the skinny family of lightweight tweakable block ciphers
play

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean - PowerPoint PPT Presentation

Sep 13, 2023 •134 likes •472 views

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with: Christof Beierle Stefan Klbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

  1. The SKINNY Family of Lightweight Tweakable Block Ciphers Jérémy Jean joint work with: Christof Beierle Stefan Kölbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

  2. Introduction Specifications Rationale Security Analysis Implementations Conclusion Goals and Results Goals [BSS ✰ 13] Alternative to NSA-designed SIMON block cipher Construct a lightweight (tweakable) block cipher Achieve scalable security Suitable for most lightweight applications Perform and share full security analysis Efficient software/hardware implementations in many scenarios 1/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  3. Introduction Specifications Rationale Security Analysis Implementations Conclusion Goals and Results Goals [BSS ✰ 13] Alternative to NSA-designed SIMON block cipher Construct a lightweight (tweakable) block cipher Achieve scalable security Suitable for most lightweight applications Perform and share full security analysis Efficient software/hardware implementations in many scenarios Results SKINNY family of lightweight (tweakable) block ciphers Generalize the STK construction from TWEAKEY framework [JNP14] Block sizes n : 64 and 128 bits Various key+tweak sizes: n , 2 n and 3 n bits Security guarantees for differential/linear cryptanalysis in both single-key (SK) and related-key (RK) models Efficient and competitive software/hardware implementations Round-based SKINNY-64-128: 1696 GE CTR mode @ Skylake (avx2): 2.63 c/B 1/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  4. Introduction Specifications Rationale Security Analysis Implementations Conclusion Tweakable Block Cipher Having a tweakable block cipher has many applications: Authenticated encryption Disk/memory encryption Hashing: block counter as tweak for HAIFA-like CF (More ✿ ✿ ✿ ) There are have been several proposed constructions, most of which rely on a block cipher, and generically introduce the tweak (XEX, XPX, XTS, etc.) Very few direct constructions: Hasty Pudding Cipher, Threefish, Mercy, BLAKE2 TWEAKEY framework [JNP14]: as a designer, key and tweak seem like they have to be handled in the same way by the primitive, with a ‘‘tweakey schedule’’ 2/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  5. Introduction Specifications Rationale Security Analysis Implementations Conclusion TWEAKEY Framework [JNP14] High-Level Overview Bring key and tweak schedules together Extend key-alternating strategy Superposition-Tweakey (STK) Fully linear scheduling ( h ’ : cell permutation) Provide bounds in terms of number of active Sboxes in related-key/related-tweak (RK/RT) Trick: linear code due to small field multiplications to bound the number of cancellations in the XORs Allows usage of automated tools to find bounds (even for RK/RT) Example of the TK2 construction: ❥ KT ❥ ❂ ❥ K ❥ ✰ ❥ T ❥ ❂ 2 ✁ ❥ P ❥ . . . h ′ 2 h ′ 2 h ′ h ′ 2 KT . . . h ′ h ′ h ′ h ′ C 0 C 1 C 2 C r − 1 XOR C r XOR XOR XOR XOR . . . s r = C P = s 0 f f f 3/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  6. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY : General Design Strategy Start from weak crypto components, but providing very efficient implementations Opposed to AES: strong Sbox and diffusion ✮ only 10 rounds Similar to SIMON: only AND/XOR/ROT ✮ many rounds Reuse AES well-understood design strategy Remove all operations not strictly necessary to security 4/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  7. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY : Similarities and Differences with the AES Similarities Design Security Key-alternating cipher Diffusion achieved by SR+MC 4 ✂ 4 internal state Bounds on # of active Sboxes AES-like SPN round function Design resistant against lin. and diff. cryptanalysis Differences Design Security More rounds Related-key/related-tweak Linear TWEAKEY schedule security claimed Non-optimal diffusion matrix SK bounds harder to prove than AES (non MDS) ✦ MILP (binary, branch number: 2) Simpler MILP modeling (RK/RT) 5/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  8. Introduction Specifications Rationale Security Analysis Implementations Conclusion Specifications: Overview Specifications SKINNY has a state of either 64 bit ( s ❂ 4 ) or 128 bits ( s ❂ 8 ). Internal state IS : viewed as a 4 ✂ 4 matrix of s -bit elements. ✮ ❥ IS ❥ ❂ n ❂ 16 s ✷ ❢ 64 ❀ 128 ❣ . The tweakey size can be n , 2 n or 3 n . ✷ ✸ m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 ✻ ✼ IS ❂ ✻ ✼ m 8 m 9 m 10 m 11 ✹ ✺ m 12 m 13 m 14 m 15 Number of Rounds Tweakey size Block size n n 2 n 3 n 64 32 36 40 128 40 48 56 Comparison: SKINNY-64-128 has 36 rounds, SIMON-64-128 has 44 rounds. 6/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  9. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY Round Function AES -like Round Function SubCells (SC) : Application of a s -bit Sbox to all 16 cells AddConstants (AC) : Inject round constants in the state AddRoundTweakey (ART) : Extract and inject the subtweakeys to half the state ShiftRows (SR) : Right-rotate Line i by i positions MixColumns (MC) : Multiply the state by a binary matrix ART ShiftRows >>> 1 SC AC MC >>> 2 >>> 3 7/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  10. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY 4-bit Sbox MSB LSB ❙ 4 : 4-bit Sbox for SKINNY -64- ✄ Almost PICCOLO Sbox [SIH ✰ 11] Implementation: 4 NOR and 4 XOR Hardware cost: 12 GE Properties Maximal diff. probability: 2 � 2 Maximal abs. linear bias: 2 � 2 deg ✭ ❙ 4 ✮ ❂ deg ✭ ❙ � 1 4 ✮ ❂ 3 One fixed point: ❙ 4 ✭ 0xF ✮ ❂ 0xF MSB LSB Branch number: 2 8/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  11. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY 8-bit Sbox MSB LSB ❙ 8 : 8-bit Sbox for SKINNY -128- ✄ Generalize the ❙ 4 construction Implementation: 8 NOR and 8 XOR Hardware cost: 24 GE Properties Maximal diff. probability: 2 � 2 Maximal abs. linear bias: 2 � 2 deg ✭ ❙ 8 ✮ ❂ deg ✭ ❙ � 1 8 ✮ ❂ 6 MSB LSB One fixed point: ❙ 8 ✭ 0xFF ✮ ❂ 0xFF Branch number: 2 9/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  12. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY Round Constants rc 5 rc 4 rc 3 rc 2 rc 1 rc 0 1 6-bit LFSR The round constants are produced with a LFSR State: ✭ rc 5 ❥❥ rc 4 ❥❥ rc 3 ❥❥ rc 2 ❥❥ rc 1 ❥❥ rc 0 ✮ Initial value 0, clocked before injection Hardware cost: 1 XNOR s ❂ 4 s ❂ 8 ✷ ✸ ✷ ✸ rc 3 ❦ rc 2 ❦ rc 1 ❦ rc 0 0 0 0 0 ❦ 0 ❦ 0 ❦ 0 ❦ rc 3 ❦ rc 2 ❦ rc 1 ❦ rc 0 0 0 0 0 ❦ 0 ❦ rc 5 ❦ rc 4 0 0 0 0 ❦ 0 ❦ 0 ❦ 0 ❦ 0 ❦ 0 ❦ rc 5 ❦ rc 4 0 0 0 ✻ ✼ ✻ ✼ ✻ ✼ ✻ ✼ 0x2 0x2 0 0 0 0 0 0 ✹ ✺ ✹ ✺ 0 0 0 0 0 0 0 0 10/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  13. Introduction Specifications Rationale Security Analysis Implementations Conclusion TWEAKEY Schedule in SKINNY . . . h ′ 4 h ′ 4 h ′ h ′ 4 . . . KT h ′ 2 h ′ 2 h ′ h ′ 2 . . . h ′ h ′ h ′ h ′ C r − 1 XOR C r XOR C 0 XOR C 1 XOR C 2 XOR . . . P = s 0 f f f s r = C TWEAKEY Schedule Similar to the STK construction Subtweakey: first and second rows of all tweakey words are injected in the internal state Then, the tweakey words are updated independently: The cells are reordered with a permutation P T Half the cells are individually updated with LFSRs (1 XOR each) LFSR LFSR P T Extracted 8 s -bit subtweakey 11/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  14. Introduction Specifications Rationale Security Analysis Implementations Conclusion SKINNY MixColumns MixColumns Matrix multiplication performed as in the MixColumns of the AES However: The matrix M is binary It has branch number 2: M ✂ ✭ 0 ❀ ☛❀ 0 ❀ 0 ✮ ❃ ❂ ✭ 0 ❀ 0 ❀ ☛❀ 0 ✮ ❃ ✵ ✶ 1 0 1 1 1 0 0 0 ❇ ❈ M ❂ ❇ ❈ 0 1 1 0 ❅ ❆ 1 0 1 0 Implementation Using 3 XORs 12/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

