Embed Size (px)
Citation preview
Similarities between encryption
and decryption: how far can we go?
Anne Canteaut
Inria, France and DTU, Denmark
http://www-rocq.inria.fr/secret/Anne.Canteaut/
SAC 2013
based on a joint work with Lars Knudsen and Gregor Leander
Outline
• Low-latency and lightweight ciphers
• Minimizing the overhead of decryption: involutional ciphers and
involutional building-blocks
• Minimizing the overhead of decryption: re�ection ciphers
• PRINCE
1
Iterated block ciphers
F (1) - F (2) -
e ee... F (r) ---
key schedule
? ? ?
?
k1 k2 kr
plaintext x y ciphertext
K master key
where each F (i) is a keyed permutation of Fn2 .
2
Lightweight block ciphers
AES [Daemen-Rijmen 98][FIPS PUB 197]
• blocksize: 128 bits
• Sbox operates on 8 bits
• linear di�usion layer is a linear permutation of(F28
)4To make it smaller in hardware:
• blocksize: 64 bits
• smaller Sbox, on 3 or 4 bits
• linear di�usion layer over a smaller alphabet
• simpli�ed key-schedule
3
The usual design strategy: PRESENT [Bogdanov et al. 07]
S S S S S S S S S S S S S S S S
ski
64 bits
31 rounds (+ a key addition)
4
Lightweight but secure...
Increase the number of rounds!
• PRESENT [Bogdanov et al. 07]. 31 rounds
• LED [Guo et al. 11]:
LED-64: 32 rounds, LED-128: 48 rounds
• SPECK [Beaulieu et al. 13]:
SPECK64/128: 27 rounds, SPECK128/256: 34 rounds
• SIMON [Beaulieu et al. 13]:
SIMON64/128: 44 rounds, SIMON128/256: 72 rounds
5
Does lightweight mean �light + wait�? [Kneºevi¢ et al. 12]
6
Does lightweight mean �light + wait�? [Kneºevi¢ et al. 12]
7����������/
oSSSSSSSSSSw� -
SECURITY
SPEED AREA
Low-latency encryption.
• Memory encryption
• VANET (Vehicular ad-hoc network)
• encryption for high-speed networking...
7
How can we design a fast and lightweight cipher?
Unrolled implementation.
• small number of rounds;
• each round of encryption and decryption should have
a low implementation cost;
• the rounds do not need to be similar.
Related open problem.
Is it possible to provide security arguments for a cipher iterating
very di�erent rounds?
8
Minimizing the overhead of decryption:
involutional building-blocks
9
When lightweight encryption was really an issue...
http://www.nsa.gov/museum/enigma.html
10
Scherbius' solution: add a re�ector
A
B
C
D
E
F
�
�A
B
C
D
E
F
�
�
�
�B
D
A
B
C
D
E
F
A
C
E
F
B
D
A
B
C
D
E
F
A
C
E
F
B
D
A
B
C
D
E
F
A
C
E
F
keyboard re�ectorlampboard
EK = F−1K ◦M ◦ FK where M = M−1
11
Can EK be an involution?
Fixed points.[Youssef-Tavares-Heys 96]
• A random permutation of Fn2 has 1 �xed point on average;
• A random involution of Fn2 has 2n2 +O(1) �xed points.
In particular, for EK = F−1K ◦M ◦ FK
EK has the same cycle structure (and the same number of �xed
points) as M .
• Enigma: the re�ector has no �xed points;
• DES with a weak key: M is the swapping of the 2 halves
→ It has 232 �xed points [Coppersmith 85].
12
Add some whitening keys [Rivest 84]
FX construction
� ��+ --
?
k0
� ��+ --
?
k2
F?
k1
cm
Slide attack with complexity 2n+1
2
[Youssef-Tavares-Heys 96][Dunkelman et al. 12]
� ��+ --? � ��+ --
? cF?
k1k0
yx
k2
m
� ��+ --? � ��+ --
?F?
k1k0
y x
k2
m′ c′
If (m, c) and (m′, c′) satisfy m⊕ c = m′ ⊕ c′,then check whether k0 ⊕ k2 = m′ ⊕ c .
13
Using involutional building-blocks
Examples:
• Feistel ciphers
• involutional SPNs [Youssef-Tavares-Heys 96]
• Khazad [Barreto-Rijmen 00]
• ANUBIS [Barreto-Rijmen 00]
• NOEKEON [Daemen et al. 00]
• ICEBERG [Standaert et al. 04]...
