Permutation-based cryptography for the Internet of Things

Transcription

1 Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 Joint work with Guido Bertoni, Joan Daemen 1,2, Seth Hoffert, Michaël Peeters 1 and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University RIOT Summit 2017 Berlin, September 25-26, / 56

2 Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 2 / 56

3 Parameters for the IoT Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 3 / 56

4 Parameters for the IoT On the cost of cryptography for the IoT code size memory usage execution time efficiency on the high-end server? protections against side-channel attacks? 4 / 56

5 Parameters for the IoT On the cost of cryptography for the IoT code size memory usage execution time efficiency on the high-end server? protections against side-channel attacks? 4 / 56

6 Parameters for the IoT On the cost of cryptography for the IoT code size memory usage execution time efficiency on the high-end server? protections against side-channel attacks? 4 / 56

7 Parameters for the IoT What are side-channel attacks? Leakage from the device Time, electrical consumption, EM radiation simple power analysis (SPA) vs differential power analysis (DPA) Picture by oskay on Flickr 5 / 56

8 Parameters for the IoT What are side-channel attacks? Inducing faults in the device Glitch, laser pulse Picture by ViaMoi on Flickr 6 / 56

9 Parameters for the IoT Usage and ownership Actors: Key owner Device owner Actual user Usually, these are the same person, but 7 / 56

10 Parameters for the IoT Usage and ownership When key owner = device owner Banking card DRM But hopefully the same person in open-source contexts! 8 / 56

11 Parameters for the IoT Usage and ownership When key/device owner = actual user Not always controlling the device E.g., devices spread over a large area E.g., on-site personnel E.g., lost device Distant eavesdropping Protections against SCA can be needed. 9 / 56

12 Permutations! Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 10 / 56

13 Permutations! Symmetric crypto: what textbooks and intro s say Symmetric cryptographic primitives: Block ciphers Stream ciphers Hash functions And their modes-of-use Picture by GlasgowAmateur 11 / 56

14 Permutations! Examples of permutations In Salsa, Chacha, Grindhal In SHA-3 candidates: CubeHash, Grøstl, JH, MD6, In CAESAR candidates: Ascon, Icepole, Norx, π-cipher, Primates, Stribob, And of course in Keccak 12 / 56

15 Permutations! The sponge construction input output r c 0 0 outer inner f f f f f f absorbing squeezing Calls a permutation f The capacity c determines the generic security: Hashing: 2 c/2 Authentication, encryption: 2 c ϵ 13 / 56

16 Permutations! Keccak-f The seven permutation army: 25, 50, 100, 200, 400, 800, 1600 bits toy, lightweight, fastest standardized in [FIPS 202] Repetition of a simple round function that operates on a 3D state (5 5) lanes up to 64-bit each 14 / 56

17 Permutations! Keccak-f in pseudo-code KECCAK-F[b](A) { forall i in 0 nr-1 A = Round[b](A, RC[i]) return A } Round[b](A,RC) { θ step C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4], forall x in 0 4 D[x] = C[x-1] xor rot(c[x+1],1), forall x in 0 4 A[x,y] = A[x,y] xor D[x], forall (x,y) in (0 4,0 4) ρ and π steps B[y,2*x+3*y] = rot(a[x,y], r[x,y]), χ step A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]), forall (x,y) in (0 4,0 4) forall (x,y) in (0 4,0 4) ι step A[0,0] = A[0,0] xor RC return A } 15 / 56

18 Permutations! Bit interleaving = + ROT 64 2 ROT / 56

19 Permutations! The unbearable lightness of permutations Example: hashing with target security strength 2 c/2 Davies-Meyer block cipher based hash chaining value (block size): n c input block size ( key length): typically k n feedforward (block size): n total state 3c Sponge permutation width: c + r r can be made arbitrarily small, e.g., 1 byte total state c / 56

20 Permutations! Cost of primitives and modes together [Yalla, Homsirikamol, Kaps, DIAC 2014] 18 / 56

21 Permutations! Symmetric crypto: a more correct picture Symmetric cryptographic primitives: Block ciphers Key stream generators Permutations And their modes-of-use Picture by Sébastien Wiertz 19 / 56

22 Keyed applications Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 20 / 56

23 Keyed applications Use Sponge for MACing Key Padded message MAC 0 f f f f f 21 / 56

24 Keyed applications Use Sponge for (stream) encryption Key IV 0 f f f Key stream 22 / 56

25 Keyed applications Single pass authenticated encryption Key IV Padded message MAC 0 f f f f f Key stream But this is no longer the sponge 23 / 56

26 Keyed applications The duplex construction Generic security provably equivalent to that of sponge Applications: authenticated encryption, reseedable pseudorandom generator 24 / 56

27 Strobe Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 25 / 56

28 Strobe What is Strobe? Layer above the duplex construction Safe and easy syntax, to achieve, e.g., secure channels signatures over a complete session Very compact implementation Mechanism to prevent side-channel attacks [Mike Hamburg 26 / 56

29 Strobe Operations and data flow in Strobe figure courtesy of Mike Hamburg 27 / 56

30 Example: key derivation Strobe KEY(master shared key K) RATCHET derived key 1 PRF(16 bytes) RATCHET derived key 2 PRF(16 bytes) 28 / 56

31 Strobe Example: protocol KEY(shared key K) AD[nonce](sequence number i) AD[auth-data](client IP address server IP address) send_enc( GET file ) send_mac(128 bits) recv_enc(buffer) recv_mac(128 bits) 29 / 56

