Ruhr-Uni-Bochum

Joan Daemen (Radboud University Nijmegen)

"On Deck Functions"

Joan Daemen

Copyright: Joan Daemen

Abstract. Modern symmetric encryption and/or authentication schemes consist of modes of block ciphers. Often these schemes have a proof of security on the condition that the underlying block cipher is PRP or SPRP-secure: keyed with a fixed and unknown key it shall be hard to distinguish from a random permutation. The PRP and SPRP security notions have become so accepted that they are referred to as the standard model. (S)PRP security cannot be proven but thanks to this nice split in primitives and modes, the assurance of block-cipher based cryptographic schemes relies on public scrutiny of the block cipher in the simple standard scenario.

Security proofs of modes can become quite complicated and errors have been made. This complexity can be reduced if we add an input to the block cipher, a so-called tweak. The resulting primitive is called a tweakable block cipher and its (S)PRP security is tweakable (S)PRP. The presence of the tweak makes these primitives more costly for the same target security strength due to the increase in degrees of freedom for the adversary.Another approach is to abandon block ciphers altogether and replace them by permutations.

During the last decade a field of permutation-based cryptography has appeared that defines modes on top of these primitives and many new permutations are proposed. At their core these modes often have a duplex-like construction and its parallel nephew, farfalle. However, while it is reasonable to assume one can build a block cipher that is (S)PRP secure it is impossible to formalize what it means for a permutation to behave like an ideal permutation. We show that permutation-based crypto can have its own standard model with (keyed) duplex functions or farfalle-based functions at their center, both instances of what we call deck functions and the standard model is the pseudorandom function (PRF) security of deck functions.

Modes can be defined in terms of deck functions and can be proven secure in the setting where the keyed deck function is hard to distinguish from a random oracle. The PRF security of the deck function is the subjec of public scrutiny.In this talk I will discuss some modes on top of deck functions and some concrete deck functions.

Biography. After graduating in electromechanical engineering Joan Daemen was awarded his PhD in 1995 from KU Leuven. After his contract ended at COSIC, he privately continued his crypto research and contacted Vincent Rijmen to continue their collaboration that would lead to the Rijndael block cipher, and this was selected by NIST as the new Advanced Encryption Standard in 2000. After over 20 years of security industry experience, including work as a security architect and cryptographer for STMicroelectronics, he is now a professor in the Digital Security Group at Radboud University Nijmegen.

He co-designed the Keccak cryptographic hash function thate was selected as the SHA-3 hash standard by NIST in 2012 and is one of the founders of the permutation-based cryptography movement and co-inventor of the sponge, duplex and farfalle constructions. In 2017 he won the Levchin Prize for Real World Cryptography and in 2020 the RSA award for excellence in mathematics. In 2018 he was awarded an ERC advanced grant called ESCADA and an NWO TOP grant called SCALAR, both for design and analysis of symmetric crypto.

Zum Youtube-Video