SLIDE 1
Gain: Practical Key-Recovery Attacks on Round-Reduced PAEQ
Dhiman Saha, Sourya Kakarla, Srinath Mandava, Dipanwita Roy Chowdhury
Crypto Research Lab, Department of Computer Science and Engineering, IIT Kharagpur, India
{dhimans,skakarla,smandava,drc}@cse.iitkgp.ernet.in
SPACE 2016
Hyderabad, India
SLIDE 2 Basic Idea: Guess And Determine
Determine part of the internal state by guessing; use this to reduce the state space of some other part.
◮ Exploits limited diffusion
◮ Build upon the guessing strategy to mount key-recovery or forgery
◮ Our motivation: use this strategy on Authenticated Encryption Schemes
◮ Demonstrated by Boura et al. in FSE 2016 on π-cipher
We look at the CAESAR submission PAEQ
SLIDE 3 Authenticated Encryption
Confidentiality + Authenticity
Two at the cost of One!
SLIDE 4 Preliminaries: Authenticated Encryption
◮ Conventionally,
  ◮ Encryption scheme → confidentiality
  ◮ Message Authentication Code (MAC) → authentication and message integrity
Authenticated Cipher
Tries to merge both these primitives, preferably at the cost of one.
◮ Many attempts to build AE schemes
◮ Serious attacks on OpenSSL and TLS exploiting AE!!!
◮ Lack of proper understanding of the problem
◮ Inspired the CAESAR competition
SLIDE 5 Preliminaries: CAESAR
CAESAR
Competition for Authenticated Encryption: Security, Applicability, and Robustness
◮ A multi-year competition announced in 2014
◮ Select final portfolio of AE schemes
  ◮ Possible standardization
◮ Benchmark: AES-GCM
◮ 57 accepted submissions
◮ Round 2 → 30 candidates
◮ Round 3 → 15 candidates (ongoing)
PAEQ was a Round 2 candidate at the time of this work
SLIDE 6 PAEQ Bio
PAEQ ↔ Parallelizable Authenticated Encryption based on Quadrupled AES
◮ Introduced by Biryukov and Khovratovich in ISC 2014
◮ Along with a new generic mode of operation, PPAE
  ◮ Parallelizable Permutation-based Authenticated Encryption
◮ And an AES-based permutation, AESQ
◮ Security level up to 128 bits and higher, equal to the key length
◮ Third-party cryptanalysis
  ◮ Fault attack - Saha and Roy Chowdhury (CHES 2016)
  ◮ Rebound attack - Bagheri et al. (ACISP 2016)
SLIDE 7 Different PAEQ variants
PAEQ            |Key|  |Nonce|  |Tag|  Security  Extra Features
Primary sets
paeq-64            64       64     64    64-bit
paeq-80            80       80     80    80-bit
paeq-128          128       96    128   128-bit
Secondary sets
paeq-64-t          64       64    512    64-bit  Quick Tag Update
paeq-64-tnm        64      128    512    64-bit  Nonce-misuse + Tag Update
paeq-128-t        128      128    512   128-bit  Quick Tag Update
paeq-128-tnm      128      256    512   128-bit  Nonce-misuse + Tag Update
paeq-192          192      128    128   128-bit
paeq-160          160      128    160   160-bit
paeq-256          256      128    128   128-bit
SLIDE 8 PAEQ Focus of Current Attack
PAEQ variants in focus: paeq-64, paeq-80, paeq-128, paeq-64-t
SLIDE 9 AESQ: The Internal Permutation
◮ Internal state size of 512 bits
◮ Comprises 4 sub-states of 128 bits each
◮ Sub-states correspond to the AES state matrix
SLIDE 10 Inside AESQ
[Figure: 4 Rounds of AESQ, drawn as 16 SB/SR/MC round-function boxes (4 sub-states × 4 rounds). Source: PAEQ submission document]
◮ Composition of 20 round functions
◮ Shuffle operation after every 2 rounds
  ◮ Basically a column permutation
◮ Round function almost similar to AES
  ◮ SubBytes
  ◮ ShiftRows
  ◮ MixColumns
  ◮ AddRoundConstants
SLIDE 11
PAEQ Encryption
SLIDE 12
PAEQ Authentication
SLIDE 13
PAEQ Handling Associated Data
SLIDE 14
PAEQ Final Tag Generation
SLIDE 15
PAEQ Focus of This Work
SLIDE 16 Input/Output of f: PAEQ Encryption (ith Branch)
◮ Look at the input of the permutation
◮ 3 out of 4 inputs known
◮ Also Pi ⊕ Ci gives partial
Note: We have to deal with partially specified states
Our Intuition
Can we guess part of the f output to recover the internal state?
SLIDE 17 Handling Partial States: Byte-Entropy
Notion of Byte-Entropy (E)
The number of unknown bytes in the state/sub-state
◮ Byte-Entropy
  ◮ Unchanged under SubBytes (β), ShiftRows (ρ), AddRoundConstants (α)
  ◮ Might increase under MixColumns (µ)
SLIDE 18
Some Observations on PAEQ
SLIDE 19
Observation 1
Look at first two rounds of AESQ
SLIDE 20 Observation 1: Limited Key Diffusion
◮ Recall: the round function works on individual substates
◮ Propagate permutation inputs forward for 2 rounds
◮ Key diffusion limited to the fourth substate
SLIDE 21
Observation 2
How far can we go forward from the input?
SLIDE 22
Observation 2 Propagate forward input of ith branch
SLIDE 23
Observation 2 Apply Shuffle
SLIDE 24
Observation 2 Apply SubBytes, ShiftRows
SLIDE 25
Observation 2: Three-Fourth Rule
Three-Fourth Rule
Three-fourths of every column is known before the MixColumns of Round 3
SLIDE 26
Observation 3
How far can one invert if one of the substates is known?
SLIDE 27
Observation 3 Propagate Backward
Assumption
Attacker has knowledge of a single substate after Rn
SLIDE 28
Observation 3 Invert Rn, Rn−1
Assumption
Attacker has knowledge of a single substate after Rn
SLIDE 29
Observation 3 Apply Inverse Shuffle
Assumption
Attacker has knowledge of a single substate after Rn
SLIDE 30
Observation 3 Invert Rn−2 and αn−3
Assumption
Attacker has knowledge of a single substate after Rn
SLIDE 31
Observation 3: One-Fourth Inversion
Implication
Using one substate, one can invert up to the state after the Rn−3 MixColumns
One-Fourth Inversion
One-fourth of every column is known after inversion
SLIDE 32
Meet-in-the-middle
When do Observations 2 and 3 converge?
SLIDE 33 Meet-in-the-middle
Theorem (Meet-in-the-middle)
For n = 6, the Three-fourth Rule and One-Fourth Inversion strategy converge at the input and output of µ3 respectively which results in a unique solution for input of µ3.
◮ Main result used in all attacks here
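An added example (not code from the slides or the PAEQ authors) that models the two ideas just stated: the Byte-Entropy bookkeeping of Slide 17 (unchanged under ShiftRows, possibly growing under MixColumns) and the single-column meet-in-the-middle behind the theorem, where three known input bytes of µ and one known output byte pin down the missing input byte. It uses the standard AES MixColumns matrix and brute-forces the 256 candidates to show exactly one survives; the column bytes are constructed sample values.

```python
# Added example (not from the slides): Byte-Entropy bookkeeping and the
# one-column meet-in-the-middle behind the MITM theorem, via AES MixColumns.
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # AES MixColumns matrix

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def mix_column(col):
    """AES MixColumns (mu) on one 4-byte column."""
    return [gf_mul(MC[i][0], col[0]) ^ gf_mul(MC[i][1], col[1]) ^
            gf_mul(MC[i][2], col[2]) ^ gf_mul(MC[i][3], col[3]) for i in range(4)]

def byte_entropy(known):
    """Byte-Entropy E: number of unknown bytes; known is a 4x4 matrix of bools."""
    return sum(not k for row in known for k in row)

def shift_rows(known):
    """ShiftRows (rho) only moves bytes (row r rotates left by r): E is unchanged."""
    return [known[r][r:] + known[r][:r] for r in range(4)]

def mix_columns_known(known):
    """After mu a column is known only if all four input bytes were known, so E can grow."""
    full = [all(known[r][c] for r in range(4)) for c in range(4)]
    return [list(full) for _ in range(4)]

def solve_column(col_in, col_out):
    """Meet in the middle on one column of mu: col_in has one None (Three-Fourth Rule
    side), col_out has one known byte (One-Fourth Inversion side). Returns all
    byte values for the unknown input consistent with both; expect exactly one."""
    u = col_in.index(None)
    k = next(i for i, v in enumerate(col_out) if v is not None)
    cands = []
    for x in range(256):
        if mix_column(col_in[:u] + [x] + col_in[u + 1:])[k] == col_out[k]:
            cands.append(x)
    return cands  # unique because every MC coefficient is non-zero in GF(2^8)

if __name__ == "__main__":
    col = [0x2D, 0x26, 0x31, 0x4C]; out = mix_column(col)  # constructed column
    print(solve_column(col[:3] + [None], [None, None, out[2], None]))  # [76]
```

The same uniqueness holds for any choice of which input byte is missing and which output byte is known, which is what lets the theorem apply column by column across the whole state.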
SLIDE 34 Gain: (G)uess (A)nd (In)vert
Key Recovery Attacks
SLIDE 35 Gain
Primary Aim
How can we make the assumption in One-Fourth Inversion true from the observable part of the output?
◮ Recall: at least one substate in the output of Round 6 must be known/determined
Strategy
◮ Identify which bytes to guess
◮ Combine Guess-and-Invert steps
SLIDE 36
Note What Attacker Actually Observes
SLIDE 37
6 - Round Attack
Just Guess and Invert
SLIDE 38 Guess and Invert: Gain - 6 Rounds
◮ Guess the substate with minimum Byte-Entropy
◮ Invert and apply the MITM Theorem
◮ Recover internal state ⇒ Key Recovery
◮ Complexity?
SLIDE 39
7 - Round Attack
Invert last round first
SLIDE 40 Invert-Guess-Invert: Gain - 7 Rounds
◮ Invert last round first
◮ Note: uniform Byte-Entropy for each PAEQ variant
◮ Next apply the 6-round attack
◮ Complexity?
SLIDE 41
8 - Round Attack
Guess, invert and repeat
SLIDE 42 Guess-Invert-Guess-Invert: Gain - 8 Rounds
◮ Note: the last Shuffle has to be dropped for this to work
◮ Guess first, then invert
◮ We get the same Byte-Entropy for all PAEQ variants
◮ Next apply the 6-round attack
◮ Complexity?
SLIDE 43
Complexities: Gain
PAEQ Gain Complexities
Variant    Security Level  6 Rounds  7 Rounds  8 Rounds
paeq-64    64-bit          1         2^24      2^48
paeq-80    80-bit          2^16      2^32      2^48
paeq-128   128-bit         2^32      2^40      2^48
SLIDE 44 Epilogue: Gain
◮ Made some interesting observations on PAEQ
◮ Developed a meet-in-the-middle scenario using them
◮ Devised guess-and-determine strategies to satisfy the scenario
◮ Got key recovery for up to 8 out of 20 rounds
◮ Practical complexities
◮ Current strategy cannot be extended beyond 8 rounds
◮ No other key-recovery attacks known
News: 15th Aug 2016
PAEQ did not make it to Round 3!!!
SLIDE 45
Thanks!
Queries crypto@dhimans.in