Portfolio of optimized cryptographic functionsbased on Keccak

Guido Bertoni1 Joan Daemen1,2 Michaël Peeters1Gilles Van Assche1 Ronny Van Keer1

1STMicroelectronics2Radboud University

FOSDEM, Brussels, February 4-5, 2017

1 / 41

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

2 / 41

Timeline

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

3 / 41

Timeline

Crisis!

By Marcel Germain (flickr.com)

2004: SHA-0 broken (Joux et al.)2004: MD5 broken (Wang et al.)2005: practical attack on MD5(Lenstra et al., and Klima)2005: SHA-1 theoretically broken(Wang et al.)2006: SHA-1 broken further(De Cannière and Rechberger)2007: NIST calls for SHA-3

4 / 41

Timeline

The SHA-3 competition (2008-2012)

ARIRANG

AURORA

BLAKEBlender

BOOLE

CHI

CRUNCHCubeHash

DCH

EDON-R

EnRUPT

ESSENCE FSB

Fugue

Grøstl

JH

LANE

Lesamnta

Luffa

MCSSHA3

MD6

Sgàil

Shabal

SHAMATA

SIMD

Skein

StreamHash

SWIFFTX

Tangle

TIB3

Twister

Vortex

WaMM

HASH 2X

Maraca

Ponic

ZK-Crypt

Waterfall

Sarmal

BMW

SANDstorm

Spectral Hash

DynamicSHA

NKS2D

Abacus

MeshHash

DynamicSHA 2

Khichidi-1

ECOH

LUX

NaSHA

Hamsi

Keccak

SHAvite-3

ECHOCheetah

2005 2006 2007 2008 2009 2010 2011 2012

16/06/2009

[courtesy of Christophe De Cannière]

5 / 41

Timeline

Our candidate: Keccak

Keccak is a sponge function …

input output

outerinner

0

0

r

c

f f f f f f

absorbing squeezing

… that uses the Keccak-f permutation6 / 41

Timeline

Standardization

By @Doug88888 (flickr.com)

2012: Keccak selected by NIST for SHA-32014: 3GPP adopts Keccak in TUAK2015: NIST’s FIPS 202

Of course: SHA3-{224, 256, 384, 512}But also: SHAKE{128, 256}

2016: NIST’s SP 800-185cSHAKEKMACTupleHashParallelHash

7 / 41

Timeline

More designs building on Keccak

2014: Ketje and Keyaksubmitted to the CAESAR competition

2016: KangarooTwelve2017: Kravatte

… again using the Keccak-f permutation

8 / 41

Security foundations

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

9 / 41

Security foundations

Analyzing the sponge construction

input output

outerinner

0

0

r

c

f f f f f f

absorbing squeezing

10 / 41

Security foundations

Analyzing the sponge construction

input output

outerinner

0

0

r

c

absorbing squeezing

10 / 41

Security foundations

Generic security of the sponge construction

[EuroCrypt 2008]

Theorem, explained

Pr[attack] ≤ N2

2c+1 (or so)

⇒ if N≪ 2c/2, then the probability is negligible

11 / 41

Security foundations

Generic security of the sponge construction

[EuroCrypt 2008]

Theorem, explained

Pr[attack] ≤ N2

2c+1 (or so)

⇒ if N≪ 2c/2, then the probability is negligible

11 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Two pillars of security in cryptography

Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive

Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties

12 / 41

Security foundations

Inside the permutation

f = …

rounds

13 / 41

Security foundations

Status of Keccak

Kecc

ak-f

[160

0]

0

3

6

9

12

15

18

21

24

Practical (collision) attacks up to 5 roundsTheoretical collision attacks up to 6 rounds[Qiao, Song, Liu, Guo 2016]Theoretical attack up to 9 rounds (2256 time…)[Dinur, Morawiecki, Pieprzyk, Srebrny, Straus 2014]

Round function unchanged since 2008

14 / 41

Unkeyed applications

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

15 / 41

Unkeyed applications

Cryptographic hash functions

h : {0, 1}∗ → {0, 1}n

input output

outerinner

0

0

r

c

f f f f f f

absorbing squeezing

16 / 41

Unkeyed applications

Impact of parallelism

Keccak-f[1600]× 1 1070 cyclesKeccak-f[1600]× 2 1360 cyclesKeccak-f[1600]× 4 1410 cycles

CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD

17 / 41

Unkeyed applications

Tree hashing

Example: ParallelHash [SP 800-185]

function instruction set cycles/byteKeccak[c = 256]× 1 x86_64 6.29Keccak[c = 256]× 2 AVX2 4.32Keccak[c = 256]× 4 AVX2 2.31CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD

18 / 41

Unkeyed applications

KangarooTwelve: a variant of Keccak

Safety margin: from rock-solid to comfortableSame round function, 12 instead of 24⇒ cryptanalysis since 2008 still valid

“Embarassingly” parallel modeProven generic security

[IACR ePrint 2016/770]

19 / 41

Unkeyed applications

KangarooTwelve’s mode

S0 110* CV CV CV … CV CV n-1 FFFF 01

S1

110

S2

110

S3

110

Sn-2

110

Sn-1

110

Final node growing with kangaroo hopping and Sakura coding[ACNS 2014]

20 / 41

Unkeyed applications

KangarooTwelve performance

Short input Long inputIntel® Core™ i5-4570 (Haswell) 4.15 c/b 1.44 c/bIntel® Core™ i5-6500 (Skylake) 3.72 c/b 1.22 c/bIntel® Xeon Phi™ 7250 (Knights Landing)∗ (4.56 c/b) 0.74 c/b

