CAESAR candidate ICEPOLE
|
|
- Gertrude Hancock
- 5 years ago
- Views:
Transcription
1 . CAESAR candidate ICEPOLE Pawel Morawiecki 1,2, Kris Gaj 3, Ekawat Homsirikamol 3, Krystian Matusiewicz 4, Josef Pieprzyk 5,6, Marcin Rogawski 7, Marian Srebrny 1,2, and Marcin Wojcik 8 Polish Academy of Sciences, Poland 1 ; University of Commerce, Poland 2 ; George Mason University, USA 3 ; Intel, Gdansk, Poland 4 ; Queensland University of Technology, Australia 5 ; Macquarie University, Australia 6 ; Cadence Design Systems, USA 7 ; University of Bristol, United Kingdom 8 DIAC 2014: Directions in Authenticated Ciphers DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 1 / 29
2 Co-authors DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 2 / 29
3 Outline 1 Introduction and Motivation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 3 / 29
4 Introduction and Motivation Multiple Internet protocols require authenticated encryption: IPSec/TLS/SSL etc. High-speed hardware-oriented cipher with authentication, more efficient that AES-GCM Existing frameworks/strategies for provably secure cryptographic schemes (e.g.: Sponge Construction etc.) CAESAR competition DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 4 / 29
5 ICEPOLE 101 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View based on duplex framework introduced by Bertoni et al. Duplexing the sponge: (...) Cryptology eprint archive 2011/499 high-speed hardware-oriented ICEPOLE permutation is the heart of our design family of authenticated encryption schemes with three parameters: key, nonce and SMN primary recommendation: ICEPOLE-128: 128-bit key and 128-bit nonce DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 5 / 29
6 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View Encryption and Tag Generation - Overview key nonce c o σ SMN σ AD c n σ P T pad pad pad P 12 P 6 P 6 P 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 6 / 29
7 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View ICEPOLE Internal State Organization 1280-bit internal state S organized into dwo-dimensional array S[4][5] each element of array is a 64-bit word S[x][y][z] refers to the bit z in the row x and the column y the mapping between a vector V and the S: V [64(x + 4y) + z] = S[x][y][z] DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 7 / 29
8 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View ICEPOLE Round and P6, P12 Permutations R consists of five steps labelled by R = apple µ ICEPOLE Permutations Each P6-6 rounds step of ICEPOLE updates permutation the state as fol P12-12 rounds of ICEPOLE permutation µ: DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 8 / 29
9 Transformation: µ ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View onsists of five steps labelled by the Greek letters: µ (mu), (rho), (pi), (psi), apple (kapp R = apple µ h step updates the state as follows. µ: In the µ step bits are mixed through the MDS (Maximum Distance Separable) matrix. Ev bit slice is mixed through the matrix given below. Formally, a column vector (Z 0,Z 1,Z 2,Z ultiplied by a constant matrix producing a vector of four 5-bit words Z 0 2Z 0 + Z 1 + Z 2 + Z 3 B C BZ Z 2 A = BZ 0 + Z Z 2 +2Z 3 Z 0 +2Z 1 + Z Z 3 A Z 3 Z Z 1 +2Z 2 + Z 3 The operations are done in GF (2 5 ). Here the multiplication is defined as the multiplication GF(2 ary polynomials modulo 5 ) multiplication modulo x the irreducible polynomial 5 + x x There are only three disti s in the chosen matrix, namely 18, 2, 1 and they correspond to the polynomials x 4 + DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 9 / 29
10 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 10 / 29
11 Introduction 19. Junod, and P., Motivation Vaudenay, S.: Perfect di usion primitives for block ciphers. In: Selected Areas in Cryptograp Lecture Icepole Notes Design in Computer Science, vol. 3357, pp. ICEPOLE Springer (2004) 20. Khovratovich, D., Nikolić, I.: Rotational Basic Ingredients of ICEPOLE HWThe and SW operations Performanceare done in GF (2 5 cryptanalysis of ARX. In: Proceedings of the 17th internation conference on Fast software encryption. pp. ) Here Highthe Level LNCS, multiplication View Springer-Verlag is(2010) defined as the multip 21. Matsui, M., Yamagishi, A.: A new method for known plaintext attack binary polynomials modulo the irreducible polynomial x 5 of + x 2 feal cipher. In: EUROCRYPT. p + 1. There are only thr (1992) terms 22. Morawiecki, in the chosen P., Pieprzyk, matrix, J., Srebrny, namely M.: Rotational 18, 2, 1cryptanalysis and theyof correspond round-reducedto Keccak. the In: polynomia Fast Softwa x, andencryption. 