STRIBOB : Authenticated Encryption

Similar documents
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

Symmetric Crypto Systems

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Exam Security January 19, :30 11:30

Symmetric Crypto Systems

Leftovers from Lecture 3

Introduction to Information Security

Week 12: Hash Functions and MAC

Cryptographic Hash Functions

ECS 189A Final Cryptography Spring 2011

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Foundations of Network and Computer Security

Message Authentication Codes (MACs)

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

An introduction to Hash functions

The Hash Function JH 1

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Solution of Exercise Sheet 7

A Pseudo-Random Encryption Mode

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Authenticated Encryption Mode for Beyond the Birthday Bound Security

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

AURORA: A Cryptographic Hash Algorithm Family

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

A (Second) Preimage Attack on the GOST Hash Function

Introduction to Cryptography Lecture 4

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Differential and Correlation Power Analysis Attacks on HMAC-Whirlpool

SMASH - A Cryptographic Hash Function

New Preimage Attack on MDC-4

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Breaking Symmetric Cryptosystems Using Quantum Algorithms

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Question: Total Points: Score:

Lecture 4: DES and block ciphers

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Asymmetric Encryption

5199/IOC5063 Theory of Cryptology, 2014 Fall

Preimage Attacks on Reduced Tiger and SHA-2

Related-key Attacks Against Full Hummingbird-2

McBits: Fast code-based cryptography

Key Recovery Attack against 2.5-round π-cipher

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

CPSC 467: Cryptography and Computer Security

EME : extending EME to handle arbitrary-length messages with associated data

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Introduction to Cybersecurity Cryptography (Part 4)

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

The PHOTON Family of Lightweight Hash Functions

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Quantum Preimage and Collision Attacks on CubeHash

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Cryptanalysis of Hummingbird-2

The MD6 hash function

CPSC 467: Cryptography and Computer Security

All-Or-Nothing Transforms Using Quasigroups

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

The MD6 hash function A proposal to NIST for SHA-3

Introduction to Cybersecurity Cryptography (Part 4)

AES side channel attacks protection using random isomorphisms

SMASH - A Cryptographic Hash Function

Innovations in permutation-based crypto

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Cryptography and Security Final Exam

Lecture 12: Block ciphers

A block cipher enciphers each block with the same key.

CAESAR candidate ICEPOLE

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Cryptography and Security Final Exam

CPSC 467: Cryptography and Computer Security

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

On Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013

Notes for Lecture 9. 1 Combining Encryption and Authentication

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Analysis of cryptographic hash functions

A Composition Theorem for Universal One-Way Hash Functions

An Improved Fast and Secure Hash Algorithm

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

HASH FUNCTIONS. Mihir Bellare UCSD 1

Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway

The Security of Abreast-DM in the Ideal Cipher Model

Fundamentals of Modern Cryptography

Second Preimages for Iterated Hash Functions and their Implications on MACs

Secret Key: stream ciphers & block ciphers

On the Big Gap Between p and q in DSA

On the Security of CTR + CBC-MAC

Public-key Cryptography: Theory and Practice

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions

Transcription:

1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers '14 24 August 2014, Santa Barbara USA

2 / 19 STRIBOB Ideas Security bounds derived from Sponge Theory. Well-understood fundamental permutation: Security reduction to Streebog or Whirlpool, with rounds increased 10 12. Recyclable hardware components. STRIBOBr1: Streebog. STRIBOBr2d1: Streebog. STRIBOBr2d2: Whirlpool - "WhirlBob". Flexible, extensible domain separation with the BLNK Mode ["Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation", CT-RSA 2014.] "Explicit Domain Separation". Fully adjustable security parameters. MAC-then-continue / sessions, Half-duplex protocols.. Fairly conservative design..

History & Real World Crypto Stewed beef, GOST 5284-84 GOST Spam a.k.a. Tushonka 28149-89 Block Cipher (KGB, 1970s) R 34.11-94 was a hash (based on 28149-89) for R 34.10-94 signatures. Cryptanalysis by F. Mendel et al (2008): 2 105 collision, 2 192 preimage. R 34.11-2012 "Streebog" hash algorithm proposed in 2009. Since January 1, 2013, the Russian Federation has mandated the use of R 34.11-2012 (with R 34.10-2012). AES "monoculture" is not universally trusted in some parts of the world. STRIBOB builds a sponge AEAD algorithm from Streebog, perhaps acceptable in those markets. 3 / 19