14
AES superbox
S S S S
k+?
k+?
k+?
k+?
S S S S
????
L
?
?
? ?
? ? ?
? ? ??
?
- - - -K
S is a permutation over Fm2
The di�usion layer is linear over F2m and has maximal branch number.
15
Involutional Sboxes with an SPN
Maximal expected probability for a two-round di�erential:
MEDP2 = maxa6=0,b
Prx,K[∆EK(x) = b|∆x = a]
For the AES Sbox S(x) = `(x254):
MEDP2 = 53× 2−34 [Keliher-Sui 07]
For the naive Sbox S(x) = x254:
MEDP2 = 79× 2−34 [Daemen-Rijmen 06]
→ Highest possible value for a function having similar values in its
di�erence table [Park et al. 03]
16
A new bound (particular case) [C.-Roué 13]
Consider an SPN with a nonlinear layer composed of t parallel appli-
cations of a function S over F2m and with an MDS linear di�usion
layer over F2m, if S(x) = `(xs) or S(x) = (`(x))s where ` is an a�ne
permutation of Fm2 , we have
MEDP2 ≤ 2−m(t+1) max1≤u≤t
maxα,β 6=0
∑γ∈F∗2m
δ(α, γ)uδ(γ, β)t+1−u
where δ(a, b) = #{x ∈ Fm2 , S(x+ a) + S(x) = b}.
Moreover, the bound is tight for all MDS linear layers if one of the
following conditions holds:
• S(x) = xs;
• S(x) = `(xs) and the maximum is attained for u = 1.
17
Di�erence table of the inverse function over F16
1 ζ ζ2 ζ3 ζ4 ζ5 ζ6 ζ7 ζ8 ζ9 ζ10 ζ11 ζ12 ζ13 ζ14
1 4 0 0 0 0 2 0 2 0 0 2 2 0 2 2
ζ 0 0 0 0 2 0 2 0 0 2 2 0 2 2 4
ζ2 0 0 0 2 0 2 0 0 2 2 0 2 2 4 0
ζ3 0 0 2 0 2 0 0 2 2 0 2 2 4 0 0
ζ4 0 2 0 2 0 0 2 2 0 2 2 4 0 0 0
ζ5 2 0 2 0 0 2 2 0 2 2 4 0 0 0 0
ζ6 0 2 0 0 2 2 0 2 2 4 0 0 0 0 2
ζ7 2 0 0 2 2 0 2 2 4 0 0 0 0 2 0
ζ8 0 0 2 2 0 2 2 4 0 0 0 0 2 0 2
ζ9 0 2 2 0 2 2 4 0 0 0 0 2 0 2 0
ζ10 2 2 0 2 2 4 0 0 0 0 2 0 2 0 0
ζ11 2 0 2 2 4 0 0 0 0 2 0 2 0 0 2
ζ12 0 2 2 4 0 0 0 0 2 0 2 0 0 2 2
ζ13 2 2 4 0 0 0 0 2 0 2 0 0 2 2 0
ζ14 2 4 0 0 0 0 2 0 2 0 0 2 2 0 2
18
MEDP2 for AES and variants
2−m(t+1) max1≤u≤t
maxα,β 6=0
∑γ∈F∗2m
δ(α, γ)uδ(γ, β)t+1−u
AES Sbox S(x) = `(x254).
→MEDP2=53× 2−34
Naive Sbox S(x) = x254.
δ(a, b) = δ(b, a)
maxα,β 6=0
∑γ∈F∗2m
δ(α, γ)uδ(γ, β)t+1−u = maxα,β 6=0
∑γ∈F∗2m
δ(α, γ)uδ(β, γ)t+1−u
= maxα6=0
∑γ∈F∗2m
δ(α, γ)t+1
→MEDP2=79× 2−34
19
Minimizing the overhead of decryption:
re�ection ciphers
20
Re�ection ciphers
De�nition. A block cipher E is a re�ection cipher if there exists a
permutation P of the key space such that, for all K,
(EK)−1 = EP (K)
Examples.
• Feistel cipher with independent round keys:
P (k1, . . . , kr) = (kr, . . . , k1)
• RSA:
P = inversion modulo (p− 1)(q − 1).
21
Properties of the coupling permutation
(EK)−1 = EP (K)
implies
EK = EP 2(K)
Choice of P .
P should be an involution.
Example:
P (K) = K ⊕ α
22
Iterated re�ection cipher with P (K) = K ⊕ α
Encryption:
F1-
?
