Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based symmetric cryptographyand Keccak
Joan Daemen1
joint work withGuido Bertoni1, Michaël Peeters2 and Gilles Van Assche1
1STMicroelectronics 2NXP Semiconductors
Ecrypt II, Crypto for 2020, Tenerife, January 22 to 24, 2013
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Symmetric crypto: what textbooks and intro’s say
Symmetric cryptographic primitives:
Block ciphersStream ciphers
SynchronousSelf-synchronizing
Hash functionsNon-keyedKeyed: MAC functions
And their modes-of-use
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
The hash function cliché
Hash functions:
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
The hash function cliché
Hash functions:
But MD5, SHA-1, etc.: just block ciphers in some mode
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
You can do everything with a block cipher
Block encryption: ECB, CBC, …Stream encryption:
synchronous: counter mode, OFB, …self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …
Hashing and its modes HMAC, MGF1, …
Authenticated encryption: OCB, GCM, CCM …
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Seems like this is closer to the truth nowadays
Block cipher:
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Block cipher operation
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Block cipher operation: the inverse
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
When do you need the inverse?
Indicated in red:
Hashing and its modes HMAC, MGF1, …
Block encryption: ECB, CBC, …Stream encryption:
synchronous: counter mode, OFB, …self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …Authenticated encryption: OCB, GCM, CCM …
Most schemes with misuse-resistant claims
So for most uses you don’t need the inverse!
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Internals of a typical block cipher
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Hashing use case: Davies-Meyer compression function
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Removing unnecessary diffusion restriction
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Simplifying the view: iterated permutation
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Mainstream symmetric cryptography
Where can you plug in a permutation?
In all modes but those in red:
Hashing and its modes HMAC, MGF1, …
Block encryption: ECB, CBC, …Stream encryption:
synchronous: counter mode, OFB, …self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …
Authenticated encryption: OCB, GCM, CCM …
But also nice opportunity to clean up the modes!
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
The sponge construction
f: a b-bit permutation with b = r+ cefficiency: processes r bits per call to fsecurity: provably resists generic attacks up to 2c/2
Flexibility in trading rate r for capacity c or vice versa
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
What can we say about sponge security
Proof of security against generic attacks:assuming f has been chosen randomlytight: as sound as theoretically possiblelimitation: inner collisions in c-bit inner part
Security for a specific choice of fsecurity proof is infeasibledesign f with attacks in mindassurance by absence of attacks despite public scrutiny
Security claim: target for attackstight claim: no attacks better than generic attacksHermetic Sponge Strategyweaker claims relax conditions on f
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Regular hashing
Pre-sponge permutation-based hash functionsTruncated permutation as compression function: Snefru[Merkle ’90], FFT-Hash [Schnorr ’90], …MD6 [Rivest et al. 2007]Streaming-mode: Subterranean, Panama, RadioGatún,Grindahl [Knudsen, Rechberger, Thomsen, 2007], …
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Message authentication codes
Pre-sponge (partially) permutation-based MAC function:Pelican-MAC [Daemen, Rijmen 2005]
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Stream encryption
Similar to block cipher modes:Long keystream per IV: like OFBShort keystream per IV: like counter mode
Independent permutation-based stream ciphers: Salsa andChaCha [Bernstein 2007]
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Mask generating function
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Authenticated encryption: MAC generation
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Authenticated encryption: encryption
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
Authenticated encryption: just do them both?
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
The duplex construction
Object: D = duplex[f,pad, r]
Requesting ℓ-bit output Z = D.duplexing(σ, ℓ)
Generic security provably equivalent to that of sponge
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
SpongeWrap authenticated encryption
Single-pass authenticated encryption
Processes up to r bits per call to f
Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting,
2004]
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Permutation-based cryptography
What textbooks and intro’s should say from now on:-)
Symmetric cryptographic primitives:
Permutations
Block ciphers
Stream ciphersHash functions
Non-keyedKeyed: MAC functions
And their modes-of-use
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Efficiency: working memory required for hashing
Assume security strength c/2Davies-Meyer block cipher based hash (“narrow pipe”)
chaining value (block size): n ≥ cinput block size (key length): typically k ≥ nfeedforward (block size): ntotal state ≥ 3c
Sponge (“huge state”)permutation width: c+ rr can be made arbitrarily small, e.g. 1 bytetotal state ≥ c+ 8
Similar arguments apply to other use cases
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Efficiency: speed of keyed permutation modes
One cryptographic expert’s opinion:
“The sponge construction is a pretty poor way to encrypt. Oneeither gets high-speed but low security or low-speed and highsecurity.”
