some challenges in heavyweight cipher design daniel j
play

Some challenges in heavyweight cipher design Daniel J. Bernstein - PDF document

Jan 13, 2023 •365 likes •673 views

Some challenges in heavyweight cipher design Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Protocol generates new AES-128 key k . Protocol encrypts message block m 1 as AES k (1) m 1 , m 2 as

  1. Some challenges in heavyweight cipher design Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

  2. Protocol generates new AES-128 key k . Protocol encrypts message block m 1 as AES k (1) ⊕ m 1 , m 2 as AES k (2) ⊕ m 2 , m 3 as AES k (3) ⊕ m 3 , etc. Also authenticates. First block m 1 is predictable: GET / HTTP/1.1\r\n Attacker learns AES k (1). Can attacker deduce AES k (20)? We constantly tell people: “No! AES is secure! This is all safe!”

  3. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”.

  4. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”. Fragile fix: Complicate protocols by trying to randomize everything.

  5. Attacker learns AES k (1) for, say, 2 40 user keys k . Attacker finds some user key using feasible 2 88 computation. Attacker decrypts, maybe forges, data for that user. Is this 2 128 “security”? See 2002 Biham “key collisions”. Fragile fix: Complicate protocols by trying to randomize everything. Much simpler fix: 256-bit keys. (Side discussion: Is 192 enough?)

  6. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor.

  7. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor. Parallelize: N 2 processors, each running 2 64 =N iterations. 1999 Zalka claims this is optimal.

  8. Another reason to be concerned about 128-bit cipher keys: quantum computing. Grover finds k from AES k (1) using 2 64 iterations on a small quantum processor. Parallelize: N 2 processors, each running 2 64 =N iterations. 1999 Zalka claims this is optimal. Multiple targets should allow much better parallelization. Related algos: 2009 Bernstein; 2004 Grover–Radhakrishnan.

  9. Should MACs have nonces? To authenticate ( m 1 ; m 2 ; m 3 ; m 4 ): Compute function with small differential probabilities. e.g., r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 , where r is secret. Generate a one-time key s n = AES k ( n ) from master key k . Add to obtain MAC: r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 + s n . Widely deployed for speed: consider, e.g., GCM.

  10. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages.

  11. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?)

  12. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?) Is this 2 128 “security”?

  13. 2006 Joux “forbidden attack”: ntwice in GCM ⇒ repeated s n ⇒ attacker figures out r , can easily forge messages. Joux’s suggested response: AES k ( r 4 m 1 + r 3 m 2 + r 2 m 3 + rm 4 ) “seems a safe option”. (Also suggested and analyzed in, e.g., 2000 Bernstein; earlier refs?) Is this 2 128 “security”? Forgery chance ≤ ‹ + › where › is AES PRF insecurity and ‹ ≈ q 2 L= 2 128 for message lengths ≤ L .

  14. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 .

  15. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.)

  16. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.) Fragile solution: “Switch keys!”

  17. › is at least q ( q − 1) = 2 129 . Solution: better PRP/PRF switch (2005 Bernstein), ok for q ≈ 2 64 . ‹ is still unacceptably large. (Show that this is tight? See, e.g., 2005 Ferguson GCM attack.) Fragile solution: “Switch keys!” Much simpler: 256-bit blocks. 2014 Bernstein–Chou “Auth256”: 29 bit ops/message bit for differential probability < 2 − 255 . Or try EHC from 2013 Nandi?

  18. Improving Tor Tor wants “fast, proven, secure, easy-to-implement, non-patent- encumbered, side-channel-free” 509-byte blooock cipher. (But current cipher is a disaster, so can consider compromises.) Also: secure chaining from each blooock to the next. Tor is considering deployment of AEZ or HHFHFH in 2016. See, e.g., Mathewson talks from RWC 2013 and RWC 2016.

  19. � � � block cipher (strong SPRP) Feistel NR CMC CTR EME OFB XCB HCTR stream cipher PEP (strong PRF) HCH TET HEH iHCH HOH EMME SCTES � blooock cipher HHFHFH (strong SPRP)

  20. � � � � � � � � � � � � � � x 0 w x 1 + 1 H 1 � H 2 � F 2 � + 2 x 2 x 3 F 3 H 3 − 3 � H 4 � − 4 x 4 w x 5

  21. Previous slide: HHFHFH (Bernstein–Nandi–Sarkar). H is purely combinatorial; F is a stream cipher. Ingredients: 4-round Feistel; H at top (1996 Lucks), bottom (1997 Naor–Reingold); H 2 ; H 3 allow one-block nonces; H 1 ; H 4 are stretched by 0-pad; XCB/HCTR-style tweak, faster than 2002 Liskov–Rivest–Wagner. Allow one H 1 ; H 2 ; H 3 ; H 4 key; unify H 1 ; H 2 hypotheses; unify H 3 ; H 4 hypotheses.

