Post on 17-Jun-2020
Introduction to sponge-based cryptography Part 2: Keyed modes
Introduction to sponge-based cryptographyPart 2: Keyed modes
Joan Daemen
STMicroelectronics and Radboud University
SPACE 2016Hyderabad, India, December 14, 2016
1 / 59
Introduction to sponge-based cryptography Part 2: Keyed modes
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
2 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
3 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
RadioGatún [Keccak team, NIST 2nd hash workshop 2006]
XOF: eXtendable Output FunctionProblem: expressing security claimSearch for random oracle but then with inner collisions
4 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
(Early) Sponge at Dagstuhl, January 2007
Screenshot:
5 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
Generic security of Sponge [KT, Ecrypt hash, September 2007 ]
Random sponges:T-sponge: f is random transformationP-sponge: f is random permutation
Theorem: if no inner collisions, output is uniformly randominner collision: different inputs leading to same inner stateProbability of inner collision:
M2
2c+1 with M : # calls to f
6 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
Promoting sponge from reference to usage (2007-2008)
RadioGatún cryptanalysis (1st & 3rd party): not promisingNIST SHA-3 deadline approaching …U-turnSponge with strong permutation f: Keccak [KT, SHA-3, 2008]
M pad trunc Z
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
7 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
Distinguishing random sponge from random oracle
Distinguishing advantage: 2−c−1M2
Problem: in real world, adversary has access to f
8 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesSponge
Differentiating random sponge from random oracle
Indifferentiability framework [Maurer, Renner & Holenstein, 2004]Applied to hashing [Coron, Dodis, Malinaud & Puniya, 2005]Random oracle augmented with simulator for sake of proofDifferentiating advantage: M2/2c+1 [KT, Eurocrypt 2008]
9 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
10 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Message authentication codes
0 f f
Key
…
Padded message
f ff
MAC
11 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Stream encryption
0 f f
Key IV
f
Key stream
Long output stream per IV: similar to OFB modeShort output stream per IV: similar to counter mode
12 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Authenticated encryption: spongeWrap [KT, SAC 2011]
0 f f
Key
…
Padded messageIV
f
Key stream
ff
MAC
Adopted by several CAESAR candidatesBut this is no longer sponge
13 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
The duplex construction [KT, SAC 2011]
0
0
r
c
outerinner
initialize
pad trunc
f
duplexing
σ0 Z0
pad trunc
f
duplexing
σ1 Z1
pad trunc
f
duplexing
σ2 Z2
…
Generic security equivalent to that of sponge
14 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Generating duplex responses with a sponge
Z0 = sponge(σ0, ℓ0)
15 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Generating duplex responses with a sponge
Z1 = sponge(pad(σ0)||σ1, ℓ1)
16 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Generating duplex responses with a sponge
Z2 = sponge(pad(σ0)||pad(σ1)||σ2, ℓ2)
17 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge
Keyed sponge: distinguishing setting
Straightforward bound: M2/2c+1 + M/2k
Security strength s: expected complexity of succesful attackstrength s means attack complexity 2s
bounds can be converted to security strength statementsHere: s ≤ min(c/2, k)
e.g., s = 128 requires c = 256 and k = 128c/2: birthday bound
18 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
19 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
More fine-grained attack complexity
Splitting attack complexity:queries to construction: data complexity Mqueries to f or f−1: computational complexity N
Our ambition around 2010: M2/2c+1 + NM/2c + N/2k
If we limit data complexity M ≤ 2a ≪ 2c/2:s ≤ min(c− a, k)e.g., s = 128 and a = 64 require c = 192 and k = 128
20 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Intuition behind NM/2c
success probability per guess: 1/2c
21 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Intuition behind NM/2c
µ ≤ M instances with same partial r-bit inputsuccess probability per guess: µ/2c
22 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Intuition behind NM/2c
µ ≤ M instances with same partial r-bit inputsuccess probability per guess: µ/2c
22 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Intuition behind NM/2c
µ ≤ M instances with same partial r-bit inputsuccess probability per guess: µ/2c
22 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
An initial attempt [KT, SKEW 2011]
bound: M2/2c+1 + NM/2c−1 + N/2k
Problems and limitationsbound did not cover multi-target (key) attacksproof did not convince reviewersnew variant (a.o. in CAESAR): inner-keyed sponge:
M pad trunc Z
outerinner
0
K
r
c
f f f f f f
absorbing squeezing
23 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
[Andreeva, Daemen, Mennink, Van Assche, FSE 2015]
Inner/outer-keyed, multi-target (n), multiplicity µ
Modular proof using Patarin’s H-coefficient techniqueBound: M2/2c+1 + µN/2c−1 + nN/2k + . . .