GOST R 34.11-2012 "Streebog" Streebog is a (non-keyed) hash function that produces a 256-bit or 512-bit message digest for a bit string of arbitrary length. Streebog is Clearly AES & Whirlpool-inspired. Intended for Digital Signatures (R 34.10-2012). Also used in HMAC mode. Standard security claims: Collision resistance: m 1 and m 2, h(m 1 ) = h(m 2 ) requires 2 n 2 effort. Pre-image resistance: m for given h in h = H(m) requires 2 n effort. Second pre-image resistance: m 2 for given m 1 with h(m 1 ) = h(m 2 ) requires 2n m 2 effort. Not a Sponge, but a Miyaguchi Preneel - inspired construction: h i = E g(hi 1 )(m i ) h i 1 m i. 4 / 19

5 / 19 GOST Streebog: Computing h(m) n i=0 mi (mod 2512 ) ɛ = 0 h = 0 M = g 0 g 512 g 1024 g 512n g 0 M total length m 0 m 1 m 2 m n pad g 0 checksum h(m) Padded message M is processed in 512-bit blocks M = m 0 m 1 m n by a compression function h = g N (h, m i ). Chaining variable h has 512 bits. N is the bit offset of the block. There are finalization steps involving two invocations of g, first on the total bit length of M, and then on checksum ϵ, which is computed over all input blocks mod 2 512.

Streebog: The Compression Function g N (h, m) N h = g N (h, m) C 1 C 2 C 3 C 12 h K 1 K 2 K 3 4, 5,, 11 K 12 h m N: bit offset h: chaining value m: 512-bit message block The compression function is built form a 512 512 - bit keyless permutation and XOR operations. All data paths are 512 bits. The 12 random round constants C i are given in the standard spec. One can see the upper "line" (kinda) keying the lower line via K i. 6 / 19

7 / 19 Streebog: = L P S = L(P (S(x))) S P L S S S S S S S S S S S S S S S S S S S S S S S S S ( 8 8-bit S-Box ) S S S S S S S S S S S S S S S S S S S S S S S S S S S 0 8 16 24 32 40 48 56 1 9 17 25 33 41 49 57 2 10 18 26 34 42 50 58 3 4 ( byte transpose ) 59 60 5 6 7 13 21 29 37 45 53 61 14 22 30 38 46 54 62 15 23 31 39 47 55 63 L P S L L L ( 64 64-bit matrix ) L L L S : ("Substitution") An 8 8 - bit S-Box applied to each one of 64 bytes (8 64 = 512 bits). P : ("Permutation") Transpose of 8 8 - byte matrix. L : ("Linear") Mixing of rows with a 64 64 binary matrix. [KaKa13] L is actually an 8 8 MDS Matrix in GF(2 8 )

8 / 19 vs.. Sponge Construction for Hashing (SHA3) Built from a b-bit permutation f (π) with b = r + c r bits of rate, related to hashing speed c bits of capacity, related to security More general than traditional hash: arbitrary-length output

9 / 19 vs.. Sponge-based Authenticated Encryption Æ r d 0 d p 0 c 0 p 1 c 1 p c h 0 h IV c π π π π π π π absorbtion phase encryption phase squeezing phase 1. Absorption. Key, nonce, and associated data (d i ) are mixed. 2. Encryption. Plaintext p i is used to produce ciphertext c i. 3. Squeezing. Authentication Tag h i is squeezed from the state. 4. Why not use that final state as IV for reply and go straight to Step 2? (feature called "sessions" in Ketje and Keyak) [Sa14a] BLNK mode defines "explicit domain separation" and applies that to build ultra-light weight half-duplex protocols.

10 / 19 DuplexWrap (basic Sponge Æ Scheme) Bounds Theorem The DuplexWrap and BLNK authenticated encryption modes satisfy the following privacy and authentication security bounds: Adv priv sbob (A) < (M + N)2 k + M 2 + 4MN 2 c+1 Adv auth sbob (A) < (M + N)2 k + M 2 + 4MN 2 c+1 against any single adversary A if K $ {0, 1} k, tags of l t bits are used, and π is a randomly chosen permutation. M is the data complexity (total number of blocks queried) and N is the time complexity (in equivalents of π). Proof. Theorem 4 of [KeyakV1]. See also [AnMePr10,BeDaPeAs11].

11 / 19 STRIBOB: Sponge Permutation π For some vector of twelve 512-bit subkeys C i we define a 512-bit permutation π C (X 1 ) = X 13 with iteration x i+1 = (X i C i ) for 1 i 12. We adopt 12 rounds of as the Sponge permutation with: b Permutation size b = r + c = 512, the permutation size. r Rate r = 256 bits. c Capacity c = 256 bits. As π satisfies the indistinguishability criteria, we may choose: k Key size k = 192 bits. t Authentication tag (MAC) size t = 128 bits. k Nonce (IV) size t = 128 bits.

