Authenticated Encryption Mode for Beyond the Birthday Bound Security

  1. Authenticated Encryption Mode for Beyond the Birthday Bound Security. Tetsu Iwata, Nagoya University, iwata@cse.nagoya-u.ac.jp. Africacrypt 2008, Casablanca, Morocco, June 11, 2008

  2. Blockcipher (figure: plaintext M and key K enter E, ciphertext C comes out) • |M| = |C| = n (block length), |K| = k (key length) • designed to withstand various known attacks (differential attack, linear attack, ...) • indistinguishable from a random permutation even if the adversary obtains 2^{n−δ} plaintext-ciphertext pairs

  3. Blockcipher Modes • privacy: CBC mode, CTR mode, ... • authenticity: CBC MAC, CMAC, PMAC, ... • privacy and authenticity: GCM, OCB, EAX, ... Security Proofs • success probability O(σ^2 / 2^n) • birthday bound • σ: amount of data the adversary obtains (in blocks) • n: block length of the underlying blockcipher (in bits)

  4. Security Proofs with Beyond the Birthday Bound • privacy: CENC, NEMO • authenticity: XOR MAC, RMAC, Poly1305, MACH, ... • privacy and authenticity: Generic Composition, CHM

  5. Why Beyond the Birthday Bound? • higher security is a valid goal • huge gap between blockcipher security and mode security – blockcipher: 2^{n−δ}, mode: 2^{n/2} (from O(σ^2 / 2^n)) – the security of the blockcipher is significantly lost once it is plugged into the modes – CTR mode, CMAC, and GCM do not fully inherit the security of the blockcipher • some applications require n = 64 (HIGHT, Present) – 2^32 is small

  6. Goal of This Paper • design of an authenticated encryption mode, CIP • CENC with Inner Product hash • beyond the birthday bound security • fix the security issue in the authenticity of CHM and GCM

  7. Authenticated Encryption • two security goals: – privacy – authenticity • two design approaches – generic composition: secure encryption + secure MAC (BN00, K01) – one algorithm of dedicated design, more efficient than generic composition

  8. Authenticated Encryption Using Blockcipher • IAPM, IACBC (Jutla '01) • XCBC, XECBS (Gligor, Donescu '01) • OCB (Rogaway '01) • GCM (McGrew and Viega '04, NIST SP 800-38D) • CHM (Iwata '06) • ···

  9. GCM (McGrew, Viega '04, NIST SP 800-38D) • blockcipher E • inputs: the key K, nonce N, plaintext M and header A • outputs: the ciphertext C and tag T: (K, N, M, A) → GCM → (C, T) • M is encrypted and authenticated • A is authenticated (and not encrypted) • M and A can be any lengths • |C| = |M|

  10. Encryption of GCM (figure): the counter block N ‖ 0^{31} ‖ 1 is incremented (inc) once per block, encrypted with E_K and XORed into M_1, ..., M_4 to give C_1, ..., C_4; H ← E_K(0^n); A_1, ..., A_4, C_1, ..., C_4 and len(A) ‖ len(C) are absorbed from 0^n by repeated ⊗ H (⊗: multiplication in GF(2^n)); the result is masked with E_K of the initial counter block and truncated to give T

  11. CHM (Iwata, FSE '06) • CENC with Hash based MAC • beyond the birthday bound security – CENC for encryption: an encryption mode, Iwata, FSE '06 – parameters of CENC: ∗ blockcipher E: {0,1}^k × {0,1}^n → {0,1}^n ∗ nonce length: ℓ_nonce bits, ℓ_nonce < n ∗ frame width: w

  12. Key Stream Generation of CENC (figure: ctr is incremented (inc) before each E_K call; within a frame the first output E_K(ctr) is the mask L and each of the next w outputs is XORed with L to give S_0, S_1, ..., so one frame of w key-stream blocks costs w + 1 calls, after which a fresh mask is taken) • L: mask • w: frame width, default: w = 2^8 = 256 • N: nonce, ctr ← N ‖ 0···0, default: |N| = ℓ_nonce = n/2

  13. Encryption of CENC (figure): ctr ← N ‖ 0···0; the key stream S_0, S_1, ..., S_5 is generated as on slide 12 and C_i ← M_i ⊕ S_i for each block

  14. Indistinguishability from Random String. The adversary A talks either to the CENC oracle CENC_K(·,·), which on (N, M) returns C = CENC_K(N, M), or to the random oracle R(·,·), which on (N′, M′) returns a random string C′ of the same length; A must not repeat the same nonce. $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \stackrel{\mathrm{def}}{=} \left| \Pr_K(A^{\mathrm{CENC}_K(\cdot,\cdot)} = 1) - \Pr_R(A^{R(\cdot,\cdot)} = 1) \right|$

  15. Security Theorem of CENC. $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le \frac{w\hat\sigma^3}{2^{2n-3}} + \frac{w\hat\sigma}{2^n}$ • A: q queries with a total of σ blocks • σ̂ = σ + qw (≈ σ) • beyond the birthday bound

  16. CHM (Iwata, FSE '06) • CENC with Hash based MAC • S_0 ← E_K(1^{n−1} 0), S_1 ← E_K(1^n) • use CENC to produce 1 + ⌈|M|/n⌉ blocks of S (⌈|M|/n⌉: block length of M): CENC_K(N) → S = S_A ‖ S_C, where S_A is the first block and S_C the remaining ⌈|M|/n⌉ blocks • C ← M ⊕ (first |M| bits of S_C) • T ← Hash_{S_0}(C) ⊕ Hash_{S_1}(A) ⊕ S_A (truncate if needed)

  17. Encryption of CHM (figure): S_0 ← E_K(1^{n−1} 0), S_1 ← E_K(1^n); N drives CENC, which supplies the pad for M_1, ..., M_4 → C_1, ..., C_4 and the block S_A; N, A and C are padded; the padded C_1, ..., C_4 are hashed under S_0 and the padded A_1, ..., A_4 under S_1, each starting from 0^n, and the two results are XORed with S_A to give T

  18. Security Theorems • privacy: $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CHM}}(A) \le \frac{w\tilde\sigma^2}{2^{2n-6}} + \frac{w\tilde\sigma^3}{2^{2n-3}} + \frac{1}{2^n} + \frac{w\tilde\sigma}{2^n}$ • authenticity: $\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \frac{w\tilde\sigma^2}{2^{2n-6}} + \frac{w\tilde\sigma^3}{2^{2n-3}} + \frac{1}{2^n} + \frac{w\tilde\sigma}{2^n} + \frac{1 + H_{\max} + M_{\max}}{2^\tau}$ • τ: tag length, τ ≤ n • H_max, M_max are the max. block lengths of header and plaintext

  19. Security Issue • T is τ bits: $\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \cdots + \frac{1 + H_{\max} + M_{\max}}{2^\tau}$ • consider the case where τ is small, e.g. τ = 32 • with only one message of length 2^22 blocks (64 MBytes for n = 128), the bound is already (1 + 2^22)/2^32 ≈ 1/1024 (not acceptable in general) • "beyond the birthday bound security" has little impact when τ is small • same issue in GCM

  20. CIP (This Talk) • fix the security issue in CHM and GCM – can be used even when the MAC is short • beyond the birthday bound security • allows parallel computation • encryption part: CENC • MAC part: based on Inner Product Hash

  21. Inner Product Hash • inputs: x = (x_1, ..., x_t), key k = (k_1, ..., k_t) • output: H_k(x) = (x_1, ..., x_t) · (k_1, ..., k_t) = x_1 · k_1 ⊕ ··· ⊕ x_t · k_t, multiplication over GF(2^n) • fully parallelizable • |k| can be large, |x| = |k| – parse x into a "frame" (= ϖ blocks) – ϖ: frame width, small constant, default: ϖ = 4

  22. Padding for Hash (figure): x is followed by 10···0 so that the result is a whole number of frames of ϖ blocks (n bits each); the last frame of x holds ≤ ϖ blocks before padding

  23. MAC Part of CIP (figure, drawn with ϖ = 3): x_1, ..., x_9 are cut into frames (x_1, x_2, x_3), (x_4, x_5, x_6), (x_7, x_8, x_9); each frame is multiplied blockwise by (T_1, T_2, T_3) and summed, the frame counters ⟨0⟩_n, ⟨1⟩_n, ⟨2⟩_n are mixed in, each frame result goes through E_K, and the outputs are XORed to give T • combines the inner product (x_1, ..., x_ϖ) · (T_1, ..., T_ϖ) and E • long (but constant) key size • about |x|/n field multiplications and |x|/ϖn E calls

  24. MAC Part of CIP (same figure as slide 23) • frame counter to avoid trivial swap • last block of x is non-zero (by padding) • proof that CIP.Hash is ε-AXU

  25. CIP.Hash is ε-AXU (ε-almost XOR universal) • H is ε-AXU if for all x, x′ (x ≠ x′) and all y ∈ {0,1}^τ, Pr(H_K(x) ⊕ H_K(x′) = y) ≤ ε • Proposition: for all x, x′ (x ≠ x′) and all y ∈ {0,1}^τ, $\Pr(H_K(x) \oplus H_K(x') = y) \le \frac{\ell + \ell' - 1}{2^n} + \frac{2}{2^\tau} + \mathrm{Adv}^{\mathrm{prp}}_E(A)$ – x: ℓ frames, x′: ℓ′ frames, ℓ + ℓ′ − 1 ≤ 2^{n−1} – A makes at most ℓ + ℓ′ queries • the only term that depends on τ is 2/2^τ • it does not depend on the input length

  26. Encryption of CIP • replace the Hash in CHM with CIP.Hash • inputs: the key K, nonce N, plaintext M • outputs: the ciphertext C and tag T: (K, N, M) → CIP → (C, T) • M is encrypted and authenticated, can be any length, |C| = |M|

  27. Encryption of CIP (figure, first build step): the CHM layout of slide 17 with N → CENC, M_1, ..., M_4 → C_1, ..., C_4 and A_1, ..., A_4 hashed under S_0 and S_1 from 0^n into T; the following slides replace this hash

  28.-29. Encryption of CIP (figure, build step; slide 29 repeats slide 28): N → CENC; M_1, ..., M_8 → C_1, ..., C_8; the hash of C under S_0 starting from 0^n still gives T

  30. Encryption of CIP (figure, final): N → CENC; M_1, ..., M_8 → C_1, ..., C_8; the padded ciphertext C_1, ..., C_9 is cut into frames of three blocks, each frame is multiplied blockwise by (T_1, T_2, T_3), combined with its frame counter ⟨0⟩_n, ⟨1⟩_n, ⟨2⟩_n and encrypted under E_{K_H}; the three outputs are XORed to give T

  31. Hash Key Derivation of CIP • hash keys: K_H, T_1, ..., T_ϖ – K_H ← E_K(⟨0⟩_{n/2} ‖ 1^{n/2}) ‖ ··· ‖ E_K(⟨⌈k/n⌉ − 1⟩_{n/2} ‖ 1^{n/2}) – T_1 ← E_K(⟨⌈k/n⌉⟩_{n/2} ‖ 1^{n/2}) – T_2 ← E_K(⟨⌈k/n⌉ + 1⟩_{n/2} ‖ 1^{n/2}) – ··· – T_ϖ ← E_K(⟨⌈k/n⌉ + ϖ − 1⟩_{n/2} ‖ 1^{n/2})
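The CENC key stream of slides 12-13 and the CIP hash, key derivation and encryption of slides 21-31, as one added worked example in stdlib Python. This is not the paper's or the author's code: the blockcipher E is a toy stand-in (a 4-round Feistel over SHA-256) so that the block runs offline, the frame counter is assumed to be ⟨i⟩_n XORed into the E_{K_H} input, the key derivation assumes k = n (so ⌈k/n⌉ = 1), and the tag T ← Hash(C) ⊕ S_A truncated to τ bits follows CHM, as slide 26 says CIP does. Keys, nonces and messages in the usage are constructed.

```python
"""CIP sketch: CENC key stream + inner-product hash (added example, stdlib only).
Not the paper's reference code. E is a toy stand-in, so this is a demo of the
mode's structure, not a secure AEAD; details not on the slides are marked ASSUMED.
"""
import hashlib
import hmac

N_BYTES = 16                     # block length n = 128 bits
W = 256                          # CENC frame width w (slide 12 default)
VARPI = 4                        # hash frame width (slide 21 default)
POLY = (1 << 128) | 0x87         # GF(2^128) modulus x^128 + x^7 + x^2 + x + 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Toy blockcipher: 4-round Feistel with a SHA-256 round function. NOT secure;
    any 128-bit PRP (AES) slots in here without touching the mode."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^128); bit i of an int is the coefficient of x^i."""
    p = 0
    for _ in range(128):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return p


def blk(i: int) -> bytes:
    return i.to_bytes(N_BYTES, "big")


def cenc_keystream(K: bytes, N: bytes, m: int):
    """Slides 12-13: ctr <- N || 0...0 with |N| = n/2. Each frame of w output
    blocks costs w + 1 calls: L = E_K(ctr) is the mask, S_i = E_K(ctr + i) ^ L.
    Returns (blocks, number of E calls)."""
    assert len(N) == N_BYTES // 2
    ctr = int.from_bytes(N + bytes(N_BYTES // 2), "big")
    out, calls = [], 0
    while len(out) < m:
        L = E(K, blk(ctr)); ctr += 1; calls += 1
        for _ in range(min(W, m - len(out))):
            out.append(xor(E(K, blk(ctr)), L)); ctr += 1; calls += 1
    return out, calls


def hash_keys(K: bytes):
    """Slide 31 with k = n (ASSUMED, so ceil(k/n) = 1): K_H <- E_K(<0>_{n/2} || 1^{n/2}),
    T_j <- E_K(<j>_{n/2} || 1^{n/2}) for j = 1..varpi. The 1^{n/2} half keeps these
    inputs apart from CENC's counter blocks, which start at N || 0^{n/2}."""
    ones = b"\xff" * (N_BYTES // 2)
    KH = E(K, (0).to_bytes(N_BYTES // 2, "big") + ones)
    T = [int.from_bytes(E(K, j.to_bytes(N_BYTES // 2, "big") + ones), "big")
         for j in range(1, VARPI + 1)]
    return KH, T


def cip_hash(KH: bytes, T: list, x: bytes) -> bytes:
    """Slides 21-24: pad x with 10*, cut into frames of varpi blocks, take each
    frame's GF(2^n) inner product with (T_1..T_varpi), add the frame counter
    (ASSUMED: <i>_n XORed into the E input), encrypt under K_H, XOR the results."""
    fb = VARPI * N_BYTES
    padded = x + b"\x80" + bytes((-len(x) - 1) % fb)
    tag = 0
    for i in range(len(padded) // fb):
        frame = padded[i * fb:(i + 1) * fb]
        acc = 0
        for j in range(VARPI):
            acc ^= gf_mul(int.from_bytes(frame[j * N_BYTES:(j + 1) * N_BYTES], "big"), T[j])
        tag ^= int.from_bytes(E(KH, blk(acc ^ i)), "big")
    return blk(tag)


def cip_encrypt(K: bytes, N: bytes, M: bytes, tau: int = 128):
    """Slide 26: CHM with CIP.Hash. CENC gives 1 + ceil(|M|/n) blocks; the first
    (S_A) masks the tag, the rest is the pad. T <- Hash(C) ^ S_A, cut to tau bits."""
    S, _ = cenc_keystream(K, N, 1 + -(-len(M) // N_BYTES))
    C = xor(M, b"".join(S[1:]))          # zip truncates the pad to |M|
    KH, T = hash_keys(K)
    return C, xor(cip_hash(KH, T, C), S[0])[:tau // 8]


def cip_decrypt(K: bytes, N: bytes, C: bytes, tag: bytes, tau: int = 128):
    """Recompute the tag, compare in constant time, return None on failure."""
    S, _ = cenc_keystream(K, N, 1 + -(-len(C) // N_BYTES))
    KH, T = hash_keys(K)
    if not hmac.compare_digest(xor(cip_hash(KH, T, C), S[0])[:tau // 8], tag):
        return None
    return xor(C, b"".join(S[1:]))
```

Two things worth checking with it: `cenc_keystream(K, N, 600)` reports 603 calls, i.e. three masks for three frames, which is the w/(w + 1) throughput cost CENC pays for its bound; and a 4-byte tag (`tau=32`) verifies and rejects exactly as a 16-byte one does, which is the point of slide 25, since the τ-dependent term 2/2^τ does not grow with the message length.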
