ASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015

Size: px

Start display at page:

Download "ASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015"

Herbert Carpenter
5 years ago
Views:

1 S C I E N C E P A S S I O N T E C H N O L O G Y ASCON: A Submission to CAESAR Graz University of Technology

2 The Team Christoph Dobraunig Maria Eichlseder Florian Mendel Martin Schläffer 2

3 Overview CAESAR Design of ASCON Security analysis Implementations 3

4 CAESAR CAESAR: Competition for Authenticated Encryption Security, Applicability, and Robustness Inspired by AES SHA-3 estream 4

5 CAESAR Candidates ACORN ++AE AEGIS AES-CMCC AES-COBRA AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ Artemia Ascon AVALANCHE Calico CBA CBEAM CLOC Deoxys ELmD Enchilada FASER HKC HS1-SIV ICEPOLE ifeed[aes] Joltik Julius Ketje Keyak KIASU LAC Marble McMambo Minalpher MORUS NORX OCB OMD PAEQ PAES PANDA π-cipher POET POLAWIS PRIMATEs Prøst Raviyoyla Sablier SCREAM SHELL SILC Silver STRIBOB Tiaoxin TriviA-ck Wheesht YAES 5

6 CAESAR Candidates ACORN ++AE AEGIS AES-CMCC AES-COBRA AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ Artemia Ascon AVALANCHE Calico CBA CBEAM CLOC Deoxys ELmD Enchilada FASER HKC HS1-SIV ICEPOLE ifeed[aes] Joltik Julius Ketje Keyak KIASU LAC Marble McMambo Minalpher MORUS NORX OCB OMD PAEQ PAES PANDA π-cipher POET POLAWIS PRIMATEs Prøst Raviyoyla Sablier SCREAM SHELL SILC Silver STRIBOB Tiaoxin TriviA-ck Wheesht YAES 6

7 ASCON Design Goals Security Online Efficiency Single pass Lightweight Scalability Simplicity Side-Channel Robustness 7

8 ASCON General Overview Nonce-based AE scheme Sponge inspired P 1 C 1 P 2 C 2 P t C t IV K N 256 p p 6 p p T 0 K 1 K 0 K Processing Initialization Plaintext Finalization 8

9 ASCON Permutation Iterative application of round function One round Constant addition Substitution layer Linear layer 9

10 ASCON Round Substitution layer x 0 x 1 x 2 x 3 x 4 Linear layer x 0x1 x 1 x 2 x 3 x 4 10

11 ASCON Round x 4 x 4 x 4 (x 4 7) (x 4 41) x 4 x 3 x 3 x 3 (x 3 10) (x 3 17) x 3 x 2 x 2 x 2 (x 2 1) (x 2 6) x 2 x 1 x 1 x 1 (x 1 61) (x 1 39) x 1 x 0 S-box x 0 x 0 (x 0 19) (x 0 28) x 0 Linear transformation 11

12 Analysis ASCON [DEMS15] Attacks on round-reduced versions of ASCON-128 Key-recovery Forgery Analysis of the building blocks Permutation 12

13 Key-recovery Idea Target initialization Choose nonce Observe key-stream Deduce information about the secret key rounds time method ASCON / cube-like 5 / / differential-linear 4 /

14 Key-recovery Idea Target initialization Choose nonce Observe key-stream Deduce information about the secret key rounds time method ASCON / cube-like 5 / / differential-linear 4 /

15 Forgery Idea P 1 C 1 P 2 C 2 P t C t = p 6 p 6 p T = K 0 K 14

16 Forgery ASCON-128 3/12 rounds finalization probability 2 33 input difference after 1 round after 2 rounds after 3 rounds x ???????????????? x ???????????????? x d ???????????????? x c5aa02140 x c084 4/12 rounds finalization probability input difference after 4 rounds x ???????????????? x ???????????????? x ???????????????? x ec6a0e9024 x eb2541b2a0e438b0 15

17 Analysis Permutation Zero-sum distinguisher 12 rounds with complexity Search for differential and linear characteristics Proof on minimum number of active S-boxes result rounds differential linear proof heuristic > 64 > 64 16

18 Implementation ASCON Software 64-bit Intel platforms ARM NEON 8-bit ATmega128 Hardware [GWDE15] High-speed Low-area Threshold implementations 17

19 Software 64-bit Intel One message per core (Core2Duo) ASCON-128 (c/b) ASCON-96 (c/b)

20 Software 64-bit Intel One message per core (Core2Duo) ASCON-128 (c/b) ASCON-96 (c/b) Four messages per core [Sen15] (Haswell) ASCON-128 (c/b) ASCON-96 (c/b)

21 Hardware Results [GWDE15] Chip Area Throughput Power Energy [kge] [Mbps] [µw] [µj/byte] Unprotected Implementations Fast 1 round Fast 6 rounds Low-area

22 Hardware Results [GWDE15] Chip Area Throughput Power Energy [kge] [Mbps] [µw] [µj/byte] Unprotected Implementations Fast 1 round Fast 6 rounds Low-area

23 Hardware Results [GWDE15] Chip Area Throughput Power Energy [kge] [Mbps] [µw] [µj/byte] Unprotected Implementations Fast 1 round Fast 6 rounds Low-area Threshold Implementations Fast 1 round Fast 6 rounds Low-area

24 ASCON-128 Choice of Parameters Now: (c,r) = (256, 64) Conservative choice Proposed: (c,r) = (192, 128) [BDPA11] Significant speedup (factor 2) Limit on data complexity 2 64 Proposed: (c,r) = (128, 192) [JLM14] Significant speedup (factor 3) More analysis needed 20

25 More Information 21

26 Acknowledgments The work has been supported in part by the Austrian Science Fund (project P26494-N15) and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number (SeCoS). 22

27 Reference I [BDPA11] [CAE14] [DEMS14] [DEMS15] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Duplexing the sponge: Single-pass authenticated encryption and other applications. In Ali Miri and Serge Vaudenay, editors, Selected Areas in Cryptography SAC 2011, volume 7118 of LNCS, pages Springer, CAESAR committee. CAESAR: Competition for authenticated encryption: Security, applicability, and robustness Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Ascon. Submission to the CAESAR competition: Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Cryptanalysis of ascon. In Kaisa Nyberg, editor, Topics in Cryptology - CT-RSA 2015, volume 9048 of LNCS, pages Springer,

28 Reference II [DMP + 15] Itai Dinur, Pawel Morawiecki, Josef Pieprzyk, Marian Srebrny, and Michal Straus. Cube attacks and cube-attack-like cryptanalysis on the round-reduced keccak sponge function. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages Springer, [GWDE15] Hannes Groß, Erich Wenger, Christoph Dobraunig, and Christoph Ehrenhöfer. Suit up! made-to-measure hardware implementations of ascon. IACR Cryptology eprint Archive, 2015:34, to appear on 18th Euromicro Conference on Digital Systems Design. [JLM14] [Sen15] Philipp Jovanovic, Atul Luykx, and Bart Mennink. Beyond 2 c/2 security in sponge-based authenticated encryption modes. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages Springer, Thomas Senfter. Multi-message support for ascon. Bachelors s Thesis,

29 Hardware High-speed [GWDE15] 63 State Registers 0 key_reg [127:64] key_reg [63:0] x 0 p 0 >> 1 >> 6 x 1 p 1 x 2 p 2 >> 61 >> 39 >> 10 >> 17 x 3 p 3 >> 19 >> 28 >> 7 >> 41 x 4 p 4 0 t 0 io_data key_reg [127:64] key_reg [63:0] round_const _ 63 S-Box t 1 t 2 t 3 t 4 Linear Diffusion Layer 24

30 Hardware Low-area [GWDE15] s 0 S-Box x 63 0 State Shift Registers 0 x s 1 s 2 s 3 s 4 x 1 x 2 x 3 x 4 s tmp key_reg [ x 1,2 ] io_data [ x 0 ] round_const x 2 state_sel Linear Diffusion Layer io_data x 0 tmp Temp. Shift Register tmp_sel 25

31 Hardware Comparison [GWDE15] Smaller Faster More Efficient AES-OCB SILCv2 Ascon-fast-6R Chip Area [kge] AES-OCB2 AES-CCM AES-ALE SILCv1 Minalpher-area Minalpher-speed Ascon-fast-3R Ascon-fast-2R Scream-2R Ascon-fast-1R Scream-1R Keccak-MD Throughput [Mbits/sec] 26

Software Benchmarking of the 2 nd round CAESAR Candidates

Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1, Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK October 20, 2016 SPEED-B, Utrecht, The Netherlands