Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sébastien Duval 2 Gaëtan Leurent 1 María Naya-Plasencia 1 Léo Perrin 1 Thomas Pornin 3 André Schrottenloher 1 1 Inria, France 2 UCL Crypto Group, Belgium 3 NCC Group, Canada
Introduction The Block Cipher Modes of Operation Outline Introduction 1 The Block Cipher 2 Modes of Operation 3 A. Canteaut et al. Saturnin 2/25
Introduction The Block Cipher Modes of Operation Introduction A. Canteaut et al. Saturnin 3/25
Introduction The Block Cipher Modes of Operation Our design goals Design choices Goals SPN cipher Strong security arguments 1 Wide-trail strategy (AES-like) 256-bit keys and blocks Quantum security 2 Carefully chosen modes Bitslice design Efficient in hardware and software 3 Small components A. Canteaut et al. Saturnin 4/25
Introduction The Block Cipher Modes of Operation Saturnin in the LWC process 13 second-round candidates are based on block ciphers Saturnin is the only block cipher with 256-bit blocks Saturnin is the only proposal (cipher + modes) claiming security against superposition queries Saturnin is the most efficient generalization of the AES wide-trail strategy to a 256-bit block size (in terms of security and implementation). A. Canteaut et al. Saturnin 5/25
Introduction The Block Cipher Modes of Operation On quantum security A key size of 256 bits mitigates quantum exhaustive search A block size of 256 bit mitigates attacks (on modes) at the quantum birthday bound (2 256 / 3 ≃ 2 85 . 3 ) Also simplifies the design of a hash function We claim security against classical and quantum attacks . Quantum attackers can query the secret-key cipher / the modes in superposition . This is the strongest model available It is non-trivial It includes all intermediate definitions, and all use cases A. Canteaut et al. Saturnin 6/25
Introduction The Block Cipher Modes of Operation On the name Saturnin is a famous french duck Kids TV show in the 60’s The duck is well known standard of lightness Historically used as a weight standard for witches [Sir Bedevere, Monty Python and the Holy Grail ] The planet Saturn is associated to the cube [Kepler, Mysterium Cosmographicum ] Saturnin’s state is represented as a cube A. Canteaut et al. Saturnin 7/25
Introduction The Block Cipher Modes of Operation The Block Cipher A. Canteaut et al. Saturnin 8/25
Introduction The Block Cipher Modes of Operation The state 51 55 59 63 15 63 14 35 39 43 47 13 47 12 19 23 27 31 62 11 31 10 3 7 11 15 46 61 9 15 30 8 3 7 11 15 45 7 60 14 6 29 2 6 10 14 5 44 4 13 28 3 1 5 9 13 2 12 1 i 0 4 8 12 y z 0 b 0 1 2 3 4 5 6 7 8 9 101112131415 x 16 registers of 16 bits A cube of 4 × 4 × 4 nibbles of 4 bits Generic nibble index: ( x , y , z ) �→ y + 4 x + 16 z A. Canteaut et al. Saturnin 9/25
Introduction The Block Cipher Modes of Operation The round function AES-inspired operations: S-Box layer: applies σ 0 to nibbles of even index, σ 1 to nibbles of odd index Nibble permutation SR : depends on the round number Linear MixColumns: applies a 4 × 4 MDS mapping over F 2 4 to each column Inverse of SR Sub-key addition A. Canteaut et al. Saturnin 10/25
Introduction The Block Cipher Modes of Operation The nibble permutation Let r be the round index (starts at 0). r mod 4 = 1: shift rows in “slices” (left) r mod 4 = 3: shift rows in “sheets” (right) otherwise do nothing 51 55 59 63 51 55 59 63 63 63 35 39 43 47 35 39 43 47 47 47 19 23 27 31 62 19 23 27 31 62 31 31 3 7 11 15 46 3 7 11 15 46 61 61 15 15 30 30 3 7 11 15 3 7 11 15 45 45 60 60 14 14 29 29 2 6 10 14 2 6 10 14 44 44 13 13 28 28 1 5 9 13 1 5 9 13 12 12 0 4 8 12 0 4 8 12 y y z z x x A. Canteaut et al. Saturnin 11/25
Introduction The Block Cipher Modes of Operation As registers In the register representation: S and MC are bitsliced SR slices and SR sheets correspond to rotations in the registers Before Slices Sheets 15 15 15 14 14 14 13 13 13 12 12 12 11 11 11 10 10 10 9 9 9 8 8 8 7 7 7 6 6 6 5 5 5 4 4 4 3 3 3 2 2 2 1 1 1 0 0 0 0 1 2 3 4 5 6 7 8 9 101112131415 0 1 2 3 4 5 6 7 8 9 101112131415 0 1 2 3 4 5 6 7 8 9 101112131415 A. Canteaut et al. Saturnin 12/25
Introduction The Block Cipher Modes of Operation The subkey addition Only at odd rounds . r mod 4 = 3: XOR the master key K r mod 4 = 1: XOR K rotated by 20 nibbles otherwise do nothing Round constants Two 16-bit words XORed to the state (on 32 nibbles, one bit per nibble). Depend on the 4-bit domain separator A. Canteaut et al. Saturnin 13/25
