Towards New International Cryptographic Standards Designing and - - PowerPoint PPT Presentation

towards new international cryptographic standards
SMART_READER_LITE
LIVE PREVIEW

Towards New International Cryptographic Standards Designing and - - PowerPoint PPT Presentation

Towards New International Cryptographic Standards Designing and Breaking Cryptography Lo Perrin Cosmiq TEAM Inria, Paris, France FIC 2020, Lille We (the Cosmiq team) are working on the foundations of cryptography. What kind of algorithms do


slide-1
SLIDE 1

Towards New International Cryptographic Standards

Designing and Breaking Cryptography Léo Perrin

Cosmiq TEAM

Inria, Paris, France

FIC 2020, Lille

slide-2
SLIDE 2

We (the Cosmiq team) are working on the foundations of cryptography.

1

What kind of algorithms do we study?

2

Why do we design new ones?

3 What kind of flaws do we find in other ones?

2 / 15

slide-3
SLIDE 3

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

What is Cryptography?

CRYPTO LUX

3 / 15

slide-4
SLIDE 4

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

What is Cryptography?

CRYPTO LUX

Envelope: Confidentiality (nobody can read it)

3 / 15

slide-5
SLIDE 5

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

What is Cryptography?

CRYPTO LUX

Envelope: Confidentiality (nobody can read it) Seal: Integrity (nobody can modify it)

3 / 15

slide-6
SLIDE 6

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

What is Cryptography?

CRYPTO LUX

Envelope: Confidentiality (nobody can read it) Seal: Integrity (nobody can modify it) Signature: Authentication (it was wrien by the right person) Paul

3 / 15

slide-7
SLIDE 7

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-8
SLIDE 8

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-9
SLIDE 9

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-10
SLIDE 10

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-11
SLIDE 11

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-12
SLIDE 12

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

How Is It Used?

Application Communications Secure Library Protocols Cryptographic Primitives RSA, AES, SHA-256, ECDSA...

4 / 15

slide-13
SLIDE 13

Towards New International Cryptographic Standards What Are Cryptographic Primitives?

What Do Primitives Do?

A cryptographic primitive is a basic building block ; it has a very simple API but very sophisticated inner workings! The block cipher

For any k-bit long key κ, Eκ is a permutation of {0, 1}n. Typically, n ∈ {64, 128} and k ∈ {128, 256}. To ensure security: no matter how many pairs (x, Eκ(x)) are known, it is impossible to recover k1

1Except by trying all possible κ which has 2k possible values. 5 / 15

slide-14
SLIDE 14

Towards New International Cryptographic Standards How Are They Picked?

How are the primitives used in practice chosen?

6 / 15

slide-15
SLIDE 15

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-16
SLIDE 16

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-17
SLIDE 17

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-18
SLIDE 18

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-19
SLIDE 19

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-20
SLIDE 20

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-21
SLIDE 21

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-22
SLIDE 22

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-23
SLIDE 23

Towards New International Cryptographic Standards How Are They Picked?

Life Cycle of a Cryptographic Primitive

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Small teams Academic community Industry Conf., competition NIST, ISO, IETF... Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted Implements algorithms in actual products... ...unless a new attack is found

7 / 15

slide-24
SLIDE 24

Towards New International Cryptographic Standards How Are They Picked?

Breaking the Pipeline

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Implements algorithms in actual products Small teams Academic community Industry Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted ???

8 / 15

slide-25
SLIDE 25

Towards New International Cryptographic Standards How Are They Picked?

Breaking the Pipeline

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Implements algorithms in actual products Small teams Academic community Industry Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted ???

8 / 15

slide-26
SLIDE 26

Towards New International Cryptographic Standards How Are They Picked?

Breaking the Pipeline

Fundamental Research time

Design Public Analysis Deployment

Publication Standardization Implements algorithms in actual products Small teams Academic community Industry Scope statement Algorithm specification Design choices justifications Security analysis Try and break pub- lished algorithms Unbroken algorithms are eventually trusted ???

Hidden defect?

