the skinny family of tweakable block ciphers
play

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - - PowerPoint PPT Presentation

Aug 28, 2022 •1.28k likes •1.91k views

The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016 The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S.

  1. The Skinny Family of Tweakable Block Ciphers Thomas Peyrin NTU - Singapore ASK 2016 Nagoya, Japan - September 30, 2016

  2. The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY website C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich and S.M. Sim (CRYPTO 2016) Paper, Specifications, Results and Updates available at : https://sites.google.com/site/skinnycipher/ Any new cryptanalysis of SKINNY is welcome !

  3. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  4. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  5. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  6. The STK construction Skinny SKINNY security SKINNY performances Future works Iterated block ciphers An iterated block cipher is composed of two parts : ⊲ an internal permutation f repeated r times (also named round function) ⊲ a key schedule that generates r + 1 subkeys K → ( k 0 , . . . , k r ) K Key Schedule k r − 1 k 0 k 1 k r . . . P = s 0 f f s r + 1 = C s 1 s r For a compression function, the key schedule is also named the message expansion

  7. The STK construction Skinny SKINNY security SKINNY performances Future works Iterated block ciphers An iterated block cipher is composed of two parts : ⊲ an internal permutation f repeated r times (also named round function) ⊲ a key schedule that generates r + 1 subkeys K → ( k 0 , . . . , k r ) g . . . g K k 0 k 1 k r − 1 k r . . . f f s r + 1 = C P = s 0 s 1 s r For a compression function, the key schedule is also named the message expansion

  8. The STK construction Skinny SKINNY security SKINNY performances Future works Permutations We know how to design a good permutation : ⊲ Feistel network DES , SHA-2 ⊲ Substitution-Permutation network (SPN) AES , Keccak ( SHA-3 ) Many recent primitives try to use only permutations to avoid the key schedule (sponge functions, Grøstl , LED )

  9. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  10. The STK construction Skinny SKINNY security SKINNY performances Future works The AES key schedules << ❙ << ❙ << ❙ ❙ AES-128 AES-192 AES-256 Rationale : ⊲ XORs for inter-column diffusion, shift for inter-row diffusion, Sbox for non-linearity, counter to break symmetries ⊲ quite different from the AES round function

  11. The STK construction Skinny SKINNY security SKINNY performances Future works Security issues with the AES key schedule KS KS SB SB SB SB SB SR MC SR MC SR MC SR MC SR MC AK5 AK0 AK1 AK2 AK3 AK4 KS KS KS SB SB SB SB SB SR MC AK6 SR MC AK7 SR MC AK8 SR MC AK9 SR MC AK10 KS KS KS SB SB SB SB SR MC AK11 SR MC AK12 SR MC AK13 SR MC Related-key attacks on the full AES-256 and AES-192 ⊲ existence of 2-round local collision paths [BKN09] ⊲ 14-round path with only 24 active Sboxes (5 in the key schedule, 19 in the internal state) ⊲ later improved in [BK09] using boomerang technique (since very good small differential paths exist) : key recovery attack with 2 99 . 5 time and data ⊲ harder to attack AES-192 and so far no attack on AES-128

  12. The STK construction Skinny SKINNY security SKINNY performances Future works Proven bounds for AES-128 Single-key model Rounds 1 2 3 4 5 6 7 8 9 10 min 1 5 9 25 26 30 34 50 51 55 Related-key model (truncated differences) Rounds 1 2 3 4 5 6 7 8 9 10 min 0 1 3 9 11 13 15 21 23 25 Related-key model (actual differences) Rounds 1 2 3 4 5 6 7 8 9 10 min 0 1 5 13 17 ? ? ? ? ?

  13. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  14. The STK construction Skinny SKINNY security SKINNY performances Future works The TWEAKEY framework The TWEAKEY framework rationale [ASIACRYPT’14] : tweak and key should be treated the same way − → tweakey tk r − 1 tk 1 tk r . . . tk 0 h h h g g g g . . . P = s 0 f f s r + 1 = C s 1 s r TWEAKEY generalizes the class of key-alternating ciphers

  15. The STK construction Skinny SKINNY security SKINNY performances Future works The TWEAKEY framework tk r − 1 tk 1 tk r . . . tk 0 h h h g g g g . . . P = s 0 f f s r + 1 = C s 1 s r The main issue : adding more tweakey state makes the security drop, or renders security hard to study, even for automated tools Idea : separate the tweakey material in several words, design a secure tweakey schedule for one word and then superpose them in a secure way

