Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light - PowerPoint PPT Presentation

Cryptanalysis Results on Spook Bringing Full Shadow-512 to the Light Patrick Derbez 1 , Paul Huynh 2 , Virginie Lallemand 2 , María Naya-Plasencia 3 , Léo Perrin 3 , André Schrottenloher 3 1 Université de Rennes, CNRS, Irisa - Rennes, France 
 2 Université de Lorraine, INRIA, Loria, CNRS - Nancy, France 
 3 INRIA - Paris, France CRYPTO 2020 | August 18th, 2020 | your computer screen

Spook Davide Bellizia, Francesco Berti, Olivier Bronchain, Gaëtan Cassiers, Sébastien Duval, Chun Guo, Gregor Leander, Gaëtan Leurent, Itamar Levi, Charles Momin, Olivier Pereira, Thomas Peters, François-Xavier Standaert, Balazs Udvarhelyi and Friedrich Wiemer 2nd round candidate to the NIST LWC standardization process Designed to achieve both resistance against side-channel analysis and low- energy implementations AEAD is provided using three sub-components • the Sponge One-Pass mode of operation (S1P) • the Clyde-128 tweakable block cipher • the Shadow permutation


 Motivations Requirement for the permutation in the S1P mode of operation is that it provides collision resistance with respect to the 255 bits that generate the tag 
 “Hence, a more specific requirement is to prevent truncated di ff erentials with probability larger than 2 -128 for those 255 bits. A conservative heuristic for this purpose is to require that no di ff erential characteristic has probability better than 2 -385 , which happens after twelve rounds (six steps).” 
 Mathematical cryptanalysis challenge proposed by the designers on the permutation


 Summary of our work Practical distinguishers of the full 6-step version of the Shadow-512 permutation and reduced 5-step version of Shadow-384 Practical forgeries with 4-step Shadow for the S1P mode of operation 
 (nonce misuse scenario) 
 All the analyses are practical and have been implemented and tested. Source code available at: https://who.paris.inria.fr/Leo.Perrin/code/spook/index.html

Description of Shadow

A Shadow bundle 128 bits s = 4 ℓ = 32

A Shadow state m = 4 m = 3 s = 4 s = 4 ℓ = 32 ℓ = 32 Shadow-512 Shadow-384

A Shadow encryption step L c’ c L S S S S S S S S S S L L S S S S S S S S S S L L S S S S S S S S S S L D S S S S S S S S S S L S-box L-box AC(2 i ) S-box D-box AC(2 i+ 1) Round A Round B 4-bit LFSR-generated constants added to column i of bundle i 6 steps to complete encryption


 
 The D-layer D is the only di ff usion layer between the m bundles Shadow-512: 
 Shadow-384: 
 D D ( a , b , c ) = ( 0 ) × ( 1 1 1 a c ) 0 1 1 1 a 1 0 1 b 1 0 1 1 b D ( a , b , c , d ) = × c 1 1 1 1 0 1 d 1 1 1 0


 Main ideas Exploit the similarity between the functions applied in parallel on each bundle. 
 Truncated di ff erential distinguisher: variant of di ff erentials in which only a portion of the di ff erence is fixed while the remaining part is undetermined. x x’ = ( *, *, *, 0) and shadow( x ) shadow( x’ ) = D(0, 0, 0, *) 
 ⊕ ⊕ ‘ 0 ’ the two bundles are identical 
 ‘ * ’ the di ff erence between the bundles is not determined 


A Shadow step L c’ c L S S S S S S S S S S L L S S S S S S S S S S L L S S S S S S S S S S L D S S S S S S S S S S L S-box L-box AC(2 i ) S-box D-box AC(2 i+ 1)

A Shadow step rewritten c’ σ 0 c’ c σ 1 L S S S S S S S S S S L D c’ c σ 2 L S S S S S S S S S S L c c’ σ 3 L S S S S S S S S S S L

A Shadow step rewritten c’ σ 0 c’ σ 1 D c’ σ 2 c’ σ 3

A Shadow step rewritten Seen as an SPN, using four 128-bit Super S-boxes interleaved with a linear σ i permutation D operating on the full state. * 0 0 0 σ 0 σ 1 σ 2 σ 3 * 0 0 0 D 0 * * *

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i Initial state

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i S-Box layer

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i L-Box layer

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i AC(2 i )

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i y 3 +c y 2 +c AC(2 i ) y 1 +c y 0 +c

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i S( ) y 3 +c S( ) y 2 +c S-Box layer S( ) y 1 +c S( ) y 0 +c

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i S( ) y 3 +c S( ) y 2 +c D layer S( ) y 1 +c S( ) y 0 +c

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i S( ) y 3 +c S(y 3 )+c’ S( ) y 2 +c S(y 2 )+c’ AC(2 i +1) S( ) y 1 +c S(y 1 )+c’ S( ) y 0 +c S(y 0 )+c’