  22. One possibility for F : permutation in EM in CTR. Full-width permutation output beats squeezing for long output; and CTR is highly parallel. Also choose highly parallel H . We’re still optimizing choices. Use single-block tweak w . “chopTC”: chain by choosing w as truncation of P ⊕ C . HHFHFH reads each bit in array twice, writes each bit once. Something I’m working on now: more locality inside permutation.

  23. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”?

  24. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis.

  25. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis. Simpler fix: “bigger-birthday- bound security.” Use 256-bit blocks, security q 2 = 2 256 .

  26. Security loss of mode compared to security of F : basically q 2 = 2 128 , assuming 128-bit blocks and typical choice of H . Is this 2 128 “security”? Fragile fix: “beyond-birthday- bound security.” Complicates implementation, security analysis. Simpler fix: “bigger-birthday- bound security.” Use 256-bit blocks, security q 2 = 2 256 . Is 256-bit n safe in ChaCha?

  27. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc.

  28. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc. Occasional designs: Rijndael, OMD (SHA-2), Keccak, BLAKE2, NORX, Simpira, : : : . This needs far more attention, optimization. Hash designs are usually overkill.

  29. Heavyweight ciphers Interesting cipher -design space: ≥ 256 bits for all pipes. ≥ 256-bit keys, ≥ 256-bit outputs, ≥ 256-bit subkeys, etc. Occasional designs: Rijndael, OMD (SHA-2), Keccak, BLAKE2, NORX, Simpira, : : : . This needs far more attention, optimization. Hash designs are usually overkill. Is 256 fundamentally much slower, or much less energy-efficient, than 128? My guess: No!

  30. Another optimization target: PRF inside EdDSA signatures. EdDSA generates per-signature random number mod 256-bit ‘ as truncated hash: H ( s; m ) mod ‘ . H is SHA-512; s is subkey. 2015 Bellare–Bernstein–Tessaro: truncated prefixed MD hash is a high-security multi-user MAC. Even with the constraint of reusing preimage-resistant hash, surely can build better design in both software and hardware.

Recommend

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design phase - Everyone designs a cipher. Analysis phase - Everyone analyses the ciphers published. 2 / 9 Design phase The design of your cipher

264 views • 9 slides
Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school

Motivation Industry Academia We Start To Cheat... And Fail! Lightweight Block Cipher Design Gregor Leander DTU Mathematics, Denmark ECRYPT II summer school May/June 2011 G. Leander Lightweight Block Cipher Design Motivation Industry

577 views • 56 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design? CSci 5271 A. DES Introduction to Computer Security Networking (contd) and cryptography B. AES Stephen McCamant C. DSA University of

582 views • 11 slides
Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 ,

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis d 1 , F. De Santis 2 , 3 , J. Heyszl 4 , S. Mangard 3 , S. Bela M. Medwed 5 , J.-M. Schmidt 6 , F.-X. Standaert 7 , S. Tillich 8 1 Ecole Normale Sup

754 views • 29 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? } k } n } n { , { , { , It is a function E of parameters k and n that maps

329 views • 17 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Bmore Fit for Healthy Babies Program Overview Healthcares Heavyweight Battle: How America

Bmore Fit for Healthy Babies Program Overview Healthcares Heavyweight Battle: How America

Bmore Fit for Healthy Babies Program Overview Healthcares Heavyweight Battle: How America Can Win the Fight Against Obesity Healthcare Leadership Council April 16, 2015 Background Obese women of reproductive age are more likely to

545 views • 11 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Content 1. Challenges of PIR design 2. Recommendation 1: Strut-and-tie method for strut check

Content 1. Challenges of PIR design 2. Recommendation 1: Strut-and-tie method for strut check

1-DAY SEMINAR ON PERFORMANCE EVALUATION FOR CONCRETE TO CONCRETE CONNECTION: FROM QUALIFICATION TO DESIGN Session 4: Design Recommendations: Strut-and-Tie Method and some reconciliations with rebar and anchor theory Dr. Daniel Looi

776 views • 23 slides

More recommend