A
...
KSK1
KSK2
KSKn
f ?...
RO1
RO2
ROn
f
24 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015]
Absorbing on full permutation width does not degrade boundsWe decided to use that insight in Keyak v2But proven bounds had some limitations and problems:
term µN/2k rather than µN/2c
no multi-key securitymultiplicity µ only known a posteriori
25 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesBeyond birthday-bound security
Full-state absorbing! [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015]
Absorbing on full permutation width does not degrade boundsWe decided to use that insight in Keyak v2But proven bounds had some limitations and problems:
term µN/2k rather than µN/2c
no multi-key securitymultiplicity µ only known a posteriori
25 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
26 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
The new core: (full-state) keyed duplex
±
Kf
iv
Z ¾
f
Z ¾
f
Z ¾
…
Full-state absorbing, no padding: |σ| = bInitial state: concatenation of key k and IVMulti-key: k selected from an array K with index δ
Re-phased: f,Z, σ instead of σ, f,Z≈ all keyed sponge functions are modes of this
27 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
Generic security of keyed duplex: the setup
±
Kf
IV
Z ¾
f
Z ¾
f
Z ¾
… f
x y
?
(±, IV)
Path
¾
RO
Z
f
x y
Ideal function: Ideal eXtendable Input Function (IXIF)RO-based object with duplex interfaceIndependent outputs Z for different paths
Further refine adversary’s capabilityL: # queries to keyed duplex/RO with repeated pathqIV : maxIV # init queries with different keys
28 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
Generic security of keyed duplex: the bound
±
Kf
IV
Z ¾
f
Z ¾
f
Z ¾
… f
x y
?
(±, IV)
Path
¾
RO
Z
f
x y
L2/2c+1 + (L + 2ν)N/2c + qIVN/2k + . . .
with ν: chosen such that probability of ν-wise multi-collision in setof M r-bit values is negligible
Joint work with Gilles Van Assche and Bart Mennink, in submission29 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
Application: counter-like stream cipher
Only init calls, each taking Z as keystream blockIV is nonce, so L = 0Assume M ≪ 2r/2: ν = 1
Bound:(2ν)N/2c + qIVN/2k + . . .
Strength:s ≤ min(c− 1, k− log2(qIV))
30 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyed sponge, refactored
Application: lightweight MAC
Message padded and fed via IV and σ blockst-bit tag, squeezed in chunks of r bits: c = b− radversary chooses IV so L ≈ M = 2a
qIV is total number of keys n
Bound:M2/2c+1 + MN/2c−1 + nN/2k + . . .
Strength:s ≤ min(b− a− r− 1, k− log2(n))
Imposes a minimum width of the permutation:
b > s + a + r
31 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
32 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
What is authenticated encryption (AE)?
Messages and cryptogramsM = (AD,P) message with associated data and plaintextMc = (AD,C,T) cryptogram with assoc. data, ciphertext andtag
All of M is authenticated but only P is encryptedwrapping: M to Mcunwrapping: Mc to M
Symmetric cryptography: same key used for both operationsAuthentication aspect
unwrapping includes verification of tag Tif not valid, it returns an error ⊥
Note: this is usually called AEAD
33 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
The CAESAR competition
Public competition for AE schemesconsortium from academia and industryaims for portfolio instead of single winnerCAESAR committee (secretary Dan Bernstein)
Timelinesubmission deadline: March 15, 2014end of round 1: July 7, 2015end of round 2: August 15, 2016target end date: December 2017
Status:Round 1: 57 candidatesRound 2: 29Round 3: 15 left
http://competitions.cr.yp.to/caesar-submissions.html34 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Limitations of AE
No protection against traffic analysisAE does not hide length and number of messagesto be addressed separately: random padding and dummymessages
Determinism: equal messages lead to equal cryptogramsinformation leakageconcern of replay attackssolution: ensure message uniqueness at wrapping endinclude nonce N in input when wrapping
wrapping becomes statefula simple message counter suffices
