Rasta: A cipher with low ANDdepth and few ANDs per bit (PowerPoint PPT Presentation)




SLIDE 1

Rasta: A cipher with low ANDdepth and few ANDs per bit

Christoph Dobraunig, Maria Eichlseder, Lorenzo Grassi, Virginie Lallemand, Gregor Leander, Eik List, Florian Mendel, Christian Rechberger

Crypto 2018

SLIDE 2

Motivation

SLIDE 3

Motivation

Several designs minimize the number of multiplications:
• FLIP [MJSC16]
• Kreyvium [CCFLNPS16]
• LowMC [ARSTZ15]
• MiMC [AGRRT16]

New optimization goals enable/require new design strategies.

SLIDES 4–5

Motivation

[Plot: ANDdepth (y-axis, 5 to 25) against ANDs per bit (x-axis, 2 to 1024, log scale), with points for FLIP, Kreyvium and LowMC; the second build adds Rasta]

SLIDE 6

Challenges

SLIDE 7

Challenges for Rasta

• How to minimize ANDdepth and ANDs per bit at the same time?
• Especially low ANDdepth seems challenging
• How to analyze the outcome?

SLIDES 8–9

Why do we have a high ANDdepth?

[Diagram: a generic keyed function with input I, key K and output O]

SLIDES 10–11

Why do we have a high ANDdepth?

• Evaluated for varying inputs
• Part of the input potentially public
• Need high algebraic degree (ANDdepth) for protection against higher-order differentials, cube-like attacks, ...

Example: one output bit written as a polynomial in the input bits I_j and key bits K_j:

O_1 = I_1 K_1 K_3 + I_2 I_3 K_4 + I_1 I_2 K_2 + I_1 I_2 + I_4 K_1 + K_2
    = I_1 I_2 (K_2 + 1) + I_1 K_1 K_3 + I_2 I_3 K_4 + I_4 K_1 + K_2

SLIDE 12

The Design

SLIDE 13

Rasta

Stream cipher based on a family of public permutations P_{N,i}:
• Each permutation is evaluated once
• Different permutations are used to generate the key stream
• The choice of permutation depends solely on public parameters: the public nonce N and the block counter i

[Diagram: key stream = P_{N,1}(K), P_{N,2}(K), ...]

SLIDES 14–15

Rasta

[Diagram: a public, key-independent XOF seeded with (N, i) outputs the affine layers A_{0,N,i}, A_{1,N,i}, ..., A_{r,N,i}; on the key-dependent path the key K passes through A_{0,N,i}, S, A_{1,N,i}, S, ..., S, A_{r,N,i}, and the result is XORed with K to give the key stream block K_{N,i}]

Seed an extendable output function (XOF) with public values:
• "Randomly" generates invertible matrices M_{j,N,i}
• "Randomly" generates round constants c_{j,N,i}
• Together these give the affine layer A_{j,N,i}(x) = M_{j,N,i} · x ⊕ c_{j,N,i}

Use of χ [Dae95] as the non-linear function S.

The high-level idea of making the relevant computations of the cipher independent of the key was first used in FLIP [MJSC16]. The XOF does not influence the relevant AND metric.
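The construction on these two slides as an added toy implementation; this is illustration code, not the authors' reference code, and it does not reproduce the Rasta specification's exact derivation of matrices and constants. Assumptions: SHAKE256 stands in for the XOF, the block size 17 and 3 rounds are constructed toy parameters far below the paper's instances, the invertible matrices M_{j,N,i} are rejection-sampled from the XOF output, and χ is taken from [Dae95]. Everything except the final data path on K depends only on the public pair (N, i).

```python
import hashlib

# Toy parameters (constructed for illustration; far below the paper's instances).
BLOCK = 17   # odd block size, so that chi is a permutation
ROUNDS = 3   # r: number of chi layers; there are r + 1 affine layers


def xof_bit_stream(nonce: bytes, counter: int):
    """Unbounded bit stream derived only from the public pair (N, i).
    Assumption: SHAKE256 stands in for the XOF; the real Rasta derivation may differ."""
    block = 0
    while True:
        seed = nonce + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        for byte in hashlib.shake_256(seed).digest(64):
            for shift in range(7, -1, -1):
                yield (byte >> shift) & 1
        block += 1


def take_int(bits, nbits: int) -> int:
    """Pull nbits from the stream and pack them into an int (bit 0 = first bit)."""
    value = 0
    for k in range(nbits):
        value |= next(bits) << k
    return value


def is_invertible(rows) -> bool:
    """Rank check over GF(2) by Gauss-Jordan elimination; rows are ints, bit j = column j."""
    rows = list(rows)
    n = len(rows)
    for col in range(n):
        pivot = next((r for r in range(col, n) if (rows[r] >> col) & 1), None)
        if pivot is None:
            return False
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
    return True


def derive_layers(nonce: bytes, counter: int, n: int = BLOCK, rounds: int = ROUNDS):
    """Derive (M_j, c_j) for j = 0..r from the XOF; matrices are rejection-sampled until invertible."""
    bits = xof_bit_stream(nonce, counter)
    layers = []
    for _ in range(rounds + 1):
        while True:
            rows = [take_int(bits, n) for _ in range(n)]
            if is_invertible(rows):
                break
        layers.append((rows, take_int(bits, n)))
    return layers


def affine(rows, const: int, x: int) -> int:
    """A_j(x) = M_j * x xor c_j over GF(2); output bit k is the parity of <row_k, x>."""
    y = 0
    for k, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << k
    return y ^ const


def chi(x: int, n: int = BLOCK) -> int:
    """Daemen's chi on an n-bit circular word: y_i = x_i xor (not x_{i+1} and x_{i+2}).
    One AND per output bit, one AND level per application."""
    mask = (1 << n) - 1
    x1 = ((x >> 1) | (x << (n - 1))) & mask   # x_{i+1} aligned to position i
    x2 = ((x >> 2) | (x << (n - 2))) & mask   # x_{i+2} aligned to position i
    return x ^ (~x1 & x2 & mask)


def permutation(layers, x: int, n: int = BLOCK) -> int:
    """P_{N,i}: A_0, S, A_1, S, ..., S, A_r (no S after the final affine layer)."""
    last = len(layers) - 1
    for j, (rows, const) in enumerate(layers):
        x = affine(rows, const, x)
        if j < last:
            x = chi(x, n)
    return x


def keystream_block(key: int, nonce: bytes, counter: int) -> int:
    """K_{N,i} = P_{N,i}(K) xor K; everything except this data path is key-independent."""
    return permutation(derive_layers(nonce, counter), key) ^ key


def encrypt_block(key: int, nonce: bytes, counter: int, block: int) -> int:
    """Stream-cipher encryption (and decryption) of one n-bit block."""
    return block ^ keystream_block(key, nonce, counter)


def and_metrics(rounds: int = ROUNDS) -> dict:
    """The only ANDs are inside chi: r levels deep, and r ANDs per key-stream bit.
    The XOF and the affine layers act on public data or are linear, so they add none."""
    return {"ANDdepth": rounds, "ANDs per bit": rounds}


if __name__ == "__main__":
    key = 0b10110011010011101          # constructed 17-bit toy key
    ks = keystream_block(key, b"nonce-0", 1)
    print(f"key stream block 1: {ks:0{BLOCK}b}", and_metrics())
```

The AND metric falls out of the structure: the XOF and the matrix/constant sampling run on public data and never touch K, and the affine layers are XORs only, so the r χ layers are the only source of ANDs, giving ANDdepth r and r ANDs per key-stream bit. The block size is kept odd because χ on an even-length circular word is not a bijection.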

SLIDE 16

Design Rationale

Changing affine layers protect against:
• Differential and impossible-differential attacks
• Cube and higher-order differential attacks
• Integral attacks

Block size and key size ≫ security level protect against:
• Attacks based on linear approximations
• Attacks targeting the polynomial system of equations

SLIDES 17–19

Choosing parameters

Parameterizable problem regarding:
• Block size
• Number of rounds

Rasta
• Base parameters on bounds and arguments
• Conservative approach

Agrasta
• Aggressive parameter set of the Rasta design strategy
• Base parameters on best known attacks
• Challenge for cryptanalysts

SLIDE 20

The Road to Rasta

SLIDE 21

Linear approximations

Bound the probability that good approximations exist.

[Diagram: S M0 S M1 S M2 S M3 M4, the chain of S layers and matrices M_0, ..., M_4, with two approximation segments labeled P_1 and P_2]

SLIDE 22

Probability of good approximations

[Plot: log2(probability) (y-axis, −600 to −200) against key/block size k (bits) (x-axis, 256 to 1536); curves for the 128-bit security level with r = 2, r = 4 and r = 6]

SLIDE 23

Solving non-linear multivariate polynomial equations

• General problem of solving non-linear systems of m equations in k unknowns
• Limiting the degree limits the possible number of different monomials
• Increase k to prevent trivial linearization

SLIDE 24

Maximum number of different monomials

[Plot: log2(maximum different monomials) (y-axis, 100 to 400) against key and block size k (bits) (x-axis, 128 to 4096); curves for depth r = 2, 3, 4, 5, 6]
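The reasoning on the two preceding slides (degree limits the monomial count; raise k until linearization stops being trivial) as an added worked computation. This is example code, not the authors' computation: it assumes the generic degree bound 2^r (χ has degree 2, so r layers give degree at most 2^r), counts monomials of degree at most 2^r in k Boolean variables, and uses the constructed criterion that linearization is "trivial" when the number of fresh unknowns it introduces is below 2^s for security level s. The candidate block sizes are a constructed list spanning the slide's x-axis.

```python
from math import comb, log2

# Candidate block sizes spanning the slide's plot range (constructed list for this example).
CANDIDATE_K = [128, 256, 512, 1024, 2048, 4096]


def max_degree(rounds: int) -> int:
    """Generic degree bound after r chi layers: chi has algebraic degree 2, so each
    key-stream bit has degree at most 2^r in the key bits.  Assumption: the slides
    may use a tighter bound; this example uses the generic one."""
    return 2 ** rounds


def monomial_count(k: int, degree: int) -> int:
    """Number of distinct monomials of degree <= `degree` in k Boolean variables.
    Over GF(2) x^2 = x, so a monomial is a subset of the variables: sum of C(k, i)."""
    return sum(comb(k, i) for i in range(min(degree, k) + 1))


def log2_monomials(k: int, rounds: int) -> float:
    """The quantity plotted on the 'maximum number of different monomials' slide
    (under this example's degree bound)."""
    return log2(monomial_count(k, max_degree(rounds)))


def linearization_is_trivial(k: int, rounds: int, security_bits: int) -> bool:
    """Linearization replaces every monomial by a fresh unknown, so an attacker needs
    about that many linear equations (and key-stream bits) to solve the system.
    Constructed criterion: the attack is 'trivial' when the number of unknowns is
    below 2^security_bits, i.e. below the cost of generic key search."""
    return log2_monomials(k, rounds) < security_bits


def smallest_block_size(rounds: int, security_bits: int, candidates=CANDIDATE_K):
    """First candidate k for which linearization is no longer trivial, or None."""
    for k in candidates:
        if not linearization_is_trivial(k, rounds, security_bits):
            return k
    return None


def tradeoff_table(security_bits: int, rounds_range=range(2, 7)) -> dict:
    """Map r -> smallest candidate block size meeting the criterion at this level:
    fewer rounds force a much larger k, which is the slide's 'increase k' argument."""
    return {r: smallest_block_size(r, security_bits) for r in rounds_range}


if __name__ == "__main__":
    for r in range(2, 7):
        print(f"r={r}: " + ", ".join(f"k={k}: {log2_monomials(k, r):6.1f}" for k in CANDIDATE_K))
    print("80-bit level:", tradeoff_table(80))
```

With this criterion, r = 3 at the 80-bit level is first satisfied at k = 4096 = 2^12 among the candidates, and r = 2 is satisfied by none of them, which is the shape of the trade-off the slides describe (2 rounds need a block size far beyond 4096). Whether the authors' bound is exactly this monomial count is not stated on the slides; the example shows the direction of the argument, not their precise parameters.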

SLIDE 25

Instances of Rasta

Block size (bits) per security level and number of rounds r:

Security level   r = 2    r = 3   r = 4    r = 5   r = 6
80-bit           2^21.2   2^12    327      327     219
128-bit          2^33.2   2^18    1877     525     351
256-bit          2^65.2   2^34    2^18.8   3545    703

SLIDE 26

The Road to Agrasta (Cryptanalysis)

SLIDE 27

Cryptanalysis

SAT solver
• Exhaustive search performs better for more than 1 round

Experiments with toy versions
• No obvious outliers

Various dedicated attacks
• For various versions of SAS
• Variants of 2-round Rasta where block size ≈ security level
• Variants of 3-round Rasta where block size ≈ security level

SLIDES 28–35

Sketch of 3-round analysis

[Diagram, built up over eight slides: K → A_0 → S → A_1 → S → A_2 → S → A_3 → K_{N,i}, the three-round instance on which the analysis is sketched]

SLIDES 36–37

Cryptanalysis of instances with 80-bit security

[Plot: rounds r (y-axis, 1 to 6) against key and block size k (bits) (x-axis, 80 to 512); the Rasta instances are marked, and the second build adds the Agrasta instances]

SLIDE 38

Agrasta: More aggressive parameters

Security level   Rounds   Block size
80-bit           4        81
128-bit          4        129
256-bit          5        257

SLIDE 39

Conclusion

SLIDE 40

Conclusion

• Rasta: conservative, based on bounds and arguments
• Agrasta: more aggressive, based on attacks
• New design approach
• Even conservative versions competitive in benchmark (HElib)
• Huge gap between known attacks and bounds

SLIDES 41–42

Bibliography

[AGRRT16] M. R. Albrecht, L. Grassi, C. Rechberger, A. Roy, and T. Tiessen. MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. ASIACRYPT 2016.

[ARSTZ15] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, and M. Zohner. Ciphers for MPC and FHE. EUROCRYPT 2015.

[CCFLNPS16] A. Canteaut, S. Carpov, C. Fontaine, T. Lepoint, M. Naya-Plasencia, P. Paillier, and R. Sirdey. Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression. FSE 2016.

[Dae95] J. Daemen. Cipher and hash function design – Strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995. http://jda.noekeon.org/JDA_Thesis_1995.pdf

[MJSC16] P. Méaux, A. Journault, F.-X. Standaert, and C. Carlet. Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts. EUROCRYPT 2016.