Innovations in permutation-based crypto (PowerPoint PPT presentation)

  1. Innovations in permutation-based crypto
     Joan Daemen (1, 2), based on joint work with Guido Bertoni (3), Seth Hoffert, Michaël Peeters (1), Gilles Van Assche (1) and Ronny Van Keer (1)
     1 STMicroelectronics, 2 Radboud University, 3 Security Pattern
     Cryptacus Training School, Azores, April 17, 2018

  2. Pseudo-random function (PRF) [diagram: F_K maps an input to an output]

  3. Stream encryption [diagram: keystream derived from the nonce; plaintext + keystream = ciphertext]

  4. Message authentication (MAC) [diagram: tag computed over the plaintext, plaintext sent along with it]

  5. Authenticated encryption [diagram: nonce and plaintext in; plaintext + keystream = ciphertext, plus a tag]

  6. String sequence input and incrementality [diagram: F_K applied to the string sequence P(3) ◦ P(2) ◦ P(1), i.e. packet #1, packet #2, packet #3, with an output per packet]

  7. Session authenticated encryption (SAE) [KT, SAC 2011]
     Initialization taking nonce N:
       T ← 0^t + F_K(N)
       history ← N
     Wrap taking metadata A and plaintext P:
       C ← P + F_K(A ◦ history)
       T ← 0^t + F_K(C ◦ A ◦ history)
       history ← C ◦ A ◦ history
       return ciphertext C of length |P| and tag T of length t
     [diagram: after initialization with K, N, successive wraps of (A(1), P(1)), (A(2), P(2)), (A(3), P(3)) produce T(0), C(1), T(1), C(2), T(2), C(3), T(3)]

  8. Synthetic initialization value (SIV) of [KT, eprint 2016/1188], variant of the SIV of [Rogaway & Shrimpton, EC 2006]
     Unwrap taking metadata A, ciphertext C and tag T:
       P ← C + F_K(T ◦ A)
       τ ← 0^t + F_K(P ◦ A)
       if τ ≠ T then return error!
       else return plaintext P of length |C|
     [diagram: two calls of F_K, one over P and A giving T, one over T and A giving C]

  9. How to build a PRF? (image by icelight, flickr.com)

  10. Sponge [Keccak Team, Ecrypt 2008]
     [diagram: state with outer part (r bits) and inner part (c bits), both initialized to 0; absorbing phase adds input blocks into the outer part between calls of f, squeezing phase takes output blocks from the outer part between calls of f]
     ▶ Taking K as first part of input gives a PRF

  11. More efficient: donkeySponge [Keccak Team, DIAC 2012]

  12. Incrementality: duplex [Keccak Team, SAC 2011]
     [diagram: outer part r and inner part c initialized to 0; after initialization, each duplexing call pads the input σ_i into the outer part, applies f, and truncates the outer part to the output Z_i, for σ_0, σ_1, σ_2 giving Z_0, Z_1, Z_2]

  13. More efficient: MonkeyDuplex [Keccak Team, DIAC 2012]
     Instances:
     ▶ Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014]
     ▶ + half a dozen other CAESAR submissions

  14. Consolidation: Full-state keyed duplex [Mennink, Reyhanitabar & Vizár, Asiacrypt 2015] [Daemen, Mennink & Van Assche, Asiacrypt 2017]
     [diagram: K and iv loaded into the state, then f applied; input blocks enter and output blocks Z leave across the full state at each call]

  15. SAE with full-state keyed duplex: Motorist [KT, Keyak 2015]
     [diagram: starting from the SUV, plaintext blocks P(1), P(2) and metadata blocks A(1), A(3) are processed into C(1), C(2) and tags T(0), T(1), T(2), T(3)]

  16. How to build a parallelizable PRF? (image by Barilla Food Service)

  17. Farfalle: early attempt [KT 2014-2016]
     Similar to Protected Counter Sums [Bernstein, “stretch”, JOC 1999]
     Problem: collisions with higher-order differentials if f has low degree
     [diagram: each input block M_i is masked with k and the counter i, passed through f and added into an accumulator; each output block Z_j is produced by f from the accumulator masked with k and the counter j]

  18. Farfalle now [Keccak Team + Seth Hoffert, ToSC 2018]
     [diagram: mask k = p_b(K ∥ 10*); input block m_i is added to the i-th rolling of k, passed through p_c and added into the accumulator; p_d is applied to the accumulator; for output block z_j the state is rolled j times, passed through p_e and masked with k′, the (i + 2)-th rolling of k]
     ▶ Input mask rolling and p_c against accumulator collisions
     ▶ State rolling, p_e and output mask against state retrieval at output
     ▶ Middle p_d against higher-order DC
     ▶ Input-output attacks have to deal with p_e ◦ p_d ◦ p_c

  19. Kravatte as in ToSC 2018
     [diagram: Farfalle with p_b = p_c = p_d = p_e = f, k = f(K ∥ 10*), k′ the (i + 2)-th rolling of k]
     ▶ Target security: 128 bits, incl. multi-target and quantum adversaries
     ▶ p_i = Keccak-p[1600] with # rounds (6, 6, 6, 6): Achouffe configuration
     ▶ Input mask rolling with LFSR, state rolling with NLFSR

  20. In which sense is Kravatte lightweight?
     [diagram: Kravatte as on the previous slide]
     ▶ Workload per round (in HW or bit-slice SW)
       • AES: 16 XORs and 4 ANDs per bit
       • Keccak-p: 3 XORs and 1 AND per bit
     ▶ Number of rounds
       • AES CBC or CTR: 10 rounds
       • Kravatte compress or expand: 6 rounds
     ▶ Disadvantage of Kravatte: 200-byte granularity

  21. (image by Perrie Nicholas Smith, perriesmith.deviantart.com)

  22. Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017]
     ▶ Ideal size and shape: 48 bytes in 12 words of 32 bits
       • compact on low-end: fits registers of ARM Cortex M3/M4
       • fast on high-end: suitable for SIMD
     ▶ For low-end platforms: locality of operations to limit swapping
       • limits diffusion, see e.g. [Mike Hamburg, 2017]
       • no problem for nominal number of rounds: 24
       • not clear how many rounds needed in Farfalle

  23. Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very robust and does not get distracted by side channels.

  24. Xoodoo [Keccak team with Seth Hoffert and Johan De Meulder] https://github.com/XoodooTeam/Xoodoo
     ▶ 384-bit permutation
     ▶ Main purpose: usage in Farfalle: XooPRF
       • Achouffe configuration
       • Full-state rolling functions
       • Efficient on wide range of platforms
     ▶ But also for
       • small-state authenticated encryption, Ketje style
       • sponge-based hashing, …
     Keccak-p philosophy ported to Gimli dimensions 3 × 4 × 32!

  25. Xoodoo state
     [diagram: state with coordinates x, y, z; a plane is the set of bits at fixed y, a lane the set of bits at fixed (x, y), a column the set of bits at fixed (x, z)]
     ▶ State: 3 horizontal planes each consisting of 4 lanes

  26. Xoodoo round function
     [diagram: round built from θ, ρ_west, χ and ρ_east]
     Iterated: n_r rounds that differ only by round constant

  27. Effect on one plane: nonlinear mapping χ
     [diagram: χ acting on the 3 bits (y = 0, 1, 2) of a column, with a complement]
     ▶ χ as in Keccak-p, operating on 3-bit columns
     ▶ Involution and same propagation differentially and linearly

  28. Mixing layer θ
     [diagram: column parity computed, folded (the θ-effect) and added to the state]
     ▶ Column parity mixer: compute parity, fold and add to state
     ▶ Good average diffusion, identity for states in kernel

  29. Plane shift ρ_east
     [diagram: plane 0 unchanged, plane 1 shifted by (0, 1), plane 2 shifted by (2, 8)]
     ▶ After χ and before θ
     ▶ Shifts planes y = 1 and y = 2 over different directions

  30. Plane shift ρ_west
     [diagram: plane 0 unchanged, plane 1 shifted by (1, 0), plane 2 shifted by (0, 11)]
     ▶ After θ and before χ
     ▶ Shifts planes y = 1 and y = 2 over different directions

  31. Xoodoo pseudocode
     n_r rounds from i = 1 − n_r to 0, with a 5-step round function:
     θ:       P ← A_0 + A_1 + A_2
              E ← P ≪ (1, 5) + P ≪ (1, 14)
              A_y ← A_y + E for y ∈ {0, 1, 2}
     ρ_west:  A_1 ← A_1 ≪ (1, 0)
              A_2 ← A_2 ≪ (0, 11)
     ι:       A_{0,0} ← A_{0,0} + rc_i
     χ:       B_0 ← ¬A_1 · A_2
              B_1 ← ¬A_2 · A_0
              B_2 ← ¬A_0 · A_1
              A_y ← A_y + B_y for y ∈ {0, 1, 2}
     ρ_east:  A_1 ← A_1 ≪ (0, 1)
              A_2 ← A_2 ≪ (2, 8)
     (A_y is plane y; a shift (t, v) moves lanes t positions along x and rotates each lane by v bits along z; + is XOR, · is AND, ¬ is complement.)
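The five-step round above written out in C, as an added example that is not code from the talk or from the Xoodoo repository. The lane layout (lane (x, y) at index x + 4y), the helper names and the constructed check states are this example's own choices; the round constants are assumed to be those of the Xoodoo reference code and should be verified against the repository linked on slide 24.

```c
#include <stdint.h>
#include <string.h>

/* State: 3 planes (y) of 4 lanes (x) of 32 bits; lane (x, y) lives at a[x + 4*y]. */
#define LANE(a, x, y) ((a)[((x) & 3) + 4 * (y)])
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* rc_i for rounds i = -11 .. 0, in application order (assumption: copied from the
   Xoodoo reference code; verify against the repository before relying on them). */
static const uint32_t XOODOO_RC[12] = {
    0x00000058, 0x00000038, 0x000003C0, 0x000000D0, 0x00000120, 0x00000014,
    0x00000060, 0x0000002C, 0x00000380, 0x000000F0, 0x000001A0, 0x00000012 };

/* theta: P = A0 + A1 + A2, E = P <<< (1,5) + P <<< (1,14), A_y += E.
   A shift (t, v) moves lanes t steps along x and rotates each lane by v bits. */
void xoodoo_theta(uint32_t a[12]) {
    uint32_t p[4], e[4];
    for (int x = 0; x < 4; x++) p[x] = LANE(a, x, 0) ^ LANE(a, x, 1) ^ LANE(a, x, 2);
    for (int x = 0; x < 4; x++) e[x] = ROTL32(p[(x + 3) & 3], 5) ^ ROTL32(p[(x + 3) & 3], 14);
    for (int x = 0; x < 4; x++) for (int y = 0; y < 3; y++) LANE(a, x, y) ^= e[x];
}

/* One round: theta, rho_west, iota, chi, rho_east, in the order of the pseudocode slide. */
void xoodoo_round(uint32_t a[12], uint32_t rc) {
    uint32_t b[12];
    xoodoo_theta(a);
    for (int x = 0; x < 4; x++) b[x] = LANE(a, x - 1, 1);          /* rho_west: A1 <<< (1,0) */
    for (int x = 0; x < 4; x++) { LANE(a, x, 1) = b[x]; LANE(a, x, 2) = ROTL32(LANE(a, x, 2), 11); }
    a[0] ^= rc;                                                    /* iota on lane (0,0) */
    for (int x = 0; x < 4; x++) for (int y = 0; y < 3; y++)        /* chi on 3-bit columns */
        LANE(b, x, y) = ~LANE(a, x, (y + 1) % 3) & LANE(a, x, (y + 2) % 3);
    for (int i = 0; i < 12; i++) a[i] ^= b[i];
    for (int x = 0; x < 4; x++) { LANE(a, x, 1) = ROTL32(LANE(a, x, 1), 1); b[x] = ROTL32(LANE(a, x - 2, 2), 8); }
    for (int x = 0; x < 4; x++) LANE(a, x, 2) = b[x];              /* rho_east: A1 <<< (0,1), A2 <<< (2,8) */
}

/* Xoodoo[nr], nr <= 12: rounds i = 1 - nr .. 0, i.e. the last nr constants of the table. */
void xoodoo_permute(uint32_t a[12], int nr) {
    for (int i = 12 - nr; i < 12; i++) xoodoo_round(a, XOODOO_RC[i]);
}

/* Constructed checks: lane (x,y) after theta on a single-bit state, and after nr rounds from zero. */
uint32_t theta_single_bit_lane(int x, int y) { uint32_t s[12] = {0}; s[0] = 1; xoodoo_theta(s); return LANE(s, x, y); }
uint32_t zero_state_lane(int nr, int x, int y) { uint32_t s[12] = {0}; xoodoo_permute(s, nr); return LANE(s, x, y); }
/* Column-parity kernel (slide 28): every column parity is 0, so theta must act as the identity. */
int theta_fixes_kernel_state(void) {
    uint32_t s[12] = {0}, t[12]; s[0] = s[4] = 0xDEADBEEF;
    memcpy(t, s, sizeof t); xoodoo_theta(t); return memcmp(s, t, sizeof t) == 0;
}
```

A single set bit in lane (0,0) spreads through θ into all three lanes of column x = 1 (the θ-effect), while the kernel state is left untouched, which is the diffusion behaviour slide 28 describes.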

  32. Xoodoo software performance (cycles/byte per round)
     permutation     | width     | ARM Cortex M3 | Intel Skylake
     Keccak-p[1600]  | 200 bytes | 2.44          | 0.080
     Xoodoo          | 48 bytes  | 0.69          | 0.059
     Gimli           | 48 bytes  | 0.91          | 0.074*
     ChaCha          | 64 bytes  | 1.20          | 0.083*
     * on Intel Haswell

  33. Xoodoo diffusion and confusion
     Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto ’85]: a mapping satisfies SAC if flipping an input bit will make each output bit flip with probability close to 1/2.
     Xoodoo satisfies SAC
     ▶ after 3 rounds in forward direction
     ▶ after 2 rounds in backward direction
     Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]:
     # rounds | min. diff. trail weight | min. linear trail weight
     1        | 2                       | 2
     2        | 8                       | 8
     3        | 36                      | 36
     6        | ≥ 100                   | ≥ 100

  34. Do you think this is interesting? I’m hiring!
     PhD positions, starting September. Scope:
     ▶ Propagation in Xoodoo-like functions
       • computer-assisted bound proving
       • mathematical unification of attacks
     ▶ Interaction between modes and permutations
     ▶ Impact of key schedule in block ciphers
     ▶ DPA vulnerability of Xoodoo-like functions
     ▶ …

  35. Thanks for your attention! [diagram: Xoodoo round function χ, ρ_west, ρ_east, θ]
