CAESAR & NORX
The Future of Authenticated Encryption?

Hamburg, 2014-12-29

Who

Jean-Philippe Aumasson (@veorq)
Cryptographer at Kudelski Security, Switzerland
Philipp Jovanovic (@daeinar)
PhD student at University of Passau, Germany
Samuel Neves (@sevenps)
PhD student at University of Coimbra, Portugal
Nearly all of the symmetric encryption modes you learned about in school, textbooks, and Wikipedia are (potentially) insecure.
Matthew Green

Block Cipher Modes Failures (1/3)
ECB

Bad ECB
Picture credit: @angealbertini

Block Cipher Modes Failures (2/3)
CBC with constant IV

Bad CBC
Picture credit: @angealbertini

Block Cipher Modes Failures (3/3)
CTR with reused nonce

Bad CTR
Picture credit: @angealbertini

Block Cipher Modes

From the 70s: ECB, CBC, CFB, OFB, CTR

Concern of the time: error propagation

Status quo until late 90s:
A third consideration is fault-tolerance. Some applications need to parallelize encryption or decryption, while others need to be able to preprocess as much as possible. In still others it is important that the decrypting process be able to recover from bit errors in the ciphertext stream, or dropped or added bits.
Bruce Schneier, in Applied Cryptography (1996)

Block Cipher Modes Failures

Exploiting malleability
Chosen-boundary attacks

Authenticated Encryption

Authenticated Encryption (AE)

Input: key, nonce, message

Output: ciphertext, authentication tag

Protects Confidentiality, Integrity, Authenticity

Protects traffic in IPsec, SSH, TLS, etc.

Authenticated Encryption
with Additional Data (AEAD)

Input: message, additional data, key, nonce

Ouput: ciphertext, authentication tag

Integrity & Authenticity covers cleartext data

Useful to protect datagram parts that need remain in clear (such as headers including routing data)

AE(AD) Constructions
Generic Composition

Combine a symmetric cipher and a MAC

Options:

Examples:

AE(AD) Constructions
Dedicated Methods

Authenticated block cipher modes Dedicated authenticated ciphers: Sponge functions...

Common Risks with Authenticated Encryption

Interaction between cipher and MAC (key reuse, etc.)

Sec(cipher+MAC) ≤ Min( Sec(Cipher), Sec(MAC) )

Custom ciphers/modes if no suitable standard

"Misuse" (constant/repeated nonces, etc.)

Bad parameters choice (such as GCM tag size)

Led to some problems...

Crypto Failures

Padding Oracle Attacks

2002: on MAC-then-encrypt CBC-mode ciphers

2002–2014: Repeatedly exploited to mount attacks on TLS (BEAST, Lucky Thirteen, etc.)

Latest variant: POODLE
Padding Oracle On Downgraded Legacy Encryption
(vs. SSLv3 & TLS)

WEP

2007: key recovery within minutes from a few thousand intercepted messages

Exploits biases in RC4 and "misuse"

Download aircrack-ng and try this at home

TLS (and RC4)

2013: RC4 biases shown to be usable against TLS

Exploits weaknesses in RC4 (again)

RC4

Insecure, but fast in Swift!

Competition for

Authenticated

Encryption:

Security,

Applicability, and

Robustness

CAESAR

Identify a portfolio of authenticated ciphers that offer advantages over AES-GCM (the current de-facto standard) and are suitable for widespread adoption.

March 15 2014 – End of 2017

Led by DJB, with a committee of 22 cryptographers

Sponsored by but not organized/controlled by NIST

http://competitions.cr.yp.to/caesar.html

AES-GCM Everywhere

The AE standard:

What's Wrong with AES-GCM?

Unnecessarily complex (to implement)

Fast only if AES/Galois field arithmetic HW support is available, like AES-NI

Without HW support: Constant-time implementations even more complicated

Auth key recovery if nonce is reused

What's Wrong with AES? Nothing

If NSA isn't interested in cryptanalysis, then who is?

Academics also find new "attacks" on AES every year

Don't worry, AES won't (can't?) be broken
(At least for any reasonable definition of "broken")

CAESAR's 57 submissions

ACORN ++AE AEGIS AES-CMCC AES-COBRA
AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ
Artemia Ascon AVALANCHE Calico CBA
CBEAM CLOC Deoxys ELmD Enchilada
FASER HKC HS1-SIV ICEPOLE iFeed[AES]
Joltik Julius Ketje Keyak KIASU
LAC Marble McMambo Minalpher MORUS
NORX OCB OMD PAEQ PAES
PANDA Π-Cipher POET POLAWIS PRIMATEs
Prøst Raviyoyla Sablier SCREAM SHELL
SILC Silver STRIBOB Tiaoxin TriviA-ck
Wheesht YAES

CAESAR's 57 submissions

ACORN ++AE AEGIS AES-CMCC AES-COBRA
AES-COPA AES-CPFB AES-JAMBU AES-OTR AEZ
Artemia Ascon AVALANCHE Calico CBA
CBEAM CLOC Deoxys ELmD Enchilada
FASER HKC HS1-SIV ICEPOLE iFeed[AES]
Joltik Julius Ketje Keyak KIASU
LAC Marble McMambo Minalpher MORUS
NORX OCB OMD PAEQ PAES
PANDA Π-Cipher POET POLAWIS PRIMATEs
Prøst Raviyoyla Sablier SCREAM SHELL
SILC Silver STRIBOB Tiaoxin TriviA-ck
Wheesht YAES
Flaws: none 39, major 13, minor 5

