Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT - - PowerPoint PPT Presentation

Skinny – A Family of Lightweight Tweakable Block Ciphers for the IoT

• C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin,
• Y. Sasaki, P. Sasdrich, S.M. Sim

Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany

Cryptography for the Internet of Things and Cloud November 6, 2017

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 1 / 26

Introduction to Skinny

Skinny is a family of lightweight block ciphers presented at CRYPTO

• 2016. Its main features are:

flexible tweakable cipher allowing several block- and tweak/key sizes an academic design that competes with the lightweight NSA cipher SIMON in terms of performance and efficiency (e.g., area in hardware) having strong security arguments against common attacks

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 2 / 26

Introduction to Skinny

Skinny is a family of lightweight block ciphers presented at CRYPTO

• 2016. Its main features are:

flexible tweakable cipher allowing several block- and tweak/key sizes an academic design that competes with the lightweight NSA cipher SIMON in terms of performance and efficiency (e.g., area in hardware) having strong security arguments against common attacks

A Tweakable Block Cipher and a Possible Application

K K K T IV IV + 1 K IV + n . . . E E E E P C P0 C0 P1 C1 Pn Cn

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 2 / 26

Table of Contents

1

Introduction to Skinny

2

The Design

3

Implementation Results

4

Best Cryptanalysis so far

5

Skinny Cryptanalysis Competition (announced at FSE 2017)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 3 / 26

Common Block Cipher Design - A Key-Alternating Cipher

. . . R R R A A A K P C . . .

Most common block ciphers iterate an unkeyed round function R Round keys are added in between The round keys are derived from the intial key K using a key-scheduling algorithm (here: a key-update function A)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 4 / 26

Common Block Cipher Design - A Key-Alternating Cipher

. . . R R R A A A K P C . . .

Most common block ciphers iterate an unkeyed round function R Round keys are added in between The round keys are derived from the intial key K using a key-scheduling algorithm (here: a key-update function A)

What to do?

In order to build a block cipher, one has to design a proper round function R that is efficient to implement a key schedule for deriving the round keys

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 4 / 26

Designing a Round Function - Two Extremes

Common block ciphers iterate a round function R several times. One can imagine two extremes:

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 5 / 26

Designing a Round Function - Two Extremes

Common block ciphers iterate a round function R several times. One can imagine two extremes:

Employing very strong (but also very expensive) operations

For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low.

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 5 / 26

Designing a Round Function - Two Extremes

Common block ciphers iterate a round function R several times. One can imagine two extremes:

Employing very strong (but also very expensive) operations

For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low.

An extreme lightweight round function

For instance, apply a single AND operation on two bits and permute the

• bits. The number of rounds needed would be extremely high.
• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 5 / 26

Designing a Round Function - Two Extremes

Common block ciphers iterate a round function R several times. One can imagine two extremes:

Employing very strong (but also very expensive) operations

For instance, use very large S-boxes and a very strong diffusion layer. The number of rounds needed would be very low.

An extreme lightweight round function

For instance, apply a single AND operation on two bits and permute the

• bits. The number of rounds needed would be extremely high.

Skinny is designed to achieve one of the best possible trade-offs!

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 5 / 26

The Design Strategy

the basis design is inspired by the well-known AES each of the building blocks is tailored to achieve an optimal trade-off the idea: removing any operation will lead to a much more insecure cipher the design should allow for strong security arguments against known attacks (e.g. differential and linear attacks) even in the related-key/related-tweak model

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 6 / 26

Specifications and Initialization

Specifications

Skinny supports block sizes of either n = 64 or n = 128 bits. The tweak/key size t can be t = n, t = 2n or t = 3n We denote Skinny with n-bit blocks and t-bit tweak/key by Skinny-n-t

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 7 / 26

Specifications and Initialization

Specifications

Skinny supports block sizes of either n = 64 or n = 128 bits. The tweak/key size t can be t = n, t = 2n or t = 3n We denote Skinny with n-bit blocks and t-bit tweak/key by Skinny-n-t

The Internal State

The internal state of Skinny is represented by a 4 × 4 matrix of b-bit elements: n = 64 → b = 4 n = 128 → b = 8 The plaintext P = m0m1 . . . m15 is mapped to the cipher’s initial state

IS =

 

m0 m1 m2 m3 m4 m5 m6 m7 m8 m9 m10 m11 m12 m13 m14 m15

 

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 7 / 26

The Round Function

The Round Function of Skinny

The following (AES-like) function is iterated on the cipher’s internal state:

SC AC ART >>> 1 >>> 2 >>> 3 ShiftRows MixColumns

Number of rounds for Skinny-n-t, with n-bit internal state, t-bit tweakey state.

