CAESAR candidate ICEPOLE

Transcription

1 . CAESAR candidate ICEPOLE Pawel Morawiecki 1,2, Kris Gaj 3, Ekawat Homsirikamol 3, Krystian Matusiewicz 4, Josef Pieprzyk 5,6, Marcin Rogawski 7, Marian Srebrny 1,2, and Marcin Wojcik 8 Polish Academy of Sciences, Poland 1 ; University of Commerce, Poland 2 ; George Mason University, USA 3 ; Intel, Gdansk, Poland 4 ; Queensland University of Technology, Australia 5 ; Macquarie University, Australia 6 ; Cadence Design Systems, USA 7 ; University of Bristol, United Kingdom 8 DIAC 2014: Directions in Authenticated Ciphers DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 1 / 29

2 Co-authors DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 2 / 29

3 Outline 1 Introduction and Motivation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 3 / 29

4 Introduction and Motivation Multiple Internet protocols require authenticated encryption: IPSec/TLS/SSL etc. High-speed hardware-oriented cipher with authentication, more efficient that AES-GCM Existing frameworks/strategies for provably secure cryptographic schemes (e.g.: Sponge Construction etc.) CAESAR competition DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 4 / 29

5 ICEPOLE 101 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View based on duplex framework introduced by Bertoni et al. Duplexing the sponge: (...) Cryptology eprint archive 2011/499 high-speed hardware-oriented ICEPOLE permutation is the heart of our design family of authenticated encryption schemes with three parameters: key, nonce and SMN primary recommendation: ICEPOLE-128: 128-bit key and 128-bit nonce DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 5 / 29

6 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View Encryption and Tag Generation - Overview key nonce c o σ SMN σ AD c n σ P T pad pad pad P 12 P 6 P 6 P 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 6 / 29

7 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View ICEPOLE Internal State Organization 1280-bit internal state S organized into dwo-dimensional array S[4][5] each element of array is a 64-bit word S[x][y][z] refers to the bit z in the row x and the column y the mapping between a vector V and the S: V [64(x + 4y) + z] = S[x][y][z] DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 7 / 29

8 ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View ICEPOLE Round and P6, P12 Permutations R consists of five steps labelled by R = apple µ ICEPOLE Permutations Each P6-6 rounds step of ICEPOLE updates permutation the state as fol P12-12 rounds of ICEPOLE permutation µ: DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 8 / 29

9 Transformation: µ ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View onsists of five steps labelled by the Greek letters: µ (mu), (rho), (pi), (psi), apple (kapp R = apple µ h step updates the state as follows. µ: In the µ step bits are mixed through the MDS (Maximum Distance Separable) matrix. Ev bit slice is mixed through the matrix given below. Formally, a column vector (Z 0,Z 1,Z 2,Z ultiplied by a constant matrix producing a vector of four 5-bit words Z 0 2Z 0 + Z 1 + Z 2 + Z 3 B C BZ Z 2 A = BZ 0 + Z Z 2 +2Z 3 Z 0 +2Z 1 + Z Z 3 A Z 3 Z Z 1 +2Z 2 + Z 3 The operations are done in GF (2 5 ). Here the multiplication is defined as the multiplication GF(2 ary polynomials modulo 5 ) multiplication modulo x the irreducible polynomial 5 + x x There are only three disti s in the chosen matrix, namely 18, 2, 1 and they correspond to the polynomials x 4 + DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 9 / 29