From now on we always include a nonce N
35 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Functional behaviour
Wrapping:state: K and past nonces Ninput: M = (N,AD,P)output: C,T or ⊥processing:
if (N ∈ N ) return ⊥else add N to N and return C,T←Wrap[K](N,AD,P)
Unwrapping:state: Kinput: Mc = (N,AD,C,T)output: P or ⊥processing:
return Unwrap[K](N,AD,C,T): P if valid and ⊥ otherwise
36 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Sessions
Session: tag in cryptogram authenticates also previousmessages
full sequence of messages since the session startedAdditional protection against:
insertion,omission,re-ordering of messages within a session
Attention point: last message of sessionAlternative views:
split of a long cryptogram in shorter onesintermediate tags
See [Bellare, Kohno and Namprempre, ACM 2003], [Keccak Team, SAC2011], [Boldyreva, Degabriele, Paterson, Stam, EC 2012] and [Hoang,Reyhanitabar, Rogaway and Vizár, 2015]
37 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Functional behaviour, with sessions
K, N1 AD(1) P(1)
C(1) T(1)
AD(2) P(2)
C(2) T(3)
AD(3) P(3)
C(3) T(2)
Session start: creation of stateful session object Dif (N ∈ N ) (past nonces) return ⊥else add N to N and create D with State← Start(K,N)
Wrappingreturn C(i),T(i) ← D.Wrap(AD(i),P(i))this updates State
Unwrappingreturn D.Unwrap(AD(i),C(i),T(i)): P(i) or ⊥in case of no error, this updates State
38 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Why (session-based) authenticated encryption?
Convenienceoften both are confidentiality and integrity are neededone scheme to choose instead of two
Efficiencycombination can be more efficient than sum of the two, e.g.,CBC encryption and CMAC: 2 block cipher calls per inputblockOCB3 AE: 1 block cipher call per input blocksponge-based AE: 1 permutation call per input block
Reduction of attack surfacedifferential attacks limited to session setup due to noncechosen ciphertext attacks ineffective due to ⊥
Increase of robustness against fault attacksin wrap due to nonce requirementin unwrap due to ⊥
39 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
An ideal AE scheme
Underlying primitive: random oracle ROoutput length ℓ implied by the contextROe(·) = RO(·||1) for encryptionROa(·) = RO(·||0) for tag computation
Wrappingif (N ∈ N ) it return ⊥C← ROe(K||N||AD)⊕ PT← ROa(K||N||AD||P)
UnwrappingP← ROe(K||N||AD)⊕ CT′ ← ROa(K||N||AD||P)If (T′ ̸= T) return ⊥, else return P
Note: RO input shall be uniquely decodable in K, N AD & P
40 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Ideal AE scheme, now supporting sessions
Starting the sessionif (N ∈ N ) it return ⊥History← K||N
Wrapping of M(i) = (AD(i),P(i))
History← History||AD(i)||1 and C(i) ← RO(History)⊕ P(i)
History← History||P(i)||0 and T(i) ← RO(History)return (C(i),T(i))
Unwrapping of M(i)c = (AD(i),C(i),T(i))
save current state in case of error: S′ ← HistoryHistory← History||AD(i)||1 and P(i) ← RO(History)⊕ C(i)
History← History||P(i)||0 and τ ← RO(History)if (τ = T(i)) return P(i),else History← S′ and return ⊥
Note: History shall be uniquely decodable in K, N AD(i) & P(i)
41 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Security of the ideal AE scheme
Attack model: adversary can adaptively query:Start, respecting nonce uniqueness (not counted),D.Wrap (qw times) and D.Unwrap (qu times)RO(x): n times
Input to RO(K||·) never repeats: outputs are uniformlyrandom
intra-session: each input to RO is longer than previous oneinter-session: first part of RO input (N,K) never repeatedSo cryptograms C(i) and tags T(i) are uniformly random
42 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Security of our ideal AE scheme (cont’d)
Forgery:building sequence of valid cryptograms M(1)
c . . . M(ℓ)c
not obtained from calls to wrap for some M(1) . . . M(ℓ)
Privacy break:learning on plaintext bits of M(ℓ)
cwithout unwrapping all of M(1)
c . . . M(ℓ)c
Complete security breakdown: key recoverysingle target key: getting one specific keymultiple target: getting one key out of m target keys
