks (the number depends on the input length) – Examples: PMAC (MAC), OCB (AEAD) • Others use a fixed number of masks – Examples: CMAC (MAC), EAX (AEAD) • In many cases, multiplications over GF(2 n ) are used – Gray code, multiplications with a constant over a prime field,… – allow an easy and clean security proof – efficient 2

  3. Overview • We show that word permutations and XORs can be used to generate a fixed number of masks – can be more efficient depending on the environment • similar to a word ‐ oriented LFSR – focus on CMAC and EAX – can be an option in your design • [Note] A part of the results will appear in [MiLuIw13] – this talk reviews the approach in [MiLuIw13] and presents new concrete examples [MiLuIw13] Minematsu, Lucks, Iwata. Improved Authenticity Bound of EAX, and Refinements. ProvSec 2013, to appear. 3

  4. Masks • used to “tweak” the input of a blockcipher – often XOR is used – depends on the key – sometimes they are used for the output as well X X ∆ ∆ E K E K ∆ Y Y 4

  5. OCB [RoBeBlKr01, Ro04, KrRo11] ∆← Init(N) ∆← Inc 1 ( ∆ ) ∆← Inc 2 ( ∆ ) ∆← Inc 3 ( ∆ ) ∆← Inc m ( ∆ ) ∆← Inc $ ( ∆ ) M[1] M[2] M[m] CheckSum M[3] ∆ ∆ ∆ ∆ ∆ ∆ … E K E K E K E K E K ∆ ∆ ∆ ∆ Auth C[1] C[2] C[m] C[3] Tag • Gray code, XOR with a pre ‐ computed value • The number of masks depends on the input length 5

  6. CMAC [NIST SP 800 ‐ 38B] M[1] M[2] M[m ‐ 1] M[m] || 10…0 M[3] 2L or … 4L E K E K E K E K E K CMAC K (M) • MAC, variable ‐ input length PRF • L=E K (0 n ) • 2L: “doubling” of L in GF(2 n ) • 4L: 2(2L) 6

  7. CMAC [NIST SP 800 ‐ 38B] M[1] M[2] M[m ‐ 1] M[m] || 10…0 M[3] X or … Y E K E K E K E K E K CMAC K (M) • X=2L, Y=4L 7

  8. Six Conditions on X and Y • For any n ‐ bit constant c and sufficiently small � , if L is randomly chosen • These six conditions are sufficient for CMAC being a secure PRF 8

  9. Six Conditions on X and Y • with X=2L and Y=4L where � =1/2 n 9

  10. Breaking L into Words • block length: n bits • word length: w bits • w=n/4 (e.g., (n,w)=(128,32), (64,16)) • L=(L 1 ,L 2 ,L 3 ,L 4 ) • L [1..4] =L 1 xor L 2 xor L 3 xor L 4 10

  11. Breaking L into Words • block length: n bits • word length: w bits • w=n/4 (e.g., (n,w)=(128,32), (64,16)) • L=(L 1 ,L 2 ,L 3 ,L 4 ) • L [1..4] =L 1 xor L 2 xor L 3 xor L 4 • It works 11

  12. Breaking L into Words • M X and M Y are 4 x 4 matrices over GF(2 n/4 ) • full rank 12

  13. Breaking L into Words the identity matrix • All six matrices are full rank • for each condition, one value of L satisfies the equality, � =1/2 n 13

  14. Breaking L into Words • with (n+n/4) ‐ bit memory – store L and L [1..4] – masks are obtained by a word permutation only • with n ‐ bit memory – store L – masks are obtained by a word permutation and three XORs 14

  15. EAX [BeRoWa04] N (nonce) M (plaintext) H (header) CMAC[0] CMAC[1] N (IV for CTR) CTR mode encryption C (ciphertext) CMAC[2] CMAC[t]: tweaked CMAC T (tag) 15

  16. Tweaked CMAC in EAX 0 or 1 or 2 M[1] M[m ‐ 1] M[m] || 10…0 M[2] (in binary) 2L or … 4L E K E K E K E K E K CMAC[t] K (M) CMAC[0], CMAC[1], CMAC[2] 16