32 Ketje and Keyak Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 30 / 56

33 Ketje and Keyak Ketje goals Nonce-based AE function 96-bit or 128-bit security (incl. multi-target) Sessions of header-body pairs keeping the state during the session Small footprint Target niche: secure channel protocol on secure chips banking card, ID, (U)SIM, secure element, FIDO, etc. secure chip has strictly incrementing counter Using reduced-round Keccak-f[400] or Keccak-f[200], to allow implementation re-use cryptanalysis re-use reasonable side-channel protections 31 / 56

34 Ketje and Keyak Ketje instances and lightweight features feature Ketje Jr Ketje Sr state size 25 bytes 50 bytes block size 2 bytes 4 bytes processing computational cost initialization per session 12 rounds 12 rounds wrapping per block 1 round 1 round 8-byte tag comp. per message 9 rounds 7 rounds 32 / 56

35 Ketje and Keyak Keyak goals Nonce-based AE function 128-bit security (incl. multi-target) Session of header-body pairs keeping the state during the session Optionally parallelizable Conservative safety margin Using reduced-round Keccak-f[1600] or Keccak-f[800], to allow implementation re-use cryptanalysis re-use reasonable side-channel protections 33 / 56

36 Keyak in a nutshell Ketje and Keyak 0 SUV 1 T (0) SUV = Secret and Unique Value 34 / 56

37 Keyak in a nutshell Ketje and Keyak 0 SUV 1 P(1) A (1) T (0) C (1) T (1) SUV = Secret and Unique Value 34 / 56

38 Keyak in a nutshell Ketje and Keyak 0 SUV 1 P(1) A (1) P (2) T (0) C (1) T (1) C (2) T (2) SUV = Secret and Unique Value 34 / 56

39 Keyak in a nutshell Ketje and Keyak 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) SUV = Secret and Unique Value 34 / 56

40 Leakage robustness Ketje and Keyak 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) SUV = Secret and Unique Value Provided that uniqueness is enforced then the secret state is a moving target [Taha, Schaumont, HOST 2014] 35 / 56

41 Kravatte and the Farfalle construction Outline 1 Parameters for the IoT 2 Permutations! 3 Keyed applications 4 Strobe 5 Ketje and Keyak 6 Kravatte and the Farfalle construction 36 / 56

42 Kravatte and the Farfalle construction The new Farfalle construction K 10 p b c k i+2 c k f m 0 p c e p e z 0 c k k f m 1 p c p d e p e z 1 i c k k j f m i p c j e p e z j [IACR eprint 2016/1188] 37 / 56

43 Kravatte and the Farfalle construction Kravatte for many purposes Kravatte = Farfalle + Keccak-p[1600] Kravatte-PRF Kravatte-SAE Kravatte-SIV Kravatte-WBC Authentication Session authenticated encryption Synthetic-IV authenticated encryption Wide block cipher, authenticated encryption with minimal expansion 38 / 56

44 Conclusions Conclusions Permutations are well suited for IoT devices, especially for code size memory usage Farfalle brings efficiency also on the high-end server Bear in mind protections against side-channel attacks 39 / 56

45 Conclusions Thanks for your attention! Any questions? Q? 40 / 56

46 Backup slides A very classical example RSA: c d mod n = m Implemented using the square & multiply algorithm: 41 / 56

47 Backup slides How to protect against side-channel attacks? Electrical-level countermeasures E.g., balacing the processing of 0 and 1 System-level countermeasures E.g., limit the use of a key Algorithmic countermeasures Randomization E.g., instead of processing x, process y and z s.t. x = y z 42 / 56

48 Backup slides What block cipher are used for? Hashing: Davies-Meyer, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM 43 / 56

49 Backup slides Block cipher operation 44 / 56

50 Backup slides Block cipher operation: the inverse 45 / 56

51 Backup slides When do you need the inverse? Hashing and its modes HMAC, MGF1, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM 46 / 56

52 Block cipher internals Backup slides 47 / 56

53 Backup slides Hashing using Davies-Meyer 48 / 56

54 Backup slides Removing diffusion restrictions 49 / 56

55 Backup slides Simplifying the view: iterated permutation 50 / 56

56 Backup slides Pseudo-random function (PRF) input 51 / 56

57 Backup slides Message authentication code (MAC) plaintext plaintext 52 / 56

58 Backup slides Stream cipher nonce plaintext = ciphertext 53 / 56

59 Backup slides Authenticated encryption nonce plaintext plaintext = ciphertext 54 / 56

60 Backup slides Incrementality packet #1 packet #1 55 / 56

61 Backup slides Incrementality packet #1 packet #2 packet #1 packet #2 55 / 56

62 Backup slides Incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 55 / 56

63 In-place processing Backup slides Store A[x, y] at round i in (x, y ) with ( ) x = y ( ) i ( ) x. y Interacts with π: the output of χ can overwrite its input Matrix of order 4 no performance loss if 4 rounds unrolled [Bertoni et al., Keccak implementation overview] 56 / 56

64 In-place processing Backup slides Store A[x, y] at round i in (x, y ) with ( ) x = y ( ) i ( ) x. y Interacts with π: the output of χ can overwrite its input Matrix of order 4 no performance loss if 4 rounds unrolled [Bertoni et al., Keccak implementation overview] 56 / 56

65 In-place processing Backup slides Store A[x, y] at round i in (x, y ) with ( ) x = y ( ) i ( ) x. y Interacts with π: the output of χ can overwrite its input Matrix of order 4 no performance loss if 4 rounds unrolled [Bertoni et al., Keccak implementation overview] 56 / 56