Lightweight Cryptography Mar´ıaNaya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik,ˇ Croatia - June 15 2018 Outline I Symmetric lightweight primitives I Most used cryptanalysis • Impossible Differential Attacks • Meet-in-the-middle • Dedicated attacks I Conclusions and remarks Symmetric Lightweight Primitives Lightweight Primitives I Lightweight primitives designed for constrained environments, like RFID tags, sensor networks. I Real need ) an enormous amount of proposals in the last years (block and stream ciphers, hash functions): PRESENT, LED, KATAN/KTANTAN, KLEIN, PRINCE, PRINTcipher, LBLOCK, TWINE, XTEA, mCrypton, Iceberg, HIGHT, Piccolo, SIMON, SPECK, SEA, DESL... I NIST competition to start around december 2018, comments on call close the 28 June! 1/60 Draft: NIST competition AEAD and hash functions. (Some) requirements: I Efficient for short messages. I Compact HW and embedded SW implementations with low RAM/ROM. I Key preprocessing efficient. I Different strategies: low energy/low power/low latency. I Performant in different microcontroller architectures... Better in constrained environments than existing standards. 2/60 Lightweight Primitives I Any attack better than the generic one is considered a \break". I Cryptanalysis of lightweight primitives: a fundamental task, responsibility of the community. I Importance of cryptanalysis (especially on new proposals): the more a cipher is analyzed, the more confidence we can have in it... I ...or know which algorithms are not secure to use. 3/60 Lightweight Primitives I Lightweight: more 'risky' design, lower security margin, simpler components. I Often innovative constructions: dedicated attacks I Types of attacks: single-key/related-key, distinguisher/key- recovery, weak-keys,... I Importance of attacks on reduced versions. I High complexities: ugly properties or security margin determined. 4/60 Main Objectives of this talk I Perform a (non-exhaustive) survey of proposals and their security status. I Provide the intuition of the \most useful attacks" against LW ciphers. I Conclusions and remarks (link with hash functions). 5/60 Survey of Proposals 1 I Feistel Networks - best external analysis DESLX - none ITUbee - self-similarity (8/20r) LBlock - imposs. diff. (24/32r) SEA - none SIMON and SPECK - imposs. diff., diff, 0-correl. XTEA - mitm (23/64r) CLEFIA - imposs. diff. (13/18r) HIGHT - 0-correlation (27/32r) TWINE - mitm,imposs. diff.,0-corr (25/36r) 1mainly from https://cryptolux.org/index.php/Lightweight Block Ciphers 6/60 Survey of Proposals I Substitution-Permutation Network KLEIN - dedicated attack (full round) LED - EM generic attacks (8/12r, 128K) Zorro - diff. (full round) mCrypton - mitm (9/12r, 128K) PRESENT - mult. dim. lin. (27/31r) PRINTcipher - invariant-wk (full round) PRIDE - diff (18/20r) PRINCE - mult. diff (10/12r) Fantomas/Robin -none/invariant-wk (full round) 7/60 Survey of Proposals I FSR-based KTANTAN/KATAN - mitm (153/254r) Grain - correl./ cube attacks (some full) Trivium - cube attacks (800/1152) - Sprout - guess-and-determine (full round) Quark -condit. diff (25%) Fruit - divide and conquer (full) Lizard - guess-and-det. (full) 8/60 Survey of Proposals I ARX Chaskey - diff-lin (7/8r) Hight - 0-correl (27/32r) LEA - diff. (14/24r) RC5 - diff. (full round) Salsa20 - diff (8/20r) Sparx - imposs. diff. (15/24r) Speck - diff. (17/32r) 9/60 More Proposals For more details, primitives, classifications, see: State of the Art in Lightweight Symmetric Cryptography, by Alex Biryukov and Leo Perrin https://eprint.iacr.org/2017/511 10/60 Most Successful Attacks Families of attacks I Impossible differentials (Feistel) I Mitm / guess and determine (SPN, FSR) I Dedicated: (differential/linear...) 11/60 Impossible Differential Attacks Classical Differential Attacks [BS'90] Given an input difference between two plaintexts, some output differences occur more often than others. ′ ′ X EK Y ∆X ∆Y ′′ ′′ X EK Y A differential is a pair (∆X; ∆Y ). 12/60 Differential path: example "# "! "$ 0 0 0 !0 !0 "0 0 0 0 0 0 !# !# "1 1 1 0 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 !%! ! !%$% ! ! 13/60 Truncated Differential Attacks [K 94] A truncated path predicts only parts of the differences. Let's see a simple example: 14/60 Truncated path: example "# "! "$ XX XXX XXX 0 0 0 X X X?? 0 0 0 0 0 0 XX 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ! ! ! ! ! ! ! 