Permutation-based cryptography for the Internet of Things

Gilles Van Assche (STMicroelectronics)
RIOT Summit 2017, Berlin, September 25-26, 2017

Joint work with Guido Bertoni, Joan Daemen (STMicroelectronics and Radboud University), Seth Hoffert, Michaël Peeters (STMicroelectronics) and Ronny Van Keer (STMicroelectronics)
Outline
1. Parameters for the IoT
2. Permutations!
3. Keyed applications
4. Strobe
5. Ketje and Keyak
6. Kravatte and the Farfalle construction
1. Parameters for the IoT
On the cost of cryptography for the IoT
- code size
- memory usage
- execution time
- efficiency on the high-end server?
- protections against side-channel attacks?
What are side-channel attacks? Leakage from the device
- time, electrical consumption, EM radiation
- simple power analysis (SPA) vs differential power analysis (DPA)
(Picture by oskay on Flickr)
What are side-channel attacks? Inducing faults in the device
- glitch, laser pulse
(Picture by ViaMoi on Flickr)
Usage and ownership
Actors:
- key owner
- device owner
- actual user
Usually, these are the same person, but…
Usage and ownership: when key owner ≠ device owner
- banking card
- DRM
But hopefully the same person in open-source contexts!
Usage and ownership: when key/device owner ≠ actual user
- not always controlling the device: e.g., devices spread over a large area, on-site personnel, lost device
- distant eavesdropping
Protections against SCA can be needed.
2. Permutations!
Symmetric crypto: what textbooks and intros say
Symmetric cryptographic primitives:
- block ciphers
- stream ciphers
- hash functions
- and their modes-of-use
(Picture by GlasgowAmateur)
Examples of permutations
- in Salsa, ChaCha, Grindahl…
- in SHA-3 candidates: CubeHash, Grøstl, JH, MD6, …
- in CAESAR candidates: Ascon, Icepole, Norx, π-cipher, Primates, Stribob, …
- and of course in Keccak
The sponge construction
Calls a permutation f.
[Figure: the state is split into an outer part of r bits and an inner part of c bits, both initialized to 0; input blocks are XORed into the outer part and f is applied (absorbing), then output blocks are read from the outer part between calls to f (squeezing).]
The capacity c determines the generic security:
- hashing: 2^(c/2)
- authentication, encryption: 2^(c−ε)
Keccak-f
- the seven permutation army: 25, 50, 100, 200, 400, 800, 1600 bits (toy, lightweight, fastest)
- standardized in [FIPS 202]
- repetition of a simple round function that operates on a 3D state of 5 × 5 lanes of up to 64 bits each
Keccak-f in pseudo-code (https://keccak.team/keccak_specs_summary.html)

    Keccak-f[b](A) {
      forall i in 0…nr-1
        A = Round[b](A, RC[i])
      return A
    }

    Round[b](A, RC) {
      θ step
      C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4],   forall x in 0…4
      D[x] = C[x-1] xor rot(C[x+1], 1),                           forall x in 0…4
      A[x,y] = A[x,y] xor D[x],                                   forall (x,y) in (0…4,0…4)

      ρ and π steps
      B[y,2*x+3*y] = rot(A[x,y], r[x,y]),                         forall (x,y) in (0…4,0…4)

      χ step
      A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]),          forall (x,y) in (0…4,0…4)

      ι step
      A[0,0] = A[0,0] xor RC

      return A
    }
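The pseudo-code above, carried out in plain Python as an added example (not code from the slides or from the Keccak team): Keccak-f[b] parametrized by the lane width w, with the rotation offsets generated by the same (x,y) → (y, 2x+3y) walk that the ρ/π steps use, plus the minimal sponge needed to check the permutation against the published SHA3-256 test vectors. Function names are mine; only Keccak-f[1600] is checked against a known answer.

```python
# Added example (not from the slides): Keccak-f[b] from the pseudo-code above,
# plus the sponge needed to check it against the published SHA3-256 vectors.
RC = [  # round constants RC[i] of Keccak-f[1600]; smaller widths use the low w bits
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

def rho_offsets(w):
    """Rotation offsets r[x][y] for rho, generated by walking (x,y) -> (y, 2x+3y)."""
    r, x, y = [[0] * 5 for _ in range(5)], 1, 0
    for t in range(24):
        r[x][y] = (t + 1) * (t + 2) // 2 % w
        x, y = y, (2 * x + 3 * y) % 5
    return r

def keccak_f(A, w=64):
    """Keccak-f[25*w] on a 5x5 state of w-bit lanes A[x][y]; returns the new state."""
    mask, R = (1 << w) - 1, rho_offsets(w)
    rot = lambda v, n: ((v << n) | (v >> (w - n))) & mask
    for rc in RC[:12 + 2 * (w.bit_length() - 1)]:     # 12 + 2*log2(w) rounds
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta: column parities
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane, then move it to position (y, 2x+3y)
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rot(A[x][y], R[x][y])
        # chi: the only non-linear step, acting along rows
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        A[0][0] ^= rc & mask                          # iota: break round symmetry
    return A

def sha3_256(msg):
    """Sponge over Keccak-f[1600], r = 1088 bits (136 bytes), c = 512, pad 0x06..0x80."""
    rate = 136
    buf = bytearray(msg) + b"\x06"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):              # absorbing phase
        for i in range(rate // 8):                    # lane i is at x = i % 5, y = i // 5
            A[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f(A)
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))  # squeeze 256 bits
```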
Bit interleaving
[Figure: a 64-bit lane shown as two 32-bit words] ROT64 ↔ 2 × ROT32
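The ROT64 ↔ 2 × ROT32 trick of this slide, as an added example (not code from the slides): a 64-bit lane is stored as two 32-bit words holding its even-numbered and odd-numbered bits, so that every 64-bit lane rotation of the ρ step becomes two native 32-bit rotations, which is what a 32-bit microcontroller can do cheaply. Function names are mine.

```python
# Added example (not from the slides): bit interleaving of one 64-bit Keccak lane.
MASK32 = 0xFFFFFFFF

def rot64(v, n):
    """Reference 64-bit left rotation, moving bit i to position i + n (mod 64)."""
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def rot32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32

def interleave(lane):
    """Split a 64-bit lane into (even word, odd word): bit 2i -> even[i], bit 2i+1 -> odd[i]."""
    even = odd = 0
    for i in range(32):
        even |= ((lane >> (2 * i)) & 1) << i
        odd |= ((lane >> (2 * i + 1)) & 1) << i
    return even, odd

def deinterleave(even, odd):
    """Inverse of interleave(): rebuild the 64-bit lane from its two halves."""
    lane = 0
    for i in range(32):
        lane |= ((even >> i) & 1) << (2 * i)
        lane |= ((odd >> i) & 1) << (2 * i + 1)
    return lane

def rot64_interleaved(even, odd, n):
    """ROT64 by n on the interleaved form, using only 32-bit rotations.
    Even n: both halves rotate by n/2 and keep their roles.
    Odd n: the halves swap roles; even bits land on odd positions (shifted by (n-1)/2)
    and odd bits land on even positions (shifted by (n+1)/2)."""
    if n % 2 == 0:
        return rot32(even, n // 2), rot32(odd, n // 2)
    return rot32(odd, (n + 1) // 2), rot32(even, (n - 1) // 2)
```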
The unbearable lightness of permutations
Example: hashing with target security strength 2^(c/2)
Davies-Meyer block cipher based hash:
- chaining value (block size): n ≥ c
- input block size ("key" length): typically k ≥ n
- feedforward (block size): n
⇒ total state ≥ 3c
Sponge:
- permutation width: c + r
- r can be made arbitrarily small, e.g., 1 byte
⇒ total state ≥ c + 8
Cost of primitives and modes together [Yalla, Homsirikamol, Kaps, DIAC 2014]
Symmetric crypto: a more correct picture
Symmetric cryptographic primitives:
- block ciphers
- key stream generators
- permutations
- and their modes-of-use
(Picture by Sébastien Wiertz)
3. Keyed applications
Use Sponge for MACing
[Figure: the key followed by the padded message is absorbed block by block through f, starting from the all-zero state; the MAC is then squeezed.]
Use Sponge for (stream) encryption
[Figure: the key and the IV are absorbed through f, starting from the all-zero state; the key stream is then squeezed.]
Single pass authenticated encryption
[Figure: the key and the IV are absorbed; each padded message block is both XORed into the state and encrypted with the key stream read from it, and the MAC is squeezed at the end.]
But this is no longer the sponge…
The duplex construction
- generic security provably equivalent to that of sponge
- applications: authenticated encryption, reseedable pseudorandom generator…
4. Strobe
What is Strobe?
- layer above the duplex construction
- safe and easy syntax, to achieve, e.g., secure channels, signatures over a complete session
- very compact implementation
- mechanism to prevent side-channel attacks
[Mike Hamburg, https://strobe.sourceforge.io/]
Operations and data flow in Strobe (figure courtesy of Mike Hamburg)
Example: key derivation
- KEY (master shared key K)
- derived key 1 ← PRF (16 bytes)
- RATCHET
- derived key 2 ← PRF (16 bytes)
- RATCHET
Example: protocol
- KEY (shared key K)
- AD [nonce] (sequence number i)
- AD [auth-data] (client IP address | server IP address)
- send_ENC ("GET file")
- send_MAC (128 bits)
- recv_ENC (buffer)
- recv_MAC (128 bits)
5. Ketje and Keyak
Ketje goals
- nonce-based AE function
- 96-bit or 128-bit security (incl. multi-target)
- sessions of header-body pairs, keeping the state during the session
- small footprint
- target niche: secure channel protocol on secure chips (banking card, ID, (U)SIM, secure element, FIDO, etc.); a secure chip has a strictly incrementing counter
- using reduced-round Keccak-f[400] or Keccak-f[200], to allow implementation re-use, cryptanalysis re-use and reasonable side-channel protections
Ketje instances and lightweight features

    feature                                  Ketje Jr    Ketje Sr
    state size                               25 bytes    50 bytes
    block size                               2 bytes     4 bytes
    computational cost:
      initialization (per session)           12 rounds   12 rounds
      wrapping (per block)                   1 round     1 round
      8-byte tag computation (per message)   9 rounds    7 rounds
Keyak goals
- nonce-based AE function
- 128-bit security (incl. multi-target)
- session of header-body pairs, keeping the state during the session
- optionally parallelizable
- conservative safety margin
- using reduced-round Keccak-f[1600] or Keccak-f[800], to allow implementation re-use, cryptanalysis re-use and reasonable side-channel protections
Keyak in a nutshell
SUV = Secret and Unique Value
[Figure: starting from the all-zero state, the SUV is absorbed and tag T(0) is produced; the state is then kept across the session: header A(1) and body P(1) give ciphertext C(1) and tag T(1), body P(2) gives C(2) and T(2), and header A(3) alone gives T(3).]
Leakage robustness
SUV = Secret and Unique Value
Provided that uniqueness is enforced, the secret state is a moving target [Taha, Schaumont, HOST 2014].
[Same session figure as above: SUV → T(0); (A(1), P(1)) → C(1), T(1); P(2) → C(2), T(2); A(3) → T(3).]
6. Kravatte and the Farfalle construction
The new Farfalle construction [IACR ePrint 2016/1188]
[Figure: the key K ∥ 10* is passed through p_b to derive the mask k; each input block m_i is XORed with a rolled copy of k and compressed with p_c into a common accumulator; the accumulator goes through p_d; each output block z_j is produced by p_e from a rolled copy of that state and masked with k'.]
Kravatte for many purposes
Kravatte = Farfalle + Keccak-p[1600]
- Kravatte-PRF: authentication
- Kravatte-SAE: session authenticated encryption
- Kravatte-SIV: synthetic-IV authenticated encryption
- Kravatte-WBC: wide block cipher, authenticated encryption with minimal expansion