friet an authenticated encryption scheme with built in
play

Friet: An Authenticated Encryption Scheme with Built-in Fault - PowerPoint PPT Presentation

Apr 24, 2023 •261 likes •543 views

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection Thierry Simon 1,2 Lejla Batina 1 Joan Daemen 1 Vincent Grosso 1,3 Pedro Maat Costa Massolino 1 Kostas Papagiannopoulos 1,4 Francesco Regazzoni 5 Niels Samwel 1 1 Radboud

  1. Friet: An Authenticated Encryption Scheme with Built-in Fault Detection Thierry Simon 1,2 Lejla Batina 1 Joan Daemen 1 Vincent Grosso 1,3 Pedro Maat Costa Massolino 1 Kostas Papagiannopoulos 1,4 Francesco Regazzoni 5 Niels Samwel 1 1 Radboud University 2 STMicroelectronics 3 CNRS/Univ. Lyon 4 NXP Semiconductors Hamburg 5 University of Lugano Eurocrypt, May 2020

  2. Motivation Lightweight cryptographic primitive 1

  3. Motivation Lightweight cryptographic primitive with fault detection • Using an Error Detecting Code (EDC) ◮ ParTI [Schneider et al., ePrint 2016/648] ◮ CRAFT [Beierle et al., ToSC 2019] 1

  4. Motivation Lightweight cryptographic primitive with built-in fault detection • Using an Error Detecting Code (EDC) ◮ ParTI [Schneider et al., ePrint 2016/648] ◮ CRAFT [Beierle et al., ToSC 2019] • Designed with building blocks efficiently adaptable to a specific EDC 1

  5. Designing a Permutation for a Specific Error Detecting Code

  6. The Parity Code [4 , 3 , 2] • Set of encodable messages: Z 3 2 • Set of codewords: C contains all ( a , b , c , d ) ∈ Z 4 2 satisfying the parity equation a ⊕ b ⊕ c ⊕ d = 0 • Encoding function: Enc : Z 3 2 → C , ( a , b , c ) �→ ( a , b , c , a ⊕ b ⊕ c ) • Decoding function: � ( a , b , c ) if a ⊕ b ⊕ c ⊕ d = 0 , Dec : Z 4 2 → Z 3 2 , ( a , b , c , d ) �→ ⊥ else 2

  7. Building a [4 , 3 , 2] -abiding Permutation Let π be a 384-bit permutation whose state ( a , b , c ) is divided in three 128-bit limbs. We define ¯ π : ( a , b , c , d ) �→ ( a ′ , b ′ , c ′ , d ′ ) a 512-bit permutation whose state is divided in four limbs such that π ( C 128 ) = C 128 or equivalently • ¯ π preserves the parity: ¯ ⇒ a ′ ⊕ b ′ ⊕ c ′ ⊕ d ′ = 0 . a ⊕ b ⊕ c ⊕ d = 0 ⇐ We say that ¯ π abides the parity code. π extends π : if ( a , b , c , d ) ∈ C 128 then • ¯ π ( a , b , c , d ) = ( a ′ , b ′ , c ′ , d ′ ) ⇒ π ( a , b , c ) = ( a ′ , b ′ , c ′ ) . We say that π is the embedding of ¯ π by the parity code. 3

  8. Building a [4 , 3 , 2] -abiding Permutation Let π be a 384-bit permutation whose state ( a , b , c ) is divided in three 128-bit limbs. We define ¯ π : ( a , b , c , d ) �→ ( a ′ , b ′ , c ′ , d ′ ) a 512-bit permutation whose state is divided in four limbs such that π ( C 128 ) = C 128 or equivalently • ¯ π preserves the parity: ¯ ⇒ a ′ ⊕ b ′ ⊕ c ′ ⊕ d ′ = 0 . a ⊕ b ⊕ c ⊕ d = 0 ⇐ We say that ¯ π abides the parity code. π extends π : if ( a , b , c , d ) ∈ C 128 then • ¯ π ( a , b , c , d ) = ( a ′ , b ′ , c ′ , d ′ ) ⇒ π ( a , b , c ) = ( a ′ , b ′ , c ′ ) . We say that π is the embedding of ¯ π by the parity code. 3

  9. Building a [4 , 3 , 2] -abiding Permutation Let π be a 384-bit permutation whose state ( a , b , c ) is divided in three 128-bit limbs. We define ¯ π : ( a , b , c , d ) �→ ( a ′ , b ′ , c ′ , d ′ ) a 512-bit permutation whose state is divided in four limbs such that π ( C 128 ) = C 128 or equivalently • ¯ π preserves the parity: ¯ ⇒ a ′ ⊕ b ′ ⊕ c ′ ⊕ d ′ = 0 . a ⊕ b ⊕ c ⊕ d = 0 ⇐ We say that ¯ π abides the parity code. π extends π : if ( a , b , c , d ) ∈ C 128 then • ¯ π ( a , b , c , d ) = ( a ′ , b ′ , c ′ , d ′ ) ⇒ π ( a , b , c ) = ( a ′ , b ′ , c ′ ) . We say that π is the embedding of ¯ π by the parity code. 3

  10. Detecting Faults In order to compute π ( a , b , c ) 1. Initialize the parity limb d as d = a ⊕ b ⊕ c . 2. Compute ¯ π ( a , b , c , d ) = ( a ′ , b ′ , c ′ , d ′ ). 3. Verify the parity equation a ′ ⊕ b ′ ⊕ c ′ ⊕ d ′ = 0. 4. If the parity holds return ( a ′ , b ′ , c ′ ), else a fault is detected. 4

  11. And Concretely? The permutation π is split as a sequence of step functions where either • a single limb is modified by XORing a function φ of the state, e.g. f ( a , b , c ) = ( a ⊕ φ ( a , b , c ) , b , c ) • two limbs are permuted, e.g. g ( a , b , c ) = ( b , a , c ). Each step function can then be extended by: Limb adaptation Recomputing φ and XORing the result to d ¯ f ( a , b , c , d ) = ( a ⊕ φ ( a , b , c ) , b , c , d ⊕ φ ( a , b , c )) . Limb transposition Reordering the limbs • Non-native: if φ ( a , b , c ) = b ⊕ c then ¯ f ( a , b , c , d ) = ( d , b , c , a ). • Native: ¯ g ( a , b , c , d ) = ( b , a , c , d ). 5

  12. And Concretely? The permutation π is split as a sequence of step functions where either • a single limb is modified by XORing a function φ of the state, e.g. f ( a , b , c ) = ( a ⊕ φ ( a , b , c ) , b , c ) • two limbs are permuted, e.g. g ( a , b , c ) = ( b , a , c ). Each step function can then be extended by: Limb adaptation Recomputing φ and XORing the result to d ¯ f ( a , b , c , d ) = ( a ⊕ φ ( a , b , c ) , b , c , d ⊕ φ ( a , b , c )) . Limb transposition Reordering the limbs • Non-native: if φ ( a , b , c ) = b ⊕ c then ¯ f ( a , b , c , d ) = ( d , b , c , a ). • Native: ¯ g ( a , b , c , d ) = ( b , a , c , d ). 5

  13. And Concretely? The permutation π is split as a sequence of step functions where either • a single limb is modified by XORing a function φ of the state, e.g. f ( a , b , c ) = ( a ⊕ φ ( a , b , c ) , b , c ) • two limbs are permuted, e.g. g ( a , b , c ) = ( b , a , c ). Each step function can then be extended by: Limb adaptation Recomputing φ and XORing the result to d ¯ f ( a , b , c , d ) = ( a ⊕ φ ( a , b , c ) , b , c , d ⊕ φ ( a , b , c )) . Limb transposition Reordering the limbs • Non-native: if φ ( a , b , c ) = b ⊕ c then ¯ f ( a , b , c , d ) = ( d , b , c , a ). • Native: ¯ g ( a , b , c , d ) = ( b , a , c , d ). 5

  14. Fault Model What are the fault detection capabilities of the code-abiding permutation? � Single limb fault ◮ Any simple fault affecting only one limb is guaranteed to be caught. ✗ Other simple fault ◮ e.g. flipping the i-th bit of two different limbs will not break the parity equation ✗ Multiple faults ◮ e.g. injecting the same fault in the two computations of φ during a limb adaptation △ Extra care must be taken when verifying the parity equation since the countermeasure does ! not cover the verification itself! 6

  15. Checking the Parity Equation Verifying the parity equation after each step function or after each round is not worth it. A single check at the end of the permutation is enough: • An attacker that is capable of injecting multiple compensating faults over different step functions should also be able to inject them in the same step function. • Frequent checks impact the performance. 7

  16. Friet

  17. Friet ❼ Fault-Resistant Iterative Extended Transformation ❼ Authenticated encryption scheme ◮ Duplex construction [Bertoni et al., Selected Areas in Cryptography, 2011] ◮ SpongeWrap mode ❼ Friet-PC : the 384-bit underlying cryptographic permutation ❼ Friet-P : the 512-bit implemented permutation abiding the parity code [4 , 3 , 2] 8

  18. Friet-PC pseudocode ❼ State: three 128-bit limbs ( a , b , c ) ❼ 24 rounds from i = 0 to 23, with a 6-step round function: δ : c ← c ⊕ rc i ⊲ round constant addition τ 1 : ( a , b , c ) ← ( a ⊕ b ⊕ c , c , a ) ⊲ transposition µ 1 : b ← b ⊕ ( c ≪ 1) ⊲ mixing step µ 2 : c ← c ⊕ ( b ≪ 80) ⊲ mixing step τ 2 : b ← a ⊕ b ⊕ c ⊲ transposition ξ : a ← a ⊕ (( b ≪ 36) ∧ ( c ≪ 67)) ⊲ non-linear step 9

  19. From Friet-PC to Friet-P � Friet-P round function Friet-PC round function 10

  20. Performances

  21. Hardware (ASIC) Area Freq. Throu. Power ( µ W) AE Scheme (GE) (MHz) (Mb/s) static dynamic Ketje-Sr 1 9478 503 16096 161 2152 Friet-C (1R/Cy) 6943 508 2322 110 1724 Friet (1R/Cy) 9253 508 2322 148 2226 Friet-C (2R/Cy) 8890 508 4064 141 1737 Friet (2R/Cy) 11100 508 4064 174 2245 ASIC Nangate 45 nm standard cell 1 [Bertoni et al., Caesar submission, 2016] 11

  22. Software Permutation Rounds Cycles/byte Cycles/byte per round Xoodoo 2 12 13.20 1.10 24 17.78 0.74 Friet-PC Gimli 3 24 21.81 0.91 Friet-P 24 24.23 1.01 ➤ Cortex-M3/M4 ARM ❼ Competitive performances with Xoodoo and Gimli ❼ Friet-P is 36% slower then Friet-PC , mainly due to the additional load and store instructions 2 [Daemen et al., ToSC 2018] 3 [Bernstein et al., CHES 2017] 12

  23. Fault Resistance Evaluation

  24. Hardware Simulation ❼ Experiment: Injection of single-bit glitches on a simulated hardware implementation of Friet-P ◮ At RTL level ◮ After synthesis ❼ Result: 100% fault detection rate 13

  25. EM Fault Injection in Software VC Glitcher EM-FI Transient Probe Picoscope Current Probe Target XY-Table ❼ Experiment: Electromagnetic fault injection on a single round implementation of Friet-P ➤ Cortex-M4 on ARM ❼ Chip divided as 100 × 100 grid ❼ 10 grid scans with 10 faults injected per position Result Normal Reset Detected Undetected Number 860488 138916 596 0 14

  26. Conclusion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

Motivations Design of SPAE Security of the scheme Performances SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 , Sbastien Riou 2 1 Univ. Grenoble Alpes / Institut Fourier,

519 views • 27 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech

DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech

A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by NSF grant no. 1115839. Leakage-Resilient

636 views • 48 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for Boolean functions Pierrick M AUX cole normale suprieure, INRIA, CNRS, PSL Boolean Functions and their Applications (BFA) Os, Norway Tuesday

1.23k views • 101 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
COVID 19 Recovery Resources Small Business Assistance Team May 6 th , 2020 1 Accommodations

COVID 19 Recovery Resources Small Business Assistance Team May 6 th , 2020 1 Accommodations

COVID 19 Recovery Resources Small Business Assistance Team May 6 th , 2020 1 Accommodations Notice Streaming text link: https://tcc.1capapp.com/event/gov2 This webinar offers live captioning and subtitles in English, Spanish, Chinese

183 views • 15 slides
Monthly Webinar Series March 2020 Todays Agenda Announcements & Trial Updates/Reminders

Monthly Webinar Series March 2020 Todays Agenda Announcements & Trial Updates/Reminders

Monthly Webinar Series March 2020 Todays Agenda Announcements & Trial Updates/Reminders Shannon Hillery Highlights from the TREAT-MS SAC Meeting Scott Newsome & Ellen Mowry Monthly Randomization Race Shannon Hillery Single Scull

610 views • 40 slides
Using Surveillance Data from Youth-Serving Public Systems Kristen Quinlan, Ph.D. Epidemiologist

Using Surveillance Data from Youth-Serving Public Systems Kristen Quinlan, Ph.D. Epidemiologist

Using Surveillance Data from Youth-Serving Public Systems Kristen Quinlan, Ph.D. Epidemiologist Julie Ebin, Ed.M. Manager, Special Initiatives @SPRCTweets www.sprc.org SPRC | Suicide Prevention Resource Center The Suicide Prevention Resource

426 views • 27 slides
1: cuLearn from Instructor & Evaluations : measuring LOs Student view MEASURING LOs

1: cuLearn from Instructor & Evaluations : measuring LOs Student view MEASURING LOs

PSYC 2002: Introduction to Statistics for Psychology Thursday, April 16, 2020 PSYC 2002A PSYC 2002A Introduction to Statistics for Psychology Introduction to Statistics for Psychology A Required Course that Students Dont Want to Take

228 views • 4 slides
EDC Forum 2017 Big Spatial Data in Agriculture Marlena Gtza, Thilo Steckel, Heinrich Warkentin

EDC Forum 2017 Big Spatial Data in Agriculture Marlena Gtza, Thilo Steckel, Heinrich Warkentin

EDC Forum 2017 Big Spatial Data in Agriculture Marlena Gtza, Thilo Steckel, Heinrich Warkentin CLAAS E-Systems 1. CLAAS & GIS Technologies 2. Hadoop as a Big Data Ecosystem 3. Big Data & GIS Technologies 4. Rsum 21.09.2017

587 views • 30 slides
1. Sometimes Always Never Answer whether each is true Sometimes Always or Never: 1. A rhombus

1. Sometimes Always Never Answer whether each is true Sometimes Always or Never: 1. A rhombus

1. Sometimes Always Never Answer whether each is true Sometimes Always or Never: 1. A rhombus has four congruent sides. 2. A rectangle has exactly one right angle 3. A square is a rectangle 4. A rhombus is a square 5. A parallelogram is a

381 views • 13 slides
MIO-Live, Jan 20-21 2020, Rome Speaker: Prof. Thomas Helmberger Neuroradiologie und

MIO-Live, Jan 20-21 2020, Rome Speaker: Prof. Thomas Helmberger Neuroradiologie und

MIO-Live, Jan 20-21 2020, Rome Speaker: Prof. Thomas Helmberger Neuroradiologie und minimal-invasive Therapie, Institut fr Radiologie, Klinikum Bogenhausen Mnchen, Germany Study objectives Primary end point The primary objective is to

411 views • 13 slides
Preventing Suicide: The Suicide Prevention Resource Centers Effective Prevention Model

Preventing Suicide: The Suicide Prevention Resource Centers Effective Prevention Model

Preventing Suicide: The Suicide Prevention Resource Centers Effective Prevention Model Wednesday, May 30 th , 2018 2:00 PM 3:00 PM ET About the National Center for Fatality Review and Prevention The National Center for Fatality Review

696 views • 44 slides

More recommend