Permutation-based symmetric cryptography and Keccak (Joan Daemen), presentation slides


SLIDE 1

Permutation-based symmetric cryptography and Keccak

Joan Daemen (1), joint work with Guido Bertoni (1), Michaël Peeters (2) and Gilles Van Assche (1)

(1) STMicroelectronics, (2) NXP Semiconductors

Ecrypt II, Crypto for 2020, Tenerife, January 22 to 24, 2013

SLIDE 2

Outline

1. Mainstream symmetric cryptography
2. Permutation-based cryptography
3. On the efficiency of permutation-based cryptography
4. Requirements for the permutation
5. Keccak
6. Conclusions

SLIDE 3

Symmetric crypto: what textbooks and intros say

Symmetric cryptographic primitives:
  • Block ciphers
  • Stream ciphers
      • Synchronous
      • Self-synchronizing
  • Hash functions
      • Non-keyed
      • Keyed: MAC functions

And their modes-of-use

SLIDE 4

The hash function cliché

Hash functions:

SLIDE 5

The hash function cliché

Hash functions:

But MD5, SHA-1, etc.: just block ciphers in some mode

SLIDE 6

You can do everything with a block cipher

  • Block encryption: ECB, CBC, …
  • Stream encryption:
      • synchronous: counter mode, OFB, …
      • self-synchronizing: CFB
  • MAC computation: CBC-MAC, C-MAC, …
  • Hashing and its modes HMAC, MGF1, …
  • Authenticated encryption: OCB, GCM, CCM …

SLIDE 7

Seems like this is closer to the truth nowadays

Block cipher:

SLIDE 8

Block cipher operation

SLIDE 9

Block cipher operation: the inverse

SLIDE 10

When do you need the inverse?

Indicated in red:
  • Hashing and its modes HMAC, MGF1, …
  • Block encryption: ECB, CBC, …
  • Stream encryption:
      • synchronous: counter mode, OFB, …
      • self-synchronizing: CFB
  • MAC computation: CBC-MAC, C-MAC, …
  • Authenticated encryption: OCB, GCM, CCM …
  • Most schemes with misuse-resistant claims

So for most uses you don’t need the inverse!

SLIDE 11

Internals of a typical block cipher

SLIDE 12

Hashing use case: Davies-Meyer compression function

SLIDE 13

Removing unnecessary diffusion restriction

SLIDE 14

Simplifying the view: iterated permutation

SLIDE 15

Where can you plug in a permutation?

In all modes but those in red:
  • Hashing and its modes HMAC, MGF1, …
  • Block encryption: ECB, CBC, …
  • Stream encryption:
      • synchronous: counter mode, OFB, …
      • self-synchronizing: CFB
  • MAC computation: CBC-MAC, C-MAC, …
  • Authenticated encryption: OCB, GCM, CCM …

But also nice opportunity to clean up the modes!

SLIDE 16

Outline (current section: Permutation-based cryptography)

SLIDE 17

The sponge construction

f: a b-bit permutation with b = r + c
  • efficiency: processes r bits per call to f
  • security: provably resists generic attacks up to 2^(c/2)

Flexibility in trading rate r for capacity c or vice versa

SLIDE 18

What can we say about sponge security

Proof of security against generic attacks:
  • assuming f has been chosen randomly
  • tight: as sound as theoretically possible
  • limitation: inner collisions in c-bit inner part

Security for a specific choice of f
  • security proof is infeasible
  • design f with attacks in mind
  • assurance by absence of attacks despite public scrutiny

Security claim: target for attacks
  • tight claim: no attacks better than generic attacks
      • Hermetic Sponge Strategy
  • weaker claims relax conditions on f

SLIDE 19

Regular hashing

Pre-sponge permutation-based hash functions
  • Truncated permutation as compression function: Snefru [Merkle ’90], FFT-Hash [Schnorr ’90], … MD6 [Rivest et al. 2007]
  • Streaming-mode: Subterranean, Panama, RadioGatún, Grindahl [Knudsen, Rechberger, Thomsen, 2007], …

SLIDE 20

Message authentication codes

Pre-sponge (partially) permutation-based MAC function: Pelican-MAC [Daemen, Rijmen 2005]

SLIDE 21

Stream encryption

Similar to block cipher modes:
  • Long keystream per IV: like OFB
  • Short keystream per IV: like counter mode

Independent permutation-based stream ciphers: Salsa and ChaCha [Bernstein 2007]

SLIDE 22

Mask generating function

SLIDE 23

Authenticated encryption: MAC generation

SLIDE 24

Authenticated encryption: encryption

SLIDE 25

Authenticated encryption: just do them both?

SLIDE 26

The duplex construction

  • Object: D = duplex[f, pad, r]
  • Requesting ℓ-bit output: Z = D.duplexing(σ, ℓ)
  • Generic security provably equivalent to that of sponge

SLIDE 27

SpongeWrap authenticated encryption

  • Single-pass authenticated encryption
  • Processes up to r bits per call to f
  • Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting, 2004]

SLIDE 28

What textbooks and intros should say from now on :-)

Symmetric cryptographic primitives:
  • Permutations
  • Block ciphers
  • Stream ciphers
  • Hash functions
      • Non-keyed
      • Keyed: MAC functions

And their modes-of-use

SLIDE 29

Outline (current section: On the efficiency of permutation-based cryptography)

SLIDE 30

Efficiency: working memory required for hashing

Assume security strength c/2

Davies-Meyer block cipher based hash (“narrow pipe”)
  • chaining value (block size): n ≥ c
  • input block size (key length): typically k ≥ n
  • feedforward (block size): n
  • total state ≥ 3c

Sponge (“huge state”)
  • permutation width: c + r
  • r can be made arbitrarily small, e.g. 1 byte
  • total state ≥ c + 8

Similar arguments apply to other use cases

SLIDE 31

Efficiency: speed of keyed permutation modes

One cryptographic expert’s opinion: “The sponge construction is a pretty poor way to encrypt. One either gets high-speed but low security or low-speed and high security.”

Keccak showed that sponge can be secure and fast

Not significantly slower than block cipher modes

But very fast dedicated primitives exist for:
  • MAC computation
  • stream encryption, well at least for long cleartexts

SLIDE 32

Boosting keyed permutation modes

1. Keyed modes have higher generic security level
  • generic security strength level c − a instead of c/2
  • with 2^a ranging from 1 to the data complexity
  • allows increasing the rate by c/2 − a bits

2. Keyed modes seem harder to attack
  • in keyed modes attacker has less power
  • allows decreasing number of rounds in permutation

3. Introducing functionally optimized constructions
  • donkeySponge: MAC computation
  • monkeyDuplex: nonce-imposing (authenticated) encryption

SLIDE 33

Reducing rounds for keyed modes

MD5 hash function [Rivest 1992]
  • unkeyed: constructing fake certificates [Stevens et al. 2009]
  • keyed: very little progress in 1st pre-image generation

Panama hash and stream cipher [Clapp, Daemen 1998]
  • unkeyed: instantaneous collisions [Daemen, Van Assche 2007]
  • keyed: stream cipher unbroken till this day

Keccak crypto contest with reduced-round challenges
  • unkeyed: 4-round collisions [Dinur, Dunkelman, Shamir 2012]
  • keyed: pre-image up to 2 rounds only [Morawiecki 2011]

In keyed modes use a permutation with fewer rounds
  • e.g. for Keccak: speedup factor up to 3 while still offering a comfortable safety margin

SLIDE 34

Introducing functionally optimized constructions

Sponge and duplex are generic modes
  • flexible and multi-purpose
  • do not exploit mode-specific features

MAC computation
  • before squeezing adversary has no information about state
  • relaxes requirements on f during absorbing

Authenticated encryption in presence of nonces
  • nonce can be used to decorrelate computations

SLIDE 35

The donkeySponge MAC construction

  • Usage of full state width b during absorbing, as in [Pelican-MAC]
  • n_absorb determined by max DP over n_absorb rounds of f
  • Spectacular speedup especially for small b

SLIDE 36

Outline (current section: Requirements for the permutation)

SLIDE 37

Desired cryptographic properties of the permutation

Classical LC/DC criteria
  • absence of large differential propagation probabilities
  • absence of large input-output correlations
  • study trail weights and clustering

Immunity to
  • integral cryptanalysis
  • algebraic attacks
  • slide and symmetry-exploiting attacks
  • …

Infeasibility of the CICO problem

SLIDE 38

The CICO problem

  • Given partial input and output, determine remaining parts
  • Important in many attacks
  • Generalization: multi-target

Pre-image generation in hashing

SLIDE 39

The CICO problem

  • Given partial input and output, determine remaining parts
  • Important in many attacks
  • Generalization: multi-target

State recovery in stream encryption

SLIDE 40

Outline (current section: Keccak)

SLIDE 41

Keccak-f: the permutations in Keccak

Operates on 3D state:

[Figure: 3D state with axes x, y, z, labelled "state"]

  • (5 × 5)-bit slices
  • 2^ℓ-bit lanes
  • param. 0 ≤ ℓ < 7

Round function with 5 steps:
  • θ: mixing layer
  • ρ: inter-slice bit transposition
  • π: intra-slice bit transposition
  • χ: non-linear layer
  • ι: round constants

# rounds: 12 + 2ℓ for b = 2^ℓ × 25
  • 12 rounds in Keccak-f[25]
  • 24 rounds in Keccak-f[1600]

By default: r = 1024, c = 576
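
Added example (not from the slides and not the Keccak team's code): a Python implementation of Keccak-f[b] for any 0 ≤ ℓ < 7 with 12 + 2ℓ rounds, and of the sponge construction from slide 17 on top of Keccak-f[1600]. The function names, the suffix parameter and the sample message are assumptions of this example; demo() runs the slide's default r = 1024, c = 576 and cross-checks the r = 1088, c = 512 instance against SHA3-256 from Python's hashlib.

```python
import hashlib

def keccak_f(lanes, l=6):
    """Keccak-f[b], b = 25 * 2**l, on lanes[x][y] holding 2**l-bit integers."""
    w = 1 << l
    mask = (1 << w) - 1
    def rol(v, n):
        n %= w
        return ((v << n) | (v >> (w - n))) & mask
    A = [column[:] for column in lanes]
    R = 1                                    # LFSR state producing the iota bits
    for _ in range(12 + 2 * l):              # number of rounds: 12 + 2l
        # theta: add to each bit the parities of two neighbouring columns
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate every lane, then move lane (x, y) to (y, 2x+3y)
        x, y, cur = 1, 0, A[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied to each row of 5 bits
        for y in range(5):
            row = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: round constant into lane (0, 0), truncated to the lane length
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2 and j <= l:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return A

def permute_bytes(state):
    """Apply Keccak-f[1600] to a 200-byte state (lane (x, y) at byte 8*(x+5y))."""
    A = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
          for y in range(5)] for x in range(5)]
    A = keccak_f(A, 6)
    return bytearray(b"".join(A[x][y].to_bytes(8, "little")
                              for y in range(5) for x in range(5)))

def sponge(msg, r, c, out_len, suffix=0x01):
    """Sponge over f = Keccak-f[1600]; r and c in bits, out_len in bytes.
    suffix = domain-separation bits (if any) plus the first bit of the 10*1 padding."""
    assert r + c == 1600 and r % 8 == 0 and r > 0
    rate = r // 8
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate)
    padded[-1] ^= 0x80                       # final padding bit
    state = bytearray(200)
    for off in range(0, len(padded), rate):  # absorbing: r bits per call to f
        for i in range(rate):
            state[i] ^= padded[off + i]
        state = permute_bytes(state)
    out = bytes(state[:rate])                # squeezing: r bits per call to f
    while len(out) < out_len:
        state = permute_bytes(state)
        out += bytes(state[:rate])
    return out[:out_len]

def demo():
    """Digest under the slide's default parameters, and a SHA3-256 cross-check."""
    msg = b"constructed sample input"
    default = sponge(msg, 1024, 576, 32)
    sha3_ok = sponge(msg, 1088, 512, 32, 0x06) == hashlib.sha3_256(msg).digest()
    return default.hex(), sha3_ok

if __name__ == "__main__":
    print(demo())
```

Only the capacity c (the part of the state the message never touches directly) sets the generic security level; changing r and c changes the digest even for the same message and permutation.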

SLIDE 42

Keccak-f: the permutations in Keccak

[Figure: 3D state with axes x, y, z, labelled "row"]

SLIDE 43

Keccak-f: the permutations in Keccak

[Figure: 3D state with axes x, y, z, labelled "column"]

SLIDE 44

Keccak-f: the permutations in Keccak

[Figure: 3D state with axes x, y, z, labelled "slice"]

SLIDE 45

Keccak-f: the permutations in Keccak

[Figure: 3D state with axes x, y, z, labelled "lane"]

SLIDE 46

The χ non-linear layer

Convolutional transformation rather than S-box

Finding simpler/cheaper would be hard

SLIDE 47

The θ mixing layer

[Figure: column parity, θ effect, combine]

Much cheaper than MDS and still good average diffusion

Bad worst-case diffusion: kernel

Addressed in bit transpositions ρ and π
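
Added example (not from the slides): θ acting on a bit difference, written as the three steps named in the figure (column parity, θ effect, combine) for 64-bit lanes. It tracks only the linear steps θ, ρ and π and skips χ and ι, so the counts describe how a difference spreads through the linear layer only; all function names and the chosen bit positions are assumptions of this example.

```python
from collections import Counter

W = 64  # lane length of Keccak-f[1600]

def column_parity(bits):
    """Columns (x, z) holding an odd number of active bits (x, y, z)."""
    count = Counter((x, z) for x, y, z in bits)
    return {col for col, n in count.items() if n % 2}

def theta_effect(parity):
    """Bits flipped by theta: an odd column (x, z) flips all five bits of
    column (x+1, z) and all five bits of column (x-1, z+1)."""
    effect = set()
    for x, z in parity:
        for y in range(5):
            effect ^= {((x + 1) % 5, y, z)}
            effect ^= {((x - 1) % 5, y, (z + 1) % W)}
    return effect

def theta(bits):
    """Combine: the input difference XOR the theta effect."""
    return set(bits) ^ theta_effect(column_parity(bits))

def rho_pi(bits):
    """rho rotates each lane by its offset; pi moves lane (x, y) to (y, 2x+3y)."""
    offset = {(0, 0): 0}
    x, y = 1, 0
    for t in range(24):
        offset[(x, y)] = (t + 1) * (t + 2) // 2
        x, y = y, (2 * x + 3 * y) % 5
    return {(y, (2 * x + 3 * y) % 5, (z + offset[(x, y)]) % W)
            for x, y, z in bits}

def demo():
    single = {(0, 0, 0)}                 # one active bit: odd column parity
    kernel = {(0, 0, 0), (0, 1, 0)}      # two bits in one column: even parity
    after_single = theta(single)         # average case: 1 bit becomes 11
    after_kernel = theta(kernel)         # worst case: theta changes nothing
    moved = rho_pi(after_kernel)         # the two bits now sit in different columns
    return len(after_single), len(after_kernel), len(theta(moved))

if __name__ == "__main__":
    print(demo())
```

A difference with even parity in every column is in the kernel and passes through θ unchanged; ρ and π then separate its bits into different columns, so the next θ does diffuse it.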

SLIDE 48

The θ mixing layer

[Figure: θ]

SLIDE 49

Some distinguishing Keccak features

Strong symmetry enabling different implementation options
  • lane-wise, slice-wise bit interleaving
  • see [Keccak 1001 ways] and [Keccak implementation overview]

Lightweight mixing and non-linear layers
  • global approach instead of local optimization

Different from both ARX and AES-based
  • rebound/truncated not applicable thanks to weak alignment
  • no complexity due to carry propagation
  • challenge: improve trail weight bounds of [Daemen, Van Assche, FSE 2012]

SLIDE 50

Outline (current section: Conclusions)

SLIDE 51

Conclusions

Iterated permutations
  • are versatile and efficient cryptographic primitives
  • allow cleaner and more flexible modes

Cryptanalysis of iterated permutations
  • no more key schedule or message expansion
  • introducing the CICO problem

Keccak may inspire
  • new designs: lightweight, weakly aligned, symmetric, …
  • new research: trail weight bound techniques, …
  • new attacks: no assurance without scrutiny!

SLIDE 52

Questions?

Thanks for your attention!

More information on:
  • http://keccak.noekeon.org/
  • http://sponge.noekeon.org/