Intro Security Examples Conclusions Does Lightweight Cryptography Imply Slightsecurity? Orr Dunkelman Computer Science Department University of Haifa 7th March, 2014 ? Orr Dunkelman Lightweight ⇒ Slightsecurity 1/ 35 Intro Security Examples Conclusions Outline 1 Introduction Lightweight Cryptography Lightweight Cryptography Primitives 2 The Path to Security 3 A Few Examples The MISTY1 to KASUMI Transition The AES to LED Transition The KTANTAN Block Cipher ZORRO 4 Conclusions/Discussions ? Orr Dunkelman Lightweight ⇒ Slightsecurity 2/ 35 Intro Security Examples Conclusions LWC Primitives Lightweight Cryptography ◮ Targets constrained environments. ◮ Tries to reduce the computational efforts needed to obtain security. ◮ Optimization targets: size, power, energy, time, code size, RAM/ROM consumption, etc. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 3/ 35 Intro Security Examples Conclusions LWC Primitives Lightweight Cryptography ◮ Targets constrained environments. ◮ Tries to reduce the computational efforts needed to obtain security. ◮ Optimization targets: size, power, energy, time, code size, RAM/ROM consumption, etc. Why now? ? Orr Dunkelman Lightweight ⇒ Slightsecurity 3/ 35 Intro Security Examples Conclusions LWC Primitives Lightweight Cryptography is All Around Us ◮ Constrained environments today are different than constrained environments 10 years ago. ◮ Ubiquitous computing – RFID tags, sensor networks. ◮ Low-end devices (8-bit platforms). ◮ Stream ciphers do not enjoy the same “foundations” as block ciphers. ◮ Failure of previous solutions (KeeLoq, Mifare) to meet required security targets. ◮ Good research direction. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 4/ 35 Intro Security Examples Conclusions LWC Primitives Some Lightweight Primitives Block Ciphers Stream Ciphers Hash Functions MACs HIGHT Grain H-PRESENT SQUASH mCrypton Trivium PHOTON DESL Mickey QUARK PRESENT F-FCSR-H Armadillo KATAN WG-7 SpongeNT KTANTAN CAZAD GLOUN PRINTcipher Keccak-f∗ SEA Klein LBlock GOST ZORRO TWINE LED PRINCE Simon Speck ? Orr Dunkelman Lightweight ⇒ Slightsecurity 5/ 35 Intro Security Examples Conclusions LWC Primitives Some Lightweight Primitives Block Ciphers Stream Ciphers Hash Functions MACs HIGHT Grain H-PRESENT SQUASH mCrypton Trivium PHOTON DESL Mickey QUARK PRESENT F-FCSR-H Armadillo KATAN WG-7 SpongeNT KTANTAN CAZAD GLOUN PRINTcipher Keccak-f∗ SEA Klein LBlock GOST ZORRO TWINE LED PRINCE Simon Speck ? Orr Dunkelman Lightweight ⇒ Slightsecurity 5/ 35 Intro Security Examples Conclusions Security Challenges ◮ Lightweight ⇒ pick the point on the security/performance curve with as little security margins as possible. ◮ Use best-of-the-art approaches: ◮ Count the number of active S-boxes (wide trail), ◮ Scale-down “known” ciphers (Misty1 → KASUMI, AES→ LED, Zorro, DES→ DESL, . ) ◮ Use “secure structures” (GFNs/AES-like/etc.) ? Orr Dunkelman Lightweight ⇒ Slightsecurity 6/ 35 Intro Security Examples Conclusions Security Challenges ◮ Lightweight ⇒ pick the point on the security/performance curve with as little security margins as possible. ◮ Use best-of-the-art approaches: ◮ Count the number of active S-boxes (wide trail), ◮ Scale-down “known” ciphers (Misty1 → KASUMI, AES→ LED, Zorro, DES→ DESL, . ) ◮ Use “secure structures” (GFNs/AES-like/etc.) ◮ Ignore related-key attacks. