probabilitiesubuntutweak
ubuntutweak 时间:2021-04-01 阅读:(
)
TheAuthenticatedCipherMORUS(v2)15Sep,2016Designers:HongjunWu,TaoHuangSubmitters:HongjunWu,TaoHuangContact:wuhongjun@gmail.
comDivisionofMathematicalSciencesNanyangTechnologicalUniversity,SingaporeTableofContents1Introduction.
32SpecicationofMORUS32.
1Preliminaries32.
1.
1Operations32.
1.
2NotationsandConstants42.
2Parameters42.
3Recommendedparametersets52.
4ThestateupdatefunctionofMOURS52.
5MORUS-64072.
5.
1TheinitializationofMORUS-64072.
5.
2Processingtheassociateddata72.
5.
3TheencryptionofMORUS-64092.
5.
4ThenalizationofMORUS-64092.
5.
5ThedecryptionandvericationofMORUS-64092.
6MORUS-1280.
102.
6.
1TheinitializationofMORUS-1280102.
6.
2Processingtheassociateddata112.
6.
3TheencryptionofMORUS-1280112.
6.
4ThenalizationofMORUS-1280113SecurityGoals124SecurityAnalysis124.
1Thesecurityoftheinitialization124.
1.
1Algebraicdegree124.
1.
2Dierentialcryptanalysis124.
2Thesecurityoftheencryptionprocess144.
3Thesecurityofmessageauthentication144.
3.
1Internalstatecollision144.
3.
2Attacksonthenalization165Features166Performance.
176.
1Softwareperformance176.
2Hardwareperformance177Designrationale187.
1Stateupdatefunction187.
2Encryptionandauthentication187.
3Selectionofrotationconstants198Changes198.
1ChangesfromMORUSv1.
1toMORUSv2198.
2ChangesfromMORUSv1toMORUSv1.
1209Intellectualproperty.
2010Consent2031IntroductionInthisdocument,wespecifytheMORUSfamilyofauthenticatedcipherswithtwodierentinternalstatesizes:640bitsand1280bits,andtwodierentkeysizes:128bitsand256bits.
ThreeMORUSalgorithms–MORUS-640-128,MORUS-1280-128,andMORUS-1280-256arerecommendedinthisspecica-tion.
MORUSisadedicatedauthenticatedcipher.
Ithasthreeparametersets,includingMORUS-640-128,MORUS-1280-128,MORUS-1280-256.
TheinternalstatesizeofMORUSiseither640bitsor1280bits.
Thekeysizecanbe128bitsor256bits.
MORUSusesa128-bitnoncewhichshouldnotbereusedwithoutchangingthekey.
A128-bittagisusedinMORUSforauthentication.
ThedesignofMORUSisbasedonthemethodofdesigningstreamciphers,whichhassmallnumberofoperationsinthestateupdatefunction.
Moreover,wecarefullychoosetheoperationswhichcanbeecientlyimplementedwiththeSIMDinstructions.
MORUSisecientinsoftware.
ThespeedofMORUS-1280canreach0.
69cpbusingIntelHaswellprocessor.
ThisisevenfasterthanAES-128-GCMwithAES-NI.
Tothebestofourknowledge,MOURSisthefastestauthenticatedcipherwithoutusingtheAES-NIinstruction.
MORUSisecientinhardware.
OnlylogicgateAND,XORandrotationsareusedinMORUS.
Theseoperationscanbeecientlyimplementedinhard-ware.
UsingtheCAESARhardwareAPI[5],MORUS-1280-128reaches96Gbit/sinXilinxVirtex-7FPGA.
InDIAC2015,MuehlberghuberandG¨urkaynakpre-sentedthatthespeedofASICimplementationofMORUSstateupdatefunctioncouldreachabove250Gbit/s[8].
Thisdocumentisorganizedasfollows.
TheMORUSspecicationisintro-ducedinSection2.
ThesecurityofMORUSisdiscussedinSection3andSection4.
ThefeaturesofMORUSarediscussedSection5.
TheperformanceofMORUSisgiveninSection6.
ThedesignrationaleisgiveninSection7.
2SpecicationofMORUS2.
1Preliminaries2.
1.
1OperationsThefollowingoperationsareusedinMORUS::bit-wiseexclusiveOR.
