Introduction State Recovery Forgery Tradeoffs The end

Cryptanalysis of FIDES
Itai Dinur (1), Jérémy Jean (1, 2)
(1) École Normale Supérieure, France
(2) Nanyang Technological University, Singapore
FSE 2014 – March 3, 2014

FSE 2014 – Itai Dinur, Jérémy Jean – Cryptanalysis of FIDES 1/23

Authenticated Encryption (AE)

Motivations
◮ Crypto is not only about encryption
◮ Integrity and authenticity are often required
◮ Existing solutions (modes, MAC)
◮ Few dedicated ciphers
◮ Recent focus on this topic with the CAESAR competition

Regular cipher: (M, K) → C
AE: (M, K) → (C, T)
AEAD: (M, K, A) → (C, T, A)

M: plaintext
C: ciphertext
K: key
T: authentication tag
A: optional associated data

Description of FIDES (1/2)

FIDES
◮ Designed by Bilgin et al. and published at CHES 2013
◮ Nonce-based lightweight authenticated cipher (N)
◮ Key sizes: 80 and 96 bits (K)
◮ Handles optional associated data (A)
◮ Leak-extraction structure similar to the duplex sponge construction
◮ Permutation: application of an unkeyed AES round

[Figure: FIDES structure, with labels K || N, 16 Rounds, A_0, A_1, ..., A_{v-1}, M_0 / C_0, ..., M_{n-1} / C_{n-1}, 1 Round (between blocks), K || 0, 16 Rounds, Truncate, T, 16c]

Description of FIDES (2/2)

Internal state
◮ Internal state of 4 × 8 × c bits
◮ Nibble size c:
  ◮ c = 5 for FIDES-80
  ◮ c = 6 for FIDES-96

One Round of the Internal Permutation
◮ Extract 2c-bit mask
◮ 2c-bit message injection
◮ AES-like operations: SB, SR, MC, AC.
◮ Suboptimal diffusion matrix (non MDS)

Diffusion Matrix
$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$

[Figure: one round, with labels M_i, RC_i, SB, SR, MC, AC, Inj]

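Added example (not from the slides): a brute-force check that the diffusion matrix M above is not MDS, by computing its branch number. It assumes M is applied to a column of four c-bit nibbles with XOR as addition (the entries are 0/1, so no field polynomial is involved); the function names are hypothetical.

```python
from itertools import product

# Diffusion matrix as given on the slide. Entries are 0 or 1, so "multiply"
# is either drop or keep, and addition in GF(2^c) is XOR.
M = [
    [0, 1, 1, 1],
    [1, 0, 1, 1],
    [1, 1, 0, 1],
    [1, 1, 1, 0],
]

def mix_column(col):
    """Apply M to one column of four nibbles (assumed column-wise MC)."""
    out = []
    for row in M:
        acc = 0
        for coeff, nibble in zip(row, col):
            if coeff:
                acc ^= nibble
        out.append(acc)
    return out

def weight(col):
    """Number of nonzero (active) nibbles in a column."""
    return sum(1 for n in col if n)

def branch_number(c):
    """Return (min of wt(x) + wt(Mx) over nonzero x, one column reaching it)."""
    best, witness = None, None
    for col in product(range(1 << c), repeat=4):
        if not any(col):
            continue
        total = weight(col) + weight(mix_column(col))
        if best is None or total < best:
            best, witness = total, col
    return best, witness

def is_mds(c):
    # A 4x4 matrix is MDS exactly when its branch number is 4 + 1 = 5.
    return branch_number(c)[0] == 5

if __name__ == "__main__":
    c = 5  # FIDES-80 nibble size; about 2^20 columns to enumerate
    b, w = branch_number(c)
    print(f"c={c}: branch number {b}, witness {w} -> {mix_column(w)}")
    # A column with two equal active nibbles maps to two active nibbles.
    print(mix_column([1, 1, 0, 0]))
```

A single active input nibble activates only three output nibbles because of the zero diagonal, so differences spread more slowly than with an MDS matrix.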
Leakage and Security Claims

Leakage
◮ The same positions are used to leak and inject nibbles
◮ 2c out of 32c bits are leaked before each round

Security Claims
◮ Nonce-respecting adversary assumption
◮ Attack scenarios: state recovery, key recovery and forgery
◮ FIDES advertises 16c-bit security against all scenarios

Our Attack
◮ State recovery can be done in $2^{15c}$ operations
◮ We can forge any message after a state recovery

Similar designs

FIDES is reminiscent of other AES-based designs using leak-extraction.

ALE [BMR+13]
◮ 128-bit AE cipher
◮ 4/16 leaked nibbles per round
◮ Inject 16 nibbles every 4 rounds
Broken [KR13]

LEX [Bir06]
◮ 128-bit key stream cipher
◮ 4/16 leaked nibbles per round
◮ No injection (stream cipher)
Broken [DK13, BDF11]

Alpha-MAC [DR05]
◮ 128-bit MAC
◮ 4 nibbles injected per round
◮ No extraction
Broken [YWJ+09, BDF11]

ASC-1 [JK11]
◮ 128-bit AE cipher
◮ 4/16 leaked nibbles per round
◮ Inject 16 nibbles every 4 rounds
◮ Whitening key before leakage

Results on FIDES

Results
Cipher     Data         Time       Memory     Generic    Ref
FIDES-80   1 KP         $2^{75}$   $2^{15}$   $2^{80}$   This paper
FIDES-80   $2^{64}$ KP  $2^{73}$   $2^{64}$   $2^{80}$   Long version
FIDES-96   1 KP         $2^{90}$   $2^{18}$   $2^{96}$   This paper
FIDES-96   $2^{77}$ KP  $2^{88}$   $2^{77}$   $2^{96}$   Long version

Notes:
◮ Guess-and-determine attacks
◮ Recover the internal state
◮ Allow forging arbitrary messages

Preliminaries (1/2)

How many leaked nibbles are needed to recover the state faster than exhaustive search?

Information theoretically speaking:
◮ The state consists of 32 nibbles
◮ Known-plaintext scenario
◮ 15 rounds would leak a total of (15 + 1) × 2 = 32 state nibbles
◮ Uniquely determine the state
◮ But analyzing 15 consecutive AES-like rounds is difficult

[Figure: Initialization (K || N, 16 Rounds) followed by a chain of 1 Round steps with a 2c-bit label at each step, then Truncate and T]

Preliminaries (2/2)

With n ∈ [0, 14] rounds:
◮ Reduce the analysis to n consecutive AES-like rounds
◮ A total of (n + 1) × 2 state nibbles are leaked
◮ Unicity of the state no longer true: about $2^{(32 - 2n - 2) \times c}$ different initial states would leak the same sequence
◮ Goal: Generating all of them in less than $2^{16c}$ computations
◮ $32 - 2n - 2 < 16 \implies n \geq 8$.

Our Attack
◮ We use the knowledge of 18 leaked nibbles, in 9 consecutive states linked by n = 8 rounds (in fact, only 17 nibbles)
◮ Data: less than 16 bytes of a single known plaintext
◮ Time: about $2^{15c}$ computations to enumerate the $2^{(32 - 17)c} = 2^{15c}$ state candidates
◮ Check: additional leaked bytes, or authentication tag T.

High-Level Overview of the State-Recovery Attack

[Figure: states X_0, X_1, ..., X_8 linked by eight 1-round (1R) transitions, with markings for N_1, N_2, T_1 and T_2]

Steps of the Guess-and-determine Procedure
1. Guess the 12 nibbles in the set $N_1$
2. Determine other nibble values ($N'_1$)
3. Construct two tables $T_1$ and $T_2$ (independently)
4. Guess the 3 nibbles in the set $N_2$
5. Determine new nibble values ($N'_2$)