NORX

NO(T A)RX

NORX Design Goals

High security

High speed (in SW and HW)

Simplicity (of specs and code)

Online / one-pass

Scalability (parallelism, unrolling)

High key agility (no "key schedule")

Side-channel leaks robustness (esp. timings)

NORX Parameters and Proposed Instances

Word Bit Size Number of Rounds
W ∈ {32, 64}1 ≤ R ≤ 63
  
Parallelism Degree Tag Bit Size
0 ≤ D ≤ 255|A| ≤ 10W
NORX[W-R-D] Nonce (2W) Key (4W) Tag (4W)
NORX64-4-1 128 256 256
NORX32-4-1 64 128 128
NORX64-6-1 128 256 256
NORX32-6-1 64 128 128
NORX64-4-4 128 256 256

R=6: higher security margin
D=4: high throughput on parallel architectures

NORX Mode

NORX in Sequential Mode (D = 1)

"Monkey duplex" construction (from Keccak/SHA3)

Process header, payload, and trailer data in one pass

Data expansion via multirate padding: 10*1

NORX Mode

NORX in Parallel Mode (D = 2)

State

Initialisation

Initialisation

Load nonce, key and constants into S:

Parameter integration (v1):

s14 = s14 ^ (R<<26) ^ (D<<18) ^ (W<<10) ^ |A|

Apply round permutation: S = FR(S)

Initialisation

Load nonce, key and constants into S:

Parameter integration (v2):

s12 = s12 ^ W
s13 = s13 ^ R
s14 = s14 ^ D
  s15 = s15 ^ |A|

Apply round permutation: S = FR(S)

Absorb Header / Trailer

Absorb Header / Trailer

Integrate domain separation constant:

s15 = s15 ^ {0x01,0x04}

Apply round permutation: S = FR(S)

Absorb data:

Encrypt Payload

Encrypt Payload

Integrate domain separation constant:

s15 = s15 ^ 0x02

Apply round permutation: S = FR(S)

Absorb data:

Set new ciphertext block: c = (z0,...,z9)

Generate Tag

Generate Tag

Integrate domain separation constant:

s15 = s15 ^ 0x08

Apply round permutation twice:

S = FR(S)
S = FR(S)

Set tag: t = (s0,s1,s2,s3)

The Permutation FR

FR = R iterations of the permutation F

F runs G on state's columns, then diagonals

The Permutation G(a,b,c,d)

1. a = H(a,b) 5. a = H(a,b)
2. d = ROTR(a^d,R0) 6. d = ROTR(a^d,R2)
3. c = H(c,d) 7. c = H(c,d)
4. b = ROTR(b^c,R1) 8. b = ROTR(b^c,R3)
with:

Properties of FR/F/G

Inspired from BLAKE(2)/ChaCha

H is almost integer addition: + is replaced by ^ in

x+y = (x^y)+((x&y)<<1)

Only bit-wise ops, no carries; no S-boxes

Only constant-time operations

Hardware friendly: horizontal and vertical folding

Software friendly: direct use of SIMD instructions

Is NORX Secure?

Main threat: differential cryptanalysis, so let's prove resistance to some basic attacks (ongoing work)

Performance

Software Speed (x86/amd64)

NORX64-4-1 (single-core)

Platform Implementation cpb MiBps
Ivy Bridge: i7 3667U @ 2.0GHz AVX 3.37 593
Haswell: i7 4770K @ 3.4GHz AVX2 2.51 1390
Note: The NORX software package includes benchmark utilities.

Software Speed (ARMv7, ARMv8-A)

NORX64-4-1 (single-core)

Platform Implementation cpb MiBps
BBB: Cortex-A8 @ 1.0GHz NEON 8.96 111
iPad Air: Apple-A7 @ 1.4GHz Ref 4.07 343
Note: The NORX software package includes benchmark utilities.

Software Speed (SUPERCOP)

Source: http://www1.spms.ntu.edu.sg/~syllab/speed

NORX among the fastest CAESAR candidates

Fastest sponge-based scheme

Reference code has competitive speed, too

NORX vs. AES-GCM (x86/amd64)

AES-GCM "standard": OpenSSL 1.0.1j compiled with no-asm flag.
> openssl speed -evp aes-{128,256}-gcm

NORX vs. AES-GCM (ARMv7)

AES-GCM "standard": OpenSSL 1.0.1j compiled with no-asm flag.
> openssl speed -evp aes-{128,256}-gcm

Hardware Efficiency (ASIC)

NORX chip, source: http://asic.ee.ethz.ch/2013/CronorX.html

Designed by students from ETH Zürich
(supervised by F. Gürkaynak)

180nm UMC @125MHz, area &approx; 59kGE

NORX64-4-1 throughput: ≈ 10Gbps

Conclusion

CAESAR

Crypto competition 2014–2017

About authenticated encryption

57 submissions received

2nd-round candidates announced on Jan 15, 2015

http://competitions.cr.yp.to/
https://aezoo.compute.dtu.dk
http://www1.spms.ntu.edu.sg/~syllab/speed

PS: Another competition https://password-hashing.net

NORX

CAESAR candidate (one of the unbroken ones)

Innovative not-ARX core and parallelisable mode

Minimizes side-channel leaks (timing, padding)

No dependency on AES instructions/accelerators

Straightforward to implement, very fast in SW / HW


https://norx.io/

Code available in C, C++, Go, Python, Rust

No patents, free for everyone, code under CC0

One last thing

Do not use NORX in production

At least for now...



Thank you!