Similarities between encryption and decryption: how far can we go?

Transcription

1 Similarities between encryption and decryption: how far can we go? Anne Canteaut Inria, France and DTU, Denmark SAC 2013 based on a joint work with Lars Knudsen and Gregor Leander

2 Outline Low-latency and lightweight ciphers Minimizing the overhead of decryption: involutional ciphers and involutional building-blocks Minimizing the overhead of decryption: reection ciphers PRINCE 1

3 Iterated block ciphers K master key key schedule k 1 k 2 k r plaintext x F (1) F (2)... F (r) y ciphertext where each F (i) is a keyed permutation of F n 2. 2

4 Lightweight block ciphers AES [Daemen-Rijmen 98][FIPS PUB 197] blocksize: 128 bits Sbox operates on 8 bits linear diusion layer is a linear permutation of ( ) 4 F 2 8 To make it smaller in hardware: blocksize: 64 bits smaller Sbox, on 3 or 4 bits linear diusion layer over a smaller alphabet simplied key-schedule 3

5 The usual design strategy: PRESENT [Bogdanov et al. 07] 64 bits sk i S S S S S S S S S S S S S S S S 31 rounds (+ a key addition) 4

6 Lightweight but secure... Increase the number of rounds! PRESENT [Bogdanov et al. 07]. 31 rounds LED [Guo et al. 11]: LED-64: 32 rounds, LED-128: 48 rounds SPECK [Beaulieu et al. 13]: SPECK64/128: 27 rounds, SPECK128/256: 34 rounds SIMON [Beaulieu et al. 13]: SIMON64/128: 44 rounds, SIMON128/256: 72 rounds 5

7 Does lightweight mean light + wait? [Kneºevi et al. 12] 6

8 Does lightweight mean light + wait? [Kneºevi et al. 12] Low-latency encryption. Memory encryption SPEED SECURITY VANET (Vehicular ad-hoc network) encryption for high-speed networking... AREA 7

9 How can we design a fast and lightweight cipher? Unrolled implementation. small number of rounds; each round of encryption and decryption should have a low implementation cost; the rounds do not need to be similar. Related open problem. Is it possible to provide security arguments for a cipher iterating very dierent rounds? 8

10 Minimizing the overhead of decryption: involutional building-blocks 9

11 When lightweight encryption was really an issue

12 Scherbius' solution: add a reector A B C D E F A B C D E F B D A B C D E F A C E F B D A B C D E F A C E F B D A B C D E F A C E F keyboard reector lampboard E K = F 1 K M F K where M = M 1 11

13 Can E K be an involution? Fixed points.[youssef-tavares-heys 96] A random permutation of F n 2 has 1 xed point on average; A random involution of F n 2 has 2n 2 + O(1) xed points. In particular, for E K = F 1 K M F K E K has the same cycle structure (and the same number of xed points) as M. Enigma: the reector has no xed points; DES with a weak key: M is the swapping of the 2 halves It has 2 32 xed points [Coppersmith 85]. 12

14 F X construction Add some whitening keys [Rivest 84] k 1 k 0 k 2 m + F + c Slide attack with complexity 2 n+1 2 [Youssef-Tavares-Heys 96][Dunkelman et al. 12] m k 0 x k 1 y k 2 + F + c k 1 k 0 k 2 y x m c + F + If (m, c) and (m, c ) satisfy m c = m c, then check whether k 0 k 2 = m c. 13

15 Using involutional building-blocks Examples: Feistel ciphers involutional SPNs [Youssef-Tavares-Heys 96] Khazad [Barreto-Rijmen 00] ANUBIS [Barreto-Rijmen 00] NOEKEON [Daemen et al. 00] ICEBERG [Standaert et al. 04]... 14

16 AES superbox S S S S L K S S S S S is a permutation over F m 2 The diusion layer is linear over F 2 m and has maximal branch number. 15

17 Involutional Sboxes with an SPN Maximal expected probability for a two-round dierential: MEDP 2 = max a 0,b Pr x,k[ E K (x) = b x = a] For the AES Sbox S(x) = l(x 254 ): MEDP 2 = [Keliher-Sui 07] For the naive Sbox S(x) = x 254 : MEDP 2 = [Daemen-Rijmen 06] Highest possible value for a function having similar values in its dierence table [Park et al. 03] 16

18 A new bound (particular case) [C.-Roué 13] Consider an SPN with a nonlinear layer composed of t parallel applications of a function S over F 2 m and with an MDS linear diusion layer over F 2 m, if S(x) = l(x s ) or S(x) = (l(x)) s where l is an ane permutation of F m 2, we have MEDP 2 2 m(t+1) max 1 u t where δ(a, b) = #{x F m 2, max α,β 0 γ F 2 m δ(α, γ) u δ(γ, β) t+1 u S(x + a) + S(x) = b}. Moreover, the bound is tight for all MDS linear layers if one of the following conditions holds: S(x) = x s ; S(x) = l(x s ) and the maximum is attained for u = 1. 17