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i = S( ) y 3 +c S(y 3 )+c’ S( ) y 2 +c = S(y 2 )+c’ S( ) y 1 +c = S(y 1 )+c’ = S( ) y 0 +c S(y 0 )+c’

Structural observations We call -identical an internal state of Shadow in which bundles are equal. i i probabilities of an i-identitical state at step a probabilities of an i-identical state at step s s 0 1 2 3 4 s 0 1 2 3 4 -8 0 0 2 -12 0 i= 4 2 -8 i =4 0 0 2 -12 0 2 i =3 0 0 2 -9 2 -6 0 0 0 2 -6 2 -4 0 i =2

Distinguisher

Distinguisher on 6 steps of Shadow-512 x x’ = ( *, *, *, 0) and shadow( x ) shadow( x’ ) = D(0, 0, 0, *) ⊕ ⊕ Generic cost 2 -64 vs 2 -16.245 here α α α 0 σ 0 σ 1 σ 2 σ 3 step 2 0 β β β D

Distinguisher on 6 steps of Shadow-512 0 * * * σ 0 σ 1 σ 2 σ 3 step 0 0 * * * D 0 0 0 * p=1 σ 0 σ 1 σ 2 σ 3 step 1 α 0 0 0 D α α α 0 σ 0 σ 1 σ 2 σ 3 step 2 0 β β β D

Distinguisher on 6 steps of Shadow-512 α α α 0 σ 0 σ 1 σ 2 σ 3 step 2 0 β β β D 0 0 0 β σ 0 σ 1 σ 2 σ 3 step 3 p=2 -9 γ 0 0 0 D γ γ γ 0 σ 0 σ 1 σ 2 σ 3 p=2 -7.245 step 4 δ δ δ 0 D 0 0 0 δ σ 0 σ 1 σ 2 σ 3 p=1 step 5 0 0 0 * D 0 * * *


 
 
 
 
 
 
 0 * * * Some details σ 0 σ 1 σ 2 σ 3 step 0 0 * * * D 0 0 0 * p=1 Constructing a pair for step 2 : σ 0 σ 1 σ 2 σ 3 step 1 α 0 0 0 D σ 0 ( x ) + σ 0 ( x + α ) = β α α α 0 σ 1 ( x + ϵ ) + σ 1 ( x + ϵ + α ) = β σ 0 σ 1 σ 2 σ 3 σ 2 ( x + ϵ ′ � ) + σ 2 ( x + ϵ ′ � + α ) = β step 2 0 β β β and 3-identical state at the end of step 2 D 0 0 0 β Impact of the constant additions limited to the S-boxes with σ 0 σ 1 σ 2 σ 3 step 3 indices in {0,1,2,3} p=2 -9 γ 0 0 0 D γ γ γ Bits with indices 22 and 23 in each of the 4 input words of a 0 Super S-box have no influence on the output bits with σ 0 σ 1 σ 2 σ 3 p=2 -7.245 step 4 indices in {0,1,2,3} 
 δ δ δ 0 D ∇ = { a × e 22 + b × e 23 , a ∈ 픽 4 2 , b ∈ 픽 4 2 } 0 0 0 δ σ 0 σ 1 σ 2 σ 3 For all , all steps and all bundle index , p=1 step 5 α ∈ ∇ i 0 0 0 * σ i ( x ) + σ i ( x + α ) = ( * , * , . . . , * ,0,0,0,0) D 0 * * *


 
 
 0 * * * Some details σ 0 σ 1 σ 2 σ 3 step 0 0 * * * D 0 0 0 * p=1 Step 3 : probability of a 3-identical state = 2 -9 σ 0 σ 1 σ 2 σ 3 step 1 α 0 0 0 Step 4: di ff erence of the form at the end of the step D (0,0,0, δ ) α α α 0 σ 0 σ 1 σ 2 σ 3 Let and denote two messages after ( y , y , y , w ) ( y ′ � , y ′ � , y ′ � , w ) step 2 the application of and of step 4 then: 
 0 S L β β β D S ( y ′ � 2 ) ⊕ S ( y ′ � 2 ⊕ c ) = S ( y 2 ) ⊕ S ( y 2 ⊕ c ) 0 0 0 β S ( y ′ � 1 ) ⊕ S ( y ′ � 1 ⊕ c ) = S ( y 1 ) ⊕ S ( y 1 ⊕ c ) σ 0 σ 1 σ 2 σ 3 step 3 p=2 -9 S ( y ′ � 0 ) ⊕ S ( y ′ � 0 ⊕ c ) = S ( y 0 ) ⊕ S ( y 0 ⊕ c ) γ 0 0 0 D γ γ γ 0 , probability of 2 -2.415 for each equality with c = 0 x 5 σ 0 σ 1 σ 2 σ 3 p=2 -7.245 step 4 Step 5 has probability 1 δ δ δ 0 D 0 0 0 δ Total probability: (2 -2.415 ) 3 x 2 -9 = 2 -16.245 σ 0 σ 1 σ 2 σ 3 p=1 step 5 0 0 0 * D 0 * * *