43 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Security of our ideal AE scheme (cont’d 2)
Forgerybest strategy: send random but well-formatted cryptogramssuccess probability for qu attempts: qu2−|T|
Privacy breakbest strategy: unwrap cryptograms with modified Ci or Tisuccess probability for qu attempts: qu2−|T|
Key retrievalbest strategy: exhaustive key searchsingle target: success prob. for n key guesses ≈ n2−|K|multi-target: success prob. for n key guesses ≤ (m + 1)n2−|K|Remedy against multi-target security erosion: global nonce
Summary:1-of-m key recovery after 2|K|−log2(m+1) offline calls to RO(·)single privacy break/forgery after 2|T| online calls to D.Unwrap
44 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Instantiating our ideal AE scheme
Replace RO by full-state keyed duplex calling e.g. Keccak-fDue to distinguishing bound :
key recovery: min(2|K|−log2 m, 2c−ϵ) offline calls to fprivacy break/forgery: min(2|T|, 2c/2) online calls to f. . . assuming f (i.e., Keccak-f) has no exploitable properties
Practical scheme?History includes all previous messagesstoring it may require huge buffer
Practical scheme!keyed duplex is hard to distinguish from ROit compresses all History in its b-bit state Sat any point S: keyed hash of Historyinstantiations: our CAESAR submission Keyak (and Ketje)
45 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Instantiating our ideal AE scheme
Replace RO by full-state keyed duplex calling e.g. Keccak-fDue to distinguishing bound :
key recovery: min(2|K|−log2 m, 2c−ϵ) offline calls to fprivacy break/forgery: min(2|T|, 2c/2) online calls to f. . . assuming f (i.e., Keccak-f) has no exploitable properties
Practical scheme?History includes all previous messagesstoring it may require huge buffer
Practical scheme!keyed duplex is hard to distinguish from ROit compresses all History in its b-bit state Sat any point S: keyed hash of Historyinstantiations: our CAESAR submission Keyak (and Ketje)
45 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Advantages of sponge-based AE
Smaller surface for cryptanalysis than block-cipher modesthere are no round keysevolving state during session: moving target
Cheaper protection against side channel attacksDPA and DEMA limited to session setup due to nonce unicitymoving target during session
Optimization of ratio security strength vs memory usage
46 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Wish for being online
Online: being able to wrap or unwrap a message on-the-flyAvoid having to buffer long messagesOnline unwrapping implies returning unverified plaintext
but security of our scheme relies on ittwo ways to tackle this problem
Tolerating Release of Unverified Plaintext (RUP)catastrophic fragmentation attack [Albrecht et al., IEEE S&P2009]add security notions and attacks [Andreeva et al., ASIACRYPT2014]try to satisfy (some of) these: costly
This can be addressed with sessionssplit long cryptogram into short ones, each with tagshorten cryptograms til they fit the unwrap buffer
47 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Wish for surviving sloppy nonce management
Our assumption: K,N is unique per (wrapping) Session Startusers/implementers do not always respect thiswish to limit consequences of nonce violation
All online AE schemes leak in case of nonce violationequality of first messages of session leaks in any case
stream encryption: re-use of keystreamblock encryption: just equality of block(s) leaks
low entropy plaintexts become an issuesuccessful active attacks for quasi all proposed schemes
Consensus among experts on following:ideal security in case of nonce misuse hard to defineuser shall be warned to not allow nonce violation
Just avoid nonce violation
48 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Wish for parallelism
Many CAESAR submissions use AESModern CPUs have dedicated AES instruction, e.g. AES-NIon Intel
pipelining: 1 cycle per round but latency of 8 to 16 cyclesperforming a single AES: 80 cyclesperforming 8 independent AES: 88 cycles
Expoiting the pipeline requires ability to parallelizeAlso non-AES based schemes can benefit from parallelism,e.g.
