Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption. Dagstuhl January 12, 2016
|
|
- Warren Brian Lambert
- 6 years ago
- Views:
Transcription
1 Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves EPFL, EPFL, KU Leuven, University of Coimbra Dagstuhl January 12, / 18
2 Tweakable Blockciphers k m E c 2 / 18
3 Tweakable Blockciphers tweakable k m t Ẽ c Tweak: exibility to the cipher Each tweak gives dierent permutation 2 / 18
4 Tweakable Blockciphers in OCBx 2 OCBgen A 1 A 2 A a M i M 1 M 2 M d Ẽ N,A1 k Ẽ N,A2 k Ẽ N,Aa k Ẽ N,M k Ẽ N,M1 k Ẽ N,M2 k Ẽ N,M d k T C 1 C 2 C d Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] Internally based on tweakable blockcipher Ẽ Tweak (N, tweak) is unique for every evaluation 3 / 18
5 Tweakable Blockciphers in OCBx 6 OCBgen-with-arrows A 1 A 2 A a M i M 1 M 2 M d Ẽ N,A1 k Ẽ N,A2 k Ẽ N,Aa k Ẽ N,M k Ẽ N,M1 k Ẽ N,M2 k Ẽ N,M d k T C 1 C 2 C d Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] Internally based on tweakable blockcipher Ẽ Tweak (N, tweak) is unique for every evaluation Change of tweak should be ecient 3 / 18
6 Masking-Based Tweakable Blockciphers 7 picpgen Blockcipher-Based. tweak-based mask ppermutation-based.p tweak-based mask m E k c m P c 4 / 18
7 Masking-Based Tweakable Blockciphers 7 picpgen Blockcipher-Based. tweak-based mask ppermutation-based.p tweak-based mask m E k c m P c typically 128 bits much larger: bits 4 / 18
8 Powering-Up Masking (XEX) XEX by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) m E k c (α, β, γ, N) is tweak (simplied) 5 / 18
9 Powering-Up Masking (XEX) XEX by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) m E k c (α, β, γ, N) is tweak (simplied) Used in OCB2 and in various CAESAR candidates 5 / 18
10 Powering-Up Masking (XEX) 4XEX pictem by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) 2 α 3 β 7 γ (k N P (k N)) m E k c m P c (α, β, γ, N) is tweak (simplied) Used in OCB2 and in various CAESAR candidates Permutation-based variants in Minalpher and Prøst 5 / 18
11 Powering-Up Masking in OCB2 1 OCB2g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18
12 Powering-Up Masking in OCB2 7 OCB2-with-arrows-1g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18
13 Powering-Up Masking in OCB2 8 OCB2-with-arrows-2g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18
14 Powering-Up Masking in OCB2 9 OCB2-with-arrows-3g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18
15 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18
16 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d Update of mask: Shift and conditional XOR Variable time computation Expensive on certain platforms 6 / 18
17 Word-Based Powering-Up Masking ccs Chakraborty and Sarkar [CS06]: z i E k (N) m E k c z {0, 1} w is a generator, (i, N) is tweak Tower of elds: z i F 2 w[z]/g instead of x i F 2 [x]/f 7 / 18
18 Word-Based Powering-Up Masking ccs Chakraborty and Sarkar [CS06]: z i E k (N) m E k c z {0, 1} w is a generator, (i, N) is tweak Tower of elds: z i F 2 w[z]/g instead of x i F 2 [x]/f Word-based powering-up Similar drawbacks as regular powering-up 7 / 18
19 Gray Code Masking cgray OCB1 and OCB3 use Gray Codes: ( i (i 1) ) Ek (N) m E k c (i, N) is tweak Updating: G(i) = G(i 1) 2 ntz(i) 8 / 18
20 Gray Code Masking cgray OCB1 and OCB3 use Gray Codes: ( i (i 1) ) Ek (N) m E k c (i, N) is tweak Updating: G(i) = G(i 1) 2 ntz(i) Single XOR Logarithmic amount of eld doublings (precomputed) More ecient than powering-up [KR11] 8 / 18
21 High-Level Contributions Masked Even-Mansour Improved masking of tweakable blockciphers Simpler to implement and more ecient Constant time (by default) Relies on breakthroughs in discrete log computation 9 / 18
22 High-Level Contributions Masked Even-Mansour Improved masking of tweakable blockciphers Simpler to implement and more ecient Constant time (by default) Relies on breakthroughs in discrete log computation Application to Authenticated Encryption Nonce-respecting AE in 0.55 cpb Misuse-resistant AE in 1.06 cpb 9 / 18
23 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) 10 / 18
24 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) Combines advantages of: Powering-up masking Word-based LFSRs 10 / 18
25 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) Combines advantages of: Powering-up masking Word-based LFSRs Simpler, constant-time (by default), more ecient 10 / 18
