Permutation-based symmetric cryptography

..........

......

Guido Bertoni1 Joan Daemen1

Michaël Peeters2 Gilles Van Assche1

1STMicroelectronics

2NXP Semiconductors

Keccak & SHA-3 DayUniversité Libre de Bruxelles

March 27, 2013

..........

......

Outline

1 Mainstream hash functions

2 Block ciphers

3 block-cipher based hashing

4 The sponge construction

5 Applications of the sponge construction

6 The duplex construction

7 Conclusions

..........

......

Mainstream hash functions

Symmetric crypto: what textbooks and intro’s say

Symmetric cryptographic primitives:

Block ciphersStream ciphers

SynchronousSelf-synchronizing

Hash functionsNon-keyedKeyed: MAC functions

And their modes-of-use

..........

......

The swiss army knife of cryptography!

Hash functions:

..........

......

A closer look at mainstream hash functions

Attempts at direct design of hash function are rareMainstream hash functions have two layers:

Fixed-input-length compression functionIterating mode: domain extension

..........

......

The iterating mode

Basic Merkle-Damgård: very simple and elegant

Yes, but can we have collision-resistance preservation?

..........

......

The iterating mode

Merkle-Damgård with strengthening

Yes, but what about length extension attacks and the like?

..........

......

The iterating mode

Enveloped Merkle-Damgård

Yes, but we need long output for full-domain hashing (OAEP,RSA-PSS, KEM, etc)?

..........

......

The iterating mode

Mask generating function construction

This does what we need!

..........

......

The compression function

Sound iterating mode reduces:design of F with variable input and output length todesign of f with fixed input and output length

Sound means there is some kind of provable security:Property-preservation: F inherits the properties of fDifferentiability from a random oracle

bound for the effort to distinguish F from a random oracleassuming f randomly chosen and accessible to adversaryProvides security assurance against generic attacks

Gives some hints of criteria for the compression function

..........

......

Let’s put in a block cipher

Yes, but collisions are easy so collision-resistance preservation …

..........

......

Block cipher in Davies-Meyer mode

That’s it!

..........

......

The final solution

Now we just have to build a suitable block cipher …

..........

......

Block ciphers

What block cipher are used for

Hashing (as discussed) and its modes HMAC, MGF1, …

Block encryption: ECB, CBC, …Stream encryption:

synchronous: counter mode, OFB, …self-synchronizing: CFB

MAC computation: CBC-MAC, C-MAC, …

Authenticated encryption: OCB, GCM, CCM …

..........

......

Block ciphers

The truth about symmetric crypto today

Block ciphers:

..........

......

block-cipher based hashing

Block-cipher based hashing: time for re-factoring

Goal: hashing mode that is sound and simplewith good level of security against generic attackscalling a block cipher

Remaining problem: design of a suitable block cipherround function: several good approaches knownsoundness proofs are typically in ideal cipher modelkey schedule: not clear how to do design good one

But do we really need a block cipher?

..........

......

Block cipher operation

..........

......

Block cipher operation: the inverse

..........

......

When do you need the inverse?

Indicated in red:

Hashing and its modes HMAC, MGF1, …

Block encryption: ECB, CBC, …Stream encryption:

synchronous: counter mode, OFB, …self-synchronizing: CFB

MAC computation: CBC-MAC, C-MAC, …Authenticated encryption: OCB, GCM, CCM …

Most schemes with misuse-resistant claims

So for most uses you don’t need the inverse!

..........

......

Block cipher internals

..........

......

Hashing use case: Davies-Meyer compression function

..........

......

Removing diffusion restriction not required in hashing

..........

......

Simplifying the view: iterated permutation

..........

......

Re-factoring of hashing modes, revisited

Goal: hashing mode that is sound and simplewith good level of security against generic attackscalling an iterated permutation

Remaining problem: design of iterated permutationround function: good approaches knownasymmetry: round constants

Advantages with respect to block ciphers:less barriers ⇒ more diffusionno more need for efficient inverseno more worries about key schedule

..........

......

The sponge construction

The result: the sponge construction

f: a b-bit permutation with b = r+ cefficiency: processes r bits per call to fsecurity: provably resists generic attacks up to 2c/2

Flexibility in trading rate r for capacity c or vice versa

..........

......

The sponge construction

What can we say about sponge security

Generic security:assuming f has been chosen randomlycovers security against generic attacksconstruction as sound as theoretically possible

Security for a specific choice of fsecurity proof is infeasibleHermetic Sponge Strategydesign with attacks in mindsecurity based on absence of attacks despite public scrutiny

..........

......

