BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

Size: px

Start display at page:

Download "BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018"

Alexia Clark
5 years ago
Views:

Lallemand, Gregor Leander, Patrick Neumann, and Friedrich Wiemer Friedrich

1 BION Instantiating the Whitened wap-or-not Construction November 14th, 2018 FluxFingers Workgroup ymmetric Cryptography, Ruhr University Bochum Virginie Lallemand, Gregor Leander, Patrick Neumann, and Friedrich Wiemer Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

2 Block Ciphers Encrypt plaintext in blocks p i of n bits, under a key of n bits: p 0 {0, 1} n p 1 {0, 1} n k {0, 1} n Enc Enc k {0, 1} n c 0 {0, 1} n c 1 {0, 1} n Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

3 Block Ciphers Encrypt plaintext in blocks p i of n bits, under a key of n bits: k 0 p 0 {0, 1} n p 1 {0, 1} n k 1 k {0, 1} n Enc Enc k {0, 1} n k 2 c 0 {0, 1} k n 3 c 1 {0, 1} n Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

4 The WN construction Published by Tessaro at AsiaCrypt 2015 [ia.cr/2015/868]. Overview round, iterated r times k f x 1 0 y Whitened wap-or-not round function x, k {0, 1} n and f k : {0, 1} n {0, 1} x + k if fk (x) = 1 y = x if f k (x) = 0 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

5 The WN construction Published by Tessaro at AsiaCrypt 2015 [ia.cr/2015/868]. Overview round, iterated r times k f x 1 0 y Whitened wap-or-not round function x, k {0, 1} n and f k : {0, 1} n {0, 1} x + k if fk (x) = 1 y = x if f k (x) = 0 Properties of f k (needed for decryption) f k (x) = f k (x + k) ecurity Proposition (informal) The WN construction with r = (n) rounds is Full Domain secure. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

6 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

7 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

8 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

9 The WN construction Encryption Input x x x + k 0 x x + k 1 x + k 0 x + k 0 + k 1 x x + k 2 x + k 1 x + k 1 + k 2 x + k 0 x + k 0 + k 2 x + k 0 + k 1 x + k 0 + k 1 + k 2 r Encryption: E k (x) := x + λ i k i = y i=1 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

10 An Implementation Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

11 An Implementation Construction f k (x) :=? Key schedule? (n) rounds? Theoretical vs. practical constructions Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

12 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

13 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Distinguishing Attack for r < n rounds There is an u n 2 \ {0}, s. t. u, x = u, y holds always: u, y = = u, x + u, x + λ i k i λ i k i = u, x + 0 u, for all u span {k 1,..., k r } {0} Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

14 Generic Analysis On the number of rounds Observation The ciphertext is the plaintext plus a subset of the round keys: y = x + r λ i k i i=1 For pairs x i, y i : span {x i + y i } span k j. Distinguishing Attack for r < n rounds There is an u n 2 \ {0}, s. t. u, x = u, y holds always: u, y = = u, x + u, x + λ i k i λ i k i = u, x + 0 u, for all u span {k 1,..., k r } {0} Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

15 Generic Analysis On the Boolean functions f Rationale 2 A bit out of the blue sky, but: For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

16 A genus of the WN family: BION Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Rationale 2 For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Generic properties of Bent whitened wap Or Not At least n iterations of the round function Consecutive round keys linearly independent The round function depends on all bits δ : Pr [ f k (x) = f k (x + δ)] = 1 2 (bent) Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

17 A genus of the WN family: BION Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Rationale 2 For any instance, f k has to depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Generic properties of Bent whitened wap Or Not At least n iterations of the round function Consecutive round keys linearly independent Rational 1 & 2: WN is slow in practice! The round function depends on all bits δ : Pr [ f k (x) = f k (x + δ)] = 1 2 (bent) But what about Differential Cryptanalysis? Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

18 Differential Cryptanalysis Primer p p = α k Enc Enc k c Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β

19 Differential Cryptanalysis Primer p k 0 p = α k 1 k Enc Enc k k 2 c k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β

20 Differential Cryptanalysis Primer p k 0 p = α k 1 k Enc Enc k k 2 c k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th, c = β

21 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

22 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Possible differences x + f k (x) k x + α + f k (x + α) k = α + (f k (x) + f k (x + α)) k Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

