symmetric key cryptography an engineering perspective
play

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha - PowerPoint PPT Presentation

Dec 26, 2022 •33 likes •873 views

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 December 19, 2014 1 / 44 Overview Engineering Perspective Design, analysis,

  1. Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 — December 19, 2014 1 / 44

  2. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques 2 / 44

  3. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques Two Parts • Hash functions • MAC algorithms 2 / 44

  4. Overview Engineering Perspective • Design, analysis, implementation • Basic concepts and techniques Two Parts • Hash functions • MAC algorithms Simpli fi ed View • Small inaccuracies, details missing • Incomplete study: citations missing 2 / 44

  5. Part I: Hash Functions 3 / 44

  6. Hash Function Hash Function h • Generates a short “ fi ngerprint” of a message m Security Requirements • One-way function: h given Y , hard to fi nd m : h ( m ) = Y • Collision resistant function: hard to fi nd m � = m ′ : h ( m ) = h ( m ′ ) h ( m ) • . . . SHA-3 Competition (2008-2012) 4 / 44

  7. Hash Function Hash Function h • Generates a short “ fi ngerprint” of a message m Security Requirements • One-way function: h given Y , hard to fi nd m : h ( m ) = Y • Collision resistant function: hard to fi nd m � = m ′ : h ( m ) = h ( m ′ ) h ( m ) • . . . SHA-3 Competition (2008-2012) 4 / 44

  8. π κ Permutation-Based Hash Functions Hash Functions Based on Permutations • Simpler to design: no key schedule • Block-cipher-based: see later K x y P E C b b b b (Cryptographic) Permutation • Provable security: statistical object (random permutation) • Cryptanalysis: deterministic algorithm (no “distinguishers”) 5 / 44

  9. Hash Function Rate Hash Function Rate α data processed per permutation call (in bits) • α = permutation size (in bits) • Note: various de fi nitions of “rate” exist! 6 / 44

  10. Hash Function Rate Hash Function Rate α data processed per permutation call (in bits) • α = permutation size (in bits) • Note: various de fi nitions of “rate” exist! Ideal Construction • Rate-1 hash function: α = 1 6 / 44

  11. π π π Rate-1 Hash Function: First Attempt Simplest Rate-1 Hash Function m ℓ m 1 m 2 n . . . h ( m ) 0 n n 7 / 44

  12. π π π π π π Rate-1 Hash Function: First Attempt Collision: Correcting Block Attack m ℓ m 1 m 2 n x . . . h ( m ) 0 n n m ℓ ⊕ x ⊕ y m ′ m ′ 1 2 n y . . . h ( m ) 0 n n 8 / 44

  13. π π π Rate-1 Hash Function: Second Attempt Another Rate-1 Hash Function m 1 m 1 m 2 m 2 m ℓ m ℓ n . . . h ( m ) 0 n n 9 / 44

  14. π π π Rate-1 Hash Function: Second Attempt Observation m 1 m 1 m ℓ m ℓ x x n m 1 x m 1 x 0 . . . h ( m ) 0 n n 10 / 44

  15. π π π π π π Rate-1 Hash Function: Second Attempt Collision Attack (Black et al., Crypto ’02) m 1 m 1 m ℓ m ℓ x x n m 1 x m 1 x 0 . . . h ( m ) 0 n n m ℓ m ℓ m ′ m ′ x ′ x ′ 1 1 n m ′ m ′ x ′ x ′ 0 1 1 . . . h ( m ) 0 n n 11 / 44

  16. π Impossibility Result m i n n n n n h i − 1 f 1 f 2 h i Black et al. (Eurocrypt ’05) • Compression function from n -bit permutation • Information-theoretic: f 1 , f 2 can be any function • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ queries 12 / 44

  17. Security/E ffi ciency Tradeo ff s mn v n n f 1 π 1 sn g w n n f 2 π 2 n n f 3 π 3 Rogaway-Steinberger (Eurocrypt ’08) • Compression function from k n -bit permutations • Information-theoretic: f i can be any function • Generic collision attack: 2 n [1 − ( m − 0 . 5 s ) /k ] 13 / 44

