AES-based primitives LUX, Cheetah

Alex Biryukov

University of Luxembourg

2009

Contents
  • Design of Cheetah
  • Design of LUX
  • Speed vs Security discussion

(see the last slide)

Cheetah
  • 256-bit state
  • 1024-bit message
  • 16 Rijndael 256-bit rounds
  • 3 rounds of 1024-bit Rijndael in the keyschedule
  • MD-HAIFA construction (128-bit optional salt is treated as part of the message)
Cheetah Round
  • Just a Rijndael-256 Round
Security
  • Truncated-differential attacks not possible (analysis to appear at CT-RSA’09)
  • Generic attacks – HAIFA
  • Length extension – final permutation

(Hirose et al., Asiacrypt’07)

External Cryptanalysis
  • Length extension (Gligorsky)

Need to fix the permutation to avoid fixed points (make the IV non-zero, add a constant, add an output transform?)

  • 8.5 out of 12 rounds for the 512-bit version

(Schläffer et al.)

Summary: scratched but not broken.

We encourage more cryptanalysis of the compression function and the mode.
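The length-extension point above (a digest that equals the raw chaining value can be extended unless a final transform separates the two), as an added Python example that is not from the slides or from Cheetah's own code: SHA-256 is used as an idealised stand-in for a Rijndael-based compression function, and the block size, padding and output step are constructed assumptions, so it illustrates why a final permutation is needed rather than Cheetah's actual rounds or Gligorsky's fixed-point observation.

```python
import hashlib
import struct

BLOCK = 32  # 256-bit blocks (constructed toy parameter, not Cheetah's 1024-bit blocks)


def compress(chain: bytes, block: bytes) -> bytes:
    """Idealised compression function standing in for a Rijndael-based round:
    a 256-bit chaining value absorbs one block and yields the next chaining value."""
    return hashlib.sha256(chain + block).digest()


def pad(msg: bytes) -> bytes:
    """MD-strengthening padding: 0x80, zeros, then the 64-bit bit-length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(msg))


def md_hash(msg: bytes, final_transform: bool = False) -> bytes:
    """Plain iterated chain; with final_transform=True the last chaining value
    goes through an extra output step, the role the slide's final permutation plays."""
    h = b"\x00" * 32  # zero IV; one of the fixes listed above is to make it non-zero
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    if final_transform:
        h = hashlib.sha256(b"output-transform" + h).digest()
    return h


def length_extend(digest: bytes, orig_len: int, suffix: bytes):
    """From H(M) and |M| alone, keep iterating the chain: returns the glue padding
    and a candidate digest for M || glue || suffix. This only matches the real
    hash when the published digest *is* the raw chaining value (no final step)."""
    glue = pad(b"\x00" * orig_len)[orig_len:]      # padding depends only on |M|
    total = orig_len + len(glue) + len(suffix)
    tail = suffix + pad(b"\x00" * total)[total:]   # suffix plus its own padding
    h = digest
    for i in range(0, len(tail), BLOCK):
        h = compress(h, tail[i:i + BLOCK])
    return glue, h


def extension_works(msg: bytes, suffix: bytes, final_transform: bool) -> bool:
    """Does the continued chain equal a genuine hash of the extended message?"""
    glue, forged = length_extend(md_hash(msg, final_transform), len(msg), suffix)
    return forged == md_hash(msg + glue + suffix, final_transform)
```

Without the output step the continuation matches the genuine hash of the longer message; with it, the published digest no longer reveals a usable chaining value and the continuation fails.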

Speed
  • Intel Core 2 Duo, standard AES code.
  • Can be further optimised. One of the fastest.
LUX
  • Stream cipher-like (sponge-like) design
  • Round transform based on 256-bit AES
  • Wide-pipe design
  • Belt: 16 words (512 bits)
  • Mill: 8 words (256 bits)
  • Message XORed 32-bits at a time to both Belt and Mill
  • 32-bit feedback from Belt to Mill
LUX
  • 16 blank rounds at the end
  • 8 filter rounds (32-bit outputs, each round)
  • Constant XORed each round to break symmetry
  • Supports a 128-bit salt, treated the same way as the message.
LUX External Cryptanalysis
  • Free-start collision, free-start preimage (Wu, Feng, Wu).
  • This is a 768-bit “free” start; it works for any sponge-like hash.
  • Length extension slide attack (Peyrin)
  • Needs the salt size to be 31 (mod 32) bits; the salt size is fixed to 128 bits in LUX.
Speed
  • 32/64-bit Intel Core 2 Duo,
  • Intel compiler 10.1, Windows XP
  • 1.2 times faster than standard AES implementation on the same platform.
  • Should be possible to bring below 10 cpb
Speed vs Security
  • Many AES-based constructions.
  • Many very conservative constructions. Slow but secure approach.
  • Users need fast hashes and are reluctant to switch even from MD5.
  • Ideally we need a hash that is no slower than AES and has a tunable number of rounds; much faster than SHA-256.
Speed vs Security
  • Observable universe: 3 × 10^52 kg
  • 5% of total mass. Total mass only: 2^179
  • E = mc^2
  • So if we burn the universe in order to power our computers we can perform O(2^235) computations.
  • Forget about attacks that have complexities higher than 2^256.

(Reversible computation ????)

Speed vs Security
  • Parallel or sequential attacks?
  • For attacks with complexities above 2^256 it doesn’t matter. They don’t exist in this world anyway.
  • Number of computations is a simple standard measure of attack complexity.
  • When pricing a parallel computer, don’t forget the electricity bill.
Possible Scenario
  • Allow tweaking the number of rounds, and other trivial tweaks, by the end of round 1.
  • Select 15 fastest still unbroken (or even unscratched) candidates.
  • Let cryptanalysts do the work.