tweaking even mansour ciphers
play

Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 - PowerPoint PPT Presentation

Aug 31, 2023 •14 likes •784 views

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles University, France 2 ANSSI, France August 17, 2015 CRYPTO

  1. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweaking Even-Mansour Ciphers Benoît Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles University, France 2 ANSSI, France August 17, 2015 — CRYPTO 2015 Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 1 / 26

  2. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline Background: Tweakable Block Ciphers Our Contribution Overview of the Proof for Two Rounds Longer Cascades Conclusion and Perspectives Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 2 / 26

  3. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k y x � E • tweak t : brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threefish [FLS + 10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26

  4. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k y x � E t • tweak t : brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threefish [FLS + 10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26

  5. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k y x � E t • tweak t : brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threefish [FLS + 10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26

  6. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k y x � E t • tweak t : brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threefish [FLS + 10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26

  7. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k y x � E t • tweak t : brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threefish [FLS + 10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26

  8. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs • A generic TBC construction turns a conventional block cipher E into a TBC � E • example: LRW construction by Liskov et al. [LRW02] k y x E • h is XOR-universal, e.g. h k ′ ( t ) = k ′ ⊗ t (field mult.) • secure up to ∼ 2 n / 2 queries • related construction XEX [Rog04] uses E k ( t ) instead of h k ′ ( t ) (used e.g. in the XTS disk encryption mode) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26

  9. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs • A generic TBC construction turns a conventional block cipher E into a TBC � E • example: LRW construction by Liskov et al. [LRW02] k y x E • h is XOR-universal, e.g. h k ′ ( t ) = k ′ ⊗ t (field mult.) • secure up to ∼ 2 n / 2 queries • related construction XEX [Rog04] uses E k ( t ) instead of h k ′ ( t ) (used e.g. in the XTS disk encryption mode) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26

  10. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs • A generic TBC construction turns a conventional block cipher E into a TBC � E • example: LRW construction by Liskov et al. [LRW02] h k ′ ( t ) h k ′ ( t ) k y x E • h is XOR-universal, e.g. h k ′ ( t ) = k ′ ⊗ t (field mult.) • secure up to ∼ 2 n / 2 queries • related construction XEX [Rog04] uses E k ( t ) instead of h k ′ ( t ) (used e.g. in the XTS disk encryption mode) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26

  11. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs • A generic TBC construction turns a conventional block cipher E into a TBC � E • example: LRW construction by Liskov et al. [LRW02] h k ′ ( t ) h k ′ ( t ) k y x E • h is XOR-universal, e.g. h k ′ ( t ) = k ′ ⊗ t (field mult.) • secure up to ∼ 2 n / 2 queries • related construction XEX [Rog04] uses E k ( t ) instead of h k ′ ( t ) (used e.g. in the XTS disk encryption mode) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26

  12. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs • A generic TBC construction turns a conventional block cipher E into a TBC � E • example: LRW construction by Liskov et al. [LRW02] h k ′ ( t ) h k ′ ( t ) k y x E • h is XOR-universal, e.g. h k ′ ( t ) = k ′ ⊗ t (field mult.) • secure up to ∼ 2 n / 2 queries • related construction XEX [Rog04] uses E k ( t ) instead of h k ′ ( t ) (used e.g. in the XTS disk encryption mode) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26

  13. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26

  14. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26

  15. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26

  16. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction k ′ 1 ⊗ t k ′ 2 ⊗ t k ′ r ⊗ t y x E k 1 E k 2 E k r • k 1 , . . . , k r and k ′ 1 , . . . , k ′ r independent keys ⇒ total key-length = r ( κ + n ) • 2 rounds: provably secure up to ∼ 2 2 n / 3 queries [LST12] rn r + 2 queries [LS13] • r rounds, r even: provably secure up to ∼ 2 • NB: only assuming E is a PRP (standard security notion, no ideal model) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26

  17. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline Background: Tweakable Block Ciphers Our Contribution Overview of the Proof for Two Rounds Longer Cascades Conclusion and Perspectives Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 6 / 26

  18. Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Even-Mansour Constructions Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL + 07, MI08] • this work: SPN ciphers (more gen. key-alternating ciphers) k f 0 f 1 f r y x P 1 P 2 P r • analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s) Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26

Recommend

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Tweaking structures: working on the fiddly bits Kevin Karplus karplus@soe.ucsc.edu Biomolecular

Tweaking structures: working on the fiddly bits Kevin Karplus karplus@soe.ucsc.edu Biomolecular

Tweaking structures: working on the fiddly bits Kevin Karplus karplus@soe.ucsc.edu Biomolecular Engineering Department University of California, Santa Cruz Tweaking structures p.1/12 Outline of Talk Cost functions Clash detection

334 views • 12 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade

Stream Ciphers Stream Ciphers 1 Stream Ciphers Generalization of one-time pad Trade provable security for practicality Stream cipher is initialized with short key Key is stretched into long keystream Keystream is used like

512 views • 35 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Classical Ciphers Classical

Classical Ciphers Classical

Classical Ciphers Classical Cryptography Monoalphabetic ciphers: letters of the plaintext alphabet are mapped into unique ciphertext letters Polyalphabetic ciphers:

512 views • 49 slides
RFC6962-bis update Some tweaking still needed. Last call should wait for our

RFC6962-bis update Some tweaking still needed. Last call should wait for our

RFC6962-bis update Some tweaking still needed. Last call should wait for our implementation. A member of the Certificate Transparency team at Google is working on it. We think all major issues resolved.

258 views • 10 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher School of Engineering and Technology One Time Pad CQUniversity

1.02k views • 64 slides
Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher

Cryptography Classical Ciphers Caesar Cipher Monoalphabetic Ciphers Classical Ciphers Playfair Cipher Polyalphabetic Ciphers Cryptography Vigen` ere Cipher Vernam Cipher One Time Pad School of Engineering and Technology CQUniversity

687 views • 64 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides
B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers

1 B.e) Stream Ciphers W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 B.125 Stream Ciphers Normally, stream ciphers are symmetric algorithms with encryption = decryption In this course we only consider symmetric stream ciphers.

828 views • 44 slides
Hyper-parameters/Tweaking Yufeng Ma, Chris Dusold Virginia Tech November 17, 2015 Yufeng Ma,

Hyper-parameters/Tweaking Yufeng Ma, Chris Dusold Virginia Tech November 17, 2015 Yufeng Ma,

Hyper-parameters/Tweaking Yufeng Ma, Chris Dusold Virginia Tech November 17, 2015 Yufeng Ma, Chris Dusold (Virginia Tech) Hyper-parameters/Tweaking November 17, 2015 1 / 40 Overview Batch Normalization 1 Internal Covariate Shift

1.29k views • 105 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori Aono Phong Q.

Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori Aono Phong Q.

Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori Aono Phong Q. Nguyen Yixin Shen ASIACRYPT 2018 Context NIST standardization of post-quantum cryptography: Need to convince security

232 views • 22 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream

Stream Ciphers and Coding Theory Tor Helleseth University of Bergen Norway Outline Stream ciphers Building blocks in stream ciphers m-sequences Clock-control registers / Nonlinear combiner / Filter generator Correlation

666 views • 39 slides

More recommend