26 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR 11 / 18
27 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR Sample LFSRs (state size b as n words of w bits): b w n ϕ (x 1,..., x 15, (x 0 1) (x 9 1) (x 10 1)) (x 1,..., x 3, (x 0 5) x 1 (x 1 13)) (x 1, (x 0 11) x 1 (x 1 13)) (x 1,..., x 3, (x 0 3) (x 3 5)) (x 1,..., x 15, (x 0 5) (x 3 7)) (x 1,..., x 7, (x 0 29) (x 1 9)) (x 1,..., x 15, (x 0 53) (x 5 13)) (x 1,..., x 49, (x 0 3) (x 23 3)) / 18
28 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR Sample LFSRs (state size b as n words of w bits): b w n ϕ (x 1,..., x 15, (x 0 1) (x 9 1) (x 10 1)) (x 1,..., x 3, (x 0 5) x 1 (x 1 13)) (x 1, (x 0 11) x 1 (x 1 13)) (x 1,..., x 3, (x 0 3) (x 3 5)) (x 1,..., x 15, (x 0 5) (x 3 7)) (x 1,..., x 7, (x 0 29) (x 1 9)) (x 1,..., x 15, (x 0 53) (x 5 13)) (x 1,..., x 49, (x 0 3) (x 23 3)).... Work exceptionally well for ARX primitives 11 / 18
29 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms 12 / 18
30 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms / 18
31 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] 12 / 18
32 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] }{{} results implicitly used, e.g., by Prøst (2014) 12 / 18
33 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] } {{ } results implicitly used, e.g., by Prøst (2014) } {{ } solved in this work using breakthroughs in discrete log computation 12 / 18
34 Bare Implementation Results Mask computation in cycles per update In most pessimistic scenario (for ours): Masking Sandy Bridge Haswell Powering-up Gray code Ours Dierences may amplify/diminish in a mode 13 / 18
35 Application to AE: OPP 1 OPPg A 0 A 1 A a 1 M i M 0 M 1 M d 1 ϕ 0 (L) ϕ 1 (L) ϕ a 1 (L) ϕ 2 1 ϕa 1 (L) ϕ 2 ϕ 0 (L) ϕ 2 ϕ 1 (L) ϕ 2 ϕ d 1 (L) P P P P P P P ϕ 0 (L) ϕ 1 (L) ϕ a 1 (L) ϕ 2 1 ϕa 1 (L) ϕ 2 ϕ 0 (L) ϕ 2 ϕ 1 (L) ϕ 2 ϕ d 1 (L) C 1 C 2 C d L = P (N k) ϕ 1 = ϕ id, ϕ 2 = ϕ 2 ϕ id T Oset Public Permutation (OPP) Generalization of OCB3: Permutation-based More ecient MEM masking Security against nonce-respecting adversaries 0.55 cpb with reduced-round BLAKE2b 14 / 18
36 Application to AE: MRO 2 MROg A 0 A a 1 M 0 M d 1 A M T 0 T d 1 ϕ 0 (L) ϕ a 1 (L) ϕ 1 ϕ 0 (L) ϕ 1 ϕ d 1 (L) ϕ 2(L) ϕ 2(L) P P P P P P ϕ 0 (L) ϕ a 1 (L) ϕ 1 ϕ 0 (L) L = P (N k) ϕ 1 = ϕ id, ϕ 2 = ϕ 2 ϕ id ϕ 1 ϕ d 1 (L) ϕ 2 1 (L) P T ϕ 2 1 (L) C 1 ϕ 2(L) M 0 ϕ 2(L) M d 1 C d Misuse-Resistant OPP (MRO) Fully nonce-misuse resistant version of OPP 1.06 cpb with reduced-round BLAKE2b 15 / 18
37 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds 16 / 18
38 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds Main implementation results (more in paper): nonce-respecting misuse-resistant Platform AES-GCM OCB3 Deoxys OPP 4 OPP 6 Cortex-A Sandy Bridge Haswell / 18
39 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds Main implementation results (more in paper): nonce-respecting misuse-resistant Platform AES-GCM OCB3 Deoxys OPP 4 OPP 6 GCM-SIV Deoxys = MRO 4 MRO 6 Cortex-A Sandy Bridge Haswell / 18
40 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) 17 / 18
41 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x / 18
42 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x / 18
43 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x / 18
44 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x / 18
45 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 19 = (x 3 53) (x 8 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x / 18
46 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 19 = (x 3 53) (x 8 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x 19 Parallelizable (AVX2) and word-sliceable 17 / 18
47 Conclusion Masked Even-Mansour Simpler, constant-time (by default), more ecient Justied by breakthroughs in discrete log computation MEM-based AE outperforms its closest competitors More Info Thank you for your attention! 18 / 18
An Introduction to Authenticated Encryption. Palash Sarkar
An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata palash@isical.ac.in 20 September 2016 Presented at the Workshop on Authenticated
More informationAuthenticated Encryption Mode for Beyond the Birthday Bound Security
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 and Kazuhiko Minematsu 2 1 Nagoya University, Nagoya, Japan, tetsu.iwata@nagoya-u.jp 2 NEC Corporation, Kawasaki, Japan, k-minematsu@ah.jp.nec.com Abstract.
