AUTHENTICATED ENCRYPTION
Florian Mendel
Central European Conference on Cryptology June 24 - 26, 2020
GOALS
• Confidentiality
• as provided by block cipher modes
• Authenticity, integrity
• as provided by message authentication codes
INTERFACE
• Encryption & Authentication
• (K, M) ⇒ (C, T)
• Decryption & Verification
• (K, C, T) ⇒ {M, ⊥}
(Diagram: Alice sends C, T to Bob over Channel A: high capacity but insecure)
INTERFACE
• Encryption & Authentication
• (K, N, A, M) ⇒ (C, T)
• Decryption & Verification
• (K, N, A, C, T) ⇒ {M, ⊥}
(Diagram: Alice sends N, A, C, T to Bob over Channel A: high capacity but insecure)
GENERIC COMPOSITIONS
• Encrypt-and-MAC (E&M)
• C = E∗(M), T = MAC(M)
• Encrypt-then-MAC (EtM)
• C = E∗(M), T = MAC(C)
• MAC-then-Encrypt (MtE)
• C||T = E∗(M || MAC(M))
GENERIC COMPOSITIONS
• Encrypt-and-MAC (E&M)
• e.g., in SSH
• security depends on E∗ and MAC details
• Encrypt-then-MAC (EtM)
• e.g., in IPsec; standard ISO/IEC 19772:2009
• provably secure
• MAC-then-Encrypt (MtE)
• e.g., in SSL/TLS
• security depends on E∗ and MAC details
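The interface from the previous slides, (K, N, A, M) ⇒ (C, T) and (K, N, A, C, T) ⇒ {M, ⊥}, realised as an Encrypt-then-MAC composition. This is an added example and not code from the slides. The Python standard library ships no block cipher, so HMAC-SHA256 run in counter mode stands in for E∗ (an assumption of the example, not a recommendation); what the code demonstrates is the composition itself: separate keys for E∗ and MAC derived from the one AE key, a length-prefixed MAC input covering N, A and C, verification before any decryption, and a constant-time tag comparison. An Encrypt-and-MAC variant is included for contrast: its tag is a deterministic function of M, so two encryptions of the same message under fresh nonces carry the same tag, which is the kind of E∗/MAC detail the slide refers to.

```python
import hashlib
import hmac

BLOCK = 32  # HMAC-SHA256 output size, used as one block of keystream


def _derive_keys(key):
    """Separate keys for E* and for the MAC, both derived from the single AE key K."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc, nonce, length):
    """CTR-style keystream: block i = PRF(k_enc, N || i). HMAC-SHA256 is the stand-in
    PRF because the standard library has no AES (assumption of this example)."""
    out = b""
    for ctr in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _mac_input(nonce, ad, ct):
    """Length-prefix N, A and C so that bytes cannot be shifted between the fields."""
    return b"".join(len(f).to_bytes(8, "big") + f for f in (nonce, ad, ct))


def etm_encrypt(key, nonce, ad, msg):
    """Encrypt-then-MAC: (K, N, A, M) -> (C, T) with C = E*(M), T = MAC(N, A, C)."""
    k_enc, k_mac = _derive_keys(key)
    ct = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    tag = hmac.new(k_mac, _mac_input(nonce, ad, ct), hashlib.sha256).digest()
    return ct, tag


def etm_decrypt(key, nonce, ad, ct, tag):
    """(K, N, A, C, T) -> M, or None for ⊥. The tag is checked in constant time
    before any decryption takes place; nothing is released on failure."""
    k_enc, k_mac = _derive_keys(key)
    expected = hmac.new(k_mac, _mac_input(nonce, ad, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(k_enc, nonce, len(ct)))


def eam_encrypt(key, nonce, msg):
    """Encrypt-and-MAC for contrast: T = MAC(M) depends only on the plaintext, so
    equal messages give equal tags even under different nonces."""
    k_enc, k_mac = _derive_keys(key)
    ct = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    tag = hmac.new(k_mac, msg, hashlib.sha256).digest()
    return ct, tag


if __name__ == "__main__":
    key, n1, n2 = bytes(32), b"\x01" * 12, b"\x02" * 12      # constructed sample values
    c, t = etm_encrypt(key, n1, b"hdr", b"attack at dawn")
    print(etm_decrypt(key, n1, b"hdr", c, t))                # b'attack at dawn'
    print(etm_decrypt(key, n1, b"HDR", c, t))                # None: AD was changed
    c1, t1 = eam_encrypt(key, n1, b"yes")
    c2, t2 = eam_encrypt(key, n2, b"yes")
    print(c1 != c2, t1 == t2)                                # True True
```

The E&M pair at the end shows the leak directly: the ciphertexts differ because the nonces differ, but the tags are identical, so an observer learns that the two messages were equal.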
STANDARDISED SCHEMES
• ISO/IEC specifies six AE modes for block ciphers
• EtM, CCM, EAX, GCM, OCB, SIV
CCM – CTR AND CBC-MAC
• MtE with CTR encryption mode and CBC-MAC
(Diagram: CBC-MAC with E_K over the message blocks produces the tag; CTR mode with E_K encrypts the message blocks and the tag. Image: Maria Eichlseder)
CCM PROPERTIES
✓ Secure for ideal cipher E_K
✓ Needs no D_K (block cipher decryption)
✗ Two block cipher calls per block
✗ Two-pass, not online (needs the message length in advance)
✗ CBC-MAC not parallelizable
GCM – GALOIS/COUNTER MODE
• EtM with CTR and Carter-Wegman MAC
(Diagram: CTR mode with E_K encrypts the message blocks; GHASH, a polynomial hash in GF(2^128) keyed with H, is computed over the associated data, the ciphertext blocks and the lengths; the tag is the GHASH output XORed with an E_K output. Image: Maria Eichlseder)
GCM PROPERTIES
✓ E_K parallelizable
✓ Needs no D_K (block cipher decryption)
✓ One block cipher call per block
✗ Harder to implement (nasty GF(2^128) multiplications)
✗ Some weak keys due to MAC properties
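The "nasty multiplications" and the weak-key remark in one place, as an added example that is not from the slides: the GF(2^128) multiplication in GCM's bit ordering, GHASH over associated data, ciphertext and the 64||64-bit length block, and the Carter-Wegman tag T = GHASH_H(A, C) ⊕ E_K(J_0). The block cipher is not implemented; the hash key H = E_K(0^128) and the mask E_K(J_0) are the values from test case 2 of the GCM specification (AES-128, all-zero key, 96-bit zero IV, one all-zero plaintext block), so the results can be checked against any AES-GCM library. The last function shows the degenerate hash key H = 0: GHASH is then identically zero and the tag no longer depends on A or C at all.

```python
# GF(2^128) arithmetic and GHASH as used by GCM (added example, not the slides' code).
R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1 in GCM bit order


def gf128_mul(x, y):
    """Multiply two field elements. GCM numbers bits so that bit 0 is the most
    significant bit of byte 0; the integer LSB therefore carries the x^127 term."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data):
    """Yield 128-bit big-endian integers; the last block is zero-padded on the right."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h, ad, ct):
    """GHASH_H(A, C): Horner evaluation over A blocks, C blocks and len(A)||len(C)."""
    hk = int.from_bytes(h, "big")
    length_block = ((len(ad) * 8) << 64) | (len(ct) * 8)   # bit lengths, 64 bits each
    y = 0
    for blk in [*_blocks(ad), *_blocks(ct), length_block]:
        y = gf128_mul(y ^ blk, hk)
    return y.to_bytes(16, "big")


def gcm_tag(h, ek_j0, ad, ct):
    """Carter-Wegman tag: the universal hash output masked with E_K(J0)."""
    return bytes(a ^ b for a, b in zip(ghash(h, ad, ct), ek_j0))


# Values from GCM specification test case 2 (AES-128, K = 0^128, IV = 0^96, P = 0^128).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # H = E_K(0^128)
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # the single ciphertext block


def weak_key_demo():
    """With H = 0 every input hashes to 0^128, so the tag ignores A and C entirely."""
    return ghash(bytes(16), b"any associated data", b"any ciphertext") == bytes(16)


if __name__ == "__main__":
    print(ghash(H, b"", C).hex())            # f38cbb1ad69223dcc3457ae5b6b0f885
    print(gcm_tag(H, EK_J0, b"", C).hex())   # ab6e47d42cec13bdf53a67b21257bddf
    print(weak_key_demo())                   # True
```

The bit-at-a-time loop is the textbook algorithm and runs in time independent of the data, but it is slow; production code uses tables or carry-less multiply instructions, which is where the implementation difficulty the slide mentions comes from.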
COMPETITIONS
• CAESAR (2014 - 2019)
• NIST LWC (ongoing)
CAESAR
Goal: Select portfolio of authenticated ciphers
Timeline: 2014 - 2019, 4 rounds
Categories:
• Lightweight applications
• High-performance applications
• Defense in depth
CAESAR PORTFOLIO
• Lightweight applications
• Ascon and ACORN
• High-performance applications
• AEGIS and OCB
• Defense in depth
• Deoxys-II and COLM
NIST LWC
Goal: Select authenticated ciphers for standardisation
Timeline: 2018 - now
Category:
• Lightweight applications ?
ROUND 2 CANDIDATES
ACE Ascon COMET DryGASCON
Elephant ESTATE ForkAE GIFT-COFB
Gimli Grain-128AEAD HYENA ISAP
KNOT LOTUS & LOCUS mixFeed ORANGE
Oribatida PHOTON-Beetle Pyjamask Romulus
SAEAES Saturnin SKINNY SPARKLE
SPIX SpoC Spook Subterranean 2.0
SUNDAE-GIFT TinyJambu WAGE Xoodyak
ASCON
AUTHENTICATED ENCRYPTION AND HASHING
ASCON TEAM
• Christoph Dobraunig
• Maria Eichlseder
• Florian Mendel
• Martin Schläffer
ASCON FAMILY
• Authenticated encryption (CAESAR)
• Ascon-128
• Ascon-128a
• Hashing (NEW)
• Ascon-Hash
• Ascon-Xof (eXtendable output function)
MAIN DESIGN GOALS
• Security
• Efficiency
• Simplicity
• Scalability
• Online
• Single pass
• Lightweight
• Side-Channel Robustness
AUTHENTICATED ENCRYPTION
• Nonce-based AE scheme
• Sponge construction

                 ASCON-128   ASCON-128a
Security         128 bits    128 bits
State size       320 bits    320 bits
Capacity         256 bits    192 bits
Rate (r)         64 bits     128 bits
WORKING PRINCIPLE
The encryption process is split into four phases:
• Initialisation
• Associated Data Processing
• Plaintext Processing
• Finalisation
INITIALISATION
• Initialisation: updates the 320-bit state with the key K and nonce N
(Diagram: the state IV || K || N, split into rate r and capacity c, passes through p^a; then 0* || K is XORed into the capacity)
ASSOCIATED DATA
• Associated Data Processing: updating the 320-bit state with associated data blocks A_i
(Diagram: each block A_1 ... A_s is XORed into the rate part and followed by p^b; after the last block the constant 0* || 1 is XORed into the capacity)
ENCRYPTION
• Plaintext Processing: inject plaintext blocks P_i into the state and extract ciphertext blocks C_i
(Diagram: P_1 ... P_t are XORed into the rate part, the rate part is output as C_1 ... C_t, and p^b is applied between consecutive blocks)
FINALISATION
• Finalisation: inject the key K and extract a tag T for authentication
(Diagram: K || 0* is XORed into the state directly after the rate part, p^a is applied, and the tag T is K XORed with the last 128 bits of the state)
PERMUTATION
• SP-Network:
• S-Layer: 5-bit S-boxes applied to the columns of the five 64-bit words x0 ... x4
• P-Layer: linear diffusion layer applied to each 64-bit word x_i
PERMUTATION: S-LAYER
• Algebraic degree 2
• Eases threshold implementation (TI) with 3 shares
• Branch number 3
• Good diffusion
• Bit-sliced implementation
(Diagram: the 5-bit S-box maps each column (x0, x1, x2, x3, x4) of the five 64-bit words to a new column)
PERMUTATION: P-LAYER
• Branch number 4
Σ0(x0) = x0 ⊕ (x0 ⋙ 19) ⊕ (x0 ⋙ 28)
Σ1(x1) = x1 ⊕ (x1 ⋙ 61) ⊕ (x1 ⋙ 39)
Σ2(x2) = x2 ⊕ (x2 ⋙ 1) ⊕ (x2 ⋙ 6)
Σ3(x3) = x3 ⊕ (x3 ⋙ 10) ⊕ (x3 ⋙ 17)
Σ4(x4) = x4 ⊕ (x4 ⋙ 7) ⊕ (x4 ⋙ 41)
(⋙ denotes rotation of the 64-bit word to the right)
SECURITY ANALYSIS
• Differential and Linear Cryptanalysis (minimum number of active S-boxes)

Rounds   Differential   Linear
1        1              1
2        4              4
3        15             13
4        44             43
…        >64            >64

Asiacrypt 2015
SECURITY ANALYSIS
• Analysis of round-reduced versions

Method                Rounds   Complexity
Cube-like             6/12     2^66
                      7/12     2^104
Differential-Linear   4/12     2^18
                      5/12     2^36

CT-RSA 2015, FSE 2017
OTHER ANALYSIS
Achiya Bar-On, Orr Dunkelman, Nathan Keller, Ariel Weizman. DLCT: A New Tool for Differential-Linear Cryptanalysis. EUROCRYPT 2019
Gregor Leander, Cihangir Tezcan, Friedrich Wiemer. Searching for Subspace Trails and Truncated Differentials. FSE 2018
Zheng Li, Xiaoyang Dong, Xiaoyun Wang. Conditional Cube Attack on Round-Reduced ASCON. IACR Transactions on Symmetric Cryptology 2017
Yanbin Li, Guoyan Zhang, Wei Wang, Meiqin Wang. Cryptanalysis of round-reduced ASCON. Science China Information Sciences 2017
OTHER ANALYSIS
Ashutosh Dhar Dwivedi, Miloš Klouček, Pawel Morawiecki, Ivica Nikolič, Josef Pieprzyk, Sebastian Wójtowicz. SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition. 2017
Faruk Göloglu, Vincent Rijmen, Qingju Wang. On the division property of S-boxes. 2016
Cihangir Tezcan. Truncated, Impossible, and Improbable Differential Analysis of Ascon. ICISSP 2016
Yosuke Todo. Structural Evaluation by Generalized Integral Property. EUROCRYPT 2015
OTHER ANALYSIS
Christoph Dobraunig, Maria Eichlseder, Florian Mendel. Heuristic Tool for Linear Cryptanalysis with Applications to CAESAR Candidates. ASIACRYPT 2015
Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Cryptanalysis of Ascon. CT-RSA 2015
HASHING
• Hash Function and Xof
• Sponge construction

                 ASCON-Hash   ASCON-Xof
Hash size        256 bits     variable
State size (b)   320 bits     320 bits
Capacity (c)     256 bits     256 bits
Rate (r)         64 bits      64 bits
HASHING
• Absorbing: updates the 320-bit state with the data blocks M_i
(Diagram: the state is initialised from a constant IV and zeros with p^a; each block M_1 ... M_s is XORed into the rate part and followed by p^a)
HASHING
• Squeezing: extracts the final hash value
(Diagram: the rate part is output as H_1 ... H_t, with p^a applied between consecutive output blocks)
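The four phases of Ascon-128 (initialisation, associated data, plaintext, finalisation), the permutation with the S-layer and P-layer given above, and the absorb/squeeze hashing of Ascon-Hash and Ascon-Xof, in one pure-Python implementation. It is added here as an example and is not the designers' reference code. The parameters are those of Ascon v1.2, the version submitted to NIST LWC: IV 0x80400c0600000000, p^12 for initialisation and finalisation, p^6 between data blocks, 64-bit rate, and for hashing p^12 throughout with the IVs 0x00400c0000000100 (Ascon-Hash) and 0x00400c0000000000 (Ascon-Xof). Decryption returns None for ⊥ and releases no plaintext when the tag does not verify.

```python
import hmac

MASK64 = 0xFFFFFFFFFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def permutation(S, rounds):
    """Apply the last `rounds` rounds of the 12-round Ascon permutation in place."""
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                 # round constant into x2
        # S-layer: the 5-bit S-box, bit-sliced over the five words
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]
        T = [(~S[i] & MASK64) & S[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            S[i] ^= T[(i + 1) % 5]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK64
        # P-layer: Sigma_i(x_i) = x_i ^ (x_i >>> a_i) ^ (x_i >>> b_i)
        S[0] ^= rotr(S[0], 19) ^ rotr(S[0], 28)
        S[1] ^= rotr(S[1], 61) ^ rotr(S[1], 39)
        S[2] ^= rotr(S[2], 1) ^ rotr(S[2], 6)
        S[3] ^= rotr(S[3], 10) ^ rotr(S[3], 17)
        S[4] ^= rotr(S[4], 7) ^ rotr(S[4], 41)


def _w(b):          # 8 bytes -> 64-bit word
    return int.from_bytes(b, "big")


def _pad(data):     # 10* padding up to a multiple of the 8-byte rate
    return data + b"\x80" + b"\x00" * (7 - len(data) % 8)


def _init(key, nonce):
    # Initialisation: IV || K || N, p^12, then XOR 0* || K into the capacity
    S = [0x80400C0600000000, _w(key[:8]), _w(key[8:]), _w(nonce[:8]), _w(nonce[8:])]
    permutation(S, 12)
    S[3] ^= _w(key[:8]); S[4] ^= _w(key[8:])
    return S


def _absorb_ad(S, ad):
    if ad:                                          # empty AD absorbs nothing
        p = _pad(ad)
        for i in range(0, len(p), 8):
            S[0] ^= _w(p[i:i + 8]); permutation(S, 6)
    S[4] ^= 1                                       # domain separation 0* || 1


def _finalize(S, key):
    S[1] ^= _w(key[:8]); S[2] ^= _w(key[8:])        # K || 0* right after the rate
    permutation(S, 12)
    return ((S[3] ^ _w(key[:8])).to_bytes(8, "big")
            + (S[4] ^ _w(key[8:])).to_bytes(8, "big"))


def encrypt(key, nonce, ad, pt):
    """Ascon-128: (K, N, A, M) -> (C, T)."""
    S = _init(key, nonce); _absorb_ad(S, ad)
    p, ct = _pad(pt), b""
    for i in range(0, len(p), 8):
        S[0] ^= _w(p[i:i + 8]); ct += S[0].to_bytes(8, "big")
        if i + 8 < len(p): permutation(S, 6)        # no p^b after the last block
    return ct[:len(pt)], _finalize(S, key)


def decrypt(key, nonce, ad, ct, tag):
    """Ascon-128: (K, N, A, C, T) -> M, or None for ⊥."""
    S = _init(key, nonce); _absorb_ad(S, ad)
    last = len(ct) % 8
    c, pt = ct + b"\x00" * (8 - last), b""
    for i in range(0, len(c) - 8, 8):               # full ciphertext blocks
        Ci = _w(c[i:i + 8]); pt += (S[0] ^ Ci).to_bytes(8, "big"); S[0] = Ci
        permutation(S, 6)
    Ci = _w(c[-8:])                                 # last, possibly partial, block
    pt += (S[0] ^ Ci).to_bytes(8, "big")[:last]
    S[0] = Ci ^ (S[0] & (MASK64 >> (8 * last))) ^ (0x80 << (8 * (7 - last)))
    if not hmac.compare_digest(tag, _finalize(S, key)):
        return None                                 # reject; release nothing
    return pt


def ascon_hash(msg, out_len=32, xof=False):
    """Ascon-Hash (256-bit output) or Ascon-Xof (any out_len); rate 64, p^12."""
    S = [0x00400C0000000000 if xof else 0x00400C0000000100, 0, 0, 0, 0]
    permutation(S, 12)
    p = _pad(msg)
    for i in range(0, len(p), 8):                   # absorbing
        S[0] ^= _w(p[i:i + 8]); permutation(S, 12)
    h = b""
    while len(h) < out_len:                         # squeezing
        h += S[0].to_bytes(8, "big"); permutation(S, 12)
    return h[:out_len]


if __name__ == "__main__":
    k = n = bytes(range(16))                        # NIST LWC KAT, count 1
    print(encrypt(k, n, b"", b"")[1].hex())         # e355159f292911f794cb1432a0103a8a
```

The same permutation serves encryption and hashing; only the IV, the number of rounds between blocks and the key injections differ, which is the point of the "simplicity" and "scalability" design goals listed earlier.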
SECURITY ANALYSIS
Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer. Preliminary Analysis of Ascon-Xof and Ascon-Hash. 2019
Rui Zong, Xiaoyang Dong, Xiaoyun Wang. Collision Attacks on Round-Reduced Gimli-Hash, Ascon-Xof and Ascon-Hash. 2019

                      Rounds   Complexity
Ascon-Hash            2/12     2^105
Ascon-Xof (64 bits)   2/12     2^15
                      6/12     2^63.3
IMPLEMENTATION
• Software
• Intel Xeon
• ARM Cortex-A53
• Hardware
• High-speed
• Low-area
SOFTWARE
• Intel Xeon

Message length (bytes)      64     512    1024   4096
ASCON-128 (cycles/byte)     17.3   12.9   10.8   10.5
ASCON-128a (cycles/byte)    14.1   9.7    7.3    6.9
SOFTWARE
• ARM Cortex-A53

Message length (bytes)      64     512    1024   4096
ASCON-128 (cycles/byte)     18.3   14.4   11.3   11.0
ASCON-128a (cycles/byte)    15.1   11.2   7.6    7.3
HARDWARE
• Unprotected Implementations

                       Variant 1   Variant 2   Variant 3
Area (kGE)             7.1         24.9        2.6
Throughput (MByte/s)   5 524       13 218      14
HARDWARE
• Threshold Implementations

                       Variant 1   Variant 2   Variant 3
Area (kGE)             28.6        123.5       7.9
Throughput (MByte/s)   3 774       9 018       14
ASCON FEATURES
• Small hardware area
• Efficiency in software
• Natural side-channel protection
• Limited damage in misuse settings
• Low overhead for short messages
• …
SUMMARY
• Security
• Well analysed/understood
• Large security margin
• Efficiency
• Efficient on constrained devices in HW and SW
• Natural side-channel protection
• Fast on modern CPUs
ISAP
LIGHTWEIGHT AUTHENTICATED ENCRYPTION
ISAP TEAM
• Christoph Dobraunig
• Maria Eichlseder
• Stefan Mangard
• Florian Mendel
• Bart Mennink
• Thomas Unterluggauer
• Robert Primas
MOTIVATION
• Problem: side-channel attacks
• Countermeasures: hiding, masking, TI, …
• Reduce overhead of countermeasures
• ASCON, KETJE/KEYAK,Gimli, Xoodyak, . . .
• Can we do more?
RELATED WORK
C. Dobraunig, M. Eichlseder, S. Mangard, F. Mendel, and T. Unterluggauer: ISAP - Towards Side-Channel Secure Authenticated Encryption FSE 2017
G. Barwell, D. P. Martin, E. Oswald, and M. Stam: Authenticated Encryption in the Face of Protocol and Side Channel Leakage ASIACRYPT 2017
F. Berti, O. Pereira, T. Peters, and F.-X. Standaert: On Leakage-Resilient Authenticated Encryption with Decryption Leakages FSE 2018
ISAP
• Robustness against DPA on algorithmic level for
• Encryption
• Decryption
• Solely based on the sponge construction
• Limits the attack surface against SPA
SPA AND DPA
• Simple Power Analysis (SPA)
• Observe the device processing the same or a few inputs
• Techniques directly interpreting the measurements
• Differential Power Analysis (DPA)
• Observe the device processing many different inputs
• Allows for the use of statistical techniques
IS DPA A THREAT ?
A. Moradi and T. Schneider: Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series COSADE 2016
E. Ronen, A. Shamir, A. Weingarten, and C. O’Flynn: IoT Goes Nuclear : Creating a ZigBee Chain Reaction S&P 2017
FRESH RE-KEYING
(Diagram: Tag and Reader/PC share the long-term key K. The Tag derives the session key K* = g(K, N), encrypts P with E under K* and sends N and C; the Reader/PC recomputes K* = g(K, N) and decrypts C with E^-1 under K*)
FRESH RE-KEYING
(Diagram: two-party setting. Party 1 contributes the nonce N_a and Party 2 the nonce N_b; both derive the session key K* from K and the nonces with g. Party 1 encrypts P with E under K*, Party 2 decrypts C with E^-1 under K*)
WHAT ABOUT STORAGE ?
• Encryption still fine
• Decryption might be critical
(Diagram: the Device derives K* = g(K, N), encrypts P with E under K* and writes N and C to Storage; every later decryption of the stored data uses the same N and therefore the same K*)
HOW TO PROTECT DECRYPTION ?
• Rely on implementation countermeasures
• Costly
• Makes re-keying for encryption kind of obsolete
• Limit to one decryption
• Keep track of the nonce
• Re-encrypt data
• Time consuming
• Damaging
MULTIPLE DECRYPTION
Retain principles of fresh re-keying allowing multiple decryption
DPA robustness in storage settings
A. Moradi and T. Schneider: Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series. COSADE 2016
DPA robustness in unidirectional/broadcast settings
E. Ronen, A. Shamir, A. Weingarten, and C. O’Flynn: IoT Goes Nuclear : Creating a ZigBee Chain Reaction. S&P 2017
PRINCIPLE OF DECRYPTION
• “Bind” the session key to the data that is decrypted
(Diagram: verification: N || C is hashed with H, and the result is fed together with K into g to derive the session key of the MAC that checks T; decryption: N is fed together with K into g to derive the session key of Dec, which turns C into P)
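A schematic model of the decryption principle on this slide, added here as an example; it is not the ISAP specification and not the team's code. HMAC-SHA256 stands in for the sponge permutation (an assumption of the example), the re-keying function g absorbs its input one bit at a time in the spirit of the GGM-related slide that follows, and the hash-then-MAC form drawn on this slide is used rather than ISAP's suffix-keyed sponge; the IV constants are likewise assumed. Two things can be checked on it: with nonce-only re-keying, K* = g(K, N), every decryption of a tampered ciphertext stored under the same N runs under the same session key, which is what makes stored-data decryption DPA-exposed; with the session key bound to H(N || C), every tampered ciphertext yields a different K*_A, verification fails, and the encryption key K*_E is never derived for it.

```python
import hashlib
import hmac

IV_KE, IV_KA = b"IV_KE", b"IV_KA"   # domain-separation constants assumed for this example


def prf(key, data):
    """Stand-in for one permutation call on a keyed state (HMAC-SHA256, not ISAP's p)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def rekey(k_long, iv, y):
    """g(K, Y): the long-term key is combined only with the constant IV; afterwards
    every step absorbs a single bit of Y into a state the attacker does not know, so
    for any fixed state only two inputs (bit 0 / bit 1) can ever occur: SPA, not DPA."""
    state = prf(k_long, iv)
    for byte in y:
        for i in range(8):
            state = prf(state, bytes([(byte >> (7 - i)) & 1]))
    return state


def keystream(k_session, length):
    blocks = (prf(k_session, i.to_bytes(4, "big")) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_only_session_key(k, nonce):
    """Classical fresh re-keying K*_E = g(K, N); does not depend on the ciphertext."""
    return rekey(k, IV_KE, nonce)


def bound_session_key(k, nonce, ct):
    """Session key bound to the data that is verified: K*_A = g(K, H(N || C))."""
    return rekey(k, IV_KA, hashlib.sha256(nonce + ct).digest())


def encrypt(k, nonce, msg):
    ct = _xor(msg, keystream(nonce_only_session_key(k, nonce), len(msg)))
    y = hashlib.sha256(nonce + ct).digest()
    return ct, prf(bound_session_key(k, nonce, ct), y)


def decrypt(k, nonce, ct, tag):
    """Verify under the data-bound key first; K*_E is derived only for valid input."""
    y = hashlib.sha256(nonce + ct).digest()
    if not hmac.compare_digest(tag, prf(bound_session_key(k, nonce, ct), y)):
        return None
    return _xor(ct, keystream(nonce_only_session_key(k, nonce), len(ct)))


if __name__ == "__main__":
    k, n = b"\x42" * 16, b"\x07" * 16                         # constructed sample values
    ct, tag = encrypt(k, n, b"stored firmware blob")
    bad = bytes([ct[0] ^ 1]) + ct[1:]                          # attacker-modified storage
    print(decrypt(k, n, ct, tag))                              # b'stored firmware blob'
    print(decrypt(k, n, bad, tag))                             # None
    print(bound_session_key(k, n, ct) != bound_session_key(k, n, bad))   # True
```

Note what the attacker in the storage setting gets to observe: the re-keying of K with the constant IV, the bit-by-bit absorption of a hash they can influence only as a whole, and a MAC under a key that changes with every modification. None of these gives many traces of the same key-dependent intermediate under varying inputs.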
BENEFITS OF SPONGES
• Well-studied and analyzed
• Allows to implement a wide range of primitives
• No inverse building blocks (permutation) needed
• No key schedule, key is injected once
• Simple way to model side-channel-leakage
AUTHENTICATION / VERIFICATION
(Diagram: hash-then-MAC. N and C_1 ... C_t are absorbed into a sponge with permutation p, starting from IV, to obtain the digest y; y is fed together with K_A into g to derive K*_A, and p produces the tag T)
AUTHENTICATION / VERIFICATION
(Diagram: the same hash-then-MAC construction drawn as one figure: the sponge hash of N and C_1 ... C_t yields y, g(K_A, y) yields K*_A, and p produces T)
AUTHENTICATION / VERIFICATION
• Use suffix MAC instead of hash-then-MAC
(Diagram: N || IV and C_1 ... C_t are absorbed with p; the outer part y of the resulting state is fed together with K_A into g to obtain K*_A, which is written back into the state; one more p produces the tag T)
ABSORBING THE KEY
• Modular multiplication
• LPN and LWE
• Sponges
(Diagram: the outer part y is absorbed together with K_A through p; g derives the session key K*_A)
ABSORBING THE KEY
Idea: Reduce the rate to a minimum
Related to the classical GGM construction
(Diagram: the state is initialised with K_A || IV followed by p; the bits y_1, y_2, ..., y_w of y are absorbed one at a time, each followed by p; the result is the session key K*_A)
ENCRYPTION / DECRYPTION
(Diagram: the state is initialised with K_E || IV; the nonce blocks N_1 ... N_u are absorbed with p one at a time; the sponge is then squeezed to produce the keystream that turns P_1 ... P_v into C_1 ... C_v)
SIDE-CHANNEL LEAKAGE
• Modelling side-channel leakage in sponges
(Diagram: consecutive permutation calls p on a state of rate r and capacity c, each call leaking a bounded amount ℓ_i, ℓ_{i+1} about its state)
LEAKAGE RESILIENCE
C. Dobraunig and B. Mennink: Leakage Resilience of the Duplex Construction. ASIACRYPT 2019
J.-P. Degabriele, C. Janson and P. Struck: Sponges Resist Leakage - The Case of Authenticated Encryption. ASIACRYPT 2019
C. Guo, O. Pereira, T. Peters and F.-X. Standaert: Towards Low-Energy Leakage-Resistant Authenticated Encryption from the Duplex Sponge Construction. FSE 2020
C. Dobraunig and B. Mennink: Security of the Suffix Keyed Sponge. FSE 2020
C. Dobraunig and B. Mennink: Leakage Resilience of the ISAP Mode - A Vulgarized Summary. NIST Lightweight Cryptography Workshop 2019
INSTANCES
• Keccak-p[400]
• ISAP-K-128A
• ISAP-K-128
• Ascon
• ISAP-A-128A
• ISAP-A-128
SUMMARY
• AE scheme following the NIST call
• Provides robustness against DPA on algorithmic level
• Enables several use-cases
• Multiple decryption of stored data
• Unidirectional/Broadcast communication