1, respectively. LNCS, Springer The µ (2013) step can be e ciently implemented with simple bitwise 23. National Institute of Standards and Technology: Recommendations for Block Cipher Modes of Operatio (see Appendix H). Galois/Counter Mode (GCM) and GMAC. NIST special publication D (November 2007) 24. Rivest, R., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash functio : Soos, M.: CryptoMiniSat In: SAT Race competitive event booklet (July 2010), The org/cryptominisat2 step is the bitwise rotation applied to each of the twenty 64-bit words of the Transformation: ρ bitwise rotation moves bit at position z into position (z +r value ) modulo 64. For each w is di erent. Appendix AS[x][y] :=S[x][y] n o sets[x][y] for all (0 apple x apple 3), (0 apple y apple 4) The rotation o sets used in the step are given below. The rotation o sets are given in Appendix A. o sets[0][0] := 0 o sets[0][1] := 36 o sets[0][2] := 3 o sets[0][3] := 41 o sets[0][4] : := 18 o sets[1][0] := 1 o sets[1][1] := 44 o sets[1][2] := 10 o sets[1][3] := 45 o sets[1][4] := 2 o sets[2][0] := 62 o sets[2][1] := reorders the words in the state. Words are moved from S[x][y] tos[x 0 6 ][y 0 ] and the o sets[2][2] dinates (x 0,y 0 := 43 o sets[2][3] := 15 o sets[2][4] := 61 o sets[3][0] := 28 o sets[3][1] ) := are 55 calculated o sets[3][2] from := the 25 following o sets[3][3] simple := 21 formula. o sets[3][4] := 56 x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 11 / 29 2
12 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 12 / 29
13 bitwise rotation moves bit at position z into position (z +r v is di erent. Introduction and Motivation Transformation: π ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View S[x][y] :=S[x][y] n o sets[x][y] for all (0 apple x apple The rotation o sets are given in Appendix A. : reorders the words in the state. Words are moved from S dinates (x 0,y 0 ) are calculated from the following simple for x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 : π reorders the words in the state S S[x ][y ] π(s[x][y]) In the step the ICEPOLE S-box is applied to each of 25 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 13 / 29
14 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 14 / 29
15 Icepole S[x][y] Design :=S[x][y] n o sets[x][y] for ICEPOLE all (0 apple101x apple 3), (0 apple y apple 4) Basic Ingredients of ICEPOLE High Level View The rotation o sets are given in Appendix A. : Transformation ψ reorders the words in the state. Words are moved from S[x][y] tos[x 0 ][y 0 ] and the new coordinates (x 0,y 0 ) are calculated from the following simple formula. x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 : In the step the ICEPOLE S-box is applied to each of 256 rows of the state. The S-box maps a 5-bit input vector (M 0,M 1,...,M 4 ) to a 5-bit output vector (Z 0,Z 1,...,Z 4 ). The S-box functionality can be easily described by the following bitwise equation. Operations on the index k are done modulo 5. The bitwise AND operator is omitted for clarity. for all (0 apple k apple 4) Z k = M k ( M k+1 M k+2 ) (M 0 M 1 M 2 M 3 M 4 ) ( M 0 M 1 M 2 M 3 M 4 ) ICEPOLE S-box The S-box maps a 5-bit input vector (M 0,... M 4 ) to a 5-bit output vector (Z 0,... Z 4 ) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 15 / 29
16 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 16 / 29
17 Transformation: apple: κ ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View In apple the 64-bit constant is xored with S[0][0]. S[0][0] := S[0][0] constant[numberofround] The constant value for each round is di erent. The values are ICEPOLE Constants The constant values are taken as the output of a simple 64-bit 2.4 maximum-cycle Initialization LinearPhase Feedback Shift Register (LFSR). First, The polynomial the state is representation initialized of with LFSR theis1280-bit pseudorandom tained x 64 + by x 63 applying + x 61 + x 60 the + 1. Keccak-f[1600] permutation (an under standard) The LFSRto seed the abcdef all-zero vector and truncating the result to 12 Appendix each cyclec.) generates a subsequent constant. Once the state is filled with the constant, the 128-bit key K duced into the state. K 0 and K 1 denote two 64-bit words of th DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 17 / 29