More informationParallelizable and Authenticated Online Ciphers
Parallelizable and Authenticated Online Ciphers Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 1,2, and Kan Yasuda 1,4 1 Department of Electrical Engineering,
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1, Kazuhiko Minematsu 2, Thomas Peyrin 3,4,5, and Yannick Seurin 6 1 Nagoya University, Japan tetsu.iwata@nagoya-u.jp
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationOnline Authenticated Encryption
Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland ASK 2015 30 Sept - 3 Oct Singapore 1/34 Agenda I. The Emergence of Online-AE (OAE) II. Definitions of Security Notions III. Our New Security
More informationInnovations in permutation-based crypto
Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,
More informationAES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:
AES-OTR v3 Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address: k-minematsu@ah.jp.nec.com Date: April 4, 2016 1 Specification OTR, which stands for Offset Two-Round, is a blockcipher
More informationA Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)
A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version) Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau ANSSI, France Abstract In this note we show that the
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationProvable Security of Submissions to the CAESAR Cryptographic Competition
Provable Security of Submissions to the CAESAR Cryptographic Competition MASTER'S THESIS to achieve the university degree of Diplom-Ingenieur Master's degree programme: Telematics submitted to Graz University
More informationCharacterization of EME with Linear Mixing
Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi
More informationA New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation
A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation Debrup Chakraborty and Palash Sarkar Computer Science Department, CINVESTAV-IPN Av. IPN No. 2508 Col. San Pedro Zacatenco
More informationOn the Influence of Message Length in PMAC s Security Bounds
1 On the Influence of Message Length in PMAC s Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016
More informationAnalysis of Message Injection in Stream Cipher-based Hash Functions
Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o
More informationBeyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing
Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing Benoît Cogliati and Yannick Seurin September 7, 2015 Abstract. The iterated Even-Mansour construction
More informationFORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol
FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection
More informationIntegrity Analysis of Authenticated Encryption Based on Stream Ciphers
Integrity Analysis of Authenticated Encryption Based on Stream Ciphers Kazuya Imamura 1, Kazuhiko Minematsu 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k_imamur@echo.nuee.nagoya-u.ac.jp 2 NEC Corporation,
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationACORN: A Lightweight Authenticated Cipher (v3)
ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification
More informationIntrinsic Side-Channel Analysis Resistance and Efficient Masking
Intrinsic Side-Channel Analysis Resistance and Efficient Masking A case study of the use of SCA-related metrics and of design strategies leading to low-cost masking for CAESAR candidates Ko Stoffelen Master
More informationZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication Tetsu Iwata 1, Kazuhiko Minematsu 2(B), Thomas Peyrin 3,4,5, and Yannick Seurin 6 1 Nagoya University, Nagoya, Japan tetsu.iwata@nagoya-u.jp
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationTweakable Blockciphers with Beyond Birthday-Bound Security
Tweakable Blockciphers with Beyond Birthday-Bound Security Will Landecker, Thomas Shrimpton, and R. Seth Terashima Dept. of Computer Science, Portland State University {landeckw,teshrim,robert22}@cs.pdx.edu
More informationMcOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Full and Updated Version 2013-12-05 Ewan Fleischmann, Christian Forler, Stefan Lucks, and Jakob Wenzel Bauhaus-University Weimar,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationTweak-Length Extension for Tweakable Blockciphers
Tweak-Length Extension for Tweakable Blockciphers Kazuhiko Minematsu 1 and Tetsu Iwata 2 1 NEC Corporation, Japan, k-minematsu@ah.jp.nec.com 2 Nagoya University, Japan, iwata@cse.nagoya-u.ac.jp Abstract.
