Bounds for Balanced and Generalized Feistel Constructions




Bounds for Balanced and Generalized Feistel Constructions
Andrey Bogdanov
Katholieke Universiteit Leuven, Belgium
ECRYPT II SymLab Bounds 2010

Outline
- Feistel Constructions
- Efficiency Metrics
- Bounds for Feistel Ciphers
- Efficiency Comparison

Balanced and Generalized Feistel Networks
[Figure: high-level constructions BFN, Type-I GFN, Type-II GFN, Type-III GFN]
Feistel:
- almost identical encryption and decryption functions
- easy extension of smaller non-linear functions to bigger permutations
- some security proofs available

Balanced and Generalized Feistel Functions: SP vs SPS
[Figure: SP function (round key k_i, S-box layer s, matrix M_i) vs SPS function (k_i, s, M_i, s)]
Which one is more efficient for Feistel?
- in terms of resistance against differential and linear cryptanalysis
- SP has fewer S-boxes per function than SPS
- SPS turns out consistently more efficient than SP for Feistel!

Active S-Boxes
Differential and linear cryptanalysis
- two crucial types of attacks
- tell, in a sense, how fast the cipher gets close to an idealized cipher
- used as subroutines in numerous cryptanalytic extensions
Active S-box
- involved in the propagation of differential and linear patterns along differential and linear trails
- contributes to the reduction of the trail probability
- most clear and elaborated tool for security evaluation
Limits
- no evidence against impossible differential attacks
- no evidence against multiset analysis/other structural attacks

Proportion of active S-boxes to all S-boxes [Shirai-Preneel04]
- S-box layer is often the most costly operation of ciphers
- $A_{r,m}$ = # active S-boxes over r rounds for block width m
- $S_{r,m}$ = # all S-boxes over r rounds for block width m
- Proportion of active S-boxes over r rounds: $E_{r,m} = A_{r,m} / S_{r,m}$
- Asymptotic proportion of active S-boxes for $r \to \infty$: $E_m = \lim_{r \to \infty} E_{r,m}$
- Asymptotic proportion of active S-boxes for $r, m \to \infty$: $E = \lim_{m \to \infty} E_m$
- None of these metrics takes into account the linear operations!
- Large dense MDS matrices can also involve costly computation

Proportion of active S-boxes to S-box and linear operations [Bogdanov09]
- $A_{r,m}$ = # active S-boxes over r rounds
- $S_{r,m}$ = # all S-boxes over r rounds
- $L_{r,m}$ = # all multiplications by a constant in $\mathbb{F}_{2^n}$ over r rounds
- $\lambda$ = cost of one multiplication by a constant in $\mathbb{F}_{2^n}$ relative to one S-box invocation
- Proportion of active S-boxes over r rounds: $E_{r,m} = A_{r,m} / (S_{r,m} + \lambda L_{r,m})$
- Asymptotic proportion of active S-boxes for $r \to \infty$: $E_m = \lim_{r \to \infty} E_{r,m}$
- Asymptotic proportion of active S-boxes for $r, m \to \infty$: $E = \lim_{m \to \infty} E_m$

Bounds for Feistel Ciphers
Minimum # active S-boxes for SP-functions, from the literature: [Kanda01], [Shirai-Preneel04], [Wu-Zhang-Lin06], [Shibutani10]
(B = branch number of the diffusion matrix M)

                                              BFN-SP                    GFNI-SP                 GFNII-SP
single-round diffusion (M_i = M each round)   4R rounds: BR + ⌊R/2⌋     16R rounds: (3B + 1)R   6R rounds: (2B + 2)R
multiple-round diffusion (M_i distinct)       3R rounds: BR             -                       -

Bounds for Feistel Ciphers
Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10]

  BFN-SPS            GFNI-SPS            GFNII-SPS          GFNIII-SPS
  3R rounds: 2BR     14R rounds: 7BR     6R rounds: 6BR     14R rounds: 7BR

- all single-round diffusion with M_i = M in each round
- proofs basically derive lower bounds on # active functions
- string-based approach to proofs
- all bounds are actually tight

Efficiency Comparison SP vs SPS
[Plots; only the captions survive the extraction]
- $E = \lim_{r,m \to \infty} A_{r,m} / S_{r,m}$, MDS diffusion
- $E_m = \lim_{r \to \infty} A_{r,m} / S_{r,m}$, MDS diffusion
- $E_m = \lim_{r \to \infty} A_{r,m} / (S_{r,m} + \lambda L_{r,m})$, $\lambda = 0.1$, MDS diffusion, for m = 8, m = 16, m = 32 and m = 64
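An added worked example, not part of the slides, that turns the two bound tables and the [Bogdanov09] metric into numbers: it evaluates $E_m = \lim_r A_{r,m}/(S_{r,m} + \lambda L_{r,m})$ per construction for $\lambda = 0$ and for $\lambda = 0.1$ at m = 8, 16, 32, 64, the settings of the plots. It assumes m×m MDS matrices (B = m + 1), m² constant multiplications per dense matrix, m S-boxes per SP function and 2m per SPS function, and 4-branch GFNs; none of these are stated on the slides.

```python
"""Added example (not from the slides): the [Bogdanov09] metric
E_{r,m} = A_{r,m} / (S_{r,m} + lambda * L_{r,m}) for r -> infinity, with A taken from
the proven lower bounds in the SP and SPS bound tables.
Assumptions not stated on the slides: every matrix is m x m MDS, so B = m + 1; a dense
m x m matrix costs m^2 constant multiplications in F_2^n; an SP function has m S-boxes,
an SPS function 2m; the GFNs have 4 branches (Type-I/II/III use 1/2/3 functions per round).
"""
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass(frozen=True)
class Construction:
    name: str
    rounds: int                                # rounds the table bound covers, with R = 1
    min_active: Callable[[int], float]         # bound on active S-boxes over those rounds, given B
    functions_per_round: int                   # round functions evaluated per cipher round
    sboxes_per_function: Callable[[int], int]  # S-boxes in one function: SP -> m, SPS -> 2m

def branch_number_mds(m: int) -> int:
    """Branch number of an m x m MDS matrix (assumed diffusion layer)."""
    return m + 1

# BFN-SP with M_i = M is bounded by BR + floor(R/2) over 4R rounds; since E_m is a limit
# over r, floor(R/2)/R -> 1/2, i.e. B + 1/2 per 4 rounds. All other bounds are linear in R.
CONSTRUCTIONS = [
    Construction("BFN-SP (M_i = M)",      4, lambda B: B + 0.5,   1, lambda m: m),
    Construction("BFN-SP (M_i distinct)", 3, lambda B: B,         1, lambda m: m),
    Construction("GFNI-SP",              16, lambda B: 3 * B + 1, 1, lambda m: m),
    Construction("GFNII-SP",              6, lambda B: 2 * B + 2, 2, lambda m: m),
    Construction("BFN-SPS",               3, lambda B: 2 * B,     1, lambda m: 2 * m),
    Construction("GFNI-SPS",             14, lambda B: 7 * B,     1, lambda m: 2 * m),
    Construction("GFNII-SPS",             6, lambda B: 6 * B,     2, lambda m: 2 * m),
    Construction("GFNIII-SPS",           14, lambda B: 7 * B,     3, lambda m: 2 * m),
]
BY_NAME: Dict[str, Construction] = {c.name: c for c in CONSTRUCTIONS}

def efficiency(c: Construction, m: int, lam: float) -> float:
    """E_m = lim_r A_{r,m} / (S_{r,m} + lam * L_{r,m}), computed per round from the bound."""
    active_per_round = c.min_active(branch_number_mds(m)) / c.rounds
    sboxes_per_round = c.functions_per_round * c.sboxes_per_function(m)
    mults_per_round = c.functions_per_round * m * m  # one dense m x m matrix per function
    return active_per_round / (sboxes_per_round + lam * mults_per_round)

def asymptotic_efficiency(c: Construction) -> float:
    """E = lim_m E_m for lam = 0 (S-box cost only), taken at a very large m."""
    return efficiency(c, 1 << 40, 0.0)

def compare(m: int, lam: float) -> Dict[str, float]:
    """E_m of every construction for matrix dimension m and linear-operation cost lam."""
    return {c.name: efficiency(c, m, lam) for c in CONSTRUCTIONS}

if __name__ == "__main__":
    print("E, lam = 0:", {c.name: round(asymptotic_efficiency(c), 4) for c in CONSTRUCTIONS})
    for m in (8, 16, 32, 64):  # the slide plots use lam = 0.1 at these widths
        print(f"m = {m:2d}, lam = 0.1:", {k: round(v, 4) for k, v in compare(m, 0.1).items()})
```

With λ = 0 the SPS bounds tie BFN-SP with distinct matrices at E = 1/3; the gap opens once λ > 0 because an SPS function amortizes one matrix over twice as many S-boxes.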

Conjecture Instead of Conclusion
Conjecture: BFN-SPS is optimal with respect to E in the class of all BFN, GFNI, GFNII, and GFNIII designs with SP-, SPS-, SPSP-, SPSPS-, ...-type functions instantiated with MDS matrices.