Introduction to sponge-based cryptography Part 2: Keyed modesmath-sa-sara0050/space16/... · Introduction to sponge-based cryptography Part 2: Keyed modes Beyond birthday-bound security

Introduction to sponge-based cryptography Part 2: Keyed modes

Introduction to sponge-based cryptographyPart 2: Keyed modes

Joan Daemen

STMicroelectronics and Radboud University

SPACE 2016Hyderabad, India, December 14, 2016

1 / 59

Introduction to sponge-based cryptography Part 2: Keyed modes

Outline

1 Sponge

2 Keyed sponge

3 Beyond birthday-bound security

4 Keyed sponge, refactored

5 Focus on authenticated encryption

6 Keyak and Ketje

2 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesSponge

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

3 / 59


RadioGatún [Keccak team, NIST 2nd hash workshop 2006]

XOF: eXtendable Output FunctionProblem: expressing security claimSearch for random oracle but then with inner collisions

4 / 59


(Early) Sponge at Dagstuhl, January 2007

Screenshot:

5 / 59


Generic security of Sponge [KT, Ecrypt hash, September 2007 ]

Random sponges:T-sponge: f is random transformationP-sponge: f is random permutation

Theorem: if no inner collisions, output is uniformly randominner collision: different inputs leading to same inner stateProbability of inner collision:

M2

2c+1 with M : # calls to f

6 / 59


Promoting sponge from reference to usage (2007-2008)

RadioGatún cryptanalysis (1st & 3rd party): not promisingNIST SHA-3 deadline approaching …U-turnSponge with strong permutation f: Keccak [KT, SHA-3, 2008]

M pad trunc Z

outerinner

0

0

r

c

f f f f f f

absorbing squeezing

7 / 59


Distinguishing random sponge from random oracle

Distinguishing advantage: 2−c−1M2

Problem: in real world, adversary has access to f

8 / 59


Differentiating random sponge from random oracle

Indifferentiability framework [Maurer, Renner & Holenstein, 2004]Applied to hashing [Coron, Dodis, Malinaud & Puniya, 2005]Random oracle augmented with simulator for sake of proofDifferentiating advantage: M2/2c+1 [KT, Eurocrypt 2008]

9 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

10 / 59


Message authentication codes

0 f f

Key

…

Padded message

f ff

MAC

11 / 59


Stream encryption

0 f f

Key IV

f

Key stream

Long output stream per IV: similar to OFB modeShort output stream per IV: similar to counter mode

12 / 59


Authenticated encryption: spongeWrap [KT, SAC 2011]

0 f f

Key

…

Padded messageIV

f

Key stream

ff

MAC

Adopted by several CAESAR candidatesBut this is no longer sponge

13 / 59


The duplex construction [KT, SAC 2011]

0

0

r

c

outerinner

initialize

pad trunc

f

duplexing

σ0 Z0

pad trunc

f

duplexing

σ1 Z1

pad trunc

f

duplexing

σ2 Z2

…

Generic security equivalent to that of sponge

14 / 59


Generating duplex responses with a sponge

Z0 = sponge(σ0, ℓ0)

15 / 59



Z1 = sponge(pad(σ0)||σ1, ℓ1)

16 / 59



Z2 = sponge(pad(σ0)||pad(σ1)||σ2, ℓ2)

17 / 59


Keyed sponge: distinguishing setting

Straightforward bound: M2/2c+1 + M/2k

Security strength s: expected complexity of succesful attackstrength s means attack complexity 2s

bounds can be converted to security strength statementsHere: s ≤ min(c/2, k)

e.g., s = 128 requires c = 256 and k = 128c/2: birthday bound

18 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

19 / 59


More fine-grained attack complexity

Splitting attack complexity:queries to construction: data complexity Mqueries to f or f−1: computational complexity N

Our ambition around 2010: M2/2c+1 + NM/2c + N/2k

If we limit data complexity M ≤ 2a ≪ 2c/2:s ≤ min(c− a, k)e.g., s = 128 and a = 64 require c = 192 and k = 128

20 / 59


Intuition behind NM/2c

success probability per guess: 1/2c

21 / 59



µ ≤ M instances with same partial r-bit inputsuccess probability per guess: µ/2c

22 / 59




22 / 59




22 / 59


An initial attempt [KT, SKEW 2011]

bound: M2/2c+1 + NM/2c−1 + N/2k

Problems and limitationsbound did not cover multi-target (key) attacksproof did not convince reviewersnew variant (a.o. in CAESAR): inner-keyed sponge:

M pad trunc Z

outerinner

0

K

r

c

f f f f f f

absorbing squeezing

23 / 59


[Andreeva, Daemen, Mennink, Van Assche, FSE 2015]

Inner/outer-keyed, multi-target (n), multiplicity µ

Modular proof using Patarin’s H-coefficient techniqueBound: M2/2c+1 + µN/2c−1 + nN/2k + . . .

