primates v1 1
play

PRIMATEs v1.1: A Submission to the CAESAR Competition Elena - PowerPoint PPT Presentation

Aug 19, 2023 •142 likes •953 views

PRIMATEs v1.1: A Submission to the CAESAR Competition Elena Andreeva, Begl Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha,Qingju Wang, and Kan Yasuda 1 July 2014, Bochum PRIMATEs GIBBON APE HANUMAN 2

  1. PRIMATEs v1.1: A Submission to the CAESAR Competition Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha,Qingju Wang, and Kan Yasuda 1 July 2014, Bochum

  2. PRIMATEs GIBBON APE HANUMAN 2

  3. PRIMATEs GIBBON APE HANUMAN Misuse resistant 2

  4. PRIMATEs GIBBON APE HANUMAN Misuse resistant Security with ideal permutation 2

  5. PRIMATEs GIBBON APE HANUMAN Misuse Trades-off security resistant with speed Security with ideal permutation 2

  6. PRIMATEs • Sponge inspired (9) 3

  7. PRIMATEs • Sponge inspired (9) 3

  8. PRIMATEs • Sponge inspired permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits 4

  9. PRIMATEs • Sponge inspired permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits • Lightweight 4

  10. PRIMATEs • Sponge inspired permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits • Lightweight • Suggested A and M size is max. 2 80 (resp. 2 120 ) bits 4

  11. PRIMATEs • Sponge inspired permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits • Lightweight • Suggested A and M size is max. 2 80 (resp. 2 120 ) bits • Countermeasure against DPA is efficient 4

  12. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits 5

  13. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Nonce based 5

  14. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Nonce based • Online encryption 5

  15. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Nonce based • Online encryption • Two permutations for domain separation 5

  16. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Nonce based • Online encryption • Two permutations for domain separation • No need for inverse permutations 5

  17. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Nonce based • Online encryption • Two permutations for domain separation • No need for inverse permutations • No ciphertext extension 5

  18. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits 6

  19. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Wrong T → NO ciphertext output 6

  20. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Wrong T → NO ciphertext output • Security proof with ideal permutation assumption 6

  21. HANUMAN A[1] A[2] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r p 1 p 4 ... p 1 ... p 1 p 1 p 4 K||N T K K, N and T are 80 (resp. 120) bits • Wrong T → NO ciphertext output • Security proof with ideal permutation assumption • No distinguishers in 12 round p 1 and p 4 6

  22. GIBBON A[1] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r ... ... p 2 p 2 p 3 p 3 p 3 p 1 p 1 K||N T K K||0 c/2 K||0 c/2 K, N and T are 80 (resp. 120) bits Same story, except: 7

  23. GIBBON A[1] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r ... ... p 2 p 2 p 3 p 3 p 3 p 1 p 1 K||N T K K||0 c/2 K||0 c/2 K, N and T are 80 (resp. 120) bits Same story, except: • Key additions against trivial key recovery or forgery attacks 7

  24. GIBBON A[1] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r ... ... p 2 p 2 p 3 p 3 p 3 p 1 p 1 K||N T K K||0 c/2 K||0 c/2 K, N and T are 80 (resp. 120) bits Same story, except: • Key additions against trivial key recovery or forgery attacks • Three permutations 7

  25. GIBBON A[1] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r ... ... p 2 p 2 p 3 p 3 p 3 p 1 p 1 K||N T K K||0 c/2 K||0 c/2 K, N and T are 80 (resp. 120) bits Same story, except: • Key additions against trivial key recovery or forgery attacks • Three permutations • Reduced round permutations (p 2 &p 3 : 6 rounds) → faster 7

  26. GIBBON A[1] A[u] M[1] M[w] [C[w]] M[w] C[1] 0 r ... ... p 2 p 2 p 3 p 3 p 3 p 1 p 1 K||N T K K||0 c/2 K||0 c/2 K, N and T are 80 (resp. 120) bits Same story, except: • Key additions against trivial key recovery or forgery attacks • Three permutations • Reduced round permutations (p 2 &p 3 : 6 rounds) → faster • No security proof 7

  27. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits Same story, except: • Nonce treatment • Output…. • Tag…. • Domain separation with a constant XOR • Inverse permutations are used for decryption 8

  28. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits Same story, except: • Nonce treatment • Output generation • T can not be truncated • Domain separation with a constant XOR 9

  29. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits Same story, except: • Nonce treatment • Output generation • T can not be truncated • Domain separation with a constant XOR • Inverse permutations are used for decryption 10

  30. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits Same story, except: • Nonce treatment • Output generation • T can not be truncated • Domain separation with a constant XOR • Inverse permutations are used for decryption 11

  31. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits Same story, except: • Nonce treatment • Output generation • T can not be truncated • Domain separation with a constant XOR • Inverse permutations are used for decryption 12

  32. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits 13

  33. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits • Nonce misuse resistant: Security up to common prefix 13

  34. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits • Nonce misuse resistant: Security up to common prefix • Secure in RUP setting 13

  35. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits • Nonce misuse resistant: Security up to common prefix • Secure in RUP setting • Security proof with ideal permutation assumption 13

  36. APE M[1] N[1] A[1] A[u] M[2] N[y] M[w] C[1] C[w] [C[w-1]] M[w] 0 r p 1 p 1 p 1 ... p 1 ... p 1 ... p 1 p 1 K T 0 c-1 ||1 K N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits • Nonce misuse resistant: Security up to common prefix • Secure in RUP setting • Security proof with ideal permutation assumption • Other AE designs: P RØST 13

