The SKINNY Family of Lightweight Tweakable Block Ciphers
Jérémy Jean
Joint work with: Christof Beierle, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, Siang Meng Sim
Université de Rennes 1 - Crypto Seminar, June 3, 2016

Plan
  1 Introduction
  2 Specifications
  3 Rationale
  4 Security Analysis
  5 Implementations
  6 MANTIS
  7 Conclusion

Block Cipher Primitive
[Figure: block cipher $E$ with inputs $k \in K$ and $m \in M$, and output $c \in M$]
Three variables:
  A secret key $k$ from the set of all keys $K$
  A plaintext $m$ from the set $M$
  Its corresponding ciphertext: $c = E_k(m)$
Properties:
  For every key $k$, $E_k$ is a permutation over $M$
  For a fixed unknown key $k$ and a given set $\{(m_i, E_k(m_i))\}$, recovering $k$ should be hard
  For $k \xleftarrow{\$} K$ drawn uniformly at random from $K$, $E_k$ should be indistinguishable from a random permutation

Tweakable Block Cipher Primitive
[Figure: tweakable block cipher $E$ with inputs $k \in K$, $t \in T$ and $m \in M$, and output $c \in M$]
Four variables:
  A secret key $k$ from the set of all keys $K$
  A tweak input $t$ from the set of all tweaks $T$
  A plaintext $m$ from the set $M$
  Its corresponding ciphertext: $c = E_k^t(m)$
Properties:
  For every key $k$ and every tweak $t$, $E_k^t$ is a permutation over $M$

Tweakable Block Cipher
A tweakable block cipher has many applications:
  Authenticated encryption
  Disk/memory encryption
  Hashing: block counter as tweak for HAIFA-like CF
There have been many proposed constructions:
  Most of them rely on a block cipher and introduce the tweak generically (XEX, XTS, etc.)
  Very few direct constructions: Hasty Pudding Cipher, Threefish, BLAKE2
  TWEAKEY framework [JNP14]: from the designer's point of view, it seems that key and tweak have to be handled in the same way by the primitive, with a "tweakey schedule"

TWEAKEY Framework [JNP14]
High-Level Overview
  Bring key and tweak schedules together
  Extend key-alternating strategy
  Fully linear scheduling ($h'$: cell permutation)
  Provide bounds in terms of number of active Sboxes in related-key/related-tweak
  Trick: linear code due to small field multiplications (2 and 4) to bound the number of cancellations in the XORs
  This allows the usage of automated tools to find bounds
Example of the TK3 construction: $|KT| = |K| + |T| = 3|P|$
[Figure: TK3 construction. Labels: $KT$, $h'$, multiplications by 2 and 4, XOR, constants $C_0, C_1, C_2, \ldots, C_{r-1}, C_r$, round function $f$, $P = s_0$, $s_r = C$]

SKINNY: Specifications
Specifications
  SKINNY has a state of either 64 bits ($s = 4$) or 128 bits ($s = 8$).
  Internal state $IS$: viewed as a $4 \times 4$ matrix of $s$-bit elements $\Rightarrow |IS| = n = 16s \in \{64, 128\}$.
  The tweakey size can be $n$, $2n$ or $3n$.
$$IS = \begin{bmatrix}
m_0 & m_1 & m_2 & m_3 \\
m_4 & m_5 & m_6 & m_7 \\
m_8 & m_9 & m_{10} & m_{11} \\
m_{12} & m_{13} & m_{14} & m_{15}
\end{bmatrix}$$
Number of Rounds
  Block size n    Tweakey size n    Tweakey size 2n    Tweakey size 3n
  64              32                36                 40
  128             40                48                 56
Comparison: SKINNY-64-128 has 36 rounds, SIMON-64-128 has 44 rounds.

SKINNY: Specifications
General Overview
SKINNY follows the TWEAKEY framework, however:
  It generalizes the STK construction (three tweakey words $TK_i$)
  Only half the tweakey state is extracted and injected in the internal state
  The field multiplications are replaced by an LFSR
  The round function $f$ is an AES-like SPN
  The round constants $C_i$ are produced by an LFSR
STK Construction
[Figure: STK construction. Labels: $KT$, $h'$, multiplications by 2 and 4, XOR, constants $C_0, C_1, C_2, \ldots, C_{r-1}, C_r$, round function $f$, $P = s_0$, $s_r = C$]

Round Function
AES-like Round Function
  SubCells (SC): Application of an s-bit Sbox to all 16 cells
  AddConstants (AC): Inject round constants in the state
  AddRoundTweakey (ART): Extract and inject the subtweakeys to half the state
  ShiftRows (SR): Right-rotate line i by i positions
  MixColumns (MC): Multiply the state by a binary matrix
[Figure: one round: SC, AC, ART, ShiftRows (rows rotated by >>> 1, >>> 2, >>> 3), MC]

4-bit Sbox
[Figure: circuit of $S_4$, bits from MSB to LSB]
4-bit Sbox for SKINNY-64-
  Almost PICCOLO Sbox [SIH+11]
  Implementation: 4 NOR and 4 XOR
  Hardware cost: 12 GE
Properties
  Maximal diff. probability: $2^{-2}$
  Maximal abs. linear bias: $2^{-2}$
  $\deg(S_4) = \deg(S_4^{-1}) = 3$
  One fixed point: $S_4(\texttt{0xF}) = \texttt{0xF}$
  Branch number: 2

8-bit Sbox
[Figure: circuit of $S_8$, bits from MSB to LSB]
8-bit Sbox for SKINNY-128-
  Generalize the $S_4$ construction
  Implementation: 8 NOR and 8 XOR
  Hardware cost: 24 GE
Properties
  Maximal diff. probability: $2^{-2}$
  Maximal abs. linear bias: $2^{-2}$
  $\deg(S_8) = \deg(S_8^{-1}) = 6$
  One fixed point: $S_8(\texttt{0xFF}) = \texttt{0xFF}$
  Branch number: 2

Round Constants
[Figure: 6-bit LFSR with cells rc5, rc4, rc3, rc2, rc1, rc0 and a constant 1]
6-bit LFSR
  The round constants are produced with an LFSR
  State: $(rc_5 \| rc_4 \| rc_3 \| rc_2 \| rc_1 \| rc_0)$
  Initial value 0, clocked before injection
  Hardware cost: 1 XNOR
$s = 4$:
$$\begin{bmatrix}
rc_3 \| rc_2 \| rc_1 \| rc_0 & 0 & 0 & 0 \\
0 \| 0 \| rc_5 \| rc_4 & 0 & 0 & 0 \\
\texttt{0x2} & 0 & 0 & 0 \\
0 & 0 & 0 & 0
\end{bmatrix}$$
$s = 8$:
$$\begin{bmatrix}
0 \| 0 \| 0 \| 0 \| rc_3 \| rc_2 \| rc_1 \| rc_0 & 0 & 0 & 0 \\
0 \| 0 \| 0 \| 0 \| 0 \| 0 \| rc_5 \| rc_4 & 0 & 0 & 0 \\
\texttt{0x2} & 0 & 0 & 0 \\
0 & 0 & 0 & 0
\end{bmatrix}$$
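The round-constant generation described on this slide, as an added example that is not part of the original slides. The feedback bit (rc5 XOR rc4 XOR 1, i.e. one XNOR) is taken from the SKINNY specification, since the slide only shows it as a figure; the function names are illustrative.

```python
# Added example (not from the slides): SKINNY round constants and AddConstants.
# Assumption: feedback bit rc5 XOR rc4 XOR 1, as given in the SKINNY specification.

def next_rc(rc):
    """Clock the 6-bit LFSR once: shift left, insert rc5 XNOR rc4 as new rc0."""
    rc5 = (rc >> 5) & 1
    rc4 = (rc >> 4) & 1
    return ((rc << 1) & 0x3F) | (rc5 ^ rc4 ^ 1)

def round_constants(rounds):
    """Constants for the given number of rounds.

    The register starts at 0 and is clocked before each injection,
    so the first injected value is already non-zero.
    """
    rc, out = 0, []
    for _ in range(rounds):
        rc = next_rc(rc)
        out.append(rc)
    return out

def add_constants_matrix(rc):
    """4x4 matrix XORed into the state; only the first column is non-zero.

    The cell values are the same for s = 4 and s = 8: in the 8-bit case
    the two constants are simply zero-padded to a full cell.
    """
    c0 = rc & 0xF          # rc3 || rc2 || rc1 || rc0
    c1 = (rc >> 4) & 0x3   # 0 || 0 || rc5 || rc4
    c2 = 0x2               # fixed constant in the third row
    return [[c0, 0, 0, 0], [c1, 0, 0, 0], [c2, 0, 0, 0], [0, 0, 0, 0]]

def add_constants(state, rc):
    """XOR the constant matrix into a 4x4 state given as a list of rows."""
    m = add_constants_matrix(rc)
    return [[state[r][c] ^ m[r][c] for c in range(4)] for r in range(4)]

if __name__ == "__main__":
    print([hex(v) for v in round_constants(8)])
```

With an XNOR feedback the lock-up state is all ones rather than all zeros, which is why an initial value of 0 is usable.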

Add Round Tweakey and TWEAKEY schedule
[Figure: tweakey words updated by $P_T$ and LFSRs; extracted 8s-bit subtweakey]
TWEAKEY Schedule
  Similar to the STK construction
  Subtweakey: first and second rows of all tweakey words are injected in the internal state
  Then, the tweakey words $TK_2$ and $TK_3$ are updated independently:
    The cells are reordered with a permutation $P_T$
    Each cell is individually updated with an LFSR
$P_T$: (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15) -> (9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7)
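An added example (not from the slides) that tracks the cells of one tweakey word under the permutation above, to show which cells reach the state in each round. It assumes the indexing convention TK[i] <- TK[PT[i]] of the SKINNY specification and leaves out the per-cell LFSRs, which change cell values but not positions; function names are illustrative.

```python
# Added example (not from the slides): cell positions under the tweakey permutation.
# Assumption: cells are updated as TK[i] <- TK[PT[i]] (SKINNY specification).

PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]

def permute(tk):
    """Apply the cell permutation to a 16-cell tweakey word (row-major list)."""
    return [tk[PT[i]] for i in range(16)]

def add_round_tweakey(state, tk):
    """XOR the first two rows of the tweakey word (cells 0..7) into the state."""
    return [c ^ tk[i] if i < 8 else c for i, c in enumerate(state)]

def injected_cells(rounds):
    """For each round, list the original cell indices sitting in rows 0 and 1."""
    tk = list(range(16))          # label every cell with its initial position
    per_round = []
    for _ in range(rounds):
        per_round.append(tk[:8])  # these cells are extracted as the subtweakey
        tk = permute(tk)
    return per_round

def permutation_order():
    """Number of applications of the permutation needed to return to the start."""
    identity = list(range(16))
    tk, n = permute(identity), 1
    while tk != identity:
        tk, n = permute(tk), n + 1
    return n

if __name__ == "__main__":
    for r, cells in enumerate(injected_cells(4)):
        print("round", r, "injects original cells", cells)
    print("order of the permutation:", permutation_order())
```

The output shows the two halves of the tweakey word alternating: every cell is injected exactly once every two rounds.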

Add Round Tweakey and TWEAKEY schedule
[Figures: LFSR for TK2 when s = 4 (bits x3 x2 x1 x0); LFSR for TK3 when s = 4 (bits x3 x2 x1 x0); LFSR for TK2 when s = 8 (bits x7 x6 x5 x4 x3 x2 x1 x0); LFSR for TK3 when s = 8 (bits x7 x6 x5 x4 x3 x2 x1 x0)]

ShiftRows
[Figure: round function with ShiftRows rotating the rows by >>> 1, >>> 2, >>> 3]
  Similar to the ShiftRows in the AES
  However, the lines are rotated to the right

MixColumns
  Matrix multiplication performed as in the MixColumns of the AES
  However:
    The matrix $M$ is binary
    It has branch number 2: $M \cdot (0, \alpha, 0, 0)^\top = (0, 0, \alpha, 0)^\top$
$$M = \begin{pmatrix}
1 & 0 & 1 & 1 \\
1 & 0 & 0 & 0 \\
0 & 1 & 1 & 0 \\
1 & 0 & 1 & 0
\end{pmatrix}$$
Implementation: using 3 XORs
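An added example (not from the slides) of the linear layer described on the ShiftRows and MixColumns slides: the right rotation of the rows, the 3-XOR column mixing checked against the matrix M, and an exhaustive check of the branch number for 4-bit cells. Function names are illustrative.

```python
# Added example (not from the slides): SKINNY ShiftRows and MixColumns.
from itertools import product

M = [[1, 0, 1, 1],
     [1, 0, 0, 0],
     [0, 1, 1, 0],
     [1, 0, 1, 0]]

def shift_rows(state):
    """Rotate row i of a 4x4 state (list of rows) to the right by i cells."""
    return [row[-i:] + row[:-i] if i else row[:] for i, row in enumerate(state)]

def mix_column(x0, x1, x2, x3):
    """Multiply one column by M using exactly three cell XORs."""
    t = x0 ^ x2                     # XOR 1, reused for two output cells
    return (t ^ x3, x0, x1 ^ x2, t)  # XOR 2 and XOR 3

def mix_column_matrix(col):
    """Reference version: explicit multiplication by the binary matrix M."""
    out = []
    for row in M:
        acc = 0
        for bit, cell in zip(row, col):
            if bit:
                acc ^= cell
        out.append(acc)
    return tuple(out)

def inv_mix_column(y0, y1, y2, y3):
    """Inverse of mix_column, derived by solving the four equations."""
    x2 = y1 ^ y3
    return (y1, y2 ^ x2, x2, y0 ^ y3)

def branch_number(s=4):
    """Minimum number of non-zero cells in (column, M * column), column != 0."""
    best = 8
    for col in product(range(1 << s), repeat=4):
        if any(col):
            active = sum(c != 0 for c in col) + sum(c != 0 for c in mix_column(*col))
            best = min(best, active)
    return best

if __name__ == "__main__":
    print(mix_column(0, 0xA, 0, 0), branch_number())
```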

Rationale
General Goals
  Cipher well-suited for most lightweight applications
  Efficient hardware implementation
  Do not waste any operations: only keep vital components
  Removing any operation from SKINNY results in an insecure cipher
  Good micro-controller performance as second criterion
Hardware Area Estimation
  NOR/NAND gate: 1 GE
  OR/AND gate: 1.33 GE
  XOR/XNOR gate: 2.67 GE
  NOT gate: 0.67 GE
  One memory bit: 6 GE (using scan flip-flop)
Hardware Implementations
  Low-latency: one cipher call takes one cycle
  Round-based: one round takes one cycle
  Bit-serial: the datapath is reduced to a single bit
Generalities: Feistel or SPN? yi
xi
SIMON