∗ Thanks to Romain Dolbeau

21 / 41

Keyed applications

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

22 / 41

Keyed applications

Pseudo-random function (PRF)

input

…

23 / 41

Keyed applications

Stream cipher

nonce

plaintext = ciphertext

24 / 41

Keyed applications

Message authentication code (MAC)

plaintext

plaintext

25 / 41

Keyed applications

Authenticated encryption

nonce

plaintext = ciphertext

plaintext

26 / 41

Keyed applications

Incrementality

packet #1

packet #1

27 / 41

Keyed applications

Incrementality

packet #1 packet #2

packet #1 packet #2

27 / 41

Keyed applications

Incrementality

packet #1 packet #2 packet #3

packet #1 packet #2 packet #3

27 / 41

Keyed applications

Keyak in a nutshell

An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←

0 SUV1

T(0)

SUV = Secret and Unique ValueWorks in sessions

28 / 41

Keyed applications

Keyak in a nutshell

An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←

0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

SUV = Secret and Unique ValueWorks in sessions

28 / 41

Keyed applications

Keyak in a nutshell

An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←

0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

P(2)

C(2) T(2)

SUV = Secret and Unique ValueWorks in sessions

28 / 41

Keyed applications

Keyak in a nutshell

An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←

0 SUV1

T(0)

A(1)P(1)

C(1) T(1)

P(2)

C(2) T(2)

A(3)

T(3)

SUV = Secret and Unique ValueWorks in sessions

28 / 41

Keyed applications

Ketje in a nutshell

An authenticated-encryption scheme submitted to CAESAR

Similar to Keyak, but …mainly targeted at lightweight applications (e.g., IoT)also using smaller permutations (400 or 200 bits)

29 / 41

Keyed applications

Kravatte with the new Farfalle constructionAn incremental and parallel pseudo-random function …

k f

M0

k f

M1

ik f

Mi

… …

f

k

Z0

f

k

Z1

f

k

j Zj

f

… using the Keccak-f permutation[IACR ePrint 2016/1188 — soon to be updated!]

30 / 41

Keyed applications

Kravatte for many purposes

Kravatte-PRF AuthenticationKravatte-SAE Session authenticated encryptionKravatte-SIV Synthetic-IV authenticated encryptionKravatte-WBC Wide block cipher, authenticated en-

cryption with minimal expansion

31 / 41

Keccak code package

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

32 / 41

Keccak code package

The Keccak code package

https://github.com/gvanas/KeccakCodePackage

33 / 41

Keccak code package

Using the KCP

Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a

Extracting the source filesmake generic64/libkeccak.a.pack

Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed

34 / 41

Keccak code package

Using the KCP

Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a

Extracting the source filesmake generic64/libkeccak.a.pack

Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed

34 / 41

Keccak code package

Using the KCP

Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a

Extracting the source filesmake generic64/libkeccak.a.pack

Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed

34 / 41

Keccak code package

Inside the KCP: a layered approach

Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive

Sponge Duplex Construction

Hashing MAC PRNG Auth. Enc. Mode

Genericfocus on user

easy to usee.g., message queue

one implementationpointers and arithmetic

Specificfocus on developer

limited scope to optimizeunit tests

tailored implementationspermutationbulk data processing

35 / 41

Keccak code package

Inside the KCP: a layered approach

Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive

Sponge Duplex Construction

Hashing MAC PRNG Auth. Enc. Mode

Genericfocus on user

easy to usee.g., message queue

one implementationpointers and arithmetic

Specificfocus on developer

limited scope to optimizeunit tests

tailored implementationspermutationbulk data processing

35 / 41

Keccak code package

Inside the KCP: a layered approach

Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive

Sponge Duplex Construction

Hashing MAC PRNG Auth. Enc. Mode

Genericfocus on user

easy to usee.g., message queue

one implementationpointers and arithmetic

Specificfocus on developer

limited scope to optimizeunit tests

tailored implementationspermutationbulk data processing

35 / 41

Keccak code package

Inside the KCP: a layered approach

Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive

Sponge Duplex Construction

Hashing MAC PRNG Auth. Enc. Mode

SnP

Genericfocus on user

easy to usee.g., message queue

one implementationpointers and arithmetic

Specificfocus on developer

limited scope to optimizeunit tests

tailored implementationspermutationbulk data processing

35 / 41

Inventory

Outline

1 Timeline

2 Security foundations

3 Unkeyed applications

4 Keyed applications

5 Keccak code package

6 Inventory

36 / 41

Inventory

Hash and extendable-output functions

Standard, rock-solid: [FIPS 202, SP 800-185]SHA3-{224, 256, 384, 512}SHAKE{128, 256} or cSHAKE{128, 256}TupleHashParallelHash

Mature:KangarooTwelve [IACR ePrint 2016/770]

37 / 41

Inventory

Pseudo-random number generation

Rock-solid:KeccakPRG [SAC 2011, implemented in KCP]

reseedable at any timeforward secrecy

38 / 41

Inventory

Authentication

Standard, rock-solid:KMAC [SP 800-185]HMAC with SHA-3 is suboptimal!

Mature:Keyak [CAESAR competition]

Cutting edge:Kravatte-PRF [IACR ePrint 2016/1188]

39 / 41

Inventory

Authenticated encryption

Mature:KetjeKeyak [CAESAR competition]

Cutting edge:Kravatte-SAEKravatte-SIVKravatte-WBC [IACR ePrint 2016/1188]

40 / 41

Conclusions

Thanks for your attention!

Any questions?

Q?http://keccak.noekeon.org/

@KeccakTeam

41 / 41