
PRIMATEs v1.1: A Submission to the CAESAR Competition (PowerPoint presentation, slide transcript)



  1. PRIMATEs v1.1: A Submission to the CAESAR Competition. Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha, Qingju Wang, and Kan Yasuda. 1 July 2014, Bochum

  2-5. PRIMATEs: three authenticated encryption modes, GIBBON, APE and HANUMAN.
      GIBBON trades off security with speed; APE is misuse resistant; HANUMAN has security with an ideal permutation.

  6-11. PRIMATEs
      • Sponge inspired, with two permutation sizes:
            permutation         PRIMATE-80    PRIMATE-120
            security            80 bits       120 bits
            b (state size)      200 bits      280 bits
            c (capacity size)   160 bits      240 bits
            r (rate size)       40 bits       40 bits
      • Lightweight
      • Suggested A and M size is max. 2^80 (resp. 2^120) bits
      • Countermeasure against DPA is efficient

  12-21. HANUMAN
      [Figure: HANUMAN mode diagram. Labels: rate part initialised to 0^r, capacity part K||N; associated data blocks A[1], A[2], ..., A[u]; message blocks M[1], ..., M[w]; ciphertext blocks C[1], ..., [C[w]]; permutations p1 and p4 between blocks; tag T; key K.]
      K, N and T are 80 (resp. 120) bits
      • Nonce based
      • Online encryption
      • Two permutations for domain separation
      • No need for inverse permutations
      • No ciphertext extension
      • Wrong T → NO ciphertext output
      • Security proof with ideal permutation assumption
      • No distinguishers in 12 round p1 and p4
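As an added illustration (not code from the PRIMATEs submission), the Python sketch below follows the high-level HANUMAN structure from the slides with the PRIMATE-80 parameters (r = 40, c = 160, b = 200 bits; K, N and T of 80 bits): state initialised as 0^r || K || N, associated data absorbed into the rate, online encryption with no ciphertext extension, a second permutation variant after the final block for domain separation, decryption using only forward permutations, and no output on a wrong tag. The permutation is a toy byte-oriented stand-in, not PRIMATE, so it works on bytes rather than 5-bit elements; the padding rule, the exact placement of p4 and taking the tag from the capacity part are assumptions made for the illustration.

```python
import hmac

R_BYTES, C_BYTES = 5, 20              # r = 40 bits, c = 160 bits, so b = 200 bits (PRIMATE-80)
K_BYTES = N_BYTES = T_BYTES = 10      # K, N and T are 80 bits

def toy_perm(state: bytes, variant: int) -> bytes:
    """Toy bijection on the 25-byte state (NOT the PRIMATE permutation).
    'variant' stands in for the distinct permutations p1 (1) and p4 (4)."""
    s, n = bytearray(state), len(state)
    for rnd in range(6):
        for i in range(n):                    # forward chain of invertible add steps
            s[i] = (s[i] + s[i - 1] + 0x1F * rnd + 0x2B * variant + i) & 0xFF
        for i in reversed(range(n)):          # backward chain of invertible xor steps
            s[i] ^= s[(i + 1) % n]
    return bytes(s)

def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data: bytes) -> list:
    """10* padding (assumed rule; always adds at least one byte), split into rate blocks."""
    data += b"\x01" + b"\x00" * (-(len(data) + 1) % R_BYTES)
    return [data[i:i + R_BYTES] for i in range(0, len(data), R_BYTES)]

def _absorb_ad(key: bytes, nonce: bytes, ad: bytes) -> bytes:
    state = bytes(R_BYTES) + key + nonce      # initial state 0^r || K || N (nonce based)
    blocks = _blocks(ad)
    for i, blk in enumerate(blocks):
        state = _xor(state[:R_BYTES], blk) + state[R_BYTES:]
        state = toy_perm(state, 4 if i == len(blocks) - 1 else 1)   # p4 after the last A block
    return state

def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    state, out, blocks = _absorb_ad(key, nonce, ad), b"", _blocks(msg)
    for i, blk in enumerate(blocks):          # online: C[i] leaves before M[i+1] is needed
        c = _xor(state[:R_BYTES], blk)
        out += c
        state = toy_perm(c + state[R_BYTES:], 4 if i == len(blocks) - 1 else 1)
    return out[:len(msg)], state[R_BYTES:R_BYTES + T_BYTES]   # |C| = |M|; T from the capacity

def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    state, msg, pads = _absorb_ad(key, nonce, ad), b"", _blocks(bytes(len(ct)))
    for i, pblk in enumerate(pads):           # padding pattern depends only on the length
        outer, c_part = state[:R_BYTES], ct[i * R_BYTES:(i + 1) * R_BYTES]
        c_full = c_part + _xor(outer[len(c_part):], pblk[len(c_part):])   # re-create padded block
        msg += _xor(outer, c_full)[:len(c_part)]
        state = toy_perm(c_full + state[R_BYTES:], 4 if i == len(pads) - 1 else 1)
    if not hmac.compare_digest(tag, state[R_BYTES:R_BYTES + T_BYTES]):
        return None                           # wrong T -> no plaintext is released
    return msg
```

Because decryption only ever calls toy_perm forward, the sketch also shows why HANUMAN needs no inverse permutation, unlike APE.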

  22-26. GIBBON
      [Figure: GIBBON mode diagram. Labels: rate part initialised to 0^r, capacity part K||N; key additions K||0^(c/2); associated data blocks A[1], ..., A[u]; message blocks M[1], ..., M[w]; ciphertext blocks C[1], ..., [C[w]]; permutations p1, p2 and p3; tag T; key K.]
      K, N and T are 80 (resp. 120) bits
      Same story, except:
      • Key additions against trivial key recovery or forgery attacks
      • Three permutations
      • Reduced round permutations (p2 & p3: 6 rounds) → faster
      • No security proof

  27-31. APE
      [Figure: APE mode diagram. Labels: rate part initialised to 0^r, key K and constant 0^(c-1)||1 in the capacity; nonce blocks N[1], ..., N[y]; associated data blocks A[1], ..., A[u]; message blocks M[1], M[2], ..., M[w]; ciphertext blocks C[1], ..., [C[w-1]], C[w]; permutation p1 throughout; tag T.]
      N is 80 (resp. 120) bits; K and T are 160 (resp. 240) bits
      Same story, except:
      • Nonce treatment
      • Output generation
      • T cannot be truncated
      • Domain separation with a constant XOR
      • Inverse permutations are used for decryption

  32-36. APE
      • Nonce misuse resistant: security up to common prefix
      • Secure in RUP setting
      • Security proof with ideal permutation assumption
      • Other AE designs: PRØST

  37. PRIMATEs: ranking w.r.t. security
      • APE-120
      • HANUMAN-120
      • GIBBON-120
      • APE-80
      • HANUMAN-80
      • GIBBON-80

  38-41. PRIMATE structure (permutations p1, p2, p3, p4)
            Primate-80          Primate-120
            5x8 state           7x8 state
            200-bit state       280-bit state
            5-bit elements      5-bit elements
            40-bit rate         40-bit rate
      Round update: CA ∘ MC ∘ SR ∘ SE