A

...

KSK1

KSK2

KSKn

f ?...

RO1

RO2

ROn

f

24 / 59


Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015]

Absorbing on full permutation width does not degrade boundsWe decided to use that insight in Keyak v2But proven bounds had some limitations and problems:

term µN/2k rather than µN/2c

no multi-key securitymultiplicity µ only known a posteriori

25 / 59


Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015]

Absorbing on full permutation width does not degrade boundsWe decided to use that insight in Keyak v2But proven bounds had some limitations and problems:

term µN/2k rather than µN/2c

no multi-key securitymultiplicity µ only known a posteriori

25 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

26 / 59


The new core: (full-state) keyed duplex

±

Kf

iv

Z ¾

f

Z ¾

f

Z ¾

…

Full-state absorbing, no padding: |σ| = bInitial state: concatenation of key k and IVMulti-key: k selected from an array K with index δ

Re-phased: f,Z, σ instead of σ, f,Z≈ all keyed sponge functions are modes of this

27 / 59


Generic security of keyed duplex: the setup

±

Kf

IV

Z ¾

f

Z ¾

f

Z ¾

… f

x y

?

(±, IV)

Path

¾

RO

Z

f

x y

Ideal function: Ideal eXtendable Input Function (IXIF)RO-based object with duplex interfaceIndependent outputs Z for different paths

Further refine adversary’s capabilityL: # queries to keyed duplex/RO with repeated pathqIV : maxIV # init queries with different keys

28 / 59


Generic security of keyed duplex: the bound

±

Kf

IV

Z ¾

f

Z ¾

f

Z ¾

… f

x y

?

(±, IV)

Path

¾

RO

Z

f

x y

L2/2c+1 + (L + 2ν)N/2c + qIVN/2k + . . .

with ν: chosen such that probability of ν-wise multi-collision in setof M r-bit values is negligible

Joint work with Gilles Van Assche and Bart Mennink, in submission29 / 59


Application: counter-like stream cipher

Only init calls, each taking Z as keystream blockIV is nonce, so L = 0Assume M ≪ 2r/2: ν = 1

Bound:(2ν)N/2c + qIVN/2k + . . .

Strength:s ≤ min(c− 1, k− log2(qIV))

30 / 59


Application: lightweight MAC

Message padded and fed via IV and σ blockst-bit tag, squeezed in chunks of r bits: c = b− radversary chooses IV so L ≈ M = 2a

qIV is total number of keys n

Bound:M2/2c+1 + MN/2c−1 + nN/2k + . . .

Strength:s ≤ min(b− a− r− 1, k− log2(n))

Imposes a minimum width of the permutation:

b > s + a + r

31 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

32 / 59


What is authenticated encryption (AE)?

Messages and cryptogramsM = (AD,P) message with associated data and plaintextMc = (AD,C,T) cryptogram with assoc. data, ciphertext andtag

All of M is authenticated but only P is encryptedwrapping: M to Mcunwrapping: Mc to M

Symmetric cryptography: same key used for both operationsAuthentication aspect

unwrapping includes verification of tag Tif not valid, it returns an error ⊥

Note: this is usually called AEAD

33 / 59


The CAESAR competition

Public competition for AE schemesconsortium from academia and industryaims for portfolio instead of single winnerCAESAR committee (secretary Dan Bernstein)

Timelinesubmission deadline: March 15, 2014end of round 1: July 7, 2015end of round 2: August 15, 2016target end date: December 2017

Status:Round 1: 57 candidatesRound 2: 29Round 3: 15 left

http://competitions.cr.yp.to/caesar-submissions.html34 / 59

http://competitions.cr.yp.to/caesar-submissions.html


Limitations of AE

No protection against traffic analysisAE does not hide length and number of messagesto be addressed separately: random padding and dummymessages