Tweakey size t Block size n n 2n 3n 64 32 rounds 36 rounds 40 rounds 128 40 rounds 48 rounds 56 rounds

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 8 / 26

The Round Function

The Round Function of Skinny

The following (AES-like) function is iterated on the cipher’s internal state:

SC AC ART >>> 1 >>> 2 >>> 3 ShiftRows MixColumns

Number of rounds for Skinny-n-t, with n-bit internal state, t-bit tweakey state.

Tweakey size t Block size n n 2n 3n 64 32 rounds 36 rounds 40 rounds 128 40 rounds 48 rounds 56 rounds

Number of Rounds in AES

AES-128 applies 10 rounds, but uses more expensive components!

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 8 / 26

The SubCells Layer

Skinny SubCells

The value in each cell is substituted according to the b-bit S-box Sb.

Sb

S4 = [(x3, x2, x1, x0) → (x2, x1, x0 ⊕ (x3 ∨ x2), x3)]4 ≫ 1. (12 GE) S8 employs a similar, very lightweight construction. (24 GE)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 9 / 26

The SubCells Layer

Skinny SubCells

The value in each cell is substituted according to the b-bit S-box Sb.

Sb

S4 = [(x3, x2, x1, x0) → (x2, x1, x0 ⊕ (x3 ∨ x2), x3)]4 ≫ 1. (12 GE) S8 employs a similar, very lightweight construction. (24 GE)

AES SubBytes

Each byte is substituted according to the AES S-box. It is affine equivalent to inversion in the finite field F28. x → L(x2n−2) + c (198 GE)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 9 / 26

The AddConstants Layer

The Constant Addition in Skinny

Round-specific constants c0, c1, c2 are XORed to the first column of the state. They are derived from the 6-bit affine LFSR (r5||r4||r3||r2||r1||r0) → (r4||r3||r2||r1||r0||r5⊕r4⊕1) c0 = (r3||r2||r1||r0) c1 = (0||0||r5||r4) c2 = 0x2

c0 c1 c2

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 10 / 26

The AddConstants Layer

The Constant Addition in Skinny

Round-specific constants c0, c1, c2 are XORed to the first column of the state. They are derived from the 6-bit affine LFSR (r5||r4||r3||r2||r1||r0) → (r4||r3||r2||r1||r0||r5⊕r4⊕1) c0 = (r3||r2||r1||r0) c1 = (0||0||r5||r4) c2 = 0x2

c0 c1 c2

SC AC ART >>> 1 >>> 2 >>> 3 ShiftRows MixColumns

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 10 / 26

Introducing Tweaks - The TWEAKEY Framework1

A Block Cipher vs. a Tweakable Block Cipher

E P C K E P C K T

1Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and keys for block ciphers:

the TWEAKEY framework. ASIACRYPT 2014. 2014.

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 11 / 26

Introducing Tweaks - The TWEAKEY Framework1

A Block Cipher vs. a Tweakable Block Cipher

E P C K E P C K T

The TWEAKEY Framework

Tweak and key material should be handled in the same way by the tweakey schedule!

P = s0 R s1 . . . R sr sr+1 = C tk0 h g h g tk1 . . . h g tkr−1 g tkr 1Jérémy Jean, Ivica Nikolić, and Thomas Peyrin. Tweaks and keys for block ciphers:

the TWEAKEY framework. ASIACRYPT 2014. 2014.

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 11 / 26

The Tweakey Schedule and the AddRoundTweakey Layer

The tweakey schedule of Skinny - superposition tweakey (STK)

Each n-bit tweakey state is updated by the cell permutation PT (and an LFSR operating on half of the state) and all are combined by XOR.

PT PT lfsr TK XOR R PT PT lfsr XOR R P = s0 PT PT . . . . . . XOR . . . XOR R PT PT lfsr XOR sr = C

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 PT

The AddRoundTweakey Layer of Skinny

The sub-tweakey is XORed to the first two rows of the cipher’s state.

Extracted 8s-bit subtweakey PT LFSR LFSR

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 12 / 26

The Tweakey Schedule and the AddRoundTweakey Layer

The tweakey schedule of Skinny - superposition tweakey (STK)

Each n-bit tweakey state is updated by the cell permutation PT (and an LFSR operating on half of the state) and all are combined by XOR.

