Embed Size (px)
Citation preview
RastaA cipher with lowANDdepth and fewANDs per bit
ChristophDobraunig, Maria Eichlseder, Lorenzo Grassi,Virginie Lallemand, Gregor Leander, Eik List, FlorianMendel,Christian RechbergerCrypto 2018
Rasta
Motivation
1 / 26
Rasta
Motivation
Several designs minimize number of multiplicationsFLIP [MJSC16]Kreyvium [CCFLNPS16]LowMC [ARSTZ15]MiMC [AGRRT16]
New optimization goals enable/require new design strategies
2 / 26
Rasta
Motivation
2 4 8 16 32 64 128 256 512 10240
5
10
15
20
25
ANDs per bit
ANDdepth
FLIPKreyviumLowMC
3 / 26
Rasta
Motivation
2 4 8 16 32 64 128 256 512 10240
5
10
15
20
25
ANDs per bit
ANDdepth
FLIPKreyviumLowMCRasta
3 / 26
Rasta
Challenges
4 / 26
Rasta
Challenges for Rasta
How tominimize ANDdepth and ANDs per bit at the same time?
Especially low ANDdepth seems challenging
How to analyze the outcome?
5 / 26
Rasta
Why dowe have a high ANDdepth?I
K
O
Function
6 / 26
Rasta
Why dowe have a high ANDdepth?I
K
O
6 / 26
Rasta
Why dowe have a high ANDdepth?
Evaluated for varying inputs
Part of the input potentially public
Need high algebraic degree (ANDdepth) for protectionAgainst higher-order differentials, cube-like attacks, . . .
O1 = I1K1K3 + I2I3K4 + I1I2K2 + I1I2 + I4K1 + K2
O1 = I1I2(K2 + 1) + I1K1K3 + I2I3K4 + I4K1 + K2
7 / 26
Rasta
Why dowe have a high ANDdepth?
Evaluated for varying inputs
Part of the input potentially public
Need high algebraic degree (ANDdepth) for protectionAgainst higher-order differentials, cube-like attacks, . . .
O1 = I1K1K3 + I2I3K4 + I1I2K2 + I1I2 + I4K1 + K2
O1 = I1I2(K2 + 1) + I1K1K3 + I2I3K4 + I4K1 + K2
7 / 26
Rasta
TheDesign
8 / 26
Rasta
RastaStream cipher based on family of public permutations PN,i
Each permutation evaluated onceDifferent permutations to generate key streamChoice of permutation depends solely on public parameters
Public nonceNBlock counter i
key stream
PN,1
K
PN,2
K
· · ·
9 / 26
Rasta
Rastapublic
key-dependent
XOFN, i· · ·
K A0,N,i A1,N,i Ar,N,iS S S· · · ⊕ KN,i
Seed extendable output function (XOF) with public values“Randomly” generates invertible matricesMj,N,i
“Randomly” generates round constants cj,N,iTo get affine layer Aj,N,i(x) = Mj,N,i · x⊕ cj,N,i
Use of χ [Dae95] as non-linear function S10 / 26
Rasta
Rastapublic
key-dependent
XOFN, i· · ·
K A0,N,i A1,N,i Ar,N,iS S S· · · ⊕ KN,i
High-level idea tomake relevant computations of the cipher independent of thekey was first used in Flip [MJSC16]
XOF does not influence relevant ANDmetric
10 / 26
Rasta
Design Rationale
Changing affine layers againstDifferential and impossible-differential attacksCube and higher-order differential attacksIntegral attacks
Block size, key size� security level againstAttacks based on linear approximationsAttacks targeting polynomial system of equations
11 / 26
Rasta
Choosing parametersParameterizable problem regarding
Block sizeNumber of rounds
RastaBase parameters on bounds and argumentsConservative approach
AgrastaAggressive parameter set of Rasta design strategyBase parameters on best known attacksChallenge for cryptanalysts
12 / 26
Rasta
Choosing parametersParameterizable problem regarding
Block sizeNumber of rounds
RastaBase parameters on bounds and argumentsConservative approach
AgrastaAggressive parameter set of Rasta design strategyBase parameters on best known attacksChallenge for cryptanalysts
