FNR - Arbitrary length small domain block cipher proposal - PowerPoint PPT Presentation

About This Presentation
Title:

FNR - Arbitrary length small domain block cipher proposal

Description:

FNR denotes Flexible Naor and Reingold. It can cipher small domain data formats like IPv4, Port numbers, MAC Addresses, Credit card numbers, any random short strings while preserving their input length. – PowerPoint PPT presentation

Number of Views:15
Slides: 26
Provided by: karunakarsaroj
Category: Other
Tags:

less

Transcript and Presenter's Notes

Title: FNR - Arbitrary length small domain block cipher proposal


1
Karunakar SarojM.TechIIT PATNA
  • FNR - Arbitrary length small domain block cipher
    proposal

2
Motivation
  • Traditional block ciphers work on fixed blocks of
    dataas an example, AES is well-defined for
    128/192/256 bits. But one of the issues is the
    need for paddingso if you need to encrypt small
    amounts of data you may end with a huge
    difference in input vs. output size. As an
    example, using AES/128 on ECB mode to encrypt an
    IPv4 address results in an input size of 32 bits,
    but an output size of 128 bits. This may not be
    desired for some applications. To address such
    needs, we have designed the FNR encryption
    scheme.
  • Variable Length Block Ciphers-
  • More useful
  • Storage gain (cloud storage would blow up)
  • Aids in preserving formats of the input
    (Port(16), IPv4(32), MAC (48) , IPv6 (128) etc.)

3
About
  • There is a compelling need for privacy of
    sensitive elds before data is shared with any
    cloud provider, semi-trusted vendors, partners
    etc.
  • This paper propose a practical flexible length
    small domain block cipher,FNR encryption scheme.
  • FNR denotes Flexible Naor and Reingold.
  • It can cipher small domain data formats like
    IPv4, Port numbers, MAC Addresses, Credit card
    numbers, any random short strings while
    preserving their input length.
  • While designing privacy for sensitive elds, it
    may be desirable to preserve the length of the
    inputs.
  • Small domain block ciphers are useful tool in
    designing privacy of sensitive data fields of
    smaller length (lt128 bits).

4
Design Goals
D G
Intellectual Property Free
Arbitrary length
Key Length
Supporting software platforms
Secure building blocks
Leveraging hardware support
5
Cont
  • Arbitrary length - Input domains of variable
    lengths need to be supported. For example,a
    system that consists of NetFlow would have
    dierent domains like IPv4, Port, IPv6 etc. all
    are of dierent lengths.
  • Key Length- A system might contain multiple
    domains of various lengths. If the key size is
    dependent on the input length, then managing key
    sizes of various lengths would be cumbersome. For
    this reasons key sizes should not depend on input
    length.
  • Secure building blocks- The building blocks used
    for such design should be considered secure. For
    example techniques based on Feistel Networks of
    Luby Racko constructions, Substitution and
    Permutation Networks of AES are considered good
    blue prints for block cipher designs.

6
Cont
  • Leveraging hardware support - Modern processors
    support AES at assembly level (say AES-NI of
    Intel and AMD). Such provisions should be
    leveraged for faster software implementations
  • Supporting software platforms- Due to the
    advances in cloud computing technology, privacy
    of smaller data fields may need to be implemented
    in variety of software platforms. For example
    browsers that run Java, JavaScript, thin clients
    based on REST interfaces etc. apart from
    ubiquitous C, CPP implementations. For this
    reason, variety of software platforms should be
    easily supportable.
  • Intellectual Property Free- Either the building
    blocks that are used in the block cipher design
    or the block cipher itself should be free from
    any intellectual property rights.

7
Useful Terms
  • Key- A 128 bit long secret key, K, is needed.
    This is used internally by Pseudo Random Function
    (PRF).
  • Tweak- A tweak, T, is like IV. It should be
    nearly n/2 bits length, where n is number of
    input bits.
  • A, B are two matrices- A is invertible binary
    matrix of N X N dimension. B is binary vector of
    1 X N dimension. Where N denotes number of bits
    in the input.
  • FNR, like any other block cipher, has two
    operations encryption and decryption. There are
    three inputs and an output for both of these
    operations. Typically the size of Plain text P is
    n bits such that n is in between 32 to 128 bits.