Determinism: equal messages lead to equal cryptogramsinformation leakageconcern of replay attackssolution: ensure message uniqueness at wrapping endinclude nonce N in input when wrapping

wrapping becomes statefula simple message counter suffices

From now on we always include a nonce N

35 / 59


Functional behaviour

Wrapping:state: K and past nonces Ninput: M = (N,AD,P)output: C,T or ⊥processing:

if (N ∈ N ) return ⊥else add N to N and return C,T←Wrap[K](N,AD,P)

Unwrapping:state: Kinput: Mc = (N,AD,C,T)output: P or ⊥processing:

return Unwrap[K](N,AD,C,T): P if valid and ⊥ otherwise

36 / 59


Sessions

Session: tag in cryptogram authenticates also previousmessages

full sequence of messages since the session startedAdditional protection against:

insertion,omission,re-ordering of messages within a session

Attention point: last message of sessionAlternative views:

split of a long cryptogram in shorter onesintermediate tags

See [Bellare, Kohno and Namprempre, ACM 2003], [Keccak Team, SAC2011], [Boldyreva, Degabriele, Paterson, Stam, EC 2012] and [Hoang,Reyhanitabar, Rogaway and Vizár, 2015]

37 / 59


Functional behaviour, with sessions

K, N1 AD(1) P(1)

C(1) T(1)

AD(2) P(2)

C(2) T(3)

AD(3) P(3)

C(3) T(2)

Session start: creation of stateful session object Dif (N ∈ N ) (past nonces) return ⊥else add N to N and create D with State← Start(K,N)

Wrappingreturn C(i),T(i) ← D.Wrap(AD(i),P(i))this updates State

Unwrappingreturn D.Unwrap(AD(i),C(i),T(i)): P(i) or ⊥in case of no error, this updates State

38 / 59


Why (session-based) authenticated encryption?

Convenienceoften both are confidentiality and integrity are neededone scheme to choose instead of two

Efficiencycombination can be more efficient than sum of the two, e.g.,CBC encryption and CMAC: 2 block cipher calls per inputblockOCB3 AE: 1 block cipher call per input blocksponge-based AE: 1 permutation call per input block

Reduction of attack surfacedifferential attacks limited to session setup due to noncechosen ciphertext attacks ineffective due to ⊥

Increase of robustness against fault attacksin wrap due to nonce requirementin unwrap due to ⊥

39 / 59


An ideal AE scheme

Underlying primitive: random oracle ROoutput length ℓ implied by the contextROe(·) = RO(·||1) for encryptionROa(·) = RO(·||0) for tag computation

Wrappingif (N ∈ N ) it return ⊥C← ROe(K||N||AD)⊕ PT← ROa(K||N||AD||P)

UnwrappingP← ROe(K||N||AD)⊕ CT′ ← ROa(K||N||AD||P)If (T′ ̸= T) return ⊥, else return P

Note: RO input shall be uniquely decodable in K, N AD & P

40 / 59


Ideal AE scheme, now supporting sessions

Starting the sessionif (N ∈ N ) it return ⊥History← K||N

Wrapping of M(i) = (AD(i),P(i))

History← History||AD(i)||1 and C(i) ← RO(History)⊕ P(i)

History← History||P(i)||0 and T(i) ← RO(History)return (C(i),T(i))

Unwrapping of M(i)c = (AD(i),C(i),T(i))

save current state in case of error: S′ ← HistoryHistory← History||AD(i)||1 and P(i) ← RO(History)⊕ C(i)

History← History||P(i)||0 and τ ← RO(History)if (τ = T(i)) return P(i),else History← S′ and return ⊥

Note: History shall be uniquely decodable in K, N AD(i) & P(i)

41 / 59


Security of the ideal AE scheme

Attack model: adversary can adaptively query:Start, respecting nonce uniqueness (not counted),D.Wrap (qw times) and D.Unwrap (qu times)RO(x): n times

Input to RO(K||·) never repeats: outputs are uniformlyrandom

intra-session: each input to RO is longer than previous oneinter-session: first part of RO input (N,K) never repeatedSo cryptograms C(i) and tags T(i) are uniformly random

42 / 59


Security of our ideal AE scheme (cont’d)

Forgery:building sequence of valid cryptograms M(1)

c . . . M(ℓ)c

not obtained from calls to wrap for some M(1) . . . M(ℓ)