  16. The STK construction Skinny SKINNY security SKINNY performances Future works The STK construction (Superposition- TWEAKEY ) STK Tweakey Schedule α p α p . . . α p h ′ h ′ h ′ h ′ . . . . . . . . . . . . tk 0 α 2 α 2 . . . α 2 h ′ h ′ h ′ h ′ α 1 α 1 . . . α 1 h ′ h ′ h ′ h ′ C 0 C 1 C 2 C r − 1 XOR XOR XOR XOR XOR C r f f . . . f P = s 0 s r = C ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ From the TWEAKEY framework to the STK construction : ⊲ the tweakey state update function h consists in the same subfunction h ′ applied to each tweakey word ⊲ the subtweakey extraction function g consists in XORing all the words together ◦ reduce the implementation overhead ◦ reduce the area footprint by reusing code ◦ simplify the security analysis

  17. The STK construction Skinny SKINNY security SKINNY performances Future works The STK construction (Superposition- TWEAKEY ) STK Tweakey Schedule α p α p . . . α p h ′ h ′ h ′ h ′ . . . . . . . . . . . . tk 0 . . . α 2 α 2 α 2 h ′ h ′ h ′ h ′ . . . α 1 α 1 α 1 h ′ h ′ h ′ h ′ XOR C 0 XOR C 1 XOR C 2 XOR C r − 1 XOR C r . . . P = s 0 f f f s r = C ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ ❆❘❚ From the TWEAKEY framework to the STK construction : ⊲ problem : strong interaction between the parallel branches of tweakey state ⊲ solution : differentiate the parallel branches by simply using distinct small linear layers

  18. The STK construction Skinny SKINNY security SKINNY performances Future works Outline 1 The STK construction ⊲ Block ciphers ⊲ The example of AES ⊲ TWEAKEY framework and the STK construction 2 The Skinny tweakable block cipher 3 SKINNY security 4 SKINNY performances 5 Future works

  19. The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY goals and results Goals ⊲ Provide an alternative to NSA-designed SIMON block cipher ⊲ Construct a lightweight (tweakable) block cipher ⊲ Achieve scalable security ⊲ Suitable for most lightweight applications ⊲ Perform and share full security analysis ⊲ Efficient software/hardware implementations in many scenarios Results ⊲ SKINNY family of (tweakable) block ciphers ⊲ Block sizes n : 64 and 128 bits ⊲ Various key+tweak sizes : n , 2 n and 3 n bits ⊲ Security guarantees for differential/linear cryptanalysis (both single and related-key) ⊲ Efficient and competitive software/hardware implementations ◦ Round-based SKINNY-64-128 : 1696 GE ( SIMON : 1751 GE) ◦ on Skylake (avx2) : 2.78 c/B ( SIMON : 1.81 c/B) for fixed-key

  20. The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY general design strategy ⊲ Start from weak crypto components, but providing very efficient implementations ◦ Opposed to AES : strong Sbox and diffusion ⇒ only 10 rounds ◦ Similar to SIMON : only AND/XOR/ROT ⇒ many rounds ⊲ Reuse AES well-understood design ⊲ Remove all operations not strictly necessary to security ⊲ Result : removing any operations from SKINNY results in an unsecure cipher

  21. The STK construction Skinny SKINNY security SKINNY performances Future works SKINNY specifications : overview Specifications ⊲ SKINNY has a state of either 64 bit ( s = 4) or 128 bits ( s = 8). ⊲ Internal state IS : viewed as a 4 × 4 matrix of s -bit elements. ⇒ | IS | = n = 16 s ∈ { 64 , 128 } . ⊲ The tweakey size can be n , 2 n or 3 n . Number of rounds Tweakey size Block size n n 2 n 3 n 64 32 36 40 128 40 48 56 Comparison : SKINNY-64-128 has 36 rounds, SIMON-64-128 has 44 rounds.

Recommend

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with:

The SKINNY Family of Lightweight Tweakable Block Ciphers Jrmy Jean joint work with: Christof Beierle Stefan Klbl Gregor Leander Amir Moradi Thomas Peyrin Yu Sasaki Pascal Sasdrich Siang Meng Sim CRYPTO 2016 August 17, 2016

472 views • 33 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI,

Tweakable BC Tweakable EM Birthday Security BBB Security Conclusion Constructing Tweakable Block Ciphers in the Random Permutation Model Yannick Seurin ANSSI, France September 30, 2015 ASK 2015 Based on joint work with Benot Cogliati

1.79k views • 120 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input &quot;tweak - Tweaks are publicly used

519 views • 30 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles

Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweaking Even-Mansour Ciphers Benot Cogliati 1 Rodolphe Lampe 1 Yannick Seurin 2 1 Versailles University, France 2 ANSSI, France August 17, 2015 CRYPTO

784 views • 77 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

709 views • 67 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides
A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and

A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and

A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and Seth Terashima Portland State University Motivation: Full Disk Encryption File System Virtual Disk (Exposes plaintexts) FDE Physical Disk

1.24k views • 59 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides

More recommend