8
Feistel Cipher Structure
  • The plaintext is divided into two halves L0 and
    R0. Then the two halves pass through n rounds of
    processing then combine to produce the cipher
    block.
  • Each round has as input L and R derived from
    the previous round as well as a sub-key derived
    from the overall K .
  • All rounds have the same structure.
  • A substitution is performed on the left half of
    the data. This is done by applying a round
    function to the right half of the data followed
    by the XOR of the output of that function and the
    left half of the data.
  • Feistel is symmetric structure to construct block
    ciphers. One round of Feistel is a 2n bit
    permutation d with an n bit round function as
    defined below

9
Cont
  • An r round Feistel network is simply the
    composition of r one round Feistel structures,
    transforming r n-bit functions f1, f2,fr into a
    2n bit permutation

Pseudorandom Function
10
Pairwise Independent Random Variables
11
Cont
  • Pair-wise Independent Permutations (PwIP)
    Algorithm -

(Output, B)
12
  • Inverse PwIP Algorithm-

13
Two Round FNR
14
FNR Encryption
15
FNR Decryption
16
FNRs Security Measure
Security
  • Security of LR (Luby Rackoff) schemes under went
    rigorous analysis by the community over many
    years.
  • Also usage of PWIP is later proven to mitigate
    basic linear and differential cryptanalysis.

Round Count
Round Functions
17
Cont
  • Round Functions- If assume that the AES output
    for any given input is uniformly distributed,
    that means the AES output bits we actually use in
    the Feistel will be independent between even and
    odd rounds if the attacker could engineer a
    collision with probability 1 the fact that the
    collision probability between even and odd round
    is actually considerably smaller turns out to be
    irrelevant.
  • Round Count- A minimum of 7 rounds are needed to
    mitigate adaptive chosen plaintext and chosen
    ciphertext attacks due to Patarin's proof.
  • The security measure of block ciphers is
    based on the probability with which an attacker
    can distinguish the ciphertext from a random
    text. Although our PwIP is different from theirs,
    without loss of generality, holds good for FNR.

18
Cont
  • Security measure using PwIP functions
  • Classic fiestel network without PwIP
  • Where r is round count, n is number of bits of
    input domain, m is number of queries an attacker
    needs to make.
  • So for example an input domain of 32 bits and
    round count of 7, it requires approximately 8757
    pairs of plain text and cipher text. Where as
    without the use of PwIP functions attacker just
    needs around 950 pairs of plain text and cipher
    text.

19
FPE (Format Preserving Encryption) on Test Vector
Plain Text
Rank
Encrypt
Derank
Cipher Text
20
Cont
  • IPv4 addresses- Each IPv4 is ranked as 32 bit
    integer before it is encrypted, the resultant
    cipher text is a 32 bit integer which is
    de-ranked into a dotted notation.

21
Cont
  • Credit card numbers- Each CC number is ranked as
    15 digit number by dropping the LUHN CHECKSUM.
    The ranked integer is then encrypted to get a
    cipher text that is again 15 digit number. Such
    integer is de-ranked by appending a LUHN CHECKSUM
    at the end into a valid Credit card number.

22
Advantages Disadvantages
Advantages
No length expansion
Key Length
Range Preservation
Arbitrary Length
23
Cont
  • No length expansion -The length of plain text and
    cipher text is same. No expansion in cipher text
    facilitates avoiding re-engineering of packet
    formats, database columns etc.
  • Range Preservation- The encryption function
    results in the cipher which is in the same range
    of input values. This aides in designing format
    preservation of input domains.
  • Arbitrary Length -The design does not mandate any
    xed input lengths. FNR is flexible for input
    domains that are 32 bits and 128 bits.
  • Key Length -The key length is not dependent on
    the input length and rather depends on underlying
    PRF (in this case AES-128/256).

24
Disadvantages
Performance
Deterministic
No Integrity
25
Cont
  • Performance- The usage of matrices might add
    performance over head.
  • No Integrity - FNR does not provide
    authentication and integrity.
  • Deterministic- FNR does not provide any
    semantic security when used in ECB mode (like all
    other deterministic modes)
Write a Comment
User Comments (0)
About PowerShow.com