Presentation is loading. Please wait.

Presentation is loading. Please wait.

AES-based primitives LUX, Cheetah Alex Biryukov University of Luxembourg 2009.

Published byCassandra Hensley Modified over 9 years ago

Similar presentations

Presentation on theme: "AES-based primitives LUX, Cheetah Alex Biryukov University of Luxembourg 2009."— Presentation transcript:

1 AES-based primitives LUX, Cheetah Alex Biryukov University of Luxembourg 2009

2 Contents Design of Cheetah Design of LUX Speed vs Security discussion (see the last slide)

3 Cheetah 256-bit state 1024-bit message 16 Rijndael 256-bit rounds 3 rounds of 1024-bit Rijndael in the keyschedule MD-HAIFA construction (128-bit optional salt is treated as part of the message)

4 Cheetah

5 Cheetah Compression

6 Cheetah Round Just a Rijndael-256 Round

7 Cheetah Message Expansion

8 Security Trunc-Differential attacks not possible (analysis to appear at CT-RSA’09) Generic attacks – HAIFA Length extension – final permutation (Hirose at al Asiacrypt’07)

9 External Cryptanalysis Length extension (Gligorsky) Need to fix the permutation to avoid fixed points (make IV non-zero, adding a constant, output transform?) 8.5/12 round for 512-bit version (Schläffer et al) Resume: scratched but not broken. We encourage more cryptanalysis of the compression function and the mode.

10 Speed Intel 2 Core Duo. Standard AES-code. Can be further optimised. One of the fastest.

11 LUX Stream cipher-like (sponge-like) design Round trasform based on 256-bit AES Wide-pipe design Belt: 16 words (512-bits) Mill: 8 words (256-bits) Message XORed 32-bits at a time to both Belt and Mill 32-bit feedback from Belt to Mill

12 LUX

13 16 Blank rounds at the end 8 filter rounds (32-bit outputs, each round) Constant XORed each round to break symmetry Supports Salt (128-bits), treated the same way as the message.

14 Security

15

16 LUX External Cryptanalysis Free-start collision, free-start preimage (Wu, Feng, Wu). This a 768-bit “free” start, works for any sponge-like hash. Length extension slide attack (Peyrin) needs salt size to be equal to 31 (mod 32) bits. Salt size is fixed to 128-bits in LUX.

17 Speed 32/64-bit Intel Core 2 Duo, Intel compiler 10.1, Windows XP 1.2 times faster than standard AES implementation on the same platform. Should be possible to bring below 10 cpb

18 Speed vs Security Many AES-based constructions. Many very concervative constructions. Slow but secure approach. Users need fast hashes, reluctant to switch even from MD5. Ideally we need hash that is not slower than AES and has tunable number of rounds. Much faster than SHA-256.

19 Speed vs Security Observable universe: 3 × 10^52 kg 5% of total mass. Total mass only: 2^179 E = MC^2 so if we burn the universe in order to power our computers we can perform O(2^235 ) computations.

20 Speed vs Security Observable universe: 3 × 10^52 kg 5% of total mass. Total mass only: 2^179 E = MC^2 so if we burn the universe in order to power our computers we can perform O(2^235 ) computations. Forget about attacks that have complexities higher than 2^256. (Reversible computation ????)

21 Speed vs Security Parallel or sequential attacks? For attacks with complexities above 2^256 it doesn’t matter. They don’t exist in this world anyway. Number of computations is a simple standard measure of attack complexity. In the price of the parallel computer don’t forget about the electricity bill.

22 Possible Scenario Allow to tweak #rounds, other trivial tweaks by the end of round 1. Select 15 fastest still unbroken (or even unscratched) candidates. Let cryptanalysts do the work.

23 The End

Download ppt "AES-based primitives LUX, Cheetah Alex Biryukov University of Luxembourg 2009."

Similar presentations

Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.

The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.
Your Security in the IT Market www.i.cz Hash Function Design: Overview of the basic components in SHA-3 competition Daniel Joščák, S.ICZ a.s. & MFF UK.

Your Security in the IT Market Hash Function Design: Overview of the basic components in SHA-3 competition Daniel Joščák, S.ICZ a.s. & MFF UK.
Web Security for Network and System Administrators1 Chapter 4 Encryption.

Web Security for Network and System Administrators1 Chapter 4 Encryption.
Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?

Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
Cryptography and Network Security

Cryptography and Network Security
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.

Similar presentations

Ads by Google