  37. PRIMATEs Ranking w.r.t security • APE - 120 • HANUMAN - 120 • GIBBON - 120 • APE - 80 • HANUMAN - 80 • GIBBON - 80 14

  38. p 1 p 2 p 3 p 4 PRIMATE Structure Primate-80 Primate-120 5x8 7x8 200-bit state 280-bit state 15

  39. p 1 p 2 p 3 p 4 PRIMATE Structure Primate-80 Primate-120 5x8 7x8 200-bit state 280-bit state 5-bit elements 5-bit elements 15

  40. p 1 p 2 p 3 p 4 PRIMATE Structure Primate-80 Primate-120 5x8 7x8 200-bit state 280-bit state 5-bit elements 5-bit elements 40-bit rate 40-bit rate 16

  41. p 1 p 2 p 3 p 4 PRIMATE Structure Primate-80 Primate-120 5x8 7x8 200-bit state 280-bit state 5-bit elements 5-bit elements 40-bit rate 40-bit rate Round Update: CA o MC o SR o SE 16

Recommend

Ch. 6 Primate homologies 1 Overview of the primates -Found in tropics/semi-tropics 2 TL;DR

Ch. 6 Primate homologies 1 Overview of the primates -Found in tropics/semi-tropics 2 TL;DR

Ch. 6 Primate homologies 1 Overview of the primates -Found in tropics/semi-tropics 2 TL;DR Primate shared derived traits -Primates are arboreal = adapted for living in the trees -Flexible limbs and prehensile hands/feet -Generalized dentition

480 views • 13 slides
Conservation of DNA in New World Primates Isolation of the Chorionic Gonadotropin Gene Promoter

Conservation of DNA in New World Primates Isolation of the Chorionic Gonadotropin Gene Promoter

Comparative Genomics: Conservation of DNA in New World Primates Isolation of the Chorionic Gonadotropin Gene Promoter in the Owl Monkey ( Aotus nancymaae ) LH and CG: Two Glycoprotein Hormones that Regulate Reproduction CG LH Luteinizing

376 views • 23 slides
NIPS07 tutorial (preliminary) Visual Recognition in Primates and Machines Tomaso Poggio

NIPS07 tutorial (preliminary) Visual Recognition in Primates and Machines Tomaso Poggio

NIPS07 tutorial (preliminary) Visual Recognition in Primates and Machines Tomaso Poggio (with Thomas Serre) McGovern Institute for Brain Research Center for Biological and Computational Learning Department of Brain & Cognitive

1.03k views • 99 slides
What do hidden representations learn? Other animals dont like onions (but primates do) Plaut

What do hidden representations learn? Other animals dont like onions (but primates do) Plaut

What do hidden representations learn? Other animals dont like onions (but primates do) Plaut and Shallice (1993) Mapped orthography to semantics (unrelated similarities) Compared similarities among hidden representations to those among

121 views • 9 slides
Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

A success story of Emperor Tamarin twins raised both by humans and their family By: Michelle Jordan and Jessica Grote Primate Keepers, Denver Zoo Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

460 views • 20 slides
habitats near the equator, but some species have adapted to live in colder, harsher climates.

habitats near the equator, but some species have adapted to live in colder, harsher climates.

Primates generally live in warm habitats near the equator, but some species have adapted to live in colder, harsher climates. Ground-dwelling primates have terrestrial adaptations, as well as arboreal adaptations. Primate habitats are under

389 views • 17 slides
Searching for the genetic basis of complex traits in humans and primates Vasily Ramensky UCLA

Searching for the genetic basis of complex traits in humans and primates Vasily Ramensky UCLA

Searching for the genetic basis of complex traits in humans and primates Vasily Ramensky UCLA Center for Neurobehavioral Genetics 22/03/16 University of California Los Angeles Center for Neurobehavioral Genetics -- 35-year project aimed to

742 views • 46 slides
Shigella spp. Four species ( boydii , Shigella spp. and dysenteriae , flexneri , sonnei )

Shigella spp. Four species ( boydii , Shigella spp. and dysenteriae , flexneri , sonnei )

Shigella spp. Four species ( boydii , Shigella spp. and dysenteriae , flexneri , sonnei ) Yersinia enterocolitica = serogroups Shigellosis = bacillary Dean O. Cliver dysentery Host-adapted to humans PHR 250 (primates)

492 views • 5 slides
9/26/2016 Macaque Model of Hormones and Atherosclerosis - Female Reproductive Aging Insights

9/26/2016 Macaque Model of Hormones and Atherosclerosis - Female Reproductive Aging Insights

9/26/2016 Macaque Model of Hormones and Atherosclerosis - Female Reproductive Aging Insights From Studies of Nonhuman Primates & Atherosclerosis Susan E. Appt, DVM, Associate Professor of Pathology / Comparative Medicine, Wake Forest

353 views • 9 slides
How we use animal studies to understand recovery from brain injury Ann M. Stowe, PhD Assistant

How we use animal studies to understand recovery from brain injury Ann M. Stowe, PhD Assistant

How we use animal studies to understand recovery from brain injury Ann M. Stowe, PhD Assistant Professor Neurology & Neurotherapeutics Overview Introduction to clinical stroke Post-stroke plasticity in non-human primates Stroke

731 views • 41 slides
10703 Deep Reinforcement Learning Reinforcement Learning in Humans and Animals Tom Mitchell

10703 Deep Reinforcement Learning Reinforcement Learning in Humans and Animals Tom Mitchell

10703 Deep Reinforcement Learning Reinforcement Learning in Humans and Animals Tom Mitchell October 29, 2018 Reading: Barto & Sutton Chapter 15 Tom Mitchell, October 2018 Outline RL in primates RL in humans Error signals and

448 views • 20 slides

More recommend