&:bit-wiseAND.
:concatenation.
>>:rotationtotheright.
x:ceilingoperation,xisthesmallestintegernotlessthanx.
Rotl12832(x,n):Dividea128-bitblockxinto432-bitwords,rotateeachwordleftbynbits.
Rotl25664(x,n):Dividea256-bitblockxinto464-bitwords,rotateeachwordleftbynbits.
42.
1.
2NotationsandConstantsThefollowingnotationsandconstantsareusedinMORUS:0n:nbitsof'0's.
1n:nbitsof'1's.
AD:associateddata(thisdatawillnotbeencryptedordecrypted).
AD128i:a16-byteassociateddatablock(thelastblockmaybeapartialblock).
AD256i:a32-byteassociateddatablock(thelastblockmaybeapartialblock).
adlen:bitlengthoftheassociateddatawith0≤adlen>>w(i1)mod5)mi)Noticethatmiistheplaintextblockusedineachstepandmi=0ifi=0mod5.
AndthedierenceinplaintextwillinjecttoRound2andbethesameinRound3-5.
Toeliminatethedierenceaftertwosteps,weneedthatCV6,CV10havenodierence.
Inourstudy,wewillfocusonfollowingtwoconditions:1:NodierenceatCV6.
ThisisbecauseCV6iscompletelydeterminedbythepreviousstateelementsandhasnothingtodowiththeplaintextblockinthesecondstep.
2:ForeachdierenceatbitiinCV3orCV4theremustbeadierenceatbitiinCV5.
Otherwise,isimpossibletoeliminatethedierenceusingthedierenceinthesecondplaintextblock.
Thenwesearchedtheinputdierencebitstondalowerboundforthenumberofbitswithdierence(activebits)intheinput.
Wefoundthatfortheinputdierencewithweightlessthanorequalto25,thereisnovalid10-rounddierentialcharacteristicsforMORUS.
Nowwemayevaluatetheboundforthedierentialprobabilities.
Wheninputdierenceisnbits,therearenbitsdierencesatCV2,CV3andCV5.
SinceeachbitdierencewillbeinvolvedintwoANDoperations,andeachANDoperationononebithasdierentialprobability21,thedierentialprobabilityisatmost25n(5ANDoperationsforCViandCVi+1,i=1,2,3,4,5).
Thedierentialprobabilityislessthan226*5=2130.
Next,weconsiderthecasethattheinputdierencegeteliminatedin3steps.
Ifthereare3activebitsintheinput,thedierentialprobabilityafter3stepsis2132byourapproximation.
Notethatthedierenceisnoteliminatedthroughtheapproximation.
Muchstrongerconditionsareneededtoeliminatethedif-ferences.
Hencetheprobabilitythattheinputdierencegeteliminatedafter3stepswillbemuchlowerthan2132whenthenumberofactivebitsis3.
Whenweincreasethenumberofactivebitsintheinput,thetrendistoincreasetheweightofactivebitsinthestates,whichwecanobserveinthepreviouscases.
Intuitively,thiscanbeexplainedaswhentheweightofactivebitsislow,thenumberofnewactivebitsexceedsthenumberofactivebitsgeteliminated.
Andwhentheweightishighenoughsuchthatthenumberofeliminatedactivebitsexceedsthenewactivebits,wecanexpecttheoverallweightwillbemuchhigherthanthesingledierencecaseintherst3steps.
Hence,althoughitisimpossi-bletoenumeratealltheinputdierences,webelievethatthereisnodierentialcharacteristicwithprobabilityhigherthan2128whichcaneliminatetheinputdierencein3steps.
Nowwedealwiththecasesthatthenumberofactivebitsintheinputislessthanthree.
16-Onlyoneactivebitintheinput.
Sincethepositionofactivehasnoimpactonthedierentials,weassumetheactivebitisatbit0.
Then,wepropagatethedierenceupto3steps(15rounds),assumingnoinputdierenceatnexttwosteps.
Now,weenumeratetheinputdierenceatstep2suchthatfollowingtwoconditionsaresatised:1.
ThereisnodierenceatRound11.
Again,itisbecausethedierencecannotbeeliminatedthroughthemessageinstep3.