18 Decryption and Tag Generation ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View key nonce c o σ SMN σ AD c n σ P T pad pad pad P 12 P 6 P 6 P 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 18 / 29
19 ICEPOLE Security (Parameters) ICEPOLE Security ICEPOLE is based on the duplex construction - parameters: r (bitrate) and c (capacity) ICEPOLE-128: r=1026 bits and c=256 bits (up to blocks) ICEPOLE-256: r=962 bits and c=318 bits (up to 2 62 blocks) Security level proven, unless permuation is unsecure SKEW 11: Bertoni et al. in On the security of the keyed sponge construction proved that if the data complexity is limited to 2 a r-bit blocks, the keyed mode withstands generic attacks with time complexity up to 2 c a calls of the underlying permutation. If a < c/2, this results in an increase of the security strength from c/2 to c a. DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 19 / 29
20 Nonce Requirement ICEPOLE Security ICEPOLE requires a nonce In case of nonce reuse, some level of intermediate robustness provided by secret message number and associated data (if distinct) In case of violating all nonce-like mechanisms (nonce reused, secret message number reused, the same associated data), security claims do not hold (recent analysis by Tao Huang, Hongjun Wu, Ivan Tjuawinata) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 20 / 29
21 ICEPOLE ICEPOLE Security Differential cryptanalysis (with aid of a SAT solver, we provide a bound on differential trail probability for 12 rounds, probability 2 84 ) Linear cryptanalysis (good linear profile of s-box, propagation of linear masks very similar to differential analysis, expecting similar security margin. Rigorous analysis to be done) Rotational cryptanalysis (good selection of round constants and pseudo-random initial state prevent this kind of attack) SAT-based cryptanalysis (experimentally verified, the attack reaches only 3 rounds) Techniques exploiting low algebraic degree (algebraic degree of a single round is 4, then for 4 rounds a degree is 256, making the attacks infeasible) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 21 / 29
22 Hardware Architecture Software Implementation Basic Iterative Architecture of-of-concept single iterative round design for the hardware implementation of ICE Source: parison. Both implementations use also the same interface and comm Morawiecki et al. ICEPOLE: High-speed, Hardware-oriented er to reduce any discrepancies between the two designs. Similar to I Authenticated Encryption at CHES 14 tains the full padding unit and supports both encryption and decrypt DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 22 / 29
23 FPGA Implementation Results Hardware Architecture Software Implementation Xilinx Virtex-6 Throughput: Mbps Area: 1501 Slices Throughput/Area: Mbps/Slice Altera Stratix-IV Throughput: Mbps Area: 4564 ALUTs Throughput/Area: 8.50 Mbps/ALUT DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 23 / 29
24 Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE FPGA Implementation - Area Hardware Architecture Software area Implementation [Virtex 6: slices, Stratix IV: ALUTs] Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE Source: Keyak and Keccak (multi-purpose mode) from anonymous submission to anonymous conference :) Thanks for sharing! DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 24 / 29
25 Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE throughput Hardware Architecture Software Implementation FPGA Implementation - Throughput Gb/s Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 25 / 29
26 Virtex 6 Stratix IV HW andaes-gcm SW Performance Keccak Keyak ICEPOLE throughput_area Hardware Architecture Software Implementation FPGA Implementation - Throughput/Area [Virtex 6: Mbps/slice, Stratix IV: Mbps/ALUT] Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 26 / 29
27 Software Implementation Hardware Architecture Software Implementation straightforward C implementation compiled for speed no beyond-c optimization 9 cycles per byte on Intel Ivy Bridge (i5-3320m) 8 cycles per byte on Haswell (Intel Xeon E3 1275) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 27 / 29
