Simon: NSA-designed Cipher in the Post-Snowden World
Tomer Ashur
KU Leuven
28/12/2015
The SIMON and SPECK Families of Lightweight Block Ciphers
◮ Two families of lightweight block ciphers (10 variants for each)
◮ Designed by the NSA
◮ Released in 2013
Simon
◮ Hardware oriented
◮ Feistel structure
Simon - Structure
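[Figure: one Feistel round. Inputs $X^i$, $Y^i$; $F$ is applied to $X^i$ and XORed with $Y^i$ and the round key $K^i$; outputs $X^{i+1}$, $Y^{i+1}$.]

$X^{i+1} = F(X^i) \oplus Y^i \oplus K^i$
$Y^{i+1} = X^i$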
Simon - Variants
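| Block size | Key size | No. rounds |
|------------|----------|------------|
| 32         | 64       | 32         |
| 48         | 72       | 36         |
| 48         | 96       | 36         |
| 64         | 96       | 42         |
| 64         | 128      | 44         |
| 96         | 96       | 52         |
| 96         | 144      | 54         |
| 128        | 128      | 68         |
| 128        | 192      | 69         |
| 128        | 256      | 72         |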
Simon - Round Function
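[Figure: round function diagram. Inputs $X^i$ and $Y^i$; operations shown: $\lll 1$, $\lll 8$, $\&$, $\lll 2$, $\oplus$.]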
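The structure and round function from the two slides above, as an added example that is not part of the original slides. It assumes the round function $F(x) = (x \lll 1 \,\&\, x \lll 8) \oplus (x \lll 2)$ from the published SIMON specification; the key schedule is not shown on this page, so the round keys here are constructed random values, and the function names are this example's own.

```python
# Added example: SIMON's Feistel round with constructed round keys.
import random

# (block size, key size) -> number of rounds, from the "Simon - Variants" table.
VARIANTS = {
    (32, 64): 32,
    (48, 72): 36, (48, 96): 36,
    (64, 96): 42, (64, 128): 44,
    (96, 96): 52, (96, 144): 54,
    (128, 128): 68, (128, 192): 69, (128, 256): 72,
}


def rol(x, r, n):
    """Rotate the n-bit word x left by r bits."""
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def F(x, n):
    """Round function (assumed from the SIMON specification)."""
    return (rol(x, 1, n) & rol(x, 8, n)) ^ rol(x, 2, n)


def encrypt(x, y, round_keys, n):
    """Apply X^{i+1} = F(X^i) ^ Y^i ^ K^i, Y^{i+1} = X^i for each round key."""
    for k in round_keys:
        x, y = F(x, n) ^ y ^ k, x
    return x, y


def decrypt(x, y, round_keys, n):
    """Undo the rounds in reverse order.

    Y^{i+1} is X^i unchanged, so F(X^i) can be recomputed and XORed away.
    F itself never has to be inverted.
    """
    for k in reversed(round_keys):
        x, y = y, F(y, n) ^ x ^ k
    return x, y


def roundtrip_all_variants(seed=2015):
    """Encrypt and decrypt one constructed block per variant in the table."""
    rng = random.Random(seed)
    for (block, _key), rounds in VARIANTS.items():
        n = block // 2  # a Feistel cipher splits the block into two words
        keys = [rng.getrandbits(n) for _ in range(rounds)]  # constructed keys
        x, y = rng.getrandbits(n), rng.getrandbits(n)
        if decrypt(*encrypt(x, y, keys, n), keys, n) != (x, y):
            return False
    return True


if __name__ == "__main__":
    # F is not a bijection: the all-zero and all-one words both map to 0.
    print("F(0x0000) =", hex(F(0x0000, 16)), " F(0xffff) =", hex(F(0xFFFF, 16)))
    print("all variants invert correctly:", roundtrip_all_variants())
```

The collision F(0) = F(all ones) = 0 shows that invertibility comes from the Feistel structure, not from F.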
Simon - Key schedule
Simon - Performance
Figure: Performance figures from the original paper (eprint 2013/404)
Simon - Performance
Figure: Performance figures from the NIST workshop (eprint 2015/585)
Simon - Security
◮ “...SIMON and SPECK have been designed to provide security against traditional adversaries who can adaptively encrypt and decrypt large amounts of data. We concede that (as is the case with other algorithms) there will be what amount to highly optimized ways to exhaust the key that reduce the cost of a naive exhaust by a small factor. We have also made a reasonable effort to provide security against adversaries who can flip key bits, and our aim is that there should be no related-key attacks...” (eprint 2013/404)
Simon - Security
◮ “The development process culminated in the publication of the algorithm specifics in June 2013 [9]. Prior to this, Simon and Speck were analyzed by NSA cryptanalysts and found to have security commensurate with their key lengths; i.e., no weaknesses were found. Perhaps more importantly, the algorithms have been pretty heavily scrutinized by the international cryptographic community for the last two years (see, e.g., [2], [3], [5], [4], [1], [6], [15], [16], [20], [27], [29], [37], [47], [51], [53], [56], [59], [62], [60], [30], [7], [25], [42], [24]).” (eprint 2015/585)
Linear Cryptanalysis
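$$X_i \,\&\, Y_i = \begin{cases} 0 & p = \tfrac{3}{4};\ \epsilon = \tfrac{1}{4} \\ X_i & p = \tfrac{3}{4};\ \epsilon = \tfrac{1}{4} \\ Y_i & p = \tfrac{3}{4};\ \epsilon = \tfrac{1}{4} \\ X_i \oplus Y_i \oplus 1 & p = \tfrac{3}{4};\ \epsilon = \tfrac{1}{4} \end{cases}$$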
Linear Cryptanalysis - Data Complexity
◮ Data complexity ≥ $\epsilon^{-2}$
◮ Data complexity ≤ $2^n$
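The bias table and the two data-complexity bounds above can be checked exactly on a 16-bit word. This is an added example, not code from the slides or from any of the papers they cite; it assumes the round function $F(x) = (x \lll 1 \,\&\, x \lll 8) \oplus (x \lll 2)$ from the SIMON specification, uses the piling-up lemma in its standard form, and all function names are this example's own. It also goes one step beyond the slides by showing a pair of output bits whose AND gates share an input, where the piling-up prediction does not hold.

```python
# Added example: exact biases for linear approximations of SIMON's AND gates.
from fractions import Fraction
from itertools import product

N = 16  # word size of the 32-bit-block variant


def rol(x, r, n=N):
    """Rotate the n-bit word x left by r bits."""
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def F(x, n=N):
    """Round function (assumed from the SIMON specification)."""
    return (rol(x, 1, n) & rol(x, 8, n)) ^ rol(x, 2, n)


def and_approximations():
    """Pr[x & y == a*x ^ b*y ^ c] for every linear approximation (a, b, c)."""
    table = {}
    for a, b, c in product((0, 1), repeat=3):
        hits = sum((x & y) == ((a & x) ^ (b & y) ^ c)
                   for x, y in product((0, 1), repeat=2))
        table[(a, b, c)] = Fraction(hits, 4)
    return table


def piling_up(biases):
    """Joint bias of k independent approximations: 2^(k-1) * e_0 * ... * e_(k-1)."""
    joint = Fraction(1, 2)
    for e in biases:
        joint *= 2 * e
    return joint


def measured_bias(out_bits, n=N):
    """Exact bias of XOR_j F(x)[j] ~ XOR_j x[j-2], i.e. every AND replaced by 0.

    Counts over all 2^n inputs, so the result is exact, not an estimate.
    """
    hits = 0
    for x in range(1 << n):
        fx = F(x, n)
        lhs = rhs = 0
        for j in out_bits:
            lhs ^= (fx >> j) & 1
            rhs ^= (x >> ((j - 2) % n)) & 1  # bit j of (x <<< 2)
        hits += lhs == rhs
    return Fraction(hits, 1 << n) - Fraction(1, 2)


def min_data(eps):
    """Lower bound from the slide: data complexity >= eps^-2."""
    return 1 / (eps * eps)


def fits_codebook(eps, block_bits):
    """Upper bound from the slide: data complexity <= 2^n (the whole codebook)."""
    return min_data(eps) <= 2 ** block_bits


if __name__ == "__main__":
    good = [k for k, p in and_approximations().items() if p == Fraction(3, 4)]
    print("approximations (a, b, c) with p = 3/4:", sorted(good))

    quarter = Fraction(1, 4)
    # Output bits 0, 1, 2 use AND gates on disjoint input bits: lemma holds.
    print("bits 0,1,2 :", measured_bias([0, 1, 2]), "predicted", piling_up([quarter] * 3))
    # Output bits 1 and 8 both AND with input bit 0: lemma over-estimates the decay.
    print("bits 1,8   :", measured_bias([1, 8]), "predicted", piling_up([quarter] * 2))

    print("eps = 2^-16 usable with a 32-bit block:", fits_codebook(Fraction(1, 2 ** 16), 32))
    print("eps = 2^-17 usable with a 32-bit block:", fits_codebook(Fraction(1, 2 ** 17), 32))
```

Bits 1 and 8 keep a bias of 1/4 rather than the predicted 1/8 because their error terms combine into a single AND, which is why independence has to be checked before multiplying biases.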
Multiple Linear Cryptanalysis
◮ Using more than one linear approximation to reduce the data complexity
◮ Using more than one linear approximation to extend the attack
The NIST Workshop
◮ “...For example, the bias calculated in section 5 should be $2^{-8.34 \times 2} \times 2^{-1} = 2^{17.64}$, not $2^{-8.34 \times 2} \times 2 = 2^{-15.68}$. This error was propagated throughout the paper...” (Anonymous reviewer for the NIST)
◮ “...The first comment, dealing with the right bias when combining two linear approximations is clearly wrong. The joint bias when combining approximations is given by the piling up lemma and is equal to (for three approximations) $e_0 \times e_1 \times e_2 \times 2^2$...” (my response to the NIST review)
The Plot Thickens
◮ Three days after sending this, I got an email from Doug Shors
◮ “We are preparing to post a paper to the eprint archive; one thing we’ve done in the paper is summarize the current state of the SIMON and SPECK cryptanalysis...” (Doug Shors, 24/05/2015)
◮ “...Right now we’re not seeing how it could work as claimed...” (Doug Shors, 24/05/2015)
◮ “...I understand that implementing the full attack is out of reach. But is it possible to restrict the keys in some way, or to do the 22- or 23-round version of the attack, and get some useful information?” (Doug Shors, 26/05/2015)
Verifying the Attack on 20 Rounds
◮ Doug: “...Combining a bunch of random biases ($2^{-n/2}$ is random), if it worked, would allow you to attack any number of rounds of any block cipher...” (Doug Shors, 26/05/2015)
◮ Tomer: “...Combining enough linear approximations together - even if the bias for each individual one is below $2^{-n/2}$ - can improve an attack both in terms of the number of required plaintexts and/or the length of the distinguisher...” (Tomer Ashur, 26/06/2015)
◮ Doug: “...Actually, I do not disagree with this statement, but you really have to consider what happens in the wrong case, which I don’t think is done in the paper...” (Doug Shors, 26/06/2015)
Direct Email Exchange with the NSA
◮ “...Just as a friendly comment, I think there are some misconceptions in the paper which will be apparent to experts reading it, and so it’s probably in your interest to fix them...” (Doug Shors, 01/06/2015)
◮ “I come originally from the mathematics world, where there’s a pretty high standard regarding the veracity of published results, and I’m often disappointed by the standard for crypto publications, where opinion, wishful thinking, marketing of tweaks to existing methods as fundamental breakthroughs, etc., etc., are all tolerated. I’m addressing the situation in general; not your paper in particular. Of course there is also a lot of very high-quality work out there” (Doug Shors, 26/06/2015)
Parseval’s Theorem
◮ “...there’s the 19th-century mathematics that underlies this subject. I would urge you to review Parseval’s Theorem if you have the belief that aggregating the data for all $2^{2n}$ approximations will lead somewhere...”
◮ $\int_{-\infty}^{\infty} |x(t)|^2 \, dt = \int_{-\infty}^{\infty} |X(f)|^2 \, df$
The Central Limit Theorem
◮ “We didn’t do random case runs, because we think we understand that case, basically by the central limit theorem (more precisely using Berry-Esseen type results that tolerate local dependence, and bound the $L^\infty$ distance between the wrong case distribution and the appropriate normal distribution)...”
◮ $|F_n(x) - \Phi(x)| \le \dfrac{C\rho}{\sigma^3 \sqrt{n}}$
“Trust Us”
◮ “...And I certainly don’t have the chutzpah to think I’m so smart that I could pull something over on the likes of Shamir, Dinur, Biham, Wang, Leander, et al., that they would never discover...” (Doug Shors, 29/09/2015)
◮ “...We have an Information Assurance Directorate and a Signals Intelligence Directorate. We (the SIMON and SPECK designers) work in the former. I’m sure just about every nation has something like this, and has to resolve issues that arise...” (Doug Shors, 30/09/2015)
◮ “...I know that I have really outstanding Ph.D. statisticians here that I consult when I need assistance with statistics...” (Doug Shors, 01/10/2015)
“Stop Embarrassing Yourself”
◮ “...I suspect that you’re sufficiently convinced that something’s wrong with SIMON that you’re unable to review your own work with a critical eye. If I wanted to be preachy, I’d say it’s dangerous in science to "know" what the answer is before you look at the data, because you can easily end up fooling yourself...” (Doug Shors, 29/09/2015)
◮ “...In fact I’m very careful in my work, and I’ve spent well over a year working to attack SIMON, so that I could be as sure as I possibly could be that it was secure. So I know what’s possible. I’m not apt to accept something that I know doesn’t work...” (Doug Shors, 30/09/2015)
“You’re out of your League”
◮ “...Is there anyone at your venerable institution that can carefully and critically review your work before you seek to publish it? I assure you that this is in your own best interest...” (Doug Shors, 29/09/2015)
◮ “I can’t believe that Prof. Rijmen didn’t identify the issues I’ve identified; I’m guessing he didn’t carefully work through the paper. (I know my advisor wouldn’t have...)” (Doug Shors, 30/09/2015)
“NSA Runs”
◮ “...We’ve now generated a lot of data – 1024 trials for 30 rounds SIMON, and 1024 random case trials (for which we used the full SPECK algorithm and your approximations). In short, there’s nothing there; the two distributions are not distinguishable by any test we can conceive of...” (Doug Shors, 18/10/2015)
◮ “...Interestingly, for 18 rounds, it appears that there is likely a distinguisher. However, it’s not a slam dunk...” (Doug Shors, 18/10/2015)
Moving Forward
◮ “...then I would like to ask you to retract the claims in the ISO Belgium expert contribution that there are weaknesses in the Simon cipher...” (Louis Wingers, 16/10/2015)
◮ “...Thus, if Tomer could provide us (Doug or myself) with his results and whether you would like to retract your claim by the 21st of October, I would greatly appreciate it...” (Louis Wingers, 16/10/2015)
◮ “...then at the Study Period session in Jaipur, as Rapporteur, I will address Tomer’s work in detail, including his previous ePrint paper which has been largely discredited by X. Wang (who will be in attendance)...” (Louis Wingers, 16/10/2015)
Summary
◮ Simon has been somehow based on Parseval’s Theorem for its design
◮ The NSA are pushing Simon and Speck really hard as standards
◮ The NSA can run $2^{10}$ experiments each evaluating $2^{32} \cdot 2^{14}$ linear equations in less than one night.
◮ The NSA does not understand the level of doubt academics have toward their work.
Lesson Learned
◮ It seems that as far as crypto standards go, the post-Snowden world looks pretty much like the pre-Snowden world