the subterranean 2 0 cipher suite
play

The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa - PowerPoint PPT Presentation

May 12, 2023 •477 likes •1.2k views

The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa Massolino 3 , Alireza Mehrdad 1 , Yann Rotella 2 1 Radboud University NL, 3 PQShield UK, 2 UVSQ, LMV, Universit e Paris-Saclay FR Fast Software Encryption Workshop November 9,

  1. The Subterranean 2.0 Cipher Suite Joan Daemen 1 , Pedro Maat Costa Massolino 3 , Alireza Mehrdad 1 , Yann Rotella 2 1 Radboud University NL, 3 PQShield UK, 2 UVSQ, LMV, Universit´ e Paris-Saclay FR Fast Software Encryption Workshop November 9, 2020 1/22

  2. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control 2/22

  3. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control Subhash: → M h 2/22

  4. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  5. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ R ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  6. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a ❄ blank R rounds ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  7. Subterranean [JDA 1992] : a stream/hash module • • • C ❄ C ✲ • • state a squeeze here ❄ blank R rounds ✻ C • ✲ • absorb here shift register b • control Subhash: → M h Substream: ( K ; D ) → Z 2/22

  8. Subterranean ’s round function R b : 256-bit shift register with 32-bit stages 3/22

  9. Subterranean ’s round function R b : 256-bit shift register with 32-bit stages a : 257-bit state: a ← R ( a , b ) . . . a 76 a 77 a 78 a 79 a 80 a 81 a 82 a 83 a 84 a 85 a 86 . . . a 0 t ◦ ◦ ◦ ✡✠ ✡✠ ✡✠ ❄ ❄ ❄ ❄ γ ◦ ◦ ◦ ✛ ✛ ✛ ✛ � � � � ▽ ς ◦ ✁ ✁ θ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✟ ✙ ✛ b 3 � � σ [ b ] 10 64 88 100 112 124 136 P ✏ P ❍ ❍ �✟✟✟ ✏✏✏✏ ✟ π P ❍ ❅ ✘✘✘ ✘ P ✥ P ❍ ❅ � ✥ . . . a 91 a 92 a 93 . . . a 0 t + 1 3/22

  10. Could Subterranean 1992 compete in the lightweight competition 2020? 4/22

  11. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 4/22

  12. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software 4/22

  13. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway 4/22

  14. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway • Low energy? • R takes 4 XOR, 1 NAND, 1 NOT per bit and is shallow • absorbing: 32 bits per round → 32 XOR, 8 NAND, 8 NOT per bit • squeezing: 16 bits per round → 64 XOR, 16 NAND, 16 NOT per bit 4/22

  15. Could Subterranean 1992 compete in the lightweight competition 2020? • In 1992 it was not intended as lightweight • 257-bit CV (the state) • compare with 128-bit CVs in MD4 and MD5 • R is hardware-oriented and unsuitable for software • but we would go for low energy and that implies ASIC anyway • Low energy? • R takes 4 XOR, 1 NAND, 1 NOT per bit and is shallow • absorbing: 32 bits per round → 32 XOR, 8 NAND, 8 NOT per bit • squeezing: 16 bits per round → 64 XOR, 16 NAND, 16 NOT per bit • Not bad, so let’s give it a shot! 4/22

  16. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption 5/22

  17. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels 5/22

  18. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • Mode 5/22

  19. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • Mode 5/22

  20. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • Mode 5/22

  21. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode 5/22

  22. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode • 8 blank rounds between absorbing and squeezing 5/22

  23. Subterranean 2.0 is Subterranean 1992 refurbished Three primitives XOF: unkeyed hashing with arbitrary-length output & input strings Deck: keyed function with arbitrary-length output & input strings SAE: session-supporting nonce-based authentication encryption Refactoring into two levels • Duplex • r = 32 in squeezing and keyed absorbing • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security) • delete shift register b and just absorb in, and squeeze from a • Mode • 8 blank rounds between absorbing and squeezing • except for encryption/decryption in SAE that relies on nonce uniqueness 5/22

  24. And now to Subterranean 2.0 and its rationale in more detail! 6/22

  25. Subterranean-XOF M 0 M 1 M i Z 0 Z 1 Z 2 Z 7 R 8 R 2 R 2 R 2 0 R R R • | M j | : one byte • | Z j | : 4 bytes 7/22

  26. Subterranean-Deck K 0 K 1 M 0 M 1 Z 0 Z 1 Z 2 Z i R 8 0 R R R R R R R • | M j | , | Z j | , | K j | : 4 bytes 8/22

  27. Subterranean-SAE A i a Z 0 Z i +1 K 0 N 2 A 0 P 0 Z 1 P i T 0 T 1 T 3 R 8 R 8 0 R R R R R R R R • | K j | , | N j | , | A j | , | Z j | , | P j | , | T j | : 4 bytes 9/22