  18. Security/E ffi ciency Tradeo ff s mn v n n f 1 π 1 sn g w n n f 2 π 2 n n f 3 π 3 Rogaway-Steinberger (Eurocrypt ’08) • Compression function from k = 3 n -bit permutations • Information-theoretic: f i can be any function, m = 2 , s = 1 • Generic collision attack: 2 n [1 − (2 − 0 . 5 · 1) / 3] = 2 n/ 2 14 / 44

  19. ⊕ ⊕ Security/E ffi ciency Tradeo ff s n v 1 n v 2 n n π 1 n w n n π 2 n n π 3 Mennink-Preneel (Crypto ’12) • Compression function from k = 3 n -bit permutations • Constructions with only XORs, fi rst systematic analysis • Optimal collision resistance: 2 n/ 2 15 / 44

  20. π Security/E ffi ciency Tradeo ff s 2 n v n w Why Not One Big Permutation? • 2 n -bit permutation instead of n -bit • Same generic collision attack: 2 n/ 2 • More e ffi cient than three n -bit permutations? 16 / 44

  21. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. 17 / 44

  22. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. Remarks • Not intuitive: b → b bits: (2 b ) 2 b = 2 b 2 b functions • Not rigorous: based on design choices and attacks • How to count “operations”? 17 / 44

  23. Scaling Law “When the input size of a symmetric-key primitive doubles, the number of operations (roughly) doubles as well”. Remarks • Not intuitive: b → b bits: (2 b ) 2 b = 2 b 2 b functions • Not rigorous: based on design choices and attacks • How to count “operations”? Next Slides: Scaling Law Examples 17 / 44

  24. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) 18 / 44

  25. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) Rijndael (256-bit key): 8-bit Words • 128/192/256-bit block size: 14 rounds 18 / 44

  26. Scaling Law: Fixed Word Size PHOTON: 4-bit Words • 100/144/196/256-bit permutation: 12 rounds • (288-bit permutation: 12 rounds, but 8-bit word size) Rijndael (256-bit key): 8-bit Words • 128/192/256-bit block size: 14 rounds Skein: 64-bit Words • 256/512-bit block/key size: 72 rounds • 1024-bit block/key size: 80 rounds • Overdesign? Best (non-biclique) attack is on 36 rounds (Yu et al., SAC ’13) 18 / 44

  27. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) 19 / 44

  28. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) SHA-2 • SHA-256: 768-to-256-bit: 64 rounds (32-bit words) • SHA-512: 1536-to-512 bit: 80 rounds (64-bit words) 19 / 44

  29. Scaling Law: Variable Word Size BLAKE • 960-to-256-bit: 14 rounds (32-bit words) • 1920-to-512-bit: 16 rounds (64-bit words) SHA-2 • SHA-256: 768-to-256-bit: 64 rounds (32-bit words) • SHA-512: 1536-to-512 bit: 80 rounds (64-bit words) Keccak • 800-bit permutation: 22 rounds (32-bit words) • 1600-bit permutation: 24 rounds (64-bit words) • Note: zero-sum distinguisher for full-round 1600-bit per- mutation (Boura et al., Duan-Lai) 19 / 44

  30. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds 20 / 44

  31. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost 20 / 44

  32. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) 20 / 44

  33. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total 20 / 44

  34. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total • Four n -bit or one 2 n -bit permutation: same cost 20 / 44

  35. Scaling Law: Counterexamples? Grøstl • 512-bit permutation: 10 rounds • 1024-bit permutation: 14 rounds • Close! If 15 rounds: three small or one big: same cost • Best attacks: resp. 9/10 rounds (Jean et al., FSE ’12) Spongent • b -bit permutation, r = b/ 2 rounds, b/ 4 S-boxes/round: b 2 / 8 S-boxes in total • Four n -bit or one 2 n -bit permutation: same cost • 272-bit Spongent: 5x lower throughput than 256-bit PHOTON (Bogdanov et al., IEEE Trans. Comp. 2013) 20 / 44

  36. Hash Functions with 2 n/ 2 Collision Resistance Rate-1 Hash Function ( α = 1) • Impossible (Black et al., Eurocrypt ’05) • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ 21 / 44