23 Differential Cryptanalysis One round Proposition For one round of BION the probabilities are: 1 if α = β = k or α = β = 0 1 Pr [α β] = 2 else if β {α, α + k} 0 else Possible differences x + f k (x) k x + α + f k (x + α) k = α + (f k (x) + f k (x + α)) k Remember Pr [f k (x) = f k (x + α)] = 1 2 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

24 Differential Cryptanalysis More rounds Example differences over r = 3 rounds: 1 2 α 1 2 α α + k α α + k 2 α + k 1 α + k 1 + k 2 α α + k 3 α + k 2 α + k 2 + k 3 α + k 1 α + k 1 + k 3 α + k 1 + k 2 α + k 1 + k 2 + k 3 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

25 Differential Cryptanalysis More rounds Example differences over r = 3 rounds: 1 2 α 1 2 α α + k α α + k 2 α + k 1 α + k 1 + k 2 α α + k 3 α + k 2 α + k 2 + k 3 α + k 1 α + k 1 + k 3 α + k 1 + k 2 α + k 1 + k 2 + k 3 For fixed α and β there is only one path! Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

26 BION A concrete species Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

27 Addressing Rationale 1 The Key chedule Rationale 1 Any instance must iterate at least n rounds; any set of n consecutive keys should be linearly indp. Design Decisions Choose number of rounds as 3 n Round keys derived from the state of LFRs Add round constants to round keys Implications Clocking an LFR is cheap For an LFR with irreducible feedback polynomial of degree n, every n consecutive states are linearly independent Round constants avoid structural weaknesses Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

28 Addressing Rationale 2 The Round Function Rationale 2 For any instance, the f k should depend on all bits, and for any δ n 2 : Pr [f k(x) = f k (x + δ)] 1 2. Design Decisions Choose f k : n 2 2 s. t. δ n 2 : Pr [f k(x) = f k (x + δ)] = 1 2, that is, f k is a bent function. Choose the simplest bent function known: Implications Bent functions are well studied Bent functions only exist for even n Instance not possible for every block length n f k (x, y) := x, y Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

29 Details

30 BION Round Function BION s round function For round keys k i n 2 and w i n 1 2 the round function computes R ki,w i (x) := x + f b(i) wi + Φ ki (x) k i. where Φ ki and f b(i) are defined as Φ k (x) : n 2 n 1 2 Φ k (x) := (x + x[i(k)] k)[j] 1 j n j i(k) and b(i) is 0 if i r 2 and 1 else. f b(i) : n n f b(i) (x, y) := x, y + b(i), Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

31 BION Round Function what s different BION s round function For round keys k i n 2 and w i n 1 2 the round function computes R ki,w i (x) := x + f b(i) wi + Φ ki (x) k i. where Φ ki and f b(i) are defined as Φ k (x) : n 2 n 1 2 Φ k (x) := (x + x[i(k)] k)[j] 1 j n j i(k) and b(i) is 0 if i r 2 and 1 else. f b(i) : n n f b(i) (x, y) := x, y + b(i), Φ k basically ensures f k (x) = f k (x + k) (the property we need for decryption). Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

32 BION Key chedule BION s key schedule Given primitive p k, p w 2 [x] with degrees n, n 1 and companion matrices C k, C w. master key K = (k, w) n 2 n 1 2 \ {0, 0} The ith round keys are computed by K i : n 2 n 1 2 n 2 n 1 2 K i (k, w) := (k i, c i + w i ) where k i = (C k ) i k, c i = (C w ) i e 1, w i = (C w ) i w. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

33 Further Cryptanalysis Linear Cryptanalysis For r n rounds, the correlation of any non-trivial linear trail for BION is upper bounded by 2 n+1 2. Zero Correlation For r > 2n 2 rounds, BION does not exhibit any zero correlation linear hulls. Invariant Attacks For r n rounds, neither invariant subspaces nor nonlinear invariant attacks do exist for BION. Impossible Differentials For r > n rounds, there are no impossible differentials for BION. Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

34 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

35 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Missing figure redacted Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

36 Conclusion/Questions Thank you for your attention! BION A first instance of the WN construction Good results for differential cryptanalysis Open Problems Construction for linear cryptanalysis Missing figure redacted Thank you! Questions? 2018/1011 Friedrich Wiemer BION Instantiating the Whitened wap-or-not Construction November 14th,

The Invariant Set Attack 26th January 2017

The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack