APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

Size: px

Start display at page:

Download "APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography"

Todd Nicholson
5 years ago
Views:

1 APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda KU Leuven, UTwente, DTU, NTT FSE 2014 March 3, / 14

2 Authenticated Encryption for Lightweight Cryptography Authenticated Encryption Privacy Authenticity 2 / 14

3 Authenticated Encryption for Lightweight Cryptography Authenticated Encryption Privacy Authenticity Lightweight Constrained environments Online Nonce-reuse 2 / 14

4 Authenticated Encryption for Lightweight Cryptography Authenticated Encryption Privacy Authenticity Lightweight Constrained environments Online Nonce-reuse Primitive Block cipher Permutation 2 / 14

5 Authenticated Encryption for Lightweight Cryptography Authenticated Encryption Privacy Authenticity Lightweight Constrained environments Online Nonce-reuse Primitive Block cipher Permutation 2 / 14

6 Misuse Resistance M 1 M 1 M 3 N 1 AE K N 2 AE K N 3 AE K C 1 C 2 C 3. Nonce Counter or random number Requires non-volatile memory or hardware randomness 3 / 14

7 Misuse Resistance M 1 M 1 M 3 N AE K N AE K N AE K C 1 C 2 C 3. Nonce Counter or random number Requires non-volatile memory or hardware randomness 3 / 14

8 Misuse Resistance M 1 M 1 M 3 N AE K N AE K N AE K C 1 C 1 C 3. Nonce Counter or random number Requires non-volatile memory or hardware randomness Misuse Resistance 3 / 14

9 Misuse Resistance M 1 M 2a M 1 M 2b M 3 N AE K N AE K N AE K C 1 C 2a C 1 C 2b C 3. Nonce Counter or random number Requires non-volatile memory or hardware randomness Misuse Resistance Online misuse resistance Security up to common prex 3 / 14

10 State of the Art nonce-dependent misuse resistant IAPM `00, OCB `01 SIV `06, BTM `09 block cipher XECB `01, CCM `03 McOE-G `11, COPA '13 GCM `04, CLOC `14 POET '14, COBRA '14 SpongeWrap `11 permutation Keyak&Ketje '14 NORX '14 4 / 14

11 State of the Art nonce-dependent misuse resistant IAPM `00, OCB `01 SIV `06, BTM `09 block cipher XECB `01, CCM `03 McOE-G `11, COPA '13 GCM `04, CLOC `14 POET '14, COBRA '14 SpongeWrap `11 permutation Keyak&Ketje '14 APE NORX '14 4 / 14

12 5 / 14. APE C[1] C[2] C[3] C[4] M[1] M[2] M[3] M[4] 0 K p p p p K + + T

13 6 / 14. APE: Associated Data A[1] A[2] A[3] A[4] 0 K p p p p IV r IV c C[1] C[2] C[3] C[4] M[1] M[2] M[3] M[4] IV r IV c p p p p K + + T

14 APE: Decryption and Verication M[1] M[2] M[3] M[4] C[1] + C[2] + C[3] + C[4] 1 K? + p 1 p 1 p 1 p 1 K + T 7 / 14

15 APE: Fractional Messages and Associated Data A[1] A[2] A[3] A[4] 10 0 K p p p + p IV r IV c C[1] C[2] C[3], M[4] C[4] M[1] M[2] M[3] M[4] 10 IV r p p p + p K IV c + + T. 8 / 14

16 APE: Security C[1] C[2] C[3] C[4] M[1] M[2] M[3] M[4] 0 K p p p p K + + T Ideal Permutation Model 9 / 14

17 APE: Security C[1] C[2] C[3] C[4] M[1] M[2] M[3] M[4] 0 K p p p p K + + T Ideal Permutation Model Privacy: 2 c/2 Integrity: 2 c/2 9 / 14

18 APE: Security C[1] C[2] C[3] C[4] M[1] M[2] M[3] M[4] p p p p K K K K K K K K T Ideal Permutation Model Privacy: 2 c/2 Integrity: 2 c/2 Standard Cipher Model E := 0 K p 0 K Privacy: 2 c/2 + sprp(e) Integrity: 2 c/2 + sprp(e) 9 / 14

19 APE: Hardware Implementation Two platforms Faraday Standard Cell Library on UMC 180nm Open-cell 45nm NANGATE library 10 / 14

20 APE: Hardware Implementation Two platforms Faraday Standard Cell Library on UMC 180nm Open-cell 45nm NANGATE library Permutation Permutation from Photon/Quark/Spongent APE enc/dec 10 / 14

21 APE: Hardware Implementation Two platforms Faraday Standard Cell Library on UMC 180nm Open-cell 45nm NANGATE library Permutation Permutation from Photon/Quark/Spongent APE enc/dec Parameters Security: 80, 128 bits Rate: 16, 32 bits 10 / 14

22 APE: Implementation Results APE enc/dec 1309 GE: smallest impl. with 80-bit security 2104 GE: smallest impl. with 128-bit security 11 / 14

23 APE: Implementation Results APE enc/dec 1309 GE: smallest impl. with 80-bit security 2104 GE: smallest impl. with 128-bit security Decryption overhead Implement both p and p 1 45nm: overhead 283 GE 11 / 14

24 APE: Implementation Results APE enc/dec 1309 GE: smallest impl. with 80-bit security 2104 GE: smallest impl. with 128-bit security Decryption overhead Implement both p and p 1 45nm: overhead 283 GE Area comparison ALE ASC-1 A, ASC-1 B, AES-CCM 11 / 14

25 Conclusions Features First permutation-based online misuse-resistant AE Easy processing of fractional data Ideal for lightweight Ideal model security proof Standard model security proof 12 / 14

26 Thank you for your attention! Questions? 13 / 14

27 Supporting Slides Supporting Slides 14 / 14

28 How to Securely Release Unveried Plaintext in Authenticated Encryption Elena Andreeva Andrey Bogdanov Atul Luykx Bart Mennink Nicky Mouha Kan Yasuda KU Leuven, iminds, DTU, NTT eprint.iacr.org/2014/ / 14

29 APE on UMC 180 nm APE on UMC 180 nm CMOS 100 khz Design Security Rate Latency Throughput Area (bits) (bits) (cycles) (kbps) (GE) Photon Photon-196 e/d Quark Quark-176 e/d Spongent Spongent-176 e/d Photon Photon-288 e/d Quark Quark-256 e/d Spongent Spongent-272 e/d / 14

30 APE on NANGATE 45 nm APE on NANGATE 45 nm CMOS 100 khz Design Security Rate Latency Throughput Area (bits) (bits) (cycles) (kbps) (GE) Photon Photon-196 e/d Quark Quark-176 e/d Spongent Spongent-176 e/d Photon Photon-288 e/d Quark Quark-256 e/d Spongent Spongent-272 e/d / 14

31 Other AE Schemes on ST 65 nm Other AE schemes on ST 65 nm CMOS LP-HVT 20 MHz Design Security Latency Throughput Area (bits) (cycles) (kbps) (GE) ALE ALE e/d ASC-1 A ASC-1 A e/d ASC-1 B ASC-1 B e/d AES-CCM AES-CCM e/d / 14

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers Ahmed Ferozpuri Abstract Lightweight devices used for encrypted communication require a scheme that can operate in a low resource