Applications of the sponge construction

Regular hashing

Pre-sponge permutation-based hash functionsTruncated permutation as compression function: Snefru[Merkle ’90], FFT-Hash [Schnorr ’90], …MD6 [Rivest et al. 2007]Streaming-mode: Subterranean, Panama, RadioGatún,Grindahl [Knudsen, Rechberger, Thomsen, 2007], …

..........

......

Mask generating function

..........

......

Use Sponge for MACing

Padded message

Pre-sponge (partially) permutation-based MAC function:Pelican-MAC [Daemen, Rijmen 2005]

..........

......

Use Sponge for (stream) encryption

Key IV

Key stream

Similar to block cipher modes:Long keystream per IV: like OFBShort keystream per IV: like counter mode

Independent permutation-based stream ciphers: Salsa andChaCha [Bernstein 2005]

..........

......

Single pass authenticated encryption

Padded messageIV

Key stream

But this is no longer the sponge …

..........

......

The duplex construction

Generic security provably equivalent to that of sponge

Applications: authenticated encryption, reseedablepseudorandom generator …

..........

......

The duplex construction

SpongeWrap authenticated encryption

Single-pass authenticated encryption

Processes up to r bits per call to f

Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting,

..........

......

Conclusions

Features of iterated permutations

Iterated permutations arethe natural choice for hashing modesversatile cryptographic primitivesmore flexible in modes than block ciphers

In keyed modes efficiency can be boosted:Security beyond 2c/2 in keyed modesDedicated variants for higher efficiency:donkeySponge for MACmonkeyDuplex for (authenticated) encryption

..........

......

Conclusions

What textbooks and intro’s should say from now on:-)

Symmetric cryptographic primitives:

Permutations

Block ciphers

Stream ciphersHash functions

Non-keyedKeyed: MAC functions

And their modes-of-use

..........

......

Conclusions

Questions?

http://sponge.noekeon.org/http://keccak.noekeon.org/

Permutation-based symmetric cryptography

Documents

Symmetric Cryptography: DES and RC4 - WINLAB … Symmetric Cryptography: DES and RC4 Modern Symmetric Ciphers zWe will now look at two examples of modern symmetric key ciphers: –DES

Cryptography - A Revie · Outline Trust Symmetric Cryptography Asymmetric Cryptography Key Management Network Security 1 Trust Need for Trust Trust = Shared Secret 2 Symmetric Cryptography

Introduction to Symmetric and Asymmetric Cryptography · Introduction to Symmetric and Asymmetric Cryptography . ConSoLiDatE Multi-disciplinary Cooperation for Cyber Security, Legal

Classical (Symmetric) Cryptography

Introduction to symmetric cryptography · 2019. 11. 21. · Introduction to symmetric-key cryptography Symmetric encryption schemes Stream ciphers Combine (XOR) plaintext bits with

Kerberos and Active Directory—symmetric cryptography in practice · 2019-09-19 · How does Kerberos use cryptography? • Kerberos works with symmetric key cryptography • Can

Cryptography: Symmetric Foundations€¦ · Cryptography: Symmetric Foundations Slides derived from Vitaly Shmatikov’s. Basic Problem Alice Bob M M ... (attack integrity) M

Symmetric Cryptography - Technische Universität · PDF fileNetwork Security (WS 2002): 03 – Symmetric Cryptography Network Security Chapter 3 Symmetric Cryptography! Modes of Encryption!

1 Overview of Cryptography. Contents Introduction Symmetric-key cryptography Block ciphers Symmetric-key algorithms Cipher block modes Stream cipher Public-key

SYMMETRIC CRYPTOGRAPHY THE BASICS. SYMMETRIC CRYTPOGRAPHY Symmetric key cryptography literally means that the same key is used to encrypt the message

Permutation-symmetric three-particle hyper-spherical harmonics

Report from Dagstuhl Seminar 16021 Symmetric Cryptography

Modern Symmetric Cryptography

symmetric key cryptography

Symmetric Key Cryptography - cdn.ttgtmedia.com · Symmetric Key Cryptography Symmetric key ciphers are one of the workhorses of cryptography. They are used to secure bulk data, provide

CSE 127: Computer Security Symmetric-key Cryptography

C HAPTER 12 Symmetric Key Cryptography

Conventional Cryptography (Symmetric Ciphers)

JavaCryptography - Cogent Logic · JavaCryptography SymmetricKeyCryptography • Cryptography. Cryptography

Cryptography - A Reviewweb.cse.msstate.edu/~ramkumar/review1.pdfSymmetric Cryptography Asymmetric Cryptography Key Management Network Security Symmetric Cryptography Overview Block