Whirlpool R-94 Manuel d'utilisateur

STRIBOB : Authenticated Encryptionfrom GOST R 34.11-2012 LPS or WhirlpoolMarkku-Juhani O. [email protected] University of Science and

DuplexWrap (basic Sponge Æ Scheme) BoundsTheoremThe DuplexWrap and BLNK authenticated encryption modes satisfythe following privacy and authentication

STRIBOB: Sponge Permutation πFor some vector of twelve 512-bit subkeys Ciwe define a 512-bitpermutation πC(X1) = X13with iterationxi+1= LPS(Xi⊕ Ci) fo

Easy Security ReductionTheoremIf πC(x) can be effectively distinguished from a random permutationfor some Ci, so can gN(h, x) for any h and N .Proof.I

Security Reduction ExplainedSTRIBOB: Just replace C with K in π:LPSK1LPSK2LPS LPSK3K12x0xx0= πK(x)Streebog: We have gN(h, x) ⊕ x ⊕ h = πK(x ⊕ N ):LPS

WHIRLBOB Variant (STRIBOBr2d2)Whirlpool is a NESSIE final portfolio algorithm and an ISOstandard. If STRIBOB is accepted to R2, we will add a variant

STRIBOB Software PerformanceSTRIBOB requires 12 LPS invocations per 256 bits processedwhereas Streebog requires 25 LPS invocations per 512 bits:STRIBO

Briefly about FPGA ImplementationsTotal logic on Xilinx Artix-7: WHIRLBOB: 4,946, Keyak 7,972Report on these & a Proposal for CAESAR HW/SW API:&qu

Mikko Hypponen, CRO of F-Secure, 29 Apr 2014.▶Implementation of secure links over TCP using the BLNKprotocol. Can be used as a secure replacement for

Originally written to debug real-world BLNK..$ ./stricat -hstricat: STRIBOB / Streebog Cryptographic Tool.(c) 2013-4 Markku-Juhani O. Saarinen <mjo

References..Sa14a "Beyond Modes: Building a Secure Record Protocol from aCryptographic Sponge Permutation" CT-RSA 2014, IACR ePrint2013/772.

STRIBOB Ideas▶Security bounds derived from Sponge Theory.▶Well-understood fundamental permutation: Security reduction toStreebog or Whirlpool, with ro

History & Real World CryptoStewed beef, GOST 5284-84GOST Spama.k.a. Tushonka▶28149-89 Block Cipher (KGB, 1970s)▶R 34.11-94 was a hash (based on281

GOST R 34.11-2012 "Streebog"Streebog is a (non-keyed) hash function that produces a 256-bit or512-bit message digest for a bit string of arb

GOST Streebog: Computing h(M)g0g512g1024g512nm0m1m2padmng0|M|g0total length“checksum”h(M)· · ·Pni=0mi(mod 2512)h = 0 = 0M =Padded message M is proces

Streebog: The Compression Function gN(h, m)LPS LPSLPSLPSLPSLPSLPSLPSLPShmh0C3NC2C1C124, 5, · · · , 11h0= gN(h, m)K12K3K2K1N: bit offset h: chaining va

Streebog: LPS = L ◦ P ◦ S = L(P (S(x)))S S S S S S S SS S S S S S S SS S S S S S S SS SS SS S S S S S S SS S S S S S S SS S S S S S S S( byte transpos

vs.. Sponge Construction for Hashing (SHA3)▶Built from a b-bit permutation f (π) with b = r + c▶r bits of rate, related to hashing speed▶c bits of cap

vs.. Sponge-based Authenticated Encryption Æπ π π π π π πrcIVd0d···p1c1p···c···h0h···p0c0squeezing phaseencryption phaseabsorbtion phase1. Absorption.