silc simple lightweight cfb
play

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko - PowerPoint PPT Presentation

Nov 01, 2022 •255 likes •557 views

SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. Eita Kobayashi, NEC Corporation DIAC 2014 August 23, 2014, Santa Barbara, USA

  1. SILC: SImple Lightweight CFB Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. Eita Kobayashi, NEC Corporation DIAC 2014 August 23, 2014, Santa Barbara, USA 1

  2. Outline • Authenticated Encryption with Associated Data (AEAD) • SILC, SImple Lightweight CFB, pronounced as “silk” http://pixabay.com/en/silk ‐ yarn ‐ thread ‐ spool ‐ thread ‐ 196539/ 2

  3. SILC Design Goal • Provably secure AEAD that is based on a blockcipher – Standard security notions for privacy and authenticity • To improve previous schemes, CCM, EAX, and EAX ‐ prime – optimizing the design to achieve a small gate size on HW implementations • HW oriented version of CLOC [IMGM14] – CLOC is for embedded SW implementations [IMGM14] Iwata, Minematsu, Guo, Morioka, CLOC: Compact Low ‐ Overhead CFB, Submission to the CAESAR competition 3

  4. Design Strategy • CLOC optimizes the number of blockcipher calls by making various cases – if the input is empty, a multiple of block size, or otherwise – this contributes to the efficiency for short input, and well suits for embedded SW implementations – requires non ‐ negligible number of logic gates • SILC avoids making cases – at the cost of the constant number of increase of blockcipher calls – data blocks are processed consistently – reduces the logic gates needed to implement the cases 4

  5. SILC Overview • SILC is built upon CLOC • It follows the Encrypt ‐ then ‐ PRF paradigm • HASH, PRF: variants of CBC MAC • ENC: a variant of CFB 5

  6. Parameters • E K : blockcipher with an n ‐ bit block • l N : nonce length in bits 1 ≦ l N ≦ n − 1 • tau: tag length in bits 1 ≦ tau ≦ n 6

  7. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 1 ≦ |N| ≦ n − 1 • A: associated data, at most 2 n/2 ‐ 1 bytes 7

  8. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 1 ≦ |N| ≦ n − 1 • A: associated data, at most 2 n/2 ‐ 1 bytes zero prepending function zpp(N) = 0…0 || N 8

  9. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 0<|N|<n zero appending function zap(X) = X || 0…0 • A: associated data, at most 2 n/2 ‐ 1 bytes (possibly none) 9

  10. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 0<|N|<n Len(A) = length of A in bytes • A: associated data, at most 2 n/2 ‐ 1 bytes 10

  11. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 0<|N|<n tweak function • A: associated data, at most 2 n/2 ‐ 1 bytes broken into bytes 11

  12. V < ‐ HASH K (N,A) • variant of CBC MAC • N: nonce, fixed length, 1 ≦ |N| ≦ n − 1 • A: associated data, at most 2 n/2 ‐ 1 bytes 12

  13. C < ‐ ENC K (V,M) • variant of CFB mode • M: plaintext, at most 2 n/2 ‐ 1 bytes 13

  14. C < ‐ ENC K (V,M) bit fixing function • variant of CFB mode fix the most significant bit by one • M: plaintext, at most 2 n/2 ‐ 1 bytes fix1(X) = X OR 10…0 14

  15. C < ‐ ENC K (V,M) • variant of CFB mode • M: plaintext, at most 2 n/2 ‐ 1 bytes 15

  16. T < ‐ PRF K (V,C) • variant of CBC MAC 16

  17. Works with Two State Blocks 17

  18. SILC Properties • Nonce ‐ based AEAD • uses only the encryption of the blockcipher both for encryption and decryption • It makes |N| n + |A| n + 2|M| n + 2 blockcipher calls for a nonce N, associated data A, and a plaintext M – where |X| n is the length of X in n ‐ bit blocks – 1 ≦ |N| ≦ n − 1, so |N| n = 1 – blockcipher key scheduling can be precomputed – No precomputation beyond that (blockcipher calls, generation of key dependent tables, . . . ) is needed 18

  19. Limitations • Static associated data cannot be handled efficiently – nonce is processed before associated data • For long plaintexts, it needs 2 blockcipher calls per one block • HASH, ENC, and PRF are all sequential – blockcipher calls in ENC and PRF are parallelizable 19

  20. Security • Privacy: Indistinguishability of ciphertexts from random bits against nonce ‐ respecting adversaries in a chosen plaintext attack setting • • 20

  21. Security • Authenticity: Unforgeability against nonce ‐ reusing adversaries in a chosen ciphertext attack setting • • 21

  22. Security • Authenticity: Unforgeability against nonce ‐ reusing adversaries in a chosen ciphertext attack setting • • • Standard birthday bounds, proofs are similar to those of CLOC 22

