rasta
play

Rasta A cipher with low ANDdepth and few ANDs per bit Christoph - PowerPoint PPT Presentation

Rasta A cipher with low ANDdepth and few ANDs per bit Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger Crypto 2018 Rasta Motivation 1 / 26 Rasta


  1. Rasta A cipher with low ANDdepth and few ANDs per bit Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger Crypto 2018

  2. Rasta Motivation 1 / 26

  3. Rasta Motivation Several designs minimize number of multiplications FLIP [MJSC16] Kreyvium [CCFLNPS16] LowMC [ARSTZ15] MiMC [AGRRT16] New optimization goals enable/require new design strategies 2 / 26

  4. Rasta Motivation FLIP 25 Kreyvium LowMC 20 ANDdepth 15 10 5 0 2 4 8 16 32 64 128 256 512 1024 ANDs per bit 3 / 26

  5. Rasta Motivation FLIP 25 Kreyvium LowMC 20 ANDdepth Rasta 15 10 5 0 2 4 8 16 32 64 128 256 512 1024 ANDs per bit 3 / 26

  6. Rasta Challenges 4 / 26

  7. Rasta Challenges for Rasta How to minimize ANDdepth and ANDs per bit at the same time? Especially low ANDdepth seems challenging How to analyze the outcome? 5 / 26

  8. Rasta Why do we have a high ANDdepth? I K Function O 6 / 26

  9. Rasta Why do we have a high ANDdepth? I K O 6 / 26

  10. Rasta Why do we have a high ANDdepth? Evaluated for varying inputs Part of the input potentially public Need high algebraic degree (ANDdepth) for protection Against higher-order differentials, cube-like attacks, ... O 1 = I 1 K 1 K 3 + I 2 I 3 K 4 + I 1 I 2 K 2 + I 1 I 2 + I 4 K 1 + K 2 O 1 = I 1 I 2 ( K 2 + 1 ) + I 1 K 1 K 3 + I 2 I 3 K 4 + I 4 K 1 + K 2 7 / 26

  11. Rasta Why do we have a high ANDdepth? Evaluated for varying inputs Part of the input potentially public Need high algebraic degree (ANDdepth) for protection Against higher-order differentials, cube-like attacks, ... O 1 = I 1 K 1 K 3 + I 2 I 3 K 4 + I 1 I 2 K 2 + I 1 I 2 + I 4 K 1 + K 2 O 1 = I 1 I 2 ( K 2 + 1 ) + I 1 K 1 K 3 + I 2 I 3 K 4 + I 4 K 1 + K 2 7 / 26

  12. Rasta The Design 8 / 26

  13. Rasta Rasta Stream cipher based on family of public permutations P N , i Each permutation evaluated once Different permutations to generate key stream Choice of permutation depends solely on public parameters Public nonce N Block counter i K K P N ,1 P N ,2 · · · key stream 9 / 26

  14. Rasta Rasta public N , i XOF · · · key-dependent · · · ⊕ A 0 , N , i A 1 , N , i A r , N , i K N , i K S S S Seed extendable output function (XOF) with public values “Randomly” generates invertible matrices M j , N , i “Randomly” generates round constants c j , N , i To get affine layer A j , N , i ( x ) = M j , N , i · x ⊕ c j , N , i Use of χ [Dae95] as non-linear function S 10 / 26

  15. Rasta Rasta public N , i XOF · · · key-dependent · · · ⊕ A 0 , N , i A 1 , N , i A r , N , i K N , i K S S S High-level idea to make relevant computations of the cipher independent of the key was first used in Flip [MJSC16] XOF does not influence relevant AND metric 10 / 26

  16. Rasta Design Rationale Changing affine layers against Differential and impossible-differential attacks Cube and higher-order differential attacks Integral attacks Block size, key size ≫ security level against Attacks based on linear approximations Attacks targeting polynomial system of equations 11 / 26