28 Conclusions Conclusions Questions duplex construction + very efficient permutation = ICEPOLE highly efficient in modern FPGAs very-high speed in modern FPGAs good software performance DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 28 / 29
29 Questions Conclusions Questions Thank you! Questions? Questions? CERG: DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 29 / 29
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function
Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École
More informationOn the invertibility of the XOR of rotations of a binary word
On the invertibility of the XOR of rotations of a binary word Ronald L. Rivest November 10, 2009 Abstract We prove the following result regarding operations on a binary word whose length is a power of
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationRotational cryptanalysis of round-reduced Keccak
Rotational cryptanalysis of round-reduced Keccak Pawe l Morawiecki 1,3, Josef Pieprzyk 2, and Marian Srebrny 1,3 1 Section of Informatics, University of Commerce, Kielce, Poland pawelm@wsh-kielce.edu.pl
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationCryptanalysis of 1-Round KECCAK
Cryptanalysis of 1-Round KECCAK Rajendra Kumar 1,Mahesh Sreekumar Rajasree 1 and Hoda AlKhzaimi 2 1 Center for Cybersecurity, Indian Institute of Technology Kanpur, India rjndr@iitk.ac.in, mahesr@iitk.ac.in
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationImproved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method
Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method Zheng Li 1, Wenquan Bi 1, Xiaoyang Dong 2, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationKeccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1
Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors 17th Workshop on Elliptic Curve Cryptography Leuven, Belgium, September 17th, 2013 1
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationOn Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013
On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61 Outline 1 Origins
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationInnovations in permutation-based crypto
Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationKey Recovery Attack against 2.5-round π-cipher
Key Recovery Attack against 2.5-round -Cipher Christina Boura 1, Avik Chakraborti 2, Gaëtan Leurent 3, Goutam Paul 2, Dhiman Saha 4, Hadi Soleimany 5,6 and Valentin Suder 7 1 University of Versailles,
More informationStream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden
Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationPerfect Diffusion Primitives for Block Ciphers
Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni 1, Christophe Négre 2 and M. Anwar Hasan 1 1 Department of Electrical and Computer Engineering University of Waterloo, Canada 2 Team DALI/ELIAUS
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationAnalysis of Some Quasigroup Transformations as Boolean Functions
M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference
More informationMaximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers
Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer
More informationRebound Attack on Reduced-Round Versions of JH
Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary
More informationRotational Cryptanalysis of ARX Revisited
Rotational Cryptanalysis of ARX Revisited Dmitry Khovratovich 1, Ivica Nikolić 2, Josef Pieprzyk 3, Przemys law Soko lowski 4, Ron Steinfeld 5 1 University of Luxembourg, Luxembourg 2 Nanyang Technological
More informationCryptanalysis of the Stream Cipher ABC v2
Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationA Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA
A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA Souradyuti Paul 1, Ekawat Homsirikamol 2, and Kris Gaj 2 1 University of Waterloo, Canada, and K.U. Leuven, Belgium souradyuti.paul@esat.kuleuven.be
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationTransform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and
Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationA Brief Comparison of Simon and Simeck
A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based
More informationAES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.
AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationDifferential Attack on Five Rounds of the SC2000 Block Cipher
Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationLessons Learned from High-Speed Implementa6on and Benchmarking of Two Post-Quantum Public-Key Cryptosystems
Lessons Learned from High-Speed Implementa6on and Benchmarking of Two Post-Quantum Public-Key Cryptosystems Malik Umar Sharif, Ahmed Ferozpuri, and Kris Gaj George Mason University USA Partially supported
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationSTREAM CIPHER. Chapter - 3
STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.
More informationThe LILI-128 Keystream Generator
The LILI-128 Keystream Generator E. Dawson 1 A. Clark 1 J. Golić 2 W. Millan 1 L. Penna 1 L. Simpson 1 1 Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane
More informationTruncated differential cryptanalysis of five rounds of Salsa20
Truncated differential cryptanalysis of five rounds of Salsa20 Paul Crowley 17th October 2005 Abstract We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationThe MD6 hash function
The MD6 hash function Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin Agre Daniel V. Bailey Sarah
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationLinear Approximations for 2-round Trivium
Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,
More informationHigh Performance GHASH Function for Long Messages
High Performance GHASH Function for Long Messages Nicolas Méloni, Christophe Negre, M. Anwar Hasan To cite this version: Nicolas Méloni, Christophe Negre, M. Anwar Hasan. High Performance GHASH Function
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationComplementing Feistel Ciphers
Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationCryptanalysis of the Stream Cipher DECIM
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun, bart.preneel}@esat.kuleuven.be
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationDifferential properties of power functions
Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France
More informationCryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur
Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed
More informationImpact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers
Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationSecurity of Keyed Sponge Constructions Using a Modular Proof Approach
Security of Keyed Sponge Constructions Using a Modular Proof Approach Elena Andreeva 1, Joan Daemen 2, Bart Mennink 1, and Gilles Van Assche 2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson 1, Emilia Käsper 2, Lars Ramkilde Knudsen 3, Krystian Matusiewicz 4, Rune Ødegård 5, Thomas Peyrin
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationKeccak sponge function family main document
Keccak sponge function family main document Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 http://keccak.noekeon.org/ Version 1.1 January 9, 2009 1 STMicroelectronics 2 NXP Semiconductors
More informationThe MD6 hash function A proposal to NIST for SHA-3
The MD6 hash function A proposal to NIST for SHA-3 Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More information3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis
3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationCryptanalysis of the Light-Weight Cipher A2U2 First Draft version
Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography COST Training School on Symmetric Cryptography and Blockchain Stefan Kölbl February 19th, 2018 DTU Compute, Technical University of Denmark Practical Information
More informationFiltering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications
Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University
More informationRevisit and Cryptanalysis of a CAST Cipher
2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia
More informationSpecification on a Block Cipher : Hierocrypt L1
Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................
More information2. Accelerated Computations
2. Accelerated Computations 2.1. Bent Function Enumeration by a Circular Pipeline Implemented on an FPGA Stuart W. Schneider Jon T. Butler 2.1.1. Background A naive approach to encoding a plaintext message
More informationFurther improving security of Vector Stream Cipher
NOLTA, IEICE Paper Further improving security of Vector Stream Cipher Atsushi Iwasaki 1a) and Ken Umeno 2 1 Fukuoka Institute of Technology Wajiro-higashi, Higashiku, Fukuoka 811-0295, Japan 2 Graduate
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationSecret Key: stream ciphers & block ciphers
Secret Key: stream ciphers & block ciphers Stream Ciphers Idea: try to simulate one-time pad define a secret key ( seed ) Using the seed generates a byte stream (Keystream): i-th byte is function only
More informationDesign of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES
Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES Rajasekar P Assistant Professor, Department of Electronics and Communication Engineering, Kathir College of Engineering, Neelambur,
More informationA Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)
A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version) Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau ANSSI, France Abstract In this note we show that the
More information