“Speck (cipher)”的意思、由来-开放百科全书

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013.^[3] Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

The NSA began working on the Simon and Speck ciphers in 2011. The agency anticipated some agencies in the US federal government would need a cipher that would operate well on a diverse collection of Internet of Things devices while maintaining an acceptable level of security.^[4]

Cipher description

Speck supports a variety of block and key sizes. A block is always two words, but the words may be 16, 24, 32, 48 or 64 bits in size. The corresponding key is 2, 3 or 4 words. The round function consists of two rotations, adding the right word to the left word, xoring the key into the left word, then and xoring the left word to the right word. The number of rounds depends on the parameters selected, as follows:^[3]

Reference code

The following is the designers' reference implementation, written in C, of the Speck variant with a 128-bit block size and key, where key = (K[1], K[0]). It is adapted from their IACR ePrint.^[3]

Note that this code computes the round keys (key schedule) on-demand. In practice, as with other block ciphers it is common for implementations to compute the round keys just once and cache them, rather than recomputing them for every block encrypted or decrypted.

For 16-bit words (Speck32), the rotates are 7 bits right and 2 bits left; for all other word sizes, they are 8 and 3 as shown here.

If the key is more than 2 words long, there are 2 or 3 a values, which are used in rotation.

Endianness

The original Speck paper does not explicitly state the endianness of bytes when the plaintext block is interpreted as the two words used in the cipher algorithm. The test vectors given in the paper suggest big-endian order. However, the authors of the algorithm have advised some implementers^[5] that little-endian byte order is to be used for keys, plaintext, and ciphertext, and the practice was accepted by others.^[6]

Performance

According to ECRYPT's stream cipher benchmarks (eBASC), Speck is one of the fastest ciphers available, both for long as well as short messages. Some median performances for long messages (128-bit, 128-block size version) are: 1.99 cycles per byte (cpb) on an AMD Ryzen 7 1700; 1.27 cpb on an Intel Core i5-6600; 15.96 cpb on a Broadcom BCM2836 Cortex A7.^[7] For example, on the ARMv7 platform, Speck is about 3 times faster than AES.^[8]

When implemented on 8-bit AVR microcontroller, Speck encryption with 64-bit blocks and 128-bit key consumes 192 bytes of Flash, temporary variables consume 112 bytes of RAM, and takes 164 cycles to encrypt each byte in the block.^[9]

Security

Cryptanalysis

The designers claim that Speck, though a "lightweight" cipher, is designed to have the full security possible for each block and key size, against standard chosen-plaintext (CPA) and chosen-ciphertext (CCA) attacks. Resistance against related-key attacks was also stated as a goal, though a less crucial one as attacks in that model are not relevant for typical use cases.^[15]{{rp|2}} No effort was made to resist attacks in the known-key distinguishing attack model, nor did the designers evaluate Speck for use as a hash function.^[3]{{rp|8}}

As of 2018, no successful attack on full-round Speck of any variant is known. Due to interest in Simon and Speck, about 70 cryptanalysis papers have been published on them.^[15]{{rp|10}} As is typical for iterated ciphers, reduced-round variants have been successfully attacked. The best published attacks on Speck in the standard attack model (CPA/CCA with unknown key) are differential cryptanalysis attacks; these make it through about 70–75% of the rounds of most variants, though these best attacks are only marginally faster than brute-force.^[1]^[2]^[15]{{rp|12}} The design team states that while designing Speck, they found differential attacks to be the limiting attacks, i.e. the type of attack that makes it through the most rounds; they then set the number of rounds to leave a security margin similar to AES-128's at approximately 30%.^[15]{{rp|12–13}}

Speck has been criticized for having too small a security margin, i.e. too few rounds between the best attacks and the full cipher, in comparison to more conservative ciphers such as ChaCha20.^[16]