  15. Introduction Specifications Rationale Security Analysis Implementations Conclusion Design Choices Criteria for Elementary Component Selection Informally: Minimize number of operations, maximize security Many new components, selected incrementally: Sboxes ShiftRows + MixColumns TWEAKEY Permutation P T Selection based on two independent estimations: Security (manual analysis and MILP) Implementation efficiency (hardware/software) Hardware Area Estimation NOR/NAND gate: 1 GE OR/AND gate: 1.33 GE XOR/XNOR gate: 2.67 GE NOT gate: 0.67 GE One memory bit: 6 GE (using scan flip-flop) 13/23 The SKINNY Family of Lightweight Tweakable Block Ciphers June 3, 2016

Recommend

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya,

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016 The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S.

1.91k views • 55 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI, France September 30, 2015 ASK 2015 Based on joint work with Benot Cogliati

1.79k views • 120 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer

Dependency Other Win Open Cryptanalysis of Lightweight Block Ciphers: Theory Meets Dependencies Orr Dunkelman Computer Science Department University of Haifa, Israel December 14th, 2019 Orr Dunkelman Cryptanalysis of Lightweight Block

322 views • 31 slides
Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren

Performance Analysis of Contemporary Lightweight Block Ciphers on 8-bit Microcontrollers Sren Rinne, Thomas Eisenbarth, and Christof Paar Horst Grtz Institute for IT Security Ruhr-Universitt Bochum, Germany 11.06.2007 SPEED Workshop,

469 views • 18 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS

On the Lightweight Design Choices for Diffusion Layer of Block Ciphers SUMANTA SARKAR TCS Innovation Labs December 11, 2017 SUMANTA SARKAR Lightweight Cryptography Internet of Things / Connected Cars Internet of things (IoT): Network of

786 views • 45 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles

Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles University, France 2 ANSSI, France August 17, 2015 CRYPTO

784 views • 77 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides

More recommend