Keccak showed that sponge can be secure and fast
Not significantly slower than block cipher modesBut very fast dedicated primitives exist for:
MAC computationstream encryption, well at least for long cleartexts
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Boosting keyed permutation modes
1 Keyed modes have higher generic security levelgeneric security strength level c− a instead of c/2with 2a ranging from 1 to the data complexityallows increasing the rate by c/2− a bits
2 Keyed modes seem harder to attackin keyed modes attacker has less powerallows decreasing number of rounds in permutation
3 Introducing functionally optimized constructionsdonkeySponge: MAC computationmonkeyDuplex: nonce-imposing (authenticated) encryption
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Reducing rounds for keyed modes
MD5 hash function [Rivest 1992]
unkeyed: constructing fake certificates [Stevens et al. 2009]keyed: very little progress in 1st pre-image generation
Panama hash and stream cipher [Clapp, Daemen 1998]
unkeyed: instantaneous collisions [Daemen, Van Assche 2007]keyed: stream cipher unbroken till this day
Keccak crypto contest with reduced-round challengesunkeyed: 4-round collisions [Dinur, Dunkelman, Shamir 2012]keyed: pre-image up to 2 rounds only [Morawiecki 2011]
In keyed modes use a permutation with less roundse.g. for Keccak: speedup factor up to 3while still offering a comfortable safety margin
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
Introducing functionally optimized constructions
Sponge and duplex are generic modesflexible and multi-purposedo not exploit mode-specific features
MAC computationbefore squeezing adversary has no information about staterelaxes requirements on f during absorbing
Authenticated encryption in presence of noncesnonce can be used to decorrelate computations
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
On the efficiency of permutation-based cryptography
The donkeySponge MAC construction
Usage of full state width b during absorbing, as in[Pelican-MAC]
nabsorb determined by max DP over nabsorb rounds of f
Spectacular speedup especially for small b
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Requirements for the permutation
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Requirements for the permutation
Desired cryptographic properties of the permutation
Classical LC/DC criteriaabsence of large differential propagation probabilitiesabsence of large input-output correlationsstudy trail weights and clustering
Immunity tointegral cryptanalysisalgebraic attacksslide and symmetry-exploiting attacks…
Infeasibility of the CICO problem
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Requirements for the permutation
The CICO problem
Given partial input and output, determine remaining parts
Important in many attacks
Generalization: multi-target
Pre-image generation in hashing
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Requirements for the permutation
The CICO problem
Given partial input and output, determine remaining parts
Important in many attacks
Generalization: multi-target
State recovery in stream encryption
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
x
y zstate
(5× 5)-bit slices
2ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:θ: mixing layerρ: inter-slice bit transpositionπ: intra-slice bit transpositionχ: non-linear layerι: round constants
# rounds: 12+ 2ℓ for b = 2ℓ2512 rounds in Keccak-f[25]24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
x
y zrow
(5× 5)-bit slices
2ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:θ: mixing layerρ: inter-slice bit transpositionπ: intra-slice bit transpositionχ: non-linear layerι: round constants
# rounds: 12+ 2ℓ for b = 2ℓ2512 rounds in Keccak-f[25]24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
x
y zcolumn
(5× 5)-bit slices
2ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:θ: mixing layerρ: inter-slice bit transpositionπ: intra-slice bit transpositionχ: non-linear layerι: round constants
# rounds: 12+ 2ℓ for b = 2ℓ2512 rounds in Keccak-f[25]24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
x
y zslice
(5× 5)-bit slices
2ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:θ: mixing layerρ: inter-slice bit transpositionπ: intra-slice bit transpositionχ: non-linear layerι: round constants
# rounds: 12+ 2ℓ for b = 2ℓ2512 rounds in Keccak-f[25]24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
x
y zlane
(5× 5)-bit slices
2ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:θ: mixing layerρ: inter-slice bit transpositionπ: intra-slice bit transpositionχ: non-linear layerι: round constants
# rounds: 12+ 2ℓ for b = 2ℓ2512 rounds in Keccak-f[25]24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
The χ non-linear layer
Convolutional transformation rather than S-box
Finding simpler/cheaper would be hard
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
The θ mixing layer
+ =
column parity θ effect
combine
Much cheaper than MDS and still good average diffusionBad worst-case diffusion: kernel
Addressed in bit transpositions ρ and π
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
The θ mixing layer
θ
Much cheaper than MDS and still good average diffusionBad worst-case diffusion: kernel
Addressed in bit transpositions ρ and π
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Keccak
Some distinguishing Keccak features
Strong symmetry enabling different implementationoptions
lane-wise, slice-wisebit interleavingsee [Keccak 1001 ways] and [Keccak implementation overview]
Lightweight mixing and non-linear layersglobal approach instead of local optimization
Different from both ARX and AES-basedrebound/truncated no applicable thanks to weak alignmentno complexity due to carry propagationchallenge: improve trail weight bounds of [Daemen, VanAssche, FSE 2012]
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Conclusions
Outline
1 Mainstream symmetric cryptography
2 Permutation-based cryptography
3 On the efficiency of permutation-based cryptography
4 Requirements for the permutation
5 Keccak
6 Conclusions
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Conclusions
Conclusions
Iterated permutationsare versatile and efficient cryptographic primitivesallow cleaner and more flexible modes
Cryptanalysis of iterated permutationsno more key schedule or message expansionintroducing the CICO problem
Keccak may inspirenew designs: lightweight, weakly aligned, symmetric, …new research: trail weight bound techniques, …new attacks: no assurance without scrutiny!
..........
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
.....
.....
......
.....
......
.....
.....
.
Permutation-based symmetric cryptography and Keccak
Conclusions
Questions?
Thanks for your attention!
Q?More information on
http://keccak.noekeon.org/http://sponge.noekeon.org/