Ketje and Keyak
Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1), Ronny Van Keer (1)
(1) STMicroelectronics, (2) NXP Semiconductors
DIAC 2014
Outline
1 Overview
2 Keyak
3 Ketje
4 Conclusions and Current Developments
Overview
- Inspired by Keccak and Duplex
- Keyak, targeting high performances: using reduced-round Keccak-f[1600] or Keccak-f[800]; optionally parallelizable
- Ketje, targeting lightweight: using reduced-round Keccak-f[400] or Keccak-f[200]
Two approaches
Keyak: DuplexWrap construction
- a (strong) permutation
- fixed #rounds
- block-oriented
- permutation-level cryptanalysis
Ketje: MonkeyWrap construction
- a (thin) round function
- #rounds in phases
- stream-oriented
- round function + cryptanalysis
Keyak goals
- Nonce-based AE function
- 128-bit security (incl. multi-target)
- Sequence of header-body pairs keeping the state during the session
- Optionally parallelizable
- Using reduced-round Keccak-f[1600] or Keccak-f[800], to allow
  - implementation re-use
  - cryptanalysis re-use
  - reasonable side-channel protections
  - (… and because we like it …)
Duplex layer (Keyak)
[figure: the duplex construction] using Keccak-p[1600, n_r = 12] or Keccak-p[800, n_r = 12]
DuplexWrap layer (Keyak)
DuplexWrap is a nonce-based authenticated encryption mode; it works on sequences of header-body pairs.
[figure: header-body pairs A(1), B(1), A(2), B(2), A(3) processed in one session, producing ciphertexts C(1), C(2) and tags T(1), T(2), T(3)]
A(1) contains the key and must be unique, e.g.:
- A(1) contains a session key used only once;
- A(1) contains a key and a nonce.
In general: A(1) = key || nonce || associated data.
Inside DuplexWrap (Keyak)
[figure: the successive duplexing calls (d), with frame bits +00, +00, +01, +11, +10 appended to their inputs]
Keyak instances and efficiency
Name          Width b   Parallelism P
River Keyak   800       1
Lake Keyak    1600      1
Sea Keyak     1600      2
Ocean Keyak   1600      4
Processing for Lake Keyak:
- short messages: 24 rounds
- long messages: about 50 % of SHAKE128
Working memory footprint:
- reasonable on high- and middle-end platforms
- not ideal on constrained platforms
Security of Keyak
Generic security of Keyak thanks to a combination of results:
- Sound tree hashing modes [IJIS 2013] for parallelized modes
- Keyed sponge indistinguishability [SKEW 2011 + work in progress]
- SpongeWrap generic security [SAC 2011], adapted to DuplexWrap
Safety margin against shortcut attacks:
- Practical attacks up to 6 rounds [Dinur et al. SHA-3 2014]
- Academic attacks up to 9 rounds [Dinur et al. SHA-3 2014]
Ketje goals
- Nonce-based AE function
- 96-bit or 128-bit security (incl. multi-target)
- Sequence of header-body pairs keeping the state during the session
- Small footprint
- Target niche: secure channel protocol on secure chips
  - banking card, ID, (U)SIM, secure element, FIDO, etc.
  - secure chip has strictly incrementing counter
- Using reduced-round Keccak-f[400] or Keccak-f[200], to allow
  - implementation re-use
  - cryptanalysis re-use
  - reasonable side-channel protections
  - (… and because we like it …)
Inside Ketje: the MonkeyDuplex layer
- n_start = 12 rounds: should provide strong instance separation
- n_step = 1, r = 2b/25: should avoid single-instance state retrieval
- n_stride = 6 rounds: should avoid a forgery with one instance
Inside MonkeyWrap (Ketje)
[figure: one start call, then step calls and a stride call, with frame bits +00, +00, +01, +11, +10 appended to their inputs]
Ketje instances and lightweight features
feature                                 Ketje Jr    Ketje Sr
state size                              25 bytes    50 bytes
block size                              2 bytes     4 bytes
computational cost:
  initialization (per session)          12 rounds   12 rounds
  wrapping (per block)                  1 round     1 round
  8-byte tag computation (per message)  9 rounds    7 rounds
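The two approaches on these slides (Keyak: fixed-round DuplexWrap on a strong permutation; Ketje: MonkeyDuplex with n_start, n_step and n_stride rounds) can be shown with one piece of code. The Python below is an added illustration, not code from the slides or from the Keccak team's implementations: a generic Keccak-p[b, n_r] permutation for the four widths named on the slides (its test cross-checks it against known SHA3-256 values at b = 1600), and a simplified duplex session whose three phase round counts are parameters, so that (12, 12, 12) on Keccak-p[1600] gives the Keyak-like shape and (12, 1, 6) with r = 2b/25 on Keccak-p[200] gives the Ketje Jr-like shape. The DuplexSession class, its padding and frame-bit placement, the key packing, the 256-bit capacity assumed for the Keyak-like instance, and the key, nonce and messages in session_demo are all assumptions constructed here; they do not follow the Ketje or Keyak specifications.

```python
import hmac

# Standard Keccak-f round constants (64-bit lanes); narrower lanes use them truncated.
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B,
      0x80000001, 0x8000000080008081, 0x8000000000008009, 0x8A, 0x88,
      0x80008009, 0x8000000A, 0x8000808B, 0x800000000000008B, 0x8000000000008089,
      0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
# rho rotation offsets ROT[x][y], reduced modulo the lane width when applied.
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n, w):
    return ((v << (n % w)) | (v >> (w - n % w))) & ((1 << w) - 1)

def keccak_p(lanes, b, n_rounds):  # Keccak-p[b, n_rounds]: last n_rounds of Keccak-f[b]; lanes indexed x + 5*y
    w, A = b // 25, list(lanes)
    mask, total = (1 << w) - 1, 12 + 2 * (w.bit_length() - 1)  # Keccak-f[b] has 12 + 2*log2(w) rounds
    for i in range(total - n_rounds, total):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1, w) for x in range(5)]
        A = [A[x + 5 * y] ^ D[x] for y in range(5) for x in range(5)]           # theta
        B = [0] * 25
        for n in range(25):                                                     # rho, then pi
            x, y = n % 5, n // 5
            B[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(A[n], ROT[x][y], w)
        A = [B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & mask & B[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                               # chi
        A[0] ^= RC[i] & mask                                                    # iota
    return A

def bytes_to_lanes(data, w):
    return [int.from_bytes(data[i * w // 8:(i + 1) * w // 8], 'little') for i in range(25)]
def lanes_to_bytes(lanes, w):
    return b''.join(v.to_bytes(w // 8, 'little') for v in lanes)

def sha3_256_ref(msg):  # SHA3-256 on keccak_p(.., 1600, 24); exists only to cross-check the permutation
    padded = bytearray(msg + b'\x06' + b'\x00' * (135 - len(msg) % 136))
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), 136):
        block = bytes_to_lanes(bytes(padded[off:off + 136]).ljust(200, b'\x00'), 64)
        state = keccak_p([s ^ v for s, v in zip(state, block)], 1600, 24)
    return lanes_to_bytes(state, 64)[:32]

class DuplexSession:
    """Simplified MonkeyDuplex-style session (an illustration, not the Ketje/Keyak spec)."""
    def __init__(self, b, rate_bytes, rounds, key, nonce):
        self.b, self.w, self.rate = b, b // 25, rate_bytes
        self.n_start, self.n_step, self.n_stride = rounds   # start / step / stride round counts
        self.state = [0] * 25
        self._duplex(key + nonce, 0b00, self.n_start, self.b // 8)  # key||nonce: unique per session
    def _duplex(self, block, frame, n_rounds, limit):
        # absorb block || 2 frame bits || pad10*1 within 'limit' bytes, permute, squeeze rate bytes
        assert len(block) < limit
        buf = bytearray(self.b // 8)
        buf[:len(block)] = block
        buf[len(block)] ^= frame | 0x04
        buf[limit - 1] ^= 0x80
        self.state = [s ^ v for s, v in zip(self.state, bytes_to_lanes(bytes(buf), self.w))]
        self.state = keccak_p(self.state, self.b, n_rounds)
        return lanes_to_bytes(self.state, self.w)[:self.rate]
    def _chunks(self, data):
        n = self.rate - 1   # one byte of each call is kept for the frame bits and padding
        return [data[i:i + n] for i in range(0, len(data), n)] or [b'']
    def _process(self, header, data, decrypt):
        hb = self._chunks(header)   # frame 00 on header blocks, 01 on the last one
        for i, blk in enumerate(hb):
            z = self._duplex(blk, 0b01 if i == len(hb) - 1 else 0b00, self.n_step, self.rate)
        out, db = bytearray(), self._chunks(data)
        for i, blk in enumerate(db):   # frame 11 on body blocks, 10 plus a stride on the last
            last = i == len(db) - 1
            xored = bytes(a ^ k for a, k in zip(blk, z))
            out += xored
            z = self._duplex(xored if decrypt else blk, 0b10 if last else 0b11,
                             self.n_stride if last else self.n_step, self.rate)
        return bytes(out), z
    def _tag(self, z, tag_len):
        while len(z) < tag_len:   # more step calls with an empty block if the tag needs them
            z += self._duplex(b'', 0b00, self.n_step, self.rate)
        return z[:tag_len]
    def wrap(self, header, body, tag_len=8):
        cipher, z = self._process(header, body, False)
        return cipher, self._tag(z, tag_len)
    def unwrap(self, header, cipher, tag):
        """Returns the plaintext, or None when the tag does not verify."""
        plain, z = self._process(header, cipher, True)
        return plain if hmac.compare_digest(self._tag(z, len(tag)), tag) else None

def ketje_jr_like(key, nonce):    # b = 200, r = 2b/25 bits = 2 bytes, rounds 12 / 1 / 6 as on the slide
    return DuplexSession(200, 2, (12, 1, 6), key, nonce)
def lake_keyak_like(key, nonce):  # b = 1600, 12 rounds in every call; the 256-bit capacity is an assumption
    return DuplexSession(1600, 168, (12, 12, 12), key, nonce)

def session_demo(factory, key, nonce, pairs):
    """Sender wraps each header-body pair, receiver unwraps; returns (all_ok, forgery_rejected)."""
    sender, receiver = factory(key, nonce), factory(key, nonce)
    ok = all(receiver.unwrap(h, *sender.wrap(h, b)) == b for h, b in pairs)
    cipher, tag = sender.wrap(b'hdr', b'body')
    return ok, receiver.unwrap(b'hdr', bytes([cipher[0] ^ 1]) + cipher[1:], tag) is None
```

session_demo builds a sender and a receiver from the same key and nonce, wraps a sequence of header-body pairs on one side and unwraps them on the other (both sides keep their state across the pairs, as the slides' sessions do), then flips one ciphertext byte and checks that unwrap returns None; running it with ketje_jr_like and with lake_keyak_like exercises the same mode on both widths. Nonce uniqueness is the caller's responsibility: two sessions started with the same key and nonce produce the same keystream.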
Current developments
- Optimized software implementations
  - Gross estimations can be derived from Keccak
  - Lake Keyak expected to be twice as fast as SHAKE128
  - There might be interesting improvements with the new AVX512 (VPTERNLOG, rotations and 32 registers)
- Hardware implementations
Conclusions
Thanks for your attention! Q?