Symmetric Key Cryptography
Stefan Kölbl, DTU Compute, Technical University of Denmark
PQCRYPTO Summer School on Post-Quantum Cryptography 2017, June 20th, 2017
Introduction to Symmetric Key Cryptography
What can we do?
• Encryption
• Hashing
• Authentication (MAC)
• Random Number Generation
• Key Exchange
• Digital Signature Schemes
Authentication
Message Authentication Code (MAC)
(Figure: Message and Key enter the MAC, which outputs a Tag.)
• Produces a tag
• Provides both authenticity and integrity
• It should be hard to forge a valid tag.
• Similar to a hash, but has a key
• Similar to a digital signature, but uses the same key on both sides
MAC Algorithms
• Block cipher based (CBC-MAC)
• Hash-based (HMAC, Sponge)
• Universal hashing (UMAC, Poly1305)
CBC-MAC
(Figure: starting from the zero block, each message block $M_1, M_2, \ldots, M_i$ is XORed into the chaining value and encrypted with $E_K$; the last output is the tag $T$.)
Hash-based
• $H(k \,\|\, m)$: okay with a Sponge, fails with the MD construction.
• $H(m \,\|\, k)$: a collision on $H$ allows constructing a tag collision.
• HMAC: $H\big(k \oplus c_1 \,\|\, H(k \oplus c_2 \,\|\, m)\big)$
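HMAC assembled from the formula above, as an added example that is not from the slides; it assumes the RFC 2104 choices for the two constants ($c_1$ = 0x5c repeated, $c_2$ = 0x36 repeated) and for key padding, and cross-checks the result against Python's hmac module:

```python
"""HMAC built directly from the formula H(k xor c1 || H(k xor c2 || m)),
checked against Python's hmac module. Added example, not from the slides;
c1, c2 and the key handling are those of RFC 2104."""
import hashlib
import hmac

OPAD = 0x5C  # c1: outer padding byte, repeated to one hash block
IPAD = 0x36  # c2: inner padding byte, repeated to one hash block


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Two nested hash calls. The inner call sees the message, the outer call only
    a fixed-size digest, so knowing H(k xor c2 || m) does not let anyone extend m
    the way the plain prefix construction H(k || m) does with a Merkle-Damgaard hash."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > block_size:  # keys longer than one block are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # then every key is zero-padded to a full block
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in key) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in key) + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison: a plain == would leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the formula against the reference implementation."""
    return hmac_from_formula(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    k, m = b"shared secret key", b"message to authenticate"  # constructed sample values
    print(hmac_from_formula(k, m).hex(), matches_stdlib(k, m))
```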
Universal Hashing (UMAC, Poly1305, ...)
• We need a universal hash function family $H$.
• Parties share a secret member of $H$ and a key $k$.
• The attacker does not know which member was chosen.
Definition: A set $H$ of hash functions $h : U \to N$ is universal iff $\forall x, y \in U, x \neq y: \Pr_{h \in H}\big(h(x) = h(y)\big) \le \frac{1}{|N|}$ when $h$ is chosen uniformly at random.
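A toy Poly1305-style polynomial family that makes the definition concrete, as an added example that is not from the slides; the prime $p = 101$, the messages and the pad value are constructed, and the collision probability is computed exactly by enumerating every key $r$:

```python
"""Polynomial universal hashing of the Poly1305 kind on a toy scale: the shared secret r
picks a member h_r of the family H, and the collision bound from the definition is
checked exactly by enumerating every key. Added example, not from the slides; p = 101 is
a toy modulus (Poly1305 uses 2^130 - 5) chosen so exhaustive enumeration is cheap."""
from fractions import Fraction

P = 101  # toy prime; U = messages of l blocks in Z_p, N = Z_p


def poly_hash(r: int, blocks: list[int]) -> int:
    """h_r(m) = m_1 r^l + m_2 r^(l-1) + ... + m_l r  (mod p), via Horner's rule.
    Every message block becomes a coefficient; r is the secret key that selects h_r."""
    acc = 0
    for m in blocks:
        acc = (acc + m) * r % P
    return acc


def collision_probability(x: list[int], y: list[int]) -> Fraction:
    """Exact Pr_{r in Z_p}[h_r(x) = h_r(y)] for two distinct messages of equal length."""
    assert x != y and len(x) == len(y)
    hits = sum(1 for r in range(P) if poly_hash(r, x) == poly_hash(r, y))
    return Fraction(hits, P)


def epsilon_bound(length: int) -> Fraction:
    """h_r(x) = h_r(y) iff r is a root of the nonzero difference polynomial, which has
    degree <= l and therefore at most l roots: the family is l/p-almost-universal."""
    return Fraction(length, P)


def wegman_carter_tag(r: int, pad: int, blocks: list[int]) -> int:
    """Tag = h_r(m) + pad (mod p), where pad is a one-time value derived from the second
    key k (in Poly1305: the AES or ChaCha output for this nonce). The attacker sees only
    tags, never h_r(m) itself, and does not know which h_r was chosen."""
    return (poly_hash(r, blocks) + pad) % P


if __name__ == "__main__":
    x, y = [5, 17, 42], [5, 18, 42]  # constructed messages differing in one block
    print(collision_probability(x, y), "<=", epsilon_bound(len(x)))
```

The second message pair in the test is chosen so the difference polynomial is $r(r-1)(r-2)$, which meets the $l/p$ bound exactly.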
Authenticated Encryption
Problem
• Encryption does not protect against malicious alterations.
Note: This can allow recovering plaintext, forging messages, ...
• WEP [TWP07]
• Plaintext recovery in OpenSSH [APW09]
• Recovering TLS cookies [DR11]
A lot of things can go wrong when combining encryption and authentication. In practice we always want Authenticated Encryption.
Encrypt-and-MAC [BN00]
(Figure: Message $\to E_K \to$ Ciphertext; Message $\to \mathrm{MAC}_{K'} \to$ Tag.)
MAC-then-Encrypt [BN00]
(Figure: Message $\to \mathrm{MAC}_{K'} \to$ Tag; Message $\|$ Tag $\to E_K \to$ Ciphertext.)
Encrypt-then-MAC [BN00]
(Figure: Message $\to E_K \to$ Ciphertext; Ciphertext $\to \mathrm{MAC}_{K'} \to$ Tag.)
You have to be careful!
(Figure: CBC-MAC over $M_1, M_2, M_3$ producing $T$, next to CTR mode encrypting $M_1, M_2, M_3$ under the counter blocks $N\|1, N\|2, N\|3$ into $C_1, C_2, C_3$, both built from the same $E_K$.)
Authenticated Encryption with Associated Data (AEAD)
(Figure: Nonce $N$, associated data $A_1, \ldots, A_m$ and message $M_1, \ldots, M_l$ enter AE, which outputs $C_1, \ldots, C_m$ and the tag $T$.)
• Associated Data $A$ (e.g. packet header)
• Nonce $N$ (unique number)
Galois/Counter Mode (GCM)
(Figure: counter blocks $N\|1, \ldots, N\|l$ are encrypted with $E_K$ and XORed with $M_1, \ldots, M_l$ to give $C_1, \ldots, C_l$. The associated data $A_1, \ldots, A_m$, the ciphertext blocks and the length block $m \| l$ are chained through multiplications $\times H$ in $\mathrm{GF}(2^{128})$ with $H = E_K(0)$; the result XORed with $E_K(N\|0)$ is the tag $T$.)
AES-GCM
• Widely used (TLS)
• Hardware support for AES + PCLMULQDQ
• Reusing a nonce compromises security
• Weak keys for $\times H$
• AES-GCM-SIV?
Summary
Most applications need Authenticated Encryption!
CAESAR¹: Competition for Authenticated Encryption: Security, Applicability, and Robustness
• Initially 57 submissions.
• Third round: 15 submissions left.
• Goal is to have a portfolio of AE schemes.
¹ https://competitions.cr.yp.to/caesar.html
Quantum Attacks
Attack Model
• Attacker listens to communication over a classical channel.
• Can query a classical blackbox with the secret key.
• Attacker has a large quantum computer.
• Only a limited set of quantum algorithms is available.
Encryption / MACs
• Recover the key in $O(2^{k/2})$ with Grover's algorithm.
Hash Functions
• Find a preimage in $O(2^{n/2})$ with Grover's algorithm.
• Find collisions in $O(2^{n/3})$ [BHT97] ... but this needs $O(2^{n/3})$ hardware.
The costs are not so simple
• Costs of quantum operations vs. classical operations
• Collision finding not really faster [Ber09].
There is some work on better understanding this:
• Preimage SHA-256: $2^{166}$ logical-qubit-cycles [Amy+16].
• Preimage SHA3-256: $2^{166}$ logical-qubit-cycles [Amy+16].
Even-Mansour
(Figure: $p \to \oplus k_1 \to \pi \to \oplus k_2 \to c$.)
• Two keys $k_1, k_2$.
• Uses a public permutation $\pi$.
Classic Security
• $D$ queries to $E$
• $T$ queries to $\pi$
• Proof of an upper bound on attack success: $O(DT / 2^n)$
Quantum Oracle Access to the encryption algorithm
• Very strong model for the adversary.
$|x\rangle\,|0\rangle \;\mapsto\; |x\rangle\,|E_K(x)\rangle$ (one query to the quantum oracle for $E_K$)
Simon's Algorithm
Given $f : \{0,1\}^n \to \{0,1\}^n$ with the promise that there exists $s \in \{0,1\}^n$ such that $\forall x, y \in \{0,1\}^n: f(x) = f(y) \iff x \oplus y \in \{0^n, s\}$.
Output: $s$.
Only needs $O(n)$ quantum queries.
Simon's Algorithm: Circuit
Both $n$-qubit registers start in $|0\rangle$; apply $H^{\otimes n}$ to the first register, then the oracle for $f$, then $H^{\otimes n}$ again, and measure.
$|0^n\rangle|0^n\rangle$
$\to \frac{1}{\sqrt{2^n}} \sum_x |x\rangle|0^n\rangle$
$\to \frac{1}{\sqrt{2^n}} \sum_x |x\rangle|f(x)\rangle$
$\to \frac{1}{\sqrt{2}}|z\rangle + \frac{1}{\sqrt{2}}|z \oplus s\rangle$ (first register, after measuring $f(z)$ in the second)
$\to \frac{1}{\sqrt{2}}\frac{1}{\sqrt{2^n}} \sum_y (-1)^{y \cdot z}\big(1 + (-1)^{y \cdot s}\big)|y\rangle$
Result: one step finds a vector $y$ such that $y \cdot s = 0$.
Breaking Even-Mansour [KM12]
$E_{k_1,k_2}(x) = \pi(x \oplus k_1) \oplus k_2$
Construct: $f : \{0,1\}^n \to \{0,1\}^n,\quad x \mapsto E_{k_1,k_2}(x) \oplus \pi(x) = \pi(x \oplus k_1) \oplus k_2 \oplus \pi(x)$
This function fulfills Simon's promise:
$f(x) = \pi(x \oplus k_1) \oplus k_2 \oplus \pi(x)$
$f(x \oplus k_1) = \pi(x \oplus k_1 \oplus k_1) \oplus k_2 \oplus \pi(x \oplus k_1) = \pi(x) \oplus k_2 \oplus \pi(x \oplus k_1) = f(x)$
Recover $k_1$ with $O(n)$ quantum queries.
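The function $f$ on an 8-bit toy instance, as an added example that is not from the slides; the public permutation $\pi$, the keys and the seed are constructed, the quantum step is not simulated, and the exhaustive classical period search only shows the $2^n$ baseline that Simon's algorithm replaces:

```python
"""Toy Even-Mansour cipher and the periodic function f from the [KM12] attack.
Added example, not from the slides: it checks that f(x) = E(x) xor pi(x) has period k1,
which is Simon's promise, on an 8-bit instance with a constructed public permutation.
The quantum circuit is not simulated; classical_periods is the 2^n baseline it replaces."""
import random

N_BITS = 8
DOMAIN = range(1 << N_BITS)


def make_public_permutation(seed: int) -> list[int]:
    """pi: a fixed, public permutation of {0,1}^n. Public means everyone, the attacker
    included, evaluates it freely; only k1 and k2 are secret."""
    table = list(DOMAIN)
    random.Random(seed).shuffle(table)
    return table


def even_mansour_encrypt(pi: list[int], k1: int, k2: int, x: int) -> int:
    """E_{k1,k2}(x) = pi(x xor k1) xor k2"""
    return pi[x ^ k1] ^ k2


def simon_function(pi: list[int], k1: int, k2: int, x: int) -> int:
    """f(x) = E_{k1,k2}(x) xor pi(x) = pi(x xor k1) xor k2 xor pi(x).
    Substituting x xor k1 swaps the two pi terms, so f(x xor k1) = f(x)."""
    return even_mansour_encrypt(pi, k1, k2, x) ^ pi[x]


def has_period(pi: list[int], k1: int, k2: int, s: int) -> bool:
    """Is f(x) = f(x xor s) for every x in {0,1}^n?"""
    return all(simon_function(pi, k1, k2, x) == simon_function(pi, k1, k2, x ^ s)
               for x in DOMAIN)


def classical_periods(pi: list[int], k1: int, k2: int) -> list[int]:
    """Exhaustive period search: 2^n candidates, each checked over 2^n inputs, on a
    classical machine, versus O(n) quantum queries to f with Simon's algorithm.
    f may also have a few collisions f(x) = f(y) with x xor y not in {0, k1};
    [Kap+16] shows Simon's algorithm tolerates them."""
    return [s for s in DOMAIN if s and has_period(pi, k1, k2, s)]


if __name__ == "__main__":
    pi = make_public_permutation(2017)
    k1, k2 = 0xA5, 0x3C  # constructed secret keys
    print("period(s) of f:", [hex(s) for s in classical_periods(pi, k1, k2)])
```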
Goal: Construct $f$ such that $f(x) = f(x \oplus s)$ for some secret $s$.
Similar attacks [Kap+16] apply to
• Block Cipher Modes
• MACs
• Authenticated Encryption
• Improving Slide Attacks
Current Directions in Symmetric Key Cryptography
Lightweight Cryptography
(Figure: devices ordered by computing power, from Lightweight to Standard: RFID / Sensor Networks, ASIC, FPGA, Microcontrollers, Smart devices, Smartphones, Laptop / Desktop, Server.)
• Resource constraints: Power/Energy, Computing Power, Memory, Chip area
• Many designs exist
• NIST Project¹
¹ https://beta.csrc.nist.gov/projects/lightweight-cryptography
Hash-based Signatures
(Figure: SPHINCS, chains of calls $f \to f \to f$.)
Hash-based Signatures:
• Many calls to a hash function...
• ...but only on very short inputs.
• No collision resistance required.
Current Designs:
• Too conservative for this.
• Often slow on short inputs.
Designs:
• Haraka [Köl+]
• ChaCha in a restricted setting?
Multiparty Computation, Zero Knowledge, Fully Homomorphic Encryption
• Multiplications in primitives are very costly for these applications.
• Signature size directly relates to the number of ANDs (for ZK).
Symmetric key primitives which:
• Minimize the number of ANDs
• Minimize circuit depth
• Examples: LowMC [Alb+15], MiMC [Alb+16], Kreyvium [Can+16], Flip [Méa+16]
Conclusion
Symmetric Key Cryptography
• Encryption: AES-CTR
• Hash: SHA-2, SHA-3
• Authenticated Encryption: AES-GCM, ChaCha20-Poly1305, CAESAR
Quantum Attacks
• Mostly fine with double the parameter sizes.
• Improve cryptanalytic attacks with quantum algorithms.
¹ Thanks to https://www.iacr.org/authors/tikz/ for some of the figures.
Questions?