generic security of the keyed sponge
play

Generic security of the Keyed Sponge based on joint work with Guido - PowerPoint PPT Presentation

Oct 11, 2023 •260 likes •602 views

Generic security of the Keyed Sponge Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 , ArcticCrypt Longyearbyen July 19, 2016 1 / 30 Joan Daemen 1 , 2 Elena Andreeva 3

  1. Generic security of the Keyed Sponge Generic security of the Keyed Sponge based on joint work with Guido Bertoni 1 , Michaël Peeters 1 , Gilles Van Assche 1 , ArcticCrypt Longyearbyen July 19, 2016 1 / 30 Joan Daemen 1 , 2 Elena Andreeva 3 and Bart Mennink 3 1 STMicroelectronics 2 Radboud University 3 COSIC KULeuven

  2. Generic security of the Keyed Sponge Outline 1 Sponge 2 Keyed sponge 3 Beyond birthday-bound security 4 Keyed sponge, refactored 2 / 30

  3. Generic security of the Keyed Sponge Sponge Outline 1 Sponge 2 Keyed sponge 3 Beyond birthday-bound security 4 Keyed sponge, refactored 3 / 30

  4. Generic security of the Keyed Sponge Sponge RadioGatún [Keccak team, NIST 2nd hash workshop 2006] XOF: eXtendable Output Function Problem: expressing security claim Search for random oracle but then with inner collisions 4 / 30

  5. Generic security of the Keyed Sponge Sponge (Early) Sponge at Dagstuhl, January 2007 Screenshot: 5 / 30

  6. Generic security of the Keyed Sponge Sponge Generic security of Sponge [KT, Ecrypt hash, September 2007 ] Random sponges: T-sponge: f is random transformation P-sponge: f is random permutation Theorem: if no inner collisions, output is uniformly random inner collision: different inputs leading to same inner state Probability of inner collision: 6 / 30 2 − c − 1 M 2 with M : # calls to f

  7. Generic security of the Keyed Sponge Sponge with strong permutation f : Keccak [KT, SHA-3, 2008] Sponge 7 / 30 NIST SHA-3 deadline approaching …U-turn Promoting sponge from reference to usage (2007-2008) RadioGatún cryptanalysis (1st & 3rd party): not promising M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing

  8. Generic security of the Keyed Sponge Sponge Distinguishing random sponge from random oracle Problem: in real world, adversary has access to f 8 / 30 Distinguishing advantage: 2 − c − 1 M 2

  9. Generic security of the Keyed Sponge Sponge Differentiating random sponge from random oracle Indifferentiability framework [Maurer, Renner & Holenstein, 2004] Applied to hashing [Coron, Dodis, Malinaud & Puniya, 2005] Random oracle augmented with simulator for sake of proof 9 / 30 Differentiating advantage: 2 − c − 1 M 2 [KT, Eurocrypt 2008]

  10. Generic security of the Keyed Sponge Keyed sponge Outline 1 Sponge 2 Keyed sponge 3 Beyond birthday-bound security 4 Keyed sponge, refactored 10 / 30

  11. Generic security of the Keyed Sponge Keyed sponge Message authentication codes 11 / 30 Key Padded message MAC 0 f f f … f f

  12. Generic security of the Keyed Sponge Keyed sponge Stream encryption Long output stream per IV: similar to OFB mode Short output stream per IV: similar to counter mode 12 / 30 Key IV 0 f f f Key stream

  13. Generic security of the Keyed Sponge Keyed sponge But this is no longer sponge Adopted by several CAESAR candidates 13 / 30 Authenticated encryption: spongeWrap [KT, SAC 2011] Key IV Padded message MAC 0 f f f … f f Key stream

  14. Generic security of the Keyed Sponge Keyed sponge Generic security equivalent to that of sponge 14 / 30 The duplex construction [KT, SAC 2011] σ 0 σ 1 σ 2 Z 0 Z 1 Z 2 pad trunc pad trunc pad trunc r 0 f f f outer … inner c 0 initialize duplexing duplexing duplexing

