Cryptanalysis Results on Spook: Bringing Full Shadow-512 to the Light (presentation slides)



SLIDE 1

CRYPTO 2020 | August 18th, 2020 | your computer screen

Cryptanalysis Results on Spook

Patrick Derbez (1), Paul Huynh (2), Virginie Lallemand (2), María Naya-Plasencia (3), Léo Perrin (3), André Schrottenloher (3)

(1) Université de Rennes, CNRS, Irisa - Rennes, France
(2) Université de Lorraine, INRIA, Loria, CNRS - Nancy, France
(3) INRIA - Paris, France

Bringing Full Shadow-512 to the Light

SLIDE 2

Spook

  • 2nd round candidate in the NIST LWC standardization process
  • Designed to achieve both resistance against side-channel analysis and low-energy implementations
  • AEAD is provided using three sub-components:
      • the Sponge One-Pass mode of operation (S1P)
      • the Clyde-128 tweakable block cipher
      • the Shadow permutation

Designers: Davide Bellizia, Francesco Berti, Olivier Bronchain, Gaëtan Cassiers, Sébastien Duval, Chun Guo, Gregor Leander, Gaëtan Leurent, Itamar Levi, Charles Momin, Olivier Pereira, Thomas Peters, François-Xavier Standaert, Balazs Udvarhelyi and Friedrich Wiemer

SLIDE 3

Motivations

Requirement for the permutation in the S1P mode of operation: it must provide collision resistance with respect to the 255 bits that generate the tag.

“Hence, a more specific requirement is to prevent truncated differentials with probability larger than 2^-128 for those 255 bits. A conservative heuristic for this purpose is to require that no differential characteristic has probability better than 2^-385, which happens after twelve rounds (six steps).”

Mathematical cryptanalysis challenge proposed by the designers on the permutation

SLIDE 4

Summary of our work

  • Practical distinguishers of the full 6-step version of the Shadow-512 permutation and of the reduced 5-step version of Shadow-384
  • Practical forgeries with 4-step Shadow for the S1P mode of operation (nonce misuse scenario)

All the analyses are practical and have been implemented and tested. Source code available at: https://who.paris.inria.fr/Leo.Perrin/code/spook/index.html

SLIDE 5

Description of Shadow

SLIDE 6

A Shadow bundle

[Figure: a Shadow bundle is s = 4 words of ℓ = 32 bits, i.e. a 128-bit bundle]

SLIDE 7

A Shadow state

[Figure: a Shadow-512 state is m = 4 bundles, a Shadow-384 state is m = 3 bundles (s = 4, ℓ = 32 in both cases)]

SLIDE 8

A Shadow encryption step

[Figure: one step = Round A (S-box layer, L-box layer, AC(2i)) followed by Round B (S-box layer, D-box, AC(2i+1)); the S-boxes and L-boxes act on each bundle separately, the D-box acts across bundles, and the constants c and c′ are added in AC(2i) and AC(2i+1)]

4-bit LFSR-generated constants are added to column i of bundle i. 6 steps complete the encryption.

SLIDE 9

The D-layer

Shadow-512:

  D(a, b, c, d) = [0 1 1 1; 1 0 1 1; 1 1 0 1; 1 1 1 0] × (a, b, c, d)ᵀ

  i.e. each output bundle is the XOR of the other three.

Shadow-384:

  D(a, b, c) = [1 1 1; 1 0 1; 1 1 0] × (a, b, c)ᵀ

D is the only diffusion layer between the m bundles.

SLIDE 10

Main ideas

  • Exploit the similarity between the functions applied in parallel on each bundle.
  • Truncated differential distinguisher: a variant of differentials in which only a portion of the difference is fixed while the remaining part is undetermined.

    x ⊕ x′ = (*, *, *, 0) and shadow(x) ⊕ shadow(x′) = D(0, 0, 0, *)

    ‘0’: the two bundles are identical
    ‘*’: the difference between the bundles is not determined
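The D-layer of slide 9 and the bundle-difference bookkeeping of slide 10, as an added Python example that is not part of the talk or of the Spook reference code: it implements both D matrices on concrete bundles, checks that a 3-identical state stays 3-identical through D, and propagates the symbolic truncated patterns (0, α, β, *) through D the way the later trail slides do. The symbolic helper, its string encoding and the random sample bundles are my own construction.

```python
# Added example (not code from the talk or from the Spook designers): the two
# D-layers of slide 9 on concrete bundles, plus symbolic propagation of the
# truncated difference patterns (0, α, β, *) that the later slides track.
import secrets

def d_layer_512(state):
    """Shadow-512 D-box (matrix J+I over GF(2)): each output bundle is the XOR
    of the other three. Bundles are 128-bit integers."""
    a, b, c, d = state
    return (b ^ c ^ d, a ^ c ^ d, a ^ b ^ d, a ^ b ^ c)

def d_layer_384(state):
    """Shadow-384 D-box with rows (1 1 1), (1 0 1), (1 1 0) as on slide 9."""
    a, b, c = state
    return (a ^ b ^ c, a ^ c, a ^ b)

def identical_count(state):
    """The i of an i-identical state: the largest number of equal bundles."""
    return max(sum(1 for x in state if x == ref) for ref in state)

def d_symbolic(pattern):
    """D-layer on a 4-bundle truncated pattern such as ('α', 'α', 'α', 'β'):
    '0' = zero difference, a name = fixed unknown difference, '*' = undetermined.
    XOR of symbols is the symmetric difference of name sets (x ⊕ x = 0)."""
    sets = [frozenset() if p == "0" else frozenset({f"*{j}" if p == "*" else p})
            for j, p in enumerate(pattern)]
    out = []
    for j in range(4):
        acc = frozenset()
        for k in range(4):
            if k != j:
                acc = acc ^ sets[k]
        if any(s.startswith("*") for s in acc):   # a wildcard taints the whole bundle
            out.append("*")
        else:
            out.append("+".join(sorted(acc)) if acc else "0")
    return tuple(out)

def d_512_is_involution(trials=16):
    """(J+I)^2 = I over GF(2) for m = 4: Shadow-512's D-box is its own inverse."""
    for _ in range(trials):
        s = tuple(secrets.randbits(128) for _ in range(4))   # constructed random bundles
        if d_layer_512(d_layer_512(s)) != s:
            return False
    return True

if __name__ == "__main__":
    y, w = secrets.randbits(128), secrets.randbits(128)
    print(d_layer_512((y, y, y, w)) == (w, w, w, y))  # a 3-identical state stays 3-identical
    print(d_symbolic(("α", "α", "α", "β")))            # ('β', 'β', 'β', 'α')
    print(d_symbolic(("0", "0", "0", "*")))            # ('*', '*', '*', '0'): D(0,0,0,*)
```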

SLIDE 11

A Shadow step

[Figure: the step diagram of slide 8 again: S-box layer, L-box layer, AC(2i), S-box layer, D-box, AC(2i+1), with constants c and c′]

SLIDE 12

A Shadow step rewritten

[Figure, built up over slides 12 to 14: the S-box, L-box, constant-addition and S-box layers acting on bundle i are grouped into a 128-bit Super S-box σi, with the constants c and c′ folded in; a step is then σ0, σ1, σ2, σ3 applied in parallel, followed by the D layer]

Seen as an SPN, using four 128-bit Super S-boxes interleaved with a linear permutation D operating on the full state.

SLIDE 15

Structural observations

We call i-identical an internal state of Shadow in which i bundles are equal.

[Figure, animated over slides 15 to 24: an i-identical state followed through one step. Initial state; S-box layer; L-box layer; AC(2i) gives the bundles y0+c, y1+c, y2+c, y3+c; S-box layer gives S(y0+c), S(y1+c), S(y2+c), S(y3+c); D layer; AC(2i+1) gives S(y0)+c′, S(y1)+c′, S(y2)+c′, S(y3)+c′; slide 24 marks the four resulting bundles as equal again (= = = =)]

SLIDE 25

Structural observations

We call i-identical an internal state of Shadow in which i bundles are equal.

[Table: probabilities of an i-identical state at step s = 1, 2, 3, 4; recovered entries: i = 4: 2^-12, 2^-8; i = 3: 2^-9, 2^-6; i = 2: 2^-6, 2^-4]

SLIDE 26

Distinguisher

SLIDE 27

Distinguisher

x ⊕ x′ = (*, *, *, 0) and shadow(x) ⊕ shadow(x′) = D(0, 0, 0, *)

Generic cost 2^-64 vs 2^-16.245 here, on 6 steps of Shadow-512

[Figure: step 2 of the trail, σ0, σ1, σ2, σ3 followed by D, with bundle-difference labels α α α and β β β]
SLIDE 28

Distinguisher on 6 steps of Shadow-512

[Figure, continued on slide 29: the truncated trail through steps 0 to 5, each step drawn as σ0, σ1, σ2, σ3 followed by D. Bundle-difference labels along the trail: * * * * * * * α (steps 0 and 1, p = 1); α α α, β β β (step 2, p = 1); γ β γ γ γ (step 3, p = 2^-9); δ δ δ δ (step 4, p = 2^-7.245); * * * * (step 5)]

SLIDE 30

Some details

[Figure: the same 6-step trail as slides 28 and 29]

Constructing a pair for step 2:

  σ0(x) + σ0(x + α) = β
  σ1(x + ϵ) + σ1(x + ϵ + α) = β
  σ2(x + ϵ′) + σ2(x + ϵ′ + α) = β

and a 3-identical state at the end of step 2.

Impact of the constant additions limited to the S-boxes with indices in {0, 1, 2, 3}.
Bits with indices 22 and 23 in each of the 4 input words of a Super S-box have no influence on the output bits with indices in {0, 1, 2, 3}.

  ∇ = { a × e22 + b × e23, a ∈ 𝔽_2^4, b ∈ 𝔽_2^4 }

For all α ∈ ∇, all steps and all bundle indices i,

  σi(x) + σi(x + α) = (*, *, …, *, 0, 0, 0, 0)

SLIDE 31

Some details

[Figure: the same 6-step trail as slides 28 and 29]

Step 3: probability of a 3-identical state = 2^-9

Step 4: difference of the form (0, 0, 0, δ) at the end of the step. Let (y, y, y, w) and (y′, y′, y′, w) denote two messages after the application of S and L of step 4; then

  S(y′0) ⊕ S(y′0 ⊕ c) = S(y0) ⊕ S(y0 ⊕ c)
  S(y′1) ⊕ S(y′1 ⊕ c) = S(y1) ⊕ S(y1 ⊕ c)
  S(y′2) ⊕ S(y′2 ⊕ c) = S(y2) ⊕ S(y2 ⊕ c)

with c = 0x5, probability 2^-2.415 for each equality.

Step 5 has probability 1.
Total probability: (2^-2.415)^3 × 2^-9 = 2^-16.245

SLIDE 32

Summary

  1. Select a difference α ∈ ∇.
  2. Select a state (y2, y2, y2, z2) that will be a state after step 2.
  3. Invert step 2 on (y2, y2, y2, z2), obtaining (x1, y1, z1, t1).
  4. Invert step 1 on (x1, y1, z1, t1) and (x1 ⊕ α, y1 ⊕ α, z1 ⊕ α, t1), obtaining (x0, y0, z0, t0) and (x0, y0, z0, t′0).
  5. Invert step 0, obtaining a pair of Shadow-512 states with a zero difference in the last bundle.
  6. Return this pair of states. With high probability 2^-16.245, it satisfies the truncated trail.

[Figure: the 6-step trail of slides 28 and 29]

SLIDE 33

Extension to 7 steps

[Figure: the 6-step trail of slides 28 and 29 followed by a step 6 (σ0, σ1, σ2, σ3 then D) with labels * * *]

No extra cost.

SLIDE 34

The Shadow-384 case

  D(a, b, c) = [1 1 1; 1 0 1; 1 1 0] × (a, b, c)ᵀ

[Figure: trail through steps 0 to 6 of Shadow-384, each step drawn as σ0, σ1, σ2 followed by D; probabilities along the trail: p = 1 (steps 0 and 1), p = 2^-4.83, p = 2^-12, p = 2^-8, p = 1; bundle-difference labels along the trail: * * * * * * β β α α β β γ γ * * γ γ * * δ δ * * δ δ α α * *]

SLIDE 35

Forgery

SLIDE 36

Forgery

  • “Aggressive parameters”: 8 rounds for Shadow-512
  • Shifted version (step 2 to step 5)
  • Same nonce used 3 times (nonce misuse scenario) to build collisions: 2 different plaintexts that yield the same tag

SLIDE 37

Forgery

S1P mode in our attack setting

[Figure: three encryptions under the same (N, K) drawn in parallel: Initialize, then message block M0 / ciphertext C0, π, message block M1 / ciphertext C1, Finalize, Tag]

rate: bundles 0 and 1; capacity: bundles 2 and 3, not visible

SLIDE 38

Forgery

Differential trail

[Figure: the trail through steps 2 to 5 (shifted version), each step drawn as σ0, σ1, σ2, σ3 followed by D; bundle-difference labels ϵ ϵ, α α, β β, γ γ γ γ, * *; probabilities p = 2^-4.83, p = 2^-12, p = 2^-8]

SLIDE 39

Forgery

Differential trail

[Figure: the same trail through steps 2 to 5, labels ϵ ϵ, α α, β β, γ γ γ γ, * *]

Total probability: 2^-24.83

SLIDE 40

Forgery

Outline

[Figure: the trail of slides 38 and 39 (steps 2 to 5, labels ϵ ϵ, α α, β β, γ γ γ γ, * *) placed above the S1P diagram of slide 37]

SLIDE 41

Forgery

Attack Outline

[Figure: the S1P diagram of slide 37 with the trail of probability p = 2^-24.83 on the π call between the two message blocks: input difference ϵ, output difference * * in the rate]

2 different plaintexts that yield the same tag: (M0, M1) and (M′0, M′1), which yield a (0, 0, 0, 0) difference after π

SLIDE 42

Forgery

Attack Outline

  1. Query 1: encrypt a two-block (4 bundles) message (0,0)(0,0) to recover the 2-bundle rate value (x1, y1) after Initialize (C0).
  2. Generate two pairs of rate bundles (x′1, y′1), (x′′1, y′′1) that satisfy the truncated trail with probability p.
  3. Queries 2 and 3: get the difference after π.
     Encrypt (x1 ⊕ x′1, y1 ⊕ y′1), (0,0) to obtain the value of the rate after π on (x′1, y′1, a, b), denoted by (c′2, c′3) (C1).
     Encrypt (x1 ⊕ x′′1, y1 ⊕ y′′1), (0,0) to obtain the value of the rate after π on (x′′1, y′′1, a, b), denoted by (c′′2, c′′3) (C1).
  4. Cancel out the difference after π.
     (x1 ⊕ x′1, y1 ⊕ y′1), (c′2, c′3) and (x1 ⊕ x′′1, y1 ⊕ y′′1), (c′′2, c′′3) yield the same internal state before Finalize with probability p ≃ 2^-24.83.

[Figure: the S1P diagram of slide 37 with the rate after Initialize labelled (x1, y1) and the capacity (a, b); the trail of probability p = 2^-24.83 sits on the π call between the two blocks, with input difference ϵ and output difference * * in the rate]

SLIDE 43

Conclusion

Summary of our work:
  • Practical distinguishers of the full 6-step version of Shadow-512 and of Shadow-384 (shifted)
  • Practical forgeries with 4-step Shadow for the S1P mode of operation (nonce misuse scenario)

After our results, the authors proposed Spook v2 [ToSC special issue]:
  • D matrix replaced with an efficient MDS matrix
  • modification of the round constants of Shadow for more efficiency
  • 2nd mathematical challenge ongoing: https://www.spook.dev/challenges

New criterion for choosing round constants: prevent more than invariant subspace attacks

SLIDE 44

Thank you! Itsaka