pipelined architecturessuperscalar architecturesSIMD instructions
Parallelism can be supported, e.g., Keyak
49 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Wish for lightweightWhole world of buzzwords:
IoT, Smart Grid, RFID, ad-hoc sensor and body area network,…
Strongly constrained resourceslow area: reduce chip costlow power: RF poweredlow energy: battery-life
Specific conditionsshort messagestransaction time, …
Compromising ontarget security strengthprovable security of modeconsequences of improper usage, …
Hence: Ketje is dedicated for lightweight50 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
The Motorist mode of use
0 SUV1
T(0)
SUV = Secret and Unique ValuePlaintext absorbed in outer part, AD in inner part alsoTag and keystream from same output block ZiSpecified in three layers:
Piston: Π of them, each one an FSKDEngine: finite state machine steering the Piston(s)Motorist: session starting and (un)-wrapping, using the Engine
51 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
The Motorist mode of use
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
SUV = Secret and Unique ValuePlaintext absorbed in outer part, AD in inner part alsoTag and keystream from same output block ZiSpecified in three layers:
Piston: Π of them, each one an FSKDEngine: finite state machine steering the Piston(s)Motorist: session starting and (un)-wrapping, using the Engine
51 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
The Motorist mode of use
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
SUV = Secret and Unique ValuePlaintext absorbed in outer part, AD in inner part alsoTag and keystream from same output block ZiSpecified in three layers:
Piston: Π of them, each one an FSKDEngine: finite state machine steering the Piston(s)Motorist: session starting and (un)-wrapping, using the Engine
51 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
The Motorist mode of use
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
A(3)
T(3)
SUV = Secret and Unique ValuePlaintext absorbed in outer part, AD in inner part alsoTag and keystream from same output block ZiSpecified in three layers:
Piston: Π of them, each one an FSKDEngine: finite state machine steering the Piston(s)Motorist: session starting and (un)-wrapping, using the Engine
51 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesFocus on authenticated encryption
Generic security of Motorist AE session mode
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
A(3)
T(3)
Used in Keyak v2 [KT & Ronny Van Keer, 2015]
Plaintext absorbed in outer part, AD in inner part alsoUsed in Keyak with c = 256 and b = 1600 or b = 800Rate 544 or 1344 so we can take ν = 1bounds:
nonce-respecting: N/2c−1 + qIVN/2k + . . .nonce-violating: MN/2c + qIVN/2k + . . .
52 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Outline
1 Sponge
2 Keyed sponge
3 Beyond birthday-bound security
4 Keyed sponge, refactored
5 Focus on authenticated encryption
6 Keyak and Ketje
53 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Keyak [Keccak team + Ronny Van Keer]
AE scheme submitted to CAESAR (tweaked for round 2)Permutation-based mode called MotoristMakes use of Keccak-p permutations
Keccak-p: reduced-round version of Keccak-fKeccak-f: permutations underlying Keccakall 6 functions in SHA-3 based on Keccak-f[1600] (24rounds)
Generic definition with 5 parametersc capacityτ tag lengthb width of Keccak-p
nr number of rounds in Keccak-pΠ degree of parallelism
54 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Keyak named instances
5 named instances with c = 256, τ = 128, nr = 12Efficiency:
Short messages: Π calls to Keccak-pLong messages: twice as fast as SHAKE128
Name Width b Parallelism ΠRiver Keyak 800 1Lake Keyak 1600 1Sea Keyak 1600 2Ocean Keyak 1600 4Lunar Keyak 1600 8
55 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Ketje [Keccak team + Ronny Van Keer]
AE scheme submitted to CAESAR (made it to round 2)Two instancesFunctionally similar to KeyakLightweight:
using reduced-round Keccak-f[400] or Keccak-f[200]small footprintlow computation for short messages
How?96-bit or 128-bit security (incl. multi-target)more ad-hoc: monkeyDuplex instead of FSKDreliance on nonce uniqueness for key protection
56 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Ketje instances and lightweight features
feature Ketje Jr Ketje Srstate size 25 bytes 50 bytesblock size 2 bytes 4 bytes
processing computational costsession start per session 12 rounds 12 roundswrapping per block 1 round 1 round8-byte tag comp. per message 9 rounds 7 rounds
More on Ketje and Keyak:http://ketje.noekeon.orghttp://keyak.noekeon.org
57 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesKeyak and Ketje
Safety margin of Keyak and Ketje
S. Huang, M. Wang, X. Wang and J. Zhao, Conditional cubeattack on reduced-round keccak sponge function [IACR eprint2016/790]
Best current cryptanalysis of keyed Keccak-f modesCube attack
exploits low algebraic degree of permutationn rounds has degree 2n
summing over inputs in affine space acts as differentiationattack requires summing over around 2n inputssmart tricks allow peeling off rounds
Most powerful attacks on Keyak (12 rounds)7-round variant: requires 242 blocks of chosen data8-round variant: requires 274 blocks of chosen data
58 / 59
Introduction to sponge-based cryptography Part 2: Keyed modesConclusion
Conclusion
Permutations: good alternative for block ciphers
http://sponge.noekeon.org/http://keccak.noekeon.org/
59 / 59