Privacy break:learning on plaintext bits of M(ℓ)

cwithout unwrapping all of M(1)

c . . . M(ℓ)c

Complete security breakdown: key recoverysingle target key: getting one specific keymultiple target: getting one key out of m target keys

43 / 59


Security of our ideal AE scheme (cont’d 2)

Forgerybest strategy: send random but well-formatted cryptogramssuccess probability for qu attempts: qu2−|T|

Privacy breakbest strategy: unwrap cryptograms with modified Ci or Tisuccess probability for qu attempts: qu2−|T|

Key retrievalbest strategy: exhaustive key searchsingle target: success prob. for n key guesses ≈ n2−|K|multi-target: success prob. for n key guesses ≤ (m + 1)n2−|K|Remedy against multi-target security erosion: global nonce

Summary:1-of-m key recovery after 2|K|−log2(m+1) offline calls to RO(·)single privacy break/forgery after 2|T| online calls to D.Unwrap

44 / 59


Instantiating our ideal AE scheme

Replace RO by full-state keyed duplex calling e.g. Keccak-fDue to distinguishing bound :

key recovery: min(2|K|−log2 m, 2c−ϵ) offline calls to fprivacy break/forgery: min(2|T|, 2c/2) online calls to f. . . assuming f (i.e., Keccak-f) has no exploitable properties

Practical scheme?History includes all previous messagesstoring it may require huge buffer

Practical scheme!keyed duplex is hard to distinguish from ROit compresses all History in its b-bit state Sat any point S: keyed hash of Historyinstantiations: our CAESAR submission Keyak (and Ketje)

45 / 59


Instantiating our ideal AE scheme

Replace RO by full-state keyed duplex calling e.g. Keccak-fDue to distinguishing bound :

key recovery: min(2|K|−log2 m, 2c−ϵ) offline calls to fprivacy break/forgery: min(2|T|, 2c/2) online calls to f. . . assuming f (i.e., Keccak-f) has no exploitable properties

Practical scheme?History includes all previous messagesstoring it may require huge buffer

Practical scheme!keyed duplex is hard to distinguish from ROit compresses all History in its b-bit state Sat any point S: keyed hash of Historyinstantiations: our CAESAR submission Keyak (and Ketje)

45 / 59


Advantages of sponge-based AE

Smaller surface for cryptanalysis than block-cipher modesthere are no round keysevolving state during session: moving target

Cheaper protection against side channel attacksDPA and DEMA limited to session setup due to nonce unicitymoving target during session

Optimization of ratio security strength vs memory usage

46 / 59


Wish for being online

Online: being able to wrap or unwrap a message on-the-flyAvoid having to buffer long messagesOnline unwrapping implies returning unverified plaintext

but security of our scheme relies on ittwo ways to tackle this problem

Tolerating Release of Unverified Plaintext (RUP)catastrophic fragmentation attack [Albrecht et al., IEEE S&P2009]add security notions and attacks [Andreeva et al., ASIACRYPT2014]try to satisfy (some of) these: costly

This can be addressed with sessionssplit long cryptogram into short ones, each with tagshorten cryptograms til they fit the unwrap buffer

47 / 59


Wish for surviving sloppy nonce management

Our assumption: K,N is unique per (wrapping) Session Startusers/implementers do not always respect thiswish to limit consequences of nonce violation

All online AE schemes leak in case of nonce violationequality of first messages of session leaks in any case

stream encryption: re-use of keystreamblock encryption: just equality of block(s) leaks

low entropy plaintexts become an issuesuccessful active attacks for quasi all proposed schemes

Consensus among experts on following:ideal security in case of nonce misuse hard to defineuser shall be warned to not allow nonce violation

Just avoid nonce violation

48 / 59


Wish for parallelism

Many CAESAR submissions use AESModern CPUs have dedicated AES instruction, e.g. AES-NIon Intel

pipelining: 1 cycle per round but latency of 8 to 16 cyclesperforming a single AES: 80 cyclesperforming 8 independent AES: 88 cycles

Expoiting the pipeline requires ability to parallelizeAlso non-AES based schemes can benefit from parallelism,e.g.

pipelined architecturessuperscalar architecturesSIMD instructions

Parallelism can be supported, e.g., Keyak

49 / 59


Wish for lightweightWhole world of buzzwords:

IoT, Smart Grid, RFID, ad-hoc sensor and body area network,…

Strongly constrained resourceslow area: reduce chip costlow power: RF poweredlow energy: battery-life

