The Subterranean 2.0 Cipher Suite

Joan Daemen¹, Pedro Maat Costa Massolino³, Alireza Mehrdad¹, Yann Rotella²
¹ Radboud University NL, ³ PQShield UK, ² UVSQ, LMV, Université Paris-Saclay FR
Fast Software Encryption Workshop, November 9, 2020

Subterranean [JDA 1992]: a stream/hash module

[Figure: block diagram with state a, shift register b, round function R and control, annotated "absorb here", "blank rounds" and "squeeze here"]

Subhash: $M \to h$
Substream: $(K; D) \to Z$

Subterranean's round function R

• b: 256-bit shift register with 32-bit stages
• a: 257-bit state: $a \leftarrow R(a, b)$

[Figure: one round taking the state bits $a_i$ from time $t$ to time $t + 1$ through the steps γ, ς, θ, σ[b] and π]

Could Subterranean 1992 compete in the lightweight competition 2020?

• In 1992 it was not intended as lightweight
  • 257-bit CV (the state)
  • compare with 128-bit CVs in MD4 and MD5
• R is hardware-oriented and unsuitable for software
  • but we would go for low energy and that implies ASIC anyway
• Low energy?
  • R takes 4 XOR, 1 NAND, 1 NOT per bit and is shallow
  • absorbing: 32 bits per round → 32 XOR, 8 NAND, 8 NOT per bit
  • squeezing: 16 bits per round → 64 XOR, 16 NAND, 16 NOT per bit
• Not bad, so let's give it a shot!

Subterranean 2.0 is Subterranean 1992 refurbished

Three primitives
• XOF: unkeyed hashing with arbitrary-length output & input strings
• Deck: keyed function with arbitrary-length output & input strings
• SAE: session-supporting nonce-based authenticated encryption

Refactoring into two levels
• Duplex
  • r = 32 in squeezing and keyed absorbing
  • r = 8 per 2 rounds in unkeyed absorbing (for 112 bits of security)
  • delete shift register b and just absorb in, and squeeze from a
• Mode
  • 8 blank rounds between absorbing and squeezing
  • except for encryption/decryption in SAE that relies on nonce uniqueness

And now to Subterranean 2.0 and its rationale in more detail!
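
Subterranean-XOF

[Figure: duplex diagram starting from state 0, with input blocks $M_0, M_1, \ldots, M_i$, output blocks $Z_0, Z_1, Z_2, \ldots, Z_7$, and steps labelled $R^2$, $R^8$ and $R$]

• $|M_j|$: one byte
• $|Z_j|$: 4 bytes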
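
Subterranean-Deck

[Figure: duplex diagram starting from state 0, with key blocks $K_0, K_1$, input blocks $M_0, M_1$, output blocks $Z_0, Z_1, Z_2, \ldots, Z_i$, and steps labelled $R$ and $R^8$]

• $|M_j|$, $|Z_j|$, $|K_j|$: 4 bytes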
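
Subterranean-SAE

[Figure: duplex diagram starting from state 0, with blocks $K_0$, $N_2$, $A_0$, $A_{i_a}$, $P_0$, $P_i$, keystream blocks $Z_0$, $Z_1$, $Z_{i+1}$, tag blocks $T_0$, $T_1$, $T_3$, and steps labelled $R$ and $R^8$]

• $|K_j|$, $|N_j|$, $|A_j|$, $|Z_j|$, $|P_j|$, $|T_j|$: 4 bytes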

The Subterranean 2.0 round function

[Figure: one round taking the state bits $s_i$ from time $t$ to time $t + 1$ through the steps χ, ι, θ and π]

$\chi: s_i \leftarrow s_i + (s_{i+1} + 1)\, s_{i+2}$
$\iota: s_i \leftarrow s_i + \delta_i$
$\theta: s_i \leftarrow s_i + s_{i+3} + s_{i+8}$
$\pi: s_i \leftarrow s_{12i}$

Absorb and Squeeze

[Figure: the round function diagram (χ, ι, θ, π) with the absorb and squeeze positions marked]

$12^4 = 176$
$G_{64} = \{1, 176, 136, \ldots, 92\} \prec (\mathbb{Z}/257\mathbb{Z})^*$
$z_i = s_{176^i} + s_{-176^i}$
$s_{176^i} = s_{176^i} + p_i$
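
The round function and the $G_{64}$ absorb/squeeze positions from the two slides above, as an added example in Python (not code from the talk or from the Subterranean 2.0 reference implementation). It assumes that $\delta_i$ is 1 only for $i = 0$ and that all indices are taken modulo 257; the duplex padding and the modes are left out, and the function names are chosen here.

```python
N = 257  # state size in bits; every index is reduced modulo 257


def round_function(s):
    """Apply chi, iota, theta, pi (in that order) to a list of 257 bits."""
    assert len(s) == N
    # chi: s_i <- s_i + (s_{i+1} + 1) * s_{i+2}
    s = [s[i] ^ ((s[(i + 1) % N] ^ 1) & s[(i + 2) % N]) for i in range(N)]
    # iota: s_i <- s_i + delta_i (assumption: delta_i = 1 only for i = 0)
    s[0] ^= 1
    # theta: s_i <- s_i + s_{i+3} + s_{i+8}
    s = [s[i] ^ s[(i + 3) % N] ^ s[(i + 8) % N] for i in range(N)]
    # pi: s_i <- s_{12 i}
    return [s[(12 * i) % N] for i in range(N)]


def g64():
    """Powers 176^0 .. 176^63 modulo 257, the subgroup generated by 12^4."""
    out, x = [], 1
    for _ in range(64):
        out.append(x)
        x = x * 176 % N
    return out


def absorb(s, p):
    """s_{176^i} = s_{176^i} + p_i for each bit p_i of the input block."""
    g = g64()
    s = list(s)
    for i, bit in enumerate(p):
        s[g[i]] ^= bit
    return s


def extract(s):
    """z_i = s_{176^i} + s_{-176^i} for a 32-bit (4-byte) output block."""
    g = g64()
    return [s[g[i]] ^ s[(-g[i]) % N] for i in range(32)]


if __name__ == "__main__":
    g = g64()
    print("G_64 starts", g[:3], "and ends", g[-1])
    print("first squeeze pairs:", [(x, (-x) % N) for x in g[:3]])
    state = round_function(absorb([0] * N, [1, 0, 1, 1] + [0] * 28))
    print("z after one round:", extract(state))
```

Because $176^{32} = -1$ modulo 257, the second bit of each squeeze pair lies in the half of $G_{64}$ that a 32-bit absorb does not touch.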

Design Rationale in a nutshell

The choice of $G_{64}$:
• non-consecutive bits (State-Recovery attacks on Ketje Jr [Fuhr, Naya-Plasencia, Rotella, ToSC 2018])
• consistent with π dispersion