on the provable security of the iterated even mansour
play

On the Provable Security of the Iterated Even-Mansour Cipher against - PowerPoint PPT Presentation

Sep 11, 2023 •271 likes •1.23k views

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

  1. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benoît Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2 ANSSI, France April 29, 2015 — EUROCRYPT 2015 B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 1 / 29

  2. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Outline Introduction: Key-Alternating Ciphers in the Random Permutation Model Security Against Related-Key Attacks Security Against Chosen-Key Attacks B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 2 / 29

  3. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Outline Introduction: Key-Alternating Ciphers in the Random Permutation Model Security Against Related-Key Attacks Security Against Chosen-Key Attacks B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 3 / 29

  4. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Key-Alternating Cipher (KAC): Definition k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher: • plaintext x ∈ { 0 , 1 } n , ciphertext y ∈ { 0 , 1 } n • master key k ∈ { 0 , 1 } κ • the P i ’s are public permutations on { 0 , 1 } n • the f i ’s are key derivation functions mapping k to n -bit “round keys” • examples: most SPNs (AES, SERPENT, PRESENT, LED, . . . ) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 4 / 29

  5. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Key-Alternating Cipher (KAC): Definition k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r An r -round key-alternating cipher: • plaintext x ∈ { 0 , 1 } n , ciphertext y ∈ { 0 , 1 } n • master key k ∈ { 0 , 1 } κ • the P i ’s are public permutations on { 0 , 1 } n • the f i ’s are key derivation functions mapping k to n -bit “round keys” • examples: most SPNs (AES, SERPENT, PRESENT, LED, . . . ) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 4 / 29

  6. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types k 0 k 1 k r n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  7. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types k 0 k 1 k r n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  8. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types k 0 k 1 k r n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  9. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types k k k n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  10. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types n k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  11. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Various Key-Schedule Types n k f 0 f 1 f r k 0 k 1 k r n y x P 1 P 2 P r Round keys can be: • independent (total key-length κ = ( r + 1) n ) • derived from an n -bit master key ( κ = n ), e.g. • trivial key-schedule: ( k , k , . . . , k ) • more complex: ( f 0 ( k ) , f 1 ( k ) , . . . , f r ( k )) • anything else (e.g. 2 n -bit master key ( k 0 , k 1 ) and round keys ( k 0 , k 1 , k 0 , k 1 , . . . ) as in LED-128) B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 5 / 29

  12. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Proving the Security of KACs n k f 0 f 1 f r n y x P 1 P 2 P r Question How can we “prove” security? • against a general adversary: ⇒ too hard (unconditional complexity lower bound!) • against specific attacks (differential, linear. . . ): ⇒ use specific design of P 1 , . . . , P r (count active S-boxes, etc.) • against generic attacks: ⇒ Random Permutation Model for P 1 , . . . , P r B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 6 / 29

  13. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Proving the Security of KACs n k f 0 f 1 f r n y x P 1 P 2 P r Question How can we “prove” security? • against a general adversary: ⇒ too hard (unconditional complexity lower bound!) • against specific attacks (differential, linear. . . ): ⇒ use specific design of P 1 , . . . , P r (count active S-boxes, etc.) • against generic attacks: ⇒ Random Permutation Model for P 1 , . . . , P r B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 6 / 29

  14. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Proving the Security of KACs n k f 0 f 1 f r n y x P 1 P 2 P r Question How can we “prove” security? • against a general adversary: ⇒ too hard (unconditional complexity lower bound!) • against specific attacks (differential, linear. . . ): ⇒ use specific design of P 1 , . . . , P r (count active S-boxes, etc.) • against generic attacks: ⇒ Random Permutation Model for P 1 , . . . , P r B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 6 / 29

  15. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Proving the Security of KACs n k f 0 f 1 f r n y x P 1 P 2 P r Question How can we “prove” security? • against a general adversary: ⇒ too hard (unconditional complexity lower bound!) • against specific attacks (differential, linear. . . ): ⇒ use specific design of P 1 , . . . , P r (count active S-boxes, etc.) • against generic attacks: ⇒ Random Permutation Model for P 1 , . . . , P r B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 6 / 29

  16. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Analyzing KACs in the Random Permutation Model k f 0 f 1 f r P 1 · · · P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles to which the adversary can only make black-box queries (both to P i and P − 1 ) i • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • trades complexity for randomness ( ≃ Random Oracle Model) • complexity measure of the adversary: • q c = # queries to the cipher = plaintext/ciphertext pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 7 / 29

  17. Introduction Related-Key Attacks Chosen-Key Attacks Conclusion Analyzing KACs in the Random Permutation Model k f 0 f 1 f r P 1 · · · P r x P 1 P 2 P r y q c q p q p • the P i ’s are modeled as public random permutation oracles to which the adversary can only make black-box queries (both to P i and P − 1 ) i • adversary cannot exploit any weakness of the P i ’s ⇒ generic attacks • trades complexity for randomness ( ≃ Random Oracle Model) • complexity measure of the adversary: • q c = # queries to the cipher = plaintext/ciphertext pairs (data D ) • q p = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security B. Cogliati and Y. Seurin RKA and CKA security for the IEM April 29, 2015 — EC 2015 7 / 29

Recommend

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

Introduction Permutation-Based MACs PDMMAC Security of PDM*MAC Good Events Conclusion On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik Chakraborti, Mridul Nandi, Suprita Talnikar , Kan Yasuda

1.03k views • 25 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Gnther, Luke Garratt, Florian Kohlar, Jrg Schwenk Funding

899 views • 72 slides
How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel Jero + , Alexandra Boldyreva * , and Cristina Nita-Rotaru ++ * Georgia Institute ++ Northeastern + Purdue of T echnology University University 1

536 views • 31 slides
Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Probability in Cryptography Two Tools: H-Coefficient and 2 Some Constructions and Applications Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK Workshop, Changsha 10 Dec. 2017 1 / 72

1.48k views • 71 slides
Iterated Binomial Sums and their Associated Iterated Integrals Jakob Ablinger joint work with J.

Iterated Binomial Sums and their Associated Iterated Integrals Jakob Ablinger joint work with J.

1 Iterated Binomial Sums and their Associated Iterated Integrals Jakob Ablinger joint work with J. Bl umlein, C. Raab and C. Schneider SFB F050 Algorithmic and Enumerative Combinatorics Research Institute for Symbolic Computation Johannes

1.51k views • 134 slides
Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions

666 views • 40 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides

More recommend