Slide 1 / 19

Ketje and Keyak

Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1), Ronny Van Keer (1)

(1) STMicroelectronics, (2) NXP Semiconductors

DIAC 2014

Slide 2 / 19

Overview

Outline

1. Overview
2. Keyak
3. Ketje
4. Conclusions and Current Developments

Slide 3 / 19

Overview

Overview

Inspired by Keccak and Duplex:

- Keyak, targeting high performance
  - Using reduced-round Keccak-f[1600] or Keccak-f[800]
  - Optionally parallelizable
- Ketje, targeting lightweight use
  - Using reduced-round Keccak-f[400] or Keccak-f[200]


Slide 4 / 19

Overview

Two approaches

Keyak: DuplexWrap
- A (strong) permutation, fixed #rounds
- Block-oriented
- Cryptanalysis: permutation-level

Ketje: MonkeyWrap
- A (thin) round function, #rounds in phases
- Stream-oriented
- Cryptanalysis: round function + construction


Slide 5 / 19

Keyak

Outline

1. Overview
2. Keyak
3. Ketje
4. Conclusions and Current Developments

Slide 6 / 19

Keyak

Keyak goals

- Nonce-based AE function
- 128-bit security (incl. multi-target)
- Sequence of header-body pairs, keeping the state during the session
- Optionally parallelizable
- Using reduced-round Keccak-f[1600] or Keccak-f[800], to allow
  - implementation re-use
  - cryptanalysis re-use
  - reasonable side-channel protections
  - (… and because we like it …)


Slide 7 / 19

Keyak

Duplex layer

Keccak-p[1600, n_r = 12] or Keccak-p[800, n_r = 12]

Slide 8 / 19

Keyak

DuplexWrap layer

DuplexWrap is a nonce-based authenticated encryption mode; it works on sequences of header-body pairs.

[Figure: one session as a sequence of header-body pairs: (A(1), B(1)) → (C(1), T(1)), then (A(2), B(2)) → (C(2), T(2)), then A(3) (header only) → T(3)]

- A(1) contains the key and must be unique, e.g.:
  - A(1) contains a session key used only once;
  - A(1) contains a key and a nonce.
- In general: A(1) = key || nonce || associated data.


Slide 9 / 19

Keyak

Inside DuplexWrap

[Figure: sequence of duplexing calls (d), with frame bits +00, +00, +01, +11, +10 appended to the injected blocks]


Slide 10 / 19

Keyak

Keyak instances and efficiency

Name         Width b   Parallelism P
Ocean Keyak  1600      4
Sea Keyak    1600      2
Lake Keyak   1600      1
River Keyak  800       1

Processing for Lake Keyak
- long messages: about 50 % of SHAKE128
- short messages: 24 rounds

Working memory footprint
- reasonable on high- and middle-end platforms
- not ideal on constrained platforms

Slide 11 / 19

Keyak

Security of Keyak

Generic security of Keyak thanks to a combination of results:
- Sound tree hashing modes [IJIS 2013] for parallelized modes
- Keyed sponge indistinguishability [SKEW 2011 + work in progress]
- SpongeWrap generic security [SAC 2011], adapted to DuplexWrap

Safety margin against shortcut attacks:
- Practical attacks up to 6 rounds [Dinur et al. SHA-3 2014]
- Academic attacks up to 9 rounds [Dinur et al. SHA-3 2014]

Slide 12 / 19

Ketje

Outline

1. Overview
2. Keyak
3. Ketje
4. Conclusions and Current Developments

Slide 13 / 19

Ketje

Ketje goals

- Nonce-based AE function
- 96-bit or 128-bit security (incl. multi-target)
- Sequence of header-body pairs, keeping the state during the session
- Small footprint
- Target niche: secure channel protocol on secure chips
  - banking card, ID, (U)SIM, secure element, FIDO, etc.
  - secure chip has a strictly incrementing counter
- Using reduced-round Keccak-f[400] or Keccak-f[200], to allow
  - implementation re-use
  - cryptanalysis re-use
  - reasonable side-channel protections
  - (… and because we like it …)

Slide 14 / 19

Ketje

Inside Ketje: the MonkeyDuplex layer

- n_start = 12 rounds: should provide strong instance separation
- n_step = 1, r = 2b/25: should avoid single-instance state retrieval
- n_stride = 6 rounds: should avoid a forgery with one instance
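Both the Keyak Duplex layer (Keccak-p[1600, 12], Keccak-p[800, 12]) and the n_start / n_step / n_stride round counts above are written in the reduced-round notation Keccak-p[b, n_r], meaning the last n_r rounds of Keccak-f[b]. The following is an added example in Python, not the authors' code, of a generic Keccak-p[b, n_r] for b in {200, 400, 800, 1600}; the SHA3-256 sponge at the end exists only to cross-check the permutation against the standard library and is not part of Keyak or Ketje.

```python
import hashlib

ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]

def _round_constants():
    # iota constants of all 24 rounds of Keccak-f[1600], from the spec's 8-bit LFSR
    rc, r = [], 1
    for _ in range(24):
        c = 0
        for j in range(7):
            if r & 1:
                c |= 1 << ((1 << j) - 1)
            r = ((r << 1) ^ (0x71 if r & 0x80 else 0)) & 0xFF
        rc.append(c)
    return rc
RC = _round_constants()

def keccak_p(b, n_r, lanes):
    """Keccak-p[b, n_r]: the LAST n_r rounds of Keccak-f[b] (n_r = 12 + 2*log2(w) gives Keccak-f[b]).
    lanes is a 5x5 list A[x][y] of w-bit integers with w = b/25, b in {200, 400, 800, 1600}."""
    w, mask = b // 25, (1 << (b // 25)) - 1
    rot = lambda v, n: ((v << (n % w)) | (v >> (w - n % w))) & mask if n % w else v
    A = [row[:] for row in lanes]
    n_full = 12 + 2 * (w.bit_length() - 1)
    for rc in RC[n_full - n_r:n_full]:  # a reduced-round instance drops the FIRST rounds
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]   # theta
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]                                            # rho + pi
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rot(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        A[0][0] ^= rc & mask                                                       # iota, truncated to w bits
    return A

def sha3_256_via_keccak_p(msg):
    """Validation only: SHA3-256 is a sponge over Keccak-p[1600, 24], rate 1088 bits, pad 0x06."""
    rate = 1088 // 8
    padded = bytearray(msg) + b"\x06" + b"\x00" * (rate - 1 - len(msg) % rate)
    padded[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):  # lane i sits at x = i % 5, y = i // 5, little-endian bytes
            A[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_p(1600, 24, A)
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def matches_hashlib(msg):  # True iff the permutation and lane mapping agree with the standard library
    return sha3_256_via_keccak_p(msg) == hashlib.sha3_256(msg).digest()
```

With this in place, Keccak-p[1600, 12] is `keccak_p(1600, 12, state)` and the three MonkeyDuplex phases on the 200-bit width are `keccak_p(200, 12, ...)`, `keccak_p(200, 1, ...)` and `keccak_p(200, 6, ...)`.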

Slide 15 / 19

Ketje

Inside MonkeyWrap

[Figure: MonkeyWrap session: start, then step, step, step, step, then stride, then step; frame bits +00, +00, +01, +11, +10 on the injected blocks]

Slide 16 / 19

Ketje

Ketje instances and lightweight features

feature                                Ketje Jr    Ketje Sr
state size                             25 bytes    50 bytes
block size                             2 bytes     4 bytes
processing computational cost
  initialization per session           12 rounds   12 rounds
  wrapping per block                   1 round     1 round
  8-byte tag comp. per message         9 rounds    7 rounds

Slide 17 / 19

Conclusions and Current Developments

Outline

1. Overview
2. Keyak
3. Ketje
4. Conclusions and Current Developments

Slide 18 / 19

Conclusions and Current Developments

Current developments

Optimized software implementations
- Gross estimates can be derived from Keccak
- Lake Keyak is expected to be twice as fast as SHAKE128
- There might be interesting improvements with the new AVX-512 (VPTERNLOG, rotations and 32 registers)

Hardware implementations

Slide 19 / 19

Conclusions and Current Developments

Conclusions

Thanks for your attention!

Q?