Deoxys - Jérémy Jean, Ivica Nikolić, Thomas Peyrin, Yannick Seurin - NTU (Singapore) and ANSSI (France) - PowerPoint PPT Presentation

DIAC 2016, Nagoya, Japan - September 27, 2016


  1. Deoxys
     Jérémy Jean - Ivica Nikolić - Thomas Peyrin - Yannick Seurin
     NTU (Singapore) and ANSSI (France)
     DIAC 2016, Nagoya, Japan - September 27, 2016
     http://www1.spms.ntu.edu.sg/~syllab/Deoxys

  2. Outline
     1 Introduction
     2 The Deoxys-BC tweakable BC
       ⊲ Deoxys-BC and the STK construction
       ⊲ Security of Deoxys-BC
     3 The operating mode(s)
       ⊲ Nonce-respecting mode: Deoxys-I
       ⊲ Nonce-misuse resistant mode: Deoxys-II
       ⊲ Security claims and features
     4 Performances
     5 Conclusion

  3. Deoxys in third round
     For the 3rd round, two tweaks for Deoxys:
     1 use of cheap LFSRs instead of multiplication in GF(2^8) in the tweakable block cipher Deoxys-BC:
       ◦ no change in security reasoning
       ◦ faster and smaller implementation
     2 changed the way the nonce is handled in Deoxys-II:
       ◦ faster (removes two encryption calls)
       ◦ more secure (we now obtain a graceful security reduction for both authentication and confidentiality)

  4. Parameters
     We also changed the names:
     ⊲ Deoxys≠ becomes Deoxys-I (nonce-respecting)
     ⊲ Deoxys= becomes Deoxys-II (nonce-misuse resistant)

     Mode and internal primitive of each variant:
       Variant         Mode       Internal primitive
       Deoxys-I-128    TAE-like   Deoxys-BC-256
       Deoxys-II-128   SCT-2      Deoxys-BC-256
       Deoxys-I-256    TAE-like   Deoxys-BC-384
       Deoxys-II-256   SCT-2      Deoxys-BC-384


  7. The Deoxys-BC tweakey schedule
     [Figure: STK tweakey schedule. Each word of the initial tweakey tk_0 is updated every round by the nibble permutation h′, followed by LFSR_2 for the second word and LFSR_3 for the third word (the first word is only permuted); the words are XORed together with the round constants C_0, C_1, C_2, ..., C_{r-1}, C_r to form the subtweakeys, which are XORed into the state between AES rounds, from P = s_0 to s_r = C.]
     In details:
     ⊲ TWEAKEY framework and STK construction [ASIACRYPT'14]
     ⊲ round function is the AES round function
     ⊲ h′ will simply be a permutation of the nibble positions
     ⊲ each nibble of the k-th tweakey word is updated with LFSR_k
     ⊲ very simple transformations: linear and lightweight

  8. The Deoxys-BC tweakable block ciphers
     Deoxys-BC-256 and Deoxys-BC-384:
     ⊲ 128-bit tweakable block ciphers
     ⊲ The round function is exactly the AES round function
     ⊲ Deoxys-BC-256:
       ◦ 14 rounds
       ◦ 256-bit tweakey (2 tweakey words)
     ⊲ Deoxys-BC-384:
       ◦ 16 rounds
       ◦ 384-bit tweakey (3 tweakey words)
     The TWEAKEY schedule:
     ⊲ h′ is a simple permutation of the 16 nibbles
     ⊲ The LFSRs can be clocked with a single XOR
     ⊲ Constant additions to break symmetries (RCON from the AES key schedule)


  10. The STK construction: rationale
     [Figure: the same STK tweakey schedule as on slide 7: per round, h′ on every word, LFSR_2 and LFSR_3 on the second and third words, XOR of the words and of the round constants C_0, ..., C_r into the state between AES rounds, from P = s_0 to s_r = C.]
     Related-tweakey security analysis
     A security analysis is now possible with STK:
     ⊲ when considering one tweakey word, we ensure that function h′ is itself a good tweakey schedule
     ⊲ the LFSRs control the number of cancellations in g, when the subtweakeys are XORed to the internal state
     ⊲ when considering several tweakey words, we can now reuse existing tools searching for good differential paths: for these tools it is easy to add the cancellation bound
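The "cancellation bound" on this slide is the whole point of giving each tweakey word its own per-round update. The script below is an added illustration, not the designers' code: it uses the multiplicative STK variant that this third-round version replaced with LFSRs (slide 3 says the replacement does not change the security reasoning), multiplying word k byte-wise by alpha_k in AES's field GF(2^8) with polynomial 0x11B. The choice alpha = (1, 2, 4) for tweakey words 1..3 is this example's assumption, as is following a single byte position (which is justified because h′ permutes positions identically in every word). It counts, over one period of the update, in how many rounds differences injected into two or three words cancel each other in the subtweakey, and contrasts that with a schedule that applies no per-word update at all.

```python
"""Counting subtweakey-difference cancellations in the STK construction.

Added example, not the Deoxys designers' code. Multiplicative STK variant:
word k is multiplied byte-wise by alpha_k in GF(2^8) (AES polynomial 0x11B);
alpha = (1, 2, 4) for words 1..3 is this example's assumption.
"""
import itertools
import random
from typing import List, Sequence


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


MUL = [[gf_mul(a, b) for b in range(256)] for a in range(256)]   # lookup table


def mult_order(alpha: int) -> int:
    """Smallest t > 0 with alpha^t = 1: after t rounds the word update repeats."""
    t, x = 1, alpha
    while x != 1:
        x, t = MUL[x][alpha], t + 1
    return t


def power_table(alpha: int, rounds: int) -> List[int]:
    """alpha^i for i = 0 .. rounds-1: the coefficient word k carries in round i."""
    table = [1]
    for _ in range(rounds - 1):
        table.append(MUL[table[-1]][alpha])
    return table


def cancellations(powers: Sequence[Sequence[int]], deltas: Sequence[int]) -> int:
    """Rounds in which XOR_k alpha_k^i * delta_k == 0, i.e. the differences
    injected in the tweakey words cancel in the subtweakey byte."""
    count = 0
    for i in range(len(powers[0])):
        d = 0
        for k, delta in enumerate(deltas):
            d ^= MUL[powers[k][i]][delta]
        if d == 0:
            count += 1
    return count


def worst_case(alphas: Sequence[int], rounds: int, samples: int = 0, seed: int = 1) -> int:
    """Maximum cancellations over nonzero difference vectors. delta_1 is fixed
    to 1: scaling every delta by one field constant keeps the pattern.
    Exhaustive when samples == 0 (cheap for 2 words), random vectors otherwise."""
    p = len(alphas)
    powers = [power_table(a, rounds) for a in alphas]
    if samples:
        rng = random.Random(seed)
        vectors = ((1,) + tuple(rng.randrange(1, 256) for _ in range(p - 1))
                   for _ in range(samples))
    else:
        vectors = ((1,) + rest for rest in itertools.product(range(1, 256), repeat=p - 1))
    return max(cancellations(powers, deltas) for deltas in vectors)


if __name__ == "__main__":
    period = mult_order(2)                  # rounds before the word update repeats
    print("period of the update:", period)
    print("no per-word update, 2 words:", worst_case((1, 1), period), "cancellations")
    print("STK alpha=(1,2), 2 words:   ", worst_case((1, 2), period), "cancellation")
    print("STK alpha=(1,2,4), 3 words: ", worst_case((1, 2, 4), period, samples=4000), "at most")
```

With no per-word update, a difference placed in two words at the same position cancels in every round, so a search tool would find a related-tweakey path with no active S-box at all. With distinct alpha_k the round-i difference is a polynomial of degree p-1 in alpha^i, so it vanishes in at most p-1 rounds per period; that is the bound the slide says is easy to feed into existing differential-path search tools.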

  11. Security of the STK construction
     Related-key related-tweak attacks (4×4 AES-like design)
     We prove that no good related-key related-tweak differential path exists (even boomerang), with a computer-aided search tool.

       rounds   active S-boxes   upper bound on probability   method used
       6        12               2^-72 / 2^-24                Matsui's
       8        ≥ 17             2^-108 / 2^-34               ex. split (4R+4R)
       10       ≥ 22             2^-132 / 2^-44               ex. split (5R+5R)

     Meet-in-the-middle attacks
     Using a computer-aided search tool, we checked that the Demirci-Selçuk MitM attack and its improvements cannot apply, even when using the tweak input as extra leverage.

  12. Comparing Deoxys-BC and AES
     Number of active S-boxes in single-key (SK) and related-key (RTK):

       Rounds                               1   2   3   4   5   6   7     8
       Deoxys-BC-256 (14 rounds)   SK       1   5   9  25  26  30  34    50
                                   RTK      0   0   1   5   9  12  ≥17   ≥22
       AES-256 (14 rounds)         SK       1   5   9  25  26  30  34    50
                                   RTK      0   0   1   3   5   5   5    10

     Comparison of security claims
     AES-256 claims 2^256 security, while we only need to claim 2^128 security for Deoxys-BC-256.


  15. Nonce-respecting mode: Deoxys-I
     Deoxys-I is similar to TAE or OCB3.
     [Figure: For associated data authentication: the full blocks A_1, A_2, ..., A_la go through E_K^{2||0}, E_K^{2||1}, ..., E_K^{2||la-1}, and the padded last block A*10* through E_K^{6||la}; all outputs are XORed into Auth. For the plaintext: C_i = E_K^{0||N||i-1}(M_i) for the full blocks M_1, ..., M_l; the partial block M* is XORed with E_K^{4||N||l}(0^n) to give C*; the checksum Σ of the message blocks (with M*10*) is encrypted under E_K^{5||N||l} and XORed with Auth to give the tag.]

  16. Nonce-respecting mode: Deoxys-I
     As the nonce is never reused, it is ensured that every call to the TBC during the encryption will have distinct tweak input values.
     We can directly reuse the TAE or OCB3 security proofs:
     ⊲ but ensuring full security instead of birthday bound
     ⊲ independent of the amount of data
     ⊲ the proofs are simpler (see ΘCB3 and OCB3 proofs)
     ⊲ no long initialization required: fast for short inputs
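The two Deoxys-I slides above describe the mode only by its diagram. The following is an added example, not code from the Deoxys designers, that implements a nonce-based AEAD in exactly that TAE/OCB3 shape: one tweakable-block-cipher call per block, domain prefixes 2 and 6 for associated data, 0, 4 and 5 for the message, and the encrypted checksum Σ XORed with Auth as the tag. The tweakable block cipher E_K^T is a stand-in (a 4-round Feistel network with a keyed BLAKE2b round function), not Deoxys-BC, and the tweak packing (one prefix byte, the nonce, an 8-byte block index) and the prefix 1 used for block-aligned messages are this example's own choices; the slide draws only the partial-block case. The last function shows why the slide insists on the nonce never being reused: with the same nonce, equal plaintext blocks at the same position give equal ciphertext blocks, which is the leak the misuse-resistant Deoxys-II is designed to avoid.

```python
"""TAE/OCB3-shaped nonce-based AEAD over an abstract tweakable block cipher,
laid out as on the Deoxys-I slide. Added example, not the designers' code;
the TBC is a Feistel stand-in, not Deoxys-BC, and the tweak packing is ours."""
import hashlib
import hmac
from typing import Optional, Tuple

BLOCK = 16       # 128-bit blocks, as for Deoxys-BC
NONCE_LEN = 8    # constructed choice for this example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, tweak: bytes, r: int, half: bytes) -> bytes:
    # Keyed hash as the Feistel round function; the tweak is bound into every round.
    return hashlib.blake2b(bytes([r]) + tweak + half, key=key, digest_size=8).digest()


def tbc_enc(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in E_K^T: a 4-round Feistel permutation on 16-byte blocks."""
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, xor(L, _round(key, tweak, r, R))
    return L + R


def tbc_dec(key: bytes, tweak: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _round(key, tweak, r, L)), L
    return L + R


def tweak(prefix: int, nonce: bytes, index: int) -> bytes:
    """prefix || N || i. AD tweaks carry no nonce on the slide; zeros are used there."""
    return bytes([prefix]) + nonce.ljust(NONCE_LEN, b"\0") + index.to_bytes(8, "big")


def pad10(x: bytes) -> bytes:
    """10* padding of a partial block up to a full block."""
    return x + b"\x80" + b"\0" * (BLOCK - 1 - len(x))


def auth_ad(key: bytes, ad: bytes) -> bytes:
    """Auth = XOR of E_K^{2||i}(A_i) over full blocks, plus E_K^{6||la}(A*10*)."""
    la, rem = divmod(len(ad), BLOCK)
    acc = bytes(BLOCK)
    for i in range(la):
        acc = xor(acc, tbc_enc(key, tweak(2, b"", i), ad[i * BLOCK:(i + 1) * BLOCK]))
    if rem:
        acc = xor(acc, tbc_enc(key, tweak(6, b"", la), pad10(ad[la * BLOCK:])))
    return acc


def _finalize(key: bytes, nonce: bytes, ad: bytes, l: int, partial: bool, sigma: bytes) -> bytes:
    # Prefix 5 as drawn on the slide when a partial block exists; prefix 1 for a
    # block-aligned message is this example's choice (it only has to differ).
    prefix = 5 if partial else 1
    return xor(tbc_enc(key, tweak(prefix, nonce, l), sigma), auth_ad(key, ad))


def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    l, rem = divmod(len(msg), BLOCK)
    ct, sigma = bytearray(), bytes(BLOCK)
    for i in range(l):                                   # C_i = E_K^{0||N||i}(M_i)
        m = msg[i * BLOCK:(i + 1) * BLOCK]
        sigma = xor(sigma, m)
        ct += tbc_enc(key, tweak(0, nonce, i), m)
    if rem:                                              # C* = M* xor E_K^{4||N||l}(0^n)
        m_star = msg[l * BLOCK:]
        sigma = xor(sigma, pad10(m_star))
        ct += xor(m_star, tbc_enc(key, tweak(4, nonce, l), bytes(BLOCK)))
    return bytes(ct), _finalize(key, nonce, ad, l, bool(rem), sigma)


def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify."""
    l, rem = divmod(len(ct), BLOCK)
    msg, sigma = bytearray(), bytes(BLOCK)
    for i in range(l):
        m = tbc_dec(key, tweak(0, nonce, i), ct[i * BLOCK:(i + 1) * BLOCK])
        sigma = xor(sigma, m)
        msg += m
    if rem:
        m_star = xor(ct[l * BLOCK:], tbc_enc(key, tweak(4, nonce, l), bytes(BLOCK)))
        sigma = xor(sigma, pad10(m_star))
        msg += m_star
    expected = _finalize(key, nonce, ad, l, bool(rem), sigma)
    return bytes(msg) if hmac.compare_digest(expected, tag) else None


def nonce_reuse_reveals_equal_blocks(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the mode is nonce-respecting only: same nonce and same position make
    equal plaintext blocks visible as equal ciphertext blocks."""
    c1, _ = encrypt(key, nonce, b"", m1)
    c2, _ = encrypt(key, nonce, b"", m2)
    return c1[:BLOCK] == c2[:BLOCK]


if __name__ == "__main__":
    key, nonce = bytes(range(32)), b"nonce-01"          # constructed sample values
    ct, tag = encrypt(key, nonce, b"header v1", b"The quick brown fox jumps over the lazy dog")
    print(len(ct), tag.hex(), decrypt(key, nonce, b"header v1", ct, tag))
```

Every TBC call inside one encryption gets a distinct tweak (different prefix or different index), which is what lets the TAE/OCB3 proof go through without a birthday term; the tag comparison uses a constant-time check because the tag is the only thing standing between a forged ciphertext and the application.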