2.
TheactivebitsatCV10coverstheactivesbitsatCV8andCV9.
Oursearchshowthatevenifweincreasethenumberofactivebitsto20intheinputofthesecondstep,itisimpossibletondadierentialcharacter-isticsatisedtheaboveconditions.
Withsimilarevaluationofprobability,andtakeconsiderationtothedierentialprobabilityintroducedbytheini-tialdierence,wecanconcludethattheprobabilitythattheinternalstatecollisionislessthan2128inthiscase.
-Twoactivebitsintheinput.
Byourapproximation,thedierentialproba-bilityisatleast2101foranytwoactivebitspropagateto3steps.
Wethinkitissafetoconsidertheprobabilityforinternalstatecollisiontobelessthan2128ifthenumberofactivebitsinthesecondstepislargerthan20,inspitethatsomedierenceintheinternalstatemaybecanceledeachother.
Inoursearch,wexonebitdierenceatbit0andtrytoimposeadierenceattheother127possiblepositions.
Andthesearchresultconrmsthatnovaliddierentialcharacteristicisfoundwhenthenumberofactivebitsislessthan21.
Now,considertherestcases:thedierencegeteliminatedafteratleast4steps.
Ifthereisonebitdierenceattheinput,thedierentialprobabilityisatleast2196usingourapproximation,whichismuchlowerthan2128.
Andifwewanttoeliminatethedierences,moreconditionsarerequired.
Hence,itisreasonabletoconsidertheprobabilitytoeliminatedtheinternaldierenceinthesecasestobelessthan2128.
Thisconcludeouranalysiswhentheinternalstatecollisionisconstructedthroughinjectionofplaintextdierences.
4.
3.
2AttacksonthenalizationInadditiontotheinternalstatecollision,whenthereisadierenceintheinternalstatebeforethenalization,thedierentialprobabilityislessthan2256after10rounds(accordingtotheanalysisgiveninSection4.
1.
2).
Hence,thedierenceatthetagisunpredictableinthiscase.
5FeaturesMORUShasthefollowingadvantages:171.
MORUSisecientinsoftware.
Accordingtotheprevioussection,thespeedofMORUS-1280is0.
69cpbonIntelHaswellprocessorsforlongmessages,whichisaround30%fasterthanAES-GCM[6].
2.
MORUSisfastinhardwareperformance.
InMORUS,thecriticalpathtogenerateakeystreamblockis3ANDgatesand8XORgates.
3.
MORUSisecientacrossplatforms.
Inconstructingauthenticatedencryp-tionschemes,AESisfrequentlyusedasabuildingblock.
Thereareau-thenticatedencryptionmodessothattheAEScanbeusedasunderlyingblockcipher,e.
g.
,EAX[1],CCM[10],GCM[6]andOCB2.
0[9].
Anum-berofdedicatedAEschemesuseAESroundfunction,e.
g.
,AEGIS[11]andALE[3].
TheseschemescanbenetfromtheAES-NIwhichperformsoneroundAESencryption/decryptioninasingleinstruction.
Ontheotherhand,althoughthewidelyuseofAES,thereareplatformswhichdonotsupporttheAES-NIinstructionset.
TheperformanceofAESbasedauthenticatedencryptionschemeswillbenotablyslowerontheseplatforms.
Incontrast,theMORUSfamilyoeramoresteadyperformanceacrossplatformssinceitsperformancedoesnotrelyontheuseofAES-NIinstructionset.
4.
Secure.
MORUSprovides128-bitauthenticationsecurity,strongerthanAES-GCM.
6Performance6.
1SoftwareperformanceWeimplementedMORUSinCcode.
WetestedthespeedontheIntelCorei7-4770processor(Haswell)running64-bitUbuntu13.
01.
Turboboostisturnedointheexperiment.
Thecompilerbeingusedisgcc4.
8.
1,andtheoptions"-O3-mavx2"areused.
Thetestisperformedbyencrypting/decryptingamessagerepeatedly,andprintingoutthenalmessage.
Toensurethatthetaggenerationisnotremovedduringthecompileroptimizationprocess,weusethetagastheIVforprocessingthenextmessage.
Toensurethatthetagvericationisnotremovedduringthecompileroptimizationprocess,wesumupthenumberoffailedvericationsandprintoutthenalresult.
