Energy-optimized Symmetric Cryptography by Algebraic Duality Analysis

Periodic Reporting for period 4 - ESCADA (Energy-optimized Symmetric Cryptography by Algebraic Duality Analysis)

Reporting period: 2023-04-01 to 2024-09-30

The main scientific contribution of this project will be a breakthrough in the understanding of cryptanalytic and side-channel attacks on symmetric cryptosystems. The main real-world impact is that we will build cryptosystems that are much more efficient than those used today while having the same strength. Depending on the platform, higher efficiency translates to lower energy/power (in-body sensors, contactless payment cards etc.), but also lower latency (authentication for, e.g., car brakes or airbags) and/or lower heat dissipation (on-the-fly encryption of high-bandwidth data streams). In a software implementation it simply means fewer CPU cycles per byte.
We build our cryptosystems as modes based on constructions that in turn use permutations or block ciphers. For these primitives we adopt the classical technique of iterating a simple round function (more rounds means more security but less efficiency). We focus on round functions of algebraic degree 2. Their relative simplicity will allow a unification of all cryptanalytic attacks that exploit the propagation of affine varieties and polynomial ideals (their dual) through the rounds, and will allow us to precisely estimate their success rates. Moreover, we will design modes that strongly restrict the exposure of the primitive(s) to attackers and that permit mathematically sound security reductions to specific properties of the underlying primitive(s). In comparison to the classical pseudorandom and ideal permutation models, this will allow reducing the number of rounds while preserving security with high assurance. We will also study side-channel attacks on our round functions and ways to defend against them.
(1) New techniques and software for trail search.
First we refactored and cleaned up the existing code for generating trail bounds for Xoodoo, introducing unambiguous terminology. Then we generalized the code to Xoodoo variants with a different linear layer. Subsequently we addressed differential trail search for the Subterranean permutation and its variant Koala, and both linear and differential trail search for the Ascon permutation (providing the best trail bounds to date). These require different approaches, due to the big-circle chi non-linear layer on the one hand and the different linear layer on the other. Results that use insights related to Xoodoo are published in [9] and the results on Subterranean are reported in [13].
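The trail-search work above, and the choice of degree-2 round functions in the project description, both rest on one property of chi: because it has algebraic degree 2, the derivative chi(a) XOR chi(a XOR delta) is affine in a, so the output differences compatible with an input difference delta form an affine space in which every member has the same probability 2^-w, and w (the restriction weight) is what a trail search adds up over the rounds. The script below is an added example, not code from the ESCADA project or its tools: it brute-forces one chi circle of configurable width n (5 is the Keccak-f row, 3 the Xoodoo column; Subterranean's 257-bit circle is out of reach for brute force and is only described by the same formula) and checks that property.

```python
"""Differential propagation through chi on a small circle.

Added example (not ESCADA project code). chi is the degree-2 nonlinear layer
shared by Keccak-f, Xoodoo and Subterranean:
    b_i = a_i XOR ((NOT a_{i+1}) AND a_{i+2}),  indices mod n.
For a degree-2 map the derivative chi(a) + chi(a + delta) is affine in a, so the
compatible output differences form an affine space and all have probability
2^-w. The width n is a parameter; the default 5 is the Keccak-f row."""

from collections import Counter
from math import log2


def chi(a, n=5):
    """chi on an n-bit circle, state encoded as an int with bit i = a_i."""
    def bit(v, i):
        return (v >> (i % n)) & 1
    b = 0
    for i in range(n):
        b |= (bit(a, i) ^ ((bit(a, i + 1) ^ 1) & bit(a, i + 2))) << i
    return b


def output_difference_counts(delta_in, n=5):
    """For each output difference, how many of the 2^n inputs a produce it."""
    counts = Counter()
    for a in range(1 << n):
        counts[chi(a, n) ^ chi(a ^ delta_in, n)] += 1
    return counts


def is_affine_space(points):
    """True if the set of bit vectors is a coset of an F2-linear subspace."""
    points = list(points)
    base = points[0]
    lin = {p ^ base for p in points}          # translate so that 0 is included
    return all((u ^ v) in lin for u in lin for v in lin)


def restriction_weight(delta_in, n=5):
    """w such that every compatible output difference has probability 2^-w.

    Returns None if the compatible outputs are not equiprobable, which the
    degree-2 argument says cannot happen for chi."""
    counts = output_difference_counts(delta_in, n)
    if len(set(counts.values())) != 1:
        return None
    return n - int(log2(next(iter(counts.values()))))


if __name__ == "__main__":
    # constructed sample input differences on the 5-bit (Keccak-f row) circle
    for delta in (0b00001, 0b00011, 0b11111):
        compat = output_difference_counts(delta)
        print(f"delta_in={delta:05b}: {len(compat)} compatible outputs, "
              f"weight={restriction_weight(delta)}, affine={is_affine_space(compat)}")
```

Running it reproduces the well-known single-circle weights (a single active bit costs weight 2, two adjacent active bits weight 3, an all-ones row weight 4) and confirms the affine-space property for every input difference; a trail-search tool needs exactly these per-circle weights and compatible-output sets, and the search over rounds is then driven by the linear layer.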

(2) Investigation of interaction between the linear and non-linear layer in round functions, especially related to alignment.
We defined histogram-based interaction metrics, derived their implications for trail clustering, for the key-dependence of differential trail probability and for the effectiveness of linear-layer computations, and verified these experimentally for 4 representative ciphers. We report on this work in [12].

(3) Investigation of the security of keyed hashing.
We built a framework for describing and reasoning about the collision resistance of keyed hashing for the two common constructions using fixed-length functions: serial and parallel. We express collision resistance as a function of the differential probabilities of the underlying fixed-length functions. The most important results in this context were published in [15] and [17].

(4) Definition of the low-energy cipher suite Subterranean 2.0.
For the NIST lightweight cryptography competition we defined a cipher suite aimed at low energy, combining a round function and a construction in a novel way. It has the best energy efficiency of all candidates according to third-party benchmarks. We report on this work in [13] and on further investigations in [28].

(5) Investigation of summing attacks.
In a first phase we built the framework for the description and analysis of these attacks, connecting to the relevant areas of discrete mathematics. In a second phase we experimentally conducted the attack on a novel function called Koala. We report on this work in [46].

(6) Investigation of the expansion phase of the Farfalle-based deck function Xoofff.
We conducted this investigation as a first study of the interaction between the rolling function and the permutation in Farfalle, leading to new insights on how to co-design them. This work is published in [10].

(7) Definition of deck function Ciminion and encryption scheme Friet.
Modern applications require functions working over large finite fields. Other use cases benefit from encryption schemes that offer resistance against fault attacks. For both use cases we carried out the design exercise, resulting in Ciminion and Friet, each with a simple round function of algebraic degree 2. We subjected these functions to the analysis defined in the work packages (WPs) of the ESCADA project. Ciminion has been published in [11] and Friet in [6].

(8) Definition of circuit abstraction model to reason about resistance against differential power analysis.
We defined an abstraction model between the specification and implementation levels for describing resistance against DPA. We report on this in a paper where we also address fault attacks, namely [7]. Work performed on first-order DPA at the beginning of the project was finally published in [44].

(9) Definition of symmetry classes in Xoodoo and AES and partial state-diagram construction of the round functions.
We undertook this to understand invariant subset attacks. We have substantial material but still lack the explanation of some observed phenomena. This is still work in progress.

(10) Investigation of order and invertibility of linear mappings with high degree of symmetry.
This work allows answering many questions, e.g. whether 1+x+y is invertible in the ring K[x,y] mod (1+x^n, 1+y^n) for a given finite field K and a given n, and what its multiplicative order is. We report on this work in [41] and [45].
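The question above can be settled by brute force for small n, which also shows why it is non-trivial: multiplication by 1+x+y in F2[x,y]/(1+x^n, 1+y^n) is a linear map on an n^2-dimensional F2 space with a lot of symmetry (it commutes with the cyclic shifts in x and y), and its invertibility and order depend on n in an arithmetic way. The script is an added example, not code from [41] or [45]: elements are stored as the set of exponent pairs (i, j) whose monomial x^i y^j has coefficient 1, multiplication is 2-D cyclic convolution over F2, invertibility is a rank test over F2 and the order is found by repeated multiplication. The search cap `limit` is a constructed choice for this example.

```python
"""Order and invertibility of multiplication by a polynomial in
R_n = F2[x, y] / (1 + x^n, 1 + y^n).

Added example, not the project's own code. An element is a frozenset of
exponent pairs (i, j): the monomials x^i y^j with coefficient 1 in F2."""


def mul(a, b, n):
    """Product in R_n: 2-D cyclic convolution; a monomial hit twice cancels (XOR)."""
    out = set()
    for i1, j1 in a:
        for i2, j2 in b:
            out.symmetric_difference_update({((i1 + i2) % n, (j1 + j2) % n)})
    return frozenset(out)


def to_int(a, n):
    """Flatten an element to an n^2-bit vector, monomial x^i y^j at bit i*n + j."""
    v = 0
    for i, j in a:
        v |= 1 << (i * n + j)
    return v


def gf2_rank(vectors):
    """Rank over F2 of a list of bit vectors (Gaussian elimination on ints)."""
    pivots = {}                      # highest set bit -> row owning that pivot
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                break
            v ^= pivots[hb]
    return len(pivots)


def is_invertible(p, n):
    """p is a unit of R_n iff the linear map 'multiply by p' has full rank n^2."""
    cols = [to_int(mul(p, frozenset({(i, j)}), n), n)
            for i in range(n) for j in range(n)]
    return gf2_rank(cols) == n * n


def order(p, n, limit=4096):
    """Smallest k >= 1 with p^k = 1; None if p is not a unit or k exceeds limit
    (limit is a constructed bound for this example, not a mathematical one)."""
    if not is_invertible(p, n):
        return None
    one = frozenset({(0, 0)})
    q, k = p, 1
    while q != one:
        q = mul(q, p, n)
        k += 1
        if k > limit:
            return None
    return k


P = frozenset({(0, 0), (1, 0), (0, 1)})   # the polynomial 1 + x + y

if __name__ == "__main__":
    for n in range(2, 9):
        print(f"n={n}: invertible={is_invertible(P, n)}, order={order(P, n)}")
```

Two patterns are visible in the output and follow from the factorisation of 1+x^n over F2: for n a power of two, 1+x^n = (1+x)^n, the ring is local, 1+x+y is a unit and its order is exactly n (squaring is linear in characteristic 2, so (1+x+y)^(2^k) = 1 + x^(2^k) + y^(2^k)); for n divisible by 3, a primitive cube root of unity w of F4 appears as a root of 1+x^n, and the evaluation 1+w+w^2 = 0 shows 1+x+y is a zero divisor. The rank test finds both without any of that theory, which is what makes it a useful cross-check of a symbolic argument.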

(11) A considerable portfolio of round functions for permutations (and ciphers), complementing Keccak, Ascon and Xoodoo, by Subterranean 2.0 [13], its variant Koala [46], Gaston [14], Friet [6] and BipBip [22]. In the area of primitives operating over large finite fields, we proposed Ciminion [11], Pasta [34], Hydra [35] and Reinforced Concrete [40].

(12) We have proposed multiple primitive-aware constructions in the spirit of Xoofff [4], building a construction around a permutation such that the permutation's weaknesses are not exploitable. Prominent examples of this are Subterranean-XOF, -DECK and -SAE [13], the tweakable block cipher BipBip [22] and the PRF Koala [46].
(for the progress we refer to the answer to the previous question.)
The major results can be summarized in a number of items.

- A portfolio of permutation or transformation round functions addressing low energy and/or low latency, hardware-oriented and/or software-oriented. All have a strong mixing layer and a nonlinear layer of algebraic degree 2.
- A set of constructions to build deck functions using these permutations/transformations, where attacks on these constructions can be expressed in terms of propagation properties of the underlying permutations/transformations. We target parallel constructions for throughput and serial constructions for low resource requirements.
- Strong trail bounds for several round functions in our portfolio.
- Confirmation of the absence of significant clustering for Xoodoo, and tools to establish the same for the other functions.
- A clear understanding of the propagation properties of the round functions in our portfolio that are relevant in the constructions we envisage.
- A better understanding of the DPA and fault-attack resistance of our constructions and round functions.
ESCADA logo, created by Anna Guinet