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 6/ 35 Intro Security Examples Conclusions Security Challenges ◮ Lightweight ⇒ pick the point on the security/performance curve with as little security margins as possible. ◮ Use best-of-the-art approaches: ◮ Count the number of active S-boxes (wide trail), ◮ Scale-down “known” ciphers (Misty1 → KASUMI, AES→ LED, Zorro, DES→ DESL, . ) ◮ Use “secure structures” (GFNs/AES-like/etc.) ◮ Ignore related-key attacks. ◮ Use provable approaches: ◮ Even-Mansour (1-Key/Multiple Key) ? Orr Dunkelman Lightweight ⇒ Slightsecurity 6/ 35 Intro Security Examples Conclusions Security Challenges ◮ Lightweight ⇒ pick the point on the security/performance curve with as little security margins as possible. ◮ Use best-of-the-art approaches: ◮ Count the number of active S-boxes (wide trail), ◮ Scale-down “known” ciphers (Misty1 → KASUMI, AES→ LED, Zorro, DES→ DESL, . ) ◮ Use “secure structures” (GFNs/AES-like/etc.) ◮ Ignore related-key attacks. ◮ Use provable approaches: ◮ Even-Mansour (1-Key/Multiple Key) ◮ As usual . pray. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 6/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO MISTY1 ◮ Introduced by Matsui in 1997. ◮ 64-bit block, 128-bit key. ◮ Recursive structure — 8 Feistel rounds, each round function is a 3-round Feistel function. ◮ Each of these semi-round functions is a 3-round Feistel on its own. ◮ Uses 7-bit and 9-bit S-boxes for maximal nonlinearity. ◮ Every two rounds there is an FL-layer. ◮ Cryptrec-approved, NESSIE-portfolio, RFC, ISO. ◮ Predecessor of KASUMI. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 7/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO MISTY1 KO KI KO FL KL1 1, 1 KL2 FL i,1 1 2 L S9 FO1 FIi,1 KIi,1 L L KO , KI 2 2 L FO2 L S7 KOi,2 KL KO KI KL L FL3 3 3, 3 4 FL4 FIi,2 KIi,2 L KIi,j,2 FO3 KIi,j,1 L L L L KO4, KI4 FO4 S9 L KOi,3 L KL KO KI KL FI KI FL5 5 5, 5 6 FL6 i,3 i,3 L FO5 L L KO KI 6, 6 FI function FO6 KOi,4 L L KL KO , KI KL FL7 7 7 7 8 FL8 FO function FO7 L KO8, KI8 FO8 KL L i,1 bitwiseT AND T L S KL KL bitwise OR FL9 9 10 FL10 KLi,2 L S MISTY1 FL function ? Orr Dunkelman Lightweight ⇒ Slightsecurity 8/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO KASUMI KL1 KO1, KI1 KOi,1 L S9 FL1 FO1 L FIi,1 KIi,1 L KO2, KI2 KL2 L FO2 FL2 L S7 KOi,2 L KL3 KO3, KI3 FIi,2 KIi,2 L KIi,j,2 FL3 FO3 KIi,j,1 L L L L KO4, KI4 KL4 S9 FO4 FL4 KOi,3 L L FIi,3 KIi,3 L KL5 KO5, KI5 FL5 FO5 L L S7 KO6, KI6 KL6 L FO6 FL6 FO function L FI function KL7 KO7, KI7 FL7 FO7 L KLi,1 KO8, KI8 KL8 ≪ bitwiseT AND FO8 FL8 T L S L KL , bitwise OR ≪ i 2 ≪ L S rotate left by one bit KASUMI FL function ? Orr Dunkelman Lightweight ⇒ Slightsecurity 9/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO KASUMI — Changes from MISTY1 ◮ Done by ETSI’s SAGE group to fit mobile handsets. ◮ FL functions to be moved from datapath to round-path. ◮ One key addition reduced from the FO function. ◮ Extra S7 in FI (⇒ FO can no longer be divided into 4 parallel functions, but only 2). ? Orr Dunkelman Lightweight ⇒ Slightsecurity 10/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO KASUMI — Changes from MISTY1 ◮ Done by ETSI’s SAGE group to fit mobile handsets. ◮ FL functions to be moved from datapath to round-path. ◮ One key addition reduced from the FO function. ◮ Extra S7 in FI (⇒ FO can no longer be divided into 4 parallel functions, but only 2). ◮ Key schedule changed significantly. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 10/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO KASUMI vs. MISTY1 ◮ In the single-key model: KASUMI ≈ MISTY1: ◮ 6-Round Misty1 [JL12]: 252.5 CPs, 2112.4 time. ◮ 6-Round KASUMI [K12]: 255 CPs, 2100 time. ◮ In the related-key model: MISTY1 ≫ KASUMI. ◮ Practical key recovery attack against the full KASUMI ([DKS10]). ◮ MISTY1: not even close (without FL, [DK13]). ? Orr Dunkelman Lightweight ⇒ Slightsecurity 11/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO The LED Block Cipher ◮ Introduced by [G+11]. ◮ 64-bit block with 64-bit key (LED-64) or 128-bit key (LED-128). ◮ LED-64: 8-Step 1-Key Even-Mansour. ◮ LED-128: 12-Step 2-Key Even-Mansour. ◮ The “public permutation”: 4-round unkeyed AES-like construction. m P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 c L L L L L L L L L L L L L K1 K2 K1 K2 K1 K2 K1 K2 K1 K2 K1 K2 K1 AC SC SR MC ×4 ? Orr Dunkelman Lightweight ⇒ Slightsecurity 12/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO The LED Block Cipher (cont.) ◮ 48-round (12-step LED-128) offer security against differential, linear, meet-in-the-middle, . ? Orr Dunkelman Lightweight ⇒ Slightsecurity 13/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO The LED Block Cipher (cont.) ◮ 48-round (12-step LED-128) offer security against differential, linear, meet-in-the-middle, . ◮ No related-key issues/weakness in key schedule. ? Orr Dunkelman Lightweight ⇒ Slightsecurity 13/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO The LED Block Cipher (cont.) ◮ 48-round (12-step LED-128) offer security against differential, linear, meet-in-the-middle, . ◮ No related-key issues/weakness in key schedule. ◮ As long as the 8-Step 1-Key Even-Mansour secure (LED-64) or 5-Step 1-Key Even-Mansour secure (LED-128). ? Orr Dunkelman Lightweight ⇒ Slightsecurity 13/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO Results on LED (Single-Key) Source Cipher Steps Time Data Memory [IS12] LED-64 2 256 28 CP 28 [D+14] LED-64 2 248 216 CP 217 [D+14] LED-64 2 248 248 KP 248 [D+13] LED-64 3 260.2 249 KP 260 [IS12] LED-128 4 2112 216 CP 219 [M+12] LED-128 4 296 264 KP 264 [NWW13] LED-128 4 296 232 KP 232 [NWW13] LED-128 6 2124.4 259 KP 259 [D+13] LED-128 6 2124.5 245 KP 260 [D+13] LED-128 8 2123.8 249 KP 260 ? Orr Dunkelman Lightweight ⇒ Slightsecurity 14/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO Related-Key Attacks on LED-64 [M+12] ◮ Find iterative characteristic ∆ → ∆ through Pi . ◮ Set key difference to ∆, plaintext difference to 0 . ? Orr Dunkelman Lightweight ⇒ Slightsecurity 15/ 35 Intro Security Examples Conclusions KASUMI LED KTANTAN ZORRO Related-Key Attacks on LED-64 [M+12] ◮ Find iterative characteristic ∆ → ∆ through Pi . ◮ Set key difference to ∆, plaintext difference to 0 . ◮ 3-Step immediate related-key attack on LED-64, can be extended to 4-Step.