
Short Variable Length Domain Extenders With Beyond Birthday Bound - PowerPoint PPT Presentation

Slide 1 / 23: Short Variable Length Domain Extenders With Beyond Birthday Bound Security
Yu Long Chen (imec-COSIC, KU Leuven), Bart Mennink (Digital Security Group, Radboud University, Nijmegen), Mridul Nandi (Indian Statistical Institute, Kolkata)
December 3, 2018

Slide 2 / 23: Modes of Operation
◮ Block cipher: fixed-input-length (FIL)
◮ Apply block cipher iteratively
[Figure: CBC mode. Message blocks M_1, M_2, ..., M_{l−1}, M_l; each block is XORed with the previous ciphertext block (the IV for M_1) and encrypted with E_K, giving C_1, C_2, ..., C_{l−1}, C_l.]

Slide 3 / 23: Modes of Operation
Fractional data ⟹ padding
[Figure: CBC + padding. The final fractional block M*_l is padded with 10* to a full block, and the chain M_1, M_2, ..., M_{l−1}, M*_l ‖ 10* is encrypted as in CBC, giving C_1, C_2, ..., C_{l−1}, C_l.]
Ciphertext expansion: |C| > |M|

Slide 4 / 23: Avoiding Ciphertext Expansion
1. CTR: turns block cipher into stream cipher ⟹ not suitable for some applications
2. Non-generic methods: EME, TET, HEH, HCTR, HCH, XCB
3. Ciphertext stealing:
[Figure: CBC with ciphertext stealing. M*_l ‖ 10* is chained with C_{l−1} and encrypted with E_K to C_l as in CBC, and the preceding full block C_{l−1} is output truncated to |M*_l| as C*_{l−1}; the ciphertext is C_1, C_2, ..., C*_{l−1}, C_l, the same length as the message.]
◮ Condition: C_i's need to be decrypted independently
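The two treatments of fractional data on slides 3 and 4, CBC with 10* padding versus CBC with ciphertext stealing, as an added worked example (not code from the slides or the authors). The block cipher is a stand-in: a four-round Feistel network over SHA-256, which is a keyed permutation but not a secure cipher; it, the key, IV and message are constructed for the example. The example works at byte granularity, so 10* is the byte 0x80 followed by zero bytes, and the stolen part of C_{l−1} is a whole number of bytes.

```python
import hashlib

BLOCK = 16   # n = 128 bits; the example works at byte granularity


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of the right half, truncated to n/2
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in E_K: 4-round Feistel network (a permutation, not a secure cipher)."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: the same rounds in reverse order."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def _pad10(partial: bytes) -> bytes:
    """10* padding: a single 1 bit (byte 0x80) then zeros up to the block boundary."""
    return partial + b"\x80" + b"\x00" * (BLOCK - len(partial) - 1)


def _cbc_enc(key, iv, data):
    """Plain CBC over whole blocks; returns the list of ciphertext blocks."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return out


def _cbc_dec(key, iv, blocks):
    """Plain CBC decryption: each block needs only itself and its predecessor."""
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_pad_encrypt(key, iv, msg):
    """CBC + padding (slide 3): padding is always appended, so |C| > |M|."""
    full = msg[: len(msg) - len(msg) % BLOCK]
    return b"".join(_cbc_enc(key, iv, full + _pad10(msg[len(full):])))


def cbc_pad_decrypt(key, iv, ct):
    padded = _cbc_dec(key, iv, [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)])
    return padded[: padded.rindex(b"\x80")]     # strip 10*: the last 0x80 and the zeros after it


def cbc_cs_encrypt(key, iv, msg):
    """CBC + ciphertext stealing (slide 4). The partial block M*_l is padded with
    10*, chained and encrypted as usual to C_l, and the preceding full block
    C_{l-1} is output truncated to |M*_l| bytes (C*_{l-1}).  Ciphertext order is
    C_1 ... C_{l-2}, C*_{l-1}, C_l, so |C| = |M|.  Needs |M| >= n."""
    if len(msg) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    tail = len(msg) % BLOCK
    blocks = _cbc_enc(key, iv, msg[: len(msg) - tail])
    if tail == 0:
        return b"".join(blocks)                      # nothing to steal
    c_l = encrypt_block(key, _xor(_pad10(msg[-tail:]), blocks[-1]))
    blocks[-1] = blocks[-1][:tail]                   # C*_{l-1}: stolen bytes dropped
    return b"".join(blocks) + c_l


def cbc_cs_decrypt(key, iv, ct):
    tail = len(ct) % BLOCK
    if tail == 0:
        return _cbc_dec(key, iv, [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)])
    c_l, c_star, body = ct[-BLOCK:], ct[-BLOCK - tail:-BLOCK], ct[:-BLOCK - tail]
    # Slide 4's condition: C_l is decrypted *before* C_{l-1}, which CBC allows
    # because D(C_i) depends only on C_i and C_{i-1}.
    x = decrypt_block(key, c_l)                      # = C_{l-1} xor (M*_l || 10*)
    stolen = _xor(x[tail:], _pad10(bytes(tail))[tail:])   # the dropped bytes of C_{l-1}
    c_prev = c_star + stolen
    m_star = _xor(x[:tail], c_star)
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)] + [c_prev]
    return _cbc_dec(key, iv, blocks) + m_star


def demo():
    """Returns (|M|, |C| with padding, |C| with ciphertext stealing)."""
    key = hashlib.sha256(b"constructed example key").digest()[:16]
    iv, msg = bytes(BLOCK), bytes(range(37))          # 2 full blocks + 5 bytes
    ct_pad, ct_cs = cbc_pad_encrypt(key, iv, msg), cbc_cs_encrypt(key, iv, msg)
    assert cbc_pad_decrypt(key, iv, ct_pad) == msg
    assert cbc_cs_decrypt(key, iv, ct_cs) == msg
    return len(msg), len(ct_pad), len(ct_cs)          # (37, 48, 37)
```

Two edge cases are handled explicitly: a message shorter than one block has no full block to steal from and is rejected, and a message that is an exact multiple of the block length needs no stealing and is plain CBC. The decryption order in cbc_cs_decrypt is the point of the slide's condition: C_l must be decrypted first to recover the stolen bytes of C_{l−1}, which only works because CBC blocks can be decrypted independently.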

Slide 5 / 23: Length Doublers
[Figure: a length doubler built from an n-bit enciphering scheme maps (M_1, M_2) to (C_1, C_2).]
◮ |M_1| = |C_1| = n = block size
◮ |M_2| = |C_2| ∈ [0, n − 1]

Slide 6 / 23: Beyond Birthday Bound Length Doubler
◮ Format-preserving encryption
◮ Electronic product code tag encryption
[Figure: an 80-bit M is enciphered to an 80-bit C by a length doubler over a 64-bit block cipher. With a doubler secure up to 2^{n/2}: 32-bit security; with a doubler secure up to 2^{3n/4}: 48-bit security.]

Slide 7 / 23: Security Definition
[Figure: adversary A with oracle access to either E_K^± (the real scheme) or ρ^± (an ideal length-preserving permutation); ± denotes access to both the forward and the inverse direction.]
◮ Adversary A makes q queries to oracle (E_K or ρ)
◮ Strong length-preserving pseudorandom permutation ⟺ A cannot determine which world it is interacting with

Slide 8 / 23: Round Function F[Ẽ_K]
[Figure: inputs M_1 (n bits) and M_2 (s bits). The tweak T_1 is M_2 padded with 10*; Ẽ_{K_1} is applied to M_1 under this tweak and its n-bit output Y is split into left_{n−s}(Y) and right_s(Y). Outputs C_1 (n bits) and C_2 (s bits).]
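The round function of this slide iterated to 2-LDT and 3-LDT, as an added example that is not the paper's code. It uses a toy n = 8 so the whole domain [n, 2n − 1] can be exercised, and replaces Ẽ_K by an ideal tweakable permutation (an independent seeded shuffle per (key, tweak)), which is the kind of object the proof later swaps in (π̃ ←$ Perm(n, n)). The wiring, T = M_2 ‖ 10*, Y = Ẽ_K(T, M_1), C_1 = left_{n−s}(Y) ‖ M_2 and C_2 = right_s(Y), is my reading of the figure and an assumption of this example, as are the key identifiers and sample inputs.

```python
import random
from functools import lru_cache

N = 8   # block and tweak size in bits (toy size; slide 6 uses a 64-bit cipher)


@lru_cache(maxsize=None)
def _perm(key: int, tweak: int):
    """Ideal tweakable permutation: an independent random permutation of {0,1}^N
    for every (key, tweak), derived deterministically from a seeded shuffle."""
    table = list(range(1 << N))
    random.Random(f"key={key}/tweak={tweak}").shuffle(table)
    inverse = [0] * (1 << N)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def tbc(key, tweak, x):
    return _perm(key, tweak)[0][x]


def tbc_inv(key, tweak, y):
    return _perm(key, tweak)[1][y]


def _tweak(m2: int, s: int) -> int:
    """T = M2 || 10*: the s-bit M2, one 1 bit, then zeros up to N bits (s <= N-1)."""
    return (m2 << (N - s)) | (1 << (N - s - 1))


def round_fwd(key, m1, m2, s):
    """F[E~_K] as read from slide 8: Y = E~_K(M2||10*, M1),
    C1 = left_{n-s}(Y) || M2, C2 = right_s(Y)."""
    y = tbc(key, _tweak(m2, s), m1)
    return ((y >> s) << s) | m2, y & ((1 << s) - 1)


def round_inv(key, c1, c2, s):
    """Inverse round: M2 is the low s bits of C1 and Y = left_{n-s}(C1) || C2."""
    m2 = c1 & ((1 << s) - 1)
    y = ((c1 >> s) << s) | c2
    return tbc_inv(key, _tweak(m2, s), y), m2


def ldt_encrypt(keys, m1, m2, s):
    """r-LDT: r rounds of F under independent keys; |M1| = N, |M2| = s in [0, N-1]."""
    if not (0 <= s < N and 0 <= m1 < (1 << N) and 0 <= m2 < (1 << s)):
        raise ValueError("input outside the domain [n, 2n-1]")
    for k in keys:
        m1, m2 = round_fwd(k, m1, m2, s)
    return m1, m2


def ldt_decrypt(keys, c1, c2, s):
    for k in reversed(keys):
        c1, c2 = round_inv(k, c1, c2, s)
    return c1, c2


def one_round_leaks_m2(key, m1, m2, s):
    """With a single round, right_s(C1) is M2 verbatim, so one round alone is
    trivially distinguishable from a random length-preserving permutation;
    the slides analyse 2-LDT and 3-LDT."""
    c1, _ = round_fwd(key, m1, m2, s)
    return (c1 & ((1 << s) - 1)) == m2


def demo():
    """3-LDT on an 11-bit string (M1 of 8 bits, M2 of 3 bits); returns whether the
    ciphertext keeps the (n, s) split and decrypts back to the input."""
    keys = (1, 2, 3)                  # constructed key identifiers for K_1, K_2, K_3
    m1, m2, s = 0xA5, 0b101, 3
    c1, c2 = ldt_encrypt(keys, m1, m2, s)
    return c1 < (1 << N) and c2 < (1 << s) and ldt_decrypt(keys, c1, c2, s) == (m1, m2)
```

The s = 0 case (input of exactly n bits) is covered: M_2 is empty, the tweak is just 10*, and the round reduces to the tweakable block cipher on M_1; s = n − 1 fills the tweak as M_2 ‖ 1. Because every (key, tweak) pair gets its own permutation, the map (M_1, M_2) ↦ (C_1, C_2) is a bijection on {0,1}^{n+s} for each s, which is what length-preserving encryption requires.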

Slide 9 / 23: 2-LDT
Security upper bound:
◮ 2^{n − s/2}
Security lower bound:
◮ 2^{n/2} (ToSC 2017(3))
◮ "New bound"

Slide 10 / 23: 3-LDT
Security lower bound:
◮ "New bound"
◮ Better bound than 2-LDT

Slide 11 / 23: Security Analysis of 3-LDT
[Figure: security (y-axis, ticks n/2, 5n/8, 2n/3, 3n/4, 7n/8, 11n/12, n) as a function of s (x-axis, ticks n/4, n/2, 3n/4, n − 2 log_2(n)). Curve annotations: s_min, s_max, ≈ 5n/6, s_max ≈ (n + s_min)/2, and a region marked const. Constraint: s_min ≤ s_max ≤ (n + s_min)/2.]

Slide 12 / 23: Security Bound of 2-LDT and 3-LDT
[Figure: security (y-axis, ticks n/2, 7n/12, 2n/3, 3n/4, 5n/6, 11n/12, n) against input size (x-axis, ticks n, 5n/4, 3n/2, 7n/4, 2n − 1). ◦ = 2-LDT, ⋆ = 3-LDT. The ⋆ markers appear beside the ticks from 2n/3 up to n and the ◦ markers beside 2n/3, 7n/12 and n/2, so 3-LDT lies above 2-LDT across the range.]

Slide 13 / 23: Harmonic Permutation Primitives
(Tweakable) pseudorandom permutation G_{a,b} and H_{a,b}
◮ a, b ∈ {0, 1}
◮ a = forward, b = inverse
◮ 0 = random permutation, 1 = special
[Figure: the four variants (a, b) = (0, 0), (1, 0), (0, 1), (1, 1); (a, b) = (0, 0) is the ideal primitive.]

Slide 14 / 23: Harmonic Permutation Primitives
If a = 1 or b = 1, then part of permutation random
[Figure: of the n output bits, the s-bit part of the permutation is random, while the (n − s)-bit part ⇓ (n − s)-bit part is a permutation.]

Slides 15 to 17 / 23: Proof Idea
[Figure (slide 15): the real world 3-LDT[Ẽ_{K_1}, Ẽ_{K_2}, Ẽ_{K_3}] on (M_1, M_2) next to the ideal world ρ. Each round i applies Ẽ_{K_i} under a tweak T_i (an s-bit value ‖ 10*), splits its output Y_i into right_s(Y_i) and left_{n−s}(Y_i), and passes the (n − s)-bit part to the next round; outputs C_1 (n bits) and C_2 (s bits).]
[Figure (slide 16): the tweakable block ciphers are replaced by random tweakable permutations π̃_1, π̃_2, π̃_3 ←$ Perm(n, n).]
[Figure (slide 17): π̃_1, π̃_2, π̃_3 are replaced by G_{0,0} in each round, and ρ by H_{0,0}.]

Slide 18 / 23: Proof Idea [Reduction]
[Figure: the distance between the two worlds is bounded (≤) by a chain of hybrids, given in the steps below.]

Slides 19 to 20 / 23: Proof Idea [Step 1]
[Figure (slide 19): 3-LDT with G_{0,0} in all three rounds, next to 3-LDT with G_{0,1} in round 1, G_{1,1} in round 2 and G_{1,0} in round 3.]
[Figure (slide 20): the primitives drawn as boxes with tweak T, input M and output C: G_{0,1}, G_{1,1} (beside G_{0,0}) and G_{1,0}.]

Slide 21 / 23: Proof Idea [Step 2]
[Figure: 3-LDT[G_{0,1}, G_{1,1}, G_{1,0}] on (M_1, M_2) next to H_{1,1}; labelled "Indistinguishable".]

Slide 22 / 23: Proof Idea [Step 3]
[Figure: H_{1,1} on (M_1, M_2) next to H_{0,0} on (M_1, M_2), both giving (C_1, C_2).]

Slide 23 / 23: Conclusion
New results
◮ Harmonic primitives
◮ 2-LDT: beyond birthday bound
◮ 3-LDT: better bound
Further research
◮ 2-LDT and 3-LDT: tight bound?
◮ 3-LDT: optimal security?
◮ Harmonic primitives: tight bound and use for other constructions?