10 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 10 / 29

11 Introduction 19. Junod, and P., Motivation Vaudenay, S.: Perfect di usion primitives for block ciphers. In: Selected Areas in Cryptograp Lecture Icepole Notes Design in Computer Science, vol. 3357, pp. ICEPOLE Springer (2004) 20. Khovratovich, D., Nikolić, I.: Rotational Basic Ingredients of ICEPOLE HWThe and SW operations Performanceare done in GF (2 5 cryptanalysis of ARX. In: Proceedings of the 17th internation conference on Fast software encryption. pp. ) Here Highthe Level LNCS, multiplication View Springer-Verlag is(2010) defined as the multip 21. Matsui, M., Yamagishi, A.: A new method for known plaintext attack binary polynomials modulo the irreducible polynomial x 5 of + x 2 feal cipher. In: EUROCRYPT. p + 1. There are only thr (1992) terms 22. Morawiecki, in the chosen P., Pieprzyk, matrix, J., Srebrny, namely M.: Rotational 18, 2, 1cryptanalysis and theyof correspond round-reducedto Keccak. the In: polynomia Fast Softwa x, andencryption. 1, respectively. LNCS, Springer The µ (2013) step can be e ciently implemented with simple bitwise 23. National Institute of Standards and Technology: Recommendations for Block Cipher Modes of Operatio (see Appendix H). Galois/Counter Mode (GCM) and GMAC. NIST special publication D (November 2007) 24. Rivest, R., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash functio : Soos, M.: CryptoMiniSat In: SAT Race competitive event booklet (July 2010), The org/cryptominisat2 step is the bitwise rotation applied to each of the twenty 64-bit words of the Transformation: ρ bitwise rotation moves bit at position z into position (z +r value ) modulo 64. For each w is di erent. Appendix AS[x][y] :=S[x][y] n o sets[x][y] for all (0 apple x apple 3), (0 apple y apple 4) The rotation o sets used in the step are given below. The rotation o sets are given in Appendix A. o sets[0][0] := 0 o sets[0][1] := 36 o sets[0][2] := 3 o sets[0][3] := 41 o sets[0][4] : := 18 o sets[1][0] := 1 o sets[1][1] := 44 o sets[1][2] := 10 o sets[1][3] := 45 o sets[1][4] := 2 o sets[2][0] := 62 o sets[2][1] := reorders the words in the state. Words are moved from S[x][y] tos[x 0 6 ][y 0 ] and the o sets[2][2] dinates (x 0,y 0 := 43 o sets[2][3] := 15 o sets[2][4] := 61 o sets[3][0] := 28 o sets[3][1] ) := are 55 calculated o sets[3][2] from := the 25 following o sets[3][3] simple := 21 formula. o sets[3][4] := 56 x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 11 / 29 2

12 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 12 / 29

13 bitwise rotation moves bit at position z into position (z +r v is di erent. Introduction and Motivation Transformation: π ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View S[x][y] :=S[x][y] n o sets[x][y] for all (0 apple x apple The rotation o sets are given in Appendix A. : reorders the words in the state. Words are moved from S dinates (x 0,y 0 ) are calculated from the following simple for x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 : π reorders the words in the state S S[x ][y ] π(s[x][y]) In the step the ICEPOLE S-box is applied to each of 25 DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 13 / 29

14 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 14 / 29

15 Icepole S[x][y] Design :=S[x][y] n o sets[x][y] for ICEPOLE all (0 apple101x apple 3), (0 apple y apple 4) Basic Ingredients of ICEPOLE High Level View The rotation o sets are given in Appendix A. : Transformation ψ reorders the words in the state. Words are moved from S[x][y] tos[x 0 ][y 0 ] and the new coordinates (x 0,y 0 ) are calculated from the following simple formula. x 0 := (x + y) mod 4 y 0 := (((x + y) mod 4) + y + 1) mod 5 : In the step the ICEPOLE S-box is applied to each of 256 rows of the state. The S-box maps a 5-bit input vector (M 0,M 1,...,M 4 ) to a 5-bit output vector (Z 0,Z 1,...,Z 4 ). The S-box functionality can be easily described by the following bitwise equation. Operations on the index k are done modulo 5. The bitwise AND operator is omitted for clarity. for all (0 apple k apple 4) Z k = M k ( M k+1 M k+2 ) (M 0 M 1 M 2 M 3 M 4 ) ( M 0 M 1 M 2 M 3 M 4 ) ICEPOLE S-box The S-box maps a 5-bit input vector (M 0,... M 4 ) to a 5-bit output vector (Z 0,... Z 4 ) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 15 / 29

16 ICEPOLE Round ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View R consists of five steps labelled by R = apple µ Each step updates the state as fol DIAC, August 23-24, 2014 µ: Marcin Rogawski CAESAR candidate ICEPOLE 16 / 29

17 Transformation: apple: κ ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View In apple the 64-bit constant is xored with S[0][0]. S[0][0] := S[0][0] constant[numberofround] The constant value for each round is di erent. The values are ICEPOLE Constants The constant values are taken as the output of a simple 64-bit 2.4 maximum-cycle Initialization LinearPhase Feedback Shift Register (LFSR). First, The polynomial the state is representation initialized of with LFSR theis1280-bit pseudorandom tained x 64 + by x 63 applying + x 61 + x 60 the + 1. Keccak-f[1600] permutation (an under standard) The LFSRto seed the abcdef all-zero vector and truncating the result to 12 Appendix each cyclec.) generates a subsequent constant. Once the state is filled with the constant, the 128-bit key K duced into the state. K 0 and K 1 denote two 64-bit words of th DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 17 / 29