  17. Tweaked CMAC in EAX M[1] M[m ‐ 1] M[m] || 10…0 M[2] E K (0 n ) or 2L E K (0 n ‐ 1 1) or … or 4L E K (0 n ‐ 2 10) E K E K E K E K CMAC[t] K (M) CMAC[0], CMAC[1], CMAC[2] 17

  18. Tweaked CMAC in EAX M[1] M[m ‐ 1] M[m] || 10…0 M[2] A or X B or … or Y C E K E K E K E K CMAC[t] K (M) 18

  19. A, B, C, X, and Y Are Masks • can be pre ‐ computed and stored in memory to optimize the efficiency – three blockcipher calls for pre ‐ computation – masks are sensitive information (should not be disclosed) – memory can be costly • resource constrained devices – EAX ‐ prime [ANSI C12.22] • a slightly modified version of EAX • proposed to reduced the pre ‐ computation complexity or memory cost • insecure 19

  20. A, B, C, X, and Y Are Masks • a fixed number of (five) masks • desirable to efficiently obtain the five masks from a small amount of memory in any order – no need to sequentially generate them – unlike word ‐ oriented LFSRs 20

  21. Twenty Four Conditions [MiLuIw13] • A, B, C, X, Y are functions of L • For any n ‐ bit constant c and sufficiently small � , if L is randomly chosen • These twenty four conditions are sufficient for EAX being a secure AEAD 21

  22. Case w=n/4 for EAX (1) [MiLuIw13] • the first four elements of rotations of (L 1 ,L 2 ,L 3 ,L 4 ,L [1..4] ) – L=(L 1 ,L 2 ,L 3 ,L 4 ), L [1..4] =L 1 xor L 2 xor L 3 xor L 4 • All twenty four matrices are full rank 22

  23. Case w=n/4 for EAX (1) [MiLuIw13] • with (n+n/4) ‐ bit memory – store L=E K (0 n ) and L [1..4] – masks are obtained by a word permutation only • with n ‐ bit memory – store L – masks are obtained by a word permutation and three XORs 23

  24. Case w=n/4 for EAX (2) [MiLuIw13] • L [a,b] =L a xor L b • All twenty four matrices are full rank • Searched for (limited) space, picked one that “looks good” – small memory to implement, small number of XORs • X and Y can be used for CMAC as well 24

  25. Case w=n/4 for EAX (2) [MiLuIw13] • with (n+2 x n/4) ‐ bit memory – store L and L [1,2] and L [3,4] – masks are obtained by a word permutation only • with n ‐ bit memory – store L – masks are obtained by a word permutation and two XORs 25

  26. So Far, w=n/4 • w=n/4 – (n,w)=(128,32), (64,16) • w=n/8 – (n,w)=(128,16), (64,8) • w=n/16 – (n,w)=(128,8) 26

  27. Case w=n/8 for EAX (1) • applied the previous method (of using L [1..4] =L 1 xor L 2 xor L 3 xor L 4 ) to (L 1 ,L 2 ,L 3 ,L 4 ) and (L 5 ,L 6 ,L 7 ,L 8 ) independently • All twenty four matrices are full rank • X and Y can be used for CMAC 27

  28. Case w=n/8 for EAX (1) • applied the previous method (of using L [1..4] =L 1 xor L 2 xor L 3 xor L 4 ) to (L 1 ,L 2 ,L 3 ,L 4 ) and (L 5 ,L 6 ,L 7 ,L 8 ) independently • All twenty four matrices are full rank • X and Y can be used for CMAC 28

  29. Case w=n/8 for EAX (1) • with (n+2 x n/8) ‐ bit memory – store L and L [1..4] and L [5..8] – masks are obtained by a word permutation only • with n ‐ bit memory – store L – masks are obtained by a word permutation and six XORs 29