Table5showsthespeedcomparisonoftheMORUS.
Forlongmessage,thespeedofMORUS-640andMOURS-1280isabout1.
19cpband0.
69cpb,respec-tively.
ThespeedofMOURS-1280isfasterthanthatofAES-128-GCMontheHaswell,whichis1.
03cpb[4].
6.
2HardwareperformanceMORUSisdesigntobeecientinhardwareimplementation.
WeimplementedMORUS-1280-128usingtheCAESARhardwareAPIproposedbyHomsirikamoletal.
fromGMU[5].
OnmodernFPGAVertix-7,thefrequencyofMORUSis367.
6MHz,using1179slices(4122LUTs)inarea.
ThethroughputofMORUS-1280forlongmessageis94,117Mbits/s.
18Table5:Thespeedcomparison(incyclesperbyte)fordierentmessagelengthonIntelHaswell.
EAmeansencryption-authentication;DVmeansdecryption-verication.
16B64B512B1024B4096B16384BMORUS-640(EA)40.
6410.
352.
301.
721.
301.
19MORUS-640(DV)38.
4710.
132.
301.
721.
291.
18MORUS-1280(EA)45.
3210.
381.
851.
240.
800.
69MORUS-1280(DV)45.
7410.
661.
911.
280.
810.
70InDIAC2015,MuehlberghuberandG¨urkaynakprovidedASICimplementa-tionresultsofMORUSandanumberofotherhardware-ecientauthenticatedciphers,includingAES-128-GCM,ICEPOLE,AEGIS,NORX,Tiaoxin-346[8].
ThethroughputoftheMORUSstateupdatefunctionisabove250Gbit/sforlongmessage.
Thethroughput/Arearatioismorethan8000kbps/GE.
Bothresultsarethehighestamongthoseauthenticatedciphers.
7DesignrationaleInourdesignofMORUS,wearetryingtodesignafastauthenticatedcipherwhichisnotbasedonAESsothatthisciphercanrunfastinplatformswithnoAES-NI.
Ourdesignisaimedatachievingthefollowinggoals:-Simple-Secure-Fastinhardware-Ecientinsoftware-AvoidusingAESroundfunction7.
1StateupdatefunctionTheconstructionofstateupdatefunctionofMORUSisbasedon5smallroundfunctionswithsimilaroperations.
Ineachroundfunction,onlyXOR,ANDandrotationsareused.
ThediusionofMORUSisfromtwotypesofrotations:therotationsonthewholeregisters(<<<)andtherotationsonfourpartialwordsinsidearegister(Rotlxxxyy).
ThelateroperationtakesadvantageoftheSSE2andAVXinstructionsinwhichtheshiftsonfourwordcanbedoneinonein-struction.
WechoosetheANDnon-linearfunctionsinceitcanbeeasilyandecientlyimplementedinbothsoftwareandhardware.
Twointernalstateele-mentsgetupdatedinaroundfunction.
Hence,everyinternalstateelementwillgetupdatedtwiceinastep.
ItisremarkablethatMORUSisconstructedusingsimplebit-wiseoperations,whichmakesitfastinhardwareimplementations.
7.
2EncryptionandauthenticationTheencryptionofMORUSadoptsthemethodusedinstreamciphers.
Thekeyandnoncearemixedintothestateduringinitializationandafterthat,thecipher19generateskeystreamsandXORsthekeystreamswiththeplaintexttoproduceciphertext.
InMORUS,messageblocksareinjectedintoitsstateupdatefunctionsoastoauthenticatethemessagesimultaneouslywiththeencryption.
IntheinitializationofMORUS,weuse16stepsofstateupdatefunction(80rounds).
Thisistoensurethestatecannotberecoveredandthedierentialprobabilityissmallaftertheinitialization.
Inthenalization,weintroduceanextraXORoperationtodistinguishthenalizationfromtheencryptionandweuseasimilarmethodasusedinAEGIS:mixingthelengthofassociateddataandplaintextisXORedtooneoftheinternalstateelementsandusedasamessageblocktoupdatethestatesfor8steps.
Inthisway,anychangeintheinternalstateorthelengthofmessagewillbeinvolvedincomputingthetag.
