
STRIBOB : Authenticated Encryption
from GOST R 34.11-2012 LPS or Whirlpool
Markku-Juhani O. Saarinen
mjos@item.ntnu.no
Norwegian University of Science and Technology
Directions in Authentication Ciphers '14
24 August 2014, Santa Barbara USA
1 / 19
STRIBOB Ideas
▶ Security bounds derived from Sponge Theory.
▶ Well-understood fundamental permutation: security reduction to Streebog or Whirlpool, with rounds increased 10 → 12. Recyclable hardware components.
  ▶ STRIBOBr1: Streebog LPS.
  ▶ STRIBOBr2d1: Streebog LPS.
  ▶ STRIBOBr2d2: Whirlpool LPS - "WhirlBob".
▶ Flexible, extensible domain separation with the BLNK Mode ["Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation", CT-RSA 2014.]
  ▶ "Explicit Domain Separation".
  ▶ Fully adjustable security parameters.
  ▶ MAC-then-continue / sessions, half-duplex protocols.
▶ Fairly conservative design.
History & Real World Crypto
[Picture: stewed beef, GOST 5284-84, "GOST Spam", a.k.a. Tushonka]
▶ 28147-89 Block Cipher (KGB, 1970s).
▶ R 34.11-94 was a hash (based on 28147-89) for R 34.10-94 signatures.
▶ Cryptanalysis by F. Mendel et al. (2008): $2^{105}$ collision, $2^{192}$ preimage.
▶ R 34.11-2012 "Streebog" hash algorithm proposed in 2009.
▶ Since January 1, 2013, the Russian Federation has mandated the use of R 34.11-2012 (with R 34.10-2012).
▶ The AES "monoculture" is not universally trusted in some parts of the world.
▶ STRIBOB builds a sponge AEAD algorithm from Streebog, which may be acceptable in those markets.
GOST R 34.11-2012 "Streebog"
Streebog is a (non-keyed) hash function that produces a 256-bit or 512-bit message digest for a bit string of arbitrary length.
Streebog is clearly AES- and Whirlpool-inspired. Intended for digital signatures (R 34.10-2012). Also used in HMAC mode.
Standard security claims:
▶ Collision resistance: finding $m_1$ and $m_2$ with $h(m_1) = h(m_2)$ requires $2^{n/2}$ effort.
▶ Pre-image resistance: finding $m$ for given $h$ in $h = H(m)$ requires $2^n$ effort.
▶ Second pre-image resistance: finding $m_2$ for given $m_1$ with $h(m_1) = h(m_2)$ requires $2^n / |m_2|$ effort.
Not a Sponge, but a Miyaguchi–Preneel-inspired construction:
$$h_i = E_{g(h_{i-1})}(m_i) \oplus h_{i-1} \oplus m_i .$$
GOST Streebog: Computing h(M)
[Figure: the padded message $M = m_0 \,|\, m_1 \,|\, m_2 \,|\, \cdots \,|\, m_n\,\mathrm{pad}$ is fed block by block through $g_0, g_{512}, g_{1024}, \ldots, g_{512n}$ starting from $h = 0$; two further $g_0$ calls absorb the total length $|M|$ and the "checksum" $\sum_{i=0}^{n} m_i \pmod{2^{512}}$ to give $h(M)$.]
The padded message M is processed in 512-bit blocks $M = m_0 \,|\, m_1 \,|\, \cdots \,|\, m_n$ by a compression function $h' = g_N(h, m_i)$.
The chaining variable h has 512 bits. N is the bit offset of the block.
There are finalization steps involving two invocations of g: first on the total bit length of M, and then on the checksum $\epsilon$, which is computed over all input blocks mod $2^{512}$.
Streebog: The Compression Function $g_N(h, m)$
[Figure: two parallel lines of twelve LPS blocks computing $h' = g_N(h, m)$. The upper line starts from h and N and has the constants $C_1, C_2, C_3, \ldots, C_{12}$ XORed in between LPS blocks, producing the round keys $K_1, K_2, K_3, \ldots, K_{12}$ (rounds 4, 5, ..., 11 elided in the figure). The lower line starts from m and has $K_i$ XORed in between LPS blocks.]
N: bit offset; h: chaining value; m: 512-bit message block.
The compression function is built from a 512 × 512-bit keyless permutation LPS and XOR operations. All data paths are 512 bits.
The 12 random round constants $C_i$ are given in the standard spec.
One can see the upper "line" (kinda) keying the lower line via $K_i$.
Streebog: LPS = L ∘ P ∘ S = L(P(S(x)))
[Figure: the 512-bit state as an 8 × 8 byte matrix, bytes numbered 0..63 column-wise (first row 0 8 16 24 32 40 48 56, second row 1 9 17 25 33 41 49 57, ..., last row 7 15 23 31 39 47 55 63). S: an 8 × 8-bit S-Box applied to each byte; P: byte transpose; L: a 64 × 64-bit matrix applied to each row.]
S: ("Substitution") An 8 × 8-bit S-Box applied to each one of the 64 bytes (8 × 64 = 512 bits).
P: ("Permutation") Transpose of the 8 × 8-byte matrix.
L: ("Linear") Mixing of rows with a 64 × 64 binary matrix.
[KaKa13] L is actually an 8 × 8 MDS matrix in $\mathrm{GF}(2^8)$.
vs. Sponge Construction for Hashing (SHA3)
▶ Built from a b-bit permutation f (π) with b = r + c
  ▶ r bits of rate, related to hashing speed
  ▶ c bits of capacity, related to security
▶ More general than a traditional hash: arbitrary-length output
vs. Sponge-based Authenticated Encryption Æ
[Figure: a chain of π calls on an r + c bit state starting from IV. Absorption phase: $d_0, d_\cdots$ are XORed into the rate. Encryption phase: $p_0, p_1, p_\cdots$ go in and $c_0, c_1, c_\cdots$ come out. Squeezing phase: $h_0, h_\cdots$ are read from the rate.]
1. Absorption. Key, nonce, and associated data ($d_i$) are mixed in.
2. Encryption. Plaintext $p_i$ is used to produce ciphertext $c_i$.
3. Squeezing. The authentication tag $h_i$ is squeezed from the state.
4. Why not use that final state as the IV for the reply and go straight to Step 2? (A feature called "sessions" in Ketje and Keyak.)
[Sa14a] BLNK mode defines "explicit domain separation" and applies it to build ultra-lightweight half-duplex protocols.
DuplexWrap (basic Sponge Æ Scheme) Bounds
Theorem
The DuplexWrap and BLNK authenticated encryption modes satisfy the following privacy and authentication security bounds:
$$\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{sbob}}(A) < (M + N)\,2^{-k} + \frac{M^2 + 4MN}{2^{c+1}}$$
$$\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{sbob}}(A) < (M + N)\,2^{-k} + \frac{M^2 + 4MN}{2^{c+1}}$$
against any single adversary A if $K \xleftarrow{\$} \{0, 1\}^k$, tags of $l \ge t$ bits are used, and π is a randomly chosen permutation. M is the data complexity (total number of blocks queried) and N is the time complexity (in equivalents of π).
Proof.
Theorem 4 of [KeyakV1]. See also [AnMePr10, BeDaPeAs11].
STRIBOB: Sponge Permutation π
For some vector of twelve 512-bit subkeys $C_i$ we define a 512-bit permutation $\pi_C(X_1) = X_{13}$ by the iteration
$$X_{i+1} = \mathrm{LPS}(X_i \oplus C_i) \quad \text{for } 1 \le i \le 12.$$
We adopt 12 rounds of LPS as the Sponge permutation with:
b: Permutation size b = r + c = 512, the LPS permutation size.
r: Rate r = 256 bits.
c: Capacity c = 256 bits.
As π satisfies the indistinguishability criteria, we may choose:
k: Key size k = 192 bits.
t: Authentication tag (MAC) size t = 128 bits.
Nonce (IV) size 128 bits.
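As an added illustration, and not the STRIBOB reference implementation or the BLNK specification, here is my own duplex-sponge AEAD with the parameters of this slide (b = 512, r = c = 256, k = 192, t = 128, a 128-bit nonce) and the absorb / encrypt / squeeze phases plus session continuation of the sponge Æ slide. The permutation follows the round structure $X_{i+1} = \mathrm{LPS}(X_i \oplus C_i)$, but the S-box, the row mixing and the round constants ROUND_CONST are stand-ins constructed for the example (the Streebog tables are not on the slides), so it provides no actual security; the domain values D_* and the (domain, length) control byte in the last rate byte are likewise my own encoding, not BLNK's.

```python
import hmac

# Sponge parameters from the slide: b = 512, r = c = 256 bits; k = 192, t = 128, nonce = 128 bits.
B, R = 64, 32
KEY_LEN, NONCE_LEN, TAG_LEN = 24, 16, 16
ROUNDS = 12
MASK64 = (1 << 64) - 1
CHUNK = R - 1                      # last byte of the rate carries a (domain, length) control byte
D_KEY, D_NONCE, D_AD, D_DATA, D_TAG = 1, 2, 3, 4, 5   # constructed domain values (not BLNK's)

# Constructed round constants: deterministic filler, NOT the C_i of GOST R 34.11-2012.
ROUND_CONST = [bytes(((i * B + j) * 0x9E + 0x17) & 0xFF for j in range(B)) for i in range(ROUNDS)]


def _lps(x: bytes) -> bytes:
    """Stand-in LPS with Streebog's shape: S bytewise, P = 8x8 byte transpose, L = per-row mixing."""
    s = [(v * 0x2D + 0x63) & 0xFF for v in x]              # S: affine byte bijection (0x2D is odd)
    p = [s[(i % 8) * 8 + i // 8] for i in range(B)]        # P: transpose of the 8x8 byte matrix
    out = bytearray()
    for r in range(8):                                     # L: invertible xorshift steps per 64-bit row
        row = int.from_bytes(bytes(p[8 * r:8 * r + 8]), "big")
        row ^= row >> 17
        row ^= (row << 31) & MASK64
        row ^= row >> 8
        out += row.to_bytes(8, "big")
    return bytes(out)


def pi(x: bytes) -> bytes:
    """pi_C: X_{i+1} = LPS(X_i xor C_i) for twelve rounds, with the stand-in constants above."""
    for c in ROUND_CONST:
        x = _lps(bytes(a ^ b for a, b in zip(x, c)))
    return x


def _chunks(data: bytes):
    # Split into rate-sized pieces; an empty field still produces one (empty) chunk.
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]


class Session:
    """Duplex-sponge AEAD; seal()/open() may be called repeatedly to continue a session."""

    def __init__(self, key: bytes, nonce: bytes):
        if len(key) != KEY_LEN or len(nonce) != NONCE_LEN:
            raise ValueError("key must be 24 bytes and nonce 16 bytes")
        self.state = bytearray(B)
        self._absorb(key, D_KEY)
        self._absorb(nonce, D_NONCE)

    def _duplex(self, block: bytes, domain: int) -> bytes:
        """XOR up to CHUNK bytes into the rate, stamp (domain, length) on the last rate byte, permute."""
        n = len(block)
        for i in range(n):
            self.state[i] ^= block[i]
        out = bytes(self.state[:n])          # for D_DATA this is plaintext xor keystream = ciphertext
        self.state[R - 1] ^= (domain << 5) | n
        self.state[:] = pi(bytes(self.state))
        return out

    def _absorb(self, data: bytes, domain: int) -> bytes:
        return b"".join(self._duplex(ch, domain) for ch in _chunks(data))

    def seal(self, ad: bytes, pt: bytes):
        """Absorb ad, encrypt pt, squeeze a tag; returns (ciphertext, tag)."""
        self._absorb(ad, D_AD)
        ct = self._absorb(pt, D_DATA)
        tag = bytes(self.state[:TAG_LEN])
        self._duplex(b"", D_TAG)             # separate the squeezed tag from any continuation
        return ct, tag

    def open(self, ad: bytes, ct: bytes, tag: bytes) -> bytes:
        """Mirror of seal(); plaintext is released only after the tag verifies."""
        self._absorb(ad, D_AD)
        pt = b""
        for ch in _chunks(ct):
            p = bytes(a ^ b for a, b in zip(ch, self.state[:len(ch)]))
            self._duplex(p, D_DATA)          # XORing p back in leaves the ciphertext in the rate, as in seal()
            pt += p
        expected = bytes(self.state[:TAG_LEN])
        self._duplex(b"", D_TAG)
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed")
        return pt


if __name__ == "__main__":
    key, nonce = bytes(range(KEY_LEN)), bytes(range(NONCE_LEN))   # constructed sample key and nonce
    ct, tag = Session(key, nonce).seal(b"header", b"constructed sample plaintext")
    print(ct.hex(), tag.hex())
    print(Session(key, nonce).open(b"header", ct, tag))
```

Calling seal() a second time on the same Session object is the "sessions" idea: the reply continues from the state left after the tag, so the receiver must open the messages in the same order. The duplex step XORs plaintext into the rate, which is exactly why the rate then holds the ciphertext and the decryptor can recover the same state from ciphertext alone; the tag comparison is constant-time and the plaintext is not returned on failure.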
Easy Security Reduction
Theorem
If $\pi_C(x)$ can be effectively distinguished from a random permutation for some $C_i$, so can $g_N(h, x)$ for any h and N.
Proof.
If h is known, so are all of the subkeys $K_i$, as those are a function of h alone. We have the equivalence
$$g_N(h, x) \oplus x \oplus h = \pi_K(x \oplus N).$$
Assuming that the round constants $C_i$ offer no advantage over known round keys $K_i$, $\pi_C$ is as secure as $\pi_K$ and any distinguisher should have the same complexity.
We see that a generic powerful attack against π is also an attack on g.
A distinguishing attack against g does not imply a collision attack against Streebog as a whole.
Security Reduction Explained
STRIBOB: Just replace C with K in π: $x' = \pi_K(x)$
[Figure: x passes through twelve LPS blocks with $K_1, K_2, K_3, \ldots, K_{12}$ XORed in before each, giving x'.]
Streebog: We have $g_N(h, x) \oplus x \oplus h = \pi_K(x \oplus N)$:
[Figure: the compression function $h' = g_N(h, m)$ drawn as on the earlier slide: the upper line from h and N with constants $C_1, C_2, C_3, \ldots, C_{12}$ produces the keys $K_1, K_2, K_3, \ldots, K_{12}$ (rounds 4, 5, ..., 11 elided), which key the lower line from m through the LPS blocks.]
WHIRLBOB Variant (STRIBOBr2d2)
Whirlpool is a NESSIE final portfolio algorithm and an ISO standard. If STRIBOB is accepted to R2, we will add a variant which is more directly based on Whirlpool [RiBa00] v3.0 [RiBa03].
▶ STRIBOBr1
▶ STRIBOBr2d1 = STRIBOBr1
▶ STRIBOBr2d2 a.k.a. WHIRLBOB
[Figure: the Whirlpool S-Box S composed from the smaller components $E^{-1}$, E and R.]
The S-Box structure saves hardware gates and makes bitslicing faster.
The current constant-time (timing attack resistant) bitsliced version runs at about 35 % of the speed of the table-lookup-based implementation.
STRIBOB Software Performance
STRIBOB requires 12 LPS invocations per 256 bits processed, whereas Streebog requires 25 LPS invocations per 512 bits: STRIBOB is faster. Also the runtime memory requirement is cut down to 25 %. WHIRLBOB performance is equal to STRIBOB.
Implementation techniques are similar to AES. 64-bit "rows" are better suited for 64-bit architectures (AES is from the 90s, the 32-bit era).
Algorithm                  Throughput
AES - 128 / 192 / 256      109.2 / 90.9 / 77.9 MB/s
SHA - 256 / 512            212.7 / 328.3 MB/s
GOST 28147-89              53.3 MB/s
GOST R 34.11-1994          20.8 MB/s
GOST R 34.11-2012          109.4 MB/s
STRIBOB                    115.7 MB/s
( bitsliced WHIRLBOB )     > 40 MB/s -- w. current S-Boxes
..as measured on my few-years-old Core i7 @ 2.80.
Briefly about FPGA Implementations
Total logic on Xilinx Artix-7: WHIRLBOB 4,946, Keyak 7,972.
Report on these and a proposal for a CAESAR HW/SW API: "Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor", ePrint 2014/575.
[Quote image: Mikko Hypponen, CRO of F-Secure, 29 Apr 2014.]
▶ Implementation of secure links over TCP using the BLNK protocol. Can be used as a secure replacement for netcat.
▶ File encryption and decryption using an authenticated chunked file format; you can efficiently encrypt a backup stream up to terabytes in size.
▶ Hashing of files and streams. StriCat can also do 256- and 512-bit standard-compliant GOST Streebog hashes.
▶ Portable, self-contained, open source, POSIX compliant, relatively small (a couple of thousand lines).
Originally written to debug real-world BLNK..
$ ./stricat -h
stricat: STRIBOB / Streebog Cryptographic Tool.
(c) 2013-4 Markku-Juhani O. Saarinen <mjos@iki.fi>. See LICENSE.
stricat [OPTION].. [FILE]..
  -h         This help text
  -t         Quick self-test and version information
Shared secret key (use twice to verify):
  -q         Prompt for key
  -f <file>  Use file as a key
  -k <key>   Specify key on command line
Files:
  -e         Encrypt stdin or files (add .sb1 suffix)
  -d         Decrypt stdin or files (must have .sb1 suffix)
  -s         Hash stdin or files in STRIBOB BNLK mode (optionally keyed)
  -g         GOST R 34.11-2012 unkeyed Streebog hash with 256-bit output
  -G         GOST R 34.11-2012 unkeyed Streebog hash with 512-bit output
Communication via BLNK protocol:
  -p <port>  Specify TCP port (default 48879)
  -c <host>  Connect to a specific host (client)
  -l         Listen to incoming connection (server)
http://www.stribob.com/stricat
References
[Sa14a] "Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation", CT-RSA 2014, IACR ePrint 2013/772.
[Sa14b] "STRIBOB: Authenticated Encryption from GOST R 34.11-2012 LPS Permutation (Extended Abstract)", CTCrypt '14, IACR ePrint 2014/271.
[Sa14c] "Lighter, Faster, and Constant-Time: WHIRLBOB, the Whirlpool variant of STRIBOB", submitted for publication, IACR ePrint 2014/501.
[Sa14d] "Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor", submitted for publication, IACR ePrint 2014/575.
http://www.stribob.com http://www.mjos.fi