Introduction The Block Cipher Modes of Operation The Super S-Box representation Supernibbles: columns in 51 55 59 63 63 35 39 43 47 the cube 47 19 23 27 31 62 31 3 7 11 15 46 61 15 30 3 7 11 15 45 60 14 29 2 6 10 14 44 13 28 1 5 9 13 12 y 0 4 8 12 z x Let’s have a look at 4 rounds: � r = 0 S MC → → nothing → → nothing → nothing SR − 1 r = 1 → S → SR slices → MC → → K rot slices � r = 2 S MC → → nothing → → nothing → nothing SR − 1 r = 3 S SR sheets MC K → → → → → sheets A. Canteaut et al. Saturnin 14/25
Introduction The Block Cipher Modes of Operation The Super S-Box representation (ctd.) 4 rounds of Saturnin apply: A Super S-Box A linear transformation on the Super-columns A rotated key addition A Super S-Box The same linear transformation on the Super-rows A key addition A. Canteaut et al. Saturnin 15/25
Introduction The Block Cipher Modes of Operation The Super S-Box representation (ctd.) 2 rounds of Saturnin (a Super-round) ⇐ ⇒ a single round of an AES on 16-bit nibbles, with a transposition ( i.e. the block cipher Square). SB T MC We use 10 Super-rounds for standard Saturnin We recommend 16 Super-rounds for related-key security (Faturnin) Our best key-recovery targets 7.5 Super-rounds A. Canteaut et al. Saturnin 16/25
Introduction The Block Cipher Modes of Operation Security overview Extensive analysis of the AES is transferable to Saturnin 125 active S-Boxes for 8 rounds 4-bit S-Box has optimal properties δ = 4 L = 8 degree 3 Super S-Box has good properties thanks to the MDS layer: δ = 80 L = 3072 degree 9 Bounds on 8-rounds trails p ≤ 2 − 241 . 9 Linear: p ≤ 2 − 220 . 7 Differential: A. Canteaut et al. Saturnin 17/25
Introduction The Block Cipher Modes of Operation Modes of operation A. Canteaut et al. Saturnin 18/25
Introduction The Block Cipher Modes of Operation Overview The submission includes three modes of operation: Saturnin-CTR-Cascade for AEAD Saturnin-Short for small AE (< 128 bits) Saturnin-Hash for hashing We use separate round constants for domain separation . Known quantum security proofs: Encrypt then MAC [Soukharev, Jao & Seshadri, PQCrypto 2016] CTR mode for encryption [Anand, Targhi, Tabia, Unruh, PQCrypto 2016] Cascade MAC [Song & Yun, Crypto ’17] Quantum indifferentiability of Merkle-Damgård [Zhandry, Crypto ’19] A. Canteaut et al. Saturnin 19/25
Introduction The Block Cipher Modes of Operation Saturnin-Short: for small messages A single block m of < 128 bits (Actually it can be defined for 128 bits by reducing the nonce size) A. Canteaut et al. Saturnin 20/25
Introduction The Block Cipher Modes of Operation Saturnin-CTR-Cascade: the main proposal Under a qPRP assumption: CTR: IND-qCPA Cascade MAC: unforgeable A. Canteaut et al. Saturnin 21/25
Introduction The Block Cipher Modes of Operation Saturnin-Hash: hash function proposal We use a Merkle-Damgård construction with the MMO mode, and 16 Super-rounds. Classical birthday bound at 2 256 / 2 = 2 128 Quantum birthday bound at 2 256 / 3 = 2 85 . 3 Quantum collision algorithms are memory-intensive: we make a stronger (conjectural) security claim that depends on the adversary’s quantum memory A. Canteaut et al. Saturnin 22/25
Introduction The Block Cipher Modes of Operation Performance considerations Hardware Software Block cipher gate count: Saturnin-Cascade on an ARM Cortex M4: 118.5 gpb 144 cpb constant-time AES-256: 283.5 AES-GCM: 143 cpb [Adomnicai & Peyrin, 2020] Skinny-256: 156 Saturnin-Hash performs fairly well on Rhys Weatherley’s microcontroller benchmarks ∗ Saturnin-Short is very competitive for short messages ∗ https://rweather.github.io/lightweight-crypto/index.html A. Canteaut et al. Saturnin 23/25
Introduction The Block Cipher Modes of Operation The Faturnin Challenge We need to know more about the related-key security of the 16 Super-round version The key-schedule is simpler than the AES Classical reduced-round attacks? How about quantum attacks? Saturnin-QCB The QCB mode is a quantum-secure rate-one mode similar to Θ CB, based on a tweakable block cipher. We propose to use: K , T , M �→ Faturnin K ⊕ T ( M ) Bhaumik, Bonnetain, Chailloux, Leurent, Naya-Plasencia, Seurin, S., QCB: Efficient quantum-secure authenticated encryption A. Canteaut et al. Saturnin 24/25
Recommend
More recommend
