### CAESAR candidate ICEPOLE

#### Pawel Morawiecki<sup>1,2</sup>, Kris Gaj<sup>3</sup>, Ekawat Homsirikamol<sup>3</sup>, Krystian Matusiewicz<sup>4</sup>, Josef Pieprzyk<sup>5,6</sup>, **Marcin Rogawski**<sup>7</sup>, Marian Srebrny<sup>1,2</sup>, and Marcin Wojcik<sup>8</sup>

Polish Academy of Sciences, Poland<sup>1</sup>; University of Commerce, Poland<sup>2</sup>; George Mason University, USA<sup>3</sup>; Intel, Gdansk, Poland<sup>4</sup>; Queensland University of Technology, Australia<sup>5</sup>; Macquarie University, Australia<sup>6</sup>; Cadence Design Systems, USA<sup>7</sup>; University of Bristol, United Kingdom<sup>8</sup>

#### DIAC 2014: Directions in Authenticated Ciphers





2. Icepole Design
3. Security Analysis
4. HW and SW Performance

#### Introduction and Motivation

- Multiple Internet protocols require authenticated encryption: IPsec, TLS/SSL, etc.
- A high-speed, hardware-oriented cipher with authentication, more efficient than AES-GCM
- Existing frameworks/strategies for provably secure cryptographic schemes (e.g. the sponge construction)
- The CAESAR competition

#### ICEPOLE 101

- based on the duplex framework introduced by Bertoni et al., "Duplexing the sponge: (...)", Cryptology ePrint Archive 2011/499
- a high-speed, hardware-oriented permutation (the ICEPOLE permutation) is the heart of the design
- a family of authenticated encryption schemes with three parameters: key, nonce and SMN (secret message number)
- primary recommendation: ICEPOLE-128, with a 128-bit key and a 128-bit nonce

#### Encryption and Tag Generation - Overview

#### ICEPOLE Internal State Organization

- 1280-bit internal state S
- organized into a two-dimensional array S[4][5]
- each element of the array is a 64-bit word
- S[x][y][z] refers to bit z of the word in row x and column y
- the mapping between a bit vector V and S: V[64(x+4y)+z] = S[x][y][z]
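The index formula above fixes how a 1280-bit vector is laid out over the 20 words: x varies fastest, so word S[x][y] is the block of 64 bits starting at vector index 64(x+4y). The following C routines are an added example (not the authors' code) that load such a vector into the S[4][5] array and back. They assume V is stored as 160 bytes with bit i in bit i mod 8 of byte i/8, which the slides do not specify; the helper names (`vector_index`, `state_from_vector`, `state_to_vector`, `lane_of_single_bit`, `roundtrip_demo`) are mine.

```c
#include <stdint.h>
#include <string.h>

/* ICEPOLE state: S[x][y] is a 64-bit word; S[x][y][z] in the slides is bit z of it */
typedef uint64_t icepole_state[4][5];

/* Bit-vector index of S[x][y][z]: V[64(x + 4y) + z] = S[x][y][z] */
static size_t vector_index(int x, int y, int z)
{
    return 64 * (size_t)(x + 4 * y) + (size_t)z;
}

/* Load V (1280 bits as 160 bytes) into S.
 * ASSUMPTION: bit i of V is bit i % 8 of byte i / 8, so every word is the little-endian
 * load of 8 consecutive bytes; the slides only define the bit-vector index. */
static void state_from_vector(icepole_state S, const uint8_t V[160])
{
    for (int x = 0; x < 4; x++)
        for (int y = 0; y < 5; y++) {
            uint64_t word = 0;
            for (int z = 0; z < 64; z++) {
                size_t i = vector_index(x, y, z);
                word |= (uint64_t)((V[i / 8] >> (i % 8)) & 1) << z;
            }
            S[x][y] = word;
        }
}

/* Inverse mapping: write S back into a 160-byte vector */
static void state_to_vector(icepole_state S, uint8_t V[160])
{
    memset(V, 0, 160);
    for (int x = 0; x < 4; x++)
        for (int y = 0; y < 5; y++)
            for (int z = 0; z < 64; z++) {
                size_t i = vector_index(x, y, z);
                V[i / 8] |= (uint8_t)(((S[x][y] >> z) & 1) << (i % 8));
            }
}

/* Build a vector with only bit i set, load it, and return word S[x][y] */
static uint64_t lane_of_single_bit(size_t i, int x, int y)
{
    uint8_t V[160] = {0};
    icepole_state S;
    V[i / 8] = (uint8_t)(1u << (i % 8));
    state_from_vector(S, V);
    return S[x][y];
}

/* 1 if a constructed 160-byte pattern survives load + store unchanged */
static int roundtrip_demo(void)
{
    uint8_t V[160], W[160];
    icepole_state S;
    for (int i = 0; i < 160; i++) V[i] = (uint8_t)(37 * i + 11);  /* constructed sample */
    state_from_vector(S, V);
    state_to_vector(S, W);
    return memcmp(V, W, 160) == 0;
}
```

With this layout, vector bit 64 lands in S[1][0] (x = 1, y = 0), bit 256 in S[0][1], and the last bit, 1279 = 64·19 + 63, in the top bit of S[3][4].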


#### ICEPOLE Round and the P6, P12 Permutations

$$R = \kappa \circ \psi \circ \pi \circ \rho \circ \mu$$

#### ICEPOLE Permutations

- P6: 6 rounds of the ICEPOLE permutation
- P12: 12 rounds of the ICEPOLE permutation

#### Transformation: $\mu$

$$\begin{pmatrix} 2 & 1 & 1 & 1 \\ 1 & 1 & 18 & 2 \\ 1 & 2 & 1 & 18 \\ 1 & 18 & 2 & 1 \end{pmatrix} \begin{pmatrix} Z_0 \\ Z_1 \\ Z_2 \\ Z_3 \end{pmatrix} = \begin{pmatrix} 2Z_0 + Z_1 + Z_2 + Z_3 \\ Z_0 + Z_1 + 18Z_2 + 2Z_3 \\ Z_0 + 2Z_1 + Z_2 + 18Z_3 \\ Z_0 + 18Z_1 + 2Z_2 + Z_3 \end{pmatrix}$$

- multiplication in GF(2<sup>5</sup>) modulo $x^5 + x^2 + 1$


#### Transformation: $\rho$

For all $0 \le x \le 3$, $0 \le y \le 4$ (each 64-bit word is rotated to the left by offsets[x][y] positions):

$$S[x][y] := S[x][y] \lll \text{offsets}[x][y]$$

| offsets[x][y] | y=0 | y=1 | y=2 | y=3 | y=4 |
|---------------|-----|-----|-----|-----|-----|
| x=0           | 0   | 36  | 3   | 41  | 18  |
| x=1           | 1   | 44  | 10  | 45  | 2   |
| x=2           | 62  | 6   | 43  | 15  | 61  |
| x=3           | 28  | 55  | 25  | 21  | 56  |


#### Transformation: $\pi$

$\pi$ moves the word at position $(x, y)$ to position $(x', y')$, where

$$\begin{array}{l} x' := (x+y) \bmod 4 \\ y' := (((x+y) \bmod 4) + y + 1) \bmod 5 \end{array}$$


#### Transformation: $\psi$

For all $0 \le k \le 4$ (indices taken modulo 5):

$$Z_k = M_k \oplus (\neg M_{k+1} M_{k+2}) \oplus (M_0 M_1 M_2 M_3 M_4) \oplus (\neg M_0 \neg M_1 \neg M_2 \neg M_3 \neg M_4)$$






#### Transformation: $\kappa$

$$S[0][0] := S[0][0] \oplus \text{constant}[\text{numberOfRound}]$$

#### ICEPOLE Constants

- The constant values are taken as the output of a simple 64-bit maximum-cycle Linear Feedback Shift Register (LFSR).
- The polynomial representation of the LFSR is $x^{64} + x^{63} + x^{61} + x^{60} + 1$.
- The LFSR seed is 0123456789ABCDEF.
- Each cycle generates the next constant.
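The following C code is an added example, not the authors' reference implementation: it composes the five transformations described above into one round R = κ∘ψ∘π∘ρ∘μ and the P6/P12 permutations, using a bitsliced representation in which each of the 20 words S[x][y] is a 64-bit lane, so one word-level operation processes all 64 slices z at once. Three points are assumptions not fixed by the slides: that μ treats the five bits S[x][0..4][z] of a row as one GF(2^5) element Z_x, with lane y holding the coefficient of x^y; that ρ is a bitwise rotation of each 64-bit word; and that the LFSR is clocked as multiplication by x modulo the stated polynomial, with constant[i] being the state after i+1 cycles. The specification's constant table is authoritative, so the hypothetical `lfsr_cycle` reproduces the mechanism rather than guaranteeing the published values; all function names are mine.

```c
#include <stdint.h>
#include <string.h>

/* 1280-bit ICEPOLE state: S[x][y] is a 64-bit lane, x = row (0..3), y = column (0..4) */
typedef uint64_t icepole_state[4][5];
/* mu, bitsliced: lanes S[x][0..4] hold bit y of all 64 GF(2^5) elements Z_x at once.
 * ASSUMPTION: Z_x is the 5-bit column (S[x][0][z], ..., S[x][4][z]) and lane y carries the
 * coefficient of t^y; arithmetic is modulo t^5 + t^2 + 1 as on the slide. */
static void gf32_times_t(uint64_t a[5])            /* multiply by t, reduce t^5 = t^2 + 1 */
{
    uint64_t carry = a[4];
    a[4] = a[3]; a[3] = a[2]; a[2] = a[1] ^ carry; a[1] = a[0]; a[0] = carry;
}
static void gf32_mul_const(const uint64_t in[5], unsigned c, uint64_t out[5])
{
    uint64_t acc[5] = {0}, p[5];
    memcpy(p, in, sizeof p);
    for (unsigned bit = 0; bit < 5; bit++) {        /* shift-and-add over the bits of c */
        if (c & (1u << bit)) for (int y = 0; y < 5; y++) acc[y] ^= p[y];
        gf32_times_t(p);
    }
    memcpy(out, acc, sizeof acc);
}

static const unsigned MU_MATRIX[4][4] = {{2, 1, 1, 1}, {1, 1, 18, 2}, {1, 2, 1, 18}, {1, 18, 2, 1}};
static void mu(icepole_state S)
{
    icepole_state out;
    memset(out, 0, sizeof out);
    for (int r = 0; r < 4; r++)
        for (int x = 0; x < 4; x++) {
            uint64_t t[5];
            gf32_mul_const(S[x], MU_MATRIX[r][x], t);   /* out[r] += M[r][x] * Z_x */
            for (int y = 0; y < 5; y++) out[r][y] ^= t[y];
        }
    memcpy(S, out, sizeof out);
}

/* rho: rotate every lane left by its offset (the offsets[x][y] table from the slides) */
static const unsigned RHO_OFFSETS[4][5] = {
    { 0, 36,  3, 41, 18}, { 1, 44, 10, 45,  2}, {62,  6, 43, 15, 61}, {28, 55, 25, 21, 56}};
static uint64_t rotl64(uint64_t w, unsigned n) { return n ? (w << n) | (w >> (64 - n)) : w; }
static void rho(icepole_state S)
{
    for (int x = 0; x < 4; x++) for (int y = 0; y < 5; y++) S[x][y] = rotl64(S[x][y], RHO_OFFSETS[x][y]);
}

/* pi: lane (x,y) moves to (x',y') with x' = (x+y) mod 4 and y' = (x'+y+1) mod 5 */
static void pi(icepole_state S)
{
    icepole_state out;
    for (int x = 0; x < 4; x++)
        for (int y = 0; y < 5; y++) {
            int xp = (x + y) % 4;
            out[xp][(xp + y + 1) % 5] = S[x][y];
        }
    memcpy(S, out, sizeof out);
}

/* psi: the 5-bit S-box on every row; M_k = lane S[x][k], indices mod 5, 64 rows per x at once */
static void psi(icepole_state S)
{
    for (int x = 0; x < 4; x++) {
        uint64_t M[5];
        memcpy(M, S[x], sizeof M);
        uint64_t all  =  M[0] &  M[1] &  M[2] &  M[3] &  M[4];
        uint64_t none = ~M[0] & ~M[1] & ~M[2] & ~M[3] & ~M[4];
        for (int k = 0; k < 5; k++)
            S[x][k] = M[k] ^ (~M[(k + 1) % 5] & M[(k + 2) % 5]) ^ all ^ none;
    }
}

/* kappa: round constants from the 64-bit LFSR seeded with 0123456789ABCDEF.
 * ASSUMPTION: one cycle is multiplication by x in GF(2)[x]/(x^64+x^63+x^61+x^60+1) and
 * constant[i] is the state after i+1 cycles; the specification's constant table is authoritative. */
static uint64_t lfsr_cycle(uint64_t s)
{
    uint64_t feedback = s >> 63;
    s <<= 1;
    if (feedback) s ^= (1ULL << 63) | (1ULL << 61) | (1ULL << 60) | 1ULL; /* x^64 = x^63+x^61+x^60+1 */
    return s;
}
static void icepole_constants(uint64_t c[12])
{
    uint64_t s = 0x0123456789ABCDEFULL;
    for (int i = 0; i < 12; i++) c[i] = s = lfsr_cycle(s);
}
static void kappa(icepole_state S, uint64_t rc) { S[0][0] ^= rc; }

/* one round R = kappa o psi o pi o rho o mu (mu first); P6 and P12 iterate it 6 or 12 times */
static void icepole_round(icepole_state S, uint64_t rc) { mu(S); rho(S); pi(S); psi(S); kappa(S, rc); }
static void icepole_permutation(icepole_state S, int rounds)
{
    uint64_t c[12];
    icepole_constants(c);
    for (int i = 0; i < rounds; i++) icepole_round(S, c[i]);
}
```

Two behaviours worth noticing when running it: ψ maps an all-zero state to an all-one state (only the last term of the formula survives) and an all-one state back to all zeros, and every operation except κ is state-independent and constant-time at the word level, which is what makes the design attractive for the iterative hardware architecture discussed later.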


#### Decryption and Tag Generation




#### ICEPOLE Security (Parameters)

- ICEPOLE is based on the duplex construction with parameters r (bitrate) and c (capacity)
- ICEPOLE-128: r = 1026 bits and c = 256 bits (up to 2<sup>126</sup> blocks)
- ICEPOLE-256: r = 962 bits and c = 318 bits (up to 2<sup>62</sup> blocks)
- The security level is proven, as long as the permutation itself is secure

SKEW'11: Bertoni et al., in "On the security of the keyed sponge construction", proved that if the data complexity is limited to $2^a$ *r*-bit blocks, the keyed mode withstands generic attacks with time complexity up to $2^{c-a}$ calls of the underlying permutation. If a < c/2, this results in an increase of the security strength from c/2 to c - a.


#### Nonce Requirement

- ICEPOLE requires a nonce
- In case of nonce reuse, some intermediate robustness is provided by the secret message number and the associated data (if they are distinct)
- If all nonce-like mechanisms are violated (nonce reused, secret message number reused, the same associated data), the security claims do not hold (recent analysis by Tao Huang, Hongjun Wu, Ivan Tjuawinata)


#### ICEPOLE Security Analysis

- Differential cryptanalysis (with the aid of a SAT solver, we provide a bound on the differential trail probability for 12 rounds: probability $\leq 2^{-84}$)
- Linear cryptanalysis (good linear profile of the S-box; propagation of linear masks is very similar to the differential analysis, so a similar security margin is expected; rigorous analysis to be done)
- **Rotational cryptanalysis** (good selection of round constants and a pseudo-random initial state prevent this kind of attack)
- **SAT-based cryptanalysis** (experimentally verified, the attack reaches only 3 rounds)
- Techniques exploiting low algebraic degree (the algebraic degree of a single round is 4, so after 4 rounds the degree reaches 4<sup>4</sup> = 256, making such attacks infeasible)
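The S-box properties that the differential and linear arguments above start from can be checked directly, because ψ acts independently on each 5-bit row. The following C code is an added example (not from the authors): it tabulates ψ from the formula given earlier, confirms that it is a bijection (decryption needs ψ to be invertible) and computes the largest entry of its difference distribution table and the largest absolute linear correlation. The bit-to-index assignment (bit k of the row is M_k) is an assumption; both maxima are invariant under it. Function names are mine.

```c
#include <stdint.h>
#include <stdlib.h>

/* psi on a single 5-bit row, straight from the formula: Z_k = M_k ^ (~M_{k+1} & M_{k+2})
 * ^ (M0 M1 M2 M3 M4) ^ (~M0 ~M1 ~M2 ~M3 ~M4), indices mod 5.
 * ASSUMPTION: bit k of the input is M_k and bit k of the output is Z_k. */
static unsigned psi_sbox(unsigned m)
{
    unsigned all = (m == 0x1F), none = (m == 0);
    unsigned z = 0;
    for (unsigned k = 0; k < 5; k++) {
        unsigned mk  = (m >> k) & 1;
        unsigned mk1 = (m >> ((k + 1) % 5)) & 1;
        unsigned mk2 = (m >> ((k + 2) % 5)) & 1;
        z |= (mk ^ ((mk1 ^ 1) & mk2) ^ all ^ none) << k;
    }
    return z;
}

/* 1 if psi permutes the 32 row values (decryption needs psi to be invertible) */
static int psi_is_bijection(void)
{
    uint32_t seen = 0;
    for (unsigned m = 0; m < 32; m++) seen |= (uint32_t)1 << psi_sbox(m);
    return seen == 0xFFFFFFFFu;
}

/* Largest difference-distribution-table entry over non-zero input differences;
 * the best single-S-box differential then holds with probability entry/32 */
static int psi_max_ddt(void)
{
    int best = 0;
    for (unsigned din = 1; din < 32; din++) {
        int count[32] = {0};
        for (unsigned m = 0; m < 32; m++) count[psi_sbox(m) ^ psi_sbox(m ^ din)]++;
        for (unsigned dout = 0; dout < 32; dout++)
            if (count[dout] > best) best = count[dout];
    }
    return best;
}

static int parity5(unsigned v)          /* XOR of the five low bits */
{
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return (int)(v & 1);
}

/* Largest |sum over x of (-1)^(a.x XOR b.psi(x))| over output masks b != 0;
 * the best single-S-box linear approximation has absolute correlation value/32 */
static int psi_max_lat(void)
{
    int best = 0;
    for (unsigned a = 0; a < 32; a++)
        for (unsigned b = 1; b < 32; b++) {
            int sum = 0;
            for (unsigned m = 0; m < 32; m++)
                sum += (parity5(a & m) ^ parity5(b & psi_sbox(m))) ? -1 : 1;
            if (abs(sum) > best) best = abs(sum);
        }
    return best;
}
```

With this construction the largest DDT entry is 8 of 32 (best single-row differential probability 2<sup>-2</sup>) and the largest absolute correlation is 16/32 = 2<sup>-1</sup>. These are per-S-box figures; the 12-round trail bound of 2<sup>-84</sup> quoted above comes from the SAT-solver search over the whole permutation, where μ, ρ and π force many active rows per round.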


#### **Basic Iterative Architecture**






## FPGA Implementation Results

#### Xilinx Virtex-6

- Throughput: 41364 Mbps
- Area: 1501 Slices
- Throughput/Area: 27.56 Mbps/Slice

#### Altera Stratix-IV

- Throughput: 38779 Mbps
- Area: 4564 ALUTs
- Throughput/Area: 8.50 Mbps/ALUT


#### FPGA Implementation - Area



Source: Keyak and Keccak (multi-purpose mode) from an anonymous submission to an anonymous conference :) Thanks for sharing!


#### FPGA Implementation - Throughput




#### FPGA Implementation - Throughput/Area




#### Software Implementation

- straightforward C implementation compiled for speed
- no optimization beyond plain C
- 9 cycles per byte on Intel Ivy Bridge (i5-3320M)
- 8 cycles per byte on Haswell (Intel Xeon E3 1275)

#### Conclusions

- duplex construction + very efficient permutation = ICEPOLE
- highly efficient in modern FPGAs
- very high speed in modern FPGAs
- good software performance

Thank you!

Questions?