7.
3SelectionofrotationconstantsThediusioninMORUSreliesonthe10rotations.
Therefore,therotationcon-stantsneedtobecarefullychosen.
Weusefollowingrulesintheselectionofrotationsconstants:1.
Therotationconstantsshouldexcludethemultiplesof8.
2.
Norotationconstantshouldbeamultipleofanotherrotationconstant.
3.
Thesumofanytwoconstantsmodular32(or64forMORUS-1280)isnotequalto0oranotherconstant.
Weenumeratethepossiblechoicesofrotationconstantssatisfyingtheaboverequirementsandpropagatea1-bitdierenceonmessagetocounttheweightafterfourstepsforMORUS-640andvestepsforMORUS-1280.
Thenweselectasetoftherotationconstantswhichresultsinhighweight.
Thedesignershavenothiddenanyweaknessesinthiscipher.
8Changes8.
1ChangesfromMORUSv1.
1toMORUSv2MinormodicationsinthenalizationofMORUS.
ThestateSu+v3isre-movedinthecomputationofthemessageword.
Thetaggenerationischangedtothesamewayasthekeystreamgeneration.
ThesechangesareaimedtoimprovethehardwareeciencyofMORUS.
Thenumberofstepsusedinnalizationisincreasedfrom8to10,whichimprovesthesecuritymarginofMORUSnalization.
MoreexplanationsinthesecurityanalysisofMORUSinitializationand-nalizationareadded.
ThehardwareperformanceofMORUSisadded.
Someeditorialchanges.
208.
2ChangesfromMORUSv1toMORUSv1.
1ThereisnotweakofMORUSinthesecondroundofCAESARcompetition.
WecorrectedtheFig.
1ofthestateupdatefunctionandafewtyposinthisdocumentversion.
9IntellectualpropertyMOURSisnotpatentedanditisfreeofintellectualpropertyrestrictions.
Ifanyofthisinformationchanges,thesubmitter/submitterswillpromptly(andwithinatmostonemonth)announcethesechangesonthecrypto-competitionsmailinglist.
10ConsentThesubmitter/submittersherebyconsenttoalldecisionsoftheCAESARse-lectioncommitteeregardingtheselectionornon-selectionofthissubmissionasasecond-roundcandidate,athird-roundcandidate,analist,amemberofthenalportfolio,oranyotherdesignationprovidedbythecommittee.
Thesub-mitter/submittersunderstandthatthecommitteewillnotcommentontheal-gorithms,exceptthatforeachselectedalgorithmthecommitteewillsimplycitethepreviouslypublishedanalysesthatledtotheselectionofthealgorithm.
Thesubmitter/submittersunderstandthattheselectionofsomealgorithmsisnotanegativecommentregardingotheralgorithms,andthatanexcellentalgorithmmightfailtobeselectedsimplybecausenotenoughanalysiswasavailableatthetimeofthecommitteedecision.
Thesubmitter/submittersacknowledgethatthecommitteedecisionsreectthecollectiveexpertjudgmentsofthecommitteemembersandarenotsubjecttoappeal.
Thesubmitter/submittersunderstandthatiftheydisagreewithpublishedanalysesthentheyareexpectedtopromptlyandpubliclyrespondtothoseanalyses,nottowaitforsubsequentcommitteedecisions.
Thesubmitter/submittersunderstandthatthisstatementisrequiredasaconditionofconsiderationofthissubmissionbytheCAESARselectioncommittee.
References1.
M.
Bellare,P.
Rogaway,andD.
Wagner.
TheEAXmodeofoperation.
InFastSoftwareEncryption,pages389–407.
Springer,2004.
2.
E.
BihamandA.
Shamir.
DierentialCryptanalysisoftheDataEncryptionStan-dard.
Springer-Verlag,London,UK,UK,1993.
3.
A.
Bogdanov,F.
Mendel,F.
Regazzoni,V.
Rijmen,andE.
Tischhauser.
ALE:AES-BasedLightweightAuthenticatedEncryption.
InFastSoftwareEncryption,2013.
4.
S.
Gueron.
AES-GCMsoftwareperformanceonthecurrenthighendCPUsasaperformancebaselineforCAESAR.
