Innovations in permutation-based crypto

Similar documents
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

On Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1

New techniques for trail bounds and application to differential trails in Keccak

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Algebraic properties of SHA-3 and notable cryptanalysis results

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Full-State Keyed Duplex With Built-In Multi-User Support

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Cryptanalysis of 1-Round KECCAK

Analysis of cryptographic hash functions

Keccak sponge function family main document

Message Authentication Codes (MACs)

STRIBOB : Authenticated Encryption

Lecture 12: Block ciphers

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Symmetric Crypto Systems

Symmetric Crypto Systems

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Cryptographic Hash Functions Part II

Stronger Security Variants of GCM-SIV

Security of Keyed Sponge Constructions Using a Modular Proof Approach

On High-Rate Cryptographic Compression Functions

The Hash Function JH 1

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Solution of Exercise Sheet 7

An introduction to Hash functions

Cryptanalysis of EnRUPT

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

Online Authenticated Encryption

CAESAR candidate ICEPOLE

New attacks on Keccak-224 and Keccak-256

Practical CCA2-Secure and Masked Ring-LWE Implementation

Public-key Cryptography: Theory and Practice

A Tweak for a PRF Mode of a Compression Function and Its Applications

Overtaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab

PRIMATEs v1.02. Submission to the CAESAR Competition. Engineering, China. 6 NTT Secure Platform Laboratories, Japan.

Cryptography Lecture 4 Block ciphers, DES, breaking DES

EME : extending EME to handle arbitrary-length messages with associated data

Higher-order differential properties of Keccak and Luffa

Key Recovery Attack against 2.5-round π-cipher

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

A Pseudo-Random Encryption Mode

Similarities between encryption and decryption: how far can we go?

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

ACORN: A Lightweight Authenticated Cipher (v3)

Rotational cryptanalysis of round-reduced Keccak

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

New Results on Boomerang and Rectangle Attacks

A block cipher enciphers each block with the same key.

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

Zero-Sum Partitions of PHOTON Permutations

Introduction to the Design and. Cryptanalysis of Cryptographic Hash Functions

On Security Arguments of the Second Round SHA-3 Candidates

ECS 189A Final Cryptography Spring 2011

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Higher-order differential properties of Keccak and Luffa

Security Reductions of the Second Round SHA-3 Candidates

Linear Cryptanalysis of Reduced-Round PRESENT

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1

Table Of Contents. ! 1. Introduction to AES

Related-key Attacks Against Full Hummingbird-2

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Unaligned Rebound Attack: Application to Keccak

Security Reductions of the Second Round SHA-3 Candidates

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Lecture 4: DES and block ciphers

An Introduction to Authenticated Encryption. Palash Sarkar

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Security of Permutation-based Compression Function lp231

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

SPCS Cryptography Homework 13

Higher-order differential properties of Keccak and Luffa

Security and Cryptography 1

A Five-Round Algebraic Property of the Advanced Encryption Standard

Linear Cryptanalysis of Reduced-Round Speck

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Beyond 2 c/2 Security in Sponge-Based Authenticated Encryption Modes

Rhythmic Keccak: SCA Security and Low Latency in HW

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Cryptanalysis of the GOST Hash Function

New Insights into Divide-and-Conquer Attacks on the Round-Reduced Keccak-MAC

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Algebraic Attacks and Stream Ciphers

McBits: Fast code-based cryptography

Preimage Attacks on Reduced Tiger and SHA-2

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Subspace Trail Cryptanalysis and its Applications to AES

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Version 3.0 January 14, STMicroelectronics 2 NXP Semiconductors

Block Ciphers/Pseudorandom Permutations

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Type 1.x Generalized Feistel Structures

Transcription:

Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores, April 17, 2018 1 STMicroelectronics 2 Radboud University 3 Security Pattern 1

Pseudo-random unction (PRF) input 2

Stream encryption nonce plaintext = ciphertext 3

Message authentication (MAC) plaintext plaintext 4

Authenticated encryption nonce plaintext plaintext = ciphertext 5

String sequence input and incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 F K ( P (3) P (2) P (1)) 6

Session authenticated encryption (SAE) [KT, SAC 2011] 1 K, N A (1) P (1) A (2) P (2) A (3) P (3) T (0) C (1) T (1) C (2) T (3) C (3) T (2) Initialization taking nonce N T 0 t + F K (N) history N return tag T o length t Wrap taking metadata A and plaintext P C P + F K (A history) T 0 t + F K (C A history) history C A history return ciphertext C o length P and tag T o length t 7

Synthetic initialization value (SIV) o [KT, eprint 2016/1188] A P F K F K T C Unwrap taking metadata A, ciphertext C and tag T P C + F K (T A) τ 0 t + F K (P A) i τ = T then return error! else return plaintext P o length C Variant o SIV o [Rogaway & Shrimpton, EC 2006] 8

How to build a PRF? By icelight (lickr.com) 9

Sponge [Keccak Team, Ecrypt 2008] input output r c 0 0 outer inner absorbing squeezing Taking K as irst part o input gives a PRF 10

More eicient: donkeysponge [Keccak Team, DIAC 2012] 11

Incrementality: duplex [Keccak Team, SAC 2011] σ 0 Z 0 σ 1 Z 1 σ 2 Z 2 pad trunc pad trunc pad trunc r 0 c 0 outer inner initialize duplexing duplexing duplexing 12

