Welcome to my presentation on the tightness of the suffix keyed sponge bound. This is joint work with Christoph Dobraunig. One of the most efficient ways of building a MAC function, or a PRF, is the full-state keyed sponge. The idea is that you take a sponge function built from a b-bit permutation, and you can absorb data b bits at a time. You initialize the state with a k-bit key padded with zeros, permute the state, and then absorb the plaintext b bits at a time: you absorb the first plaintext block and permute, absorb the second block and permute, and so on. After the last plaintext block you make one more permutation call and output the tag. This is a very efficient PRF or MAC design; it has received quite some analysis, and it is efficient because you compress b bits at a time, where b is the size of the permutation. On the downside, this construction in general does not offer mode-level protection against side-channel attacks: it is not leakage resilient, as you would say. As a matter of fact, the attacker can be quite powerful here. After you initialize with the key padded with zeros and permute, you get a secret state, and the attacker has full freedom to add values to this secret state: the block P1 can be chosen by the attacker, so the attacker can manipulate the state at will, and this enables DPA, differential power analysis. One way to solve this is to limit the power the attacker has over evaluating secret states; here, a secret state can potentially be evaluated up to 2^b times, for 2^b different messages. A typical approach to limit this is a GGM-like construction. Here we start with a key and some initial value or nonce, and we process this nonce bitwise.
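The full-state absorption just described can be sketched in a few lines. This is a minimal illustrative sketch: the parameters are toy sizes and the permutation is a simple (non-cryptographic) mixing function standing in for the real b-bit permutation.

```python
# Minimal sketch of a full-state keyed sponge PRF/MAC (toy sizes, toy
# permutation; purely illustrative, not a real design).
B = 64                         # permutation width in bits (toy value)
MASK = (1 << B) - 1

def perm(x: int) -> int:
    # toy invertible mixing, standing in for the real b-bit permutation
    x ^= (x << 13) & MASK
    x ^= x >> 7
    x ^= (x << 17) & MASK
    return x & MASK

def fsks_mac(key: int, blocks: list[int]) -> int:
    state = perm(key & MASK)   # initialize with the key padded with zeros, permute
    for p in blocks:           # absorb one full b-bit block per permutation call
        state = perm(state ^ (p & MASK))
    return state               # the final state is output as the tag
```

Note how each b-bit block is added into the whole state before the next permutation call, which is exactly what gives the attacker full freedom over the secret state.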
If the first bit is a zero, you evaluate a block cipher on the key and an encoding of zero; if the first bit is a one, you evaluate the block cipher on the key and an encoding of one. You continue like this with the second bit, the third bit, up to the last bit; if the last bit is, say, a one, the last block cipher call is on an encoding of one, and this gives you something you can use as a key stream or a tag. So far so good, but can we do this with a permutation? One way is an approach described by Taha and Schaumont; the idea also appears in the ISAP authenticated encryption scheme. As before, we have a b-bit permutation P. We initialize the state with a k-bit key padded with zeros, permute, and then absorb a nonce, not all at once but bit by bit: absorb the first bit, permute, absorb the second bit, permute, up to the last bit. If the nonce is always unique, the state after absorbing the nonce is very likely different for different nonces, which means that from that point on you can absorb at a higher rate, say r bits at a time. The trick is that in the first part, the attacker's power to evaluate secret states multiple times is limited, because it can only absorb one bit at a time, so typically no state repeats often. As a matter of fact, the leakage resilience of this scheme follows from the leakage resilience of the duplex that Christoph and I proved three years ago. On the downside, the side-channel resistance really relies on the uniqueness of the nonce: if the nonce were repeated, you could get repeated states, and the attacker has its power back.
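The bit-by-bit nonce absorption can be sketched as follows; again the permutation and sizes are toy stand-ins, not the real ISAP parameters.

```python
# Sketch of ISAP-style bit-by-bit nonce absorption (toy permutation and
# sizes; illustrative only).
B = 64
MASK = (1 << B) - 1

def perm(x: int) -> int:
    # toy invertible mixing, standing in for the real b-bit permutation
    x ^= (x << 13) & MASK
    x ^= x >> 7
    x ^= (x << 17) & MASK
    return x & MASK

def absorb_nonce_bitwise(state: int, nonce: int, nbits: int) -> int:
    # absorb the nonce one bit at a time into a 1-bit rate, permuting each time
    for i in reversed(range(nbits)):
        bit = (nonce >> i) & 1
        state = perm(state ^ (bit << (B - 1)))
    return state

key_state = perm(0xDEADBEEF)   # state after loading the key and permuting
s1 = absorb_nonce_bitwise(key_state, 0b1011, 4)
s2 = absorb_nonce_bitwise(key_state, 0b1010, 4)
# distinct nonces give distinct states here; from this point on, data can be
# absorbed at a higher rate r
```

Because only one bit enters the state per permutation call, any given secret state is evaluated on at most two inputs, which is what limits the DPA adversary.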
Okay, one alternative way of doing this is the hash-then-PRF construction, or more generally hash-then-MAC; here we take a hash function. The idea is very simple: the plaintext, of arbitrary size, is hashed to get a digest of 2k bits. Then you evaluate a function G, which should be leakage resilient, on the secret key and this 2k-bit digest to get a tag T. Now, why do we need 2k bits here? Because we aim for k-bit security, and a hash function allows for collisions: with a 2k-bit digest, the attacker needs about 2^k evaluations to likely find a collision, but with only a k-bit digest it would need only about 2^(k/2) evaluations. Leakage-resilience-wise, or side-channel-protection-wise, this is quite nice, because the first part is not keyed; the only part that needs protection is the function G, with a 2k-bit input, a k-bit key, and a t-bit tag output. If we map this idea to the sponge, we end up with what we call the suffix keyed sponge, or SuKS. SuKS was proposed in the context of leakage resilience by Dobraunig et al. for ISAP v1. The idea is that the plaintext is first hashed using a plain sponge; this gives you a state U at the end, and only the outer k bits of U are then transformed, using a leakage-resilient PRF G on input of a k-bit key, to get a k-bit replacement for the outer part. The inner b-k bits continue unchanged, and thanks to this you do not need a 2k-bit input to G but only a k-bit input. You make one more permutation call and you get the tag. Three years ago we proved that SuKS is leakage resilient, under the assumption that G and the last evaluation of P do not leak too much information about the secret data.
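The SuKS structure can be sketched as below, with toy sizes and a toy permutation, and with the simplest choice for G, an XOR of the key into the outer part (the construction also allows a leakage-resilient PRF as G).

```python
# Minimal sketch of the suffix keyed sponge (SuKS); toy sizes and toy
# permutation, purely illustrative.
B, R, K = 24, 8, 8          # toy permutation width, rate, key/tag size
MASK = (1 << B) - 1
INNER = (1 << (B - K)) - 1

def perm(x: int) -> int:
    x ^= (x << 13) & MASK
    x ^= x >> 7
    x ^= (x << 17) & MASK
    return x & MASK

def G(key: int, outer: int) -> int:
    return key ^ outer       # simplest G: XOR the key into the outer k bits

def suks(key: int, blocks: list[int]) -> int:
    u = 0
    for m in blocks:         # phase 1: plain, unkeyed sponge hashing
        u = perm(u ^ ((m & ((1 << R) - 1)) << (B - R)))
    s = G(key, u >> (B - K))         # phase 2: only the outer k bits are keyed
    v = (s << (B - K)) | (u & INNER) # inner b-k bits continue unchanged
    return perm(v) >> (B - K)        # one more permutation call; outer bits = tag
```

The key enters only at the very end (the "suffix"), so the hashing phase needs no side-channel protection at all.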
Now in this work we focus not on leakage resilience but really on black-box security. In the black-box setting, G can be a very simple function; it can even be an XOR, but it could also be a more involved function. So what is actually the security of SuKS? If we take the simple case where G is an XOR and k is smaller than r, then this is a well-known construction: Bertoni et al. described it a long time ago, and its security follows from the indifferentiability of the sponge hash function. If the permutation is strong enough and the mode is indifferentiable from a random oracle, then we can use this result to prove that SuKS is a PRF. However, this argument does not work if G is a PRF itself, or if the key size k is larger than r. For this case, three years ago we proved that SuKS is a secure PRF. In detail, we proved the following bound, which I will come back to a couple of times later in this presentation. It consists of three terms. The first one basically corresponds to the event that the attacker finds an inner collision in the hashing part, where N is the number of permutation evaluations the attacker can make: up to the birthday bound, in approximately 2^(c/2) evaluations, it can find an inner collision in the hash part. And if the attacker finds an inner collision in the hash part, we are doomed, because it can then find a full collision for the value U and hence create a forgery. The second term roughly corresponds to the event that the attacker guesses the outer part of V, and the last term roughly corresponds to the event that the attacker guesses the inner part of W.
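To get a feel for the relative sizes of the three terms, here is a numeric evaluation of a bound of this three-term shape for Ascon-like parameters (b = 320, c = 256, k = t = 128), using the multicollision constants 5 and 67 quoted in this talk; exact rational arithmetic is used so the tiny terms are not lost to rounding.

```python
from fractions import Fraction

# Three-term SuKS bound for Ascon-like parameters (b=320, c=256, k=t=128)
# with the multicollision constants 5 and 67 quoted in the talk.
def suks_bound(n: int) -> Fraction:
    inner_collision = Fraction(2 * n * n, 2**256)  # birthday term on the capacity
    guess_outer_v   = Fraction(5 * n,     2**128)  # guessing the outer part of v
    guess_inner_w   = Fraction(67 * n,    2**192)  # guessing the inner part of w
    return inner_collision + guess_outer_v + guess_inner_w
```

At, say, n = 2^112 permutation evaluations, the second term dominates; the third term, despite its larger multicollision constant, is negligible thanks to its 2^192 denominator.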
And this result holds under the assumption that G is 2^(-delta)-uniform, meaning that for any input, the probability over a random key that it maps to a fixed output is at most 2^(-delta), and that G is 2^(-epsilon)-universal, meaning that for any two distinct inputs to G, the probability over the randomness of the key that they collide is at most 2^(-epsilon). The mu term is maybe a bit scary, but it roughly corresponds to the largest likely multicollision: mu_{b-k,k}, or in general mu_{b-c,c}, is the smallest natural number x such that, when the attacker makes q random drawings, the probability of a multicollision of size larger than x is at most x/2^c (in our bound, x/2^k). The idea behind this denominator 2^c, or 2^k in the bound, is that the loss is negligible compared to the term in which the multicollision is used. It is a scary term, but in practice it is not that big. If you look at Ascon-like parameters, we have a permutation of size b = 320 bits, a capacity of c = 256, a rate of r = 64, and we take a key and tag of 128 bits. In this case we can take the XOR as G, so the key is simply XORed into the outer part; this G is 2^(-k)-uniform and has collision probability zero. We then get a bound of the form 2N^2/2^256 + 5N/2^128 + 67N/2^192. If you instead take a PRF as G that is 2^(-k)-uniform and 2^(-k)-universal, we get a comparable bound. Note that the multicollision constant is 5 in one term and 67 in the other, and that the first two terms in the bound are typically dominant: also in this example, the third term has the bigger constant mu, but it has a huge denominator, so it is not dominant in the bound.

Now the question is: how good is this bound that we derived three years ago? Can we find attacks that match these bounds, or can we maybe improve the bound? In this work we investigate this problem, and in detail we find attacks matching the bounds, so we look at the tightness of this bound. For the first term, it is not surprising that it is there: it corresponds to inner collisions in the hash part, and if the attacker finds an inner collision, which it can with about 2^(c/2) evaluations, it can form a full collision after hashing and use it to break the scheme. The second and third terms are maybe more confusing, due to these multicollisions, and in this work we investigate their tightness by mounting attacks. First we look at the case where G is an XOR, and we derive two attacks: a multicollision attack that matches the third term and a multicollision attack that matches the second term. Then we look at the general case where G is a PRF, and we mount a multicollision-based attack that matches the second term; the third term is essentially independent of the function G, as it does not involve G.

Let's start with the first attack, where G is an XOR. This is the picture we have seen before, with the difference that the last part is highlighted; G is an XOR, so you simply XOR the key into the state. The attack goes as follows. First we make q construction queries for different plaintexts. This results in tags T_i and in states U_i after hashing; q construction queries for different messages very likely give different U_i's. Among these q queries, we try to find a multicollision in the tags, say on a tag T: so we have mu messages that lead to the same tag T, but with a different inner part of W. Now we make inverse queries to P on input of the tag, varying the inner part of W, call it C_j. At some point we get an answer of the form y concatenated with the inner b-k bits of some U_i: a hit between the inverse query and the inner part of U, because the inner part stays unchanged through G. Once we have this hit, we have learned the outer part of V for the message that was fed through the SuKS construction. So we have recovered the outer k bits of V; we already know the outer k bits of U, and we can XOR them to get the key, and once you have the key, the scheme is of course broken. Roughly, the idea is that the multicollision in the tag gives a speed-up by a factor mu in searching the rightmost b-t bits of W; once you find the rightmost b-t bits of W, you have recovered the leftmost k bits of V, and from this you can recover the key, because you also know the leftmost k bits of U. The attack is not very efficient, but it does match the term in the bound: for an example with b = 256 and k = 128, the attack has a complexity close to generic, with a huge online and offline complexity. But as I said, usually b is much more than 2k anyway, so this term never dominates the bound.

Now the second attack is a multicollision on the rightmost b-k bits of U, and this is a more interesting attack. In this case we make offline evaluations of the permutation for different plaintexts: we vary the plaintexts to get a mu-fold collision on the rightmost b-k bits of U. Call this common inner value U*; the mu plaintexts all have a different outer part, the leftmost k bits. So we get mu different plaintexts that result in the same inner part but different outer parts. What we do now is make forward queries to the permutation for this value U*, with varying outer values Z_j. We also made the construction queries for the mu-fold collision, so we can check for a match in the tags: we know the mu tags T, we vary the leftmost k bits of V, we permute, and hopefully we get a colliding tag. In that case we very likely found the outer part of V, and once we have found it, it is the same as before: we recovered the outer part of V, we already know the outer part of U, so you can add them and you get the key. So also here, the idea is that the mu-fold collision on the rightmost b-k bits of U gives a speed-up of mu in searching the leftmost k bits of V, and once you have the leftmost k bits of V you can recover the key. If you take a typical example, say b = 272 or b = 320 bits, aiming at 128-bit security, we get only a very small online complexity, while the offline complexity is still close to generic, so it really matches the corresponding term in the bound, 16N/2^128 respectively 5N/2^128. Of course there is a very small loss, but that is due to a bound on the mu-fold collision.

So far so good: these attacks work when G is an XOR. The idea is that you make evaluations that give you the outer part of U, and then you use the multicollision attack to find the outer part of V; because G is an XOR, you can add them and you get the key. Now if G is a PRF, the attacks do not work anymore. The reason is that if G is a PRF, or in general hard to invert, then even if you have U and V, you cannot necessarily recover the key. Still, it turns out that these multicollisions can be used to mount a forgery against SuKS, and the idea, which is slightly more complex, is as follows. The first step is as before: we try to find a multicollision on the inner b-k bits of U. We take mu plaintexts and make offline evaluations, just permutation calls, for these plaintexts, to find a mu-fold collision on the rightmost b-k bits of U. Then, for each of these mu plaintexts independently, we try to find a collision on the outer k bits, the leftmost k bits of U, possibly with a different inner part. So we have a mu-fold collision on the inner part, and for each plaintext in this multicollision a separate collision on the outer part; we are going to use those collisions later on. Next, for the mu construction queries of the multicollision, we compute the corresponding tags. These are very likely mu different tags, but we know that the underlying states all had the same inner part, the same rightmost b-k bits. Now we recover the leftmost k bits of V: we vary the leftmost k bits of V, call them C_j, and evaluate the permutation until we get a match against one of the tags T. At that point, for one of the plaintexts in this mu-fold collision, we have recovered the leftmost k bits of V. The cool thing now is that we go back to the individual collision that we found in step 2: for this plaintext we recovered the leftmost k bits of V, but we also know a different plaintext that happens to have an identical leftmost part of U. Because G is hard to invert, we cannot recover the key, but we do know that this colliding message has the same leftmost part of U, hence the same leftmost part of V; and the rightmost part of V we can compute ourselves, because we can make that evaluation offline. Hence we already know what tag this plaintext will give, so we can mount the forgery. The trick is that we have a multicollision; using it, we recover the value of V for one of the messages, and for that message we have the additional collision on the outer part of U, and hence we can find a forgery.

This is, in general, the collision structure that we have. On the left part of the slide you see the multicollision: mu evaluations P_1, P_2, up to P_mu that all collide on the rightmost b-k bits (the slide says b-s, but in general it is b-k), and for each of these plaintexts we find a separate collision on the leftmost bits. If you go over the attack in detail, which I will do quickly, it turns out we get the same numbers as for the attack with G an XOR; this corresponds to the fact that finding the separate collisions does not add much work.

To conclude: we prove tightness of the bound. It turns out that the attack complexity is similar whether G is an XOR or a PRF. The multicollisions that we saw in our security bound are not artifacts of the proof; they actually have a meaning, because our attacks match these multicollision terms. In the paper we elaborate in more detail on the attack complexity: we actually compute the success probability of the attacks. There is still a very small loss in the bound, due to the bounding of multicollisions; in general this is only a very small constant loss, but it would still be interesting to see how it can be improved. This concludes my presentation. Thank you for watching.
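To make the attack flow concrete, here is a toy end-to-end run of the second attack for G = XOR: a multicollision on the inner b-k bits of U is found offline, the colliding messages are queried online, and guessing the outer k bits of V over the fixed inner part recovers the key. All sizes and the permutation are made up for illustration; the real attack uses a b-bit cryptographic permutation.

```python
from collections import defaultdict

# Toy end-to-end sketch of the multicollision key-recovery attack on SuKS
# with G = XOR (illustrative sizes and permutation; KEY is the secret).
B, R, K = 24, 8, 8
MASK = (1 << B) - 1
INNER = (1 << (B - K)) - 1
KEY = 0xA7                              # secret k-bit key

def perm(x: int) -> int:
    x ^= (x << 13) & MASK
    x ^= x >> 7
    x ^= (x << 17) & MASK
    return x & MASK

def hash_state(blocks):                 # unkeyed sponge hashing -> state u
    u = 0
    for m in blocks:
        u = perm(u ^ ((m & ((1 << R) - 1)) << (B - R)))
    return u

def suks_tag(blocks):                   # the construction under attack
    u = hash_state(blocks)
    v = (((u >> (B - K)) ^ KEY) << (B - K)) | (u & INNER)
    return perm(v) >> (B - K)

def msg(p):                             # encode an integer as three r-bit blocks
    return [p & 0xFF, (p >> 8) & 0xFF, (p >> 16) & 0xFF]

# step 1 (offline): mu-fold collision on the inner b-k bits of u
buckets = defaultdict(list)
for p in range(1 << 17):
    buckets[hash_state(msg(p)) & INNER].append(p)
inner_u, coll = max(buckets.items(), key=lambda kv: len(kv[1]))
mu = len(coll)                          # >= 2 by the pigeonhole principle

# step 2 (online): construction queries for the mu colliding messages
tags = defaultdict(list)
for p in coll:
    tags[suks_tag(msg(p))].append(p)

# step 3 (offline): guess the outer k bits of v over the fixed inner part;
# a tag hit reveals outer(v), and key = outer(v) XOR outer(u)
candidates = set()
for z in range(1 << K):
    t = perm((z << (B - K)) | inner_u) >> (B - K)
    for p in tags.get(t, []):
        candidates.add(z ^ (hash_state(msg(p)) >> (B - K)))
# the true key is among the few candidates; each candidate can be verified
# with one extra construction query
```

The mu-fold collision is what lets one forward query per guess of the outer part be checked against mu tags at once, which is exactly the factor-mu speed-up discussed above.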