Ciphers with small security margins are more likely to be broken by future advances in cryptanalysis. Speck's design team counters that there is a real-world cost to unnecessarily large security margins, especially on lightweight devices, that cryptanalysis during the design phase allowed the number of rounds to be set appropriately, and that they targeted AES's security margin.^[15]{{rp|17}}

Speck includes a round counter in the key schedule. The designers state this was included to block slide and rotational cryptanalysis attacks.^[15]{{rp|16}} Still, rotational-XOR cryptanalysis has been used to find distinguishers against reduced-round versions of Speck.^[17] Though the authors don't describe standard key-recovery attacks based on their distinguishers, their best distinguishers on Speck32 and Speck48 in the known-key distinguishing attack model for certain weak key classes make it through slightly more rounds than the best differential distinguishers. One of the authors has said that his research was resource-constrained and that rotational-XOR distinguishers on more rounds are probably possible.^[18] However, this type of cryptanalysis assumes the related-key or even the known-key attack models^[17], which are not a concern in typical cryptographic protocols and solutions.^[19]{{rp|8}} The designers also state that Speck was not designed to resist known-key distinguishing attacks (which do not directly compromise the confidentiality of ciphers).^[3]{{rp|8}}

The designers state that NSA cryptanalysis found the algorithms to have no weaknesses, and security commensurate with their key lengths.^[4]{{rp|2}} The design team says that their cryptanalysis included linear and differential cryptanalysis using standard techniques such as Matsui's algorithm and SAT/SMT solvers, though a full list of techniques used is not given.^[15]{{rp|10}} Speck's designers have been criticized for not providing more details on NSA cryptanalysis of the ciphers.^[18]

The NSA has approved Simon128/256 and Speck128/256 for use in U.S. National Security Systems, though AES-256 is still recommended for non-constrained applications.^[20]

Side-channel attacks

Being an ARX cipher, Speck does not use S-boxes or other lookup tables; it is therefore naturally immune to cache-timing attacks.^[4]{{rp|12}} This contrasts with ciphers that use lookup tables such as AES, which have been shown to be vulnerable to such attacks. However, like most block ciphers (including AES) Speck is vulnerable to power analysis attacks unless hardware countermeasures are taken.^[21]^[4]{{rp|12}}

Block and key sizes

Although the Speck family of ciphers includes variants with the same block and key sizes as AES (Speck128/128, Speck128/192, and Speck128/256), it also includes variants with block size as low as 32 bits and key size as low as 64 bits. These small block and key sizes are insecure for general use, as they can allow birthday attacks and brute-force attacks, regardless of the formal security of the cipher.^[22] The designers state that these block and key sizes were included for highly resource-constrained devices where nothing better is possible, or where only very small amounts of data are ever encrypted, e.g. in RFID protocols.^[4]{{rp|2–3}} Only the variant with a 128-bit block size and 256-bit key size is approved for use in U.S. National Security Systems.^[20]

Standardization efforts and controversies

Initial attempts to standardise Simon and Speck failed to meet International Organization for Standardization super-majority required by the process and the ciphers were not adopted.^[23]^[18] Expert delegates to the ISO from several countries including Germany, Japan and Israel opposed the efforts by the NSA to standardise the Simon and Speck ciphers, citing concerns that the NSA is pushing for their standardisation with knowledge of exploitable weaknesses in the ciphers. The position was based on partial evidence of weaknesses in the ciphers, lack of clear need for standardisation of the new ciphers, and the NSA's previous involvement in the creation and promotion of the backdoored Dual_EC_DRBG cryptographic algorithm.^[24]

In response to concerns, the NSA stated that more than 70 security analysis papers from some of the world's leading cryptographers support NSA's conclusion that the algorithms are secure and NSA affirmed that it is not aware of any cryptanalytic techniques that would allow them or anyone else to exploit Simon or Speck.{{fact|date=January 2019}}

