the summation truncation hybrid reusing discarded bits
play

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free - PowerPoint PPT Presentation

Sep 08, 2022 •357 likes •931 views

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free Aldo Gunsing and Bart Mennink Crypto 2020 1 / 14 PRP vs. PRF Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES 2 / 14 PRP vs. PRF

  1. The Summation-Truncation Hybrid: Reusing Discarded Bits for Free Aldo Gunsing and Bart Mennink Crypto 2020 1 / 14

  2. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES 2 / 14

  3. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility 2 / 14

  4. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure 2 / 14

  5. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure ◮ Prominent example: CTR mode 0 1 2 0 1 2 P P P F F F x 0 x 1 x 2 x 0 x 1 x 2 y 0 y 1 y 2 y 0 y 1 y 2 n / 2-bit security n -bit-security 2 / 14

  6. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one 3 / 14

  7. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion 3 / 14

  8. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion ◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound 3 / 14

  9. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion ◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound ◮ Conversions like summation and truncation achieve beyond birthday bound security 3 / 14

  10. Summation and Truncation x � 0 x � 1 P P y 4 / 14

  11. Summation and Truncation x � 0 x � 1 P P y ◮ Sums two consecutive calls 4 / 14

  12. Summation and Truncation x � 0 x � 1 P P y ◮ Sums two consecutive calls ◮ n -bit security 4 / 14

  13. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ n -bit security 4 / 14

  14. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ n -bit security 4 / 14

  15. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security 4 / 14

  16. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security ◮ Used in the key derivation function of GCM-SIV 4 / 14

  17. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security ◮ Used in the key derivation function of GCM-SIV ◮ n − a / 2-bit security 4 / 14

  18. Summation-Truncation Hybrid ◮ Instead of discarding bits, we can reuse them by applying summation 5 / 14

  19. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) a n − a a n − a u v w 5 / 14

  20. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation u v w 5 / 14

  21. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation ◮ But we show that it has equal security! u v w 5 / 14

  22. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation ◮ But we show that it has equal security! ◮ Identical to summation when a = 0 u v w 5 / 14

  23. Proof Sketch: Idea $ ← − Perm[ n ] P 0 1 P P u v w 6 / 14

  24. Proof Sketch: Idea $ ← − Perm[ n ] P 0 1 P P u v w ◮ Try to separate the truncation and summation parts 6 / 14

  25. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w 7 / 14

  26. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w ◮ Just write the two parts separately 7 / 14

  27. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w ◮ Just write the two parts separately ◮ Problem: there is a shared secret P 7 / 14

  28. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w 8 / 14

  29. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution 8 / 14

  30. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution ◮ Perm comp ( u , v ) is the set of all permutations that give ( u , v ) as truncation output 8 / 14

  31. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution ◮ Perm comp ( u , v ) is the set of all permutations that give ( u , v ) as truncation output ◮ No shared secret, as u and v are public! 8 / 14

  32. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w 9 / 14

  33. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 − { 0 , 1 } a $ ← u P P P ′ P ′ − { 0 , 1 } a $ ← v u v u v w ◮ Replace the truncation by a random function 9 / 14

  34. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 − { 0 , 1 } a $ ← u P P P ′ P ′ − { 0 , 1 } a $ ← v u v u v w ◮ Replace the truncation by a random function ◮ Perm comp ( u , v ) still well-defined, although u and v are generated differently 9 / 14

  35. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) 0 1 P ′ P ′ u v U V w = U ⊕ V 10 / 14

  36. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V P ′ P ′ u v U V w = U ⊕ V 10 / 14

  37. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ u v U V w = U ⊕ V 10 / 14

  38. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ ◮ U has a uniform distribution u v U V w = U ⊕ V 10 / 14

  39. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ ◮ U has a uniform distribution ◮ For V it depends: u v ◮ If v � = u , V is uniform from { 0 , 1 } b U V ◮ If v = u , V is uniform from { 0 , 1 } b \ { U } w = U ⊕ V 10 / 14

  40. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] 0 1 P u P v U V w = U ⊕ V 11 / 14

  41. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations P u P v U V w = U ⊕ V 11 / 14

  42. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v U V w = U ⊕ V 11 / 14

  43. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v ◮ U has a uniform distribution U V w = U ⊕ V 11 / 14

  44. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v ◮ U has a uniform distribution ◮ For V it depends: ◮ If v � = u , V is uniform from { 0 , 1 } b U V ◮ If v = u , V is uniform from { 0 , 1 } b \ { U } w = U ⊕ V 11 / 14

Recommend

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
1 Transducers Inherently Discrete values devices that convert from one representation to

1 Transducers Inherently Discrete values devices that convert from one representation to

Interpretation of bits depends on context meaning of a group of bits depends on how they are interpreted 1 byte could be Bits, Bytes, 1 bit in use, 7 wasted bits (e.g., M/F in a database) 8 bits storing a number between 0 and 255

543 views • 3 slides
Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a

Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a

Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a hash algorithm H that produces a digest of length N If an application or protocol needs a message digest of length Np, and Np < N

383 views • 7 slides
Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator

Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator

Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator Jean-Michel Morel 2 Truncation error: What is that? X k s X t s 3 Truncation error: What is that? X X t := X k sinc( t k ) k Z 2 4

737 views • 51 slides
Bits and Bytes Topics Topics Why bits? Representing information as bits

Bits and Bytes Topics Topics Why bits? Representing information as bits

Systems I Bits and Bytes Topics Topics Why bits? Representing information as bits Binary/Hexadecimal Byte representations numbers characters and strings Instructions Bit-level manipulations Boolean algebra

614 views • 33 slides
ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate

ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate

ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate floating-point summation? ! Round-off error: source and recovery A new method for accurate FP summation on a GPU Added as a function to the open-source

619 views • 28 slides
An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF.