PT PT lfsr TK XOR R PT PT lfsr XOR R P = s0 PT PT . . . . . . XOR . . . XOR R PT PT lfsr XOR sr = C

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 PT

The AddRoundTweakey Layer of Skinny

The sub-tweakey is XORed to the first two rows of the cipher’s state.

Extracted 8s-bit subtweakey PT LFSR LFSR

AES

AES employs a non-linear key schedule and the round keys are added to all 16 cells of the state. It allows no tweaks!

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 12 / 26

The ShiftRows and MixColumns Layer

Skinny ShiftRows

ShiftRows is a cell-wise permutation of the state. In particular, row i of the state is rotated by i positions to the right.

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 13 / 26

The ShiftRows and MixColumns Layer

Skinny ShiftRows

ShiftRows is a cell-wise permutation of the state. In particular, row i of the state is rotated by i positions to the right.

AES ShiftRows

Row i of the state is rotated by i positions to the left.

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 13 / 26

The ShiftRows and MixColumns Layer

Skinny MixColumns

A very lightweight linear transformation (with branch number 2) is applied to each column of the state. It needs 3 XOR operations only!

    

x0 x1 x2 x3

     →     

1 1 1 1 1 1 1 1

         

x0 x1 x2 x3

    

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 14 / 26

The ShiftRows and MixColumns Layer

Skinny MixColumns

A very lightweight linear transformation (with branch number 2) is applied to each column of the state. It needs 3 XOR operations only!

    

x0 x1 x2 x3

     →     

1 1 1 1 1 1 1 1

         

x0 x1 x2 x3

    

AES MixColumns

An MDS transformation (branch number 5) is applied to each column of the state.

    

x0 x1 x2 x3

     →     

0x2 0x3 0x1 0x1 0x1 0x2 0x3 0x1 0x1 0x1 0x2 0x3 0x3 0x1 0x1 0x2

         

x0 x1 x2 x3

    

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 14 / 26

Requirements on the MixColumns Matrix

The Round keys are only added to the first two rows of the state This was taken into account when designing the diffusion layer

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 15 / 26

Requirements on the MixColumns Matrix

The Round keys are only added to the first two rows of the state This was taken into account when designing the diffusion layer

Requirements on the Diffusion Matrix (24 Matrices Remain)

Using at most 3 XORs Ensuring full state diffusion within 5 or 6 rounds One sub-tweakey addition affects the whole state after one round forwards and backwards

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 15 / 26

Table of Contents

1

Introduction to Skinny

2

The Design

3

Implementation Results

4

Best Cryptanalysis so far

5

Skinny Cryptanalysis Competition (announced at FSE 2017)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 16 / 26

Round-Based ASIC Implementations

Round-based implementations (UMC L180 0.18 µm cell library)

Area Delay Clock Throughput

Cycles @100KHz @maximum GE ns # KBit/s MBit/s

Skinny-64-128 1696 1.87 36 177.78 951.11 Skinny-128-128 2391 2.89 40 320.00 1107.20 Skinny-128-256 3312 2.89 48 266.67 922.67 Simon-64-128 1751 1.60 46 145.45 870.00 Simon-128-128 2342 1.60 70 188.24 1145.00 Simon-128-256 3419 1.60 74 177.78 1081.00 For other implementations, see the Skinny homepage https://sites.google.com/site/skinnycipher/

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 17 / 26

Table of Contents

1

Introduction to Skinny

2

The Design

3

Implementation Results

4

Best Cryptanalysis so far

5

Skinny Cryptanalysis Competition (announced at FSE 2017)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 18 / 26

Best Crpytanalysis on Skinny

There are several papers on cryptanalysis of Skinny.

Number of rounds broken by best attacks23.

Tweakey size t Block size n n 2n 3n 64 21/32 23/36 27/40 66% 64% 68% 128 19/40 23/48 27/56 48% 48% 48%

2Guozhen Liu, Mohona Ghosh, and Ling Song. “Security Analysis of SKINNY under

Related-Tweakey Settings”. In: IACR Trans. Symmetric Cryptol. 2017.3 (2017),

• pp. 37–72.