12 / 19 Easy Security Reduction Theorem If π C (x) can be effectively distinguished from a random permutation for some C i, so can g N (h, x) for any h and N. Proof. If h is known, so are all of the subkeys K i as those are a function of h alone. We have the equivalence g N (h, x) x h = π K (x N). Assuming that the round constants C i offer no advantage over known round keys K i, π C is as secure as π K and any distinguisher should have the same complexity. We see that a generic powerful attack against π is also an attack on g. A distinguishing attack against g does not imply a collision attack against Streebog as a whole.

Security Reduction Explained STRIBOB: Just replace C with K in π: x = π K (x) K 1 K 2 K 3 K 12 x x Streebog: We have g N (h, x) x h = π K (x N): N h = g N (h, m) C 1 C 2 C 3 C 12 h K 1 K 2 K 3 4, 5,, 11 K 12 h m 13 / 19

WHIRLBOB Variant (STRIBOBr2d2) Whirlpool is a NESSIE final portfolio algorithm and an ISO standard. If STRIBOB is accepted to R2, we will add a variant which is more directly based on Whirlpool [RiBa00] v3.0 [RiBa03]. STRIBOBr1 STRIBOBr2d1 = STRIBOBr1 STRIBOBr2d2 a.k.a. WHIRLBOB S E E 1 R E E 1 S-Box structure saves hardware gates & makes bitslicing faster. Current constant-time (timing attack resistant) bitsliced version runs at about 35 % of table lookup -based implementation. 14 / 19

STRIBOB Software Performance STRIBOB requires 12 invocations per 256 bits processed whereas Streebog requires 25 invocations per 512 bits: STRIBOB is faster. Also the runtime memory requirement is cut down to 25 %. WHIRLBOB performance is equal to STRIBOB. Implementation techniques are similar to AES. 64-bit "rows" are better suited for 64-bit architectures (AES is from 90s, 32-bit era). Algorithm Throughput AES - 128 / 192 / 256 109.2 / 90.9 / 77.9 MB/s SHA - 256 / 512 212.7 / 328.3 MB/s GOST 28147-89 53.3 MB/s GOST R 34.11-1994 20.8 MB/s GOST R 34.11-2012 109.4 MB/s STRIBOB 115.7 MB/s ( bitsliced WHIRLBOB ) > 40 MB/s -- w. current S-Boxes..as measured on my few years old Core i7 @ 2.80. 15 / 19

Briefly about FPGA Implementations Total logic on Xilinx Artix-7: WHIRLBOB: 4,946, Keyak 7,972 Report on these & a Proposal for CAESAR HW/SW API: "Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor", eprint 2014/575. 16 / 19

17 / 19 Mikko Hypponen, CRO of F-Secure, 29 Apr 2014. Implementation of secure links over TCP using the BLNK protocol. Can be used as a secure replacement for netcat. File encryption and decryption using an authenticated chunked file format; you can efficiently encrypt a backup stream up to terabytes in size. Hashing of files and streams. StriCat can also do 256- and 512-bit standard-compliant GOST Streebog hashes. Portable, self-contained, open source, POSIX compliant, relatively small (couple of thousand lines).

18 / 19 Originally written to debug real-world BLNK.. $./stricat -h stricat: STRIBOB / Streebog Cryptographic Tool. (c) 2013-4 Markku-Juhani O. Saarinen <mjos@iki.fi>. See LICENSE. stricat [OPTION].. [FILE].. -h This help text -t Quick self-test and version information Shared secret key (use twice to verify): -q Prompt for key -f <file> Use file as a key -k <key> Specify key on command line Files: -e Encrypt stdin or files (add.sb1 suffix) -d Decrypt stdin or files (must have.sb1 suffix) -s Hash stdin or files in STRIBOB BNLK mode (optionally keyed) -g GOST R 34.11-2012 unkeyed Streebog hash with 256-bit output -G GOST R 34.11-2012 unkeyed Streebog hash with 512-bit output Communication via BLNK protocol: -p <port> Specify TCP port (default 48879) -c <host> Connect to a specific host (client) -l Listen to incoming connection (server) http://www.stribob.com/stricat

19 / 19 References.. Sa14a "Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation" CT-RSA 2014, IACR eprint 2013/772. Sa14b "STRIBOB: Authenticated Encryption from GOST R 34.11-2012 Permutation (Extended Abstract)" CTCrypt '14, IACR eprint 2014/271. Sa14c "Lighter, Faster, and Constant-Time: WHIRLBOB, the Whirlpool variant of STRIBOB", Submitted for publication, eprint 2014/501. Sa14d "Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor", Submitted for publication, IACR eprint 2014/575. http://www.stribob.com http://www.mjos.fi

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback