tweaks and keys for block ciphers the tweakey framework
play

Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jrmy Jean - PowerPoint PPT Presentation

Aug 10, 2023 •250 likes •586 views

Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jrmy Jean - Ivica Nikoli - Thomas Peyrin NTU - Singapore ASIACRYPT 2014 Kaohsiung, Taiwan - December 11, 2014 Introduction The TWEAKEY Framework The STK Construction AE with TBC

  1. Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jérémy Jean - Ivica Nikolić - Thomas Peyrin NTU - Singapore ASIACRYPT 2014 Kaohsiung, Taiwan - December 11, 2014

  2. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  3. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Tweakable block ciphers Tweakable block ciphers are very useful building blocks: ⊲ block cipher, stream cipher ⊲ parallel MAC ⊲ parallel authenticated encryption: like OCB3 or COPA , but simpler design/proofs and much higher security bounds ⊲ hash function: use the tweak input as block counter (HAIFA framework) or to perform randomized hashing ⊲ tree hashing: use the tweak to encode the position in the tree ⊲ PRNG, KDF, disk encryption

  4. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Contributions ⊲ block cipher based TBC constructions (like XEX ) usually provide birthday security ⊲ building an ad-hoc TBC with full security is not easy (very little number of proposals) ⊲ even designing a key schedule remains a risky task, especially for long keys (see related-key attacks on AES -256) Our contributions ⊲ we propose the TWEAKEY framework to help designers to create tweakable block ciphers ⊲ we provide one cipher example KIASU-BC , the first ad-hoc AES -based TBC ⊲ in the TWEAKEY framework, we propose the STK construction for SPN ciphers ⊲ we provide two cipher examples Joltik-BC and Deoxys-BC

  5. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  6. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  7. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Tweakable block ciphers ? From an efficiency point of view, updating the tweak input of a TBC should be doable very efficiently → the tweak schedule should be lighter than the key schedule From a security point of view, the tweak is fully known and controllable, not the key → the tweak schedule should be stronger than the key schedule Thus, for a TBC designer, this paradox leads to tweak = key

  8. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The TWEAKEY framework Rationale: tweak and key should be treated the same way − → tweakey tk r − 1 tk 1 tk r tk 0 . . . h h h g g g g P = s 0 f f s r + 1 = C . . . s 1 s r TWEAKEY generalizes the class of key-alternating ciphers

  9. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The TWEAKEY framework tk r − 1 tk 1 tk r tk 0 . . . h h h g g g g P = s 0 f . . . f s r + 1 = C s 1 s r The TWEAKEY framework The regular key schedule is replaced by a TWEAKEY schedule that generates subtweakeys. An n -bit key n -bit tweak TBC has 2 n -bit tweakey and g compresses 2 n to n bits: ⊲ such a primitive would be a TK-2 primitive ( TWEAKEY of order 2). ⊲ the same primitive can be seen as a 2 n -bit key cipher with no tweak (or 1 . 5 n -bit key and 0 . 5 n -bit tweak, etc).

  10. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  11. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The tweakable block cipher KIASU-BC KIASU-BC is exactly the AES-128 cipher, but with a fixed 64-bit tweak value T XORed to each subkey (two first rows) AES-128 K . . . AES KS AES KS P . . . C AES round AES round T 0 T 2 T 4 T 6 T 1 T 3 T 5 T 7 T = 0 0 0 0 0 0 0 0

  12. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The tweakable block cipher KIASU-BC KIASU-BC is exactly the AES-128 cipher, but with a fixed 64-bit tweak value T XORed to each subkey (two first rows) AES-128 KIASU-BC K . . . AES KS AES KS T T T T P . . . C AES round AES round T 0 T 2 T 4 T 6 T 1 T 3 T 5 T 7 T = 0 0 0 0 0 0 0 0

  13. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Security of KIASU-BC The security of KIASU-BC is the same as AES-128 for a fixed tweak. The tricky part is to analyse what happens when the tweak varies. If the key is fixed and one varies the tweak: KIASU-BC ’s tweak schedule has been chosen such that it is itself a good key schedule. Bad idea: adding a tweak on the entire 128-bit state, since trivial and very good related-tweakey differential paths would exist. If both the key and tweak vary (aka related-tweakey): KIASU-BC was designed such that no interesting interaction between the key schedule and the tweak schedule will exist. We put a special focus on attacks which are highly impacted by the key schedule: ⊲ related-key related-tweak attacks (aka related-tweakey) ⊲ meet-in-the-middle attacks