More eicient: MonkeyDuplex [Keccak Team, DIAC 2012] Instances: Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014] + hal a dozen other CAESAR submissions 13

Consolidation: Full-state keyed duplex Z ¾ Z ¾ Z ¾ K ± iv [Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015] [Daemen, Mennink & Van Assche, Asiacrypt 2017] 14

SAE with ull-state keyed duplex: Motorist [KT, Keyak 2015] 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) 15

How to build a parallelizable PRF? by Barilla Food Service 16

Faralle: early attempt [KT 2014-2016] k M 0 0 k 0 Z 0 k M 1 1 k 1 Z 1 k M i i j k Z j Similar to Protected Counter Sums [Bernstein, stretch, JOC 1999] Problem: collisions with higher-order dierentials i has low degree 17

Faralle now [Keccak Team + Seth Hoert, ToSC 2018] K 10 p b c k i+2 c k m 0 p c e p e z 0 c k k m 1 p c p d e p e z 1 i c k k m i p c j e p e z j Input mask rolling and p c against accumulator collisions State rolling, p e and output mask against state retrieval at output Middle p d against higher-order DC Input-output attacks have to deal with p e p d p c 18

Kravatte as in TOSC 2018 K 10 k i+2 k m 0 z 0 k k m 1 z 1 i k k m i j z j Target security: 128 bits, incl. multi-target and quantum adv. p i = Keccak-p[1600] with # rounds 6666 : Achoue coniguration Input mask rolling with LFSR, state rolling with NLFSR 19

In which sense is Kravatte lightweight? K 10 k i+2 k m0 z0 k k m1 z1 i k k m i j z j Workload per round (in HW or bit-slice SW) AES: 16 XORs and 4 AND per bit Keccak-p: 3 XORs and 1 AND per bit Number o rounds AES CBC or CTR: 10 rounds Kravatte compress or expand: 6 rounds Disadvantage o Kravatte: 200-byte granularity 20

by Perrie Nicholas Smith (perriesmith.deviantart.com) 21

Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017] Ideal size and shape: 48 bytes in 12 words o 32 bits compact on low-end: its registers o ARM Cortex M3/M4 ast on high-end: suitable or SIMD For low-end platorms: locality o operations to limit swapping limits diusion, see e.g. [Mike Hamburg, 2017] no problem or nominal number o rounds: 24 not clear how many rounds needed in Faralle 22

Xoodoo [noun, mythical] /zu: du:/ Alpine mammal that lives in compact herds, can survive avalanches and is appreciated or the wide trails it creates in the landscape. Despite its luy appearance it is very robust and does not get distracted by side channels. 23

Xoodoo [Keccak team with Seth Hoert and Johan De Meulder] https://github.com/xoodooteam/xoodoo 384-bit permutation Main purpose: usage in Faralle: XooPRF Achoue coniguration Full-state rolling unctions Eicient on wide range o platorms But also or small-state authenticated encryption, Ketje style sponge-based hashing, Keccak-p philosophy ported to Gimli dimensions 3 4 32! 24

Xoodoo state z z y y state x plane x z z y y lane x column x State: 3 horizontal planes each consisting o 4 lanes 25

Xoodoo round unction χ ρ west ρ east θ Iterated: n r rounds that dier only by round constant 26

Nonlinear mapping χ Eect on one plane: 2 1 0 complement χ as in Keccak-p, operating on 3-bit columns Involution and same propagation dierentially and linearly 27

Mixing layer θ + = column parity θ-eect old Column parity mixer: compute parity, old and add to state good average diusion, identity or states in kernel 28

Plane shit ρ east 2 shit (2,8) 1 shit (0,1) 0 Ater χ and beore θ Shits planes y = 1 and y = 2 over dierent directions 29

Plane shit ρ west 2 shit (0,11) 1 shit (1,0) 0 Ater θ and beore χ Shits planes y = 1 and y = 2 over dierent directions 30

Xoodoo pseudocode n r rounds rom i = 1 n r to 0, with a 5-step round unction: θ : ρ west : ι : χ : ρ east : P A 0 + A 1 + A 2 E P (1, 5) + P (1, 14) A y A y + E or y {0, 1, 2} A 1 A 1 (1, 0) A 2 A 2 (0, 11) A 0,0 A 0,0 + rc i B 0 A 1 A 2 B 1 A 2 A 0 B 2 A 0 A 1 A y A y + B y or y {0, 1, 2} A 1 A 1 (0, 1) A 2 A 2 (2, 8) 31

Xoodoo sotware perormance width cycles/byte per round ARM Intel bytes Cortex M3 Skylake Keccak-p[1600] 200 2.44 0.080 ChaCha 64 0.69 0.059 Gimli 48 0.91 0.074 Xoodoo 48 1.20 0.083 on Intel Haswell 32

Xoodoo diusion and conusion Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]: min. trail weights # rounds di. linear 1 2 2 2 8 8 3 36 36 6 100 100 Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto 85] A mapping satisies SAC i lipping an input bit will make each output bit lip with probability close to 1/2 Xoodoo satisies SAC ater 3 rounds in orward direction ater 2 rounds in backward direction 33

Do you think this is interesting? I m hiring! PhD positions, starting September Scope: Propagation in Xoodoo-like unctions computer-assisted bound proving mathematical uniication o attacks Interaction between modes and permutations Impact o key schedule in block ciphers DPA vulnerability o Xoodoo-like unctions 34

Thanks or your attention! χ ρeast ρwest θ 35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback