Innovations in permutation-based crypto (PowerPoint PPT Presentation)

SLIDE 1

Innovations in permutation-based crypto

Joan Daemen (1,2), based on joint work with Guido Bertoni (3), Seth Hoffert, Michaël Peeters (1), Gilles Van Assche (1) and Ronny Van Keer (1)

Cryptacus Training School, Azores, April 17, 2018

(1) STMicroelectronics, (2) Radboud University, (3) Security Pattern

SLIDE 2

Pseudo-random function (PRF)

[figure: PRF F_K: input … → output]

SLIDE 3

Stream encryption

[figure: stream encryption: nonce → F_K; output + plaintext = ciphertext]

SLIDE 4

Message authentication (MAC)

[figure: MAC: plaintext → F_K → tag T]

SLIDE 5

Authenticated encryption

[figure: authenticated encryption: nonce → F_K; output + plaintext = ciphertext; plaintext → F_K → tag]

SLIDE 6

String sequence input and incrementality

[figure: packets #1, #2, #3 fed to F_K as a string sequence and processed incrementally]

F_K(P(3) ◦ P(2) ◦ P(1))

SLIDE 7

Session authenticated encryption (SAE) [KT, SAC 2011]

[figure: SAE session: (K, N) → T(0); (A(1), P(1)) → (C(1), T(1)); (A(2), P(2)) → (C(2), T(2)); (A(3), P(3)) → (C(3), T(3))]

Initialization taking nonce N
    T ← 0^t + F_K(N)
    history ← N
    return tag T of length t

Wrap taking metadata A and plaintext P
    C ← P + F_K(A ◦ history)
    T ← 0^t + F_K(C ◦ A ◦ history)
    history ← C ◦ A ◦ history
    return ciphertext C of length |P| and tag T of length t

SLIDE 8

Synthetic initialization value (SIV) of [KT, eprint 2016/1188]

[figure: SIV: A, P → F_K → T; T, A → F_K, added to P → C]

Unwrap taking metadata A, ciphertext C and tag T
    P ← C + F_K(T ◦ A)
    τ ← 0^t + F_K(P ◦ A)
    if τ ≠ T then return error!
    else return plaintext P of length |C|

Variant of SIV of [Rogaway & Shrimpton, EC 2006]
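The SIV mode of this slide written out in C, as an added example that is not the authors' code: wrap follows the figure (T ← 0^t + F_K(P ◦ A), then C ← P + F_K(T ◦ A)) and unwrap follows the pseudocode, releasing the plaintext only after the tag check. Assumptions not on the slide: F_K is replaced by a byte-mixing stand-in that is not a cryptographic PRF, the string sequence X ◦ A is encoded as X ∥ A ∥ len(A), the tag length t is 128 bits, and inputs are bounded by MAX_LEN.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TAG_LEN 16            /* t = 128-bit tag (assumed parameter) */
#define MAX_LEN 256           /* bound on |A| and |P| for this demo */

/* Stand-in for F_K with variable-length output. NOT a cryptographic PRF: it only
 * lets the mode be exercised offline; a real deployment uses Kravatte/XooPRF etc. */
static void toy_prf(const uint8_t key[16], const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen) {
    uint64_t h = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < 16; i++)    h = (h ^ key[i]) * 0x100000001B3ULL;
    for (size_t i = 0; i < inlen; i++) h = (h ^ in[i]) * 0x100000001B3ULL;
    for (size_t i = 0; i < outlen; i++) { h = (h ^ i) * 0x100000001B3ULL; h ^= h >> 31; out[i] = (uint8_t)(h >> 56); }
}

/* Encode the string sequence X ◦ A injectively as X || A || len(A), so boundaries are unambiguous */
static size_t encode_seq(uint8_t *buf, const uint8_t *x, size_t xlen, const uint8_t *a, size_t alen) {
    memcpy(buf, x, xlen); memcpy(buf + xlen, a, alen);
    for (int i = 0; i < 4; i++) buf[xlen + alen + i] = (uint8_t)(alen >> (8 * i));
    return xlen + alen + 4;
}

/* Wrap: T <- 0^t + F_K(P ◦ A); C <- P + F_K(T ◦ A) */
void siv_wrap(const uint8_t key[16], const uint8_t *a, size_t alen, const uint8_t *p, size_t plen, uint8_t *c, uint8_t tag[TAG_LEN]) {
    uint8_t buf[2 * MAX_LEN + 4], ks[MAX_LEN];
    toy_prf(key, buf, encode_seq(buf, p, plen, a, alen), tag, TAG_LEN);
    toy_prf(key, buf, encode_seq(buf, tag, TAG_LEN, a, alen), ks, plen);
    for (size_t i = 0; i < plen; i++) c[i] = p[i] ^ ks[i];
}

/* Unwrap: P <- C + F_K(T ◦ A); tau <- 0^t + F_K(P ◦ A); error if tau != T.
 * Returns 1 on success, 0 on tag mismatch; the tag comparison is constant-time. */
int siv_unwrap(const uint8_t key[16], const uint8_t *a, size_t alen, const uint8_t *c, size_t clen, const uint8_t tag[TAG_LEN], uint8_t *p) {
    uint8_t buf[2 * MAX_LEN + 4], ks[MAX_LEN], tau[TAG_LEN], tmp[MAX_LEN], diff = 0;
    toy_prf(key, buf, encode_seq(buf, tag, TAG_LEN, a, alen), ks, clen);
    for (size_t i = 0; i < clen; i++) tmp[i] = c[i] ^ ks[i];
    toy_prf(key, buf, encode_seq(buf, tmp, clen, a, alen), tau, TAG_LEN);
    for (size_t i = 0; i < TAG_LEN; i++) diff |= tau[i] ^ tag[i];
    if (diff) return 0;
    memcpy(p, tmp, clen);                         /* plaintext is released only after the tag check */
    return 1;
}
```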

SLIDE 9

How to build a PRF?

By icelight (flickr.com)

SLIDE 10

Sponge [Keccak Team, Ecrypt 2008]

[figure: sponge with outer part (r bits) and inner part (c bits); f is applied between absorbing the input blocks and squeezing the output blocks]

▶ Taking K as first part of input gives a PRF

SLIDE 11

More efficient: donkeySponge [Keccak Team, DIAC 2012]

SLIDE 12

Incrementality: duplex [Keccak Team, SAC 2011]

[figure: duplex with outer part r and inner part c: initialize, then repeated duplexing calls, each padding input σ_i, applying f and truncating to output Z_i (σ0 → Z0, σ1 → Z1, σ2 → Z2, …)]

SLIDE 13

More efficient: MonkeyDuplex [Keccak Team, DIAC 2012]

Instances:
▶ Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014]
▶ + half a dozen other CAESAR submissions

SLIDE 14

Consolidation: Full-state keyed duplex

[figure: full-state keyed duplex: K and iv absorbed, then alternating f calls with full-state input σ and output Z]

[Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015]
[Daemen, Mennink & Van Assche, Asiacrypt 2017]

SLIDE 15

SAE with full-state keyed duplex: Motorist [KT, Keyak 2015]

[figure: Motorist session: SUV → T(0); (A(1), P(1)) → (C(1), T(1)); P(2) → (C(2), T(2)); A(3) → T(3)]

SLIDE 16

How to build a parallelizable PRF?

by Barilla Food Service

SLIDE 17

Farfalle: early attempt [KT 2014-2016]

[figure: early Farfalle: input blocks M_0, M_1, …, M_i each masked with k and passed through f, then accumulated; output blocks Z_0, Z_1, …, Z_j produced by f and masked with k]

▶ Similar to Protected Counter Sums [Bernstein, “stretch”, JOC 1999]
▶ Problem: collisions with higher-order differentials if f has low degree

SLIDE 18

Farfalle now [Keccak Team + Seth Hoffert, ToSC 2018]

[figure: Farfalle: mask k derived from K∥10* through p_b; input blocks m_0, m_1, …, m_i each added to a rolled copy of k, passed through p_c and accumulated; the accumulator passes through p_d; output blocks z_0, z_1, …, z_j produced by p_e from a rolled state and masked with k′]

▶ Input mask rolling and p_c against accumulator collisions
▶ State rolling, p_e and output mask against state retrieval at output
▶ Middle p_d against higher-order DC
▶ Input-output attacks have to deal with p_e ◦ p_d ◦ p_c

SLIDE 19

Kravatte as in TOSC 2018

[figure: Kravatte: the Farfalle construction with every permutation p_b, p_c, p_d, p_e instantiated by f]

▶ Target security: 128 bits, incl. multi-target and quantum adv.
▶ p_i = Keccak-p[1600] with # rounds 6666 (6 rounds for each of p_b, p_c, p_d, p_e): Achouffe configuration
▶ Input mask rolling with LFSR, state rolling with NLFSR

SLIDE 20

In which sense is Kravatte lightweight?

[figure: Kravatte, as on slide 19]

▶ Workload per round (in HW or bit-slice SW)

  • AES: 16 XORs and 4 AND per bit
  • Keccak-p: 3 XORs and 1 AND per bit

▶ Number of rounds

  • AES CBC or CTR: 10 rounds
  • Kravatte compress or expand: 6 rounds

▶ Disadvantage of Kravatte: 200-byte granularity

SLIDE 21

by Perrie Nicholas Smith (perriesmith.deviantart.com)

SLIDE 22

Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017]

▶ Ideal size and shape: 48 bytes in 12 words of 32 bits

  • compact on low-end: fits registers of ARM Cortex M3/M4
  • fast on high-end: suitable for SIMD

▶ For low-end platforms: locality of operations to limit swapping

  • limits diffusion, see e.g. [Mike Hamburg, 2017]
  • no problem for nominal number of rounds: 24
  • not clear how many rounds needed in Farfalle

SLIDE 23

Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very robust and does not get distracted by side channels.

SLIDE 24

Xoodoo [Keccak team with Seth Hoffert and Johan De Meulder]

https://github.com/XoodooTeam/Xoodoo

▶ 384-bit permutation
▶ Main purpose: usage in Farfalle: XooPRF

  • Achouffe configuration
  • Full-state rolling functions
  • Efficient on wide range of platforms

▶ But also for

  • small-state authenticated encryption, Ketje style
  • sponge-based hashing, …

Keccak-p philosophy ported to Gimli dimensions 3 × 4 × 32!

SLIDE 25

Xoodoo state

[figure: state, plane, lane and column drawn in x, y, z coordinates]

▶ State: 3 horizontal planes each consisting of 4 lanes

SLIDE 26

Xoodoo round function

[figure: the four steps θ, ρwest, χ, ρeast]

Iterated: nr rounds that differ only by round constant

SLIDE 27

Nonlinear mapping χ

Effect on one plane:

[figure: effect of χ on one plane (planes y = 1, 2 feed each bit of y = 0), including the complement]

▶ χ as in Keccak-p, operating on 3-bit columns
▶ Involution and same propagation differentially and linearly

SLIDE 28

Mixing layer θ

[figure: column parity → θ-effect (fold) → added to the state]

▶ Column parity mixer: compute parity, fold and add to state
▶ Good average diffusion, identity for states in kernel

SLIDE 29

Plane shift ρeast

[figure: ρeast: plane y = 1 shifted by (0,1), plane y = 2 shifted by (2,8)]

▶ After χ and before θ
▶ Shifts planes y = 1 and y = 2 over different directions

SLIDE 30

Plane shift ρwest

[figure: ρwest: plane y = 1 shifted by (1,0), plane y = 2 shifted by (0,11)]

▶ After θ and before χ
▶ Shifts planes y = 1 and y = 2 over different directions

SLIDE 31

Xoodoo pseudocode

nr rounds from i = 1 − nr to 0, with a 5-step round function:

θ:     P ← A0 + A1 + A2
       E ← P ≪ (1, 5) + P ≪ (1, 14)
       Ay ← Ay + E for y ∈ {0, 1, 2}
ρwest: A1 ← A1 ≪ (1, 0)
       A2 ← A2 ≪ (0, 11)
ι:     A0,0 ← A0,0 + rc_i
χ:     B0 ← ¬A1 · A2
       B1 ← ¬A2 · A0
       B2 ← ¬A0 · A1
       Ay ← Ay + By for y ∈ {0, 1, 2}
ρeast: A1 ← A1 ≪ (0, 1)
       A2 ← A2 ≪ (2, 8)

(A ≪ (t, v) is the plane shift of the ρ slides: t lanes along x and v bits along z; ¬ is the bitwise complement of χ as in Keccak-p.)
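The round function above, implemented from this pseudocode as an added C example (not the Xoodoo team's reference code). Assumptions: lane x of plane y is stored at s[4*y + x]; A ≪ (t, v) moves lane x to x + t (mod 4) and rotates each lane left by v bits; the round constants are copied from the public Xoodoo specification and should be verified against it. The block also checks two properties the slides state, that χ is an involution and that θ is the identity on states in the kernel.

```c
#include <stdint.h>
#include <string.h>
/* Round constants rc_i of Xoodoo[12], i = -11..0, copied from the public spec; verify before use */
static const uint32_t RC[12] = {
    0x00000058, 0x00000038, 0x000003C0, 0x000000D0, 0x00000120, 0x00000014,
    0x00000060, 0x0000002C, 0x00000380, 0x000000F0, 0x000001A0, 0x00000012 };
static uint32_t rotl32(uint32_t v, unsigned n) { return n ? (v << n) | (v >> (32 - n)) : v; }

/* Plane shift A <<< (t, v): lane x receives lane x - t (mod 4), rotated left by v bits */
static void plane_shift(uint32_t *a, unsigned t, unsigned v) {
    uint32_t b[4];
    for (int x = 0; x < 4; x++) b[x] = rotl32(a[(x + 4 - t) % 4], v);
    memcpy(a, b, sizeof b);
}
/* State layout: lane x of plane y is s[4*y + x] (3 planes x 4 lanes x 32 bits = 384 bits) */
void xoodoo_theta(uint32_t s[12]) {                  /* column parity mixer */
    uint32_t p[4], e[4];
    for (int x = 0; x < 4; x++) p[x] = s[x] ^ s[4 + x] ^ s[8 + x];   /* P = A0 + A1 + A2 */
    memcpy(e, p, sizeof e); plane_shift(e, 1, 5); plane_shift(p, 1, 14);  /* E = P<<<(1,5) + P<<<(1,14) */
    for (int x = 0; x < 4; x++) for (int y = 0; y < 3; y++) s[4 * y + x] ^= e[x] ^ p[x];   /* A_y += E */
}
void xoodoo_chi(uint32_t s[12]) {                    /* chi per 3-bit column: B_y = ~A_{y+1} . A_{y+2} */
    for (int x = 0; x < 4; x++) {
        uint32_t b0 = ~s[4 + x] & s[8 + x], b1 = ~s[8 + x] & s[x], b2 = ~s[x] & s[4 + x];
        s[x] ^= b0; s[4 + x] ^= b1; s[8 + x] ^= b2;
    }
}
void xoodoo_permute(uint32_t s[12], unsigned nr) {   /* nr <= 12 rounds, i = 1 - nr .. 0 */
    for (unsigned r = 12 - nr; r < 12; r++) {
        xoodoo_theta(s);
        plane_shift(s + 4, 1, 0); plane_shift(s + 8, 0, 11);   /* rho-west */
        s[0] ^= RC[r];                                         /* iota on lane (0,0) */
        xoodoo_chi(s);
        plane_shift(s + 4, 0, 1); plane_shift(s + 8, 2, 8);    /* rho-east */
    }
}
/* Two properties the slides state, returned as 1 if they hold on the given input:
 * chi is an involution; theta is the identity on the kernel (all column parities zero) */
int chi_is_involution(const uint32_t in[12]) {
    uint32_t s[12]; memcpy(s, in, sizeof s);
    xoodoo_chi(s); xoodoo_chi(s);
    return memcmp(s, in, sizeof s) == 0;
}
int theta_fixes_kernel(const uint32_t a0[4], const uint32_t a1[4]) {
    uint32_t s[12], t[12];                           /* plane 2 = A0 + A1 zeroes every column parity */
    for (int x = 0; x < 4; x++) { s[x] = a0[x]; s[4 + x] = a1[x]; s[8 + x] = a0[x] ^ a1[x]; }
    memcpy(t, s, sizeof t); xoodoo_theta(s);
    return memcmp(s, t, sizeof s) == 0;
}
```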

SLIDE 32

Xoodoo software performance

                 width     cycles/byte per round
                 (bytes)   ARM Cortex M3    Intel Skylake
Keccak-p[1600]   200       2.44             0.080
ChaCha           64        0.69             0.059
Gimli            48        0.91             0.074*
Xoodoo           48        1.20             0.083

* on Intel Haswell

SLIDE 33

Xoodoo diffusion and confusion

Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]: min. trail weights

# rounds   diff.    linear
1          2        2
2          8        8
3          36       36
6          ≥ 100    ≥ 100

Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto ’85]: a mapping satisfies SAC if flipping an input bit will make each output bit flip with probability close to 1/2

Xoodoo satisfies SAC
▶ after 3 rounds in forward direction
▶ after 2 rounds in backward direction

SLIDE 34

Do you think this is interesting?

I’m hiring!

PhD positions, starting September

Scope:
▶ Propagation in Xoodoo-like functions
  • computer-assisted bound proving
  • mathematical unification of attacks
▶ Interaction between modes and permutations
▶ Impact of key schedule in block ciphers
▶ DPA vulnerability of Xoodoo-like functions
▶ …

SLIDE 35

Thanks for your attention!

[figure: the Xoodoo round steps θ, ρwest, χ, ρeast]