  14. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Security of KIASU-BC Related-tweakey attacks We prove that no good related-key related-tweak (aka related-tweakey) attacks differential path exist for KIASU (even boomerang), with a computer-aided search tool. active upper bound on rounds method used SBoxes probability 2 0 1-2 0 trivial 2 − 6 3 1 Matsui’s 2 − 48 4 8 Matsui’s 2 − 84 ≥ 14 5 Matsui’s 2 − 132 7 ≥ 22 ex. split (3R+4R)

  15. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works KIASU features ⊲ first adhoc tweakable AES-128 ... ⊲ ... which provides 2 128 security - not only birthday security ⊲ extremely fast in software: less than 1 c/B on Haswell ⊲ quite small in hardware ⊲ very simple - almost direct plug-in of AES-128 (reuse existing security analysis and implementations) ⊲ backward compatible with AES-128 (simply set T = 0)

  16. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  17. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Outline 1 Introduction 2 The TWEAKEY Framework ⊲ TWEAKEY ⊲ The tweakable block cipher KIASU-BC 3 The STK Construction ⊲ STK ⊲ Joltik-BC and Deoxys-BC 4 Authenticated encryption with TBC 5 Future works

  18. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works Building fast ad-hod tweakable block ciphers is not easy tk r − 1 tk 1 tk r tk 0 h h . . . h g g g g f f s r + 1 = C P = s 0 . . . s 1 s r The case of AES -like ciphers ⊲ KIASU is limited to 64-bit tweak for AES (insecure otherwise) ⊲ we could do a LED -like design, but slow due to high number of rounds ⊲ the main issue: adding more tweakey state makes the security drop, or renders security hard to study, even for automated tools Idea: separate the tweakey material in several words, design a secure tweakey schedule for one word and then superpose them in a secure way

  19. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The STK construction (Superposition- TWEAKEY ) STK Tweakey Schedule α p α p . . . α p h ′ h ′ h ′ h ′ . . . . . . . . . . . . tk 0 h ′ α 2 h ′ α 2 h ′ . . . h ′ α 2 h ′ α 1 h ′ α 1 h ′ . . . h ′ α 1 C 0 C 1 C 2 C r − 1 XOR XOR XOR XOR C r XOR f f f P = s 0 . . . s r = C ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ From the TWEAKEY framework to the STK construction: ⊲ the tweakey state update function h consists in the same subfunction h ′ applied to each tweakey word ⊲ the subtweakey extraction function g consists in XORing all the words together ◦ reduce the implementation overhead ◦ reduce the area footprint by reusing code ◦ simplify the security analysis

  20. Introduction The TWEAKEY Framework The STK Construction AE with TBC Future works The STK construction (Superposition- TWEAKEY ) STK Tweakey Schedule α p α p . . . α p h ′ h ′ h ′ h ′ . . . . . . . . . . . . tk 0 h ′ α 2 h ′ α 2 h ′ . . . h ′ α 2 h ′ α 1 h ′ α 1 h ′ . . . h ′ α 1 C 0 C 1 C 2 C r − 1 XOR XOR XOR XOR C r XOR f f f P = s 0 . . . s r = C ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ From the TWEAKEY framework to the STK construction: ⊲ problem : strong interaction between the parallel branches of tweakey state ⊲ solution : differentiate the parallel branches by simply using distinct multiplications in a small field

Recommend

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S.

Motivation Biclique Cryptanalysis Our Framework Results A Framework for Automated Biclique Cryptanalysis of Block Ciphers F. Abed C. Forler E. List S. Lucks J. Wenzel Bauhaus-Universit at Weimar FSE 2013, Singapore 13.03.2013 F.

633 views • 31 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik

Two ways of building round functions for block ciphers Joan Daemen Radboud University ibenik summer school 2016 1 / 44 Outline 1 Block ciphers and statistical attacks 2 Correlation basics 3 Wide trail strategy: strongly-aligned flavor

620 views • 59 slides
Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation

Outline Crypto basics, contd Stream ciphers CSci 5271 Block ciphers and modes of operation Introduction to Computer Security Announcements Cryptography, symmetric and public-key Hash functions and MACs Stephen McCamant Building a secure

440 views • 11 slides
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad

Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key (seed) Using the seed generates a byte stream ( Keystream): i-th byte is function only of the key

822 views • 69 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers &

CS 166: Information Security Symmetric Key Crypto, Part 1 Prof. Tom Austin San Jos State University Stream Ciphers & Block Ciphers Stream ciphers based on the one-time pad Block ciphers based on codebook ciphers Symmetric

650 views • 52 slides

More recommend