The SKINNY Family of Lightweight Tweakable Block Ciphers


Jérémy Jean
joint work with: Christof Beierle, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, Siang Meng Sim

Université de Rennes 1 - Crypto Seminar
June 3, 2016

Plan

  1 Introduction
  2 Specifications
  3 Rationale
  4 Security Analysis
  5 Implementations
  6 MANTIS
  7 Conclusion

Block Cipher

[Figure: primitive E taking a plaintext m ∈ M and a key k ∈ K and producing a ciphertext c ∈ M]

Three variables:

  • A secret key k from the set of all keys K
  • A plaintext from the set M
  • Its corresponding ciphertext: $c = E_k(m)$

Properties:

  • For every key k, $E_k$ is a permutation over M
  • For a fixed unknown key k and a given set $\{(m_i, E_k(m_i))\}$, recovering k should be hard
  • For $k \xleftarrow{\$} K$ drawn uniformly at random from K, $E_k$ should be indistinguishable from a random permutation

Tweakable Block Cipher

[Figure: primitive E taking a plaintext m ∈ M, a key k ∈ K and a tweak t ∈ T and producing a ciphertext c ∈ M]

Four variables:

  • A secret key k from the set of all keys K
  • A tweak input t from the set of all tweaks T
  • A plaintext from the set M
  • Its corresponding ciphertext: $c = E_k^t(m)$

Properties:

  • For every key k and every tweak t, $E_k^t$ is a permutation over M

Tweakable Block Cipher

Having a tweakable block cipher has many applications:

  • Authenticated encryption
  • Disk/memory encryption
  • Hashing: block counter as tweak for HAIFA-like CF

There have been many proposed constructions:

  • Most of them rely on a block cipher and introduce the tweak generically (XEX, XTS, etc.)
  • Very few direct constructions: Hasty Pudding Cipher, Threefish, BLAKE2
  • TWEAKEY framework [JNP14]: as a designer, key and tweak seem like they have to be handled in the same way by the primitive, with a "tweakey schedule"

TWEAKEY Framework [JNP14]

High-Level Overview:

  • Bring key and tweak schedules together
  • Extend key-alternating strategy
  • Fully linear scheduling (h': cell permutation)
  • Provide bounds in terms of number of active Sboxes in related-key/related-tweak
  • Trick: linear code due to small field multiplications (2 and 4) to bound the number of cancellations in the XORs
  • This allows the usage of automated tools to find bounds

Example of the TK3 construction: $|KT| = |K| + |T| = 3 \cdot |P|$

[Figure: TK3 construction, showing the tweakey KT, the cell permutation h', the multiplications by 4 and by 2, the XORs with the constants $C_0, C_1, C_2, \dots, C_{r-1}, C_r$, and the state going from $P = s_0$ through the applications of f to $s_r = C$]

SKINNY: Specifications

Specifications:

  • SKINNY has a state of either 64 bits (s = 4) or 128 bits (s = 8).
  • Internal state IS: viewed as a 4 × 4 matrix of s-bit elements. $\Rightarrow |IS| = n = 16s \in \{64, 128\}$.
  • The tweakey size can be n, 2n or 3n.

$$IS = \begin{bmatrix} m_0 & m_1 & m_2 & m_3 \\ m_4 & m_5 & m_6 & m_7 \\ m_8 & m_9 & m_{10} & m_{11} \\ m_{12} & m_{13} & m_{14} & m_{15} \end{bmatrix}$$

Number of Rounds:

                    Tweakey size
  Block size n      n      2n     3n
  64                32     36     40
  128               40     48     56

Comparison: SKINNY-64-128 has 36 rounds, SIMON-64-128 has 44 rounds.

SKINNY: Specifications

General Overview

SKINNY follows the TWEAKEY framework, however:

  • It generalizes the STK construction (three tweakey words TKi)
  • Only half the tweakey state is extracted and injected in the internal state
  • The field multiplications are replaced by an LFSR
  • The round function f is an AES-like SPN
  • The round constants $C_i$ are produced by an LFSR

[Figure: STK construction, same layout as the TK3 construction figure above]

Round Function

AES-like Round Function:

  • SubCells (SC): Application of an s-bit Sbox to all 16 cells
  • AddConstants (AC): Inject round constants in the state
  • AddRoundTweakey (ART): Extract and inject the subtweakeys to half the state
  • ShiftRows (SR): Right-rotate line i by i positions
  • MixColumns (MC): Multiply the state by a binary matrix

[Figure: one round as the sequence SC, AC, ART, ShiftRows (rows rotated by >>> 1, >>> 2, >>> 3), MC]

4-bit Sbox

[Figure: S4 circuit, from MSB to LSB]

S4: 4-bit Sbox for SKINNY-64-

  • Almost PICCOLO Sbox [SIH+11]
  • Implementation: 4 NOR and 4 XOR
  • Hardware cost: 12 GE

Properties:

  • Maximal diff. probability: $2^{-2}$
  • Maximal abs. linear bias: $2^{-2}$
  • $\deg(S_4) = \deg(S_4^{-1}) = 3$
  • One fixed point: S4(0xF) = 0xF
  • Branch number: 2

8-bit Sbox

[Figure: S8 circuit, from MSB to LSB]

S8: 8-bit Sbox for SKINNY-128-

  • Generalize the S4 construction
  • Implementation: 8 NOR and 8 XOR
  • Hardware cost: 24 GE

Properties:

  • Maximal diff. probability: $2^{-2}$
  • Maximal abs. linear bias: $2^{-2}$
  • $\deg(S_8) = \deg(S_8^{-1}) = 6$
  • One fixed point: S8(0xFF) = 0xFF
  • Branch number: 2

Round Constants

[Figure: 6-bit LFSR over the bits rc5 rc4 rc3 rc2 rc1 rc0]

The round constants are produced with an LFSR:

  • State: $(rc_5 \| rc_4 \| rc_3 \| rc_2 \| rc_1 \| rc_0)$
  • Initial value 0, clocked before injection
  • Hardware cost: 1 XNOR

Constant matrix added to the state for s = 4:

$$\begin{bmatrix} rc_3\|rc_2\|rc_1\|rc_0 & 0 & 0 & 0 \\ 0\|0\|rc_5\|rc_4 & 0 & 0 & 0 \\ \texttt{0x2} & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}$$

Constant matrix added to the state for s = 8:

$$\begin{bmatrix} 0\|0\|0\|0\|rc_3\|rc_2\|rc_1\|rc_0 & 0 & 0 & 0 \\ 0\|0\|0\|0\|0\|0\|rc_5\|rc_4 & 0 & 0 & 0 \\ \texttt{0x2} & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}$$

Add Round Tweakey and TWEAKEY schedule

[Figure: tweakey state going through PT and the LFSRs, with the extracted 8s-bit subtweakey]

TWEAKEY Schedule:

  • Similar to the STK construction
  • Subtweakey: first and second rows of all tweakey words are injected in the internal state
  • Then, the tweakey words TK2 and TK3 are updated independently:
      • The cells are reordered with a permutation PT
      • Each cell is individually updated with an LFSR

Effect of PT on the cell positions:

   0  1  2  3             9 15  8 13
   4  5  6  7     PT     10 14 12 11
   8  9 10 11    ---->    0  1  2  3
  12 13 14 15             4  5  6  7

[Figures: LFSR for TK2 when s = 4 (bits x3 x2 x1 x0) and when s = 8 (bits x7 ... x0); LFSR for TK3 when s = 4 (bits x3 x2 x1 x0) and when s = 8 (bits x7 ... x0)]

ShiftRows

  • Similar to the ShiftRows in the AES
  • However, the lines are rotated to the right

MixColumns

Matrix multiplication performed as in the MixColumns of the AES. However:

  • The matrix M is binary
  • It has branch number 2: M × (0, , 0, 0)^T = (0, 0, , 0)^T

$$M = \begin{pmatrix} 1 & 0 & 1 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 1 & 0 & 1 & 0 \end{pmatrix}$$

Implementation: Using 3 XORs
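The round function, round constants, tweakey permutation PT and MixColumns matrix from the slides above, assembled into SKINNY-64-64 encryption as an added example (not code from the slides or from the SKINNY designers; the function names are this example's own). The S4 table, the LFSR feedback bit rc5 XOR rc4 XOR 1 and the key/plaintext pair are taken from the SKINNY specification because they do not survive in the slide text; with a single tweakey word the schedule is the permutation PT alone.

```python
# Added example: SKINNY-64-64 encryption (one tweakey word TK1, 32 rounds).
# S4 and the LFSR feedback come from the SKINNY specification (assumption: they are
# not recoverable from the slide text); PT and M are the ones shown on the slides.
S4 = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB, 0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]
ROUNDS = 32

def next_rc(rc):
    """Clock the 6-bit LFSR: shift left, new low bit = rc5 XNOR rc4."""
    fb = ((rc >> 5) ^ (rc >> 4) ^ 1) & 1
    return ((rc << 1) & 0x3F) | fb

def round_constants(n):
    out, rc = [], 0              # initial value 0
    for _ in range(n):
        rc = next_rc(rc)         # clocked before injection
        out.append(rc)
    return out

def shift_rows(st):
    """Rotate row i to the right by i cells."""
    rows = [st[4 * r:4 * r + 4] for r in range(4)]
    return [c for r, row in enumerate(rows) for c in row[4 - r:] + row[:4 - r]]

def mix_columns(st):
    """Multiply each column by M, done as 3 row-wise XORs and a row rotation."""
    r0, r1, r2, r3 = (st[4 * r:4 * r + 4] for r in range(4))
    r1 = [a ^ b for a, b in zip(r1, r2)]
    r2 = [a ^ b for a, b in zip(r2, r0)]
    r3 = [a ^ b for a, b in zip(r3, r2)]
    return r3 + r0 + r1 + r2

def encrypt(pt_hex, key_hex):
    st = [int(c, 16) for c in pt_hex]     # cells m0..m15, row-major
    tk = [int(c, 16) for c in key_hex]    # TK1
    for rc in round_constants(ROUNDS):
        st = [S4[x] for x in st]                            # SubCells
        st[0] ^= rc & 0xF; st[4] ^= rc >> 4; st[8] ^= 0x2   # AddConstants
        st = [x ^ k for x, k in zip(st, tk[:8])] + st[8:]   # AddRoundTweakey
        tk = [tk[PT[i]] for i in range(16)]                 # tweakey schedule
        st = mix_columns(shift_rows(st))                    # ShiftRows, MixColumns
    return "".join("%x" % x for x in st)

if __name__ == "__main__":
    # SKINNY-64-64 test vector from the specification; prints bb39dfb2429b8ac7
    print(encrypt("06034f957724d19d", "f5269826fc681238"))
```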
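The S4 properties listed on the 4-bit Sbox slide can be checked by exhaustive search. This added example (not part of the original slides) computes the largest difference-table entry, the largest linear bias, the algebraic degree and the fixed points; the S4 table is taken from the SKINNY specification, since the slide text does not include it.

```python
# Added example: exhaustive check of the S4 properties listed on the slide.
# The S4 table is from the SKINNY specification (assumption: not in the slide text).
S4 = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB, 0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]

def inverse(sbox):
    return [sbox.index(y) for y in range(len(sbox))]

def fixed_points(sbox):
    return [x for x, y in enumerate(sbox) if x == y]

def parity(x):
    return bin(x).count("1") & 1

def max_diff_count(sbox):
    """Largest difference-table entry over non-zero input differences."""
    best = 0
    for a in range(1, len(sbox)):
        counts = [0] * len(sbox)
        for x in range(len(sbox)):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def max_linear_bias_count(sbox):
    """Largest |#{x : a.x = b.S(x)} - n/2| over non-zero output masks b."""
    n = len(sbox)
    return max(abs(sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2)
               for a in range(n) for b in range(1, n))

def algebraic_degree(sbox):
    """Maximum degree of the coordinate functions, via the Moebius transform."""
    n, bits = len(sbox), len(sbox).bit_length() - 1
    deg = 0
    for j in range(bits):
        anf = [(y >> j) & 1 for y in sbox]
        for i in range(bits):
            for x in range(n):
                if (x >> i) & 1:
                    anf[x] ^= anf[x ^ (1 << i)]
        deg = max(deg, max((bin(x).count("1") for x in range(n) if anf[x]), default=0))
    return deg

if __name__ == "__main__":
    n = len(S4)
    print("max differential probability:", max_diff_count(S4) / n)
    print("max absolute linear bias:", max_linear_bias_count(S4) / n)
    print("degrees:", algebraic_degree(S4), algebraic_degree(inverse(S4)))
    print("fixed points:", [hex(x) for x in fixed_points(S4)])
```

A count of 4 out of 16 in either table corresponds to the $2^{-2}$ figures on the slide.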