  30. Case w=n/8 for EAX (1) • can be used for the cases w=n/4j for any j � 1 – break L into (L 1 ,L 2 ,…,L 4j ) – apply to (L 1 ,L 2 ,L 3 ,L 4 ), (L 5 ,L 6 ,L 7 ,L 8 ),…,(L 4j ‐ 3 ,L 4j ‐ 2 ,L 4j ‐ 1 ,L 4j ) independently 30

  31. Case w=n/8 for EAX (2) • applied the previous method (of using L [a,b] =L a xor L b ) to (L 1 ,L 2 ,L 3 ,L 4 ) and (L 5 ,L 6 ,L 7 ,L 8 ) independently • All twenty four matrices are full rank • X and Y can be used for CMAC 31

  32. Case w=n/8 for EAX (2) • with (n+4 x n/8) ‐ bit memory – store L and L [1,2] and L [3,4] and L [5,6] and L [7,8] – masks are obtained by a word permutation only • with n ‐ bit memory – store L – masks are obtained by a word permutation and four XORs 32

  33. Case w=n/8 for EAX • Interestingly, taking the first eight elements of the rotations of (L 1 ,…,L 8 ,L [1..8] ) does not work • X and Y do not work for CMAC 33

  34. Case w=n/16 for EAX (1) • Taking the first sixteen elements of the rotations of (L 1 ,…,L 16 ,L [1..16] ) works • a word permutation only with (n+n/16) ‐ bit memory – store L and L [1..16] • with n ‐ bit memory, 15 XORs are needed (if we store L) • X and Y work for CMAC 34

  35. Case w=n/16 for EAX (2) • Construction that “looks good” (from searching limited space) • a word permutation only if (n+4 x n/16) ‐ bit memory – store L and L [1,2] and L [2,3] and L [3,4] and L [4,5] • with n ‐ bit memory – store L – masks are obtained by a word permutation and four XORs 35

  36. Summary of Mask Generation for EAX • w=n/4 Perm. only if with n ‐ bit memory ref. (1) n + n/4 permutation + three XORs [MiLuIw13] (2) n + 2 x n/4 permutation + two XORs [MiLuIw13] • w=n/8 Perm. only if with n ‐ bit memory (1) n + 2 x n/8 permutation + six XORs (2) n + 4 x n/8 permutation + four XORs • w=n/16 Perm. only if with n ‐ bit memory (1) n + n/16 permutation + 15 XORs (2) n + 4 x n/16 permutation + four XORs 36

  37. Summary • Considered a problem of generating a fixed number of masks used in CMAC and EAX • Demonstrated that the approach can be used to reduce the pre ‐ computation complexity or memory cost with various word lengths • Optimality of the examples in this talk is open, but generating examples is not hard (just to see if the matrices are full rank) – how we can obtain good constructions is open • can be an option in your design – formalizing the sufficient conditions may not be easy 37

Recommend

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by

JUST THE MATHS SLIDES NUMBER 19.2 PROBABILITY 2 (Permutations and combinations) by A.J.Hobson 19.2.1 Introduction 19.2.2 Rules of permutations and combinations 19.2.3 Permutations of sets with some objects alike UNIT 19.2 -

400 views • 11 slides
Masks Masks Masks play a part in almost every culture on the planet from ancient Aztec, medieval

Masks Masks Masks play a part in almost every culture on the planet from ancient Aztec, medieval

Masks Masks Masks play a part in almost every culture on the planet from ancient Aztec, medieval European festivals, Japanese opera and American horror films. Masks Throughout history masks have had many different uses. How many different

813 views • 24 slides
Layered permutations and rational generating functions Anders Bjrner Department of Mathematics

Layered permutations and rational generating functions Anders Bjrner Department of Mathematics

Layered permutations and rational generating functions Anders Bjrner Department of Mathematics Kungliga Tekniska Hgskolan S-100 44 Stockholm, SWEDEN and Bruce Sagan Department of Mathematics Michigan State University East Lansing, MI

1.23k views • 84 slides
Enumeration of Pin-Permutations Fr ed erique Bassino Mathilde Bouvel Dominique Rossin ees

Enumeration of Pin-Permutations Fr ed erique Bassino Mathilde Bouvel Dominique Rossin ees