  37. Hash Functions with 2 n/ 2 Collision Resistance Rate-1 Hash Function ( α = 1) • Impossible (Black et al., Eurocrypt ’05) • Generic collision attack: at most n + ⌈ log 2 ( n ) ⌉ Rate-0.5 Hash Function ( α = 0 . 5) • Three n -bit permutations • One 2 n -bit permutation 21 / 44

Recommend

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to Symmetric Cryptography What is cryptography? Cryptography is communication in the presence of an adversary Ron Rivest. Coding theory Detection and

877 views • 28 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security February 5, 2003 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2003 CS 239,

263 views • 11 slides
Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric

Outline Cryptography and Encryption Uses of cryptography Algorithms Symmetric cryptography CS 239 Asymmetric cryptography Computer Security January 26, 2005 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2005 CS 239,

321 views • 13 slides
Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security

Symmetric Key Cryptography Lecture 8 Summary RECALL Symmetric-Key Encryption SIM-CCA Security Authentication not required. i.e., Adversary allowed to send own messages (possibly error) Key/ Key/ Recv Enc Dec Send Replay SIM-CCA

192 views • 16 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System

Background Bas c Cryptography Background: Basic Cryptography Symmetric Key System Symmetric Key System a shared symmetric key Examples: DES IDEA RC4 AES Examples: DES, IDEA, RC4, AES Asymmetric Key System y y y a pair

661 views • 38 slides
CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

527 views • 26 slides
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(

1.32k views • 119 slides
Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key Cryptography Security Requirements Advantages Modes of Use Diffie-Hellman Key Exchange RSA Cryptosystem ElGamal

584 views • 32 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko Chair, Symmetric-Key Cryptography Subcommittee (Science University of Tokyo) 1 Symmetric-Key Cryptography Subcommittee(2002) K.Araki (TIT)

998 views • 20 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC & SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko

Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko

CSE 127: Computer Security Symmetric Cryptography Nadia Heninger and Deian Stefan Some slides adopted from Kirill Levchenko and Dan Boneh Cryptography Cryptography Is: A tremendous tool The basis for many security mechanisms

783 views • 67 slides
Symmetric Cryptography CS461/ECE422 Fall 2010 1 Outline Overview of Cryptosystem design

Symmetric Cryptography CS461/ECE422 Fall 2010 1 Outline Overview of Cryptosystem design

Symmetric Cryptography CS461/ECE422 Fall 2010 1 Outline Overview of Cryptosystem design Commercial Symmetric systems DES AES Modes of block and stream ciphers 2 Reading Chapter 9 from Computer Science: Art and

882 views • 62 slides
Symmetric Cryptography CS461/ECE422 Fall 2009 1 Outline Overview of Cryptosystem design

Symmetric Cryptography CS461/ECE422 Fall 2009 1 Outline Overview of Cryptosystem design

Symmetric Cryptography CS461/ECE422 Fall 2009 1 Outline Overview of Cryptosystem design Commercial Symmetric systems DES AES Modes of block and stream ciphers 2 Reading Chapter 9 from Computer Science: Art and

794 views • 62 slides
CPSC 418/MATH 318 Introduction to Cryptography Outline Course Technicalities, Symmetric

CPSC 418/MATH 318 Introduction to Cryptography Outline Course Technicalities, Symmetric

CPSC 418/MATH 318 Introduction to Cryptography Outline Course Technicalities, Symmetric Cryptosystems Course Technicalities Renate Scheidler 1 Department of Mathematics & Statistics Overview of Cryptography 2 Department of Computer

222 views • 9 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic Alexander Russell

Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic Alexander Russell

Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic Alexander Russell QMATH, Department of Mathematical Sciences Department of Computer Science & Engineering University of Copenhagen University of Connecticut

418 views • 21 slides
Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20,

Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20,

Exercise - Symmetric Key Cryptography Summer School on Post-Quantum Cryptography 2017 June 20, 2017 1 Classic Ciphers Consider a cipher where we substitute each letter of the alphabet with a different letter of the same alphabet. We call such a

281 views • 3 slides
Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Symmetric cryptography DES 3DES AES Asymmetric cryptography Diffie-Hellman key exchange 2 Modern cryptography Moving into

338 views • 16 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides

More recommend