Innovations in permutation-based crypto 1 / 35
Joan Daemen (1, 2)
based on joint work with Guido Bertoni (3), Seth Hoffert, Michaël Peeters (1), Gilles Van Assche (1) and Ronny Van Keer (1)
(1) STMicroelectronics, (2) Radboud University, (3) Security Pattern
ECC, Nijmegen, November 14, 2017

Pseudo-random function (PRF) 2 / 35
[Figure labels: input, …]

Stream encryption 3 / 35
[Figure labels: nonce, plaintext, = ciphertext]

Message authentication (MAC) 4 / 35
[Figure labels: plaintext]

Authenticated encryption 5 / 35
[Figure labels: plaintext, nonce, plaintext, = ciphertext]

String sequence input and incrementality 6 / 35
    after packet #1: $F_K\left(P^{(1)}\right)$
    after packets #1, #2: $F_K\left(P^{(2)} \circ P^{(1)}\right)$
    after packets #1, #2, #3: $F_K\left(P^{(3)} \circ P^{(2)} \circ P^{(1)}\right)$

Session authenticated encryption (SAE) [KT, SAC 2011] 7 / 35
Initialization taking nonce $N$
    $T \leftarrow 0^t + F_K(N)$
    $\text{history} \leftarrow N$
    return tag $T$ of length $t$
Wrap taking metadata $A$ and plaintext $P$
    $C \leftarrow P + F_K(A \circ \text{history})$
    $T \leftarrow 0^t + F_K(C \circ A \circ \text{history})$
    $\text{history} \leftarrow C \circ A \circ \text{history}$
    return ciphertext $C$ of length $|P|$ and tag $T$ of length $t$
[Figure labels: K, N; inputs A(1) P(1), A(2) P(2), A(3) P(3); outputs T(0), C(1) T(1), C(2) T(2), C(3) T(3)]
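The SAE session above as a runnable sketch. This is an added example, not code from the slides or from the Keccak Team: `F` is an assumed stand-in PRF (SHAKE128 with the key as first input, strings length-prefixed so the sequence encoding is injective), and `unwrap` is an assumed mirror of the Wrap steps, which the slide does not show.

```python
import hashlib
import hmac

def F(key, strings, n):
    # Assumed stand-in for F_K on a string sequence: key first, each string length-prefixed.
    enc = b"".join(len(s).to_bytes(8, "big") + s for s in (key, *strings))
    return hashlib.shake_128(enc).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Session:
    def __init__(self, key, nonce, t=16):
        self.key, self.t = key, t
        self.history = [nonce]                        # history <- N
        self.tag = F(key, self.history, t)            # T <- 0^t + F_K(N)

    def wrap(self, A, P):
        C = xor(P, F(self.key, [A] + self.history, len(P)))  # C <- P + F_K(A ◦ history)
        self.history = [C, A] + self.history                 # history <- C ◦ A ◦ history
        return C, F(self.key, self.history, self.t)          # T <- 0^t + F_K(C ◦ A ◦ history)

    def unwrap(self, A, C, T):
        # Hypothetical receiver side: verify the tag first, commit state only on success.
        candidate = [C, A] + self.history
        if not hmac.compare_digest(T, F(self.key, candidate, self.t)):
            return None
        P = xor(C, F(self.key, [A] + self.history, len(C)))
        self.history = candidate
        return P

def demo():
    key, nonce = b"K" * 16, b"constructed-nonce"      # constructed sample values
    tx, rx = Session(key, nonce), Session(key, nonce)
    c1, t1 = tx.wrap(b"hdr1", b"first packet")
    c2, t2 = tx.wrap(b"hdr2", b"second packet")
    out_of_order = rx.unwrap(b"hdr2", c2, t2)         # packet 2 before packet 1: rejected
    p1 = rx.unwrap(b"hdr1", c1, t1)
    replay = rx.unwrap(b"hdr1", c1, t1)               # same packet again: rejected
    p2 = rx.unwrap(b"hdr2", c2, t2)
    return out_of_order, p1, replay, p2
```

Because every tag covers the whole history, a receiver rejects packets that are reordered, replayed or dropped, not only packets that are modified.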

Synthetic initialization value (SIV) of [KT, eprint 2016/1188] 8 / 35
Variant of SIV of [Rogaway & Shrimpton, EC 2006]
Unwrap taking metadata $A$, ciphertext $C$ and tag $T$
    $P \leftarrow C + F_K(T \circ A)$
    $\tau \leftarrow 0^t + F_K(P \circ A)$
    if $\tau \neq T$ then return error!
    else return plaintext $P$ of length $|C|$
[Figure labels: P, A, F_K, F_K, T, C]
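The SIV Unwrap above, with a matching wrap, as an added example that is not code from the slides. Assumptions: `F` is a stand-in PRF (SHAKE128, key first, length-prefixed strings), and `siv_wrap` is obtained by running the two Unwrap assignments in the opposite order, since the slide shows only Unwrap.

```python
import hashlib
import hmac

def F(key, strings, n):
    # Assumed stand-in for F_K on a string sequence: key first, each string length-prefixed.
    enc = b"".join(len(s).to_bytes(8, "big") + s for s in (key, *strings))
    return hashlib.shake_128(enc).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def siv_wrap(key, A, P, t=16):
    T = F(key, [P, A], t)                    # T <- 0^t + F_K(P ◦ A)
    C = xor(P, F(key, [T, A], len(P)))       # C <- P + F_K(T ◦ A)
    return C, T

def siv_unwrap(key, A, C, T):
    P = xor(C, F(key, [T, A], len(C)))       # P <- C + F_K(T ◦ A)
    tau = F(key, [P, A], len(T))             # tau <- 0^t + F_K(P ◦ A)
    return P if hmac.compare_digest(tau, T) else None   # error if tau != T

def demo():
    key, A = b"K" * 16, b"constructed header"            # constructed sample values
    P1, P2 = b"attack at dawn", b"attack at dusk"
    C1, T1 = siv_wrap(key, A, P1)
    C2, T2 = siv_wrap(key, A, P2)
    return {
        "roundtrip": siv_unwrap(key, A, C1, T1),
        # No nonce: wrapping the same (A, P) twice gives the same (C, T).
        "deterministic": siv_wrap(key, A, P1) == (C1, T1),
        # The tag acts as the IV, so a shared 11-byte plaintext prefix is not
        # visible as a shared ciphertext prefix.
        "prefix_hidden": C1[:11] != C2[:11] and T1 != T2,
        "bad_ciphertext": siv_unwrap(key, A, bytes([C1[0] ^ 1]) + C1[1:], T1),
        "bad_metadata": siv_unwrap(key, b"other header", C1, T1),
        "bad_tag": siv_unwrap(key, A, C1, bytes([T1[0] ^ 1]) + T1[1:]),
    }
```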

Wide block cipher (WBC), as in [KT, eprint 2016/1188] 9 / 35
Inspired by HHFHFH of [Bernstein, Nandi & Sarkar, Dagstuhl 2016]
Encipher $P$ with $K$ and tweak $W$
    $(L, R) \leftarrow \text{split}(P)$
    $R_0 \leftarrow R_0 + H_K(L \circ 0)$
    $L \leftarrow L + G_K(R \circ W \circ 1)$
    $R \leftarrow R + G_K(L \circ W \circ 0)$
    $L_0 \leftarrow L_0 + H_K(R \circ 1)$
    $C \leftarrow L \parallel R$
    return ciphertext $C$ of length $|P|$
[Figure labels: P′ left, P′ right, W, H_K(... ◦ 0), G_K(... ◦ 1), G_K(... ◦ 0), H_K(... ◦ 1), C left, C right]
How to build a PRF? By icelight (flickr.com) 10 / 35

Sponge [Keccak Team, Ecrypt 2008] 11 / 35
Taking K as first part of input gives a PRF
[Figure labels: input, output; r, c; 0, 0; f; outer, inner; absorbing, squeezing]
More efficient: donkeySponge [Keccak Team, DIAC 2012] 12 / 35

Incrementality: duplex [Keccak Team, SAC 2011] 13 / 35
[Figure labels: σ_0, σ_1, σ_2; Z_0, Z_1, Z_2; pad, trunc; r, c; 0, 0; f; outer, inner; initialize, duplexing, duplexing, duplexing]

More efficient: MonkeyDuplex [Keccak Team, DIAC 2012] 14 / 35
Instances: Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014]
+ half a dozen other CAESAR submissions

Consolidation: Full-state keyed duplex 15 / 35
[Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015]
[Daemen, Mennink & Van Assche, Asiacrypt 2017]
[Figure labels: K, iv, f, Z]

SAE with full-state keyed duplex: Motorist [KT, Keyak 2015] 16 / 35
[Figure labels: SUV; A(1), P(1), P(2), A(3); T(0), C(1), T(1), C(2), T(2), T(3)]

How to build a parallelizable PRF? 17 / 35
[Photos: by Peter Miller (flickr.com); by Barilla Food Service]

Farfalle: early attempt [KT 2014-2016] 18 / 35
Similar to Protected Counter Sums [Bernstein, "stretch", JOC 1999]
Problem: collisions with higher-order differentials if f has low degree
[Figure labels: M_0, M_1, …, M_i; k; f; Z_0, Z_1, …, Z_j]

Farfalle now [Keccak Team + Seth Hoffert, ToSC 2017] 19 / 35
Input mask rolling and $p_c$ against accumulator collisions
State rolling, $p_e$ and output mask against state retrieval at output
Middle $p_d$ against higher-order DC
Input-output attacks have to deal with $p_e \circ p_d \circ p_c$
[Figure labels: K ∥ 10*, p_b, k, k′, p_c, p_d, p_e; m_0, m_1, …, m_i; z_0, z_1, …, z_j]

Kravatte = Farfalle with Keccak-p as in eprint 2016/1188 20 / 35
Target security: 128 bits, incl. multi-target
$p_i$ = Keccak-p[1600] with # rounds in $p_b$, $p_c$, $p_d$, $p_e$ being 6, 6, 4, 4
Rolling function as in [Granger, Jovanovic, Mennink & Neves, EC 2016], linear with order $2^{320} - 1$
[Figure labels: K ∥ 10*, p_b, k, k′, p_c, p_d, p_e; m_0, m_1, …, m_i; z_0, z_1, …, z_j]

Kravatte as in TOSC 2018 21 / 35
Due to theoretical attack reversing last rounds, increase # rounds
$p_i$ = Keccak-p[1600] with # rounds 6666: Achouffe configuration
Disadvantage of Kravatte: 200-byte granularity
[Figure labels: K ∥ 10*, f, k, k′; m_0, m_1, …, m_i; z_0, z_1, …, z_j]
by Perrie Nicholas Smith (perriesmith.deviantart.com) 22 / 35

Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017] 23 / 35
Gimli has ideal size and shape:
    48 bytes in 12 words of 32 bits
    fits in registers of ARM Cortex M3/M4 and suitable for SIMD
For low-end platforms: locality of operations
    minimizes swapping on AVR, M0, etc.
    limits diffusion, see e.g. [Mike Hamburg, 2017]
    no problem for nominal number of rounds: 24
    not clear how many rounds needed in Farfalle