  23. Recommended Parameter Sets • E K : blockcipher with an n ‐ bit block – n: 64 or 128 – AES ‐ 128 for n = 128, and PRESENT ‐ 80 or LED ‐ 80 for n = 64 • l N : nonce length in bits – 96 or 64 for n = 128, and 48 for n = 64 • tau: tag length in bits – 64 for n = 128, and 32 for n = 64 23

  24. Recommended Parameter Sets • E K : blockcipher with an n ‐ bit block – n: 64 or 128 – AES ‐ 128 for n = 128, and PRESENT ‐ 80 or LED ‐ 80 for n = 64 • l N : nonce length in bits – 96 or 64 for n = 128, and 48 for n = 64 • tau: tag length in bits – 64 for n = 128, and 32 for n = 64 • 64 ‐ bit blockciphers are not for general purpose applications – for applications that can ensure the total amount of data processed with one key – low data transmission rate, limited battery lifetime 24

  25. HW Implementation • We evaluated AES ‐ SILC for ASIC using a 90 nm standard cell library • HW reference implementation AES ‐ SILC – to see the basic performance • Compared it with AES ‐ CLOC, AES ‐ OTR, and AES ‐ EAX – Unit = Gate Equivalent (GE) – AES is round ‐ based, where S ‐ box uses the composite ‐ field expression – single AES core 25

  26. HW Implementation • Scenario 1 – Frequency is fixed to 100 MHz AES SILC CLOC OTR EAX Gates (GE) 10207.75 15675.5 17137.75 21862.5 28662.25 Ratio (AES) 1 1.54 1.68 2.14 2.81 Throughput 1163.63 764.12 685.71 1134.18 794.48 (Mbit/sec) • SILC is the smallest (x 1.54 of AES size) • no significant change if the freq. ~= 20 MHz • Throughput is an estimation 26

  27. HW Implementation • Scenario 2 – The same RTL (Register Transfer Level) as Scenario 1 – find the maximum frequency SILC CLOC OTR EAX Max freq. (MHz) 344.8 312.5 333.3 277.8 Gates (GE) 23135 25287.25 29080.75 35305 Ratio (AES) 1.57 2.01 2.07 3.16 Throughput 2634.88 2142.85 3780.21 2207.07 (Mbit/sec) • Ratio: compared with AES of the corresponding freq. • SILC is again the smallest (x 1.57 of AES size) 27 • Throughput is an estimation

  28. SW Implementation • Not the main focus of SILC • General purpose CPU – Intel(R) Core(TM) i5 ‐ 3427U CPU, 1.80GHz (Ivy Bridge) – with a long plaintext (more than 2 20 blocks) and empty associated data, and with parallelism P AES ‐ SILC PRESENT ‐ SILC LED ‐ SILC Speed (cpb) 4.9 42 40 Remarks AES ‐ NI, P=1 bit ‐ sliced, P=16 bit ‐ sliced, P=32 • In AES ‐ SILC, E K in ENC and PRF are computed in parallel • AES ‐ CLOC: about 4.9 cpb (P = 1) • serial AES ‐ 128 encryption: about 4.3 cpb 28

  29. LED Reference Code • Inconsistency in the description of LED in the submission document and the LED reference code – The LED reference code will be updated soon – The reference code of SILC remains unchanged 29

  30. Conclusions • Designed SILC and analyzed the security and the efficiency • SILC is suitable for use within constrained HW devices http://pixabay.com/en/silk ‐ yarn ‐ thread ‐ spool ‐ thread ‐ 196539/ 30

Recommend

1 MPI-based SILC system Data transfer: the sequential case Currently based on a client-server

1 MPI-based SILC system Data transfer: the sequential case Currently based on a client-server

Outline Workshop on State-of-the-Art in Scientific and Parallel Computing (PARA '06) Ume, Sweden, June 18-21, 2006 Background Ways of using matrix computation libraries Distributed SILC: An easy-to-use Distributed SILC interface

232 views • 4 slides
Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with

Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with

Overview Overview What is SILC? What is SILC? Analysis of the SILC Protocol with Analysis of the SILC Protocol with Stands for Stands for S S ecure ecure I I nternet nternet L L ive ive C C onferencing. onferencing. Murphi

475 views • 5 slides
CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated

CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated

CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 Outline Describe AE schemes, CLOC, SILC and OTR Merged as CLOC and SILC for CAESAR Both are CAESAR

1.18k views • 66 slides
Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24,

Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24,

Purpose IFIP International Conference on Network and Parallel Computing (NPC 2006) October 24, 2006, in Tokyo, Japan A model-based analysis of the benefits and cost in the SILC framework SILC: A simple interface for matrix computation