Enumeration of Pin-Permutations Fr ed erique Bassino Mathilde Bouvel Dominique Rossin ees AL Journ EA 2009 liafa Introduction Pin-permutations Decomposition tree Characterization Generating function Conclusion Main result of

665 views • 40 slides
Masks Why were masks made? Traditionally for spiritual reasons Celebrations Ceremonies

Masks Why were masks made? Traditionally for spiritual reasons Celebrations Ceremonies

What are African Masks? African Masks Why were masks made? Traditionally for spiritual reasons Celebrations Ceremonies Initiations (when a young person becomes a member of the adult community) To bring peace in troubled times

431 views • 11 slides
On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima

Introduction Sorting signed permutations Conclusion On the average number of reversals needed to sort signed permutations 1 Thaynara Arielly de Lima & 1 , 2 Mauricio Ayala-Rinc on atica 1 & Ci ao 2 Departamentos de Matem encia

795 views • 46 slides
Computer Vision Lecture 5: Edges, binary images and blobs Last lecture Convolution masks as

Computer Vision Lecture 5: Edges, binary images and blobs Last lecture Convolution masks as

Computer Vision Lecture 5: Edges, binary images and blobs Last lecture Convolution masks as templates Convolution masks as point-spread functions Special masks: simple differencing masks centre-surround masks averaging

512 views • 13 slides
WORD EQUATIONS WITH A FIXED VECTOR OF LENGTHS Ji Skora Department of Algebra Faculty of

WORD EQUATIONS WITH A FIXED VECTOR OF LENGTHS Ji Skora Department of Algebra Faculty of

WORD EQUATIONS WITH A FIXED VECTOR OF LENGTHS Ji Skora Department of Algebra Faculty of Mathematics and Physics Charles University in Prague June 20, 2014 Ji Skora WORD EQUATIONS WITH A FIXED VECTOR OF Word equations Two

586 views • 39 slides
Optimal word-length allocation for the fixed-point implementation of linear filters and

Optimal word-length allocation for the fixed-point implementation of linear filters and

Introduction Fixed-Point implementation Word-length optimization under accuracy constraint Conclusions Optimal word-length allocation for the fixed-point implementation of linear filters and controllers Thibault Hilaire , Hacne Ouzia and

847 views • 48 slides
Water masks from Sentinel-1 : Why ? dynamic water masks (every 12 days) : all weather, night

Water masks from Sentinel-1 : Why ? dynamic water masks (every 12 days) : all weather, night

A step towards the automated production of Water Masks from Sentinel-1 SAR images Pierre Fabry, Nicolas Bercher Brest & Toulouse, France Water masks from Sentinel-1 : Why ? dynamic water masks (every 12 days) : all weather, night and

903 views • 54 slides
Generating trees for permutations avoiding generalized patterns Sergi Elizalde Dartmouth College

Generating trees for permutations avoiding generalized patterns Sergi Elizalde Dartmouth College

Generating trees for permutations avoiding generalized patterns Sergi Elizalde Dartmouth College Permutation Patterns 2006, Reykjavik Permutation Patterns 2006, Reykjavik p.1 Generating trees for permutations avoiding generalized patterns

868 views • 61 slides
Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin

Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin

Background Generating Trees Quarter Turn Baxter Permutations Kevin Dilks North Dakota State University June 26, 2017 Kevin Dilks Quarter Turn Baxter Permutations Background Generating Trees Outline Background 1 Generating Trees 2

1.07k views • 58 slides
Too Small to Fail Tackling the Word Gap The 30 Million Word Gap: Its not just the number of

Too Small to Fail Tackling the Word Gap The 30 Million Word Gap: Its not just the number of

Too Small to Fail Tackling the Word Gap The 30 Million Word Gap: Its not just the number of words New research has found that by age 2, a 6 month gap in language development is apparent. The vocabulary that a child has by the age of 4 is one of

356 views • 12 slides
The issues with Face Masks All types of medical masks essentially functioned as a low-pass

The issues with Face Masks All types of medical masks essentially functioned as a low-pass

The issues with Face Masks All types of medical masks essentially functioned as a low-pass acoustic filter for speech, attenuating the high frequencies (2000-7000 Hz) spoken by the wearer by 3 to 4 dB for a simple medical mask

169 views • 5 slides
i radix point (binary point) assumed to be to the right of i 0 the rightmost digit.

i radix point (binary point) assumed to be to the right of i 0 the rightmost digit.

