Authenticated Encryption Schemes and Cryptanalysis Jérémy Jean Laboratoire Crypto Agence Nationale de la Sécurité des Systèmes d’Information 26 April 2017 [email protected]

Authenticated Encryption Schemes and Cryptanalysis

Jérémy Jean

Laboratoire Crypto

Agence Nationale de la Sécurité des Systèmes d’Information

26 April 2017

[email protected]

Outline

1 Introduction
  a. Authenticated Encryption
  b. CAESAR Competition
  c. Outline

2 Cryptanalysis of FIDES
  a. Specifications
  b. State Recovery
  c. Forgery
  d. Partial Countermeasure

3 Cryptanalysis of NORX v2.0
  a. Generalities
  b. Specifications
  c. Analysis of P
  d. Forgery Attack
  e. Key-Recovery Attack
  f. NORX Versions

4 Conclusions

1/49 Jérémy Jean (ANSSI) // Authenticated Encryption Schemes and Cryptanalysis

Generalities

[Figure: Alice and Bob exchange a bit string over a channel of communication; Eve can listen to it or modify it]

Confidentiality

Eve passively listens to the message sent

Need for encryption

Integrity

Eve actively listens and modifies

Bob cannot know whether Eve changed anything

Need for integrity (not necessarily encrypted)

Authenticated Encryption: Security and Composition

Security Goals

Confidentiality of messages exchanged

Integrity of messages exchanged

Adversarial Model

Adversary can tamper with the channel (read, write, delete, etc.)

Adversary can query both chosen plaintexts and ciphertexts

Generic Composition

Encryption: We know some secure schemes (e.g., AES-CBC, AES-CTR)

Authentication: We know some secure MAC (e.g., HMAC, CMAC)

Natural question: Can we combine them to get AE? Yes, we can (well, sort of).

Authenticated Encryption: Generic Composition

Let $K_{enc}$ and $K_{mac}$ be two keys, and $m$ the message to consider.

Encrypt-and-MAC (E&M)

$c \leftarrow E_{K_{enc}}(m)$

$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(m)$

Return $(c, \tau)$

MAC-then-Encrypt (MtE)

$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(m)$

$c \leftarrow E_{K_{enc}}(m \,\|\, \tau)$

Return $c$

Encrypt-then-MAC (EtM)

$c \leftarrow E_{K_{enc}}(m)$

$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(c)$

Return $(c, \tau)$

E&M Security

Used in SSH

No integrity on $c$

MtE Security

Used in TLS

Susceptible to padding oracle attacks

EtM Security

Best composition

Used in IPSec
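As an added example (not code from the talk), the three compositions of this slide in Python, with HMAC-SHA256 as the MAC and an HMAC-based counter-mode keystream standing in for AES-CTR, since the standard library has no AES. The nonce, the key-derivation labels and the 32-byte keystream block are my assumptions; the point shown is that only EtM lets the receiver reject a tampered ciphertext before any decryption runs.

```python
import hashlib
import hmac
import struct

BLOCK = 32          # bytes of keystream per HMAC-SHA256 call (toy parameter)
TAG_LEN = 32        # HMAC-SHA256 output length
TRACE = []          # records the order of "decrypt" / "verify" inside the decrypt routines


def derive_keys(master):
    """Derive independent K_enc and K_mac from one master key (labels are assumed)."""
    k_enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def ctr_xor(k_enc, nonce, data):
    """E_Kenc: counter-mode stream cipher standing in for AES-CTR; the nonce must never repeat."""
    blocks = (len(data) + BLOCK - 1) // BLOCK
    stream = b"".join(hmac.new(k_enc, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def mac(k_mac, data):
    """MAC_Kmac, here HMAC-SHA256."""
    return hmac.new(k_mac, data, hashlib.sha256).digest()


def verify(k_mac, data, tau):
    TRACE.append("verify")
    return hmac.compare_digest(mac(k_mac, data), tau)   # constant-time comparison


def decrypt(k_enc, nonce, c):
    TRACE.append("decrypt")
    return ctr_xor(k_enc, nonce, c)


# Encrypt-and-MAC: c <- E(m), tau <- MAC(m), return (c, tau). The tag does not cover c.
def eam_encrypt(k_enc, k_mac, nonce, m):
    return ctr_xor(k_enc, nonce, m), mac(k_mac, m)


def eam_decrypt(k_enc, k_mac, nonce, c, tau):
    m = decrypt(k_enc, nonce, c)                # must decrypt before anything can be checked
    return m if verify(k_mac, m, tau) else None


# MAC-then-Encrypt: tau <- MAC(m), c <- E(m || tau), return c.
def mte_encrypt(k_enc, k_mac, nonce, m):
    return ctr_xor(k_enc, nonce, m + mac(k_mac, m))


def mte_decrypt(k_enc, k_mac, nonce, c):
    p = decrypt(k_enc, nonce, c)                # unauthenticated data is decrypted (and, with a
    m, tau = p[:-TAG_LEN], p[-TAG_LEN:]         # block cipher, unpadded): the padding-oracle surface
    return m if verify(k_mac, m, tau) else None


# Encrypt-then-MAC: c <- E(m), tau <- MAC(c), return (c, tau). The nonce is bound into the tag too.
def etm_encrypt(k_enc, k_mac, nonce, m):
    c = ctr_xor(k_enc, nonce, m)
    return c, mac(k_mac, nonce + c)


def etm_decrypt(k_enc, k_mac, nonce, c, tau):
    if not verify(k_mac, nonce + c, tau):       # reject first: a tampered c never reaches decrypt()
        return None
    return decrypt(k_enc, nonce, c)


def flip_bit(c):
    """The active adversary of the channel model: one bit of the ciphertext changed."""
    return bytes([c[0] ^ 0x01]) + c[1:]


def run(scheme, m=b"meet at noon"):
    """Round-trip one composition on constructed values; returns (plaintext recovered from the
    honest ciphertext, result for the tampered ciphertext, order of operations in the decryptor)."""
    k_enc, k_mac = derive_keys(b"\x01" * 32)    # constructed master key
    nonce = b"\x00" * 12                        # constructed; unique per message in real use
    if scheme == "E&M":
        c, tau = eam_encrypt(k_enc, k_mac, nonce, m)
        dec = lambda x: eam_decrypt(k_enc, k_mac, nonce, x, tau)
    elif scheme == "MtE":
        c = mte_encrypt(k_enc, k_mac, nonce, m)
        dec = lambda x: mte_decrypt(k_enc, k_mac, nonce, x)
    else:
        c, tau = etm_encrypt(k_enc, k_mac, nonce, m)
        dec = lambda x: etm_decrypt(k_enc, k_mac, nonce, x, tau)
    del TRACE[:]
    honest = dec(c)
    order = list(TRACE)
    tampered = dec(flip_bit(c))
    return honest, tampered, order
```

All three reject the flipped ciphertext here, but E&M and MtE only find out after running the decryption on attacker-controlled data.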

Authenticated Encryption (AE) with a Single Primitive

Motivations

Reach AE with one primitive and a single key

Few dedicated ciphers and modes (e.g., AES-GCM) achieve AE

Focus on this topic with the CAESAR competition since 2013

Regular Encryption

$(M, K) \rightarrow C$

AE

$(M, K) \rightarrow (C, T)$

AEAD

$(A, M, K) \rightarrow (A, C, T)$

$M$: plaintext, $C$: ciphertext, $K$: key

$T$: authentication tag, $A$: optional associated data

AEAD: Authenticated Encryption with Associated Data

Some Known AEAD

GCM

Designed by Viega and McGrew

AES-GCM is probably the most widely used AE

Approved by NIST

Limitations:

Not so simple to implement

Not so fast

Completely insecure under nonce repetition

Limit on the plaintext length: about $2^{39}$ bits (64 GB)

OCB

Designed by Rogaway

Conceptually much simpler: basically ECB with a different permutation for each block

Fast but still insecure under nonce repetition

CAESAR Competition: An Overview

Competition for Authenticated Encryption: Security, Applicability, and Robustness

Announced in 2013

Process similar to AES and SHA-3 competitions

Held by Dan Bernstein

Internal analysis by a committee of 18 cryptographers

Aim at selecting a portfolio of algorithms:

That offer advantages over AES-GCM

Are suitable for widespread adoption

Notes

Algorithms should be AEAD: $(A, M, K) \rightarrow (A, C, T)$

Handles byte strings (not bit strings)

Current tentative date for the announcement of the final portfolio: December 15, 2017

CAESAR Competition: Entering Round 1

57 algorithms submitted (March 2014)

++AE

ACORN

AEGIS

AES-CMCC

AES-COBRA

AES-COPA

AES-CPFB

AES-OTR

AEZ

Artemia

Ascon

AVALANCHE

Calico

CBA

CBEAM

CLOC

Deoxys

ELmD

Enchilada

FASER

HKC

HS1-SIV

ICEPOLE

iFeed[AES]

JAMBU

Joltik

Julius

Ketje

Keyak

KIASU

LAC

Marble

McMambo

Minalpher

MORUS

NORX

OCB

OMD

PAEQ

PAES

PANDA

π-Cipher

POET

POLAWIS

Prøst

PRIMATEs

Raviyoyla

Sablier

SCREAM

SHELL

SILC

Silver

STRIBOB

Tiaoxin

TriviA-ck

Wheesht

YAES

CAESAR Competition: During Round 1

Notable events

Attacks on (non-exhaustive):

COBRA (Nandi, 2014)

iFEED (Schroé, Mennink, and Andreeva, 2014)

LAC [DK16]

Marble [FLS15]

PAES [JNSW14]

PANDA [SW14]

Cryptanalysis of XLS constructions [Nan14]

9 algorithms were withdrawn

Decision

The committee selected 29 algorithms to advance to the next round

CAESAR Competition: Entering Round 2

29 algorithms selected to enter Round 2 (June 2015)

ACORN

AEGIS

AES-OTR

AEZ

Ascon

CLOC & SILC

AES-COPA

ELmD

Deoxys

JAMBU

Ketje

Keyak

MORUS

NORX

OCB

Tiaoxin

HS1-SIV

ICEPOLE

Joltik

Minalpher

OMD

PAEQ

π-Cipher

POET

PRIMATEs

SCREAM

SHELL

STRIBOB

TriviA-ck

CAESAR Competition: During Round 2

Notable events

Key Recovery of 2.5-round π-Cipher [BCL+16]

Forgery of ICEPOLE [HTW15]

Weak-key analysis of POET [GJPL14, ABT14]

Decision

The committee selected 15 algorithms to advance to the next round

CAESAR Competition: Entering Round 3

15 algorithms selected to enter Round 3 (August 2016)

ACORN

AEGIS

AES-OTR

AEZ

Ascon

CLOC & SILC

COLM

Deoxys

JAMBU

Ketje

Keyak

MORUS

NORX

OCB

Tiaoxin

Notable events

The submitters were asked to choose between three use cases:

Lightweight applications (constrained environments)

High-performance applications (high-end platforms)

Defense in depth (e.g., security despite nonce misuse)

Cryptanalytic results:

Nonce-repeating observations on AEZ [CG16]

Cryptanalysis of full NORX [CFG+17a]

Cube Attack on Round-Reduced Ascon [LDW17]

Observations on the initialization in Ketje Sr. [DLWQ17]

CAESAR Competition: Several Classifications of Candidates

Type

BC: GCM, OCB, COLM, OTR, CLOC & SILC, JAMBU, AEZ, Deoxys (TBC), AEGIS, Tiaoxin

Sponge: Ketje, Keyak, NORX, Ascon

Stream: ACORN, MORUS

Security

Nonce may repeat: COLM, AEZ, Deoxys, JAMBU ([PSWZ15])

Nonce must not repeat: all the others

Other comparisons: RUP security, online-ness, inverse-free-ness, software performances, hardware, etc.

In the Rest of this Talk

Cryptanalysis of two AE algorithms

First Part

Itai Dinur and JJ

Cryptanalysis of FIDES

In Carlos Cid and Christian Rechberger, editors, FSE 2014, volume 8540 of LNCS, pages 224--240, London, UK, March 3--5, 2015. Springer, Heidelberg, Germany.

Second Part

C. Chaigneau, T. Fuhr, H. Gilbert, JJ, and J.-R. Reinhard

Cryptanalysis of NORX v2.0

IACR Trans. Symm. Cryptol., 2017(1):156--174, 2017.

Description of FIDES (1/2)

FIDES

Designed by Bilgin et al. and published at CHES 2013

Nonce-based lightweight AEAD (N)

Key sizes: 80 and 96 bits (K)

Handle optional associated data (A)

Leak-extraction structure similar to the duplex sponge construction

Permutation: application of an unkeyed AES round

Not submitted to the CAESAR competition

[Figure: FIDES mode. Initialization: 16 rounds on K||N together with K||0 (16c bits); then one round per associated-data block A_0, A_1, ..., A_{v-1}; then one round per message block, turning M_0, ..., M_{n-1} into C_0, ..., C_{n-1}; finalization: 16 rounds, then truncation to the tag T]

Description of FIDES (2/2)

Internal state:

Total size: $4 \times 8 \times c$ bits

Word size $c$: $c = 5$ bits for FIDES-80, $c = 6$ bits for FIDES-96

One Round of the Internal Permutation:

Extract 2c-bit mask

2c-bit message injection

AES-like operations: SubBytes, ShiftRows, MixColumns, AddRoundKey

Suboptimal diffusion matrix (non-MDS)

Diffusion Matrix

$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$

[Figure: one round on the internal state of c-bit words: injection of M_i, then SB, SR, MC and AC with the round constant RC_i]

Leakage and Security Claims

Leakage

The same positions are used to leak and inject nibbles

2c out of 32c bits are leaked before each round

Security Claims

Nonce-respecting adversary assumption

Attack scenarios: state recovery, key recovery and forgery

FIDES advertises 16c-bit security against all scenarios

Our Attack

State recovery can be done in $2^{15c}$ operations

We can forge any message after a state recovery

Similar designs

FIDES is reminiscent of other AES-based designs using leak-extraction

LEX [Bir07]

128-bit key stream cipher

4/16 leaked nibbles per round

No injection (stream cipher)

Broken [DK13, BDF11]

Alpha-MAC [DR05]

128-bit MAC

4 nibbles injected per round

No extraction

Broken [YWJ+09, BDF11]

ALE [BMR+13]

128-bit AE cipher

4/16 leaked nibbles per round

Inject 16 nibbles every 4 rnds

Broken [KR14]

ASC-1 [JK12]

128-bit AE cipher

4/16 leaked nibbles per round

Inject 16 nibbles every 4 rnds

Whitening key before leakage

Results on FIDES

Results

Cipher     Data   Time       Memory    Generic   Ref
FIDES-80   1 KP   $2^{75}$   $2^{15}$  $2^{80}$  [DJ15]
FIDES-96   1 KP   $2^{90}$   $2^{18}$  $2^{96}$  [DJ15]

(KP: known plaintext)

Notes:

Guess-and-determine attacks

Recover the internal state

Allow to forge arbitrary messages

Preliminaries (1/2)

How many leaked nibbles are needed to recover the state faster than exhaustive search?

Information Theoretic Argument

The state consists of 32 nibbles

Known-plaintext scenario

15 rounds would leak a total of $(15 + 1) \times 2 = 32$ state nibbles

Uniquely determine the state

But analyzing 15 consecutive AES-like rounds is difficult

[Figure: initialization on K||N, followed by a chain of 1-round steps each leaking 2c bits, then 16 rounds and truncation to the tag T]

Preliminaries (2/2)

With $n \in [0, 14]$ rounds:

Reduce the analysis to $n$ consecutive AES-like rounds

A total of $(n + 1) \times 2$ state nibbles are leaked

Unicity of the state no longer true: about $2^{(32 - 2n - 2) \cdot c}$ different initial states would leak the same sequence

Goal: Generating all of them in less than $2^{16c}$ computations

$32 - 2n - 2 < 16 \Rightarrow n \geq 8$

Our Attack

We use the knowledge of 18 leaked nibbles, in 9 consecutive states linked by $n = 8$ rounds (in fact, only 17 nibbles)

Data: less than 16 bytes of a single known plaintext

Time: about $2^{15c}$ computations to enumerate the $2^{(32 - 17)c} = 2^{15c}$ state candidates

Check: additional leaked bytes, or authentication tag $T$

High-Level Overview of the State-Recovery Attack

[Figure: nine consecutive states X_0, X_1, ..., X_8 linked by eight 1-round steps; the guessed nibble sets N_1 and N_2 and the tables T_1 and T_2 sit on the middle states]

Steps of the Guess-and-determine Procedure

1. Guess the 12 nibbles in the set $N_1$

2. Determine other nibble values ($N'_1$)

3. Construct two tables $T_1$ and $T_2$ (independently)

4. Guess the 3 nibbles in the set $N_2$

5. Determine new nibble values ($N'_2$)

6. Use the tables $T_1$ and $T_2$ to fully recover a middle state

Main Property

Observation

The guess-and-determine algorithm relies on the MixColumns binary matrix $M$ that has a branching number of 4 (non-MDS; AES: 5).

$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$

Let $x = [x_0, x_1, x_2, x_3]$ and $y = [y_0, y_1, y_2, y_3]$. There are linear dependencies between 4 nibbles of $x$ and $y = Mx$.

Property 1

For all $i, j \in \{0, 1, 2, 3\}$ such that $i \neq j$: $x_i \oplus x_j = y_i \oplus y_j$.

Property 2

For all $i \in \{0, 1, 2, 3\}$: $y_i = x_{i+1} \oplus x_{i+2} \oplus x_{i+3}$ and $x_i = y_{i+1} \oplus y_{i+2} \oplus y_{i+3}$ (indices added mod 4)
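As an added example (not code from the talk or from the FIDES designers), a Python check of the matrix of the two slides above: it verifies Property 1 and Property 2 on every column, computes the branch number of M by exhaustive search, and shows the column-level "determine" step those properties give (whenever all but one term of such a relation is known, the last one follows). Only M comes from the slides; the nibble width used for the search (c = 3, which gives the same branch number as c = 5 or 6 because M is binary) and the sample column are my choices.

```python
from itertools import product

# FIDES MixColumns matrix M (binary, non-MDS); it acts on a column of four c-bit nibbles with XOR.
M = [[0, 1, 1, 1],
     [1, 0, 1, 1],
     [1, 1, 0, 1],
     [1, 1, 1, 0]]


def mix(x, m=M):
    """y = M x over GF(2)^c: y_i is the XOR of the x_j with m[i][j] == 1."""
    y = []
    for row in m:
        acc = 0
        for bit, xj in zip(row, x):
            if bit:
                acc ^= xj
        y.append(acc)
    return y


def weight(v):
    """Number of non-zero nibbles (the word weight the branch number counts)."""
    return sum(1 for t in v if t)


def branch_number(m, c):
    """min over x != 0 of wt(x) + wt(Mx), by exhaustive search over four c-bit nibbles.
    For a binary matrix the result does not depend on c (argue bit-slice by bit-slice),
    so a small c is enough; AES's MDS matrix would give 5, M gives 4."""
    best = 8
    for x in product(range(1 << c), repeat=4):
        if any(x):
            best = min(best, weight(x) + weight(mix(list(x), m)))
    return best


def property1_holds(x):
    """x_i ^ x_j == y_i ^ y_j for all i != j."""
    y = mix(x)
    return all(x[i] ^ x[j] == y[i] ^ y[j] for i in range(4) for j in range(4) if i != j)


def property2_holds(x):
    """y_i = x_{i+1} ^ x_{i+2} ^ x_{i+3}, and since M is an involution, x_i = y_{i+1} ^ y_{i+2} ^ y_{i+3}."""
    y = mix(x)
    fwd = all(y[i] == x[(i + 1) % 4] ^ x[(i + 2) % 4] ^ x[(i + 3) % 4] for i in range(4))
    inv = all(x[i] == y[(i + 1) % 4] ^ y[(i + 2) % 4] ^ y[(i + 3) % 4] for i in range(4))
    return fwd and inv


def properties_hold_for_all(c):
    """Check both properties on every column of c-bit nibbles."""
    return all(property1_holds(list(x)) and property2_holds(list(x))
               for x in product(range(1 << c), repeat=4))


# Every 4-term XOR relation among [x0, x1, x2, x3, y0, y1, y2, y3] that the two properties give.
RELATIONS = ([[4 + i] + [(i + k) % 4 for k in (1, 2, 3)] for i in range(4)]       # Property 2, forward
             + [[i] + [4 + (i + k) % 4 for k in (1, 2, 3)] for i in range(4)]     # Property 2, inverse
             + [[i, j, 4 + i, 4 + j] for i in range(4) for j in range(i + 1, 4)])  # Property 1


def propagate(known):
    """The "determine" step on one column: `known` maps an index (0-3 for x_i, 4-7 for y_i)
    to its value; every relation with exactly one unknown term fixes that term, until no
    relation applies any more. Returns the completed map."""
    known = dict(known)
    changed = True
    while changed:
        changed = False
        for rel in RELATIONS:
            missing = [t for t in rel if t not in known]
            if len(missing) == 1:
                v = 0
                for t in rel:
                    if t != missing[0]:
                        v ^= known[t]
                known[missing[0]] = v
                changed = True
    return known
```

With three input nibbles and one output nibble known, the whole column follows; with only x_0 and y_0 known, nothing further can be determined.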

Final Step: Post-Filtering

Guess-and-Determine Algorithm

Requires $2^{(12 + 3)c} = 2^{15c}$ computations

Generates $2^{15c}$ possible internal states

We post-filter all those states against extra variables

We expect only the correct state to remain

Attack Complexity

Data: 17 consecutive leaked nibbles of a KP + additional values

Memory: $2^{3c}$ elements in tables $T_1$ and $T_2$

Time: $2^{15c}$ operations (simpler than a full encryption)

Forgery after the State Recovery

Finalization

The initialization of FIDES does not depend on the message.

The finalization of FIDES does not depend on the key.

Consequence

Once the state is recovered:

we know the state Init(K||N) after the 16-round initialization

we can simulate the encryption of any arbitrary message and produce a valid tag

[Figure: the FIDES mode again. Initialization: 16 rounds on K||N together with K||0 (16c bits); one round per associated-data block A_0, ..., A_{v-1}; one round per message block turning M_0, ..., M_{n-1} into C_0, ..., C_{n-1}; finalization: 16 rounds, then truncation to the tag T]

Countermeasure Against (State Recovery ⇒ Forgery)

Simple Idea

Make both the initialization and the finalization key-dependent

Example of Ascon (CAESAR candidate, Round 3)

By: C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer

“(...) Ascon uses a stronger keyed initialization and keyed finalization phase. The result is that even an entire state recovery is not sufficient to recover the secret key or to allow universal forgery.”

[Figure: Ascon mode. Initialization: p^a on IV||K||N (320 bits), then 0*||K XORed into the state; Associated Data: A_1, ..., A_s absorbed into the r-bit rate with p^b between blocks, then 0*||1 XORed in; Plaintext: P_1, ..., P_t encrypted to C_1, ..., C_t through the rate with p^b between blocks; Finalization: K||0* XORed in, p^a, then K XORed into the output to give the tag T]

Note: Also the case of NORX, another CAESAR candidate
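As an added illustration (not FIDES, Ascon or NORX code), the following Python toy duplex mode shows why an unkeyed finalization lets an attacker who has recovered the post-initialization state forge any message, and what the Ascon-style keyed finalization quoted above changes. The permutation is a SHA-256 stand-in, and the rate/capacity sizes, the padding rule and the key placement are hypothetical choices made for this demonstration only.

```python
"""Toy duplex AE mode showing why state recovery yields forgery when the
finalization is unkeyed, and what a keyed finalization changes. Added
illustration with a stand-in permutation; not FIDES, Ascon or NORX code."""
import hashlib

RATE, CAP = 8, 24          # hypothetical byte sizes; the state is RATE + CAP = 32 bytes
TAG_LEN = 16


def perm(state: bytes) -> bytes:
    """Stand-in for the scheme's round function (keeps the 32-byte state width)."""
    return hashlib.sha256(state).digest()


def init(key: bytes, nonce: bytes) -> bytes:
    """Initialization depends on the key; the state-recovery attack outputs this value."""
    return perm(key + nonce)


def pad(msg: bytes) -> bytes:
    """10* padding to a multiple of RATE bytes (hypothetical choice)."""
    return msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % RATE)


def unpad(padded: bytes) -> bytes:
    return padded[:padded.rindex(b"\x80")]


def encrypt_blocks(state: bytes, pt: bytes):
    ct = b""
    for i in range(0, len(pt), RATE):
        c = bytes(a ^ b for a, b in zip(state[:RATE], pt[i:i + RATE]))
        ct += c
        state = perm(c + state[RATE:])      # the ciphertext block replaces the rate
    return ct, state


def decrypt_blocks(state: bytes, ct: bytes):
    pt = b""
    for i in range(0, len(ct), RATE):
        c = ct[i:i + RATE]
        pt += bytes(a ^ b for a, b in zip(state[:RATE], c))
        state = perm(c + state[RATE:])
    return pt, state


def tag_unkeyed(state: bytes) -> bytes:
    """FIDES-style finalization: a function of the state only."""
    return perm(state)[:TAG_LEN]


def tag_keyed(state: bytes, key: bytes) -> bytes:
    """Ascon-style finalization: K XORed into the capacity before the final
    permutation and into the output after it."""
    cap = bytes(a ^ b for a, b in zip(state[RATE:], key.ljust(CAP, b"\x00")))
    return bytes(a ^ b for a, b in zip(perm(state[:RATE] + cap), key[:TAG_LEN]))


def encrypt(key, nonce, msg, keyed):
    ct, s = encrypt_blocks(init(key, nonce), pad(msg))
    return ct, (tag_keyed(s, key) if keyed else tag_unkeyed(s))


def verify(key, nonce, ct, tag, keyed):
    """Returns the plaintext when the tag matches, None otherwise."""
    pt, s = decrypt_blocks(init(key, nonce), ct)
    expected = tag_keyed(s, key) if keyed else tag_unkeyed(s)
    return unpad(pt) if expected == tag else None


def forge(recovered_state: bytes, msg: bytes):
    """Attacker holding only the post-initialization state (no key) runs the
    mode forward on a message of their choice and computes the unkeyed tag."""
    ct, s = encrypt_blocks(recovered_state, pad(msg))
    return ct, tag_unkeyed(s)
```

With the unkeyed finalization, `forge(init(key, nonce), msg)` is accepted by `verify` for any `msg`; with the keyed finalization the same attacker, who knows the state but not K, cannot compute the tag, which is exactly the property the Ascon designers claim above.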



NORX: a CAESAR Candidate

Three Main Versions

Designed by Aumasson, Jovanovic, Neves

History in the CAESAR competition:

Initial submission: NORX v1 (selected for Round 2)

August 2015: NORX v2.0 (selected for Round 3)

September 2016: NORX v3.0

Main Features of NORX v2.0

Two word sizes: w = 32 or 64 bits ⇒ NORX32 and NORX64 instances

Key and tag sizes: |K| = |T| = 4w (128 or 256 bits)

Claimed security level: 4w bits

Sponge-based construction (MonkeyDuplex)

State permutation P: inspired from ARX primitives (e.g., ChaCha)


Security Analysis: Published Results

Security Proofs of the Mode

[JLM14]: security proofs for sponge-based AE modes beyond 2^{c/2}

Provides arguments for decreasing the capacity from 6w bits to 4w bits between NORX v1.0 and v2.0

Reduced-Round Attacks

[BHJ+16]: key recovery for a reduced version of NORX v2.0
Half the number of rounds of the underlying permutation P
Due to the slow backward diffusion of P

Analysis of the Permutation

[AJN14, AJN15]: differential and rotational properties

[DMM15]: higher-order differential properties
Distinguishers for 3.5-round NORX32 and full-round NORX64

[BUV17]: symmetries inside the internal permutation
Similar to what we present


Our Results

Our Attack

Ciphertext-only forgery attack on full NORX v2.0

Trivial known-plaintext key recovery once a forgery is achieved

Version              Key size   Tag size   Data     Time
NORX v2.0            128        128        2^66     2^66
NORX v2.0 (CAESAR)   128        128        2^72     2^72
NORX v2.0            256        256        2^130    2^130
NORX v2.0 (CAESAR)   256        256        2^136    2^136

Note: CAESAR NORX handles only byte strings

FSE/ToSC 2017

C. Chaigneau, T. Fuhr, H. Gilbert, JJ, and J.-R. Reinhard

Cryptanalysis of NORX v2.0

IACR Trans. Symm. Cryptol., 2017(1):156--174, 2017.


Description of NORX v2.0: NORX32 Instance

Parameters

Word size: w = 32 bits

Key K: 128 bits

Rate r: 384 bits

State size: r + c = 512 bits

Nonce N: 64 bits

Tag T: 128 bits

Capacity c: 128 bits

[Figure: NORX v2.0 mode. init(K, N, w, l, t) loads the state, followed by P, P; associated-data blocks A_0, ..., A_{a-1} are absorbed into the r-bit rate with domain-separation constant 01 and one P each; message blocks M_0, ..., M_{m-1} are encrypted to C_0, ..., C_{m-1} with constant 02; trailer blocks Z_0, ..., Z_{z-1} with constant 04; the finalization with constant 08 and P outputs the t-bit tag T. The c-bit capacity is never output.]

Security Claims

Model: Nonce-respecting adversary

Data limitation: at most 2^64 messages processed per key

Security claimed: 128 bits (capacity size)


NORX Mode of Operation

Based on the MonkeyDuplex mode [BDPV12]

This talk: focus on NORX32 (128-bit key, 128-bit tag)

Out of scope: parallel mode, authenticated trailer

Encryption

[Figure: init(K, N, w, l, t), P, P; AD blocks A_0, ..., A_{a-1} absorbed into the r-bit rate with constant 01 and one P each; message blocks M_0, ..., M_{m-1} encrypted to C_0, ..., C_{m-1} with constant 02; trailer blocks Z_0, ..., Z_{z-1} with constant 04; finalization with constant 08 and P, output the t-bit tag T; the c-bit capacity is never output.]

Decryption

[Figure: the same path with the 384-bit rate and 128-bit capacity shown explicitly; C_0, ..., C_{m-1} are absorbed and M_0, ..., M_{m-1} released, and the recomputed 128-bit tag is compared with the received T.]


NORX Internal State and Permutation P

Permutation Inspired by ChaCha stream cipher [Ber08]

Operates on a 512-bit state S

State represented as a 4 × 4 matrix of 32-bit words

Internal State

[Figure: S = (s0, ..., s15) laid out as a 4 × 4 matrix, s0..s3 in the first row; the first three rows form the rate part, the last row (s12..s15) the capacity part.]

Permutation P

P: state permutation over {0,1}^{16×32}

P = F^4 (4 rounds of F)

F: uses a permutation G of {0,1}^{4×32}


NORX Internal State and Permutation P

Permutation P

P = F^4 = (G_diag ∘ G_col)^4

[Figure: G_col applies G to the four columns (s0, s4, s8, s12), (s1, s5, s9, s13), (s2, s6, s10, s14), (s3, s7, s11, s15); G_diag applies G to the four diagonals (s0, s5, s10, s15), (s1, s6, s11, s12), (s2, s7, s8, s13), (s3, s4, s9, s14).]

G operates on {0,1}^{4×32}


Permutation G

Permutation G

[Figure: G maps (a, b, c, d) to (a', b', c', d') as a ChaCha-like quarter-round, alternating the non-linear operation below with XORs and word rotations (drawn as ≫ 16, ≫ 12, ≫ 8, ≫ 7).]

Mimic ARX (no modular addition): x + y is replaced by (x ⊕ y) ⊕ ((x ∧ y) ≪ 1)

G_col: G(s0, s4, s8, s12), G(s1, s5, s9, s13), G(s2, s6, s10, s14), G(s3, s7, s11, s15)

G_diag: G(s0, s5, s10, s15), G(s1, s6, s11, s12), G(s2, s7, s8, s13), G(s3, s4, s9, s14)

P: 4 rounds of G_col then G_diag

Words of row i = i-th input of G


A First Property of P

[AJN15]

The designers observe the existence of weak states

[Figure: a state whose four columns all equal (a, b, c, d) is mapped by P to a state whose four columns all equal (a', b', c', d').]

Property

If: all columns of S ∈ {0,1}^{16×32} are equal

Then: all columns of G_col(S), of G_diag(S) and therefore of P(S) are equal

Note: there are 2^128 such weak states


A Stronger Property of P

[CFG+17b] and independently in [BUV17]

The permutation P commutes with the column rotation S → S^{≪1}

[Figure: S^{≪1} cyclically shifts the four columns (s0, s4, s8, s12), (s1, s5, s9, s13), (s2, s6, s10, s14), (s3, s7, s11, s15) of the 4 × 4 state by one position.]

Property

∀i ∈ {1, 2, 3}: P(S)^{≪i} = P(S^{≪i})

Notes

Generalizes the previous property: S^{≪1} = S ⟹ P(S)^{≪1} = P(S^{≪1}) = P(S)

Proof: the rotation commutes with G_col and with G_diag, hence with P
In the sequel, we use the rotation by 2


Proof: Commuting Permutation Property of Gcol

[Figure: for S = (s0, ..., s15), rotating the columns by one position and then applying G_col gives the same state as applying G_col first (yielding s'0, ..., s'15) and rotating the columns afterwards, since G_col applies the same G to every column.]


Proof: Commuting Permutation Property of Gdiag

[Figure: for S = (s0, ..., s15), rotating the columns by one position and then applying G_diag gives the same state as applying G_diag first (yielding s'0, ..., s'15) and rotating afterwards, since the rotation maps each diagonal onto the next one while preserving the row order of its words.]


Forgery Attack Without Padding (1/2)

Without loss of generality: no associated or trailer data, one-block message

Known ciphertext: (N, C_0, T)

[Figure: init(K, N, w, l, t), P, P, constant 01, P, then C_0 = M_0 ⊕ rate; after the constant 08 the state is X, and T is P^2(X) truncated to t bits (r-bit rate, c-bit capacity).]

Forgery attempt: (N, AD, C_0^{≪2}, T^{≪2})

[Figure: the same path with C_0^{≪2} injected into the rate; the state before finalization is X', and the candidate tag is T' = P^2(X') truncated to t bits.]

Details

If X' = X^{≪2} then P^2(X') = P^2(X^{≪2}) = P^2(X)^{≪2}, thus T' = T^{≪2}

How to ensure X' = X^{≪2}?


Forgery Attack Without Padding (2/2)

Forgery attack:
Get a known ciphertext (C_0, T)
Try to forge (C_0^{≪2}, T^{≪2})
Success probability: 2^{-64}

Why it works: if the capacity is symmetric (X_c = X_c^{≪2}), then the forgery attempt succeeds

Forgery attempt: (N, AD, C_0^{≪2}, T^{≪2})

[Figure: the same data path; the rate part of X is controlled by the attacker (apply ≪2 to C_0), the capacity part X_c is not, so X' = X^{≪2} holds exactly when X_c = X_c^{≪2}.]


Forgery Attack on Full NORX v2.0 With Padding

Encryption with padding

Padding: pad(M) = M || 10*1

Ciphertext: only |C| = |M| bits of the state are returned

Impact on the forgery attack

ℓ more conditions for ℓ ≤ 64 padding bits

General case: Pr[forgery] = 2^{-64-ℓ} for ℓ padding bits

Best case: 2 padding bits ⇒ Pr[forgery] = 2^{-66}

CAESAR version: works at byte level ⇒ Pr[forgery] = 2^{-72}

Complexity of the Forgery Attack

Pr[forgery] ≈ 1/2 for 2^66 or 2^72 forgery attempts


Extension: Key-Recovery Attack on Full NORX v2.0

Known plaintext: (N, C_0, T)

[Figure: the encryption path ending in the state X = X_r || X_c (after the constant 08) before the final P^2 and the t-bit tag T.]

Forgery attempt: (N, AD, C_0^{≪2}, T^{≪2})

[Figure: the same path with C_0^{≪2}; when the attempt succeeds, the state before finalization is X^{≪2} and the tag is T^{≪2}.]

Details about the Key-Recovery Attack

Known plaintext scenario

Assume that the forgery attack succeeds

The capacity part Xc of X is symmetric

The rate part Xr of X is known: Xr = C0

Hence: there are only 2^64 possible values for X_c (and for X)

Guess X_c, compute backwards and retrieve the key (discard wrong guesses by filtering on the nonce and the constants)

Complexity: 2^64 operations
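The permutation G and P described earlier, the column-rotation symmetry, the forgery condition X_c = X_c^{≪2} and the backward key-recovery step just described, put together in one added Python example; this is not the NORX reference implementation and produces no NORX test vectors. The G function follows the NORX32 specification as recalled here, with rotation constants (8, 11, 16, 31) rather than the ChaCha-style amounts drawn in the G figure; the symmetry does not depend on these constants. The mode is a simplified one-block model: the initial state layout K || N || constants, the constants themselves and the use of only the 02 and 08 domain separators are assumptions made for the demonstration.

```python
"""NORX32-style permutation P, the column-rotation symmetry of P, and the
forgery / key-recovery steps built on it. Added illustration, not the NORX
reference code; the mode below is a simplified one-block model."""
import os

MASK = 0xFFFFFFFF
ROT = (8, 11, 16, 31)     # NORX32 rotation constants (from the NORX spec, as recalled)
COLS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]
CONSTS = [0x243F6A88 + i for i in range(10)]   # hypothetical init constants, not NORX's


def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def rotl(x, n): return rotr(x, 32 - n)


def H(x, y):
    """NORX's ARX-free 'addition': (x ^ y) ^ ((x & y) << 1)."""
    return (x ^ y) ^ (((x & y) << 1) & MASK)


def H_inv(z, y):
    """Solve z = H(x, y) for x: bit i of x depends only on bits below i."""
    x = 0
    for i in range(32):
        carry = ((x >> (i - 1)) & (y >> (i - 1)) & 1) if i else 0
        x |= (((z >> i) ^ (y >> i) ^ carry) & 1) << i
    return x


def G(a, b, c, d):
    a = H(a, b); d = rotr(a ^ d, ROT[0]); c = H(c, d); b = rotr(b ^ c, ROT[1])
    a = H(a, b); d = rotr(a ^ d, ROT[2]); c = H(c, d); b = rotr(b ^ c, ROT[3])
    return a, b, c, d


def G_inv(a, b, c, d):
    b = rotl(b, ROT[3]) ^ c; c = H_inv(c, d); d = rotl(d, ROT[2]) ^ a; a = H_inv(a, b)
    b = rotl(b, ROT[1]) ^ c; c = H_inv(c, d); d = rotl(d, ROT[0]) ^ a; a = H_inv(a, b)
    return a, b, c, d


def apply_g(s, groups, g=G):
    s = list(s)
    for idx in groups:
        for i, v in zip(idx, g(*(s[i] for i in idx))):
            s[i] = v
    return s


def P(s):
    """P = F^4 with F = G_diag o G_col (G on the columns, then G on the diagonals)."""
    for _ in range(4):
        s = apply_g(apply_g(s, COLS), DIAGS)
    return s


def P_inv(s):
    for _ in range(4):
        s = apply_g(apply_g(s, DIAGS, G_inv), COLS, G_inv)
    return s


def rot_row(row, i): return [row[(c + i) % 4] for c in range(4)]


def rot_cols(s, i):
    """S^{<<i}: cyclically shift the four columns of the 4x4 state by i positions."""
    return sum((rot_row(s[4 * r:4 * r + 4], i) for r in range(4)), [])


def commutes(s):
    """P(S)^{<<i} == P(S^{<<i}) for i = 1, 2, 3 (all-columns-equal is the case S^{<<1} = S)."""
    return all(rot_cols(P(s), i) == P(rot_cols(s, i)) for i in (1, 2, 3))


def final_tag(x):
    """Finalization as on the slides: X (08 already XORed in), two P calls, tag = row 0."""
    return P(P(x))[:4]


def forgery_succeeds(c_block, xc):
    """Submit (C0^{<<2}, T^{<<2}) against the real tag: works iff Xc == Xc^{<<2}."""
    tag = final_tag(c_block + xc)
    forged_rate = rot_cols(c_block + [0] * 4, 2)[:12]    # the attacker controls only the rate
    return final_tag(forged_rate + xc) == rot_row(tag, 2)


def toy_encrypt_block(key, nonce, m_block):
    """init = P(P(K||N||consts)); 02 -> P -> rate ^= M0 gives C0; 08 -> P -> P -> T."""
    s = P(P(key + nonce + CONSTS))
    s[15] ^= 0x02
    s = P(s)
    c_block = [s[i] ^ m_block[i] for i in range(12)]
    x = c_block + s[12:]
    x[15] ^= 0x08
    return c_block, x, final_tag(x)


def recover_key(nonce, m_block, c_block, xc_guess):
    """One of the 2^64 symmetric-capacity candidates, computed backwards and
    filtered on the nonce and the constants; returns the key words or None."""
    x = c_block + list(xc_guess)
    x[15] ^= 0x08
    s = [x[i] ^ m_block[i] for i in range(12)] + x[12:]   # undo rate ^= M0
    s = P_inv(s)
    s[15] ^= 0x02
    s0 = P_inv(P_inv(s))
    return s0[:4] if s0[4:6] == nonce and s0[6:] == CONSTS else None


def demo():
    """Random known plaintext: the forgery works only when the capacity is
    symmetric, and the correct capacity guess yields the key."""
    key = [int.from_bytes(os.urandom(4), "little") for _ in range(4)]
    nonce = [int.from_bytes(os.urandom(4), "little") for _ in range(2)]
    m = [int.from_bytes(os.urandom(4), "little") for _ in range(12)]
    c, x, tag = toy_encrypt_block(key, nonce, m)
    symmetric = x[12:] == rot_row(x[12:], 2)
    return (commutes(key + nonce + CONSTS), forgery_succeeds(c, x[12:]) == symmetric,
            recover_key(nonce, m, c, x[12:]) == key)
```

`recover_key` shows the single backward step the attack repeats for each of the 2^64 candidates X_c = (u, v, u, v): P is inverted column by column because H(x, y) is invertible bit by bit once y is known, and a wrong candidate is rejected when the recomputed initial state does not carry the nonce and the constants.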


Other NORX Versions

NORX v1.0: not affected, due to its more conservative capacity of 6w bits

NORX v3.0: while the two properties leveraged against v2.0 remain, v3.0 appears to be immune thanks to the additional key additions to the capacity
Change v2.0 → v3.0: similar to FIDES

[Figure: state in NORX v1.0, with a larger capacity part relative to the rate. NORX v3.0 mode: as in v2.0 (init(K, N, w, l, t), P, P, AD with constant 01, message with 02, trailer with 04, finalization with 08), but the key K is additionally XORed into the state after the initialization and around the final P, so the t-bit tag T depends on K directly.]

NORX8 and NORX16: appear to be immune, though their features are quite similar to those of NORX v2.0



Conclusions

FIDES: What went wrong?

Hard to rely on leak-extraction

Choice of non-MDS matrix

Absence of keyed finalization

State recovery ⇒ Key recovery

NORX v2.0: What went wrong?

Choice of a permutation P with strong distinguishers (still present in NORX v3.0)

Sponge capacity set to the limit given by the proof of the mode, despite the ideal assumption on P

Absence of keyed finalization (added in NORX v3.0)

CAESAR

Ongoing competition in need for external cryptanalysis!


Thank you for your attention!

Questions?


Outline

5 FIDES: Tables from the Attack


Step 1

[Figure: the 8-round FIDES state path X_0 → SB → SR → MC → X_1 → ... → X_8, with the guessed cells and the directly deduced cells highlighted.]

N1 (# = 12):
X3[0,0], X3[0,1], X3[0,2], X3[3,1],
X4[1,0], X4[1,1], X4[1,2],
X5[0,0], X5[0,1], X5[0,2],
X6[0,0], X6[3,1]

Legend: guessed cells / directly deduced cells


Step 1 (continued)

[Figure: the same 8-round path X_0 → ... → X_8 with the cells of N'1 highlighted.]

Propagate(N1) ⟹ N'1:
X1[0,1] X1[2,4] X2[0,1] X2[0,2] X2[0,3]
X2[1,2] X2[1,3] X2[1,4] X2[2,3] X2[2,4]
X2[2,5] X2[3,1] X3[0,3] X3[1,1] X3[1,2]
X3[1,3] X3[1,4] X3[2,1] X3[2,2] X3[2,3]
X3[2,4] X3[2,5] X3[3,3] X3[3,7] X4[0,0]
X4[0,1] X4[0,2] X4[0,3] X4[0,4] X4[0,7]
X4[1,3] X4[1,4] X4[1,5] X4[1,7] X4[2,0]
X4[2,1] X4[2,2] X4[2,3] X4[2,4] X4[2,5]
X4[3,1] X4[3,3] X4[3,7] X5[0,3] X5[1,0]
X5[1,1] X5[1,2] X5[1,3] X5[2,0] X5[2,1]
X5[2,2] X5[2,3] X5[2,4] X5[3,1] X5[3,3]
X5[3,7] X6[0,1] X6[0,2] X6[1,0] X6[1,1]
X6[1,2] X6[2,0] X6[2,1] X6[2,2] X7[0,2]
X7[2,1]


Step 2: Construction of T1 and T2

[Figure: two copies of the 8-round path X_0 → SB → SR → MC → ... → X_8, highlighting the cells stored in table T1 (top) and in table T2 (bottom).]


Step 3

[Figure: the 8-round path X_0 → ... → X_8 with the guessed cells of N2 highlighted.]

N2 (# = 3):
X1[0,3], X1[1,3], X3[2,7]


Step 3 (continued)

[Figure: the same 8-round path X_0 → ... → X_8 with the cells of N'2 highlighted.]

Propagate(N2) ⟹ N'2:
X1[2,3], X2[2,1], X1[1,2], X2[1,1], X2[2,2],
X3[1,0], X3[2,0], X4[2,7], X3[3,6], X2[0,0],
X2[3,7], X3[0,7], X2[3,6], X2[0,7], X3[1,7],
X2[1,0], X1[2,2], X1[0,2], X1[3,1], X1[1,4],
X1[2,5], X2[3,3], X3[0,4], X3[1,5], X3[2,6],
X4[3,4], X3[1,6], X2[0,6], X0[0,1], X0[0,2],
X0[1,3], X0[2,4], X0[3,1]


References I

Mohamed Ahmed Abdelraheem, Andrey Bogdanov, and Elmar Tischhauser.
Weak-Key Analysis of POET. Cryptology ePrint Archive, Report 2014/226, 2014. http://eprint.iacr.org/2014/226.

Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves.
NORX: Parallel and Scalable AEAD. In Miroslaw Kutylowski and Jaideep Vaidya, editors, Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7-11, 2014. Proceedings, Part II, volume 8713 of Lecture Notes in Computer Science, pages 19--36. Springer, 2014.

Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves.
Analysis of NORX: Investigating Differential and Rotational Properties. In Diego F. Aranha and Alfred Menezes, editors, LATINCRYPT 2014, volume 8895 of LNCS, pages 306--324, Florianópolis, Brazil, September 17--19, 2015. Springer, Heidelberg, Germany.

Christina Boura, Avik Chakraborti, Gaëtan Leurent, Goutam Paul, Dhiman Saha, Hadi Soleimany, and Valentin Suder.
Key Recovery Attack Against 2.5-Round π-Cipher. In Thomas Peyrin, editor, Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers, volume 9783 of Lecture Notes in Computer Science, pages 535--553. Springer, 2016.

Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque.
Automatic Search of Attacks on Round-Reduced AES and Applications. In Phillip Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 169--187, Santa Barbara, CA, USA, August 14--18, 2011. Springer, Heidelberg, Germany.


References II

Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche.
Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications. In Ali Miri and Serge Vaudenay, editors, SAC 2011, volume 7118 of LNCS, pages 320--337, Toronto, Ontario, Canada, August 11--12, 2012. Springer, Heidelberg, Germany.

Daniel J. Bernstein.
ChaCha, a variant of Salsa20, 2008.

Nasour Bagheri, Tao Huang, Keting Jia, Florian Mendel, and Yu Sasaki.
Cryptanalysis of Reduced NORX. In Thomas Peyrin, editor, FSE 2016, volume 9783 of LNCS, pages 554--574, Bochum, Germany, March 20--23, 2016. Springer, Heidelberg, Germany.

Alex Biryukov.
The Design of a Stream Cipher LEX. In Eli Biham and Amr M. Youssef, editors, SAC 2006, volume 4356 of LNCS, pages 67--75, Montreal, Canada, August 17--18, 2007. Springer, Heidelberg, Germany.

Andrey Bogdanov, Florian Mendel, Francesco Regazzoni, Vincent Rijmen, and Elmar Tischhauser.
ALE: AES-Based Lightweight Authenticated Encryption. In FSE, Lecture Notes in Computer Science, 2013. To appear.

Alex Biryukov, Aleksei Udovenko, and Vesselin Velichkov.
Analysis of the NORX Core Permutation. Cryptology ePrint Archive, Report 2017/034, 2017. http://eprint.iacr.org/2017/034.


References III

Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jérémy Jean, and Jean-René Reinhard.
Cryptanalysis of NORX v2.0. IACR Trans. Symmetric Cryptol., 2017(1):156--174, 2017.

Colin Chaigneau and Henri Gilbert.
Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks? IACR Trans. Symmetric Cryptol., 2016(1):114--133, 2016.

Itai Dinur and Jérémy Jean.
Cryptanalysis of FIDES. In Carlos Cid and Christian Rechberger, editors, FSE 2014, volume 8540 of LNCS, pages 224--240, London, UK, March 3--5, 2015. Springer, Heidelberg, Germany.

Orr Dunkelman and Nathan Keller.
Cryptanalysis of the Stream Cipher LEX. Des. Codes Cryptography, 67(3):357--373, 2013.

Orr Dunkelman and Liam Keliher, editors.
Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, volume 9566 of Lecture Notes in Computer Science. Springer, 2016.

Xiaoyang Dong, Zheng Li, Xiaoyun Wang, and Ling Qin.
Cube-like Attack on Round-Reduced Initialization of Ketje Sr. IACR Trans. Symmetric Cryptol., 2017(1):259--280, 2017.


References IV

Sourav Das, Subhamoy Maitra, and Willi Meier.
Higher Order Differential Analysis of NORX. Cryptology ePrint Archive, Report 2015/186, 2015.

Joan Daemen and Vincent Rijmen.
A New MAC Construction ALRED and a Specific Instance ALPHA-MAC. In Henri Gilbert and Helena Handschuh, editors, FSE 2005, volume 3557 of LNCS, pages 1--17, Paris, France, February 21--23, 2005. Springer, Heidelberg, Germany.

Thomas Fuhr, Gaëtan Leurent, and Valentin Suder.
Collision Attacks Against CAESAR Candidates - Forgery and Key-Recovery Against AEZ and Marble. In Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of LNCS, pages 510--532, Auckland, New Zealand, November 30 -- December 3, 2015. Springer, Heidelberg, Germany.

Jian Guo, Jérémy Jean, Thomas Peyrin, and Lei Wang.
Breaking POET Authentication with a Single Query. Cryptology ePrint Archive, Report 2014/197, 2014. http://eprint.iacr.org/2014/197.

Tao Huang, Ivan Tjuawinata, and Hongjun Wu.
Differential-Linear Cryptanalysis of ICEPOLE. In Gregor Leander, editor, FSE 2015, volume 9054 of LNCS, pages 243--263, Istanbul, Turkey, March 8--11, 2015. Springer, Heidelberg, Germany.

Goce Jakimoski and Samant Khajuria.
ASC-1: An Authenticated Encryption Stream Cipher. In Ali Miri and Serge Vaudenay, editors, SAC 2011, volume 7118 of LNCS, pages 356--372, Toronto, Ontario, Canada, August 11--12, 2012. Springer, Heidelberg, Germany.


References V

Philipp Jovanovic, Atul Luykx, and Bart Mennink.
Beyond 2^{c/2} Security in Sponge-Based Authenticated Encryption Modes. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 85--104, Kaoshiung, Taiwan, R.O.C., December 7--11, 2014. Springer, Heidelberg, Germany.

Jérémy Jean, Ivica Nikolic, Yu Sasaki, and Lei Wang.
Practical Cryptanalysis of PAES. In Antoine Joux and Amr M. Youssef, editors, SAC 2014, volume 8781 of LNCS, pages 228--242, Montreal, QC, Canada, August 14--15, 2014. Springer, Heidelberg, Germany.

Dmitry Khovratovich and Christian Rechberger.
The LOCAL Attack: Cryptanalysis of the Authenticated Encryption Scheme ALE. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 174--184, Burnaby, BC, Canada, August 14--16, 2014. Springer, Heidelberg, Germany.

Zheng Li, Xiaoyang Dong, and Xiaoyun Wang.
Conditional Cube Attack on Round-Reduced ASCON. IACR Trans. Symmetric Cryptol., 2017(1):175--202, 2017.

Mridul Nandi.
XLS is Not a Strong Pseudorandom Permutation. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 478--490, Kaoshiung, Taiwan, R.O.C., December 7--11, 2014. Springer, Heidelberg, Germany.

Thomas Peyrin, Siang Meng Sim, Lei Wang, and Guoyan Zhang.
Cryptanalysis of JAMBU. In Gregor Leander, editor, FSE 2015, volume 9054 of LNCS, pages 264--281, Istanbul, Turkey, March 8--11, 2015. Springer, Heidelberg, Germany.


References VI

Yu Sasaki and Lei Wang.
A Forgery Attack against PANDA-s. Cryptology ePrint Archive, Report 2014/217, 2014. http://eprint.iacr.org/2014/217.

Zheng Yuan, Wei Wang, Keting Jia, Guangwu Xu, and Xiaoyun Wang.
New Birthday Attacks on Some MACs Based on Block Ciphers. In Shai Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, pages 209--230, Santa Barbara, CA, USA, August 16--20, 2009. Springer, Heidelberg, Germany.