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationBernstein Bound on WCS is Tight
Bernstein Bound on WCS is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian Statistical Institute, Kolkata mridul.nandi@gmail.com Abstract. In Eurocrypt 208, Luykx and Preneel described
More informationStudies on Disk Encryption
Studies on Disk Encryption Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Nov 14, 2011 Cuauhtemoc Mancillas López Advisor: Debrup Chakraborty Studies () on Disk Encryption Nov 14, 2011 1 / 74 Disk
More informationRobust Authenticated-Encryption
The proceedings version of this paper appears in EUROCRYPT 2015. This is the full paper. Robust Authenticated-Encryption AEZ and the Problem that it Solves Viet Tung Hoang 1,2 Ted rovetz 3 Phillip Rogaway
More informationEfficient Message Authentication Codes with Combinatorial Group Testing
Efficient Message Authentication Codes with Combinatorial Group Testing Kazuhiko Minematsu (NEC Corporation) The paper was presented at ESORICS 2015, September 23-25, Vienna, Austria ASK 2015, October
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationNew Attacks against Standardized MACs
New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org
More informationImpact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs
Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24
More informationOn the Design of Trivium
On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn
More informationImproving Upon the TET Mode of Operation
Improving Upon the TET Mode of Operation Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. Naor and Reingold
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationA Tweak for a PRF Mode of a Compression Function and Its Applications
A Tweak for a PRF Mode of a Compression Function and Its Applications Shoichi Hirose 1 and Atsushi Yabumoto 2 1 Faculty of Engineering, University of Fukui, Japan hrs shch@u-fukui.ac.jp 2 Graduate School
More informationFaster Evaluation of S-Boxes via Common Shares
Faster Evaluation of S-Boxes via Common Shares J-S. Coron, A. Greuet, E. Prouff, R. Zeitoun F.Rondepierre CHES 2016 CHES 2016 1 S-Box Evaluation AES By definition: S AES (x) = A x 254 + b F 2 8[x] CHES
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationLinear Cryptanalysis of Reduced-Round Speck
Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be
More informationSimilarities between encryption and decryption: how far can we go?
Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/anne.canteaut/ SAC 2013 based on a
More informationDeterministic Authenticated-Encryption
An earlier version of this paper appears in Advances in Cryptology EUROCRYPT 06, Lecture Notes in Computer Science, vol. 4004, Springer, 2006. This is the full version of that paper. Deterministic Authenticated-Encryption
More informationA Modular Framework for Building Variable-Input-Length Tweakable Ciphers
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers Thomas Shrimpton and R. Seth Terashima Dept. of Computer Science, Portland State University {teshrim,seth}@cs.pdx.edu Abstract.
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationFull-State Keyed Duplex With Built-In Multi-User Support
Full-State Keyed Duplex With Built-In Multi-User Support Joan Daemen 1,, Bart Mennink 1,3, and Gilles Van Assche 1 Digital Security Group, Radboud University, Nijmegen, The Netherlands joan@cs.ru.nl, b.mennink@cs.ru.nl
More informationThe Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3
The proceedings version is in CRYPTO 2016. This is the full version, with substantial modifications. The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3 Mihir Bellare 1 Björn Tackmann
More informationCAESAR candidate ICEPOLE
. CAESAR candidate ICEPOLE Pawel Morawiecki 1,2, Kris Gaj 3, Ekawat Homsirikamol 3, Krystian Matusiewicz 4, Josef Pieprzyk 5,6, Marcin Rogawski 7, Marian Srebrny 1,2, and Marcin Wojcik 8 Polish Academy
More informationobservations on the simon block cipher family
observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,
More informationTweakable Block Ciphers
Tweakable Block Ciphers Moses Liskov 1, Ronald L. Rivest 1, and David Wagner 2 1 Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139, USA mliskov@theory.lcs.mit.edu,
More informationNonlinear Invariant Attack
Nonlinear Invariant Attack Practical Attack on Full SCREAM, iscream, and Midori64 Yosuke Todo 13, Gregor Leander 2, and Yu Sasaki 1 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp,
More informationRelated-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLinear Cryptanalysis: Key Schedules and Tweakable Block Ciphers
Linear Cryptanalysis: Key Schedules and Tweakable Block Ciphers Thorsten Kranz, Gregor Leander, Friedrich Wiemer Horst Görtz Institute for IT Security, Ruhr University Bochum Block Cipher Design k KS m
More informationKey Recovery with Probabilistic Neutral Bits
