Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Kölbl June 20th, 2017 DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography Symmetric Key Cryptography What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange 1 Authentication Authentication Message Authentication Code (MAC) Key Message MAC Tag • Produces a tag • Provide both authenticity and integrity • It should be hard to forge a valid tag. • Similar to hash but has a key • Similar to digital signature but same key 2 Authentication MAC Algorithm • Block Cipher Based (CBC-MAC) • Hash-based (HMAC, Sponge) • Universal Hashing (UMAC, Poly1305) 3 Authentication CBC-MAC M1 M2 Mi 0 EK EK EK T 4 Authentication Hash-based: • H(k jj m) • Okay with Sponge, fails with MD construction. • H(m jj k) • Collision on H allows to construct Tag collision. • HMAC: H(k ⊕ c1kj H(k ⊕ c2jjm)) 5 Authentication Universal Hashing (UMAC, Poly1305, …) • We need a universal hash function family H. • Parties share a secret member of H and key k. • Attacker does not know which one was chosen. Definition A set H of hash functions h : U ! N is universal iff 8x; y 2 U: 1 Pr (h(x) = h(y)) ≤ h2H jNj when h is chosen uniformly at random. 6 Authenticated Encryption In practice we always want Authenticated Encryption • Encryption does not protect against malicious alterations. • WEP [TWP07] • Plaintext recovery OpenSSH [APW09] • Recover TLS cookies [DR11] Problem Lot of things can go wrong when combining encryption and authentication. Note: This can allow to recover plaintext, forge messages... 7 Authenticated Encryption [BN00] Encrypt-and-MAC Message EK MACK0 Ciphertext Tag 8 Authenticated Encryption [BN00] MAC-then-Encrypt Message MACK0 Message Tag EK Ciphertext 9 Authenticated Encryption [BN00] Encrypt-then-MAC Message EK Ciphertext MACK0 Ciphertext Tag 10 Authenticated Encryption You have to be careful! CTR-Mode CBC-MAC N jj 1 N jj 2 N jj 3 M1 M2 Mi 0 E E E EK EK EK K K K M1 M2 M3 T C1 C2 C3 11 Authenticated Encryption Authenticated Encryption with Associated Data (AEAD) A1;:::; Am T M1;:::; Ml AE N C1;:::; Cm • Associcated Data A (e.g. packet header) • Nonce N (unique number) 12 Authenticated Encryption Galois/Counter Mode (GCM) 0 Njj1 Njj2 Njjl Njj0 EK EK EK … EK EK M1 M2 Ml jj A1;:::; Am C1 C2 Cl m l H T ×H ×H ×H ×H ×H 13 0 Njj0 EK EK A1;:::; Am m jj l H T ×H ×H ×H ×H ×H Authenticated Encryption Galois/Counter Mode (GCM) Njj1 Njj2 Njjl EK EK … EK M1 M2 Ml C1 C2 Cl 13 Authenticated Encryption Galois/Counter Mode (GCM) 0 Njj1 Njj2 Njjl Njj0 EK EK EK … EK EK M1 M2 Ml jj A1;:::; Am C1 C2 Cl m l H T ×H ×H ×H ×H ×H 13 Authenticated Encryption AES-GCM • Widely used (TLS) • Reusing nonce compromises security • Weak keys for ×H • Hardware support for AES + PCLMULQDQ • AES-GCM-SIV? 14 Authenticated Encryption CAESAR1: Competition for Authenticated Encryption: Security, Applicability, and Robustness • Initially 57 submissions. • Third round: 15 Submissions left • Goal is to have a portfolio of AE schemes Summary Most applications need Authenticated Encryption! 1 https://competitions.cr.yp.to/caesar.html 15 Quantum Attacks Quantum Attacks Attack Model • Attacker listens to communication over classical channel. • Can query a classic blackbox with the secret key. • Attacker has large quantum computer. • Only limited set of quantum algorithms available. 16 Quantum Attacks Encryption / MACs • Recover Key in O(2k=2) with Grover’s. Hash Function • Find Preimage in O(2n=2) with Grover’s. • Find Collisions in O(2n=3) [BHT97] ... but needs O(2n=3) hardware. 17 Quantum Attacks The costs are not so simple • Costs of quantum operation vs. classic operations • Collision finding not really faster [Ber09]. There is some work on better understanding this: • Preimage SHA-256: 2166 logical-qubit-cycles [Amy+16]. • Preimage SHA3-256: 2166 logical-qubit-cycles [Amy+16]. 18 Quantum Attacks Even-Mansour • Two keys k1; k2. • Uses public permutation π. k1 k2 p π c Classic Security • D queries to E • T queries to π • Proof for upper bound on attack success O(DT=2n) 19 Quantum Attacks Quantum Oracle Access to encryption algorithm jxi jxi EK j0i jEK(x)i • Very strong model for adversary. 