Innovations in permutation-based crypto

Transcription

1 Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores, April 17, STMicroelectronics 2 Radboud University 3 Security Pattern 1

2 Pseudo-random unction (PRF) input 2

3 Stream encryption nonce plaintext = ciphertext 3

4 Message authentication (MAC) plaintext plaintext 4

5 Authenticated encryption nonce plaintext plaintext = ciphertext 5

6 String sequence input and incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 F K ( P (3) P (2) P (1)) 6

7 Session authenticated encryption (SAE) [KT, SAC 2011] 1 K, N A (1) P (1) A (2) P (2) A (3) P (3) T (0) C (1) T (1) C (2) T (3) C (3) T (2) Initialization taking nonce N T 0 t + F K (N) history N return tag T o length t Wrap taking metadata A and plaintext P C P + F K (A history) T 0 t + F K (C A history) history C A history return ciphertext C o length P and tag T o length t 7

8 Synthetic initialization value (SIV) o [KT, eprint 2016/1188] A P F K F K T C Unwrap taking metadata A, ciphertext C and tag T P C + F K (T A) τ 0 t + F K (P A) i τ = T then return error! else return plaintext P o length C Variant o SIV o [Rogaway & Shrimpton, EC 2006] 8

9 How to build a PRF? By icelight (lickr.com) 9

10 Sponge [Keccak Team, Ecrypt 2008] input output r c 0 0 outer inner absorbing squeezing Taking K as irst part o input gives a PRF 10

11 More eicient: donkeysponge [Keccak Team, DIAC 2012] 11

12 Incrementality: duplex [Keccak Team, SAC 2011] σ 0 Z 0 σ 1 Z 1 σ 2 Z 2 pad trunc pad trunc pad trunc r 0 c 0 outer inner initialize duplexing duplexing duplexing 12

13 More eicient: MonkeyDuplex [Keccak Team, DIAC 2012] Instances: Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014] + hal a dozen other CAESAR submissions 13

14 Consolidation: Full-state keyed duplex Z ¾ Z ¾ Z ¾ K ± iv [Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015] [Daemen, Mennink & Van Assche, Asiacrypt 2017] 14

15 SAE with ull-state keyed duplex: Motorist [KT, Keyak 2015] 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) 15

16 How to build a parallelizable PRF? by Barilla Food Service 16

17 Faralle: early attempt [KT ] k M 0 0 k 0 Z 0 k M 1 1 k 1 Z 1 k M i i j k Z j Similar to Protected Counter Sums [Bernstein, stretch, JOC 1999] Problem: collisions with higher-order dierentials i has low degree 17

18 Faralle now [Keccak Team + Seth Hoert, ToSC 2018] K 10 p b c k i+2 c k m 0 p c e p e z 0 c k k m 1 p c p d e p e z 1 i c k k m i p c j e p e z j Input mask rolling and p c against accumulator collisions State rolling, p e and output mask against state retrieval at output Middle p d against higher-order DC Input-output attacks have to deal with p e p d p c 18

19 Kravatte as in TOSC 2018 K 10 k i+2 k m 0 z 0 k k m 1 z 1 i k k m i j z j Target security: 128 bits, incl. multi-target and quantum adv. p i = Keccak-p[1600] with # rounds 6666 : Achoue coniguration Input mask rolling with LFSR, state rolling with NLFSR 19

20 In which sense is Kravatte lightweight? K 10 k i+2 k m0 z0 k k m1 z1 i k k m i j z j Workload per round (in HW or bit-slice SW) AES: 16 XORs and 4 AND per bit Keccak-p: 3 XORs and 1 AND per bit Number o rounds AES CBC or CTR: 10 rounds Kravatte compress or expand: 6 rounds Disadvantage o Kravatte: 200-byte granularity 20

21 by Perrie Nicholas Smith (perriesmith.deviantart.com) 21

22 Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017] Ideal size and shape: 48 bytes in 12 words o 32 bits compact on low-end: its registers o ARM Cortex M3/M4 ast on high-end: suitable or SIMD For low-end platorms: locality o operations to limit swapping limits diusion, see e.g. [Mike Hamburg, 2017] no problem or nominal number o rounds: 24 not clear how many rounds needed in Faralle 22

23 Xoodoo [noun, mythical] /zu: du:/ Alpine mammal that lives in compact herds, can survive avalanches and is appreciated or the wide trails it creates in the landscape. Despite its luy appearance it is very robust and does not get distracted by side channels. 23

24 Xoodoo [Keccak team with Seth Hoert and Johan De Meulder] bit permutation Main purpose: usage in Faralle: XooPRF Achoue coniguration Full-state rolling unctions Eicient on wide range o platorms But also or small-state authenticated encryption, Ketje style sponge-based hashing, Keccak-p philosophy ported to Gimli dimensions ! 24

25 Xoodoo state z z y y state x plane x z z y y lane x column x State: 3 horizontal planes each consisting o 4 lanes 25

26 Xoodoo round unction χ ρ west ρ east θ Iterated: n r rounds that dier only by round constant 26

27 Nonlinear mapping χ Eect on one plane: complement χ as in Keccak-p, operating on 3-bit columns Involution and same propagation dierentially and linearly 27

28 Mixing layer θ + = column parity θ-eect old Column parity mixer: compute parity, old and add to state good average diusion, identity or states in kernel 28

29 Plane shit ρ east 2 shit (2,8) 1 shit (0,1) 0 Ater χ and beore θ Shits planes y = 1 and y = 2 over dierent directions 29

30 Plane shit ρ west 2 shit (0,11) 1 shit (1,0) 0 Ater θ and beore χ Shits planes y = 1 and y = 2 over dierent directions 30

31 Xoodoo pseudocode n r rounds rom i = 1 n r to 0, with a 5-step round unction: θ : ρ west : ι : χ : ρ east : P A 0 + A 1 + A 2 E P (1, 5) + P (1, 14) A y A y + E or y {0, 1, 2} A 1 A 1 (1, 0) A 2 A 2 (0, 11) A 0,0 A 0,0 + rc i B 0 A 1 A 2 B 1 A 2 A 0 B 2 A 0 A 1 A y A y + B y or y {0, 1, 2} A 1 A 1 (0, 1) A 2 A 2 (2, 8) 31

32 Xoodoo sotware perormance width cycles/byte per round ARM Intel bytes Cortex M3 Skylake Keccak-p[1600] ChaCha Gimli Xoodoo on Intel Haswell 32

33 Xoodoo diusion and conusion Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]: min. trail weights # rounds di. linear Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto 85] A mapping satisies SAC i lipping an input bit will make each output bit lip with probability close to 1/2 Xoodoo satisies SAC ater 3 rounds in orward direction ater 2 rounds in backward direction 33

34 Do you think this is interesting? I m hiring! PhD positions, starting September Scope: Propagation in Xoodoo-like unctions computer-assisted bound proving mathematical uniication o attacks Interaction between modes and permutations Impact o key schedule in block ciphers DPA vulnerability o Xoodoo-like unctions 34

35 Thanks or your attention! χ ρeast ρwest θ 35