After initial attempts to standardise the ciphers failed, the ISO standardised Simon and Speck in other working groups. As of October 2018, the Simon and Speck ciphers have been standardized by ISO as a part of the RFID air interface standard, International Standard ISO/29167-21 (for Simon) and International Standard ISO/29167-22 (for Speck), making them available for use by commercial entities.{{fact|date=January 2019}}

References

1. ^¹²³⁴⁵⁶⁷⁸{{cite web | title=Automatic Differential Analysis of ARX Block Ciphers with Application to SPECK and LEA | first1=Song | last1=Ling | first2=Zhangjie | last2=Huang | first3=Qianqian | last3=Yang | url=https://eprint.iacr.org/2016/209.pdf | date=2016-06-30 | accessdate=2018-05-06 }}
2. ^¹²³⁴{{cite journal | title=Calculating the Approximate Probability of Differentials for ARX-Based Cipher Using SAT Solver | first1=HoChang | last1=Lee | first2=Seojin | last2=Kim | first3=HyungChul | last3=Kang | first4=Deukjo | last4=Hong | first5=Jaechul | last5=Sung | first6=Seokhie | last6=Hong | journal=Journal of the Korea Institute of Information Security and Cryptology | date=February 2018 | volume=28 | number=1 | pages=15–24 | language=Korean | doi=10.13089/JKIISC.2018.28.1.15 | url=http://koreascience.or.kr/article/ArticleFullRecord.jsp?cn=JBBHCB_2018_v28n1_15 }}
3. ^¹²³⁴{{cite web| title=The SIMON and SPECK Families of Lightweight Block Ciphers| first1=Ray| last1=Beaulieu| first2=Douglas| last2=Shors| first3=Jason| last3=Smith| first4=Stefan| last4=Treatman-Clark| first5=Bryan| last5=Weeks| first6=Louis| last6=Wingers| url=https://eprint.iacr.org/2013/404| date=2013-06-19| accessdate=2016-09-20}}
4. ^¹²³⁴{{cite web | title=Simon and Speck: Block Ciphers for the Internet of Things | first1=Ray | last1=Beaulieu | first2=Douglas | last2=Shors | first3=Jason | last3=Smith | first4=Stefan | last4=Treatman-Clark | first5=Bryan | last5=Weeks | first6=Louis | last6=Winger | url=https://csrc.nist.gov/csrc/media/events/lightweight-cryptography-workshop-2015/documents/papers/session1-shors-paper.pdf | date=2015-07-09 | accessdate=2017-11-23}}
5. ^{{Cite web|url=https://www.spinics.net/lists/arm-kernel/msg633602.html|title=Re: [PATCH 0/5] crypto: Speck support|last=|first=|date=|website=www.mail-archive.com|language=en|archive-url=|archive-date=|dead-url=|access-date=2018-04-12}}
6. ^{{Cite web|url=https://www.cryptopp.com/wiki/SPECK|title=SPECK – Crypto++ Wiki|website=www.cryptopp.com|language=en|access-date=2018-04-12}}
7. ^{{Cite web|url=https://bench.cr.yp.to/results-stream.html|title=ECRYPT Benchmarking of Stream Ciphers|access-date=22 June 2017}}
8. ^{{Cite web|url=https://www.spinics.net/lists/linux-crypto/msg33000.html|title=Linux Cryptography — Re: [PATCH v2 0/5] crypto: Speck support|website=www.spinics.net|access-date=2018-08-06}}
9. ^{{Cite web|url=https://eprint.iacr.org/2014/947.pdf|title=The Simon and Speck Block Ciphers on AVR 8-bit Microcontrollers|access-date=25 September 2017}}
10. ^{{Cite web|url=https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da7a0ab5b4babbe5d7a46f852582be06a00a28f0|title=crypto: speck – add support for the Speck block cipher|date=2018-02-14|access-date=2019-01-11|language=en-US}}
