Cryptanalysis of NORX v2.0


  1. Cryptanalysis of NORX v2.0

     Colin Chaigneau¹, Thomas Fuhr², Henri Gilbert², Jérémy Jean², Jean-René Reinhard²

     ¹ Université de Versailles, France
     ² ANSSI, France

     FSE 2017 - March 7, 2017

     Chaigneau, Fuhr, Gilbert, Jean, Reinhard, Cryptanalysis of NORX v2.0, FSE 2017, 1 / 17

  2. A CAESAR Candidate

     CAESAR competition: Authenticated Encryption with Associated Data (AEAD)

     Timeline
     - March 2014: 56 initial submissions
     - July 2015: 28 candidates selected for 2nd round
     - August 2016: 15 candidates selected for 3rd round

     The NORX authenticated encryption scheme (Aumasson, Jovanovic, Neves)
     - Initial submission: NORX v1 (selected for Round 2)
     - August 2015: NORX v2.0 (selected for Round 3)
     - September 2016: NORX v3.0

  3. Our results

     - Ciphertext-only forgery attack on full NORX v2.0
     - Trivial known-plaintext key recovery once a forgery is achieved
     - CAESAR NORX handles only byte strings

     | Version          | Key size | Tag size | Data      | Time      |
     |------------------|----------|----------|-----------|-----------|
     | NORX v2.0        | 128      | 128      | $2^{66}$  | $2^{66}$  |
     | NORX v2.0 CAESAR | 128      | 128      | $2^{72}$  | $2^{72}$  |
     | NORX v2.0        | 256      | 256      | $2^{130}$ | $2^{130}$ |
     | NORX v2.0 CAESAR | 256      | 256      | $2^{136}$ | $2^{136}$ |

     Related work
     - Privacy and integrity proofs of the mode [JLM14]
     - Analyses of the permutation [AJN14], [AJN15], [DMM15], [BUV17]
     - Attacks on reduced versions [BHJMS16]

  4. 1. Description of NORX v2.0

  5. Description of NORX v2.0: AEAD framework

     Encryption: $(C, T) = E_K(N, AD, M)$ (diagram labels: $N$, $AD$, $M$ authenticated; $M$ encrypted)

     Decryption:

     $$D_K(N, AD, C, T) = \begin{cases} M & \text{if } T \text{ valid} \\ \bot & \text{else} \end{cases}$$

     Notations
     - $M$: Plaintext
     - $AD$: Associated data
     - $N$: Nonce
     - $K$: AEAD Key
     - $C$: Ciphertext
     - $T$: Authentication Tag

  6. Description of NORX v2.0: NORX mode of operation

     - MonkeyDuplex mode [BDPV12]
     - This talk: focus on the 128-bit key and 128-bit tag version
     - Out of scope: parallel mode, authenticated trailer, 256-bit keys

     [Figure: encryption $E_K(N, AD, M)$ drawn as a chain of calls to $P$ on a state built from $N$, $K$ and $U$ ($U$: init. constants), with a 384-bit rate and a 128-bit capacity; the blocks $AD_1, \dots, AD_a$ and $M_1, \dots, M_m$ enter the rate, $C_1, \dots, C_m$ and the tag $T$ are output; labels 01, 01, 02, 02, 08 along the chain.]

     [Figure: decryption $D_K(N, AD, C, T)$ drawn the same way, with $C_1, \dots, C_m$ as input, $M_1, \dots, M_m$ as output, and a final check "$T$ ?".]

  7. Description of NORX v2.0: The permutation P

     - Inspired by stream cipher ChaCha [B08]
     - Operates on a 512-bit state $S$
     - State represented as a 4 × 4 matrix of 32-bit words

     $$S = \begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}$$

     Rows $s_0, \dots, s_{11}$: outer part (rate). Row $s_{12}, \dots, s_{15}$: inner part (capacity).

     - $P$ relies on a 128-bit permutation $G$

  8. Description of NORX v2.0: The permutation P

     $G$: 4-branch generalised Feistel

     [Figure: $G$ maps $(a, b, c, d)$ to $(a', b', c', d')$; rotation labels ≫ 12, ≫ 7, ≫ 16, ≫ 8.]

     $$a', b', c', d' = G(a, b, c, d)$$

     $$x \boxplus y = (x \oplus y) \oplus ((x \wedge y) \ll 1)$$

     $$G_{col} = \begin{pmatrix} G(s_0, s_4, s_8, s_{12}) \\ G(s_1, s_5, s_9, s_{13}) \\ G(s_2, s_6, s_{10}, s_{14}) \\ G(s_3, s_7, s_{11}, s_{15}) \end{pmatrix} \qquad G_{diag} = \begin{pmatrix} G(s_0, s_5, s_{10}, s_{15}) \\ G(s_1, s_6, s_{11}, s_{12}) \\ G(s_2, s_7, s_8, s_{13}) \\ G(s_3, s_4, s_9, s_{14}) \end{pmatrix}$$

     - $P$: 4 rounds of $G_{col}$ then $G_{diag}$
     - Words of row $i$ = $i$-th input of $G$

  9. 2. Analysis of P

  10. Analysis of P: Properties of P

      Preservation of symmetries [AJN15]

      $$\begin{pmatrix} a & a & a & a \\ b & b & b & b \\ c & c & c & c \\ d & d & d & d \end{pmatrix} \xrightarrow{\;P\;} \begin{pmatrix} a' & a' & a' & a' \\ b' & b' & b' & b' \\ c' & c' & c' & c' \\ d' & d' & d' & d' \end{pmatrix}$$

      More generally, $P$ commutes with rotations on columns

      $$\underbrace{\begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}}_{\text{State } S} \xrightarrow{\;\ll 1\;} \underbrace{\begin{pmatrix} s_1 & s_2 & s_3 & s_0 \\ s_5 & s_6 & s_7 & s_4 \\ s_9 & s_{10} & s_{11} & s_8 \\ s_{13} & s_{14} & s_{15} & s_{12} \end{pmatrix}}_{\text{State } S \ll 1}$$

      $$\forall i \in \{1, 2, 3\}, \quad P(S \ll i) = P(S) \ll i$$

  11. Analysis of P: Sketch of proof

      $$\begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix} \xrightarrow{\;\ll 1\;} \begin{pmatrix} s_1 & s_2 & s_3 & s_0 \\ s_5 & s_6 & s_7 & s_4 \\ s_9 & s_{10} & s_{11} & s_8 \\ s_{13} & s_{14} & s_{15} & s_{12} \end{pmatrix}$$

      $$\downarrow G_{col} \qquad\qquad\qquad\qquad \downarrow G_{col}$$

      $$\begin{pmatrix} s'_0 & s'_1 & s'_2 & s'_3 \\ s'_4 & s'_5 & s'_6 & s'_7 \\ s'_8 & s'_9 & s'_{10} & s'_{11} \\ s'_{12} & s'_{13} & s'_{14} & s'_{15} \end{pmatrix} \xrightarrow{\;\ll 1\;} \begin{pmatrix} s'_1 & s'_2 & s'_3 & s'_0 \\ s'_5 & s'_6 & s'_7 & s'_4 \\ s'_9 & s'_{10} & s'_{11} & s'_8 \\ s'_{13} & s'_{14} & s'_{15} & s'_{12} \end{pmatrix}$$

      Rotation commutes with $G_{col}$ layers...

  12. Analysis of P: Sketch of proof

      $$\begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix} \xrightarrow{\;\ll 1\;} \begin{pmatrix} s_1 & s_2 & s_3 & s_0 \\ s_5 & s_6 & s_7 & s_4 \\ s_9 & s_{10} & s_{11} & s_8 \\ s_{13} & s_{14} & s_{15} & s_{12} \end{pmatrix}$$

      $$\downarrow G_{diag} \qquad\qquad\qquad\qquad \downarrow G_{diag}$$

      $$\begin{pmatrix} s'_0 & s'_1 & s'_2 & s'_3 \\ s'_4 & s'_5 & s'_6 & s'_7 \\ s'_8 & s'_9 & s'_{10} & s'_{11} \\ s'_{12} & s'_{13} & s'_{14} & s'_{15} \end{pmatrix} \xrightarrow{\;\ll 1\;} \begin{pmatrix} s'_1 & s'_2 & s'_3 & s'_0 \\ s'_5 & s'_6 & s'_7 & s'_4 \\ s'_9 & s'_{10} & s'_{11} & s'_8 \\ s'_{13} & s'_{14} & s'_{15} & s'_{12} \end{pmatrix}$$

      ... and with $G_{diag}$ layers (and therefore with $P$)

  13. 3. Forgery attack on NORX v2.0

  14. Forgery attack on NORX v2.0: Forgeries on NORX without padding (1/2)

      Idea: modify the last block of a known ciphertext

      $$(N, AD, C_1, \dots, C_m) \rightarrow (N, AD, C_1, \dots, C'_m)$$

      [Figure: the known ciphertext $(N, AD, C, T)$ and the forgery attempt $(N, AD, C', T')$ drawn as two copies of the mode. In the first, the last block $M_m$ / $C_m$ leads to a state $X$, the final permutation calls give $P^2(X)$, and the tag is $T = (t_0, t_1, t_2, t_3)$. In the second, $M'_m$ / $C'_m$ leads to a state $X'$, then $P^2(X')$ and the tag $T'$. Labels 02 and 08 on the chain.]

      If $X' = X \ll 2$ then

      $$P^2(X') = P^2(X \ll 2) = P^2(X) \ll 2$$

      thus $T' = T \ll 2$

  19. Forgery attack on NORX v2.0: Forgeries on NORX without padding (2/2)

      Set $T' = T \ll 2$, choice of $C'$?

      State $X$ during encryption (rows $c_0, \dots, c_{11}$ known, row $s_{12}, \dots, s_{15}$ unknown):

      $$X = \begin{pmatrix} c_0 & c_1 & c_2 & c_3 \\ c_4 & c_5 & c_6 & c_7 \\ c_8 & c_9 & c_{10} & c_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}$$

      State $X'$ during decryption (first three rows chosen as the rows of $X$ rotated by $\ll 2$, last row fixed):

      $$X' = \begin{pmatrix} c_2 & c_3 & c_0 & c_1 \\ c_6 & c_7 & c_4 & c_5 \\ c_{10} & c_{11} & c_8 & c_9 \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}$$

      Conditions: $s_{12} = s_{14}$, $s_{13} = s_{15}$

      Probability $2^{-64}$ (for each forgery attempt)
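
The rotation property of $P$ (slides 10 to 12) and the condition $s_{12} = s_{14}$, $s_{13} = s_{15}$ (slides 14 and 19) can be checked on a small model. This is an added example, not code from the talk or from the NORX designers. Assumptions: the internal layout of `G` (ChaCha-like, with the slide's ⊞ in place of addition), the order of the rotation amounts read from the figure labels, and the tag taken as the capacity row of $P^2(X)$; all function names are hypothetical.

```python
MASK = 0xFFFFFFFF
ROT = (16, 12, 8, 7)  # labels from the slide's G figure, order assumed; the symmetry holds for any values

def rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK

def H(x, y):
    # the slide's x [+] y = (x ^ y) ^ ((x & y) << 1), on 32-bit words
    return ((x ^ y) ^ ((x & y) << 1)) & MASK

def G(a, b, c, d):
    # assumed layout of the 4-branch G
    a = H(a, b); d = rotr(a ^ d, ROT[0])
    c = H(c, d); b = rotr(b ^ c, ROT[1])
    a = H(a, b); d = rotr(a ^ d, ROT[2])
    c = H(c, d); b = rotr(b ^ c, ROT[3])
    return a, b, c, d

COLS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def P(S, rounds=4):
    # 4 rounds of G_col then G_diag on a 16-word state (row-major list)
    S = list(S)
    for _ in range(rounds):
        for layer in (COLS, DIAGS):
            for a, b, c, d in layer:
                S[a], S[b], S[c], S[d] = G(S[a], S[b], S[c], S[d])
    return S

def rot_cols(S, i):
    # S << i in the slides' notation: each row rotated left by i positions
    return [S[4 * r + (c + i) % 4] for r in range(4) for c in range(4)]

def tag(X):
    # assumption: the tag is the capacity row of P^2(X)
    return P(P(X))[12:]

def forged_state(X):
    # the 12 rate words are rotated by 2; the capacity row cannot be touched
    return rot_cols(X, 2)[:12] + list(X[12:])

def forgery_succeeds(X):
    t = tag(X)
    return tag(forged_state(X)) == t[2:] + t[:2]  # T' = T << 2

if __name__ == "__main__":
    X = list(range(12)) + [7, 9, 7, 9]  # constructed state with s12 = s14, s13 = s15
    print(forgery_succeeds(X))
```

A state whose capacity row does not satisfy both equalities gives `forged_state(X) != rot_cols(X, 2)`, so the rotated tag no longer verifies.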