15/60 Truncated path: example "# "! "$ XX XXX XXX 0 0 0 X X X 0 0 0 0 0 0 0 0 XX 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 % ! ! ! ! !$ ! 16/60 Impossible Differential Attacks [K,BBS'98] I Impossible differential attacks use a differential with probability 0. I We can find the impossible differential using the Miss-in-the-middle [BBS'98] technique. I Extend it backward and forward ) Active Sboxes transitions give information on the involved key bits. I Generic framework and improvements [BNPS14,BLNPS17] 17/60 Example: LBlock Designed by Wu and Zhang, (ACNS 2011). I 80-bit key and 64-bit state. I 32 rounds. ki <<< 8 F 18/60 Example: LBlock Inside the function F : I add the subkey to the input. I 8 different Sboxes 4 × 4. I a nibble permutation P : Best attack so far: Imp. Diff. on 23 rounds [CFMS'14,BMNPS'14] and RK on 24 rounds [SHS'15]. 19/60 Impossible differential: 14 rounds k14 <<< 8 k5 <<< 8 k10 <<< 8 F F F k15 <<< 8 k6 <<< 8 k11 <<< 8 F F F k16 <<< 8 k7 <<< 8 F F k12 <<< 8 k17 <<< 8 k8 <<< 8 F F F k13 <<< 8 k18 <<< 8 k9 <<< 8 F F F Impossible Differential Attack ∆in rin (cin, kin) ∆X r∆ ∆Y rout (cout, kout) ∆out 21/60 Discarding Wrong Keys I Given one pair of inputs with ∆in that produces ∆out, I all the (partial) keys that produce ∆X from ∆in and ∆Y from ∆out differ from the correct one. I If we consider N pairs verifying (∆in; ∆out) the probability of NOT discarding a candidat key is − − (1 − 2 cin cout)N 22/60 For the Attacks to Work We need, for a state size s and a key size jKj: s Cdata < 2 and jkin[koutj jK|−|kin[koutj jkin[koutj jKj Cdata + 2 CN + 2 P 2 < 2 where Cdata is the data needed for obtaining N pairs (∆in; ∆out), CN is the average cost of testing the pairs per candidate key (early abort technique [LKKD08]) and P is the probability of not discarding a candidate key. 23/60 L1 R1 K First Rounds 1 <<< 8 3 cond. L2 R2 K 2 <<< 8 2 cond. L3 R3 K 3 <<< 8 1 cond. L4 R4 K 4 <<< 8 1 cond. R L5 5 24/60 L19 R19 K19 Last Rounds <<< 8 1 cond. L20 R20 K 20 <<< 8 1 cond. L21 R21 K 21 <<< 8 2 cond. L22 R22 K 22 <<< 8 3 cond. L23 R23 25/60 Impossible Differential on LBlock I For 21 rounds a complexity of 269:5 in time with 263 data, for 22: 271:53 time and 260 data, for 23: 275:36 time and 259 data. I Feistel constructions in general are good targets 26/60 Improvements [BN-PS14,BLN-PS17,B18] I Multiple impossible differentials (related to [JN-PP13]) I Correctly choosing ∆in and ∆out (related to [MRST09]) I State-test technique (related to [MRST09]) I More accurate estimate of the pairs [B18] 27/60 Example: CLEFIA-128 • block size: 4 × 32 = 128 bits • key size: 128 bits • # of rounds: 18 ✐ ✶ ✐ ✶ ✐ ✶ ✐ ✶ P P P P ✸ ✷ ✶ ✵ ❘ ❑ ❘ ❑ ✷✐ ✷ ✷✐ ✶ ❋ ❋ ✵ ✶ ✐ ✐ ✐ ✐ P P P P ✵ ✶ ✷ ✸ 28/60 Multiple Impossible Differentials Formalize the idea of [Tsunoo et al. 08]: CLEFIA has two 9-round impossible differentials ((0; 0; 0;A) 6! (0; 0; 0;B)) and ((0; A; 0; 0) 6! (0; B; 0; 0)) when A and B verify: A B (0; 0; 0; α) (0; 0; β; 0) or (0; β; 0; 0) or (β; 0; 0; 0) (0; 0; α; 0) (0; 0; 0; β) or (0; β; 0; 0) or (β; 0; 0; 0) (0; α; 0; 0) (0; 0; 0; β) or (0; 0; β; 0) or (β; 0; 0; 0) (α; 0; 0; 0) (0; 0; 0; β) or (0; 0; β; 0) or (0; β; 0; 0) 113 113 24 in total: Cdata = 2 becomes Cdata = 2 =24 29/60 State Test Technique Reduce the number of key bits involved. B = ■ ⊕ S0(■ ⊕ ■) ⊕ ■ 30/60 State Test Technique Reduce the number of key bits involved. L 0 0 B = ■ ⊕ S0(■ ⊕ ■) (with B = B ■) jkin [ koutj = 122 bits ) jkin [ koutj = 122−16 +|{z} 8 bits B0 30/60 Applications of Improved Impossible Diff I CLEFIA: best attack on CLEFIA (13 rounds). I Camellia: Improved best attacks for Camellia. I AES: attacks comparable with best mitm ones (7 rounds). I LBlock: best attack (on 24 rounds). 31/60 Meet-in-the-middle attacks Meet-in-the-Middle Attacks I Introduced by Diffie and Hellman in 1977. I Largely applied tool. I Few data needed. I Many improvements: partial matching, bicliques, sieve- in-the-middle... 32/60 Meet-in-the-Middle Attacks [Diffie Hellman 77] Plaintext K F 1 M K=K U K E s 1 2 K K B 2 |K|-s 2|K1| + 2|K2| + 2 Ciphertext 33/60 With Partial Matching [AS'08] Plaintext K F 1 M K=K U K E s' 1 2 K K B 2 |K|-s’ Ciphertext 2|K1| + 2|K2| + 2 34/60 With Bicliques [KRS'11] Plaintext K F 1 K=K U K E 1 2 K s’ K B 2 X |k | |k | k 2 1 + 2 2 + k 2 1 |K|-s’ 2|K1| + 2|K2| + 2 Ciphertext 35/60 Bicliques I Improvement of MITM attacks, but also..