18 Decryption and Tag Generation ICEPOLE 101 Basic Ingredients of ICEPOLE High Level View key nonce c o σ SMN σ AD c n σ P T pad pad pad P 12 P 6 P 6 P 6 Initialization Processing phase Tag generation DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 18 / 29

19 ICEPOLE Security (Parameters) ICEPOLE Security ICEPOLE is based on the duplex construction - parameters: r (bitrate) and c (capacity) ICEPOLE-128: r=1026 bits and c=256 bits (up to blocks) ICEPOLE-256: r=962 bits and c=318 bits (up to 2 62 blocks) Security level proven, unless permuation is unsecure SKEW 11: Bertoni et al. in On the security of the keyed sponge construction proved that if the data complexity is limited to 2 a r-bit blocks, the keyed mode withstands generic attacks with time complexity up to 2 c a calls of the underlying permutation. If a < c/2, this results in an increase of the security strength from c/2 to c a. DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 19 / 29

20 Nonce Requirement ICEPOLE Security ICEPOLE requires a nonce In case of nonce reuse, some level of intermediate robustness provided by secret message number and associated data (if distinct) In case of violating all nonce-like mechanisms (nonce reused, secret message number reused, the same associated data), security claims do not hold (recent analysis by Tao Huang, Hongjun Wu, Ivan Tjuawinata) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 20 / 29

21 ICEPOLE ICEPOLE Security Differential cryptanalysis (with aid of a SAT solver, we provide a bound on differential trail probability for 12 rounds, probability 2 84 ) Linear cryptanalysis (good linear profile of s-box, propagation of linear masks very similar to differential analysis, expecting similar security margin. Rigorous analysis to be done) Rotational cryptanalysis (good selection of round constants and pseudo-random initial state prevent this kind of attack) SAT-based cryptanalysis (experimentally verified, the attack reaches only 3 rounds) Techniques exploiting low algebraic degree (algebraic degree of a single round is 4, then for 4 rounds a degree is 256, making the attacks infeasible) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 21 / 29

22 Hardware Architecture Software Implementation Basic Iterative Architecture of-of-concept single iterative round design for the hardware implementation of ICE Source: parison. Both implementations use also the same interface and comm Morawiecki et al. ICEPOLE: High-speed, Hardware-oriented er to reduce any discrepancies between the two designs. Similar to I Authenticated Encryption at CHES 14 tains the full padding unit and supports both encryption and decrypt DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 22 / 29

23 FPGA Implementation Results Hardware Architecture Software Implementation Xilinx Virtex-6 Throughput: Mbps Area: 1501 Slices Throughput/Area: Mbps/Slice Altera Stratix-IV Throughput: Mbps Area: 4564 ALUTs Throughput/Area: 8.50 Mbps/ALUT DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 23 / 29

24 Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE FPGA Implementation - Area Hardware Architecture Software area Implementation [Virtex 6: slices, Stratix IV: ALUTs] Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE Source: Keyak and Keccak (multi-purpose mode) from anonymous submission to anonymous conference :) Thanks for sharing! DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 24 / 29

25 Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE throughput Hardware Architecture Software Implementation FPGA Implementation - Throughput Gb/s Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 25 / 29

26 Virtex 6 Stratix IV HW andaes-gcm SW Performance Keccak Keyak ICEPOLE throughput_area Hardware Architecture Software Implementation FPGA Implementation - Throughput/Area [Virtex 6: Mbps/slice, Stratix IV: Mbps/ALUT] Virtex 6 Stratix IV AES-GCM Keccak Keyak ICEPOLE DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 26 / 29

27 Software Implementation Hardware Architecture Software Implementation straightforward C implementation compiled for speed no beyond-c optimization 9 cycles per byte on Intel Ivy Bridge (i5-3320m) 8 cycles per byte on Haswell (Intel Xeon E3 1275) DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 27 / 29

28 Conclusions Conclusions Questions duplex construction + very efficient permutation = ICEPOLE highly efficient in modern FPGAs very-high speed in modern FPGAs good software performance DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 28 / 29

29 Questions Conclusions Questions Thank you! Questions? Questions? CERG: DIAC, August 23-24, 2014 Marcin Rogawski CAESAR candidate ICEPOLE 29 / 29