ESC 7.1. 11. 1. 2007 Key Recovery with Probabilistic Neutral Bits Simon Fischer 1, Shahram Khazaei 2 and Willi Meier 1 1 FHNW, Windisch, Switzerland 2 EPFL, Lausanne, Switzerland Outline Motivation Probabilistic
More informationOn the Counter Collision Probability of GCM*
On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf
More informationRevisiting Variable Output Length XOR Pseudorandom Function
Revisiting Variable Output Length XOR Pseudorandom Function Srimanta Bhattacharya, Mridul andi Indian Statistical Institute, Kolkata, India. Abstract. Let σ be some positive integer and C {i, j : 1 i
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationFurther More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata
Further More o Key Wrappig 011//17 SKEW011 Lygby Nagoya Uiversity Yasushi Osaki, Tetsu Iwata 1 What is key wrappig? Used to ecrypt specialized data, such as cryptographic keys A key wrappig that also esures
More informationTweakable Enciphering Schemes From Stream Ciphers With IV
Tweakable Enciphering Schemes From Stream Ciphers With IV Palash Sarkar Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata India 700108. email: palash@isical.ac.in Abstract. We
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-18 Pierre-Alain Fouque 1, Jérémy Jean,, and Thomas Peyrin 3 1 Université de Rennes 1, France École Normale Supérieure, France 3
More informationEWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benoît Cogliati and Yannick Seurin University of Versailles, France benoitcogliati@hotmail.fr ANSSI, Paris, France yannick.seurin@m4x.org
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationNew Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract)
New Distinguishers for Reduced Round Trivium and Trivia-SC using Cube Testers (Extended Abstract) Anubhab Baksi 1, Subhamoy Maitra 1, Santanu Sarkar 2 1 Indian Statistical Institute, 203 B. T. Road, Kolkata
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationInsuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security
Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blokipher Seurity Bart Mennink Radboud University (The Netherlands) SC 2017 January 16, 2017 1 / 16 Tweakable Blokiphers ertweakable
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationCBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an
CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.
More informationKey Recovery Attack against 2.5-round π-cipher
Key Recovery Attack against 2.5-round -Cipher Christina Boura 1, Avik Chakraborti 2, Gaëtan Leurent 3, Goutam Paul 2, Dhiman Saha 4, Hadi Soleimany 5,6 and Valentin Suder 7 1 University of Versailles,
More informationLS-Designs. Bitslice Encryption for Efficient Masked Software Implementations
Bitslice Encryption for Efficient Masked Software Implementations Vincent Grosso 1 Gaëtan Leurent 1,2 François Xavier Standert 1 Kerem Varici 1 1 UCL, Belgium 2 Inria, France FSE 2014 G Leurent (UCL,Inria)
More informationImpossible Differential Cryptanalysis of Reduced-Round SKINNY
Impossible Differential Cryptanalysis of Reduced-Round SKINNY Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montréal,
More informationThesis Research Notes
Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.
More informationOCB Mode. Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity
OCB Mode Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity Submitted on April 1, 2001 Revised on April 18, 2001 Submitter: Phillip Rogaway rogaway@cs.ucdavis.edu
More informationXHX A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing
XHX A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing Ashwin Jha, Eik List 2, Kazuhiko Minematsu 3, Sweta Mishra 4, and Mridul Nandi Indian Statistical
More informationMulti-user collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE (Full version * )
Multi-user collisions: Applications to Discrete Logarithm, Even-Mansour and PRINCE (Full version * ) Pierre-Alain Fouque, Antoine Joux, Chrysanthi Mavromati To cite this version: Pierre-Alain Fouque, Antoine
More informationOn the Security of CTR + CBC-MAC
On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationHaraka v2 Efficient Short-Input Hashing for Post-Quantum Applications
Haraka v2 Efficient Short-Input Hashing for Post-Quantum Applications Stefan Kölbl 1, Martin M. Lauridsen 2, Florian Mendel 3 and Christian Rechberger 1,3 1 DTU Compute, Technical University of Denmark,
More informationMESSAGE AUTHENTICATION 1/ 103
MESSAGE AUTHENTICATION 1/ 103 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified in transit 2/ 103 Integrity and authenticity
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationPRIMATEs v1.02. Submission to the CAESAR Competition. Engineering, China. 6 NTT Secure Platform Laboratories, Japan.
PRIMAEs v1.02 Submission to the CAESAR Competition Designers/Submitters: Elena Andreeva 1, Begül Bilgin 1,2, Andrey Bogdanov 3, Atul Luykx 1, Florian Mendel 4, Bart Mennink 1, Nicky Mouha 1, Qingju Wang
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More information