Simon: NSA-designed Cipher in the Post-Snowden World (Tomer Ashur)

  1. Simon: NSA-designed Cipher in the Post-Snowden World
     Tomer Ashur, KU Leuven, 28/12/2015

  4. The SIMON and SPECK Families of Lightweight Block Ciphers
     ◮ Two families of lightweight block ciphers (10 variants for each)
     ◮ Designed by the NSA
     ◮ Released in 2013

  6. Simon
     ◮ Hardware oriented
     ◮ Feistel structure

  7. Simon - Structure
     $X_{i+1} = F(X_i) \oplus Y_i \oplus K_i$
     $Y_{i+1} = X_i$
     [Figure: one Feistel round with inputs $X_i$, $Y_i$, function $F$, round key $K_i$ and outputs $X_{i+1}$, $Y_{i+1}$]

  8. Simon - Variants

     | Block size | Key size | No. rounds |
     |------------|----------|------------|
     | 32         | 64       | 32         |
     | 48         | 72       | 36         |
     | 48         | 96       | 36         |
     | 64         | 96       | 42         |
     | 64         | 128      | 44         |
     | 96         | 96       | 52         |
     | 96         | 144      | 54         |
     | 128        | 128      | 68         |
     | 128        | 192      | 69         |
     | 128        | 256      | 72         |

  9. Simon - Round Function
     [Figure: round function diagram with labels $X_i$, $Y_i$, ≪ 1, ≪ 8, ≪ 2, & and ⊕]

  10. Simon - Key schedule
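
The Feistel structure, round function and key schedule from slides 7 to 10, put together as Simon32/64 (the 32/64/32 row of the variants table). This is an added example, not code from the talk; the constant sequence `Z0` and the key-schedule recurrence are taken from the public specification (eprint 2013/404), since the slides show the key schedule only as a figure.

```python
# Added example: Simon32/64 following the public specification (eprint 2013/404).
N, M, T = 16, 4, 32            # word size in bits, key words, rounds
MASK = (1 << N) - 1
# Constant sequence z0 from the specification (not shown on the slides).
Z0 = "11111010001001010110000111001101111101000100101011000011100110"

def rol(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def ror(x, r):
    return ((x >> r) | (x << (N - r))) & MASK

def f(x):
    """Round function: ((x <<< 1) & (x <<< 8)) xor (x <<< 2)."""
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)

def expand_key(key):
    """key = (k3, k2, k1, k0) in the order the spec prints it; returns T round keys."""
    k = list(reversed(key))
    for i in range(M, T):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]
        tmp ^= ror(tmp, 1)
        k.append((~k[i - M] & MASK) ^ tmp ^ int(Z0[(i - M) % 62]) ^ 3)
    return k

def encrypt(x, y, round_keys):
    # X_{i+1} = F(X_i) xor Y_i xor K_i ; Y_{i+1} = X_i
    for rk in round_keys:
        x, y = f(x) ^ y ^ rk, x
    return x, y

def decrypt(x, y, round_keys):
    # Feistel inverse: same F, round keys in reverse order.
    for rk in reversed(round_keys):
        x, y = y, f(y) ^ x ^ rk
    return x, y

if __name__ == "__main__":
    # Simon32/64 test vector from the specification.
    rks = expand_key((0x1918, 0x1110, 0x0908, 0x0100))
    ct = encrypt(0x6565, 0x6877, rks)
    print("ciphertext: %04x %04x" % ct)
    print("round trip: %04x %04x" % decrypt(*ct, rks))
```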

  11. Simon - Performance
      Figure: Performance figures from the original paper (eprint 2013/404)

  12. Simon - Performance
      Figure: Performance figures from the NIST workshop (eprint 2015/585)

  14. Simon - Security
      ◮ “...SIMON and SPECK have been designed to provide security against traditional adversaries who can adaptively encrypt and decrypt large amounts of data. We concede that (as is the case with other algorithms) there will be what amount to highly optimized ways to exhaust the key that reduce the cost of a naive exhaust by a small factor. We have also made a reasonable effort to provide security against adversaries who can flip key bits, and our aim is that there should be no related-key attacks...” (eprint 2013/404)

  15. Simon - Security
      ◮ “The development process culminated in the publication of the algorithm specifics in June 2013 [9]. Prior to this, Simon and Speck were analyzed by NSA cryptanalysts and found to have security commensurate with their key lengths; i.e., no weaknesses were found. Perhaps more importantly, the algorithms have been pretty heavily scrutinized by the international cryptographic community for the last two years (see, e.g., [2], [3], [5], [4], [1], [6], [15], [16], [20], [27], [29], [37], [47], [51], [53], [56], [59], [62], [60], [30], [7], [25], [42], [24]).” (eprint 2015/585)

  16. Linear Cryptanalysis
      $$X_i \,\&\, Y_i = \begin{cases} 0 & p = \frac{3}{4};\ \epsilon = \frac{1}{4} \\ X_i & p = \frac{3}{4};\ \epsilon = \frac{1}{4} \\ Y_i & p = \frac{3}{4};\ \epsilon = \frac{1}{4} \\ X_i \oplus Y_i \oplus 1 & p = \frac{3}{4};\ \epsilon = \frac{1}{4} \end{cases}$$

  18. Linear Cryptanalysis - Data Complexity
      ◮ Data complexity $\geq \epsilon^{-2}$
      ◮ Data complexity $\leq 2^n$

  20. Multiple Linear Cryptanalysis
      ◮ Using more than one linear approximation to reduce the data complexity
      ◮ Using more than one linear approximation to extend the attack

  22. The NIST Workshop
      ◮ “...For example, the bias calculated in section 5 should be $2^{-8.34 \times 2} \times 2^{-1} = 2^{17.64}$, not $2^{-8.34 \times 2} \times 2 = 2^{-15.68}$. This error was propagated throughout the paper...” (Anonymous reviewer for the NIST)
      ◮ “...The first comment, dealing with the right bias when combining two linear approximations is clearly wrong. The joint bias when combining approximations is given by the piling up lemma and is equal to (for three approximations) $e_0 \times e_1 \times e_2 \times 2^2$...” (my response to the NIST review)
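
The quantities from slides 16 to 22 computed directly: the four approximations of the AND gate, the piling-up lemma (checked against exhaustive enumeration), and the data-complexity bounds. This is an added example, not material from the talk; the function names are hypothetical, and the block size n = 32 in the usage note is an assumption taken from the smallest row of the variants table.

```python
# Added example: exact biases of the AND approximations and the piling-up lemma.
from itertools import product
from math import log2, prod

def and_approximations():
    """Exact (p, eps) for the four linear approximations of x & y on slide 16."""
    approx = {
        "0": lambda x, y: 0,
        "x": lambda x, y: x,
        "y": lambda x, y: y,
        "x^y^1": lambda x, y: x ^ y ^ 1,
    }
    out = {}
    for name, g in approx.items():
        hits = sum((x & y) == g(x, y) for x, y in product((0, 1), repeat=2))
        out[name] = (hits / 4, abs(hits / 4 - 0.5))
    return out

def piling_up(biases):
    """Joint bias of k independent approximations: 2^(k-1) * eps_1 * ... * eps_k."""
    return 2 ** (len(biases) - 1) * prod(biases)

def exact_xor_of_ands_bias(k):
    """Bias of 'XOR of k independent AND gates = 0', by enumerating 2^(2k) inputs."""
    hits = 0
    for bits in product((0, 1), repeat=2 * k):
        acc = 0
        for j in range(k):
            acc ^= bits[2 * j] & bits[2 * j + 1]
        hits += acc == 0
    return hits / 4 ** k - 0.5

def log2_data_complexity(log2_eps):
    """log2 of the lower bound eps^-2 from slide 18."""
    return -2 * log2_eps

def usable(log2_eps, n):
    """True when eps^-2 fits inside the 2^n codebook of an n-bit block."""
    return log2_data_complexity(log2_eps) <= n

if __name__ == "__main__":
    print(and_approximations())
    print(piling_up([0.25] * 3), exact_xor_of_ands_bias(3))
    print(log2(piling_up([2 ** -8.34] * 2)))
```

With two approximations of bias $2^{-8.34}$ the lemma gives $2^{-15.68}$, so `usable(-15.68, 32)` is true ($\epsilon^{-2} = 2^{31.36}$), while any bias below $2^{-16}$ would already exceed a 32-bit codebook.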

  25. The Plot Thickens
      ◮ Three days after sending this, I got an email from Doug Shors
      ◮ “We are preparing to post a paper to the eprint archive; one thing we’ve done in the paper is summarize the current state of the SIMON and SPECK cryptanalysis...” (Doug Shors, 24/05/2015)
      ◮ “...Right now we’re not seeing how it could work as claimed...” (Doug Shors, 24/05/2015)
      ◮ “...I understand that implementing the full attack is out of reach. But is it possible to restrict the keys in some way, or to do the 22- or 23-round version of the attack, and get some useful information?” (Doug Shors, 26/05/2015)

  28. Verifying the Attack on 20 Rounds
      ◮ Doug: “...Combining a bunch of random biases ($2^{-n/2}$ is random), if it worked, would allow you to attack any number of rounds of any block cipher...” (Doug Shors, 26/05/2015)
      ◮ Tomer: “...Combining enough linear approximations together - even if the bias for each individual one is below $2^{-n/2}$ - can improve an attack both in terms of the number of required plaintexts and/or the length of the distinguisher...” (Tomer Ashur, 26/06/2015)
      ◮ Doug: “...Actually, I do not disagree with this statement, but you really have to consider what happens in the wrong case, which I don’t think is done in the paper...” (Doug Shors, 26/06/2015)

  30. Direct Email Exchange with the NSA
      ◮ “...Just as a friendly comment, I think there are some misconceptions in the paper which will be apparent to experts reading it, and so it’s probably in your interest to fix them...” (Doug Shors, 01/06/2015)
      ◮ “I come originally from the mathematics world, where there’s a pretty high standard regarding the veracity of published results, and I’m often disappointed by the standard for crypto publications, where opinion, wishful thinking, marketing of tweaks to existing methods as fundamental breakthroughs, etc., etc., are all tolerated. I’m addressing the situation in general; not your paper in particular. Of course there is also a lot of very high-quality work out there” (Doug Shors, 26/06/2015)
