PRIMATEs v1.1: A Submission to the CAESAR Competition
Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha, Qingju Wang, and Kan Yasuda
1 July 2014, Bochum
PRIMATEs: GIBBON, APE, HANUMAN
• APE: misuse resistant
• HANUMAN: security with ideal permutation
• GIBBON: trades off security with speed
PRIMATEs
• Sponge inspired (9)
PRIMATEs
• Sponge inspired

permutation          PRIMATE-80   PRIMATE-120
security             80 bits      120 bits
b (state size)       200 bits     280 bits
c (capacity size)    160 bits     240 bits
r (rate size)        40 bits      40 bits

• Lightweight
• Suggested A and M size is max. 2^80 (resp. 2^120) bits
• Countermeasure against DPA is efficient
HANUMAN
[Figure: HANUMAN mode. Initial state 0^r || K||N; associated data A[1], A[2], ..., A[u] absorbed; message M[1], ..., M[w] encrypted to C[1], ..., C[w] (last block truncated, [C[w]]); permutations p1 and p4; tag T; key K.]
K, N and T are 80 (resp. 120) bits
• Nonce based
• Online encryption
• Two permutations for domain separation
• No need for inverse permutations
• No ciphertext extension
HANUMAN
[Figure: HANUMAN mode, as on the previous slide.]
K, N and T are 80 (resp. 120) bits
• Wrong T → NO ciphertext output
• Security proof with ideal permutation assumption
• No distinguishers in 12 round p1 and p4
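As an added illustration (not code from the PRIMATEs submission), the sponge-based AE wiring that the HANUMAN slides describe, with the PRIMATE-80 sizes r = 40, c = 160, K = N = T = 80 bits; the permutation is a constructed placeholder standing in for p1/p4, the exact block wiring and the tag extraction are assumed simplifications of the figure, and decryption releases nothing when the tag is wrong:

```python
import hmac
import random

R, C = 5, 20                       # PRIMATE-80 sizes in bytes: r = 40, c = 160, b = 200 bits
KLEN = NLEN = TLEN = 10            # K, N and T are 80 bits
_SBOX = random.Random(1).sample(range(256), 256)   # constructed byte S-box for the placeholder

def placeholder_perm(state, domain):
    """Stand-in for p1/p4: a toy 200-bit bijection, NOT the PRIMATE permutation. `domain` (1 or 4)
    only changes the round constants, which is how two permutations give domain separation."""
    s = bytearray(state)
    for rnd in range(8):
        s = bytearray(_SBOX[x] for x in s)          # element substitution
        s = s[3:] + s[:3]                            # row rotation
        for i in range(1, len(s)):                   # invertible prefix-XOR diffusion
            s[i] ^= s[i - 1]
        s[0] ^= (domain << 4) | rnd                  # round constant tagged with the domain
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _duplex(key, nonce, ad, data, decrypt):
    """Sponge AE wired like the HANUMAN figure (assumed simplification): p1 between blocks,
    p4 after the last A block and after the last M block, no inverse permutation anywhere."""
    assert len(key) == KLEN and len(nonce) == NLEN
    state = placeholder_perm(bytes(R) + key + nonce, 1)      # 0^r || K || N, then p1
    ad_p = ad + b'\x80' + bytes(-(len(ad) + 1) % R)           # 10*1 padding of A
    for i in range(0, len(ad_p), R):
        state = placeholder_perm(_xor(state[:R], ad_p[i:i + R]) + state[R:],
                                 4 if i + R >= len(ad_p) else 1)
    chunks = [data[i:i + R] for i in range(0, len(data), R)]
    if not chunks or len(chunks[-1]) == R:
        chunks.append(b'')                                    # padding always gets its own block
    out = bytearray()
    for i, blk in enumerate(chunks):
        rate = state[:R]
        piece = _xor(rate, blk)                               # C = M xor rate (or M = C xor rate)
        out += piece                                          # no ciphertext extension
        ct = blk if decrypt else piece
        pad = b'\x80' + bytes(R - len(blk) - 1) if len(blk) < R else b''
        state = placeholder_perm(ct + _xor(rate[len(blk):], pad) + state[R:],
                                 4 if i == len(chunks) - 1 else 1)
    return bytes(out), state[R:R + TLEN]                      # tag read from the capacity (assumed)

def encrypt(key, nonce, ad, msg):
    return _duplex(key, nonce, ad, msg, False)

def decrypt(key, nonce, ad, ct, tag):
    msg, tag2 = _duplex(key, nonce, ad, ct, True)
    return msg if hmac.compare_digest(tag, tag2) else None   # wrong T: release nothing
```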
GIBBON
[Figure: GIBBON mode. Initial state 0^r || K||N; associated data A[1], ..., A[u] and message M[1], ..., M[w] to C[1], ..., C[w] (last block truncated, [C[w]]); permutations p1, p2 and p3; key additions K||0^(c/2); tag T.]
K, N and T are 80 (resp. 120) bits
Same story, except:
• Key additions against trivial key recovery or forgery attacks
• Three permutations
• Reduced round permutations (p2 & p3: 6 rounds) → faster
• No security proof
APE
[Figure: APE mode. Initial state 0^r || K; nonce blocks N[1], ..., N[y] and associated data A[1], ..., A[u] absorbed; message M[1], ..., M[w] to C[1], ..., C[w] (with [C[w-1]] and M[w] in the final step); permutation p1 throughout; domain-separation constant 0^(c-1)||1; tag T.]
N is 80 (resp. 120) bits
K and T are 160 (resp. 240) bits
Same story, except:
• Nonce treatment
• Output generation
• T can not be truncated
• Domain separation with a constant XOR
• Inverse permutations are used for decryption
APE
[Figure: APE mode, as on the previous slide.]
N is 80 (resp. 120) bits
K and T are 160 (resp. 240) bits
• Nonce misuse resistant: Security up to common prefix
• Secure in RUP setting
• Security proof with ideal permutation assumption
• Other AE designs: PRØST
PRIMATEs Ranking w.r.t. security
• APE-120
• HANUMAN-120
• GIBBON-120
• APE-80
• HANUMAN-80
• GIBBON-80
PRIMATE Structure (p1, p2, p3, p4)

                Primate-80        Primate-120
state           5x8, 200-bit      7x8, 280-bit
elements        5-bit elements    5-bit elements
rate            40-bit rate       40-bit rate

Round Update: CA ∘ MC ∘ SR ∘ SE