Permutation-based symmetric cryptography and Keccak

Joan Daemen (1)
joint work with Guido Bertoni (1), Michaël Peeters (2) and Gilles Van Assche (1)
(1) STMicroelectronics, (2) NXP Semiconductors
Ecrypt II, Crypto for 2020, Tenerife, January 22 to 24, 2013
Outline
1. Mainstream symmetric cryptography
2. Permutation-based cryptography
3. On the efficiency of permutation-based cryptography
4. Requirements for the permutation
5. Keccak
6. Conclusions
Mainstream symmetric cryptography
Symmetric crypto: what textbooks and intros say
Symmetric cryptographic primitives:
  Block ciphers
  Stream ciphers
    Synchronous
    Self-synchronizing
  Hash functions
    Non-keyed
    Keyed: MAC functions
And their modes-of-use
The hash function cliché
Hash functions:
But MD5, SHA-1, etc.: just block ciphers in some mode
You can do everything with a block cipher
Block encryption: ECB, CBC, …
Stream encryption:
  synchronous: counter mode, OFB, …
  self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …
Hashing and its modes HMAC, MGF1, …
Authenticated encryption: OCB, GCM, CCM …
Seems like this is closer to the truth nowadays
Block cipher:
Block cipher operation
Block cipher operation: the inverse
When do you need the inverse?
Indicated in red:
Hashing and its modes HMAC, MGF1, …
Block encryption: ECB, CBC, …
Stream encryption:
  synchronous: counter mode, OFB, …
  self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …
Authenticated encryption: OCB, GCM, CCM …
Most schemes with misuse-resistant claims
So for most uses you don’t need the inverse!
Internals of a typical block cipher
Hashing use case: Davies-Meyer compression function
Removing unnecessary diffusion restriction
Simplifying the view: iterated permutation
Where can you plug in a permutation?
In all modes but those in red:
Hashing and its modes HMAC, MGF1, …
Block encryption: ECB, CBC, …
Stream encryption:
  synchronous: counter mode, OFB, …
  self-synchronizing: CFB
MAC computation: CBC-MAC, C-MAC, …
Authenticated encryption: OCB, GCM, CCM …
But also nice opportunity to clean up the modes!
Permutation-based cryptography
The sponge construction
f: a b-bit permutation with b = r + c
  efficiency: processes r bits per call to f
  security: provably resists generic attacks up to 2^(c/2)
Flexibility in trading rate r for capacity c or vice versa
What can we say about sponge security
Proof of security against generic attacks:
assuming f has been chosen randomly
tight: as sound as theoretically possible
limitation: inner collisions in c-bit inner part
Security for a specific choice of f
security proof is infeasible
design f with attacks in mind
assurance by absence of attacks despite public scrutiny
Security claim: target for attacks
tight claim: no attacks better than generic attacks
Hermetic Sponge Strategy
weaker claims relax conditions on f
Regular hashing
Pre-sponge permutation-based hash functions
Truncated permutation as compression function: Snefru [Merkle ’90], FFT-Hash [Schnorr ’90], … MD6 [Rivest et al. 2007]
Streaming-mode: Subterranean, Panama, RadioGatún, Grindahl [Knudsen, Rechberger, Thomsen, 2007], …
Message authentication codes
Pre-sponge (partially) permutation-based MAC function:
Pelican-MAC [Daemen, Rijmen 2005]
Stream encryption
Similar to block cipher modes:
Long keystream per IV: like OFB
Short keystream per IV: like counter mode
Independent permutation-based stream ciphers: Salsa and ChaCha [Bernstein 2007]
Mask generating function
Authenticated encryption: MAC generation
Authenticated encryption: encryption
Authenticated encryption: just do them both?
The duplex construction
Object: D = duplex[f, pad, r]
Requesting ℓ-bit output Z = D.duplexing(σ, ℓ)
Generic security provably equivalent to that of sponge
SpongeWrap authenticated encryption
Single-pass authenticated encryption
Processes up to r bits per call to f
Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting, 2004]
What textbooks and intros should say from now on :-)
Symmetric cryptographic primitives:
Permutations
Block ciphers
Stream ciphers
Hash functions
Non-keyed
Keyed: MAC functions
And their modes-of-use
On the efficiency of permutation-based cryptography
Efficiency: working memory required for hashing
Assume security strength c/2
Davies-Meyer block cipher based hash (“narrow pipe”)
  chaining value (block size): n ≥ c
  input block size (key length): typically k ≥ n
  feedforward (block size): n
  total state ≥ 3c
Sponge (“huge state”)
  permutation width: c + r
  r can be made arbitrarily small, e.g. 1 byte
  total state ≥ c + 8
Similar arguments apply to other use cases
Efficiency: speed of keyed permutation modes
One cryptographic expert’s opinion:
“The sponge construction is a pretty poor way to encrypt. One either gets high-speed but low security or low-speed and high security.”
Keccak showed that sponge can be secure and fast
Not significantly slower than block cipher modes
But very fast dedicated primitives exist for:
MAC computation
stream encryption, well at least for long cleartexts
Boosting keyed permutation modes
1. Keyed modes have higher generic security level
   generic security strength level c − a instead of c/2
   with 2^a ranging from 1 to the data complexity
   allows increasing the rate by c/2 − a bits
2. Keyed modes seem harder to attack
   in keyed modes attacker has less power
   allows decreasing number of rounds in permutation
3. Introducing functionally optimized constructions
   donkeySponge: MAC computation
   monkeyDuplex: nonce-imposing (authenticated) encryption
Reducing rounds for keyed modes
MD5 hash function [Rivest 1992]
unkeyed: constructing fake certificates [Stevens et al. 2009]
keyed: very little progress in 1st pre-image generation
Panama hash and stream cipher [Clapp, Daemen 1998]
unkeyed: instantaneous collisions [Daemen, Van Assche 2007]
keyed: stream cipher unbroken till this day
Keccak crypto contest with reduced-round challenges
unkeyed: 4-round collisions [Dinur, Dunkelman, Shamir 2012]
keyed: pre-image up to 2 rounds only [Morawiecki 2011]
In keyed modes use a permutation with fewer rounds
e.g. for Keccak: speedup factor up to 3
while still offering a comfortable safety margin
Introducing functionally optimized constructions
Sponge and duplex are generic modes
flexible and multi-purpose
do not exploit mode-specific features
MAC computation
before squeezing adversary has no information about state
relaxes requirements on f during absorbing
Authenticated encryption in presence of nonces
nonce can be used to decorrelate computations
The donkeySponge MAC construction
Usage of full state width b during absorbing, as in [Pelican-MAC]
n_absorb determined by max DP over n_absorb rounds of f
Spectacular speedup especially for small b
Requirements for the permutation
Desired cryptographic properties of the permutation
Classical LC/DC criteria
absence of large differential propagation probabilities
absence of large input-output correlations
study trail weights and clustering
Immunity to
integral cryptanalysis
algebraic attacks
slide and symmetry-exploiting attacks
…
Infeasibility of the CICO problem
The CICO problem
Given partial input and output, determine remaining parts
Important in many attacks
Generalization: multi-target
Pre-image generation in hashing
State recovery in stream encryption
Keccak
Keccak-f: the permutations in Keccak
Operates on 3D state:
[Figure: the 3D state with axes x, y and z; successive views highlight the state, a row, a column, a slice and a lane]
(5 × 5)-bit slices
2^ℓ-bit lanes
param. 0 ≤ ℓ < 7
Round function with 5 steps:
  θ: mixing layer
  ρ: inter-slice bit transposition
  π: intra-slice bit transposition
  χ: non-linear layer
  ι: round constants
# rounds: 12 + 2ℓ for b = 2^ℓ × 25
  12 rounds in Keccak-f[25]
  24 rounds in Keccak-f[1600]
By default: r = 1024, c = 576
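As an added example (not code from the talk or from the Keccak team), the sponge construction and the five-step Keccak-f[1600] round function described in these slides can be written out in Python. The function names and the byte-level `suffix` parameter are choices made here; the SHA-3 settings (rate 1088, domain suffix 0x06) come from FIPS 202, which postdates the talk, and serve only to check the permutation against `hashlib`.

```python
import hashlib

B, W = 1600, 64          # permutation width b = 25 * 2^l bits, lane size 2^l (l = 6)
MASK = (1 << W) - 1

def rol(v, n):
    n %= W
    return ((v << n) | (v >> (W - n))) & MASK

def keccak_f1600(a):
    """12 + 2*l = 24 rounds on 25 lanes, stored as a[x + 5*y]."""
    a, lfsr = list(a), 1
    for _ in range(24):
        # theta: add to every bit the parities of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho rotates bits along each lane, pi moves the lanes within the slices
        x, y, cur = 1, 0, a[1]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x + 5 * y] = a[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied to every 5-bit row
        a = [a[x + 5 * y] ^ (~a[(x + 1) % 5 + 5 * y] & a[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]
        # iota: round constant from an 8-bit LFSR, added to lane (0, 0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            if lfsr & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return a

def sponge(msg, rate_bits, out_len, suffix=0x01):
    """Absorb msg r bits per call to f, then squeeze out_len bytes.

    suffix=0x01 is the plain pad10*1 padding; SHA-3 and SHAKE put domain
    bits in front of it (0x06, 0x1F). Assumes suffix < 0x80.
    """
    assert rate_bits % 8 == 0 and 0 < rate_bits < B
    r = rate_bits // 8
    # pad10*1 at byte level: first padding bit inside `suffix`, last one is 0x80
    padded = bytearray(msg) + bytes([suffix]) + bytes(-(len(msg) + 1) % r)
    padded[-1] ^= 0x80
    state = [0] * 25
    for off in range(0, len(padded), r):
        # input only touches the outer r bits; the c-bit inner part gets zeros
        block = bytes(padded[off:off + r]) + bytes(B // 8 - r)
        state = keccak_f1600([s ^ int.from_bytes(block[8 * i:8 * i + 8], "little")
                              for i, s in enumerate(state)])
    out = b""
    while True:
        out += b"".join(s.to_bytes(8, "little") for s in state)[:r]
        if len(out) >= out_len:
            return out[:out_len]
        state = keccak_f1600(state)

if __name__ == "__main__":
    # Keccak with the default from the slide: r = 1024, c = 576
    print(sponge(b"", 1024, 32).hex())
    assert sponge(b"abc", 1088, 32, 0x06) == hashlib.sha3_256(b"abc").digest()
```

Lowering `rate_bits` raises the capacity c = 1600 − r and with it the generic security bound, at the cost of more calls to f per message.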
The χ non-linear layer
Convolutional transformation rather than S-box
Finding simpler/cheaper would be hard
The θ mixing layer
[Figure: computing θ: column parity, θ effect, combine]
Much cheaper than MDS and still good average diffusion
Bad worst-case diffusion: kernel
Addressed in bit transpositions ρ and π
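The kernel remark above, as an added example (not from the talk): θ on the Keccak-f[1600] state, applied to two constructed differences. The helper names are choices made here; because θ is linear, applying it to a difference shows how that difference propagates.

```python
W = 64                      # lane size for Keccak-f[1600]
MASK = (1 << W) - 1

def rol1(v):
    """Rotate a lane by one position along z."""
    return ((v << 1) | (v >> (W - 1))) & MASK

def theta(a):
    """theta on 25 lanes a[x + 5*y]: bit (x, y, z) receives the parities
    of columns (x-1, z) and (x+1, z-1)."""
    c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
    d = [c[(x + 4) % 5] ^ rol1(c[(x + 1) % 5]) for x in range(5)]
    return [a[i] ^ d[i % 5] for i in range(25)]

def difference(bits):
    """Constructed state difference with the given (x, y, z) bits set."""
    a = [0] * 25
    for x, y, z in bits:
        a[x + 5 * y] ^= 1 << z
    return a

def weight(a):
    return sum(bin(lane).count("1") for lane in a)

def spread(bits):
    """Hamming weight of a difference before and after theta."""
    d = difference(bits)
    return weight(d), weight(theta(d))

if __name__ == "__main__":
    # A single active bit makes its column parity odd: theta spreads it
    # to two full columns, 1 + 5 + 5 = 11 bits.
    print(spread([(0, 0, 0)]))              # (1, 11)
    # Two active bits in the same column leave every column parity even:
    # the difference is in the kernel and theta does not touch it.
    print(spread([(0, 0, 0), (0, 1, 0)]))   # (2, 2)
```

Kernel states pass through θ unchanged, which is why ρ and π have to move the active bits into different columns before the next round.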
Some distinguishing Keccak features
Strong symmetry enabling different implementation options
lane-wise, slice-wise
bit interleaving
see [Keccak 1001 ways] and [Keccak implementation overview]
Lightweight mixing and non-linear layers
global approach instead of local optimization
Different from both ARX and AES-based
rebound/truncated not applicable thanks to weak alignment
no complexity due to carry propagation
challenge: improve trail weight bounds of [Daemen, Van Assche, FSE 2012]
Conclusions
Iterated permutations
are versatile and efficient cryptographic primitives
allow cleaner and more flexible modes
Cryptanalysis of iterated permutations
no more key schedule or message expansion
introducing the CICO problem
Keccak may inspire
new designs: lightweight, weakly aligned, symmetric, …
new research: trail weight bound techniques, …
new attacks: no assurance without scrutiny!
Questions?
Thanks for your attention!
More information on
http://keccak.noekeon.org/
http://sponge.noekeon.org/