19 Dierence table of the inverse function over F 16 1 ζ ζ 2 ζ 3 ζ 4 ζ 5 ζ 6 ζ 7 ζ 8 ζ 9 ζ 10 ζ 11 ζ 12 ζ 13 ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ ζ

20 MEDP 2 for AES and variants 2 m(t+1) max 1 u t max α,β 0 AES Sbox S(x) = l(x 254 ). Naive Sbox S(x) = x 254. max α,β 0 γ F 2 m δ(α, γ) u δ(γ, β) t+1 u MEDP 2 = δ(a, b) = δ(b, a) γ F 2 m δ(α, γ) u δ(γ, β) t+1 u = max α,β 0 = max α 0 δ(α, γ) u δ(β, γ) t+1 u γ F 2 m δ(α, γ) t+1 γ F 2 m MEDP 2 =

21 Minimizing the overhead of decryption: reection ciphers 20

22 Reection ciphers Denition. A block cipher E is a reection cipher if there exists a permutation P of the key space such that, for all K, (E K ) 1 = E P (K) Examples. Feistel cipher with independent round keys: P (k 1,..., k r ) = (k r,..., k 1 ) RSA: P = inversion modulo (p 1)(q 1). 21

23 Properties of the coupling permutation implies (E K ) 1 = E P (K) E K = E P 2 (K) Choice of P. P should be an involution. Example: P (K) = K α 22

24 Iterated reection cipher with P (K) = K α Encryption: K K K K α K α K α m F 1 F 2 F r M Fr 1 F2 1 F1 1 c Decryption: K α K α K α K K K c F 1 F 2 F r M Fr 1 F2 1 F1 1 m where M is an involution. 23

25 Example of a reection cipher with P (k 1, k 2 ) = (k 2 α, k 1 α) k 1 k 2 k 1 k 2 α k 1 α k 2 α m F 1 F 2 F r M Fr 1 F2 1 F1 1 c ( E (k1,k 2 )) 1 = E(k2 α,k 1 α) For all keys with k 2 = k 1 α, the cipher is an involution, and it has the same number of xed points as M. Large class of weak keys. 24

26 Fixed points of the coupling permutation Fixed points of P. The keys for which the encryption function is an involution can be detected with O(2 n 2 ) plaintext-ciphertext pairs. Choice of P. P should be an involution without xed points. Example: P (K) = K α 25

27 On related-key distinguishers for reection ciphers Trivial related-key distinguishers: are not considered. (they may be important in some scenarios, e.g., [Iwata-Kurosawa 03]) Related-key distinguishers: may have an impact in a single-key model. A related-key distinguisher for E K involving two keys K and K related by K = P (K) is a distinguisher in the single-key model. Related-key distinguishers may be relevant! 26

28 On dierential related-key distinguishers Distinguishers involving K and K = P (K) should be avoided. Two strategies: Choose P such that the existence of such distinguishers is very unlikely, e.g., such that K P (K) has always a high weight; Choose P such that such related-key distinguishers can be exploited for a few K only. Trade-o between min K wt(k P (K)) and max #{K : K P (K) = δ} δ For P (K) = K α where wt(α) is high, we maximize the rst quantity. 27

29 PRINCE 28

30 Reection cipher with P (K) = K α k k k k α k α k α m F 1 F F r M Fr 1 F2 1 F1 1 c 29

31 Increasing the key length F X construction [Rivest 84] k = (k 0 k 1 ) k 1 k 0 π(k 0 ) m + PRINCEcore + c with π(x) = (x 1) (x 63) (k 0 k 1, π(k 0 ) k 1 ) takes all possible values when (k 0, k 1 ) varies. 30

32 Security of the F X construction [Kilian-Rogaway 96] F X k0,k 1,k 2 (m) = F k1 (m k 0 ) k 2 k 0, k 1, k 2 F X k F, F 1 π F, F 1 m (x, k) A The advantage of any adversary who makes D queries to E = F X and T queries to (F, F 1 ) is at most DT 2 (κ 1+n 1) 31

33 Impact of the reection property on the F X construction Ideal reection cipher with coupling permutation P. If P is an involution without xed points, the key space can be decomposed as F κ 1 2 = H P (H) where H contains half of the keys. Let F be an ideal block cipher with key space H. We extend it by F k (x) = F k (x) F 1 P (k) (x) if k H if k P (H) Security of the F X construction. The advantage of any adversary who makes D queries to E = F X and T queries to (F, F 1 ) is at most DT 2 (κ 1+n 2). 32

34 Parameters Block size: 64 bits Key size: 128 bits Nb of Sbox layers: 12 Security claim in the single-key model: 126-bit security There is no attack with time and data complexities are such that DT Best attack. MitM attack on 8 rounds with DT = [C. Naya-Plasencia Vayssière 13]. 33

35 Conclusions and open issues Involutional building-blocks may introduce some weaknesses in some cases. How can we use them in secure way? Reection ciphers considerably reduce the overhead on decryption on top of encryption for unrolled implementations. Find some other key schedules (work in progress). 34