11. ^{{Cite news|url=https://itsfoss.com/nsas-encryption-algorithm-in-linux-kernel-is-creating-unease-in-the-community/|title=NSA’s Encryption Algorithm in Linux Kernel 4.17 Leaves Users Miffed {{!}} It's FOSS|date=2018-08-04|work=It's FOSS|access-date=2018-08-06|language=en-US}}
12. ^{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=Speck-Dropping-Next-Kernel|title=The Controversial Speck Encryption Code Will Indeed Be Dropped From The Linux Kernel – Phoronix|website=www.phoronix.com|date=2018-09-04|access-date=2018-12-08}}
13. ^{{Cite web|url=https://www.phoronix.com/scan.php?page=news_item&px=Adiantum-Crypto-Linux-Coming|title=Adiantum Queued Ahead Of Linux 4.21 As Google's Speck Replacement|website=www.phoronix.com|date=2018-11-29|access-date=2019-01-11}}
14. ^{{Cite web|url=https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git/commit/?anzwix=1&id=578bdaabd015b9b164842c3e8ace9802f38e7ecc|title=kernel/git/herbert/cryptodev-2.6.git – Crypto API Dev|website=git.kernel.org|access-date=2018-12-08}}
15. ^¹²³⁴⁵⁶{{Cite web | date=2018-01-19 | title=Notes on the design and analysis of Simon and Speck | url=https://eprint.iacr.org/2017/560.pdf | accessdate=2018-06-13 }}
16. ^{{cite tweet | user=hashbreaker | number=719889001444839424 | first=Daniel J. | last=Bernstein | date=2016-04-12 | accessdate=2018-06-13 | title=NSA claims that having 70% of Simon+Speck broken is ok. | url=https://twitter.com/hashbreaker/status/719889001444839424}}
17. ^¹{{cite web | title=Rotational-XOR Cryptanalysis of Reduced-round SPECK | first1=Yunwen | last1=Liu | first2=Glenn De | last2=Witte | first3=Adrián | last3=Ranea | first4=Tomer | last4=Ashur | date=2017 | url=https://eprint.iacr.org/2017/1036.pdf | accessdate=2018-06-13}}
18. ^¹²{{cite web |title=[PATCH v2 0/5] crypto: Speck support |first=Tomer |last=Ashur |url=https://www.spinics.net/lists/linux-crypto/msg33291.html}}
19. ^{{Cite web | title=Salsa20 security | first1=Daniel J. | last1=Bernstein | date=2015-04-27 | url=https://cr.yp.to/snuffle/security.pdf | accessdate=2018-06-13}}
20. ^¹{{cite web | title=Algorithms to Support the Evolution of Information Assurance Needs | url=https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/algorithms-support-evolution-ia-needs.cfm | author=National Security Agency | date=2016-11-18}}
21. ^{{cite journal | title=Breaking Speck cryptosystem using correlation power analysis attack | first1=Hasindu | last1=Gamaarachchi | first2=Harsha | last2=Ganegoda | first3=Roshan | last3=Ragel | url=https://jnsfsl.sljol.info/articles/10.4038/jnsfsr.v45i4.8233/galley/6293/download/ | doi=10.4038/jnsfsr.v45i4.8233 | journal=Journal of the National Science Foundation of Sri Lanka | date=2017-07-20 | volume=45 | issue=4 | pages=393–404 | accessdate=2018-06-13}}
22. ^{{cite conference | title=On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN | url=https://sweet32.info/SWEET32_CCS16.pdf | first1=Karthikeyan | last1=Bhargavan | first2=Gaëtan | last2=Leurent | conference=ACM Conference on Computer and Communications Security | conference-url=https://www.sigsac.org/ccs/CCS2016/ | pages=456–467 | doi=10.1145/2976749.2978423 | date=2016}}
23. ^[https://www.spinics.net/lists/linux-crypto/msg33291.html Insights an reasons why Speck and Simon have been rejected from ISO standardization]
24. ^{{cite web|title=Distrustful U.S. allies force spy agency to back down in encryption fight|url=https://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV}}