Innovations in permutation-based encryption & authentication (slides, Fast Software Encryption Conference 2017)

Slide 1

Innovations in permutation-based encryption & authentication

Joan Daemen (1,2), based on joint work with Guido Bertoni (1), Michaël Peeters (1), Gilles Van Assche (1) and Ronny Van Keer (1)
Fast Software Encryption Conference 2017

(1) STMicroelectronics, (2) Radboud University

Slide 2

Outline

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 3

Outline (section: Pseudo-random functions)

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 4

Pseudo-random function (PRF)

Figure: PRF diagram (recovered labels: input …)

Slide 5

Stream encryption

Figure: stream encryption with a PRF (recovered labels: nonce, plaintext, = ciphertext)

Slide 6

Message authentication (MAC)

Figure: MAC with a PRF (recovered labels: plaintext, plaintext)

Slide 7

Authenticated encryption

Figure: authenticated encryption with a PRF (recovered labels: nonce, plaintext, = ciphertext, plaintext)

Slides 8 to 10 (three builds of one slide)

String sequence input and incrementality

Figure: the PRF takes a sequence of strings, one per packet, and each new packet extends the sequence:

packet #1                       → F_K(P(1))
packet #1, packet #2            → F_K(P(2) ◦ P(1))
packet #1, packet #2, packet #3 → F_K(P(3) ◦ P(2) ◦ P(1))

Slide 11

Outline (section: PRF modes)

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 12

Session authenticated encryption (SAE) [Keccak Team, SAC 2011]

Figure: one session under key K and nonce N: initialization yields T(0); each wrap takes A(i), P(i) and yields C(i), T(i) (recovered labels: K, N, T(0), A(1), P(1), C(1), T(1), A(2), P(2), C(2), T(2), A(3), P(3), C(3), T(3))

Initialization taking nonce N
    T ← 0^t + F_K(N)
    history ← N
    return tag T of length t

Wrap taking metadata A and plaintext P
    C ← P + F_K(A ◦ history)
    T ← 0^t + F_K(C ◦ A ◦ history)
    history ← C ◦ A ◦ history
    return ciphertext C of length |P| and tag T of length t
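The SAE mode above, as an added worked example that is not the deck's or the Keccak team's code. F_K is realised as SHAKE256 with the key pre-pended to the input, which is exactly the "pre-pending M with K gives PRF" keyed sponge of slide 16; the length-prefix encoding of string sequences, the tag length t = 128 bits and the unwrap routine (which the slide does not show) are assumptions of this example.

```python
# Added example (not the deck's code): the SAE mode of slide 12 on a keyed-sponge PRF.
# F_K = SHAKE256(K || encoding); the sequence encoding, t = 16 bytes and unwrap are assumed.
import hmac
from hashlib import shake_256

TAG_LEN = 16   # t in bytes: tag length (assumed parameter)


def encode_seq(strings):
    """Injective encoding of a string sequence X(n) ◦ … ◦ X(1): 4-byte length prefix per
    string (assumed encoding; any injective one works for the mode)."""
    return b"".join(len(s).to_bytes(4, "big") + s for s in strings)


def prf(key: bytes, strings, n: int) -> bytes:
    """F_K on a string sequence, n output bytes: keyed sponge = SHAKE256(K || encoding)."""
    return shake_256(key + encode_seq(strings)).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SessionAE:
    """One session: Initialization on the nonce, then Wrap per message (slide 12).
    The list 'history' holds the sequence C(i) ◦ A(i) ◦ … ◦ N, most recent string first."""

    def __init__(self, key: bytes, nonce: bytes):
        self.key = key
        self.history = [nonce]                                  # history ← N
        self.tag = prf(key, self.history, TAG_LEN)              # T(0) ← 0^t + F_K(N)

    def wrap(self, metadata: bytes, plaintext: bytes):
        keystream = prf(self.key, [metadata] + self.history, len(plaintext))
        ciphertext = xor(plaintext, keystream)                  # C ← P + F_K(A ◦ history)
        self.history = [ciphertext, metadata] + self.history    # history ← C ◦ A ◦ history
        tag = prf(self.key, self.history, TAG_LEN)              # T ← 0^t + F_K(C ◦ A ◦ history)
        return ciphertext, tag

    def unwrap(self, metadata: bytes, ciphertext: bytes, tag: bytes) -> bytes:
        """Receiver side (assumed, not on the slide): the tag is checked before any plaintext
        is released, and the history only advances on a valid packet."""
        candidate = [ciphertext, metadata] + self.history
        expected = prf(self.key, candidate, TAG_LEN)
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed: packet tampered, replayed or out of order")
        keystream = prf(self.key, [metadata] + self.history, len(ciphertext))
        self.history = candidate
        return xor(ciphertext, keystream)


def session_demo():
    """Sender and receiver sessions on a constructed key and nonce; returns the recovered
    plaintexts, including an empty-metadata and an empty-plaintext packet."""
    key, nonce = bytes(range(32)), b"constructed-nonce"
    sender, receiver = SessionAE(key, nonce), SessionAE(key, nonce)
    assert sender.tag == receiver.tag                           # T(0) authenticates the nonce
    packets = [(b"hdr-1", b"first packet"), (b"", b"second, no metadata"), (b"hdr-3", b"")]
    return [receiver.unwrap(a, *sender.wrap(a, p)) for a, p in packets]


if __name__ == "__main__":
    print(session_demo())
```

Because every tag is a PRF of the whole history, a packet presented out of order, replayed, or with altered metadata fails verification on the receiver, which is the property the session construction buys over per-message AE. Keeping the history as an explicit list makes it grow with the session; the duplex constructions later in the deck achieve the same incrementality with a fixed-size state.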

Slide 13

Synthetic initialization value (SIV), as in [Keccak Team, eprint 2016/1188]

Figure: A and P enter F_K to give T; T and A enter F_K to give the keystream for C (recovered labels: A, P, F_K, F_K, T, C)

Wrap taking metadata A and plaintext P
    T ← 0^t + F_K(P ◦ A)
    C ← P + F_K(T ◦ A)
    return ciphertext C of length |P| and tag T

Unwrap taking metadata A, ciphertext C and tag T
    P ← C + F_K(T ◦ A)
    τ ← 0^t + F_K(P ◦ A)
    if τ ≠ T then return error!
    else return plaintext P of length |C|

Variant of SIV of [Rogaway & Shrimpton, EC 2006]
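The SIV wrap and unwrap above, as an added worked example that is not the deck's or the Keccak team's code. As in the SAE example, F_K is SHAKE256 with the key pre-pended (the keyed sponge of slide 16); the length-prefix encoding of string sequences and t = 128 bits are assumptions of this example.

```python
# Added example (not the deck's code): SIV wrap/unwrap of slide 13 on a keyed-sponge PRF.
# F_K = SHAKE256(K || encoding); the sequence encoding and t = 16 bytes are assumed.
import hmac
from hashlib import shake_256

TAG_LEN = 16   # t in bytes (assumed)


def encode_seq(strings):
    """Injective encoding of X(n) ◦ … ◦ X(1): 4-byte length prefix per string (assumed)."""
    return b"".join(len(s).to_bytes(4, "big") + s for s in strings)


def prf(key: bytes, strings, n: int) -> bytes:
    """F_K: keyed sponge realised as SHAKE256(K || encoding), n output bytes."""
    return shake_256(key + encode_seq(strings)).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def siv_wrap(key: bytes, metadata: bytes, plaintext: bytes):
    """Wrap: the tag is a PRF of the whole (P, A) and then serves as the IV for encryption,
    so there is no nonce and repeating (A, P) repeats (C, T) but leaks nothing else."""
    tag = prf(key, [plaintext, metadata], TAG_LEN)                          # T ← 0^t + F_K(P ◦ A)
    ciphertext = xor(plaintext, prf(key, [tag, metadata], len(plaintext)))  # C ← P + F_K(T ◦ A)
    return ciphertext, tag


def siv_unwrap(key: bytes, metadata: bytes, ciphertext: bytes, tag: bytes):
    """Unwrap: decrypt under the received tag, recompute τ, and release P only if τ = T.
    Returns None on error so a caller cannot accidentally use an unverified plaintext."""
    plaintext = xor(ciphertext, prf(key, [tag, metadata], len(ciphertext)))  # P ← C + F_K(T ◦ A)
    tau = prf(key, [plaintext, metadata], TAG_LEN)                           # τ ← 0^t + F_K(P ◦ A)
    if not hmac.compare_digest(tau, tag):
        return None                                                          # error!
    return plaintext


if __name__ == "__main__":
    k = bytes(range(32))                                  # constructed key
    c, t = siv_wrap(k, b"meta", b"attack at dawn")
    print(c.hex(), t.hex(), siv_unwrap(k, b"meta", c, t))
```

Note that the receiver must decrypt before it can verify (τ is computed from P), which is why unwrap keeps P internal until the comparison succeeds; in SAE the order is reversed and the tag can be checked first.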

Slide 14

Wide block cipher (WBC), as in [Keccak Team, eprint 2016/1188]

Encipher P with K and tweak W
    (L, R) ← split(P)
    R_0 ← R_0 + H_K(L ◦ 0)
    L ← L + F_K(R ◦ W ◦ 1)
    R ← R + F_K(L ◦ W ◦ 0)
    L_0 ← L_0 + H_K(R ◦ 1)
    C ← L || R
    return ciphertext C of length |P|

Figure: four-round structure on (P'_left, P'_right) with tweak W: H_K(… ◦ 0), F_K(… ◦ 1), F_K(… ◦ 0), H_K(… ◦ 1), giving (C_left, C_right)

Instance of HHFHFH of [Bernstein, Nandi & Sarkar, Dagstuhl 2016]
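The four-round WBC encipher above together with its inverse, as an added worked example that is not the deck's or the Keccak team's code. F_K is again SHAKE256 with the key pre-pended; H_K is modelled as F_K truncated to b bytes, R_0 and L_0 are read as the first b bytes of R and L, split() as an even split, and the 0/1 frame values as separate strings in the sequence. All of these, and the decipher routine, are assumptions of this example rather than the paper's exact definitions.

```python
# Added example (not the deck's code): the WBC of slide 14 and its inverse.
# F_K = SHAKE256(K || encoding); H_K, R_0/L_0, split() and the 0/1 encoding are assumed here.
from hashlib import shake_256

B_LEN = 16   # b in bytes: width of the H_K output and of the R_0 / L_0 segments (assumed)


def encode_seq(strings):
    """Injective encoding of X(n) ◦ … ◦ X(1): 4-byte length prefix per string (assumed)."""
    return b"".join(len(s).to_bytes(4, "big") + s for s in strings)


def F(key: bytes, strings, n: int) -> bytes:
    """F_K: keyed sponge realised as SHAKE256(K || encoding), n output bytes."""
    return shake_256(key + encode_seq(strings)).digest(n)


def H(key: bytes, strings) -> bytes:
    """H_K: the short-output function of the H rounds, modelled as F_K cut to b bytes."""
    return F(key, strings, B_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_prefix(x: bytes, mask: bytes) -> bytes:
    """x_0 ← x_0 + mask: XOR into the first min(|x|, b) bytes of x and leave the rest."""
    n = min(len(x), len(mask))
    return xor(x[:n], mask[:n]) + x[n:]


def split(p: bytes):
    """Even split; decipher must split the ciphertext identically, and |C| = |P| makes it so."""
    return p[: len(p) // 2], p[len(p) // 2:]


def wbc_encipher(key: bytes, tweak: bytes, plaintext: bytes) -> bytes:
    L, R = split(plaintext)                                   # (L, R) ← split(P)
    R = xor_prefix(R, H(key, [L, b"\x00"]))                   # R_0 ← R_0 + H_K(L ◦ 0)
    L = xor(L, F(key, [R, tweak, b"\x01"], len(L)))           # L ← L + F_K(R ◦ W ◦ 1)
    R = xor(R, F(key, [L, tweak, b"\x00"], len(R)))           # R ← R + F_K(L ◦ W ◦ 0)
    L = xor_prefix(L, H(key, [R, b"\x01"]))                   # L_0 ← L_0 + H_K(R ◦ 1)
    return L + R                                              # C ← L || R


def wbc_decipher(key: bytes, tweak: bytes, ciphertext: bytes) -> bytes:
    """Inverse (assumed, not on the slide): each round only XORs a function of the other half
    into one half, so undoing the rounds in reverse order recovers P exactly."""
    L, R = split(ciphertext)
    L = xor_prefix(L, H(key, [R, b"\x01"]))
    R = xor(R, F(key, [L, tweak, b"\x00"], len(R)))
    L = xor(L, F(key, [R, tweak, b"\x01"], len(L)))
    R = xor_prefix(R, H(key, [L, b"\x00"]))
    return L + R


if __name__ == "__main__":
    k, w, p = bytes(range(32)), b"sector-7", bytes(range(37))   # constructed inputs
    c = wbc_encipher(k, w, p)
    print(c.hex(), wbc_decipher(k, w, c) == p)
```

Unlike the stream-cipher modes, the WBC has no expansion: an n-byte sector becomes an n-byte ciphertext, and any change to a plaintext bit or to the tweak changes the whole block, which is the property wanted for in-place disk or memory encryption where no room exists for a tag.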

Slide 15

Outline (section: Sponge)

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 16

Sponge [Keccak Team, Ecrypt 2008]

Figure: sponge construction: M → pad → absorbing phase (blocks XORed into the r-bit outer part, permutation f between blocks; the c-bit inner part is never touched directly) → squeezing phase → trunc → Z (recovered labels: M, pad, trunc, Z, outer, inner, r, c, f, absorbing, squeezing)

◮ Pre-pending M with K gives PRF

Slide 17

More efficient: donkeySponge [Keccak Team, DIAC 2012]

Slide 18

Incrementality: duplex [Keccak Team, SAC 2011]

Figure: duplex construction: initialize the state, then a sequence of duplexing calls, each taking an input σ_i (pad), applying f, and returning an output Z_i (trunc): σ0 → Z0, σ1 → Z1, σ2 → Z2, … (recovered labels: r, c, outer, inner, initialize, pad, trunc, f, duplexing)
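The sponge of slide 16 and the duplex of this slide, as an added worked example that is not the deck's or the Keccak team's code. The permutation toy_f, the width b = 32 bytes and the rate r = 16 bytes are constructed for illustration and have no cryptographic strength; the point is the construction, including the fact that pre-pending the key turns the sponge into a PRF and that a duplex object's outputs coincide with sponge outputs on the padded concatenation of its inputs.

```python
# Added example (not the deck's code): a toy sponge and duplex parameterised by a permutation f
# on b = r + c bytes.  toy_f, B, R and C are constructed toy values, not Keccak's.

B = 32        # state width b in bytes
R = 16        # rate r in bytes (outer part)
C = B - R     # capacity c in bytes (inner part, never touched by input or output)


def toy_f(state: bytes) -> bytes:
    """Constructed toy permutation of the B-byte state (add/rotate rounds).
    Every step is a bijection on the state, so the whole map is invertible, which is what
    makes it a permutation; it is NOT secure and only stands in for Keccak-f."""
    s = list(state)
    for rnd in range(8):
        for i in range(B):
            j = (i + 1) % B
            s[j] = (s[j] + s[i] + rnd) & 0xFF            # mix neighbour in (invertible)
            s[i] = ((s[i] << 3) | (s[i] >> 5)) & 0xFF     # rotate byte left by 3 bits
        s = s[5:] + s[:5]                                 # rotate byte positions
    return bytes(s)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(m: bytes) -> bytes:
    """Multi-rate padding pad10*1 at byte granularity: 0x01, zeros, then 0x80 in the last
    byte of the block (both bits share one byte when a single byte is free)."""
    padded = bytearray(m) + b"\x01"
    while len(padded) % R:
        padded.append(0)
    padded[-1] |= 0x80
    return bytes(padded)


def absorb_block(state: bytes, block: bytes, f) -> bytes:
    """XOR an r-byte block into the outer part and apply f; the inner part is untouched."""
    return f(xor(state[:R], block) + state[R:])


def sponge(m: bytes, out_len: int, f=toy_f) -> bytes:
    """Sponge (slide 16): absorb pad(M) block by block, then squeeze r bytes per f call."""
    state = bytes(B)
    padded = pad(m)
    for i in range(0, len(padded), R):
        state = absorb_block(state, padded[i:i + R], f)
    out = state[:R]
    while len(out) < out_len:
        state = f(state)
        out += state[:R]
    return out[:out_len]


def keyed_sponge_prf(key: bytes, m: bytes, out_len: int) -> bytes:
    """Pre-pending the key to the message turns the sponge into a PRF F_K (slide 16)."""
    return sponge(key + m, out_len)


class Duplex:
    """Duplex object (slide 18): each duplexing call absorbs a short sigma and returns up to
    r bytes of output, keeping the state between calls."""

    def __init__(self, f=toy_f):
        self.f = f
        self.state = bytes(B)                                   # initialize

    def duplexing(self, sigma: bytes, out_len: int) -> bytes:
        if len(sigma) > R - 1 or out_len > R:
            raise ValueError("sigma must leave room for padding; output is at most r bytes")
        self.state = absorb_block(self.state, pad(sigma), self.f)   # pad(sigma) is exactly R bytes
        return self.state[:out_len]


if __name__ == "__main__":
    d = Duplex()
    print(d.duplexing(b"sigma0", 8).hex(), d.duplexing(b"sigma1", 8).hex())
```

The duplex keeps only the b-byte state between calls, yet its i-th output equals the sponge output on pad(σ_0) ‖ … ‖ pad(σ_{i-1}) ‖ σ_i; that equivalence is what lets the incremental (packet-by-packet) PRF of slides 8 to 10 be computed without storing the history.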

Slide 19

More efficient: MonkeyDuplex [Keccak Team, DIAC 2012]

Instances: Ketje + half a dozen other CAESAR submissions

Slide 20

Consolidation: Full-state keyed duplex

Figure: full-state keyed duplex: state initialized from K and iv, then repeated f calls, each emitting Z and absorbing σ over the full state (recovered labels: K, f, iv, Z, σ, f, Z, σ, f, Z, σ, …)

[Mennink, Reyhanitabar, & Vizar, AC 2015], [Keccak Team & Mennink, 2016-2017]

Slide 21

SAE with full-state keyed duplex: Motorist [Keccak Team, Keyak 2015]

Figure: Motorist session (recovered labels: SUV, T(0), A(1), P(1), C(1), T(1), P(2), C(2), T(2), A(3), T(3))

Slide 22

Outline (section: Farfalle)

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 23

A parallel sponge variant: early attempt [Keccak Team 2014-2016]

Figure: parallel construction: each input block M_i (i = 0, 1, …) enters f together with the key-derived mask k, indexed by i; the f outputs are summed; each output block Z_j (j = 0, 1, …) is produced by a further f call with k, indexed by j (recovered labels: k, f, M0, 1, M1, i, Mi, …, Z0, 1, Z1, j, Zj)

Similar to Protected Counter Sums [Bernstein, "stretch", JOC 1999]

Problem: collisions with higher-order differentials if f has low degree


Slide 25

Farfalle as in [Keccak Team, eprint 2016/1188]

Figure: Farfalle: each input block M_i enters f together with mask k, indexed by i; the f outputs are accumulated; each output block Z_j is produced by f with mask k, indexed by j (recovered labels: k, f, M0, M1, i, Mi, …, Z0, Z1, j, Zj)

with k derived from arbitrary-length K using compression layer

Problem: generic higher-order differential attack if f at right has low degree


Slide 27

Farfalle now [Keccak Team, eprint 2016/1188, update TODO]

Figure: Farfalle with a middle f between the accumulator and the output layer (recovered labels: k, f, m0, m1, i, mi, …, z0, z1, j, zj, f)

◮ Input mask rolling and f against accumulator collisions
◮ State rolling, f and output mask against state retrieval from output
◮ Middle f against higher-order DC
◮ Input-output attacks would span 3 f layers

Slide 28

Outline (section: Kravatte)

◮ Pseudo-random functions
◮ PRF modes
◮ Sponge
◮ Farfalle
◮ Kravatte

Slide 29

Kravatte = Farfalle with Keccak-p

Figure: same three-layer Farfalle structure as slide 27 (recovered labels: k, f, m0, m1, i, mi, …, z0, z1, j, zj, f)

◮ Target security: 128 bits, incl. multi-target (claimed c = 256)
◮ f = Keccak-p[1600, n_r] with n_r = 6, 4, 4
◮ Rolling function: operates on 4 lanes only, linear with order 2^256 − 1
  • lightweight, taken from [Granger, Jovanovic, Mennink & Neves, EC 2016]
  • protects against higher-order DC

Slide 30

Thanks for your attention!