Number Systems Binary: Computer Arithmetic Hexadecimal: Word Size: (Fixed) number of bits used to represent a number School of Computer Science G51CSA School of Computer Science G51CSA 1 2 Integer Representation Non Negative Integer

391 views • 5 slides
Who is a Hero? 3 1 8/15/2020 Kansas started out with low number of cases, low number of

Who is a Hero? 3 1 8/15/2020 Kansas started out with low number of cases, low number of

8/15/2020 Francie Ekengren, MD August 18, 2020 1 2 Who is a Hero? 3 1 8/15/2020 Kansas started out with low number of cases, low number of deaths, and low number of tests. Stay at Home Social Distancing Masks 4 Opened Up -

362 views • 12 slides
Realizing Site Permutations Stephane Durocher, Saeed Mehrabi, Debajyoti Mondal, Matthew Skala

Realizing Site Permutations Stephane Durocher, Saeed Mehrabi, Debajyoti Mondal, Matthew Skala

Realizing Site Permutations Stephane Durocher, Saeed Mehrabi, Debajyoti Mondal, Matthew Skala Site permutations We are sitting somewhere on the Euclidean plane. We want to describe our location in relation to some fixed, known sites. One

301 views • 17 slides
Word Sense Disambiguation Word Sense Disambiguation (WSD) Given A

Word Sense Disambiguation Word Sense Disambiguation (WSD) Given A

Word Sense Disambiguation Word Sense Disambiguation (WSD) Given A word in context A fixed inventory of potential word senses Decide which sense of the

458 views • 44 slides
Powerpoint Presentations are created everyday. This number is only ever going to increase. So in

Powerpoint Presentations are created everyday. This number is only ever going to increase. So in

90 % Of individuals believe they are more engaged when a presentation incorporates a strong narrative. Engage your audience and keep them fixed on your presentation by incorporating a story. Have them hanging off your every word with

404 views • 17 slides
China Medical Export Controls for: 1. Non-medical use face masks Non-medical use face masks

China Medical Export Controls for: 1. Non-medical use face masks Non-medical use face masks

China Medical Export Controls for: 1. Non-medical use face masks Non-medical use face masks required to conform with the quality standards of China or other countries, and The Ministry of Commerce provides a list of validated manufacturers for

331 views • 5 slides
Pointers Character Values There are a fixed number of char values Examples: a b

Pointers Character Values There are a fixed number of char values Examples: a b

Pointers Character Values There are a fixed number of char values Examples: a b \n Number of possibilities : the number of chars 1 A char Variable Pointer Values There are a fixed number of pointer values Assume a 32 bit

483 views • 20 slides
Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored

Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored

Video 1: Intro to Floating point (Unsigned) Fixed-point representation The numbers are stored with a fixed number of bits for the integer part and a fixed number of bits for the fractional part. Suppose we have 8 bits to store a real number,

205 views • 18 slides
Generating Subfields Mark van Hoeij June 15, 2017 Mark van Hoeij Generating Subfields Overview

Generating Subfields Mark van Hoeij June 15, 2017 Mark van Hoeij Generating Subfields Overview

Generating Subfields Mark van Hoeij June 15, 2017 Mark van Hoeij Generating Subfields Overview Papers: 1 Generating Subfields (vH, Kl uners, Novocin) ISSAC2011. 2 The Complexity of Computing all Subfields of an Algebraic Number Field

445 views • 28 slides
Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a

Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a

Floating point representation (Unsigned) Fixed-point representation The numbers are stored with a fixed number of bits for the integer part and a fixed number of bits for the fractional part. Suppose we have 8 bits to store a real number, where

906 views • 39 slides

More recommend