701 views • 4 slides
CAM ROLLER SPRING CASE UIAA INTERNATIONAL CLIMBING AND MOUNTAINEERING FEDERATION UNION

CAM ROLLER SPRING CASE UIAA INTERNATIONAL CLIMBING AND MOUNTAINEERING FEDERATION UNION

CAM ROLLER SPRING CASE UIAA INTERNATIONAL CLIMBING AND MOUNTAINEERING FEDERATION UNION INTERNATIONALE DES ASSOCIATIONS DALPINISME 4 kN STATIC LOAD 110 kg at 3 m/s DYNAMIC LOAD SIMPLE SIMPLE LIGHTWEIGHT SIMPLE LIGHTWEIGHT RELIABLE

679 views • 46 slides
Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections

Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections

Matching and Optimizing the Matching and Optimizing the SILC / ILC sections SILC / ILC sections of the CW Linac (v7) of the CW Linac (v7) J.-F. Ostiguy APC/Fermilab ostiguy@fnal.gov JFO/20090910 Assumptions Assumptions Type 4 cryostat

276 views • 26 slides
Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC

Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC

Motivation S T A T I S T I K A U S T R I A D i e I n f o r m a t i o n s m a n a g e r EU-SILC poverty rates High quality indicators on national- but estimates on sub-national level have poor accuracy SAE-Methods modelling

729 views • 15 slides
Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti

554 views • 32 slides
Let's Make a Game! Simple game development with Slick2D and Java Slick2D Lightweight 2D

Let's Make a Game! Simple game development with Slick2D and Java Slick2D Lightweight 2D

Let's Make a Game! Simple game development with Slick2D and Java Slick2D Lightweight 2D game engine Built on top of LWJGL Takes care of the basics http://slick.ninjacave.com/ http://slick.ninjacave.com/wiki Setting

129 views • 8 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K.

New Lightweight DES Variants Suited for RFID Applications G. Leander, C. Paar, A. Poschmann, K. Schramm Workshop on Fast Software Encryption 2007 Outline Introduction Why lightweight? Why choose DES? DESL: DES Lightweight Why change DES?

364 views • 12 slides
IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello,

IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello,

35 th IARIW GENERAL CONFERENCE SESSION 12: IMPROVING THE MEASUREMENT OF HOUSEHOLD FINANCES IN SURVEYS IT-SILC Measurement of the Household Finance, Wealth and Consumption P. Consolini, G. Donatiello, D. Frattarola, M. Spaziani Italian National

222 views • 19 slides
Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research

Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research

Extending EU-SILC to homeless people: the Belgian experience Ides Nicaise, KU Leuven Research commissioned by the Belgian Combat Poverty Service and sponsored by BELSPO This project has received funding from the European Unions Seventh

131 views • 9 slides
Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background: Lightweight Encryption Lightweight: Meant to be fast. Symmetric key: Same key used for encryption and decryption. Used in embedded systems, browsers,

300 views • 12 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
Lightweight Session Programming in Scala Alceste Scalas Nobuko Yoshida Theory and Applications

Lightweight Session Programming in Scala Alceste Scalas Nobuko Yoshida Theory and Applications

t i f a c r t A C o m p * t * l e * n t e e * A s t P i W s E n e O o C l l C D O * o * e c C s u u m E e e E R n * o e t v t y s d d a E * a e u l t a Lightweight Session

1.08k views • 62 slides
The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions

The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions

The hard-to-survey in EU-SILC Nadja Lamei Statistics Austria, Challenges and potential solutions for the Directorate Social Statistics Austrian case Summer school 'Reaching out to hard-to- survey groups among the poor' 30 May 3 June,

356 views • 35 slides
Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve?

Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve?

Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve? 1. A simple, concise framework 2. High-performance for shared-memory machines Why? An abundance of graph processing applications Problems

534 views • 17 slides
On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1

On the Design and Use of Lightweight Cryptography for Cyber-Physical Systems Hirotaka Yoshida 1 1 AIST, Japan Kolkata, India (16 November 2018) 1 / 38 Table of contents 1 Introduction 2 Lightweight Crypto Stack for Circuit/RAM Size Requirement

670 views • 38 slides
Container-based virtualization Process-level Extensively used in Lightweight virtualization

Container-based virtualization Process-level Extensively used in Lightweight virtualization

C NTR Lightweight OS Containers Jrg Thalheim, Pramod Bhatotia Pedro Fonseca Baris Kasikci USENIX ATC 2018 Container-based virtualization Process-level Extensively used in Lightweight virtualization production isolation Namespaces

250 views • 22 slides
Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and

Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific Research (B), Grant

317 views • 30 slides
Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering

Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering

Contaminated Land Remediation Goals James Potter BSc, MSc, SiLC, CIWM, CEnv Delivering sustainable solutions in a more competitive world Introduction to James Potter James has over 13 years experience in contaminated land investigation,

599 views • 34 slides

More recommend