Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Portfolio of optimized cryptographic functionsbased on Keccak
Guido Bertoni1 Joan Daemen1,2 Michaël Peeters1Gilles Van Assche1 Ronny Van Keer1
1STMicroelectronics2Radboud University
FOSDEM, Brussels, February 4-5, 2017
1 / 41
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
2 / 41
Timeline
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
3 / 41
Timeline
Crisis!
By Marcel Germain (flickr.com)
2004: SHA-0 broken (Joux et al.)2004: MD5 broken (Wang et al.)2005: practical attack on MD5(Lenstra et al., and Klima)2005: SHA-1 theoretically broken(Wang et al.)2006: SHA-1 broken further(De Cannière and Rechberger)2007: NIST calls for SHA-3
4 / 41
Timeline
The SHA-3 competition (2008-2012)
ARIRANG
AURORA
BLAKEBlender
BOOLE
CHI
CRUNCHCubeHash
DCH
EDON-R
EnRUPT
ESSENCE FSB
Fugue
Grøstl
JH
LANE
Lesamnta
Luffa
MCSSHA3
MD6
Sgàil
Shabal
SHAMATA
SIMD
Skein
StreamHash
SWIFFTX
Tangle
TIB3
Twister
Vortex
WaMM
HASH 2X
Maraca
Ponic
ZK-Crypt
Waterfall
Sarmal
BMW
SANDstorm
Spectral Hash
DynamicSHA
NKS2D
Abacus
MeshHash
DynamicSHA 2
Khichidi-1
ECOH
LUX
NaSHA
Hamsi
Keccak
SHAvite-3
ECHOCheetah
2005 2006 2007 2008 2009 2010 2011 2012
16/06/2009
[courtesy of Christophe De Cannière]
5 / 41
Timeline
Our candidate: Keccak
Keccak is a sponge function …
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
… that uses the Keccak-f permutation6 / 41
Timeline
Standardization
By @Doug88888 (flickr.com)
2012: Keccak selected by NIST for SHA-32014: 3GPP adopts Keccak in TUAK2015: NIST’s FIPS 202
Of course: SHA3-{224, 256, 384, 512}But also: SHAKE{128, 256}
2016: NIST’s SP 800-185cSHAKEKMACTupleHashParallelHash
7 / 41
Timeline
More designs building on Keccak
2014: Ketje and Keyaksubmitted to the CAESAR competition
2016: KangarooTwelve2017: Kravatte
… again using the Keccak-f permutation
8 / 41
Security foundations
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
9 / 41
Security foundations
Analyzing the sponge construction
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
10 / 41
Security foundations
Analyzing the sponge construction
input output
outerinner
0
0
r
c
absorbing squeezing
10 / 41
Security foundations
Generic security of the sponge construction
[EuroCrypt 2008]
Theorem, explained
Pr[attack] ≤ N2
2c+1 (or so)
⇒ if N≪ 2c/2, then the probability is negligible
11 / 41
Security foundations
Generic security of the sponge construction
[EuroCrypt 2008]
Theorem, explained
Pr[attack] ≤ N2
2c+1 (or so)
⇒ if N≪ 2c/2, then the probability is negligible
11 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
Security foundations
Inside the permutation
f = …
rounds
13 / 41
Security foundations
Status of Keccak
Kecc
ak-f
[160
0]
0
3
6
9
12
15
18
21
24
Practical (collision) attacks up to 5 roundsTheoretical collision attacks up to 6 rounds[Qiao, Song, Liu, Guo 2016]Theoretical attack up to 9 rounds (2256 time…)[Dinur, Morawiecki, Pieprzyk, Srebrny, Straus 2014]
Round function unchanged since 2008
14 / 41
Unkeyed applications
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
15 / 41
Unkeyed applications
Cryptographic hash functions
h : {0, 1}∗ → {0, 1}n
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
16 / 41
Unkeyed applications
Impact of parallelism
Keccak-f[1600]× 1 1070 cyclesKeccak-f[1600]× 2 1360 cyclesKeccak-f[1600]× 4 1410 cycles
CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD
17 / 41
Unkeyed applications
Tree hashing
Example: ParallelHash [SP 800-185]
function instruction set cycles/byteKeccak[c = 256]× 1 x86_64 6.29Keccak[c = 256]× 2 AVX2 4.32Keccak[c = 256]× 4 AVX2 2.31CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD
18 / 41
Unkeyed applications
KangarooTwelve: a variant of Keccak
Safety margin: from rock-solid to comfortableSame round function, 12 instead of 24⇒ cryptanalysis since 2008 still valid
“Embarassingly” parallel modeProven generic security
[IACR ePrint 2016/770]
19 / 41
Unkeyed applications
KangarooTwelve’s mode
S0 110* CV CV CV … CV CV n-1 FFFF 01
S1
110
S2
110
S3
110
Sn-2
110
Sn-1
110
Final node growing with kangaroo hopping and Sakura coding[ACNS 2014]
20 / 41
Unkeyed applications
KangarooTwelve performance
Short input Long inputIntel® Core™ i5-4570 (Haswell) 4.15 c/b 1.44 c/bIntel® Core™ i5-6500 (Skylake) 3.72 c/b 1.22 c/bIntel® Xeon Phi™ 7250 (Knights Landing)∗ (4.56 c/b) 0.74 c/b
∗ Thanks to Romain Dolbeau
21 / 41
Keyed applications
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
22 / 41
Keyed applications
Pseudo-random function (PRF)
input
…
23 / 41
Keyed applications
Stream cipher
nonce
plaintext = ciphertext
24 / 41
Keyed applications
Message authentication code (MAC)
plaintext
plaintext
25 / 41
Keyed applications
Authenticated encryption
nonce
plaintext = ciphertext
plaintext
26 / 41
Keyed applications
Incrementality
packet #1
packet #1
27 / 41
Keyed applications
Incrementality
packet #1 packet #2
packet #1 packet #2
27 / 41
Keyed applications
Incrementality
packet #1 packet #2 packet #3
packet #1 packet #2 packet #3
27 / 41
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
A(3)
T(3)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
Keyed applications
Ketje in a nutshell
An authenticated-encryption scheme submitted to CAESAR
Similar to Keyak, but …mainly targeted at lightweight applications (e.g., IoT)also using smaller permutations (400 or 200 bits)
29 / 41
Keyed applications
Kravatte with the new Farfalle constructionAn incremental and parallel pseudo-random function …
k f
M0
k f
M1
ik f
Mi
… …
f
k
Z0
f
k
Z1
f
k
j Zj
f
… using the Keccak-f permutation[IACR ePrint 2016/1188 — soon to be updated!]
30 / 41
Keyed applications
Kravatte for many purposes
Kravatte-PRF AuthenticationKravatte-SAE Session authenticated encryptionKravatte-SIV Synthetic-IV authenticated encryptionKravatte-WBC Wide block cipher, authenticated en-
cryption with minimal expansion
31 / 41
Keccak code package
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
32 / 41
Keccak code package
The Keccak code package
https://github.com/gvanas/KeccakCodePackage
33 / 41
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
SnP
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
Inventory
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
36 / 41
Inventory
Hash and extendable-output functions
Standard, rock-solid: [FIPS 202, SP 800-185]SHA3-{224, 256, 384, 512}SHAKE{128, 256} or cSHAKE{128, 256}TupleHashParallelHash
Mature:KangarooTwelve [IACR ePrint 2016/770]
37 / 41
Inventory
Pseudo-random number generation
Rock-solid:KeccakPRG [SAC 2011, implemented in KCP]
reseedable at any timeforward secrecy
38 / 41
Inventory
Authentication
Standard, rock-solid:KMAC [SP 800-185]HMAC with SHA-3 is suboptimal!
Mature:Keyak [CAESAR competition]
Cutting edge:Kravatte-PRF [IACR ePrint 2016/1188]
39 / 41
Inventory
Authenticated encryption
Mature:KetjeKeyak [CAESAR competition]
Cutting edge:Kravatte-SAEKravatte-SIVKravatte-WBC [IACR ePrint 2016/1188]
40 / 41
Conclusions
Thanks for your attention!
Any questions?
Q?http://keccak.noekeon.org/
@KeccakTeam
41 / 41