8 / 15

slide-27
SLIDE 27

Towards New International Cryptographic Standards Primitives We Designed

Primitives we designed Primitives we attacked

9 / 15

slide-28
SLIDE 28

Towards New International Cryptographic Standards Primitives We Designed

Primitives we designed Primitives we attacked

9 / 15

slide-29
SLIDE 29

Towards New International Cryptographic Standards Primitives We Designed

Post-Quantum Public Key

Quantum computers will break current public key algorithms

= ⇒ we need new algorithms! Cosmiq Involvement

3 Cosmiq candidates made it to the second round! (Bike, Classic McEliece, and Rollo)

10 / 15

slide-30
SLIDE 30

Towards New International Cryptographic Standards Primitives We Designed

Ligthweight Secret Key

IoT devices cannot handle the (low!) complexity of current symmetric ciphers.

= ⇒ we need new algorithms! Cosmiq Involvement

3 Cosmiq candidates made it to the second round! (Saturnin, Sparkle, Spook)

11 / 15

slide-31
SLIDE 31

Towards New International Cryptographic Standards Primitives we Attacked

Primitives we designed Primitives we attacked

12 / 15

slide-32
SLIDE 32

Towards New International Cryptographic Standards Primitives we Attacked

Breaking SHA-1

SHA-1 is a hash function.

Collision Resistance

For a hash function H, it should not be possible to find messages x and y such that H(x) = H(y) .

Cosmiq Involvement

It is possible in practice to find meaningful messages a||x and a||y where a and b are meaningful and such that H(a||x) = H(a||y)

  • G. Leurent, T. Peyrin. From Collisions to Chosen-Prefix Collisions – Application to Full SHA-1. Eurocrypt

2019.

13 / 15

slide-33
SLIDE 33

Towards New International Cryptographic Standards Primitives we Attacked

Finding Weird Patterns in Russian Standards

[...]

Cosmiq Involvement

The designers of Streebog and Kuznyechik are lying. The probability that a random S-box is as structured as theirs is < 2−1000 (≈ winning the “loto” 60 times in a row).

Scientific publication: X. Bonnetain, L. Perrin, S. Tian. Anomalies and Vector Space Search: Tools for S-box Analysis. Asiacrypt 2019.

14 / 15

slide-34
SLIDE 34

Towards New International Cryptographic Standards Conclusion

Conclusion

Cryptography is an active research area motivated by concrete needs for standard algorithms. Thank you! Delenda Russian Algo

15 / 15

slide-35
SLIDE 35

Towards New International Cryptographic Standards Conclusion

Conclusion

Cryptography is an active research area motivated by concrete needs for standard algorithms. Thank you! Delenda Russian Algo

15 / 15

slide-36
SLIDE 36

Appendix

1 / 5

slide-37
SLIDE 37

On the Russian Standards

Saturnin

2 / 5

slide-38
SLIDE 38

On the Russian Standards

The TKlog Structure

π :

           F28 → F28 → κ(0) α17j → κ(16 − j)

for 1 ≤ j ≤ 15

αi+17j → κ(16 − i) ⊕ (α17)s(j)

for 0 < i, 0 ≤ j < 16

{0}

F24 α × F24 α2 × F24

...

α16 × F24 κ(0) ⊕ F24 κ(15) ⊕ F24 κ(14) ⊕ F24

...

κ({1, . . . , 15})

κ(0) ...

3 / 5

slide-39
SLIDE 39

On the Russian Standards “Randomness” of a Structure: The Kolmogorov Anomaly

Definition

165 ASCII characters that fit on 7 bits: this program is 1155-bit long.

https://codegolf.stackexchange.com/questions/186498/ proving-that-a-russian-cryptographic-standard-is-too-structured

Let P(S) be the bitlength of a C implementation of S ∈ S2n.

Definition (Kolmogorov Anomaly)

The Kolmogorov Anomaly of S for C is the opposite of the log2 of the probability that a random S-box has a C implementation at most as long as that of S.

4 / 5

slide-40
SLIDE 40

On the Russian Standards How to Estimate It?

Estimating the Kolmogorov Anomaly

How to estimate it? (≤ 1155)-bit C programs implementing 8-bit permutations (≤ 1155)-bit strings S28

For π, we get:

#(≤ 1155)-bit C prog. |S28| ≤ #(≤ 1155)-bit strings. |S28| = 21156 − 1

256!

≈ 2−528 ,

meaning that the Kolmogorov anomaly of π for C is at least 528.

5 / 5