12 / 26
Rasta
Choosing parametersParameterizable problem regarding
Block sizeNumber of rounds
RastaBase parameters on bounds and argumentsConservative approach
AgrastaAggressive parameter set of Rasta design strategyBase parameters on best known attacksChallenge for cryptanalysts
12 / 26
Rasta
The Road to Rasta
13 / 26
Rasta
Linear approximations
Bound probability that good approximations exist
SM0 SM1 SM2 SM3 M4
︸ ︷︷ ︸ ︸ ︷︷ ︸P1 P2
14 / 26
Rasta
Probability of good approximations
0 256 512 768 1024 1536−600
−400
−200
0
key/block size k (bits)
log2(probability)
128-bit, r = 2128-bit, r = 4128-bit, r = 6
15 / 26
Rasta
Solving non-linear multivariate polynomial equations
General problem of solving non-linear systems ofm equations with k unknowns
Limiting the degree limits possible number of different monomials
Increase k to prevent trivial linearization
16 / 26
Rasta
Maximum number of different monomials
128 256 512 1024 2048 40960
100
200
300
400
key and block size k (bits)
log2(maximumdifferent
monomials)
depth r = 6depth r = 5depth r = 4depth r = 3depth r = 2
17 / 26
Rasta
Instances of Rasta
Security level Rounds2 3 4 5 6
80-bit 221.2 212 327 327 219128-bit 233.2 218 1877 525 351256-bit 265.2 234 218.8 3545 703
18 / 26
Rasta
The Road to Agrasta (Cryptanalysis)
19 / 26
Rasta
Cryptanalysis
SAT solverExhaustive search performs better for more than 1 round
Experiments with toy versionsNo obvious outliersVarious dedicated attacks
For various versions of SASVariants of 2-round Rasta where block size≈ security levelVariants of 3-round Rasta where block size≈ security level
20 / 26
Rasta
Sketch of 3-round analysis
A0 S A1 S A2 S A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Sketch of 3-round analysis
S S SA0 A1 A2 A3K KN,i
21 / 26
Rasta
Cryptanalysis of instances with 80-bit security
80 128 256 512123456
key and block size k (bits)
roundsr
Rasta
22 / 26
Rasta
Cryptanalysis of instances with 80-bit security
80 128 256 512123456
key and block size k (bits)
roundsr
RastaAgrasta
22 / 26
Rasta
Agrasta: More agressive parameters
Security level Rounds Block size80-bit 4 81128-bit 4 129256-bit 5 257
23 / 26
Rasta
Conclusion
24 / 26
Rasta
ConclusionRasta: conservative, based on bounds and arguments
Agrasta: more aggressive, based on attacks
New design approach
Even conservative versions competitive in benchmark (HElib)
Huge gap between known attacks and bounds
25 / 26
Rasta
Bibliography I
[AGRRT16] M. R. Albrecht, L. Grassi, C. Rechberger, A. Roy, and T. TiessenMiMC: Efficient Encryption and Cryptographic Hashing withMinimalMultiplicativeComplexityASIACRYPT 2016
[ARSTZ15] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, andM. ZohnerCiphers forMPC and FHEEUROCRYPT 2015
[CCFLNPS16] A. Canteaut, S. Carpov, C. Fontaine, T. Lepoint, M. Naya-Plasencia, P. Paillier, andR. SirdeyStreamCiphers: A Practical Solution for Efficient Homomorphic-CiphertextCompressionFSE 2016
Rasta
Bibliography II
[Dae95] J. Daemen,Cipher and hash function design – Strategies based on linear and differentialcryptanalysis,http://jda.noekeon.org/JDA_Thesis_1995.pdf,PhD thesis, Katholieke Universiteit Leuven, 1995.
[MJSC16] P.Meaux, A. Journault, F.-X. Standaert, and C. CarletTowards StreamCiphers for Efficient FHEwith Low-Noise CiphertextsEUROCRYPT 2016
