Authenticated Encryption Schemes and Cryptanalysis
Jérémy Jean
Laboratoire Crypto
Agence Nationale de la Sécurité des Systèmes d’Information
26 April 2017
Introduction Cryptanalysis of FIDES Cryptanalysis of NORX v2.0 Conclusions
Outline
1 Introduction
   a. Authenticated Encryption
   b. CAESAR Competition
   c. Outline
2 Cryptanalysis of FIDES
   a. Specifications
   b. State Recovery
   c. Forgery
   d. Partial Countermeasure
3 Cryptanalysis of NORX v2.0
   a. Generalities
   b. Specifications
   c. Analysis of P
   d. Forgery Attack
   e. Key-Recovery Attack
   f. NORX Versions
4 Conclusions
1/49 Jérémy Jean (ANSSI) // Authenticated Encryption Schemes and Cryptanalysis
Authenticated Encryption | CAESAR Competition | Outline |
Generalities
[Figure: Alice sends a message (01010....001) to Bob over a communication channel; Eve can listen to it or modify it.]
Confidentiality
Eve passively listens to the message sent
Need for encryption
Integrity
Eve actively listens and modifies
Bob cannot know whether Eve changed anything
Need for integrity (not necessarily encrypted)
Authenticated Encryption: Security and Composition
Security Goals
Confidentiality of messages exchanged
Integrity of messages exchanged
Adversarial Model
Adversary can tamper with the channel (read, write, delete, etc.)
Adversary can query both chosen plaintexts and ciphertexts
Generic Composition
Encryption: We know some secure schemes (e.g., AES-CBC, AES-CTR)
Authentication: We know some secure MACs (e.g., HMAC, CMAC)
Natural question: Can we combine them to get AE? Yes, we can (well, sort of).
Authenticated Encryption: Generic Composition
Let $K_{enc}$ and $K_{mac}$ be two keys, and $m$ the message to consider.
Encrypt-and-MAC (E&M)
$c \leftarrow E_{K_{enc}}(m)$
$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(m)$
Return $(c, \tau)$
MAC-then-Encrypt (MtE)
$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(m)$
$c \leftarrow E_{K_{enc}}(m \,\|\, \tau)$
Return $c$
Encrypt-then-MAC (EtM)
$c \leftarrow E_{K_{enc}}(m)$
$\tau \leftarrow \mathrm{MAC}_{K_{mac}}(c)$
Return $(c, \tau)$
E&M Security
Used in SSH
No integrity on $c$
MtE Security
Used in TLS
Susceptible to padding oracle attacks
EtM Security
Best composition
Used in IPSec
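The three compositions above, written out as an added example (not code from the slides): each one is implemented with a stand-in cipher E (a counter-mode stream built from HMAC-SHA256 as a PRF, instead of the AES-CTR named on the slide; the composition logic is the same for any IND-CPA cipher) and HMAC-SHA256 as the MAC. Two checks make the slide's verdicts concrete: in E&M the tag is a deterministic function of the plaintext, so two encryptions of the same message share a tag, and in EtM a modified ciphertext is rejected by the MAC before the decryption routine ever runs. Keys and messages in the checks are constructed sample values.

```python
import hmac
import hashlib
import os
import struct

# Added example: generic composition of an encryption scheme E and a MAC.
# Assumption: E is a counter-mode stream cipher whose keystream is HMAC-SHA256
# (a PRF) over nonce || counter, standing in for AES-CTR.

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC(key, nonce || ctr) blocks."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(k_enc: bytes, m: bytes) -> bytes:
    """E_{K_enc}(m) = nonce || (m XOR keystream), fresh random nonce."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(k_enc, nonce, len(m))
    return nonce + bytes(a ^ b for a, b in zip(m, ks))


def decrypt(k_enc: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    ks = _keystream(k_enc, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def mac(k_mac: bytes, data: bytes) -> bytes:
    """MAC_{K_mac}(data) = HMAC-SHA256."""
    return hmac.new(k_mac, data, hashlib.sha256).digest()


# Encrypt-and-MAC: tag over the plaintext; the ciphertext itself is unauthenticated.
def eam_encrypt(k_enc, k_mac, m):
    return encrypt(k_enc, m), mac(k_mac, m)


def eam_decrypt(k_enc, k_mac, c, tag):
    m = decrypt(k_enc, c)  # has to decrypt before it can verify anything
    if not hmac.compare_digest(mac(k_mac, m), tag):
        raise ValueError("E&M: tag mismatch")
    return m


# MAC-then-Encrypt: tag appended to the plaintext, then both are encrypted.
def mte_encrypt(k_enc, k_mac, m):
    return encrypt(k_enc, m + mac(k_mac, m))


def mte_decrypt(k_enc, k_mac, c):
    p = decrypt(k_enc, c)  # decrypt first, then parse and verify
    m, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    if not hmac.compare_digest(mac(k_mac, m), tag):
        raise ValueError("MtE: tag mismatch")
    return m


# Encrypt-then-MAC: tag over the ciphertext, verified before any decryption.
def etm_encrypt(k_enc, k_mac, m):
    c = encrypt(k_enc, m)
    return c, mac(k_mac, c)


def etm_decrypt(k_enc, k_mac, c, tag):
    if not hmac.compare_digest(mac(k_mac, c), tag):
        raise ValueError("EtM: tag mismatch")  # rejected without running E^-1
    return decrypt(k_enc, c)


def roundtrip_all(k_enc, k_mac, m):
    """All three compositions decrypt their own output back to m."""
    c, t = eam_encrypt(k_enc, k_mac, m)
    ok = eam_decrypt(k_enc, k_mac, c, t) == m
    ok = ok and mte_decrypt(k_enc, k_mac, mte_encrypt(k_enc, k_mac, m)) == m
    c, t = etm_encrypt(k_enc, k_mac, m)
    return ok and etm_decrypt(k_enc, k_mac, c, t) == m


def eam_tag_reveals_plaintext_equality(k_enc, k_mac, m):
    """E&M weakness: MAC(m) is deterministic, so encrypting the same message
    twice gives different ciphertexts but identical tags."""
    c1, t1 = eam_encrypt(k_enc, k_mac, m)
    c2, t2 = eam_encrypt(k_enc, k_mac, m)
    return t1 == t2 and c1 != c2


def etm_rejects_modified_ciphertext(k_enc, k_mac, m):
    """EtM: a single flipped ciphertext bit is caught by the MAC check."""
    c, tag = etm_encrypt(k_enc, k_mac, m)
    c_mod = c[:-1] + bytes([c[-1] ^ 0x01])
    try:
        etm_decrypt(k_enc, k_mac, c_mod, tag)
    except ValueError:
        return True
    return False
```

The constant-time `hmac.compare_digest` is used in all three verifiers; the point of the comparison is not the primitive but the order of operations, which is why only EtM can reject bad input before the decryption code path is exercised.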
Authenticated Encryption (AE) with a Single Primitive
Motivations
Reach AE with one primitive and a single key
Few dedicated ciphers and modes (e.g., AES-GCM) achieve AE
Focus on this topic with the CAESAR competition since 2013
Regular Encryption
$(M, K) \rightarrow C$
AE
$(M, K) \rightarrow (C, T)$
AEAD
$(A, M, K) \rightarrow (A, C, T)$
$M$: plaintext, $C$: ciphertext, $K$: key
$T$: authentication tag, $A$: optional associated data
AEAD: Authenticated Encryption with Associated Data
Some Known AEAD
GCM
Designed by Viega and McGrew
AES-GCM is probably the most widely used AE
Approved by NIST
Limitations:
Not so simple to implement
Not so fast
Completely insecure under nonce repetition
Limit on the plaintext length: about $2^{39}$ bits (64 GB)
OCB
Designed by Rogaway
Conceptually much simpler: basically ECB with a different permutation for each block
Fast but still insecure under nonce repetition
CAESAR Competition: An Overview
Competition for Authenticated Encryption: Security, Applicability, and Robustness
Announced in 2013
Process similar to AES and SHA-3 competitions
Held by Dan Bernstein
Internal analysis by a committee of 18 cryptographers
Aim at selecting a portfolio of algorithms:
That offer advantages over AES-GCM
Are suitable for widespread adoption
Notes
Algorithms should be AEAD: $(A, M, K) \rightarrow (A, C, T)$
Handles byte strings (not bitstrings)
Current tentative date for the announcement of the final portfolio: December 15, 2017
CAESAR Competition: Entering Round 1
57 algorithms submitted (March 2014)
++AE
ACORN
AEGIS
AES-CMCC
AES-COBRA
AES-COPA
AES-CPFB
AES-OTR
AEZ
Artemia
Ascon
AVALANCHE
Calico
CBA
CBEAM
CLOC
Deoxys
ELmD
Enchilada
FASER
HKC
HS1-SIV
ICEPOLE
iFeed[AES]
JAMBU
Joltik
Julius
Ketje
Keyak
KIASU
LAC
Marble
McMambo
Minalpher
MORUS
NORX
OCB
OMD
PAEQ
PAES
PANDA
π-Cipher
POET
POLAWIS
Prøst
PRIMATEs
Raviyoyla
Sablier
SCREAM
SHELL
SILC
Silver
STRIBOB
Tiaoxin
TriviA-ck
Wheesht
YAES
CAESAR Competition: During Round 1
Notable events
Attacks on (non-exhaustive):
COBRA (Nandi, 2014)
iFEED (Schroé, Mennink, and Andreeva, 2014)
LAC [DK16]
Marble [FLS15]
PAES [JNSW14]
PANDA [SW14]
Cryptanalysis of XLS constructions [Nan14]
9 algorithms were withdrawn
Decision
The committee selected 29 algorithms to advance to the next round
CAESAR Competition: Entering Round 2
29 algorithms selected to enter Round 2 (June 2015)
ACORN
AEGIS
AES-OTR
AEZ
Ascon
CLOC & SILC
AES-COPA
ELmD
Deoxys
JAMBU
Ketje
Keyak
MORUS
NORX
OCB
Tiaoxin
HS1-SIV
ICEPOLE
Joltik
Minalpher
OMD
PAEQ
π-Cipher
POET
PRIMATEs
SCREAM
SHELL
STRIBOB
TriviA-ck
CAESAR Competition: During Round 2
Notable events
Key Recovery of 2.5-round π-Cipher [BCL+16]
Forgery of ICEPOLE [HTW15]
Weak-key analysis of POET [GJPL14, ABT14]
Decision
The committee selected 15 algorithms to advance to the next round
CAESAR Competition: Entering Round 3
15 algorithms selected to enter Round 3 (August 2016)
ACORN
AEGIS
AES-OTR
AEZ
Ascon
CLOC & SILC
COLM
Deoxys
JAMBU
Ketje
Keyak
MORUS
NORX
OCB
Tiaoxin
Notable events
The submitters were asked to choose between three use cases:
Lightweight applications (constrained environments)
High-performance applications (high-end platforms)
Defense in depth (e.g., security despite nonce misuse)
Cryptanalytic results:
Nonce-repeating observations on AEZ [CG16]
Cryptanalysis of full NORX [CFG+17a]
Cube Attack on Round-Reduced Ascon [LDW17]
Observations on the initialization in Ketje Sr. [DLWQ17]
CAESAR Competition: Several Classifications of Candidates
Type
BC (block cipher): GCM, OCB, COLM, OTR, CLOC & SILC, JAMBU, AEZ, Deoxys (TBC), AEGIS, Tiaoxin
Sponge: Ketje, Keyak, NORX, Ascon
Stream: ACORN, MORUS
Security
Nonce may repeat: COLM, AEZ, Deoxys, JAMBU ([PSWZ15])
Nonce must not repeat: all the others
Other comparisons: RUP security, online-ness, inverse-free-ness, software performances, hardware, etc.
In the Rest of this Talk
Cryptanalysis of two AE algorithms
First Part
Itai Dinur and JJ
Cryptanalysis of FIDES
In Carlos Cid and Christian Rechberger, editors, FSE 2014, volume 8540 of LNCS, pages 224--240, London, UK, March 3--5, 2015. Springer, Heidelberg, Germany.
Second Part
C. Chaigneau, T. Fuhr, H. Gilbert, JJ, and J.-R. Reinhard
Cryptanalysis of NORX v2.0
IACR Trans. Symm. Cryptol., 2017(1):156--174, 2017.
Specifications | State Recovery | Forgery | Partial Countermeasure |
Description of FIDES (1/2)
FIDES
Designed by Bilgin et al. and published at CHES 2013
Nonce-based lightweight AEAD (N)
Key sizes: 80 and 96 bits (K)
Handle optional associated data (A)
Leak-extraction structure similar to the duplex sponge construction
Permutation: application of an unkeyed AES round
Not submitted to the CAESAR competition
[Figure: FIDES mode. Initialization: 16 rounds on K||N, with K||0 (16c bits) injected afterwards; associated data A_0, ..., A_{v−1} absorbed one block per round; message blocks M_0, ..., M_{n−1} encrypted into C_0, ..., C_{n−1} one block per round; finalization: 16 rounds, then truncation to obtain the tag T.]
Description of FIDES (2/2)
Internal state:
Total size: $4 \times 8 \times c$ bits
Word size $c$: $c = 5$ bits for FIDES-80, $c = 6$ bits for FIDES-96
One Round of the Internal Permutation:
Extract $2c$-bit mask $\rightarrow$ $2c$-bit message injection $\rightarrow$ AES-like operations: SubBytes, ShiftRows, MixColumns, AddRoundKey
Suboptimal diffusion matrix (non MDS)
Diffusion Matrix
$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$
[Figure: one round on the internal state of $4 \times 8$ words of $c$ bits: injection of $M_i$ (Inj), SubBytes (SB), ShiftRows (SR), MixColumns (MC), and constant addition (AC) with round constant $RC_i$.]
Leakage and Security Claims
Leakage
The same positions are used to leak and inject nibbles
2c out of 32c bits are leaked before each round
Security Claims
Nonce-respecting adversary assumption
Attack scenarios: state recovery, key recovery and forgery
FIDES advertises 16c-bit security against all scenarios
Our Attack
State recovery can be done in $2^{15c}$ operations
We can forge any message after a state recovery
Similar designs
FIDES is reminiscent of other AES-based designs using leak-extraction
LEX [Bir07]
128-bit key stream cipher
4/16 leaked nibbles per round
No injection (stream cipher)
Broken [DK13, BDF11]
Alpha-MAC [DR05]
128-bit MAC
4 nibbles injected per round
No extraction
Broken [YWJ+09, BDF11]
ALE [BMR+13]
128-bit AE cipher
4/16 leaked nibbles per round
Inject 16 nibbles every 4 rnds
Broken [KR14]
ASC-1 [JK12]
128-bit AE cipher
4/16 leaked nibbles per round
Inject 16 nibbles every 4 rnds
Whitening key before leakage
Results on FIDES
Results
Cipher   | Data | Time     | Memory   | Generic  | Ref
FIDES-80 | 1 KP | $2^{75}$ | $2^{15}$ | $2^{80}$ | [DJ15]
FIDES-96 | 1 KP | $2^{90}$ | $2^{18}$ | $2^{96}$ | [DJ15]
Notes:
Guess-and-determine attacks
Recover the internal state
Allow to forge arbitrary messages
Preliminaries (1/2)
How many leaked nibbles are needed to recover the state faster than exhaustive search?
Information Theoretic Argument
The state consists of 32 nibbles
Known-plaintext scenario
15 rounds would leak a total of $(15 + 1) \times 2 = 32$ state nibbles
Uniquely determine the state
But analyzing 15 consecutive AES-like rounds is difficult
[Figure: initialization on K||N, then a chain of single rounds (1 Round) each leaking $2c$ bits, then the 16-round finalization and truncation to the tag T.]
Preliminaries (2/2)
With $n \in [0, 14]$ rounds:
Reduce the analysis to $n$ consecutive AES-like rounds
A total of $(n + 1) \times 2$ state nibbles are leaked
Unicity of the state no longer true: about $2^{(32 - 2n - 2) \cdot c}$ different initial states would leak the same sequence
Goal: Generating all of them in less than $2^{16c}$ computations
$32 - 2n - 2 < 16 \implies n \geq 8$
Our Attack
We use the knowledge of 18 leaked nibbles, in 9 consecutive states linked by $n = 8$ rounds (in fact, only 17 nibbles)
Data: less than 16 bytes of a single known plaintext
Time: about $2^{15c}$ computations to enumerate the $2^{(32 - 17)c} = 2^{15c}$ state candidates
Check: additional leaked bytes, or authentication tag $T$
High-Level Overview of the State-Recovery Attack
[Figure: states $X_0, X_1, \dots, X_8$ linked by eight single rounds (1R); the guessed nibble sets $N_1$ and $N_2$ and the tables $T_1$ and $T_2$ are attached to intermediate states.]
Steps of the Guess-and-determine Procedure
1. Guess the 12 nibbles in the set $N_1$
2. Determine other nibble values ($N'_1$)
3. Construct two tables $T_1$ and $T_2$ (independently)
4. Guess the 3 nibbles in the set $N_2$
5. Determine new nibble values ($N'_2$)
6. Use the tables $T_1$ and $T_2$ to fully recover a middle state
Main Property
Observation
The guess-and-determine algorithm relies on the MixColumns binary matrix $M$ that has a branching number of 4 (non MDS, AES: 5).
$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}$$
Let $x = [x_0, x_1, x_2, x_3]$ and $y = [y_0, y_1, y_2, y_3]$. There are linear dependencies between 4 nibbles of $x$ and $y = Mx$.
Property 1
For all $i, j \in \{0, 1, 2, 3\}$ such that $i \neq j$: $x_i \oplus x_j = y_i \oplus y_j$.
Property 2
For all $i \in \{0, 1, 2, 3\}$: $y_i = x_{i+1} \oplus x_{i+2} \oplus x_{i+3}$ (indices mod 4)
$x_i = y_{i+1} \oplus y_{i+2} \oplus y_{i+3}$
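The diffusion matrix $M$ from the FIDES description and the two properties just stated, checked exhaustively as an added example (this is not code from the slides or from the FIDES designers). The block applies $M$ to a column of four $c$-bit words by XOR, verifies Properties 1 and 2 on every possible column, and computes the branch number $\min_{x \neq 0}(\mathrm{wt}(x) + \mathrm{wt}(Mx))$ that the observation quotes. The check runs with $c = 3$ to keep it fast; since $M$ is a binary matrix the result is the same for the FIDES word sizes $c = 5$ and $c = 6$ (passing `c=5` enumerates about a million columns). The input values are constructed for the check.

```python
from itertools import product

# Added example: the FIDES MixColumns matrix M over c-bit words. An entry 1 in
# row i, column j means "XOR x_j into y_i"; there is no field multiplication.
M = [
    [0, 1, 1, 1],
    [1, 0, 1, 1],
    [1, 1, 0, 1],
    [1, 1, 1, 0],
]


def _xor_all(words):
    acc = 0
    for w in words:
        acc ^= w
    return acc


def mix_column(x):
    """y = M x over c-bit words (word-wise XOR according to M)."""
    return [_xor_all(x[j] for j in range(4) if M[i][j]) for i in range(4)]


def property1_holds(x, y):
    """Property 1: x_i XOR x_j == y_i XOR y_j for all i != j."""
    return all(x[i] ^ x[j] == y[i] ^ y[j]
               for i in range(4) for j in range(4) if i != j)


def property2_holds(x, y):
    """Property 2: y_i == x_{i+1} ^ x_{i+2} ^ x_{i+3} and the same relation
    with x and y swapped, indices taken mod 4."""
    return all(
        y[i] == x[(i + 1) % 4] ^ x[(i + 2) % 4] ^ x[(i + 3) % 4]
        and x[i] == y[(i + 1) % 4] ^ y[(i + 2) % 4] ^ y[(i + 3) % 4]
        for i in range(4)
    )


def properties_hold_for_all_columns(c):
    """Exhaustive check of both properties over every column of four c-bit words."""
    return all(
        property1_holds(x, mix_column(x)) and property2_holds(x, mix_column(x))
        for x in product(range(1 << c), repeat=4)
    )


def weight(v):
    """Number of non-zero words in a column."""
    return sum(1 for w in v if w != 0)


def branch_number(c):
    """min over non-zero x of wt(x) + wt(Mx). An MDS 4x4 matrix such as the AES
    MixColumns reaches 5; a value of 4 is what makes M non-MDS."""
    best = None
    for x in product(range(1 << c), repeat=4):
        if any(x):
            total = weight(x) + weight(mix_column(x))
            if best is None or total < best:
                best = total
    return best


def low_weight_witness(c):
    """A concrete column reaching the bound: two equal words in positions 0
    and 1 cancel in y_2 and y_3, so wt(x) + wt(Mx) = 2 + 2 = 4."""
    x = [1, 1, 0, 0]  # constructed input, valid for any c >= 1
    return x, mix_column(x)
```

The witness is exactly the kind of relation a guess-and-determine procedure exploits: knowing two words of a column pins down two words of its image through $M$, with no constraint on the other two.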
Final Step: Post-Filtering
Guess-and-Determine Algorithm
Requires $2^{(12+3)c} = 2^{15c}$ computations
Generates $2^{15c}$ possible internal states
We post-filter all those states against extra variables
We expect only the correct state to remain
Attack Complexity
Data: 17 consecutive leaked nibbles of a KP + additional values
Memory: $2^{3c}$ elements in tables $T_1$ and $T_2$
Time: $2^{15c}$ operations (simpler than a full encryption)
Forgery after the State Recovery
Finalization
The initialization of FIDES does not depend on the message.
The finalization of FIDES does not depend on the key.
Consequence
Once the state is recovered:
we know the state Init(K||N) after the 16-round initialization
we can simulate the encryption of any arbitrary message and produce a valid tag
[Figure: FIDES mode as before: 16-round initialization on K||N with K||0 injected, absorption of A_0, ..., A_{v−1}, encryption of M_0, ..., M_{n−1} into C_0, ..., C_{n−1}, 16-round finalization and truncation to the tag T.]
Countermeasure Against (State Recovery $\implies$ Forgery)
Simple Idea
Make both the initialization and the finalization key-dependent
Example of Ascon (CAESAR candidate, Round 3)
By: C. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer
"(...) Ascon uses a stronger keyed initialization and keyed finalization phase. The result is that even an entire state recovery is not sufficient to recover the secret key or to allow universal forgery."
[Figure: Ascon mode on a 320-bit state. Initialization: $p^a$ applied to IV||K||N, then $0^*$||K XORed into the capacity ($c$ bits). Associated Data: $A_1, \dots, A_s$ XORed into the rate ($r$ bits) with $p^b$ between blocks, then $0^*$||1 XORed into the capacity. Plaintext: $P_1, \dots, P_t$ encrypted into $C_1, \dots, C_t$ with $p^b$ between blocks. Finalization: K||$0^*$ XORed into the state, $p^a$, then XOR with K to output the $k$-bit tag T.]
Initialization | Associated Data | Plaintext | Finalization
Note: Also the case of NORX, another CAESAR candidate
Generalities | Specifications | Analysis of P | Forgery Attack | Key-Recovery Attack | NORX Versions |
NORX: a CAESAR Candidate
Three Main Versions
Designed by Aumasson, Jovanovic, Neves
History in the CAESAR competition:
Initial submission: NORX v1 (selected for Round 2)
August 2015: NORX v2.0 (selected for Round 3)
September 2016: NORX v3.0
Main Features of NORX v2.0
Two word sizes: $w = 32$ or $64$ bits $\implies$ NORX32 and NORX64 instances
Key and tag sizes: $|K| = |T| = 4w$ (128 or 256 bits)
Claimed security level: 4w bits
Sponge-based construction (MonkeyDuplex)
State permutation P: inspired from ARX primitives (e.g., ChaCha)
Security Analysis: Published Results
Security Proofs of the Mode
[JLM14]: security proofs in sponge-based AE modes beyond $2^{c/2}$
Provides arguments for decreasing the capacity from $6w$ bits to $4w$ bits between NORX v1.0 and v2.0
Reduced-Round Attacks
[BHJ+16]: Key-recovery for reduced version of NORX v2.0
Half the number of rounds of the underlying permutation $P$
Due to slow backward diffusion of $P$
Analysis of the Permutation
[AJN14, AJN15]: differential and rotational properties
[DMM15]: Higher-order differential properties
Distinguishers for 3.5-round NORX32 and full-round NORX64
[BUV17]: Symmetries inside the internal permutation
Similar to what we present
Our Results
Our Attack
Ciphertext-only forgery attack on full NORX v2.0
Trivial known-plaintext key recovery once a forgery is achieved
Version          | Key size | Tag size | Data      | Time
NORX v2.0        | 128      | 128      | $2^{66}$  | $2^{66}$
NORX v2.0 CAESAR | 128      | 128      | $2^{72}$  | $2^{72}$
NORX v2.0        | 256      | 256      | $2^{130}$ | $2^{130}$
NORX v2.0 CAESAR | 256      | 256      | $2^{136}$ | $2^{136}$
Note: CAESAR NORX handles only byte strings
FSE/ToSC 2017
C. Chaigneau, T. Fuhr, H. Gilbert, JJ, and J.-R. Reinhard
Cryptanalysis of NORX v2.0
IACR Trans. Symm. Cryptol., 2017(1):156--174, 2017.
Description of NORX v2.0: NORX32 Instance
Parameters
Word size: w = 32 bits
Key K: 128 bits
Rate r: 384 bits
State size: r + c = 512 bits
Nonce N: 64 bits
Tag T: 128 bits
Capacity c: 128 bits
[Figure: NORX32 mode. init(K, N, w, l, t), two applications of P, then domain-separation constants XORed into the state before each call to P: 01 for the associated data blocks A_0, ..., A_{a−1}, 02 for the message blocks M_0/C_0, ..., M_{m−1}/C_{m−1}, 04 for the trailer blocks Z_0, ..., Z_{z−1}, 08 before tag extraction; rate lane of $r$ bits and capacity lane of $c$ bits; the tag T is truncated to $t$ bits.]
Security Claims
Model: Nonce-respecting adversary
Data limitation: at most $2^{64}$ messages processed per key
Security claimed: 128 bits (capacity size)
NORX Mode of Operation
Based on the MonkeyDuplex mode [BDPV12]
This talk: focus on NORX32 (128-bit key, 128-bit tag)
Out of scope: parallel mode, authenticated trailer
Encryption
[Figure: as on the previous slide: init(K, N, w, l, t), P, P, then absorption of A_0, ..., A_{a−1} (domain constant 01), encryption of M_0, ..., M_{m−1} into C_0, ..., C_{m−1} (02), absorption of the trailer blocks Z_0, ..., Z_{z−1} (04), and extraction of the tag T (08), truncated to $t$ bits; rate $r$ and capacity $c$ lanes.]
Decryption
[Figure: the same chain with a 384-bit rate and a 128-bit capacity; the ciphertext blocks C_i are written into the rate and the plaintext blocks M_i recovered; the recomputed 128-bit tag is compared with the received tag (T?).]
NORX Internal State and Permutation P
Permutation Inspired by ChaCha stream cipher [Ber08]
Operates on a 512-bit state S
State represented as a $4 \times 4$ matrix of 32-bit words
Internal State
$$S = \begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}$$
Rate part: the first three rows, $s_0, \dots, s_{11}$ (384 bits); Capacity part: the last row, $s_{12}, \dots, s_{15}$ (128 bits)
Permutation P
P: state permutation over $\{0, 1\}^{16 \times 32}$
$P = F^4$ (4 rounds of $F$)
$F$: uses a permutation $G$ of $\{0, 1\}^{4 \times 32}$
NORX Internal State and Permutation P
Permutation P
$P = F^4 = (G_{diag} \circ G_{col})^4$
$G_{col}$: $G$ applied to each column of $S$: $(s_0, s_4, s_8, s_{12})$, $(s_1, s_5, s_9, s_{13})$, $(s_2, s_6, s_{10}, s_{14})$, $(s_3, s_7, s_{11}, s_{15})$
$G_{diag}$: $G$ applied to each diagonal of $S$: $(s_0, s_5, s_{10}, s_{15})$, $(s_1, s_6, s_{11}, s_{12})$, $(s_2, s_7, s_8, s_{13})$, $(s_3, s_4, s_9, s_{14})$
$G$ operates on $\{0, 1\}^{4 \times 32}$
Permutation G
Permutation G
[Figure: $G$ maps $(a, b, c, d)$ to $(a', b', c', d')$ through four rotation steps, drawn as $\ggg 16$, $\ggg 12$, $\ggg 8$, $\ggg 7$.]
Mimic ARX (no modular addition): the addition $x \boxplus y$ is replaced by
$(x \oplus y) \oplus ((x \wedge y) \ll 1)$
$G_{col}$
$G(s_0, s_4, s_8, s_{12})$, $G(s_1, s_5, s_9, s_{13})$, $G(s_2, s_6, s_{10}, s_{14})$, $G(s_3, s_7, s_{11}, s_{15})$
$G_{diag}$
$G(s_0, s_5, s_{10}, s_{15})$, $G(s_1, s_6, s_{11}, s_{12})$, $G(s_2, s_7, s_8, s_{13})$, $G(s_3, s_4, s_9, s_{14})$
P: 4 rounds of $G_{col}$ then $G_{diag}$
Words of row $i$ = $i$-th input of $G$
A First Property of P
[AJN15]
The designers observe the existence of weak states
[Figure: a state whose four columns are all equal to $(a, b, c, d)$ is mapped by $P$ to a state whose four columns are all equal to $(a', b', c', d')$.]
Property
If: all columns of $S \in \{0, 1\}^{16 \times 32}$ are equal
Then: all columns of $G_{col}(S)$, of $G_{diag}(S)$ and therefore of $P(S)$ are equal
Note: There are $2^{128}$ such weak states
A Stronger Property of P
[CFG+17b] and independently in [BUV17]
The permutation P commutes with column rotation S ! S≪1
[Figure: $S = (s_0, \dots, s_{15})$ and $S^{\ll 1}$, the state obtained by cyclically shifting the four columns of $S$ by one position.]
Property
$\forall i \in \{1, 2, 3\}: P(S)^{\ll i} = P(S^{\ll i})$
Notes
Generalizes the previous prop.: $S^{\ll 1} = S \implies P(S^{\ll 1}) = P(S)$
Proof: Rotation commutes with $G_{col}$ and $G_{diag}$, hence with $P$
In the sequel, we use rotation by 2
Proof: Commuting Permutation Property of Gcol
[Figure: applying $G_{col}$ to $S$ and then rotating the columns by one ($\ll 1$) gives the same state $(s'_0, \dots, s'_{15})$, rotated, as rotating $S$ first and then applying $G_{col}$: each column is processed by the same $G$, independently of its position.]
Proof: Commuting Permutation Property of Gdiag
[Figure: commutative diagram: S = (s0, …, s15) →(≪1)→ S≪1; Gdiag maps S to S′ = (s′0, …, s′15) and S≪1 to S′≪1, so Gdiag(S≪1) = Gdiag(S)≪1]
Forgery Attack Without Padding (1/2)
Without loss of generality: no associated or trailer data, one-block message
Known Ciphertext: (N, C0, T)
[Figure: NORX v2.0 encryption of one block: state (0, 0) → init(K, N, w, l, t) → P, P → domain constant 01 → P → M0 absorbed into the rate, C0 output → domain constant 08 → state X → P² → tag T (t bits); rate r, capacity c]
Forgery Attempt: (N, AD, C0≪2, T≪2)
[Figure: the same pipeline with C0≪2 absorbed instead of C0, giving state X′, then P²(X′) and tag T′]
Details
If X′ = X≪2 then P²(X′) = P²(X≪2) = P²(X)≪2, thus T′ = T≪2
How to ensure X′ = X≪2?
Forgery Attack Without Padding (2/2)
Forgery attack: get a known ciphertext (C0, T), try to forge (C0≪2, T≪2)
Success probability: 2^-64
Why it works: if the capacity is symmetric (Xc = Xc≪2), then the forgery attempt succeeds
[Figure: the forgery attempt pipeline (init(K, N, w, l, t) → P, P → 01 → P → C0≪2 → 08 → X′ → P²(X′) → T′), with the state X split into its rate part (C0, which can be controlled: apply ≪2) and its capacity part Xc (which cannot be controlled)]
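The two structural properties of P (weak states, commutation with column rotation) and the capacity-symmetry condition behind the forgery, checked in code. This is an added example written for this page, not code from the talk or the NORX reference implementation; it assumes NORX32's word size and rotation constants (8, 11, 16, 31) and the slides' state layout (rows s0..s3, s4..s7, s8..s11, s12..s15, capacity in the last row), and the properties checked hold for any G, so the exact constants do not matter.

```python
import os

MASK = 0xFFFFFFFF        # w = 32 (NORX32)
ROT = (8, 11, 16, 31)    # NORX32 rotation constants; the checks below hold for any choice

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK
def H(x, y):  # NORX non-linear operation: XOR plus the AND shifted left by one
    return ((x ^ y) ^ ((x & y) << 1)) & MASK

def G(a, b, c, d):
    a = H(a, b); d = rotr(a ^ d, ROT[0])
    c = H(c, d); b = rotr(b ^ c, ROT[1])
    a = H(a, b); d = rotr(a ^ d, ROT[2])
    c = H(c, d); b = rotr(b ^ c, ROT[3])
    return a, b, c, d

# State: 16 words, s[4*row + col]; the i-th input of G comes from row i.
# In NORX v2.0 the 4w-bit capacity is the last row, s[12:16].
def G_col(s):
    s = list(s)
    for c in range(4):
        s[c], s[4 + c], s[8 + c], s[12 + c] = G(s[c], s[4 + c], s[8 + c], s[12 + c])
    return s

def G_diag(s):  # diagonals (s0,s5,s10,s15), (s1,s6,s11,s12), (s2,s7,s8,s13), (s3,s4,s9,s14)
    s = list(s)
    for c in range(4):
        i = [c, 4 + (c + 1) % 4, 8 + (c + 2) % 4, 12 + (c + 3) % 4]
        s[i[0]], s[i[1]], s[i[2]], s[i[3]] = G(s[i[0]], s[i[1]], s[i[2]], s[i[3]])
    return s

def P(s, rounds=4):  # NORX32-4 core permutation: 4 rounds of G_col then G_diag
    for _ in range(rounds):
        s = G_diag(G_col(s))
    return s

def rotate_columns(s, i):  # S <<< i: every row rotated left by i word positions
    return [s[4 * r + (c + i) % 4] for r in range(4) for c in range(4)]
def commutes(s, i, rounds=4):  # stronger property: P(S <<< i) == P(S) <<< i
    return P(rotate_columns(s, i), rounds) == rotate_columns(P(s, rounds), i)
def columns_all_equal(s):  # first property: weak state = all four columns equal
    return all(s[4 * r + c] == s[4 * r] for r in range(4) for c in range(4))
def capacity_symmetric(x, i=2):
    # Forgery condition: the capacity row of X is unchanged by <<< i.
    # For i = 2 this is s12 == s14 and s13 == s15, a 2w = 64-bit condition.
    return x[12:] == rotate_columns(x, i)[12:]
def random_state():
    return [int.from_bytes(os.urandom(4), "little") for _ in range(16)]

if __name__ == "__main__":
    s = random_state()
    print(all(commutes(s, i) for i in (1, 2, 3)))   # True
    x = s[:12] + [s[12], s[13], s[12], s[13]]       # constructed: random rate, symmetric capacity
    print(capacity_symmetric(x), P(rotate_columns(x, 2), 8) == rotate_columns(P(x, 8), 2))  # True True
```

`P(., 8)` plays the role of P² on the slides; the last line is exactly the relation P²(X≪2) = P²(X)≪2 that makes the rotated tag valid once the capacity row is symmetric.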
Forgery Attack on Full NORX v2.0 With Padding
Encryption with padding
Padding: pad(M) = M || 10*1
Ciphertext: only |C| = |M| bits of the state returned
Impact on the forgery attack
ℓ more conditions for ℓ ≤ 64 padding bits
General case: Pr[forgery] = 2^(-64-ℓ) for ℓ padding bits
Best case: 2 padding bits ⟹ Pr[forgery] = 2^-66
CAESAR version: works on byte level ⟹ Pr[forgery] = 2^-72
Complexity of the Forgery Attack
Pr[forgery] ≈ 1/2 for 2^66 or 2^72 forgery attempts
Extension: Key-Recovery Attack on Full NORX v2.0
Known Plaintext: (N, C0, T)
[Figure: encryption of one block as before: init(K, N, w, l, t) → P, P → 01 → P → M0 / C0 → 08 → X = Xr || Xc → P² → T (t bits); rate r, capacity c]
Forgery Attempt: (N, AD, C0≪2, T≪2)
[Figure: the same pipeline with C0≪2 absorbed, state X≪2, and tag T≪2]
Details about the Key-Recovery Attack
Known plaintext scenario
Assume that the forgery attack succeeds
The capacity part Xc of X is symmetric
The rate part Xr of X is known: Xr = C0
Hence: there are only 2^64 possible values for Xc (and for X)
Guess Xc, compute backwards and retrieve the key (discard wrong guesses by filtering on nonce and constants)
Complexity: 2^64 operations
Other NORX Versions
NORX v1.0: Not affected due to its more conservative capacity of 6w bits
[Figure: state in NORX v1.0, split into rate and capacity]
NORX v3.0: While the two properties leveraged in v2.0 remain, v3.0 appears to be immune due to the additional key additions to the capacity
Change v2.0 → v3.0: similar to FIDES
[Figure: NORX v3.0 mode: state (0, 0) → init(K, N, w, l, t) → P, P → K added to the capacity, constant 01 → P → header blocks A0 … Aa−1 (constant 01) → constant 02 → P → message blocks M0 … Mm−1 / C0 … Cm−1 (constant 02) → constant 04 → P → trailer blocks Z0 … Zz−1 (constant 04) → constant 08 → P, with K added to the capacity around the final P → tag T (t bits); rate r, capacity c]
NORX8 and NORX16: Appear to be immune though their features are quite similar to those of NORX v2.0
Conclusions
FIDES: What went wrong?
Hard to rely on leak-extraction
Choice of non-MDS matrix
Absence of keyed finalization
State recovery ⟹ Key recovery
NORX v2.0: What went wrong?
Choice of a permutation P with strong distinguishers (still present in NORX v3.0)
Sponge capacity set to the limit given by the proof of the mode, despite the ideal assumption on P
Absence of keyed finalization (added in NORX v3.0)
CAESAR
Ongoing competition in need of external cryptanalysis!
Conclusions
Thank you for your attention!
Questions?
FIDES: Tables from the Attack | References
Outline
5 FIDES: Tables from the Attack
Step 1
[Figure: FIDES round diagram, states X0 → X8, each round SB → SR → MC, with guessed and directly deduced state bytes highlighted]
N1 (# = 12)
X3[0,0], X3[0,1], X3[0,2], X3[3,1],
X4[1,0], X4[1,1], X4[1,2],
X5[0,0], X5[0,1], X5[0,2],
X6[0,0], X6[3,1]
Legend: Guessed / Directly deduced
Step 1
[Figure: FIDES round diagram, states X0 → X8, each round SB → SR → MC]
Propagate(N1) ⟹ N′1
N′1:
X1[0,1], X1[2,4], X2[0,1], X2[0,2], X2[0,3],
X2[1,2], X2[1,3], X2[1,4], X2[2,3], X2[2,4],
X2[2,5], X2[3,1], X3[0,3], X3[1,1], X3[1,2],
X3[1,3], X3[1,4], X3[2,1], X3[2,2], X3[2,3],
X3[2,4], X3[2,5], X3[3,3], X3[3,7], X4[0,0],
X4[0,1], X4[0,2], X4[0,3], X4[0,4], X4[0,7],
X4[1,3], X4[1,4], X4[1,5], X4[1,7], X4[2,0],
X4[2,1], X4[2,2], X4[2,3], X4[2,4], X4[2,5],
X4[3,1], X4[3,3], X4[3,7], X5[0,3], X5[1,0],
X5[1,1], X5[1,2], X5[1,3], X5[2,0], X5[2,1],
X5[2,2], X5[2,3], X5[2,4], X5[3,1], X5[3,3],
X5[3,7], X6[0,1], X6[0,2], X6[1,0], X6[1,1],
X6[1,2], X6[2,0], X6[2,1], X6[2,2], X7[0,2],
X7[2,1]
Step 2: Construction of T1 and T2
[Figure: two FIDES round diagrams (states X0 → X8, each round SB → SR → MC), the first annotated for table T1 and the second for table T2]
Step 3
[Figure: FIDES round diagram, states X0 → X8, each round SB → SR → MC]
N2 (# = 3)
X1[0,3], X1[1,3], X3[2,7]
Step 3
[Figure: FIDES round diagram, states X0 → X8, each round SB → SR → MC]
Propagate(N2) ⟹ N′2
N′2:
X1[2,3], X2[2,1], X1[1,2], X2[1,1], X2[2,2],
X3[1,0], X3[2,0], X4[2,7], X3[3,6], X2[0,0],
X2[3,7], X3[0,7], X2[3,6], X2[0,7], X3[1,7],
X2[1,0], X1[2,2], X1[0,2], X1[3,1], X1[1,4],
X1[2,5], X2[3,3], X3[0,4], X3[1,5], X3[2,6],
X4[3,4], X3[1,6], X2[0,6], X0[0,1], X0[0,2],
X0[1,3], X0[2,4], X0[3,1]
References I
Mohamed Ahmed Abdelraheem, Andrey Bogdanov, and Elmar Tischhauser.
Weak-Key Analysis of POET. Cryptology ePrint Archive, Report 2014/226, 2014. http://eprint.iacr.org/2014/226.
Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves.
NORX: Parallel and Scalable AEAD. In Miroslaw Kutylowski and Jaideep Vaidya, editors, Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7-11, 2014. Proceedings, Part II, volume 8713 of Lecture Notes in Computer Science, pages 19--36. Springer, 2014.
Jean-Philippe Aumasson, Philipp Jovanovic, and Samuel Neves.
Analysis of NORX: Investigating Differential and Rotational Properties. In Diego F. Aranha and Alfred Menezes, editors, LATINCRYPT 2014, volume 8895 of LNCS, pages 306--324, Florianópolis, Brazil, September 17--19, 2015. Springer, Heidelberg, Germany.
Christina Boura, Avik Chakraborti, Gaëtan Leurent, Goutam Paul, Dhiman Saha, Hadi Soleimany, and Valentin Suder.
Key Recovery Attack Against 2.5-Round π-Cipher. In Thomas Peyrin, editor, Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers, volume 9783 of Lecture Notes in Computer Science, pages 535--553. Springer, 2016.
Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque.
Automatic Search of Attacks on Round-Reduced AES and Applications. In Phillip Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 169--187, Santa Barbara, CA, USA, August 14--18, 2011. Springer, Heidelberg, Germany.
References II
Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche.
Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications. In Ali Miri and Serge Vaudenay, editors, SAC 2011, volume 7118 of LNCS, pages 320--337, Toronto, Ontario, Canada, August 11--12, 2012. Springer, Heidelberg, Germany.
Daniel J. Bernstein.
ChaCha, a variant of Salsa20, 2008.
Nasour Bagheri, Tao Huang, Keting Jia, Florian Mendel, and Yu Sasaki.
Cryptanalysis of Reduced NORX. In Thomas Peyrin, editor, FSE 2016, volume 9783 of LNCS, pages 554--574, Bochum, Germany, March 20--23, 2016. Springer, Heidelberg, Germany.
Alex Biryukov.
The Design of a Stream Cipher LEX. In Eli Biham and Amr M. Youssef, editors, SAC 2006, volume 4356 of LNCS, pages 67--75, Montreal, Canada, August 17--18, 2007. Springer, Heidelberg, Germany.
Andrey Bogdanov, Florian Mendel, Francesco Regazzoni, Vincent Rijmen, and Elmar Tischhauser.
ALE: AES-Based Lightweight Authenticated Encryption. In FSE, Lecture Notes in Computer Science, 2013. To appear.
Alex Biryukov, Aleksei Udovenko, and Vesselin Velichkov.
Analysis of the NORX Core Permutation. Cryptology ePrint Archive, Report 2017/034, 2017. http://eprint.iacr.org/2017/034.
References III
Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jérémy Jean, and Jean-René Reinhard.
Cryptanalysis of NORX v2.0. IACR Trans. Symmetric Cryptol., 2017(1):156--174, 2017.
Colin Chaigneau, Thomas Fuhr, Henri Gilbert, Jérémy Jean, and Jean-René Reinhard.
Cryptanalysis of NORX v2.0. IACR Trans. Symm. Cryptol., 2017(1):156--174, 2017.
Colin Chaigneau and Henri Gilbert.
Is AEZ v4.1 Sufficiently Resilient Against Key-Recovery Attacks? IACR Trans. Symmetric Cryptol., 2016(1):114--133, 2016.
Itai Dinur and Jérémy Jean.
Cryptanalysis of FIDES. In Carlos Cid and Christian Rechberger, editors, FSE 2014, volume 8540 of LNCS, pages 224--240, London, UK, March 3--5, 2015. Springer, Heidelberg, Germany.
Orr Dunkelman and Nathan Keller.
Cryptanalysis of the Stream Cipher LEX. Des. Codes Cryptography, 67(3):357--373, 2013.
Orr Dunkelman and Liam Keliher, editors.
Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, volume 9566 of Lecture Notes in Computer Science. Springer, 2016.
Xiaoyang Dong, Zheng Li, Xiaoyun Wang, and Ling Qin.
Cube-like Attack on Round-Reduced Initialization of Ketje Sr. IACR Trans. Symmetric Cryptol., 2017(1):259--280, 2017.
References IV
Sourav Das, Subhamoy Maitra, and Willi Meier.
Higher Order Differential Analysis of NORX. Cryptology ePrint Archive, Report 2015/186, 2015.
Joan Daemen and Vincent Rijmen.
A New MAC Construction ALRED and a Specific Instance ALPHA-MAC. In Henri Gilbert and Helena Handschuh, editors, FSE 2005, volume 3557 of LNCS, pages 1--17, Paris, France, February 21--23, 2005. Springer, Heidelberg, Germany.
Thomas Fuhr, Gaëtan Leurent, and Valentin Suder.
Collision Attacks Against CAESAR Candidates - Forgery and Key-Recovery Against AEZ and Marble. In Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of LNCS, pages 510--532, Auckland, New Zealand, November 30 -- December 3, 2015. Springer, Heidelberg, Germany.
Jian Guo, Jérémy Jean, Thomas Peyrin, and Wang Lei.
Breaking POET Authentication with a Single Query. Cryptology ePrint Archive, Report 2014/197, 2014. http://eprint.iacr.org/2014/197.
Tao Huang, Ivan Tjuawinata, and Hongjun Wu.
Differential-Linear Cryptanalysis of ICEPOLE. In Gregor Leander, editor, FSE 2015, volume 9054 of LNCS, pages 243--263, Istanbul, Turkey, March 8--11, 2015. Springer, Heidelberg, Germany.
Goce Jakimoski and Samant Khajuria.
ASC-1: An Authenticated Encryption Stream Cipher. In Ali Miri and Serge Vaudenay, editors, SAC 2011, volume 7118 of LNCS, pages 356--372, Toronto, Ontario, Canada, August 11--12, 2012. Springer, Heidelberg, Germany.
References V
Philipp Jovanovic, Atul Luykx, and Bart Mennink.
Beyond 2^(c/2) Security in Sponge-Based Authenticated Encryption Modes. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 85--104, Kaoshiung, Taiwan, R.O.C., December 7--11, 2014. Springer, Heidelberg, Germany.
Jérémy Jean, Ivica Nikolic, Yu Sasaki, and Lei Wang.
Practical Cryptanalysis of PAES. In Antoine Joux and Amr M. Youssef, editors, SAC 2014, volume 8781 of LNCS, pages 228--242, Montreal, QC, Canada, August 14--15, 2014. Springer, Heidelberg, Germany.
Dmitry Khovratovich and Christian Rechberger.
The LOCAL Attack: Cryptanalysis of the Authenticated Encryption Scheme ALE. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 174--184, Burnaby, BC, Canada, August 14--16, 2014. Springer, Heidelberg, Germany.
Zheng Li, Xiaoyang Dong, and Xiaoyun Wang.
Conditional Cube Attack on Round-Reduced ASCON. IACR Trans. Symmetric Cryptol., 2017(1):175--202, 2017.
Mridul Nandi.
XLS is Not a Strong Pseudorandom Permutation. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 478--490, Kaoshiung, Taiwan, R.O.C., December 7--11, 2014. Springer, Heidelberg, Germany.
Thomas Peyrin, Siang Meng Sim, Lei Wang, and Guoyan Zhang.
Cryptanalysis of JAMBU. In Gregor Leander, editor, FSE 2015, volume 9054 of LNCS, pages 264--281, Istanbul, Turkey, March 8--11, 2015. Springer, Heidelberg, Germany.
References VI
Yu Sasaki and Lei Wang.
A Forgery Attack against PANDA-s. Cryptology ePrint Archive, Report 2014/217, 2014. http://eprint.iacr.org/2014/217.
Zheng Yuan, Wei Wang, Keting Jia, Guangwu Xu, and Xiaoyun Wang.
New Birthday Attacks on Some MACs Based on Block Ciphers. In Shai Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, pages 209--230, Santa Barbara, CA, USA, August 16--20, 2009. Springer, Heidelberg, Germany.