  15. Generic security of the Keyed Sponge Keyed sponge Keyed sponge: distinguishing setting Security strength s : expected complexity of succesful attack strength s means attack complexity 2 s bounds can be converted to security strength statements 15 / 30 Straightforward bound: 2 − c − 1 M 2 + 2 − k M Here: s ≥ min ( c / 2 , k ) e.g., s = 128 requires c = 256 and k = 128 c / 2: birthday bound

  16. Generic security of the Keyed Sponge Beyond birthday-bound security Outline 1 Sponge 2 Keyed sponge 3 Beyond birthday-bound security 4 Keyed sponge, refactored 16 / 30

  17. Generic security of the Keyed Sponge Beyond birthday-bound security More fine-grained attack complexity Splitting attack complexity: queries to construction: data complexity M 17 / 30 queries to f or f − 1 : computational complexity N Our ambition around 2010: 2 − c − 1 M 2 + 2 − c NM + 2 − k N If we limit data complexity M ≤ 2 a ≪ 2 c / 2 : s ≥ min ( c − a , k ) e.g., s = 128 and a = 64 require c = 192 and k = 128

  18. Generic security of the Keyed Sponge Beyond birthday-bound security 18 / 30 Intuition behind 2 − c NM success probability per guess: 2 − c

  19. Generic security of the Keyed Sponge Beyond birthday-bound security 19 / 30 Intuition behind 2 − c NM µ ≤ M instances with same partial r -bit input success probability per guess: µ 2 − c

  20. Generic security of the Keyed Sponge Beyond birthday-bound security 19 / 30 Intuition behind 2 − c NM µ ≤ M instances with same partial r -bit input success probability per guess: µ 2 − c

  21. Generic security of the Keyed Sponge Beyond birthday-bound security 19 / 30 Intuition behind 2 − c NM µ ≤ M instances with same partial r -bit input success probability per guess: µ 2 − c

  22. Generic security of the Keyed Sponge proof did not convince reviewers Beyond birthday-bound security new variant (a.o. in CAESAR): inner-keyed sponge: 20 / 30 bound did not cover multi-target (key) attacks Problems and limitations An initial attempt [KT, SKEW 2011] bound: 2 − c − 1 M 2 + 2 − c + 1 NM + 2 − k N M pad trunc Z r 0 f f f f f f outer inner c K absorbing squeezing

  23. Generic security of the Keyed Sponge Modular proof using Patarin’s H-coefficient technique Beyond birthday-bound security 21 / 30 [Andreeva, Daemen, Mennink, Van Assche, FSE 2015] Inner/outer-keyed, multi-target ( n ), multiplicity µ Bound: 2 − c − 1 M 2 + 2 − c + 1 µ N + 2 − k nN + . . . A RO 1 K 1 KS K 2 RO 2 KS ? f f ... ... RO n K n KS

  24. Generic security of the Keyed Sponge Beyond birthday-bound security Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015] Absorbing on full permutation width does not degrade bounds We decided to use that insight in Keyak v2 But proven bounds had some limitations and problems: no multi-key security 22 / 30 term 2 − k µ N rather than 2 − c µ N multiplicity µ only known a posteriori

  25. Generic security of the Keyed Sponge Beyond birthday-bound security Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015] Absorbing on full permutation width does not degrade bounds We decided to use that insight in Keyak v2 But proven bounds had some limitations and problems: no multi-key security 22 / 30 term 2 − k µ N rather than 2 − c µ N multiplicity µ only known a posteriori

  26. Generic security of the Keyed Sponge Keyed sponge, refactored Outline 1 Sponge 2 Keyed sponge 3 Beyond birthday-bound security 4 Keyed sponge, refactored 23 / 30

  27. Generic security of the Keyed Sponge Keyed sponge, refactored Initial state: concatenation of key k and IV 24 / 30 The new core: (full-state) keyed duplex Z ¾ Z ¾ Z ¾ K f f f … ± IV Full-state absorbing, no padding: | σ | = b Multi-key: k selected from an array K with index δ Re-phased: f , Z , σ instead of σ , f , Z ≈ all keyed sponge functions are modes of this

  28. Generic security of the Keyed Sponge Keyed sponge, refactored Further refine adversary’s capability Independent outputs Z for different paths Ideal function: Ideal eXtendable Input Function (IXIF) 25 / 30 Generic security of keyed duplex: the setup Z ¾ Z ¾ Z ¾ x y ( ± , IV) Z x y ¾ K ? f f f f Path f RO … ± IV RO -based object with duplex interface L : # queries to keyed duplex/ RO with repeated path q IV : max IV # init queries with different keys

