PRIMATEs v1.1: A Submission to the CAESAR Competition Elena - - PowerPoint PPT Presentation

PRIMATEs v1.1:

A Submission to the CAESAR Competition

Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha,Qingju Wang, and Kan Yasuda

1 July 2014, Bochum

APE

2

PRIMATEs

HANUMAN GIBBON

APE

2

PRIMATEs

HANUMAN GIBBON

Misuse resistant

APE

2

PRIMATEs

HANUMAN GIBBON

Misuse resistant Security with ideal permutation

APE

2

PRIMATEs

HANUMAN GIBBON

Misuse resistant Security with ideal permutation Trades-off security with speed

3

PRIMATEs

• Sponge inspired (9)

3

PRIMATEs

• Sponge inspired (9)

4

PRIMATEs

permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits

• Sponge inspired

4

PRIMATEs

permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits

• Sponge inspired
• Lightweight

4

PRIMATEs

permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits

• Sponge inspired
• Lightweight
• Suggested A and M size is max. 280 (resp. 2120) bits

4

PRIMATEs

permutation PRIMATE-80 PRIMATE-120 security 80 bits 120 bits b (state size) 200 bits 280 bits c (capacity size) 160 bits 240 bits r (rate size) 40 bits 40 bits

• Sponge inspired
• Lightweight
• Countermeasure against DPA is efficient
• Suggested A and M size is max. 280 (resp. 2120) bits

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Nonce based

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Nonce based
• Online encryption

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Nonce based
• Online encryption
• Two permutations for domain separation

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Nonce based
• Online encryption
• Two permutations for domain separation
• No need for inverse permutations

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Nonce based
• Online encryption
• Two permutations for domain separation
• No need for inverse permutations
• No ciphertext extension

5

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

6

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Wrong T → NO ciphertext output

6

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Wrong T → NO ciphertext output
• Security proof with ideal permutation assumption

6

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

• Wrong T → NO ciphertext output
• Security proof with ideal permutation assumption
• No distinguishers in 12 round p1 and p4

6

A[1]

...

A[2] A[u] M[1] C[1] M[w] K T

p1 p4 p4 p1 p1 p1

K||N 0r

...

[C[w]]M[w]

HANUMAN

K, N and T are 80 (resp. 120) bits

7

GIBBON

K, N and T are 80 (resp. 120) bits

p1

K||N K||0c/2

...

A[1] A[u] M[1] C[1] K||0c/2 T K

p2 p2 p3 p3 p1 p3

0r M[w]

...

[C[w]]M[w]

Same story, except:

• Key additions against trivial key recovery or forgery attacks

7

GIBBON

K, N and T are 80 (resp. 120) bits

p1

K||N K||0c/2

...

A[1] A[u] M[1] C[1] K||0c/2 T K

p2 p2 p3 p3 p1 p3

0r M[w]

...

[C[w]]M[w]

Same story, except:

• Key additions against trivial key recovery or forgery attacks
• Three permutations

7

GIBBON

K, N and T are 80 (resp. 120) bits

p1

K||N K||0c/2

...

A[1] A[u] M[1] C[1] K||0c/2 T K

p2 p2 p3 p3 p1 p3

0r M[w]

...

[C[w]]M[w]

Same story, except:

• Key additions against trivial key recovery or forgery attacks
• Three permutations
• Reduced round permutations (p2&p3: 6 rounds) → faster

7

GIBBON

K, N and T are 80 (resp. 120) bits

p1

K||N K||0c/2

...

A[1] A[u] M[1] C[1] K||0c/2 T K

p2 p2 p3 p3 p1 p3

0r M[w]

...

[C[w]]M[w]

Same story, except:

• Key additions against trivial key recovery or forgery attacks
• Three permutations
• Reduced round permutations (p2&p3: 6 rounds) → faster
• No security proof

7

GIBBON

K, N and T are 80 (resp. 120) bits

p1

K||N K||0c/2

...

A[1] A[u] M[1] C[1] K||0c/2 T K

p2 p2 p3 p3 p1 p3

0r M[w]

...

[C[w]]M[w]

Same story, except:

8

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce treatment
• Output….
• Tag….
• Domain separation with a constant XOR
• Inverse permutations are used for decryption

Same story, except:

9

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce treatment
• Output generation
• T can not be truncated
• Domain separation with a constant XOR

Same story, except:

10

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

Same story, except:

• Nonce treatment
• Output generation
• T can not be truncated
• Domain separation with a constant XOR
• Inverse permutations are used for decryption

11

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

Same story, except:

• Nonce treatment
• Output generation
• T can not be truncated
• Domain separation with a constant XOR
• Inverse permutations are used for decryption

12

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

Same story, except:

• Nonce treatment
• Output generation
• T can not be truncated
• Domain separation with a constant XOR
• Inverse permutations are used for decryption

13

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

13

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce misuse resistant: Security up to common prefix

13

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce misuse resistant: Security up to common prefix
• Secure in RUP setting

13

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce misuse resistant: Security up to common prefix
• Secure in RUP setting
• Security proof with ideal permutation assumption

13

APE

0r N[1]

...

A[1] A[u]

p1 p1 p1

K M[1] C[1] T K M[2] [C[w-1]]M[w] M[w] C[w] 0c-1||1

p1 p1 p1 ... ...

