Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores, April 17, 2018 1 STMicroelectronics 2 Radboud University 3 Security Pattern 1
Pseudo-random unction (PRF) input 2
Stream encryption nonce plaintext = ciphertext 3
Message authentication (MAC) plaintext plaintext 4
Authenticated encryption nonce plaintext plaintext = ciphertext 5
String sequence input and incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 F K ( P (3) P (2) P (1)) 6
Session authenticated encryption (SAE) [KT, SAC 2011] 1 K, N A (1) P (1) A (2) P (2) A (3) P (3) T (0) C (1) T (1) C (2) T (3) C (3) T (2) Initialization taking nonce N T 0 t + F K (N) history N return tag T o length t Wrap taking metadata A and plaintext P C P + F K (A history) T 0 t + F K (C A history) history C A history return ciphertext C o length P and tag T o length t 7
Synthetic initialization value (SIV) o [KT, eprint 2016/1188] A P F K F K T C Unwrap taking metadata A, ciphertext C and tag T P C + F K (T A) τ 0 t + F K (P A) i τ = T then return error! else return plaintext P o length C Variant o SIV o [Rogaway & Shrimpton, EC 2006] 8
How to build a PRF? By icelight (lickr.com) 9
Sponge [Keccak Team, Ecrypt 2008] input output r c 0 0 outer inner absorbing squeezing Taking K as irst part o input gives a PRF 10
More eicient: donkeysponge [Keccak Team, DIAC 2012] 11
Incrementality: duplex [Keccak Team, SAC 2011] σ 0 Z 0 σ 1 Z 1 σ 2 Z 2 pad trunc pad trunc pad trunc r 0 c 0 outer inner initialize duplexing duplexing duplexing 12
More eicient: MonkeyDuplex [Keccak Team, DIAC 2012] Instances: Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014] + hal a dozen other CAESAR submissions 13
Consolidation: Full-state keyed duplex Z ¾ Z ¾ Z ¾ K ± iv [Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015] [Daemen, Mennink & Van Assche, Asiacrypt 2017] 14
SAE with ull-state keyed duplex: Motorist [KT, Keyak 2015] 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) 15
How to build a parallelizable PRF? by Barilla Food Service 16
Faralle: early attempt [KT 2014-2016] k M 0 0 k 0 Z 0 k M 1 1 k 1 Z 1 k M i i j k Z j Similar to Protected Counter Sums [Bernstein, stretch, JOC 1999] Problem: collisions with higher-order dierentials i has low degree 17
Faralle now [Keccak Team + Seth Hoert, ToSC 2018] K 10 p b c k i+2 c k m 0 p c e p e z 0 c k k m 1 p c p d e p e z 1 i c k k m i p c j e p e z j Input mask rolling and p c against accumulator collisions State rolling, p e and output mask against state retrieval at output Middle p d against higher-order DC Input-output attacks have to deal with p e p d p c 18
Kravatte as in TOSC 2018 K 10 k i+2 k m 0 z 0 k k m 1 z 1 i k k m i j z j Target security: 128 bits, incl. multi-target and quantum adv. p i = Keccak-p[1600] with # rounds 6666 : Achoue coniguration Input mask rolling with LFSR, state rolling with NLFSR 19
In which sense is Kravatte lightweight? K 10 k i+2 k m0 z0 k k m1 z1 i k k m i j z j Workload per round (in HW or bit-slice SW) AES: 16 XORs and 4 AND per bit Keccak-p: 3 XORs and 1 AND per bit Number o rounds AES CBC or CTR: 10 rounds Kravatte compress or expand: 6 rounds Disadvantage o Kravatte: 200-byte granularity 20
by Perrie Nicholas Smith (perriesmith.deviantart.com) 21
Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017] Ideal size and shape: 48 bytes in 12 words o 32 bits compact on low-end: its registers o ARM Cortex M3/M4 ast on high-end: suitable or SIMD For low-end platorms: locality o operations to limit swapping limits diusion, see e.g. [Mike Hamburg, 2017] no problem or nominal number o rounds: 24 not clear how many rounds needed in Faralle 22
Xoodoo [noun, mythical] /zu: du:/ Alpine mammal that lives in compact herds, can survive avalanches and is appreciated or the wide trails it creates in the landscape. Despite its luy appearance it is very robust and does not get distracted by side channels. 23
Xoodoo [Keccak team with Seth Hoert and Johan De Meulder] https://github.com/xoodooteam/xoodoo 384-bit permutation Main purpose: usage in Faralle: XooPRF Achoue coniguration Full-state rolling unctions Eicient on wide range o platorms But also or small-state authenticated encryption, Ketje style sponge-based hashing, Keccak-p philosophy ported to Gimli dimensions 3 4 32! 24
Xoodoo state z z y y state x plane x z z y y lane x column x State: 3 horizontal planes each consisting o 4 lanes 25
Xoodoo round unction χ ρ west ρ east θ Iterated: n r rounds that dier only by round constant 26
Nonlinear mapping χ Eect on one plane: 2 1 0 complement χ as in Keccak-p, operating on 3-bit columns Involution and same propagation dierentially and linearly 27
Mixing layer θ + = column parity θ-eect old Column parity mixer: compute parity, old and add to state good average diusion, identity or states in kernel 28
Plane shit ρ east 2 shit (2,8) 1 shit (0,1) 0 Ater χ and beore θ Shits planes y = 1 and y = 2 over dierent directions 29
Plane shit ρ west 2 shit (0,11) 1 shit (1,0) 0 Ater θ and beore χ Shits planes y = 1 and y = 2 over dierent directions 30
Xoodoo pseudocode n r rounds rom i = 1 n r to 0, with a 5-step round unction: θ : ρ west : ι : χ : ρ east : P A 0 + A 1 + A 2 E P (1, 5) + P (1, 14) A y A y + E or y {0, 1, 2} A 1 A 1 (1, 0) A 2 A 2 (0, 11) A 0,0 A 0,0 + rc i B 0 A 1 A 2 B 1 A 2 A 0 B 2 A 0 A 1 A y A y + B y or y {0, 1, 2} A 1 A 1 (0, 1) A 2 A 2 (2, 8) 31
Xoodoo sotware perormance width cycles/byte per round ARM Intel bytes Cortex M3 Skylake Keccak-p[1600] 200 2.44 0.080 ChaCha 64 0.69 0.059 Gimli 48 0.91 0.074 Xoodoo 48 1.20 0.083 on Intel Haswell 32
Xoodoo diusion and conusion Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]: min. trail weights # rounds di. linear 1 2 2 2 8 8 3 36 36 6 100 100 Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto 85] A mapping satisies SAC i lipping an input bit will make each output bit lip with probability close to 1/2 Xoodoo satisies SAC ater 3 rounds in orward direction ater 2 rounds in backward direction 33
Do you think this is interesting? I m hiring! PhD positions, starting September Scope: Propagation in Xoodoo-like unctions computer-assisted bound proving mathematical uniication o attacks Interaction between modes and permutations Impact o key schedule in block ciphers DPA vulnerability o Xoodoo-like unctions 34
Thanks or your attention! χ ρeast ρwest θ 35