K
F2-
?
K
Fr-
?
K
F−12
-
?
K⊕α
F−11
-
?
K⊕α
- -M- F−1r
--
?
K⊕α
m c
Decryption:
F1-
?
K⊕α
F2-
?
K⊕α
Fr-
?
K⊕α
F−12
-
?
K
F−11
-
?
K
- -M- F−1r
--
?
K
c m
where M is an involution.
23
Example of a re�ection cipher with P (k1, k2) = (k2 ⊕ α, k1 ⊕ α)
F1-
?
k1
F2-
?
k2
Fr-
?
k1
F−12
-
?
k1⊕α
F−11
-
?
k2⊕α
- -M- F−1r
--
?
k2⊕α
m c
(E(k1,k2)
)−1= E(k2⊕α,k1⊕α)
For all keys with k2 = k1 ⊕ α, the cipher is an involution,
and it has the same number of �xed points as M .
→ Large class of weak keys.
24
Fixed points of the coupling permutation
Fixed points of P .
The keys for which the encryption function is an involution can be
detected with O(2n2 ) plaintext-ciphertext pairs.
Choice of P .
P should be an involution without �xed points.
Example:
P (K) = K ⊕ α
25
On related-key distinguishers for re�ection ciphers
Trivial related-key distinguishers:
are not considered.
(they may be important in some scenarios, e.g., [Iwata-Kurosawa 03])
Related-key distinguishers:
may have an impact in a single-key model.
A related-key distinguisher for EK involving two keysK andK′ relatedby K′ = P (K) is a distinguisher in the single-key model.
→ Related-key distinguishers may be relevant!
26
On di�erential related-key distinguishers
Distinguishers involving K and K′ = P (K) should be avoided.
Two strategies:
• Choose P such that the existence of such distinguishers is very
unlikely, e.g., such that K ⊕ P (K) has always a high weight;
• Choose P such that such related-key distinguishers can
be exploited for a few K only.
Trade-o� between
minK
wt(K ⊕ P (K)) and maxδ
#{K : K ⊕ P (K) = δ}
For P (K) = K ⊕ α where wt(α) is high, we maximize
the �rst quantity.
27
PRINCE
28
Re�ection cipher with P (K) = K ⊕ α
n+- - -n+- - - n+- n+- - n+- - n+- -M- F−1r
-F2 FrF1 F−12
- F−11
?
k
?
k
?
k
?
k⊕α
?
k⊕α
-?
k⊕α
m c
29
Increasing the key length
FX construction [Rivest 84]
k = (k0||k1)
����+ --
?
k0
����+ --
?
π(k0)
PRINCEcore
?
k1
cm
with π(x) = (x ≫ 1)⊕ (x� 63)
→ (k0 ⊕ k1, π(k0)⊕ k1) takes all possible values when (k0, k1) varies.
30
Security of the FX construction [Kilian-Rogaway 96]
FXk0,k1,k2(m) = Fk1
(m⊕ k0)⊕ k2
FXk F, F−1
6
?
6
?
π F, F−1
6
?
6
?
k0, k1, k2
-
6
A
m (x, k)
The advantage of any adversary who makes D queries to E = FX
and T queries to (F, F−1) is at most
DT2−(κ1+n−1)
31
Impact of the re�ection property on the FX construction
Ideal re�ection cipher with coupling permutation P .
If P is an involution without �xed points, the key space can be
decomposed as
Fκ12 = H ∪ P (H)
where H contains half of the keys.
Let F be an ideal block cipher with key space H.
We extend it by
F̃k(x) =
Fk(x) if k ∈ HF−1P (k)
(x) if k ∈ P (H)
Security of the F̃X construction.
The advantage of any adversary who makes D queries to E = F̃X
and T queries to (F, F−1) is at most
DT2−(κ1+n−2) .
32
Parameters
• Block size: 64 bits
• Key size: 128 bits
• Nb of Sbox layers: 12
Security claim in the single-key model:
126-bit security
There is no attack with time and data complexities are such that
DT � 2126
Best attack.
MitM attack on 8 rounds with DT = 2124
[C. Naya-Plasencia Vayssière 13].
33
Conclusions and open issues
• Involutional building-blocks may introduce some weaknesses in
some cases. How can we use them in secure way?
• Re�ection ciphers considerably reduce the overhead on decryptionon top of encryption for unrolled implementations.
• Find some other key schedules (work in progress).
34
