
Ppt fnr arbitrary length small domain block cipher proposal

Date post: 16-Jul-2015
Upload: karunakar-saroj


Traditional block ciphers work on fixed-size blocks of data; AES, for example, is defined for 128-bit blocks (with 128-, 192- or 256-bit keys). One consequence is the need for padding: if you need to encrypt small amounts of data you may end up with a large difference between input and output size. For example, encrypting an IPv4 address with AES-128 in ECB mode turns a 32-bit input into a 128-bit output. This may be undesirable for some applications. To address such needs, we designed the FNR encryption scheme.

Variable Length Block Ciphers

- More useful
- Storage gain (cloud storage would otherwise blow up)
- Aid in preserving the format of the input (Port (16), IPv4 (32), MAC (48), IPv6 (128) etc.)

There is a compelling need for privacy of sensitive fields before data is shared with a cloud provider, semi-trusted vendors, partners etc.

This paper proposes a practical flexible-length small-domain block cipher, the FNR encryption scheme.

FNR denotes Flexible Naor and Reingold. It can encrypt small-domain data formats such as IPv4 addresses, port numbers, MAC addresses, credit card numbers and arbitrary short strings while preserving their input length.

When designing privacy for sensitive fields, it may be desirable to preserve the length of the inputs.

Small-domain block ciphers are a useful tool for protecting sensitive data fields of smaller length (<128 bits).

Design Goals

- Arbitrary length
- Key Length
- Intellectual Property Free
- Supporting software platforms
- Secure building blocks
- Leveraging hardware support

Arbitrary length - Input domains of variable lengths need to be supported. For example, a system that processes NetFlow records handles different domains such as IPv4, port and IPv6, all of different lengths.

Key Length - A system might contain multiple domains of various lengths. If the key size depended on the input length, managing keys of various sizes would be cumbersome. For this reason the key size should not depend on the input length.

Secure building blocks - The building blocks used in such a design should be ones that are considered secure. For example, techniques based on Feistel networks of Luby-Rackoff constructions and the substitution-permutation network of AES are considered good blueprints for block cipher designs.

Leveraging hardware support - Modern processors support AES at the instruction level (e.g. AES-NI on Intel and AMD). Such provisions should be leveraged for faster software implementations.

Supporting software platforms - Due to advances in cloud computing, privacy of smaller data fields may need to be implemented on a variety of software platforms: for example browsers running Java or JavaScript and thin clients based on REST interfaces, apart from the ubiquitous C and C++ implementations. For this reason, a variety of software platforms should be easy to support.

Intellectual Property Free - The building blocks used in the block cipher design, as well as the block cipher itself, should be free of any intellectual property rights.

Key - A 128-bit secret key, K, is needed. It is used internally by the pseudo-random function (PRF).

Tweak - A tweak, T, plays a role similar to an IV. It should be about n/2 bits long, where n is the number of input bits.

A, B are two matrices - A is an invertible N x N binary matrix and B is a 1 x N binary vector, where N denotes the number of bits in the input.

FNR, like any other block cipher, has two operations, encryption and decryption. Both take three inputs (key, tweak and text) and produce one output. Typically the size of the plaintext P is n bits, with n between 32 and 128 bits.

The plaintext is divided into two halves, L0 and R0. The two halves then pass through r rounds of processing and are recombined to produce the cipher block.

Each round takes as input the L and R produced by the previous round, as well as a sub-key derived from the overall key K.

All rounds have the same structure. A substitution is performed on the left half of the data by applying a round function to the right half and XORing the output of that function into the left half.

A Feistel network is a symmetric structure for constructing block ciphers. One round of Feistel is a 2n-bit permutation δ built from an n-bit round function (here n denotes the half-block size), as defined below.

An r-round Feistel network is simply the composition of r one-round Feistel structures, transforming r n-bit functions f1, f2, ..., fr into a 2n-bit permutation.

Pair-wise Independent Permutations (PwIP) Algorithm - [algorithm figure not reproduced in the transcript]

Inverse PwIP Algorithm - [algorithm figure not reproduced in the transcript]

The security of LR (Luby-Rackoff) schemes has undergone rigorous analysis by the community over many years.

Also, the use of PwIP was later proven to mitigate basic linear and differential cryptanalysis.

Security

- Round Functions
- Round Count

Round Functions - Assume the AES output for any given input is uniformly distributed. Then the AES output bits actually used in the Feistel rounds are independent between even and odd rounds even if the attacker could engineer a collision between an even-round and an odd-round input with probability 1; the fact that the actual collision probability between even and odd rounds is considerably smaller turns out to be irrelevant.

Round Count - A minimum of 7 rounds is needed to resist adaptive chosen-plaintext and chosen-ciphertext attacks, per Patarin's proof. The security measure for block ciphers is the probability with which an attacker can distinguish the ciphertext from random text. Although our PwIP differs from the one in that analysis, the result holds for FNR without loss of generality.

Security measure using PwIP functions - [bound not reproduced in the transcript]

Classic Feistel network without PwIP - [bound not reproduced in the transcript]

where r is the round count, n is the number of bits of the input domain and m is the number of queries an attacker needs to make.

So, for example, for an input domain of 32 bits and a round count of 7, an attacker needs approximately 8757 plaintext/ciphertext pairs, whereas without the PwIP functions only around 950 pairs are needed.

Plain Text -> Rank -> Encrypt -> Derank -> Cipher Text

IPv4 addresses - Each IPv4 address is ranked as a 32-bit integer before it is encrypted; the resulting ciphertext is a 32-bit integer which is de-ranked back into dotted notation.

Credit card numbers - Each card number is ranked as a 15-digit number by dropping the Luhn check digit. The ranked integer is then encrypted to obtain a ciphertext that is again a 15-digit number. That integer is de-ranked by appending a Luhn check digit, yielding a valid credit card number.
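The following Python is an added example, not code from the slides or from Cisco's FNR implementation. It puts together the two pieces described above: the cipher structure (the PwIP step A·x XOR B applied before an r = 7 round Feistel network and its inverse applied after it, with a round function keyed by K and the tweak), and the rank / encrypt / derank flow for IPv4 addresses and credit card numbers. Everything not stated on the slides is this example's assumption: HMAC-SHA256 stands in for the AES-based PRF so the script needs only the standard library; the PwIP-before, inverse-PwIP-after ordering and the way A and B are derived from the key are choices made here; only balanced (even-length) inputs are handled; and because a 15-digit payload lives in the domain 10^15, which is not a power of two, the card path uses a 50-bit instance plus cycle walking (re-encrypting until the result is below 10^15), a standard technique the slides do not mention.

```python
"""FNR-style small-domain cipher (PwIP -> 7-round Feistel -> inverse PwIP) and the
rank/encrypt/derank flow for IPv4 and card numbers. Added example, not Cisco's libfnr."""
import hashlib, hmac, ipaddress

def _prf(key, label, *parts):
    """Keyed PRF: HMAC-SHA256 stands in for the slides' AES so only the stdlib is needed."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def gf2_inverse(rows, n):
    """Gauss-Jordan over GF(2); rows[i] is row i as an int (bit k = column k). None if singular."""
    a, inv = list(rows), [1 << i for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r] >> col & 1), None)
        if piv is None:
            return None
        a[col], a[piv], inv[col], inv[piv] = a[piv], a[col], inv[piv], inv[col]
        for r in range(n):
            if r != col and a[r] >> col & 1:
                a[r], inv[r] = a[r] ^ a[col], inv[r] ^ inv[col]
    return inv

def matvec(rows, x):
    """Binary matrix times bit vector: output bit i = parity(row_i AND x)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))

class FNRLike:
    """n-bit cipher (even n): PwIP(x) = A.x XOR B, balanced Feistel, then inverse PwIP."""
    def __init__(self, key, n, rounds=7):
        assert n % 2 == 0, "this example handles balanced (even-length) inputs only"
        self.key, self.rounds, self.half = key, rounds, n // 2
        self.mask, self.hmask = (1 << n) - 1, (1 << n // 2) - 1
        attempt = 0
        while True:  # draw A from the PRF until it is invertible (about 29% of draws are)
            self.A = [int.from_bytes(_prf(key, b"A", bytes([attempt, i])), "big") & self.mask
                      for i in range(n)]
            self.Ainv = gf2_inverse(self.A, n)
            if self.Ainv is not None:
                break
            attempt += 1
        self.B = int.from_bytes(_prf(key, b"B"), "big") & self.mask

    def pwip(self, x):
        return matvec(self.A, x) ^ self.B

    def pwip_inv(self, y):
        return matvec(self.Ainv, y ^ self.B)

    def _f(self, tweak, i, r):
        """Round function: PRF over (tweak, round index, right half), cut to a half block."""
        d = _prf(self.key, b"round", tweak, bytes([i]), r.to_bytes(8, "big"))
        return int.from_bytes(d, "big") & self.hmask

    def encrypt(self, x, tweak):
        l, r = divmod(self.pwip(x), 1 << self.half)
        for i in range(self.rounds):
            l, r = r, l ^ self._f(tweak, i, r)
        return self.pwip_inv((l << self.half) | r)

    def decrypt(self, y, tweak):
        l, r = divmod(self.pwip(y), 1 << self.half)
        for i in reversed(range(self.rounds)):  # undo the rounds in reverse order
            l, r = r ^ self._f(tweak, i, l), l
        return self.pwip_inv((l << self.half) | r)

def luhn_check_digit(payload):
    """Luhn check digit for a digit string; doubling starts at the rightmost payload digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str(-total % 10)

def ipv4_via(op, addr, tweak):
    """Rank dotted quad -> 32-bit int, apply op (c32.encrypt or c32.decrypt), derank."""
    return str(ipaddress.IPv4Address(op(int(ipaddress.IPv4Address(addr)), tweak)))

CARD_DOMAIN = 10 ** 15  # 15 payload digits; 50 bits is the smallest width that covers it

def encrypt_card(c50, pan, tweak):
    """Rank by dropping the Luhn digit, encrypt (cycle walking until < 10**15, an
    assumption not in the slides), derank by appending a fresh Luhn digit."""
    if len(pan) != 16 or not pan.isdigit() or luhn_check_digit(pan[:-1]) != pan[-1]:
        raise ValueError("expected a 16-digit Luhn-valid card number")
    y = c50.encrypt(int(pan[:-1]), tweak)
    while y >= CARD_DOMAIN:
        y = c50.encrypt(y, tweak)
    return f"{y:015d}" + luhn_check_digit(f"{y:015d}")

def decrypt_card(c50, pan, tweak):
    x = c50.decrypt(int(pan[:-1]), tweak)
    while x >= CARD_DOMAIN:  # walk the same cycle backwards
        x = c50.decrypt(x, tweak)
    return f"{x:015d}" + luhn_check_digit(f"{x:015d}")
```

Usage: with a constructed key such as `bytes(range(16))` and a tweak, `ipv4_via(FNRLike(key, 32).encrypt, "10.1.2.3", tweak)` returns another dotted quad, and `encrypt_card(FNRLike(key, 50), "4539578763621486", tweak)` returns another 16-digit, Luhn-valid number; passing the outputs through `decrypt` and `decrypt_card` restores the inputs. This is the range-preservation property listed under Advantages. Note also that the same input under the same key and tweak always maps to the same output, which is the determinism listed under Disadvantages.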

Advantages

- No length expansion
- Range Preservation
- Arbitrary Length
- Key Length

No length expansion - The plaintext and the ciphertext have the same length. Having no ciphertext expansion avoids re-engineering packet formats, database columns etc.

Range Preservation - The encryption function produces ciphertext in the same range as the input values. This aids in designing format preservation for input domains.

Arbitrary Length - The design does not mandate any fixed input lengths. FNR is flexible for input domains between 32 and 128 bits.

Key Length - The key length does not depend on the input length; it depends only on the underlying PRF (here AES-128/256).

Disadvantages

- Performance
- Deterministic
- No Integrity

Performance - The use of matrices may add performance overhead.

No Integrity - FNR does not provide authentication or integrity protection.

Deterministic - Like all deterministic modes, FNR does not provide semantic security when used in ECB mode: the same plaintext under the same key and tweak always yields the same ciphertext.

