Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at - - PowerPoint PPT Presentation



Slide 1

On ASCON and ISAP

About Two Authenticated Encryption Schemes

Christoph Dobraunig, October 2018

Designed by:
ASCON: C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer
ISAP: C. Dobraunig, M. Eichlseder, S. Mangard, F. Mendel, T. Unterluggauer
Slide 2

www.iaik.tugraz.at

Introduction to Authenticated Encryption

1 / 27

Slide 3

Interface

[Figure: Alice and Bob share the key K; Alice sends (N, A, C, T) to Bob]

Encryption & Authentication

E(K, N, A, P) → (C, T)

Decryption & Verification

D(K, N, A, C, T) → {P, ⊥}

Slide 4

Motivation

Generic composition

E.g., Encrypt-then-MAC

Dedicated mode

E.g., standards like GCM, CCM, OCB, ...

Which one to use? Can we do better?

Slide 5

Competitions

AES, SHA-3, eStream, ...

CAESAR: Competition for Authenticated Encryption – Security, Applicability, and Robustness

http://competitions.cr.yp.to/caesar.html

57 submissions in 2014
7 finalists remaining
One of them is ASCON

Slide 6

ASCON: A Finalist of CAESAR

Slide 7

ASCON – Mode

[Figure: ASCON mode. Initialization: the 320-bit state is loaded with IV ‖ K ‖ N and passed through p12, then K is XORed into the capacity part (0* ‖ K). Plaintext processing: each 64-bit block P1, …, Pt is XORed into the 64-bit rate to give C1, …, Ct, with p6 between blocks, while the 256-bit capacity stays hidden. Finalization: K ‖ 0* is XORed in, p12 is applied, and the 128-bit tag T is taken from the capacity XORed with K.]

Slide 8

ASCON – Permutation

Iterative application of the round function

One round:
Constant addition
Substitution layer
Linear layer

Slide 9

ASCON – Round

Substitution layer

[Figure: substitution layer: the 5-bit S-box is applied in parallel to every column of bits across the words x0, x1, x2, x3, x4. Linear layer: each word x_i is updated on its own by XORing two rotated copies of itself into it.]

Slide 10

ASCON – Round

S-box (applied bit-sliced across x0, x1, x2, x3, x4)

Linear transformation:
x0 ⊕ (x0 ≫ 19) ⊕ (x0 ≫ 28) → x0
x1 ⊕ (x1 ≫ 61) ⊕ (x1 ≫ 39) → x1
x2 ⊕ (x2 ≫ 1) ⊕ (x2 ≫ 6) → x2
x3 ⊕ (x3 ≫ 10) ⊕ (x3 ≫ 17) → x3
x4 ⊕ (x4 ≫ 7) ⊕ (x4 ≫ 41) → x4
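The following is an added example written for this page, not the designers' reference code and not code from the slides: ASCON-128 in C, assembled from the round function of slides 7 to 9 (constant addition, the χ-based S-box, and the five rotation pairs above, where ≫ is a rotation of the 64-bit word), so that the interface of slide 3 and the duplex mode of slide 6 can be run end to end. The affine pre- and post-processing steps of the S-box, the round constants 0xf0, 0xe1, …, 0x4b and the ASCON-128 IV are taken from the published specification; all keys, nonces and messages are constructed test inputs. `ascon_sbox_eval` exposes the 5-bit S-box so it can be checked against the published S-box table, and `ascon128_decrypt` returns −1 for ⊥ and wipes the output buffer instead of releasing unverified plaintext.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not the designers' reference code: ASCON-128 built from the round of
   slides 7-9 to show the interface of slide 3 and the duplex mode of slide 6
   (64-bit rate, p12 around initialization/finalization, p6 between blocks). */
#define ROTR(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
#define ASCON128_IV 0x80400c0600000000ULL /* encodes k=128, r=64, a=12, b=6 */
typedef struct { uint64_t x[5]; } ascon_state;
/* Substitution layer: Keccak's chi on the five bit-sliced words, with the affine
   input/output steps that complete ASCON's 5-bit S-box. */
static void sbox_layer(ascon_state *s) {
    uint64_t *x = s->x, t[5];
    x[0] ^= x[4]; x[4] ^= x[3]; x[2] ^= x[1];
    for (int i = 0; i < 5; i++) t[i] = ~x[i] & x[(i + 1) % 5]; /* chi: NOT-AND */
    for (int i = 0; i < 5; i++) x[i] ^= t[(i + 1) % 5];
    x[1] ^= x[0]; x[0] ^= x[4]; x[3] ^= x[2]; x[2] = ~x[2];
}
/* Linear layer: x_i ^= (x_i >>> r1) ^ (x_i >>> r2), rotation pairs from slide 9. */
static void linear_layer(ascon_state *s) {
    static const int rot[5][2] = {{19, 28}, {61, 39}, {1, 6}, {10, 17}, {7, 41}};
    for (int i = 0; i < 5; i++) s->x[i] ^= ROTR(s->x[i], rot[i][0]) ^ ROTR(s->x[i], rot[i][1]);
}
/* p^rounds: the last `rounds` of the twelve round constants 0xf0, 0xe1, ..., 0x4b. */
static void ascon_permute(ascon_state *s, int rounds) {
    for (int i = 12 - rounds; i < 12; i++) {
        s->x[2] ^= (uint64_t)(0xf0 - i * 0x0f); /* constant addition */
        sbox_layer(s);
        linear_layer(s);
    }
}
/* 5-bit S-box on one value (bit 4 of `in` is x0), evaluated through the bit-sliced layer. */
uint8_t ascon_sbox_eval(uint8_t in) {
    ascon_state s; uint8_t out = 0;
    for (int i = 0; i < 5; i++) s.x[i] = (in >> (4 - i)) & 1;
    sbox_layer(&s);
    for (int i = 0; i < 5; i++) out |= (uint8_t)((s.x[i] & 1) << (4 - i));
    return out;
}
static uint64_t load_be(const uint8_t *p, size_t n) { /* n <= 8 bytes, MSB first */
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (56 - 8 * i);
    return v;
}
static void store_be(uint8_t *p, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (56 - 8 * i));
}
/* Shared body of E and D. decrypt == 0: in = P, out = C; decrypt == 1: in = C, out = P. */
static void ascon_core(const uint8_t k[16], const uint8_t n[16], const uint8_t *ad, size_t adlen,
                       const uint8_t *in, uint8_t *out, size_t len, uint8_t tag[16], int decrypt) {
    uint64_t k0 = load_be(k, 8), k1 = load_be(k + 8, 8);
    ascon_state s = {{ASCON128_IV, k0, k1, load_be(n, 8), load_be(n + 8, 8)}};
    ascon_permute(&s, 12); s.x[3] ^= k0; s.x[4] ^= k1; /* initialization */
    if (adlen > 0) { /* associated data, 10* padded */
        for (; adlen >= 8; ad += 8, adlen -= 8) { s.x[0] ^= load_be(ad, 8); ascon_permute(&s, 6); }
        s.x[0] ^= load_be(ad, adlen) ^ (0x80ULL << (56 - 8 * adlen));
        ascon_permute(&s, 6);
    }
    s.x[4] ^= 1; /* domain separation between AD and plaintext */
    for (; len >= 8; in += 8, out += 8, len -= 8) { /* full 64-bit blocks */
        uint64_t c = decrypt ? load_be(in, 8) : s.x[0] ^ load_be(in, 8);
        store_be(out, decrypt ? s.x[0] ^ c : c, 8);
        s.x[0] = c; ascon_permute(&s, 6);
    }
    uint64_t last = load_be(in, len); /* final partial block, 10* padded below */
    if (decrypt) {
        uint64_t keep = len ? ~(~0ULL << (64 - 8 * len)) : ~0ULL;
        store_be(out, s.x[0] ^ last, len);
        s.x[0] = (s.x[0] & keep) | last;
    } else {
        s.x[0] ^= last;
        store_be(out, s.x[0], len);
    }
    s.x[0] ^= 0x80ULL << (56 - 8 * len);
    s.x[1] ^= k0; s.x[2] ^= k1; ascon_permute(&s, 12); /* finalization */
    store_be(tag, s.x[3] ^ k0, 8); store_be(tag + 8, s.x[4] ^ k1, 8);
}
/* E(K, N, A, P) -> (C, T) */
void ascon128_encrypt(const uint8_t k[16], const uint8_t n[16], const uint8_t *ad, size_t adlen,
                      const uint8_t *p, size_t plen, uint8_t *c, uint8_t tag[16]) {
    ascon_core(k, n, ad, adlen, p, c, plen, tag, 0);
}
/* D(K, N, A, C, T) -> P (returns 0) or bottom (returns -1, and P is wiped). */
int ascon128_decrypt(const uint8_t k[16], const uint8_t n[16], const uint8_t *ad, size_t adlen,
                     const uint8_t *c, size_t clen, const uint8_t tag[16], uint8_t *p) {
    uint8_t t[16], diff = 0;
    ascon_core(k, n, ad, adlen, c, p, clen, t, 1);
    for (int i = 0; i < 16; i++) diff |= t[i] ^ tag[i]; /* constant-time tag compare */
    if (diff) { memset(p, 0, clen); return -1; }
    return 0;
}
/* Constructed inputs: round-trip 13 bytes with 3 bytes of AD, then flip one ciphertext
   byte and expect bottom. Returns 1 on success. */
int ascon128_selftest(void) {
    const uint8_t *msg = (const uint8_t *)"thirteen byte", *ad = (const uint8_t *)"hdr";
    uint8_t k[16], n[16], c[13], p[13], tag[16];
    for (int i = 0; i < 16; i++) { k[i] = (uint8_t)i; n[i] = (uint8_t)(0x10 + i); }
    ascon128_encrypt(k, n, ad, 3, msg, 13, c, tag);
    if (ascon128_decrypt(k, n, ad, 3, c, 13, tag, p) != 0 || memcmp(p, msg, 13) != 0) return 0;
    c[5] ^= 1;
    return ascon128_decrypt(k, n, ad, 3, c, 13, tag, p) == -1;
}
```

The message in the self-test is deliberately one full block plus a partial one, so both the full-block path and the padded last block of the mode are exercised in both directions; the tampered-ciphertext case shows the ⊥ branch of D(K, N, A, C, T).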

Slide 11

ASCON – Benefits

Simplicity
Defined on 64-bit words
Using bitwise Boolean functions

Online and single-pass (duplex-based [BDPV12])

Bitsliced in software
Utilizes 64-bit words
Up to 5 instructions in parallel
Bit interleaving [BDPVV12] for 32-bit processors

Flexible in hardware
Small area (2.5 kGE) to high speed (13.2 Gbps) [GWDE15]

Balanced design
E.g., lightweight devices communicating with a back-end server

Slide 12

ASCON – Benefits

Easy integration of side-channel countermeasures

No look-up tables
Low-degree S-box using KECCAK's χ [BDPV11] as core
Easy to mask, e.g., DOM implementations [GM18]:

Protection   Pipelined             Parallel
order        GE        Mbit/s      GE         Mbit/s
1            10 855    108         28 887     2246
2            16 186    108         52 995     1896
3            21 586    110         81 209     1903
4            27 124    71          118 264    1786
5            32 757    95          161 870    1868
...
13           81 194    70          725 994    1833
14           87 749    71          828 183    1439
15           94 235    50          926 332    1480

Slide 13

Simple Power Analysis (SPA) [KJJ99]

Observe the device while it processes the same input, or a few inputs
Techniques that directly interpret the measurements

Slide 14

Simple Power Analysis (SPA) [KJJ99]

[Figure: a single power trace, power consumption vs. sample index (0 to 16000); by Robert Primas]

Slide 15

Differential Power Analysis (DPA) [KJJ99]

Observe the device while it processes many different inputs
Allows for the use of statistical techniques

Slide 16

Differential Power Analysis (DPA) [KJJ99]

[Figure: difference-of-means curve (×10⁻³) vs. sample index (0 to 16000); by Robert Primas]

Slide 17

Masking and Threshold Implementations [NRR06]

[Figure: unprotected computation y = f(x)]

Slide 18

Masking and Threshold Implementations [NRR06]

[Figure: shared computation: x is split into shares x0, x1, x2, and component functions f0, f1, f2 compute the output shares y0, y1, y2]
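As an added example (not from the slides and not the authors' implementations), here is a first-order Boolean masking of the χ step x_i ⊕= ¬x_{i+1} ∧ x_{i+2} that slide 12 names as the core of ASCON's S-box, written in the domain-oriented masking style it cites [GM18] rather than as a threshold implementation. Each 64-bit word is held as two shares; XOR and NOT are linear and act on a single share, and the only nonlinear gadget, `masked_and`, consumes one fresh random word per call. The randomness source is a constructed xorshift generator standing in for a real RNG, and the input state is constructed; the self-test recombines the shares and compares against the unmasked χ.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not from the slides or the authors' code: first-order Boolean masking
   of the chi step that sits at the core of ASCON's S-box (slides 11-12, 17-18), in the
   style of domain-oriented masking. Every word is split into two shares; masked_and is
   the only nonlinear gadget and needs one fresh random word per call. */
typedef struct { uint64_t x[5]; } chi_state;     /* unmasked 5-word state */
typedef struct { uint64_t s[5][2]; } chi_shares; /* x[i] == s[i][0] ^ s[i][1] */

/* Constructed xorshift64 source for fresh masks; a real device needs a proper RNG. */
static uint64_t rng_state = 0x2545F4914F6CDD1DULL;
static uint64_t fresh_random(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 7; rng_state ^= rng_state << 17;
    return rng_state;
}

/* Two-share AND gadget: the two cross terms are blinded with the same fresh z, so
   neither output share is a function of both unshared inputs at once. */
static void masked_and(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1, uint64_t y[2]) {
    uint64_t z = fresh_random();
    y[0] = (a0 & b0) ^ ((a0 & b1) ^ z);
    y[1] = (a1 & b1) ^ ((a1 & b0) ^ z);
}

/* Unmasked reference: x_i ^= ~x_{i+1} & x_{i+2} for all i (Keccak chi). */
void chi_plain(chi_state *st) {
    uint64_t t[5];
    for (int i = 0; i < 5; i++) t[i] = ~st->x[(i + 1) % 5] & st->x[(i + 2) % 5];
    for (int i = 0; i < 5; i++) st->x[i] ^= t[i];
}

/* Masked chi: NOT is linear, so it is applied to one share only; AND uses the gadget. */
void chi_masked(chi_shares *sh) {
    uint64_t t[5][2];
    for (int i = 0; i < 5; i++)
        masked_and(~sh->s[(i + 1) % 5][0], sh->s[(i + 1) % 5][1],
                   sh->s[(i + 2) % 5][0], sh->s[(i + 2) % 5][1], t[i]);
    for (int i = 0; i < 5; i++) { sh->s[i][0] ^= t[i][0]; sh->s[i][1] ^= t[i][1]; }
}

/* Split a state into random shares, and recombine it. */
void share(const chi_state *st, chi_shares *sh) {
    for (int i = 0; i < 5; i++) { sh->s[i][1] = fresh_random(); sh->s[i][0] = st->x[i] ^ sh->s[i][1]; }
}
void unshare(const chi_shares *sh, chi_state *st) {
    for (int i = 0; i < 5; i++) st->x[i] = sh->s[i][0] ^ sh->s[i][1];
}

/* Check on a constructed input that the masked computation recombines to the
   unmasked one. Returns 1 when every word matches. */
int chi_masked_selftest(void) {
    chi_state in = {{0x0123456789abcdefULL, 0xfedcba9876543210ULL, 0xdeadbeefcafef00dULL,
                     0x0000ffff0000ffffULL, 0xaaaaaaaa55555555ULL}}, ref = in, out;
    chi_shares sh;
    chi_plain(&ref);
    share(&in, &sh);
    chi_masked(&sh);
    unshare(&sh, &out);
    for (int i = 0; i < 5; i++) if (out.x[i] != ref.x[i]) return 0;
    return 1;
}
```

The gadget's correctness follows from y0 ⊕ y1 = a0b0 ⊕ a0b1 ⊕ a1b1 ⊕ a1b0 = (a0 ⊕ a1)(b0 ⊕ b1); the point of the construction is that this holds for every choice of z, so the masks can be refreshed on each call without changing the result.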

Slide 19

ISAP: Designed to Withstand Side-channel Attacks

Slide 20

ISAP

Authenticated encryption scheme
Following the requirements of the CAESAR call
No assumptions on the choice of the nonce

Provides protection against DPA for:
Encryption
Decryption

Solely based on sponges
Limits the attack surface against SPA

Slide 21

Fresh Re-keying [MSGR10]

[Figure: fresh re-keying between a tag and a reader: both derive the session key K* = g(K, N) from the master key K and the nonce N; the tag computes C = E(K*, P) and the reader recovers P = E⁻¹(K*, C)]

Slide 22

Fresh Re-keying [MPRRS11]

[Figure: fresh re-keying between two parties: Party 1 and Party 2 each contribute a nonce (Na, Nb); both derive K* = g(K, ·) and use E and E⁻¹ to map between P and C]

Slide 23

What About Storage?

[Figure: a device encrypting data for storage: K* = g(K, N), C = E(K*, P), C is written to storage]

Encryption still fine
Decryption causes problems

Slide 24

How to Protect Decryption?

Solely rely on implementation countermeasures
Makes re-keying for encryption kind of obsolete

Limit to one decryption
Keep track of the nonce
Re-encrypt data: time consuming, damaging

Slide 25

Principle of ISAP's Decryption

“Bind” the session key to the data that is decrypted

Slide 26

Principle of ISAP's Decryption

"Bind" the session key to the data that is decrypted

[Figure: the authentication path hashes N and C (H), derives a key from K and the hash via g, and computes the MAC tag T; the decryption path derives a separate key from K and N via g and feeds it to Dec to recover P from C]

Slide 28

ISAP's Authentication/Verification

[Figure, built up over three animation steps: a sponge with rate r1 and capacity c1 absorbs N (with IV), the associated data A and the ciphertext blocks C1, …, Ct using pa; the resulting value y is fed together with KA into g, giving K*A (k bits), which replaces the outer k bits of the state; one more pa call outputs the tag T (k bits)]

Use suffix MAC instead of hash-then-MAC

Slide 31

Absorbing the Key

Idea: Reduce rate to a minimum [TS14]
Related to the classical GGM construction [GGM86]

[Figure: KA and IV2 are loaded and processed with pb; the input y = y1, y2, …, yw is absorbed one chunk at a time at rate r2 (capacity c2) with pb between chunks; a final pc call outputs K*A (k bits)]

Slide 32

ISAP’s En-/Decryption

[Figure: KE and IV3 are loaded; the nonce N = N1, …, Nu is absorbed at rate r2 (capacity c2) with pb between chunks, followed by pc; the resulting state, now used with rate r3 and capacity c3, is squeezed with pc between blocks to produce the keystream that turns P1, …, Pv into C1, …, Cv]
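To make the mode of slides 21 to 24 concrete, here is an added example in C that is neither the ISAP designers' code nor ISAP itself: it keeps the structure (bit-by-bit re-keying `isap_rk` with rate r2 = 1, the suffix MAC that derives K*A from the hash of N and C, and a keystream derived from K*E = rk(K, N)) but replaces the permutation with `toy_permute`, a constructed add-rotate-xor bijection with no security claim, and omits associated data. The IV constants, keys, nonces and messages are all constructed. Decryption verifies the tag before a single keystream bit is produced, which is the binding of the session key to the decrypted data from slide 21.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not the ISAP designers' code: the mode structure of slides 21-24 on a
   320-bit state. toy_permute is a constructed bijective mixing function with NO security
   claim, standing in for the real permutation so that the three pieces can run end to
   end: bit-by-bit re-keying (rk), the suffix MAC, and the keystream. */
#define ROTR(v, n) (((v) >> (n)) | ((v) << (64 - (n))))
#define IV_H  0x01ULL /* constructed stand-ins for the slides' IV1..IV3 */
#define IV_KA 0x02ULL
#define IV_KE 0x03ULL
typedef struct { uint64_t x[5]; } state_t;
/* Constructed placeholder permutation: add-rotate-xor steps, each one invertible. */
static void toy_permute(state_t *s, int rounds) {
    for (int r = 0; r < rounds; r++) {
        s->x[0] += 0x9e3779b97f4a7c15ULL * (uint64_t)(r + 1);
        for (int i = 0; i < 5; i++) {
            s->x[(i + 1) % 5] ^= ROTR(s->x[i], 17 + 7 * i);
            s->x[(i + 2) % 5] += s->x[i];
        }
    }
}
static uint64_t load_be(const uint8_t *p, size_t n) { /* n <= 8 bytes, MSB first */
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (56 - 8 * i);
    return v;
}
static void store_be(uint8_t *p, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (56 - 8 * i));
}
/* Re-keying g / rk (slide 23): K is loaded once, then y is absorbed ONE BIT per call
   (rate r2 = 1). As in a GGM tree walk, every intermediate state meets at most two
   different inputs, which is what denies a DPA attacker many varied traces. */
void isap_rk(const uint8_t k[16], uint64_t iv, const uint8_t *y, size_t ylen, uint8_t out[16]) {
    state_t s = {{iv, load_be(k, 8), load_be(k + 8, 8), 0, 0}};
    toy_permute(&s, 12);
    for (size_t i = 0; i < 8 * ylen; i++) {
        s.x[0] ^= (uint64_t)((y[i / 8] >> (7 - i % 8)) & 1) << 63; /* single-bit rate */
        toy_permute(&s, 1);
    }
    store_be(out, s.x[0], 8); store_be(out + 8, s.x[1], 8);
}
/* Suffix MAC (slide 22): hash N and C without any key, feed the 128-bit hash output y
   through rk to get K*_A, place K*_A in the state and finish with one keyed call. */
void isap_mac(const uint8_t k[16], const uint8_t n[16], const uint8_t *c, size_t clen, uint8_t tag[16]) {
    state_t s = {{IV_H, load_be(n, 8), load_be(n + 8, 8), 0, 0}};
    uint8_t y[16], ka_star[16];
    toy_permute(&s, 12);
    for (; clen >= 8; c += 8, clen -= 8) { s.x[0] ^= load_be(c, 8); toy_permute(&s, 12); }
    s.x[0] ^= load_be(c, clen) ^ (0x80ULL << (56 - 8 * clen)); /* 10* padding */
    toy_permute(&s, 12);
    store_be(y, s.x[0], 8); store_be(y + 8, s.x[1], 8);
    isap_rk(k, IV_KA, y, 16, ka_star);                              /* K*_A = rk(K, y) */
    s.x[0] = load_be(ka_star, 8); s.x[1] = load_be(ka_star + 8, 8); /* K*_A replaces the outer part */
    toy_permute(&s, 12);
    store_be(tag, s.x[0], 8); store_be(tag + 8, s.x[1], 8);
}
/* Keystream (slide 24): K*_E = rk(K, N), state = K*_E || N, squeeze 64 bits per call.
   Encryption and decryption are the same XOR. */
void isap_stream_xor(const uint8_t k[16], const uint8_t n[16], const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t ke_star[16], ks[8];
    isap_rk(k, IV_KE, n, 16, ke_star);
    state_t s = {{load_be(ke_star, 8), load_be(ke_star + 8, 8), load_be(n, 8), load_be(n + 8, 8), 0}};
    for (size_t i = 0; i < len; i += 8) {
        toy_permute(&s, 12);
        store_be(ks, s.x[0], 8);
        for (size_t j = 0; j < 8 && i + j < len; j++) out[i + j] = in[i + j] ^ ks[j];
    }
}
/* E(K, N, P) -> (C, T); associated data is omitted in this reduced version. */
void isap_encrypt(const uint8_t k[16], const uint8_t n[16], const uint8_t *p, size_t len, uint8_t *c, uint8_t tag[16]) {
    isap_stream_xor(k, n, p, c, len);
    isap_mac(k, n, c, len, tag);
}
/* D(K, N, C, T): verify first. The decryption keystream, and with it K*_E for this N, only
   comes into existence for an (N, C) pair that already carries a valid tag (slide 21). */
int isap_decrypt(const uint8_t k[16], const uint8_t n[16], const uint8_t *c, size_t len, const uint8_t tag[16], uint8_t *p) {
    uint8_t t[16], diff = 0;
    isap_mac(k, n, c, len, t);
    for (int i = 0; i < 16; i++) diff |= t[i] ^ tag[i]; /* constant-time compare */
    if (diff) return -1;
    isap_stream_xor(k, n, c, p, len);
    return 0;
}
/* Constructed inputs: round-trip 20 bytes, reject a flipped ciphertext byte, and check
   that changing one nonce bit changes the re-keyed K*_E. Returns 1 on success. */
int isap_selftest(void) {
    const uint8_t *msg = (const uint8_t *)"twenty bytes of data";
    uint8_t k[16], n[16], c[20], p[20], tag[16], k1[16], k2[16];
    for (int i = 0; i < 16; i++) { k[i] = (uint8_t)(0xa0 + i); n[i] = (uint8_t)i; }
    isap_encrypt(k, n, msg, 20, c, tag);
    if (isap_decrypt(k, n, c, 20, tag, p) != 0 || memcmp(p, msg, 20) != 0) return 0;
    c[3] ^= 0x40;
    if (isap_decrypt(k, n, c, 20, tag, p) != -1) return 0;
    isap_rk(k, IV_KE, n, 16, k1); n[0] ^= 0x80; isap_rk(k, IV_KE, n, 16, k2);
    return memcmp(k1, k2, 16) != 0;
}
```

Two design points carry over from the slides regardless of the placeholder permutation: the long-term key K is only ever combined with inputs one bit at a time inside `isap_rk`, and the keystream for a given N is never generated for a ciphertext that failed verification, so an unverified C cannot drive the decryption path with attacker-chosen data.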

Slide 33

Sponges and Side-channel Leakage

[Figure: two consecutive calls of the permutation p on a sponge state with rate r and capacity c; the two calls leak ℓi and ℓi+1, respectively]

Slide 34

Sponges and Side-channel Leakage

[Figure: the same two calls, viewed with the leaked amount ℓi + ℓi+1 subtracted from the capacity, leaving an effective capacity c′]

c′ = c − (ℓi + ℓi+1)

Slide 35

Properties

AE scheme following the requirements of the CAESAR call
Provides protection against DPA for:
Encryption
Decryption

Two-pass
Cannot turn protection off

Slide 36

Thank you

Slide 37

Bibliography I

[BDPV11] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche. The Keccak SHA-3 submission (Version 3.0). http://keccak.noekeon.org/Keccak-submission-3.pdf, 2011.

[BDPV12] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche. Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications. Selected Areas in Cryptography, SAC 2011.

[BDPVV12] G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, and R. Van Keer. Keccak implementation overview. https://keccak.team/files/Keccak-implementation-3.2.pdf, 2012.

Slide 38

Bibliography II

[DEMMU17] C. Dobraunig, M. Eichlseder, S. Mangard, F. Mendel, and T. Unterluggauer. ISAP – Towards Side-Channel Secure Authenticated Encryption. IACR Transactions on Symmetric Cryptology 2017:1, 2017.

[DEMS14] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer. Ascon. Submission to the CAESAR competition: http://competitions.cr.yp.to, 2014.

[GGM86] O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM 33:4, 1986.

[GM18] H. Groß and S. Mangard. A unified masking approach. J. Cryptographic Engineering 8:2, 2018.
Slide 39

Bibliography III

[GWDE15] H. Groß, E. Wenger, C. Dobraunig, and C. Ehrenhöfer. Suit up! - Made-to-Measure Hardware Implementations of ASCON. DSD 2015.

[KJJ99] P. C. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. CRYPTO '99.

[MPRRS11] M. Medwed, C. Petit, F. Regazzoni, M. Renauld, and F.-X. Standaert. Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks. Smart Card Research and Advanced Applications, CARDIS 2011.

Slide 40

Bibliography IV

[MSGR10] M. Medwed, F.-X. Standaert, J. Großschädl, and F. Regazzoni. Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices. AFRICACRYPT 2010.

[NRR06] S. Nikova, C. Rechberger, and V. Rijmen. Threshold Implementations Against Side-Channel Attacks and Glitches. Information and Communications Security, ICICS 2006.

[TS14] M. M. I. Taha and P. Schaumont. Side-channel countermeasure for SHA-3 at almost-zero area overhead. HOST 2014.