N[y]

p1

N is 80 (resp. 120) bits K and T are 160 (resp. 240) bits

• Nonce misuse resistant: Security up to common prefix
• Secure in RUP setting
• Security proof with ideal permutation assumption
• Other AE designs: PRØST

14

PRIMATEs

Ranking w.r.t security

• APE - 120
• HANUMAN - 120
• GIBBON - 120
• APE - 80
• HANUMAN - 80
• GIBBON - 80

15

PRIMATE

Structure

p1 p2 p3 p4 5x8

Primate-80 Primate-120

7x8

200-bit state 280-bit state

15

PRIMATE

Structure

p1 p2 p3 p4 5x8

Primate-80 Primate-120

7x8

200-bit state 280-bit state 5-bit elements 5-bit elements

16

PRIMATE

Structure

p1 p2 p3 p4 5x8

Primate-80 Primate-120

7x8

200-bit state 280-bit state 5-bit elements 5-bit elements 40-bit rate 40-bit rate

16

PRIMATE

Structure

p1 p2 p3 p4 5x8

Primate-80 Primate-120

7x8

200-bit state 280-bit state 5-bit elements 5-bit elements 40-bit rate 40-bit rate Round Update: CA o MC o SR o SE

16

PRIMATE

Structure

p1 p2 p3 p4 5x8

Primate-80 Primate-120

7x8

200-bit state 280-bit state 5-bit elements 5-bit elements 40-bit rate 40-bit rate Round Update: CA o MC o SR o SE p1, p2, p3 and p4 differ in # of rounds and constants

17

PRIMATE

SubElements

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

17

PRIMATE

SubElements

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 S(x) 1 25 26 17 29 21 27 20 5 4 23 14 18 2 28 x 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 S(x) 15 8 6 3 13 7 24 16 30 9 31 10 22 12 11 19

17

PRIMATE

SubElements

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 S(x) 1 25 26 17 29 21 27 20 5 4 23 14 18 2 28 x 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 S(x) 15 8 6 3 13 7 24 16 30 9 31 10 22 12 11 19

No fixed points

18

PRIMATE

S-box

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

18

PRIMATE

S-box

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

• Almost bent permutation

18

PRIMATE

S-box

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

• Almost bent permutation
• Optimal linear and differential probabilities

18

PRIMATE

S-box

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

• Almost bent permutation
• Optimal linear and differential probabilities
• Small area for both plain and DPA secure implementation

19

PRIMATE

ShiftRows

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

<< 0 << 1 << 2 << 4 << 7 << 0 << 1 << 2 << 3 << 4 << 5 << 7

20

PRIMATE

MixColumns

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

Recursive MDS matrix

20

PRIMATE

MixColumns

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

Recursive MDS matrix Lightweight implementation

21

PRIMATE

ConstantAddition

p1 p2 p3 p4

Primate-80 Primate-120

5x8 7x8

• 5-bit Fibonacci LFSR
• Breaking symmetry between rounds
• Generating different permutations

⊕ p1 p2 p3 p4 Number of rounds 12 6 6 12 Initial value of the LFSR 1 24 30 24

22

PRIMATE

Security

p1 p2 p3 p4

22

PRIMATE

Security

• 12 round differential and linear approximation upper bound:

2-100 and 2-196

p1 p2 p3 p4

22

PRIMATE

Security

• 12 round differential and linear approximation upper bound:

2-100 and 2-196

• 6 and 5 round impossible differential trails with prob. 1

p1 p2 p3 p4

22

PRIMATE

Security

• 12 round differential and linear approximation upper bound:

2-100 and 2-196

• 6 and 5 round impossible differential trails with prob. 1
• No collision producing trails up to 6 rounds

p1 p2 p3 p4

22

PRIMATE

Security

• 12 round differential and linear approximation upper bound:

2-100 and 2-196

• 6 and 5 round impossible differential trails with prob. 1
• No collision producing trails up to 6 rounds
• Collision trails with 84 and 127 active S-boxes from 6 to 12

rounds

p1 p2 p3 p4

23

PRIMATEs vs. Other AE

23

PRIMATEs vs. Other AE

• PRIMATEs:

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:
• AES alone is 2600 GE (21 cpr)

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:
• AES alone is 2600 GE (21 cpr)
• Difference nonce lengths are treated in the same way

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:
• AES alone is 2600 GE (21 cpr)
• Difference nonce lengths are treated in the same way
• PRIMATEs vs. Ketje:

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:
• AES alone is 2600 GE (21 cpr)
• Difference nonce lengths are treated in the same way
• PRIMATEs vs. Ketje:
• Ketje Jr. : 1270 GE reg. only

23

PRIMATEs vs. Other AE

• PRIMATEs:
• ~ 1300 (resp. 1900 GE)
• 55 (resp. 61 cpr)
• AES-GCM:
• AES alone is 2600 GE (21 cpr)
• Difference nonce lengths are treated in the same way
• PRIMATEs vs. Ketje:
• Ketje Jr. : 1270 GE reg. only
• Ketje Sr.: 2500 GE reg only

24

DrunkenMonkey Competition

For the most interesting cryptanalysis of PRIMATEs

Deadline: DIAC 2014

24

DrunkenMonkey Competition

For the most interesting cryptanalysis of PRIMATEs

Deadline: DIAC 2014

Runner-up

25

PRIMATEs

General Info

http://primates.ae

25

PRIMATEs

General Info

http://primates.ae

Up to date specifications

25

PRIMATEs

General Info

http://primates.ae

Up to date specifications SW implementation

25

PRIMATEs

General Info

http://primates.ae

Up to date specifications SW implementation

C

• m

i n g s

• n

: H W i m p l e m e n t a t i

• n

26

About Us

✓ Other AE

Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes

26

About Us

✓ Other AE

Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes

✓ Monkey-proof implementation

26

About Us

✓ Other AE

Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes

✓ Monkey-proof implementation

? Higher-order SCA security

26

About Us

✓ Other AE

Beyond 2c/2 Security in Sponge-Based Authenticated Encryption Modes

✓ Monkey-proof implementation

? Higher-order SCA security ? Eager to hear implementation issues

26

About Us

27

Thank You!