3Ralph Ankele et al. Related-Key Impossible-Differential Attack on Reduced-Round

• SKINNY. . ACNS 2017, pp. 208–228.
• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 19 / 26

Table of Contents

1

Introduction to Skinny

2

The Design

3

Implementation Results

4

Best Cryptanalysis so far

5

Skinny Cryptanalysis Competition (announced at FSE 2017)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 20 / 26

Cryptanalysis Competition - Round 2

5 Categories, Best Cryptanalysis for:

1

32 rounds of Skinny-64-128 or 30 rounds of Skinny-128-128

2

30 rounds of Skinny-64-128 or 28 rounds of Skinny-128-128

3

28 rounds of Skinny-64-128 or 26 rounds of Skinny-128-128

4

26 rounds of Skinny-64-128 or 24 rounds of Skinny-128-128

5

24 rounds of Skinny-64-128 or 22 rounds of Skinny-128-128

36 24 26 28 30 32 Skinny-64-128 40 22 24 26 28 30 Skinny-128-128

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 21 / 26

Cryptanalysis Competition - Round 2

5 Categories, Best Cryptanalysis for:

1

32 rounds of Skinny-64-128 or 30 rounds of Skinny-128-128 gets 5 presents (one from each country: )

2

30 rounds of Skinny-64-128 or 28 rounds of Skinny-128-128 gets 4 presents from 4 different countries (chosen by the winner)

3

28 rounds of Skinny-64-128 or 26 rounds of Skinny-128-128 gets 3 presents from 3 different countries (chosen by the winner)

4

26 rounds of Skinny-64-128 or 24 rounds of Skinny-128-128 gets 2 presents from 2 different countries (chosen by the winner)

5

24 rounds of Skinny-64-128 or 22 rounds of Skinny-128-128 gets 1 present from 1 country (chosen by the winner)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 22 / 26

Submitting to the Competition

When:

deadline for submission 1st of February 2018

More Information:

https://sites.google.com/site/skinnycipher/ cryptanalysis-competition Attacks are to be submitted to skinny@googlegroups.com (state in the submission from which countries you want the gift)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 23 / 26

Submitting to the Competition

When:

deadline for submission 1st of February 2018

More Information:

https://sites.google.com/site/skinnycipher/ cryptanalysis-competition Attacks are to be submitted to skinny@googlegroups.com (state in the submission from which countries you want the gift)

Thank you! Any Questions?

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 23 / 26

Evaluating the Security against Differential Attacks

Differences

Considering a 4 × 4 state with b-bit words, a (non-zero) difference is a value X ∈ (Fb

2)4×4\{0}.

Differential Characteristic

For a round-iterated cipher, an r-round differential characteristic is a (r + 1)-tuple of differences.

R0 R0 R1 R1 . . . . . . Rr−1 Rr−1 P2 C2 P1 C1 X 0 X 1 X 2 X r−1 X r

A related key/tweak differential characteristic also consists of differences Y i in the tweakey state

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 24 / 26

Evaluating the Security against Differential Attacks

For any characteristic, the designer wants to guarantee a sufficient upper bound on the probability for it to hold One approach: Increase the minimal number of active S-boxes

Definition

In a differential characteristic, the S-box in state position i, j of round r is called active, if X r

i,j = 0.

In The Case of Related Tweak/Key Attacks

Allowing differences in the tweakey state may cause cancellation of active S-boxes over the tweakey addition! → harder to analyze

Counting active S-boxes using Mixed-Integer Linear Programming

The design of Skinny allows to use computer-aided tools for counting the minimal number of active S-boxes (e.g. MILP)

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 25 / 26

Security Analysis - Number of active S-boxes

Bounds on the minimal number of differential active Sboxes for Skinny-64-128 and various lightweight 64-bit block 128-bit key ciphers.

Cipher Model Rounds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Skinny SK 1 2 5 8 12 16 26 36 41 46 51 55 58 61 66 75 (36 rounds) TK2 1 2 3 6 9 12 16 21 25 31 35 40 LED SK 1 5 9 25 26 30 34 50 51 55 59 75 76 80 84 100 (48 rounds) TK2 1 5 9 25 26 30 34 50 Piccolo SK 5 9 14 18 27 32 36 41 45 50 54 59 63 68 72 (31 rounds) TK2 5 9 14 18 18 23 27 27 32 Midori SK 1 3 7 16 23 30 35 38 41 50 57 62 67 72 75 84 (16 rounds) TK2

• The Influence of the Cipher’s Building Blocks

ShiftRows and MixColumns were chosen to maximize the minimal number of active S-boxes in the SK case The cell permutation PT was chosen to maximize the minimal number of active S-boxes in the related-tweakey case

• C. Beierle (HGI)

The Skinny Family of Block Ciphers November 6, 2017 26 / 26