  29. Generic security of the Keyed Sponge Keyed sponge, refactored of M r -bit values is negligible 26 / 30 Generic security of keyed duplex: the bound Z ¾ Z ¾ Z ¾ x y ( ± , IV) Z x y ¾ K ? f f f f Path f … RO ± IV 2 − c − 1 L 2 + 2 − c ( L + 2 ν ) N + 2 − k q IV N + . . . with ν : chosen such that probability of ν -wise multi-collision in set

  30. Generic security of the Keyed Sponge Keyed sponge, refactored Application: counter-like stream cipher Only init calls, each taking Z as keystream block Bound: Strength: 27 / 30 IV is nonce, so L = 0 Assume M ≪ 2 r / 2 : ν = 1 2 − c ( 2 ν ) N + 2 − k q IV N + . . . s ≥ min ( c − 1 , k − log 2 ( q IV ))

  31. Generic security of the Keyed Sponge Keyed sponge, refactored Application: lightweight MAC Bound: Strength: Imposes a minimum width of the permutation: 28 / 30 Message padded and fed via IV and σ blocks t -bit tag, squeezed in chunks of r bits: c = b − r adversary chooses IV so L ≈ M = 2 a q IV is total number of keys n 2 − c − 1 M 2 + 2 − c + 1 MN + 2 − k nN + . . . s ≥ min ( b − a − r − 1 , k − log 2 ( n )) b > s + a + r

  32. Generic security of the Keyed Sponge Keyed sponge, refactored bounds: Plaintext absorbed in outer part, AD in inner part also Used in Keyak v2 [KT & Ronny Van Keer, 2015] 29 / 30 Application: Motorist AE session mode P (1) P (2) 0 A (1) A (3) SUV 1 T (0) C (1) T (1) C (2) T (2) T (3) Used in Keyak with c = 256 and b = 1600 or b = 800 Rate 544 or 1344 so we can take ν = 1 nonce-respecting: 2 − c + 1 N + 2 − k q IV N + . . . nonce-violating: 2 − c MN + 2 − k q IV N + . . .

Recommend

On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

Introduction Permutation-Based MACs PDMMAC Security of PDM*MAC Good Events Conclusion On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik Chakraborti, Mridul Nandi, Suprita Talnikar , Kan Yasuda

1.03k views • 25 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a

Ret Retaine ined Sponge Sponge Most common retained surgical item that requires a re-operation Detection can be difficult and remote from the initial operation The sponge must be removed Primary problem is faulty OR

570 views • 26 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation

13 th IWA Specialized Conference on Small Water and Wastewater Systems, 14-16 September 2016, Athens, Greece Treatment performance of practical-scale down-flow hanging sponge reactor using sixth-generation sponge media Tsutomu Okubo*, Akinori

366 views • 33 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

System Provider escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret Sharing Scheme, Smartcard Integration and a new Linux Security Module Daniel Bumeyer 2 , Benedikt Driessen 1 , Andr Osterhues 1 ,

630 views • 18 slides
Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type

Generic Methods 36 What are Generic Methods? Generic methods = methods that introduce type parameters Similar to declaring a generic type but type parameter's scope is limited to method where it is declared The following are

584 views • 6 slides
Generic classes Declaration Use Annotations 54 Generic classes Declaration add

Generic classes Declaration Use Annotations 54 Generic classes Declaration add

Generic classes Declaration Use Annotations 54 Generic classes Declaration add generic types between angle brackets: public class MyStack < E,F >{ E item; } 55 Generic Classes Use MyStack<Integer> ms= new

273 views • 23 slides
Generic functional programming Basic idea: define generic functions by induction on the

Generic functional programming Basic idea: define generic functions by induction on the

A Hitchhikers Guide to the Universes (Universes for Generic Programs and Proofs) Marcin Benke Peter Dybjer Patrik Jansson Chalmers Technical University Main goals: extend generic programming to functional languages with dependent types

250 views • 10 slides
Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family Unconditionally Secure MACs Ref: D Stinson: Cryprography Theory and Practice (3 rd ed), Chap 4. Universal hash family Notations: X is a