  28. The Subterranean 2.0 round function . . . s 76 s 77 s 78 s 79 s 80 s 81 s 82 s 83 s 84 s 85 s 86 . . . s 0 t ◦ ◦ ◦ ✝ ✆ ✝ ✆ ✝ ✆ ❄ ❄ ❄ ❄ χ ✛ ✛ ✛ ✛ � � � � ▽ ι ◦ ✁ ✁ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✙ ✟ θ � � 64 88 100 112 124 136 π P P ✏✏✏✏ ✏ ❍ ✟ P ❍ �✟✟ ❅ ✘ P ✘✘ P ❍ ❅ � ✥ ✥ . . . s 91 s 92 s 93 . . . s 0 t + 1 χ : s i ← s i + ( s i +1 + 1) s i +2 ι : s i ← s i + δ i θ : s i ← s i + s i +3 + s i +8 π : s i ← s 12 i 10/22

  29. Absorb and Squeeze . . . s 76 s 77 s 78 s 79 s 80 s 81 s 82 s 83 s 84 s 85 s 86 . . . s 0 t ◦ ◦ ◦ ✝ ✆ ✝ ✆ ✝ ✆ χ ❄ ❄ ❄ ❄ ✛ ✛ ✛ ✛ � � � � ▽ ι ◦ ✁ ✁ ☛ ✟ ☛ ✟ ❄ ✁ ❄ ✁ ✙ ✟ ✟ ✙ ✲ θ � � 64 88 100 112 124 136 π P ✏ P ✏✏✏✏ ❍ ✟ P ❍ �✟✟ ❅ ✘ P ✘✘ ✥ P ❍ ❅ � ✥ . . . s 91 s 92 s 93 . . . s 0 t + 1 12 4 = 176 G 64 = { 1 , 176 , 136 , . . . , 92 } ≺ Z / 257 Z ∗ z i = s 176 i + s 176 − i s 176 i = s 176 i + p i 11/22

  30. Design Rationale in a nutshell The choice of G 64 : • non-consecutive bits (State-Recovery attacks on Ketje Jr [Fuhr, Naya-Plasencia, Rotella, ToSC 2018] ) • consistent with π dispersion 12/22

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite 12 spacious Suites Junior Suite: 45m 2 Suite: 65m 2 Apartment Suite: 110m 2 Fine Italian Cuisine Renowned Chef Vito Grippa

498 views • 18 slides
Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim

Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim

Spray Foam m Insulation Imp mpacts on Subterranean Termi mite Inspections 5 March 2019 Jim Fredericks National Pest Management Association Termite Impact Eastern Subterranean Termite ( Reticulitermes flavipes) Consumers spend $2-3

323 views • 16 slides
Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE

Vigenre Cipher Like Csar cipher, but use a phrase Example Message THE BOY HAS THE BALL Key VIG Encipher using Csar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG May

304 views • 26 slides
Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so

Caesar Cipher If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he

1.03k views • 5 slides
CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or

CS 241 Data Organization Ciphers March 22, 2018 Cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. When using a cipher, the original information is known as plaintext , and the

449 views • 41 slides
Subterranean surroundings, whether real or imaginary, furnish a model of an artificial

Subterranean surroundings, whether real or imaginary, furnish a model of an artificial

Subterranean surroundings, whether real or imaginary, furnish a model of an artificial environment from which nature has been effectively banished...human beings who live underground must use mechanical devices to provide the necessities of

251 views • 8 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
underground Planning and subterranean development Jonathan Bore Going underground...

underground Planning and subterranean development Jonathan Bore Going underground...

Going underground Planning and subterranean development Jonathan Bore Going underground... Background Why here? Why now? Pros and cons Number of applications Permitted development Impact during construction

282 views • 17 slides
Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis

Introduction SVK Hill Cipher TF Hill Cipher Summary Extending the Hill Cipher Two secure modifications of the classic cipher John Chase Matt Davis Cryptography 625.480 December 2, 2010 / Final Paper Presentation Introduction SVK Hill

1.31k views • 90 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z

Vigenre Cipher - a polyalphabetic version of the shift cipher Key: (k 1 ,k 2 ,,k m ) Z 26m , where m is the key length Encryption in blocks: (x 1 , x 2 , , x m ) (x 1 +k 1 , x 2 +k 2 , , x m +k m ) Z 26m Example: encrypt

413 views • 10 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J.

The Salsa20 stream cipher Salsa20: additive stream cipher, expanding key and nonce D. J. Bernstein into long stream of bytes Thanks to: to add to plaintext. University of Illinois at Chicago Key : 16 or 32 bytes. NSF CCR9983950 Same

714 views • 43 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we

Stream Cipher One-time pad secure, however key as long as message Obtain efficient cipher if we replace key with sequence which behaves as sequence of random numbers Algorithms which produce pseudo-random strings are called pseudo-random

367 views • 19 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design

Project: Toy Cipher Competition May 1, 2019 1 / 9 Overall structure Two phases: Design phase - Everyone designs a cipher. Analysis phase - Everyone analyses the ciphers published. 2 / 9 Design phase The design of your cipher

264 views • 9 slides
ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20

ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ChaCha20 stream cipher Poly1305 authenticator ChaCha20+Poly1305 AEAD construction TLS cipher suites Performance ChaCha20 stream cipher

648 views • 12 slides

More recommend