20 Quantum Attacks Simon’s Algorithm Given f : f0; 1gn ! f0; 1gn with promise that there exists s 2 f0; 1gn such that 8(x; y) 2 f0; 1gn : f(x) = f(y) () x ⊕ y 2 f0n; sg Output: s Only needs O(n) quantum queries. 21 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) j0nij0ni 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 p jxij0ni n 2 x 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 p jxijf(x)i n 2 x 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) 1 1 p jzi + p jz ⊕ si 2 2 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 1 · · p p (−1)y z(1 + (−1)y s)jyi n 2 2 y 22 Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 1 · · p p (−1)y z(1 + (−1)y s)jyi n 2 2 y Result One steps finds a vector such that y · s = 0. 22 Recover k1 with O(n) quantum queries. Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x ⊕ k1 ⊕ k1) ⊕ k2 ⊕ π(x ⊕ k1) 23 Recover k1 with O(n) quantum queries. Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x) ⊕ k2 ⊕ π(x ⊕ k1) 23 Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) Recover k1 with O(n) quantum queries. 23 Goal Construct f such that f(x) = f(x ⊕ s) for some secret s. Quantum Attacks Similar attacks [Kap+16] apply to • Block Cipher Modes • MACs • Authenticated Encryption • Improving Slide Attacks 24 Quantum Attacks Similar attacks [Kap+16] apply to • Block Cipher Modes • MACs • Authenticated Encryption • Improving Slide Attacks Goal Construct f such that f(x) = f(x ⊕ s) for some secret s. 24 Current Directions in Symmetric Key Cryptography Symmetric Key Cryptography Lightweight Cryptography • Resource constraint Server • Chip area Laptop / Desktop • Memory Smartphones Standard • Computing Power Smart devices • Power/Energy Microcontrollers 5 • NIST Project FPGA Computing Power Lightweight • Many designs exists ASIC RFID / Sensor Networks 1 https://beta.csrc.nist.gov/projects/lightweight-cryptography 25 Symmetric Key Cryptography Hash-based Signatures: • Many calls to a hash function... • ...but only very short inputs. • No collision resistance required Current Designs: • Often slow on short inputs. • Too conservative for this restricted setting? f f f • Designs: ChaCha in SPHINCS, Haraka [Köl+] 26 Symmetric Key Cryptography Multiparty Computation, Zero Knowledge, Fully Homomorphic Encryption • Multiplications in primitives very costly for these applications. • Signature size directly relates to number of ANDs (for ZK). Symmetric Key Primitives which: • Minimize number of ANDs • Minimize circuit depth • Examples: LowMC [Alb+15], MiMC [Alb+16], Kreyvium [Can+16], Flip [Méa+16] 27 Conclusion Symmetric Key Cryptography • Encryption: AES-CTR • Hash: SHA-2, SHA-3 • Authenticated Encryption: AES-GCM, ChaCha20-Poly1305, CAESAR Quantum Attacks • Mostly fine with double the parameter sizes. • Improve cryptanalytic attacks with quantum algorithms. 1 Thanks to https://www.iacr.org/authors/tikz/ for some of the figures. 28 Questions? 28 References i Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. “Plaintext Recovery Attacks against SSH”. In: 30th IEEE Symposium on Security and Privacy (S&P 2009). 2009, pp. 16–26. Martin R. Albrecht et al. “Ciphers for MPC and FHE”. In: Advances in Cryptology - EUROCRYPT 2015. 2015, pp. 430–454. Martin R. Albrecht et al. “MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity”. In: Advances in Cryptology - ASIACRYPT 2016. 2016, pp. 191–219. Matthew Amy et al. Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. Cryptology ePrint Archive, Report 2016/992. http://eprint.iacr.org/2016/992. 2016. Gilles Brassard, Peter Høyer, and Alain Tapp. “Quantum cryptanalysis of hash and claw-free functions”. In: SIGACT News 28.2 (1997), pp. 14–19. 29 References ii Mihir Bellare and Chanathip Namprempre. “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm”. In: Advances in Cryptology - ASIACRYPT 2000.