457 views • 12 slides
Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter

Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter

Generic Programming in a Dependently Typed Language Generic proofs for generic programs Peter Morris pwm@cs.nott.ac.uk University of Nottingham Generic Programming in a Dependently Typed Language p. 1/12 This talk We introduce a

599 views • 45 slides
Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy ibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen,

907 views • 88 slides
The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin, Axel Poschmann CRYPTO

The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin, Axel Poschmann CRYPTO

Introduction Generalized Sponge Serial MDS PHOTON Security Conclusion The PHOTON Family of Lightweight Hash Functions Jian Guo, Thomas Peyrin, Axel Poschmann CRYPTO 2011, 15 August 2011 Introduction Generalized Sponge Serial MDS PHOTON

839 views • 35 slides
About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge

About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge

About the SKP Group About the SKP Group Integrated Business Model Ferro Alloys, Sponge Iron, Billets, TMT Bars, Stainless Steel, Power, Coal Mining. One of the largest producers of High Carbon Ferro Chrome, Silico Manganese,

638 views • 39 slides
Supplementary Material Compressible and recyclable monolithic g-C 3 N 4 /melamine sponge: A facile

Supplementary Material Compressible and recyclable monolithic g-C 3 N 4 /melamine sponge: A facile

Supplementary Material Compressible and recyclable monolithic g-C 3 N 4 /melamine sponge: A facile ultrasonic-coating approach and enhanced visible-light photocatalytic activity Ye Yang 1,2 , Qian Zhang 1* , Ruiyang Zhang 1 , Tao Ran 1 , Wenchao

594 views • 4 slides
LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015

LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015

LASER INDUCED POROUS GRAPHENE SPONGE Capstone Spring 2015 Amine Ouesla8 - Group Leader Eric Bailey - Deputy Leader Allen Chang - Treasurer

270 views • 25 slides
GENERICS A generic type is a generic class or interface that is parameterized over types. 1 / 6

GENERICS A generic type is a generic class or interface that is parameterized over types. 1 / 6

GENERICS A generic type is a generic class or interface that is parameterized over types. 1 / 6 Weve already seen examples of generic classes ArrayList<T>; HashMap<K, V>; Where T is being used to represent the type of each

304 views • 6 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
What are Generics? e.g. Generics, Generic Programming, Generic Types, Generic Methods 6

What are Generics? e.g. Generics, Generic Programming, Generic Types, Generic Methods 6

What are Generics? e.g. Generics, Generic Programming, Generic Types, Generic Methods 6 Defining the idea Behind Java Generics Data Types are now used as Type Parameters 7 Defining the idea Behind Java Generics Generic Types: generic

601 views • 23 slides
Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard 25th April 2018, London Graz University of Technology Motivation and Context Logical Attacks www.tugraz.at Exploit software and design bugs

616 views • 59 slides
Synthesis of Superconductor (2020/05/08 revised) Collect: Agate mortar (clean with sponge

Synthesis of Superconductor (2020/05/08 revised) Collect: Agate mortar (clean with sponge

Synthesis of Superconductor (2020/05/08 revised) Collect: Agate mortar (clean with sponge after use) Label one zip-lock bag with student ID and name (To collect the synthesized superconductors) Prepare: Plastic spatula x1 Mask

512 views • 14 slides
Planning and Optimization C14. Merge-and-Shrink Abstractions: Generic Algorithm Malte Helmert and

Planning and Optimization C14. Merge-and-Shrink Abstractions: Generic Algorithm Malte Helmert and

Planning and Optimization C14. Merge-and-Shrink Abstractions: Generic Algorithm Malte Helmert and Gabriele R oger Universit at Basel November 14, 2016 Generic Algorithm Summary Generic Algorithm Generic Algorithm Summary Generic

272 views • 24 slides
Patients Must Have Immediate Access to Affordable Generic Medicines at Day One After Patent

Patients Must Have Immediate Access to Affordable Generic Medicines at Day One After Patent

Patients Must Have Immediate Access to Affordable Generic Medicines at Day One After Patent Expiry Generic Medicines: Key to Healthcare Sustainability and Patient Care EGA represents over 700 companies in 34 European countries Generic

728 views • 25 slides

More recommend