An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF.

Introduction The Adaptive Plurigaussian Truncation (APT) EnKF framework Experiment Conclusions An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF. Bogdan Sebacher, Remus Hanea, Arnold Heemink

719 views • 35 slides
A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports

A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports

Introduction Basics Balanced Truncation for Many Ports Outlook and Acknowledgement A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports Peter Benner and Andr e Schneider Chemnitz University of

623 views • 45 slides
Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT Corporation 07/Sep/2009 ISC2009@Pisa 1/22 Yu Sasaki, MitM using output truncation of 3 Haval Summary HAVAL is a hash function that can produce

507 views • 23 slides
Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

15-213 The Class That Gives CMU Its Zip! Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l Binary/Hexadecimal l Byte representations numbers characters and strings Instructions n

690 views • 34 slides
Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers

Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers

Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers Representable numbers Rounding/truncation IEEE standard and Java Summation order Newton iteration More iteration

197 views • 18 slides
C/C++ review bits & bytes Same bits, different interpretation What is the value of

C/C++ review bits & bytes Same bits, different interpretation What is the value of

CSC209 Fall 2001 C/C++ review bits & bytes Same bits, different interpretation What is the value of 11111111 ? it depends on the type (unsigned) char 1 byte = 8 bits, (unsigned) Unsigned: 255 short int 2 bytes =

255 views • 12 slides
Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael

Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael

Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael Kurek Paderborn University Paderborn University 1 Contributions New security notion for standard Hash Functions Truncation-Collision

509 views • 36 slides
Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP

Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP

Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP University VP University WHEN DO YOU USE HYBRI D CONSTRUCTI ON? Hybrid Construction is an economical alternative to conventional steel structures

431 views • 15 slides
2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

Wellesley CS 240 - Data as Bits 8/31/16 positional number representation 2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1 10 0 position 2 1 0 Base determines: bits, bytes, numbers, and

556 views • 6 slides
1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

Starting out slow The CPU s workhorse o Logical operations are easiest, because they map Constructing a basic ALU directly onto the hardware. o Of course we will need to CS240 Computer Organization array this to a full 32- Department of

161 views • 4 slides
PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT

PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT

We do - you succeed! Repair of PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT Who we are Napesco Egypt and Middle East Supplies Dubai started a cooperation to repair PDC bits. Both companies

154 views • 11 slides
Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25 Outline 1 Self-alignment 2 Bitwise operators 3 Bit-fields 4 Endianness (Bytes, bits, etc.,) 2 / 25 Self-alignment of primitive types int i; short s;

594 views • 25 slides
Numerical differentiation & How truncation error and Richardson extrapolation floating

Numerical differentiation & How truncation error and Richardson extrapolation floating

Numerical and Scientific Computing with Applications David F . Gleich CS 314, Purdue November 2, 2016 In this class you should learn: Numerical differentiation & How truncation error and Richardson extrapolation floating point

97 views • 5 slides
Problem of random summation and its role in risk aggregation models Gregory Temnov School of

Problem of random summation and its role in risk aggregation models Gregory Temnov School of

Problem of random summation and its role in risk aggregation models Gregory Temnov School of Mathematical Sciences University College Cork Oct 14, 2011 PRisMa Day, TU Wien Problem of random summation and its role in risk aggregation models N

545 views • 25 slides
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n ). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits; 8th bit is

979 views • 40 slides
Model reduction via principal component truncation for the optimal design of atmospheric

Model reduction via principal component truncation for the optimal design of atmospheric

Model reduction via principal component truncation for the optimal design of atmospheric monitoring networks OLIVIER SAUNIER 1,2 , MARC BOCQUET 2,3 , ANNE MATHIEU 1 AND RACHID ABIDA 2,3 1 Institute of Radiation Protection and Nuclear Safety

507 views • 17 slides
Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents

Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Evaluation of Deterministic Truncation of Monte Carlo (DTMC) Solutions with Partial Currents Fine-Mesh Finite Difference Formulations Inhyung Kim a and Yonghee Kim

1.01k views • 4 slides
Survival of Discarded Trawl Caught Sole ( Solea solea) Peter Randall and Ana Riberio-Santos 11-16

Survival of Discarded Trawl Caught Sole ( Solea solea) Peter Randall and Ana Riberio-Santos 11-16

Survival of Discarded Trawl Caught Sole ( Solea solea) Peter Randall and Ana Riberio-Santos 11-16 November, 2017 International Flatfish Symposium Saint-Malo, France World Class Science for the Marine and Freshwater Environment Background

711 views • 21 slides

More recommend