DIAC2013:DirectionsinAuthenticatedCiphers,Augest2013.
215.
E.
Homsirikamol,W.
Diehl,A.
Ferozpuri,F.
Farahmand,P.
Yalla,J.
-P.
Kaps,andK.
Gaj.
CAESARHardwareAPI.
CryptologyePrintArchive,Report2016/626,2016.
http://eprint.
iacr.
org/2016/626.
6.
D.
McGrewandJ.
Viega.
TheGalois/CounterModeofOperation(GCM).
http://csrc.
nist.
gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.
pdf.
7.
A.
Mileva,V.
Dimitrova,andV.
Velichkov.
AnalysisoftheAuthenticatedCipherMORUS(v1),pages45–59.
SpringerInternationalPublishing,Cham,2016.
8.
M.
MuehlberghuberandF.
K.
G¨urkaynak.
TowardsEvaluatingHigh-SpeedASICImplementationsofCAESARCandidatesforDataatRestandDatainMotion.
WorkshoponDirectionsinAuthenticatedCiphers(DIAC)2015,2015.
9.
P.
Rogaway.
EcientInstantiationsofTweakableBlockciphersandRenementstoModesOCBandPMAC.
InAdvancesinCryptology–ASIACRYPT2004,pages16–31.
Springer,2004.
10.
D.
Whiting,R.
Housley,andN.
Ferguson.
CounterwithCBC-MAC(CCM).
Avail-ablefromhttp://csrc.
nist.
gov/groups/ST/toolkit/BCM/documents/proposedmo-des/ccm/ccm.
pdf,2003.
11.
H.
WuandB.
Preneel.
AEGIS:AFastAuthenticatedEncryptionAlgorithm.
SelectedAreasinCryptography–SAC2013,2013.
台湾云服务器去哪里买?国内有没有哪里的台湾云服务器这块做的比较好的?有很多用户想用台湾云服务器,那么判断哪家台湾云服务器好,不是按照最便宜或最贵的选择,而是根据您的实际使用目的选择服务器,只有最适合您的才是最好的。总体而言,台湾云服务器的稳定性确实要好于大陆。今天,云服务器网(yuntue.com)小编来介绍一下台湾云服务器哪里买和一年需要多少钱!一、UCloud台湾云服务器UCloud上市云商,...
wordpress简洁英文主题,wordpress简洁通用大气的网站风格设计 + 更适于欧美国外用户操作体验,完善的外贸企业建站功能模块 + 更好的移动设备特色模块支持,更高效实用的后台自定义设置 + 标准高效的代码程序功能结构,更利于Goolge等国际搜索引擎的SEO搜索优化和站点收录排名。点击进入:wordpress简洁通用型高级外贸主题主题价格:¥3980 特 惠 价:¥1280安装环境:运...
可以看到这次国庆萤光云搞了一个不错的折扣,香港CN2产品6.5折促销,还送50的国庆红包。萤光云是2002年创立的商家,本次国庆活动主推的是香港CN2优化的机器,其另外还有国内BGP和高防服务器。本次活动力度较大,CN2优化套餐低至20/月(需买三个月,用上折扣+代金券组合),有需求的可以看看。官方网站:https://www.lightnode.cn/地区CPU内存SSDIP带宽/流量价格备注购...
ubuntutweak为你推荐
冯媛甑尸城女主角叫什么名字xyq.163.cbg.com梦幻西游里,CBG是什么?在那里,能帮忙详细说一下吗杨丽晓博客杨丽晓今年高考了吗?www.175qq.com求带名字的情侣网名!www.dm8.cc有没有最新的日本动漫网站?猴山条约游猴山,观猴子长房娇人物描写片段,不用太长,150字左右,要有出处!急!!!!!达林赞雅请问佛教迦雅是什么意思啊源代码求一个C++的完整源代码,简单一点的?关键词挖掘关键词挖掘的作用有那些?
国外虚拟主机 域名中介 韩国vps 主机测评 dns是什么 瓦工 哈喽图床 好看的桌面背景图片 建站代码 商务主机 dux howfile 腾讯实名认证中心 phpmyadmin配置 ftp免费空间 www789 太原联通测速 独立主机 lamp什么意思 注册阿里云邮箱 更多