Specific conditionsshort messagestransaction time, …

Compromising ontarget security strengthprovable security of modeconsequences of improper usage, …

Hence: Ketje is dedicated for lightweight50 / 59


The Motorist mode of use

0 SUV1

T(0)

SUV = Secret and Unique ValuePlaintext absorbed in outer part, AD in inner part alsoTag and keystream from same output block ZiSpecified in three layers:

Piston: Π of them, each one an FSKDEngine: finite state machine steering the Piston(s)Motorist: session starting and (un)-wrapping, using the Engine

51 / 59



0 SUV1

T(0)

A(1)P(1)

C(1) T(1)



51 / 59



0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

P(2)

C(2) T(2)



51 / 59



0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

P(2)

C(2) T(2)

A(3)

T(3)



51 / 59


Generic security of Motorist AE session mode

0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

P(2)

C(2) T(2)

A(3)

T(3)

Used in Keyak v2 [KT & Ronny Van Keer, 2015]

Plaintext absorbed in outer part, AD in inner part alsoUsed in Keyak with c = 256 and b = 1600 or b = 800Rate 544 or 1344 so we can take ν = 1bounds:

nonce-respecting: N/2c−1 + qIVN/2k + . . .nonce-violating: MN/2c + qIVN/2k + . . .

52 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje

Outline

1 Sponge

2 Keyed sponge




6 Keyak and Ketje

53 / 59


Keyak [Keccak team + Ronny Van Keer]

AE scheme submitted to CAESAR (tweaked for round 2)Permutation-based mode called MotoristMakes use of Keccak-p permutations

Keccak-p: reduced-round version of Keccak-fKeccak-f: permutations underlying Keccakall 6 functions in SHA-3 based on Keccak-f[1600] (24rounds)

Generic definition with 5 parametersc capacityτ tag lengthb width of Keccak-p

nr number of rounds in Keccak-pΠ degree of parallelism

54 / 59


Keyak named instances

5 named instances with c = 256, τ = 128, nr = 12Efficiency:

Short messages: Π calls to Keccak-pLong messages: twice as fast as SHAKE128

Name Width b Parallelism ΠRiver Keyak 800 1Lake Keyak 1600 1Sea Keyak 1600 2Ocean Keyak 1600 4Lunar Keyak 1600 8

55 / 59


Ketje [Keccak team + Ronny Van Keer]

AE scheme submitted to CAESAR (made it to round 2)Two instancesFunctionally similar to KeyakLightweight:

using reduced-round Keccak-f[400] or Keccak-f[200]small footprintlow computation for short messages

How?96-bit or 128-bit security (incl. multi-target)more ad-hoc: monkeyDuplex instead of FSKDreliance on nonce uniqueness for key protection

56 / 59


Ketje instances and lightweight features

feature Ketje Jr Ketje Srstate size 25 bytes 50 bytesblock size 2 bytes 4 bytes

processing computational costsession start per session 12 rounds 12 roundswrapping per block 1 round 1 round8-byte tag comp. per message 9 rounds 7 rounds

More on Ketje and Keyak:http://ketje.noekeon.orghttp://keyak.noekeon.org

57 / 59

http://ketje.noekeon.org

http://keyak.noekeon.org


Safety margin of Keyak and Ketje

S. Huang, M. Wang, X. Wang and J. Zhao, Conditional cubeattack on reduced-round keccak sponge function [IACR eprint2016/790]

Best current cryptanalysis of keyed Keccak-f modesCube attack

exploits low algebraic degree of permutationn rounds has degree 2n

summing over inputs in affine space acts as differentiationattack requires summing over around 2n inputssmart tricks allow peeling off rounds

Most powerful attacks on Keyak (12 rounds)7-round variant: requires 242 blocks of chosen data8-round variant: requires 274 blocks of chosen data

58 / 59

Introduction to sponge-based cryptography Part 2: Keyed modesConclusion

Conclusion

Permutations: good alternative for block ciphers

http://sponge.noekeon.org/http://keccak.noekeon.org/

59 / 59

http://sponge.noekeon.org/

http://keccak.noekeon.org/

Documents

Introduction to sponge-based cryptography Part 2: Keyed modesmath-sa-sara0050/space16/... · Introduction to sponge-based cryptography Part 2: Keyed modes Beyond birthday-bound security