  17. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  18. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  19. Rasta Choosing parameters Parameterizable problem regarding Block size Number of rounds Rasta Base parameters on bounds and arguments Conservative approach Agrasta Aggressive parameter set of Rasta design strategy Base parameters on best known attacks Challenge for cryptanalysts 12 / 26

  20. Rasta The Road to Rasta 13 / 26

  21. Rasta Linear approximations Bound probability that good approximations exist M 0 M 1 M 2 M 3 M 4 S S S S � �� � � �� � P 1 P 2 14 / 26

  22. Rasta Probability of good approximations 0 log 2 ( probability ) − 200 − 400 128-bit, r = 2 128-bit, r = 4 − 600 128-bit, r = 6 0 256 512 768 1024 1536 key/block size k (bits) 15 / 26

  23. Rasta Solving non-linear multivariate polynomial equations General problem of solving non-linear systems of m equations with k unknowns Limiting the degree limits possible number of different monomials Increase k to prevent trivial linearization 16 / 26

  24. Rasta Maximum number of different monomials log 2 ( maximum different monomials ) 400 depth r = 6 depth r = 5 depth r = 4 300 depth r = 3 depth r = 2 200 100 0 128 256 512 1024 2048 4096 key and block size k (bits) 17 / 26

  25. Rasta Instances of Rasta Security level Rounds 2 3 4 5 6 2 21 . 2 2 12 80-bit 327 327 219 2 33 . 2 2 18 128-bit 1 877 525 351 2 65 . 2 2 34 2 18 . 8 256-bit 3 545 703 18 / 26

  26. Rasta The Road to Agrasta (Cryptanalysis) 19 / 26

  27. Rasta Cryptanalysis SAT solver Exhaustive search performs better for more than 1 round Experiments with toy versions No obvious outliers Various dedicated attacks For various versions of SAS Variants of 2-round Rasta where block size ≈ security level Variants of 3-round Rasta where block size ≈ security level 20 / 26

  28. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  29. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  30. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  31. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  32. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  33. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  34. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  35. Rasta Sketch of 3-round analysis K N , i A 0 A 1 A 2 A 3 K S S S 21 / 26

  36. Rasta Cryptanalysis of instances with 80-bit security Rasta 6 5 rounds r 4 3 2 1 80 128 256 512 key and block size k (bits) 22 / 26

  37. Rasta Cryptanalysis of instances with 80-bit security Rasta 6 Agrasta 5 rounds r 4 3 2 1 80 128 256 512 key and block size k (bits) 22 / 26

  38. Rasta Agrasta: More agressive parameters Security level Rounds Block size 80-bit 4 81 128-bit 4 129 256-bit 5 257 23 / 26

  39. Rasta Conclusion 24 / 26

  40. Rasta Conclusion Rasta: conservative, based on bounds and arguments Agrasta: more aggressive, based on attacks New design approach Even conservative versions competitive in benchmark (HElib) Huge gap between known attacks and bounds 25 / 26

  41. Rasta Bibliography I [AGRRT16] M. R. Albrecht, L. Grassi, C. Rechberger, A. Roy, and T. Tiessen MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity ASIACRYPT 2016 [ARSTZ15] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, and M. Zohner Ciphers for MPC and FHE EUROCRYPT 2015 [CCFLNPS16] A. Canteaut, S. Carpov, C. Fontaine, T. Lepoint, M. Naya-Plasencia, P. Paillier, and R. Sirdey Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression FSE 2016

  42. Rasta Bibliography II [Dae95] J. Daemen, Cipher and hash function design – Strategies based on linear and differential cryptanalysis, http://jda.noekeon.org/JDA_Thesis_1995.pdf , PhD thesis, Katholieke Universiteit Leuven, 1995. [MJSC16] P. M´ eaux, A. Journault, F.-X. Standaert, and C. Carlet Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts EUROCRYPT 2016

More recommend