Authenticated Encryption Mode for Beyond the Birthday Bound Security (slides)


  1. Authenticated Encryption Mode for Beyond the Birthday Bound Security
     Tetsu Iwata, Nagoya University, iwata@cse.nagoya-u.ac.jp
     ESC, Echternach Symmetric Crypto seminar, January 11, 2008

  2. Blockcipher
     [figure: plaintext M enters E under key K; encryption yields ciphertext C, decryption maps C back to M]
     • $|M| = |C| = n$ (block length), $|K| = k$ (key length)
     • designed to withstand various known attacks (differential attack, linear attack, ...)
     • indistinguishable from a random permutation even if the adversary obtains $2^{n-\delta}$ plaintext-ciphertext pairs

  3. Blockcipher Modes
     • privacy: CBC mode, CTR mode, ...
     • authenticity: CBC MAC, CMAC, PMAC, ...
     • privacy and authenticity: GCM, OCB, EAX, ...
     Security Proofs
     • birthday bound
     • success probability $O(\sigma^2/2^n)$
     • $\sigma$: amount of data the adversary obtains

  4. Security Proofs with Beyond the Birthday Bound
     • privacy: CENC, NEMO
     • authenticity: RMAC, Poly1305, MACH
     • privacy and authenticity: Generic Composition, CHM
     Beyond the Birthday Bound?
     • higher security is a valid goal
     • huge gap between blockcipher security and mode security
       – blockcipher: $2^{n-\delta}$, mode: $2^{n/2}$
     • some applications require $n = 64$ (HIGHT, PRESENT)
       – $2^{32}$ is small

  5. Goal of This Talk
     • design of an authenticated encryption mode, AE1
     • beyond the birthday bound security
     • fix several problems in existing modes

  6. Authenticated Encryption
     • two security goals:
       – privacy
       – authenticity
     • two design approaches
       – generic composition: secure encryption + secure MAC (BN00, K01)
       – one algorithm of dedicated design, more efficient than generic composition

  7. Authenticated Encryption Using Blockcipher
     • IAPM, IACBC (Jutla '01)
     • XCBC, XECBS (Gligor, Donescu '01)
     • OCB (Rogaway '01)
     • GCM (McGrew and Viega '04)
     • CHM (Iwata '06)
     • ...

  8. GCM (McGrew, Viega '04, NIST SP 800-38D)
     • Galois/Counter Mode
     • recommended by NIST as NIST SP 800-38D
     • IETF RFC 4106, payload encryption in IPsec ESP
     • IEEE 802.1AE, Media Access Control Security, frame data encryption in Layer 2 of Ethernet
     • IEEE P1619.1, tape storage encryption

  9. GCM (McGrew, Viega '04, NIST SP 800-38D)
     • blockcipher E
     • inputs: the key K, nonce N, plaintext M and header A
     • outputs: the ciphertext C and tag T
       $(K, N, M, A) \to \mathrm{GCM} \to (C, T)$
     • M is encrypted and authenticated
     • A is authenticated (and not encrypted)
     • M and A can be of any length
     • $|C| = |M|$

  10. Encryption of GCM
     [figure: the counter block starts at $N \| 0^{31}1$ and is incremented (inc) for each block; $E_K$ of each counter value is XORed with $M_1, \dots, M_4$ to give $C_1, \dots, C_4$; $H \leftarrow E_K(0^n)$; starting from $0^n$, the header blocks $A_1, \dots, A_4$, the ciphertext blocks $C_1, \dots, C_4$ and the length block $\mathrm{len}(A) \| \mathrm{len}(C)$ are absorbed by repeated $\otimes$ (multiplication by $H$ in $\mathrm{GF}(2^n)$), and the result is masked with $E_K$ of the initial counter block to give the tag $T$]

  11. Properties
     • combines CTR mode and polynomial hash over $\mathrm{GF}(2^n)$
     • uses a single key
     • provable security
       – privacy: $O(\sigma^2/2^n)$
       – authenticity: $O(\sigma^2/2^n)$
       – $\sigma$: length of data in blocks
     • allows parallel calls of E
       – can boost the throughput of encryption

  12. Properties
     • polynomial hash is not parallelizable
       [figure: $x_1, x_2, x_3, x_4$ are absorbed one after another, each step a multiplication by $H$, from $0^n$ to $T$]
       – can be a bottleneck for hardware (Satoh et al., ISC '07 can be used)
     • C cannot be processed until A is finished
       – can be a problem if C is ready before A
     • usual birthday bound security

  13. CHM (Iwata, FSE '06)
     • CENC with Hash based MAC
     • compared with GCM (slide 12):
       – "C cannot be processed until A is finished" is fixed: A and C are MACed separately
       – "usual birthday bound security" is fixed: uses CENC for encryption
       – CENC: encryption mode

  14. Parameters of CENC
     • blockcipher $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
     • nonce length: $\ell_{\mathrm{nonce}}$ bits, $\ell_{\mathrm{nonce}} < n$
     • frame width: w

  15. Key Stream Generation of CENC
     [figure: the counter ctr is incremented (inc) before each $E_K$ call; within a frame the first output is the mask L, and each of the next w outputs is XORed with L to give the key stream blocks $S_0, S_1, \dots$ (one frame = w key stream blocks from w+1 calls of $E_K$)]
     • L: mask
     • w: frame width, default: $w = 2^8 = 256$
     • N: nonce, $\mathrm{ctr} \leftarrow N \| 0 \cdots 0$, default: $|N| = \ell_{\mathrm{nonce}} = n/2$

  16. Encryption of CENC
     [figure: $\mathrm{ctr} \leftarrow N \| 0 \cdots 0$ feeds the key stream generation of slide 15; the key stream blocks $S_0, \dots, S_5$ are XORed with $M_0, \dots, M_5$ to give $C_0, \dots, C_5$]
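The key stream generation of slide 15 and the encryption of slide 16, as an added worked example (this is not code from the talk or from any CENC implementation). To run offline, $E_K$ is a hypothetical 4-round Feistel permutation on 64-bit blocks with a SHA-256 round function; it is a stand-in, not a secure cipher, and any real $n = 64$ blockcipher can take its place. Key, nonce and messages are constructed samples. The function also counts $E_K$ calls, which makes visible the $(w+1)/w$ overhead that the theorem on slide 18 charges to the PRP adversary B, and the usage at the bottom shows why a nonce must never repeat.

```python
import hashlib

N_BITS = 64                 # block length n: the n = 64 case slide 4 uses to motivate BBB security
N_BYTES = N_BITS // 8
W_DEFAULT = 256             # CENC frame width w = 2^8 (slide 15 default)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Hypothetical stand-in for E_K (not from the talk, not secure): a 4-round
    Feistel permutation on 64-bit blocks whose round function is SHA-256."""
    assert len(block) == N_BYTES
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor_bytes(left, f)
    return left + right


def cenc_keystream(key: bytes, nonce: bytes, nblocks: int, w: int = W_DEFAULT):
    """Key stream generation of CENC (slide 15).

    ctr <- N || 0...0 with |N| = n/2 (default). Per frame: L <- E_K(ctr) is the
    mask, then each of the next w counter values gives S_j <- E_K(ctr) xor L.
    Returns the key stream and the number of E_K calls, i.e. ceil(nblocks / w)
    masks plus nblocks: the (w+1)/w overhead of slide 18."""
    assert len(nonce) == N_BYTES // 2, "default nonce length is n/2 bits"
    ctr = int.from_bytes(nonce + bytes(N_BYTES - len(nonce)), "big")

    def e_ctr(c: int) -> bytes:
        return toy_block_encrypt(key, (c % (1 << N_BITS)).to_bytes(N_BYTES, "big"))

    blocks, calls = [], 0
    while len(blocks) < nblocks:
        mask = e_ctr(ctr)                     # one mask L per frame
        ctr, calls = ctr + 1, calls + 1
        for _ in range(w):
            if len(blocks) == nblocks:        # the last frame may be shorter than w
                break
            blocks.append(xor_bytes(e_ctr(ctr), mask))
            ctr, calls = ctr + 1, calls + 1
    return b"".join(blocks), calls


def cenc_encrypt(key: bytes, nonce: bytes, msg: bytes, w: int = W_DEFAULT) -> bytes:
    """Encryption of CENC (slide 16): C_i = M_i xor S_i, key stream truncated to |M| bits."""
    nblocks = -(-len(msg) // N_BYTES)         # ceil(|M| / n)
    stream, _ = cenc_keystream(key, nonce, nblocks, w)
    return xor_bytes(msg, stream[:len(msg)])


cenc_decrypt = cenc_encrypt                   # XOR with the same key stream


if __name__ == "__main__":
    key, nonce = bytes(range(16)), b"\x01\x02\x03\x04"       # constructed sample values
    m1 = b"constructed sample plaintext for CENC spanning several blocks"
    m2 = b"a second message encrypted under the same nonce, which must not happen"
    c1, c2 = cenc_encrypt(key, nonce, m1), cenc_encrypt(key, nonce, m2)
    assert cenc_decrypt(key, nonce, c1) == m1
    _, calls = cenc_keystream(key, nonce, 600)
    print("600 key stream blocks cost", calls, "E_K calls (w = 256)")
    k = min(len(m1), len(m2))
    # nonce reuse: the XOR of the two ciphertexts equals the XOR of the plaintexts
    print("c1 xor c2 == m1 xor m2:", xor_bytes(c1[:k], c2[:k]) == xor_bytes(m1[:k], m2[:k]))
```

Each frame costs one extra $E_K$ call for the mask, so 600 blocks with $w = 256$ take 603 calls; the XOR of two ciphertexts under one nonce leaks the XOR of the plaintexts exactly as in CTR mode, which is the "A must not repeat the same nonce" condition of slide 17 in concrete form.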

  17. Indistinguishability from Random String
     [figure: A sends queries (N, M) either to the CENC oracle, which returns $C = \mathrm{CENC}_K(N, M)$, or to the random oracle $R(\cdot)$, which returns a random string $C'$]
     A must not repeat the same nonce
     $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \overset{\mathrm{def}}{=} \left| \Pr_K(A^{\mathrm{CENC}_K(\cdot,\cdot)} = 1) - \Pr_R(A^{R(\cdot,\cdot)} = 1) \right|$

  18. Security Theorem of CENC
     $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le \dfrac{w \hat\sigma^3}{2^{2n-3}} + \dfrac{w \hat\sigma}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(B)$
     • A: q queries with a total of $\sigma$ blocks
     • B: $(w+1)\hat\sigma/w$ queries
     • $\hat\sigma = \sigma + qw$
     • beyond the birthday bound
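To make the gap of slide 4 concrete, an added calculation (not from the talk) evaluates the CENC privacy bound of slide 18 against the generic birthday bound $\sigma^2/2^n$ of slide 3 for $n = 64$ and $w = 256$, and solves for the largest $\sigma$ (in blocks) at which each bound stays below a target advantage. Assumptions: the $\mathrm{Adv}^{\mathrm{prp}}_E(B)$ term is dropped (ideal blockcipher), and the query count $q$ is a parameter because $\hat\sigma = \sigma + qw$ grows with it.

```python
from math import log2

N = 64           # block length in bits (slide 4: some applications need n = 64)
W = 256          # CENC frame width (slide 15 default)


def birthday_bound(sigma: int, n: int = N) -> float:
    """Generic birthday-bound advantage of slide 3: sigma^2 / 2^n."""
    return sigma ** 2 / 2 ** n


def cenc_priv_bound(sigma: int, q: int = 1, n: int = N, w: int = W) -> float:
    """Privacy bound of CENC from slide 18 without the Adv^prp_E(B) term:
    w*s^3 / 2^(2n-3) + w*s / 2^n  with  s = sigma + q*w (sigma-hat)."""
    s = sigma + q * w
    return w * s ** 3 / 2 ** (2 * n - 3) + w * s / 2 ** n


def max_sigma(bound, target: float, **kw) -> int:
    """Largest sigma (in blocks) with bound(sigma) <= target.
    Both bounds are monotone in sigma, so binary search over 0..2^N suffices."""
    lo, hi = 0, 2 ** N
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if bound(mid, **kw) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def data_limits(target: float = 2 ** -20, q: int = 1) -> dict:
    """log2 of the data limit (blocks) under each bound at the target advantage."""
    def lg(s: int) -> float:
        return log2(s) if s else float("-inf")
    return {
        "birthday": lg(max_sigma(birthday_bound, target)),
        "cenc": lg(max_sigma(cenc_priv_bound, target, q=q)),
    }


if __name__ == "__main__":
    for q in (1, 2 ** 10, 2 ** 20):
        print(f"q = 2^{log2(q):.0f}:", data_limits(q=q))
```

At a target advantage of $2^{-20}$ the birthday bound caps the data at exactly $2^{22}$ blocks, while the slide-18 bound allows a little over $2^{32}$ blocks: with $n = 64$ the cubic term $w\hat\sigma^3/2^{2n-3}$ is the one that binds, not the linear term, which is why the limit sits near $2^{(2n-3-8)/3}$ rather than near $2^{n-8}$.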

  19. CHM (Iwata, FSE '06)
     • CENC with Hash based MAC
     • $S_0 \leftarrow E_K(1^{n-1}0)$, $S_1 \leftarrow E_K(1^n)$
     • use CENC to produce $1 + |M|/n$ blocks of S: $\mathrm{CENC}_K(N) \to S = S_A \| S_C$, where $S_A$ is the first block and $S_C$ the remaining $|M|/n$ blocks
     • $C \leftarrow M \oplus$ (first $|M|$ bits of $S_C$)
     • $T \leftarrow \mathrm{Hash}_{S_0}(C) \oplus \mathrm{Hash}_{S_1}(A) \oplus S_A$ (truncate if needed)

  20. Encryption of CHM
     [figure: $S_0 \leftarrow E_K(1^{n-1}0)$, $S_1 \leftarrow E_K(1^n)$; N enters CENC, which encrypts $M_1, \dots, M_4$ to $C_1, \dots, C_4$; the padded header blocks $A_1, \dots, A_4$ are hashed in a polynomial chain keyed by $S_1$ and the padded ciphertext blocks $C_1, \dots, C_4$ in a separate chain keyed by $S_0$, each starting from $0^n$, and the two results are combined into T]

  21. Security Theorems
     • privacy
       $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CHM}}(A) \le \dfrac{w \tilde\sigma^2}{2^{2n-6}} + \dfrac{w \tilde\sigma^3}{2^{2n-3}} + \dfrac{1}{2^n} + \dfrac{w \tilde\sigma}{2^n}$
     • authenticity
       $\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \dfrac{w \tilde\sigma^2}{2^{2n-6}} + \dfrac{w \tilde\sigma^3}{2^{2n-3}} + \dfrac{1}{2^n} + \dfrac{w \tilde\sigma}{2^n} + \dfrac{1 + H_{\max} + M_{\max}}{2^\tau}$
     • beyond the birthday bound, $\tau \le n$: tag length
     • $H_{\max}$, $M_{\max}$ are the maximum block lengths of header and plaintext

  22. Properties
     • combines CENC and polynomial hash
     • uses a single key
     • A and C are MACed separately
     • better than the birthday bound security
       – problem if $\tau$ is small (e.g. $\tau = 32$ or 48)
       – similar to GCM: $\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \cdots + \dfrac{1 + H_{\max} + M_{\max}}{2^\tau}$
     • polynomial hash is not parallelizable (as in GCM)
       – can be a bottleneck for hardware

  23. Inner Product Hash
     • fully parallelizable
     • inputs: $x = (x_1, \dots, x_t)$, key $k = (k_1, \dots, k_t)$
     • output: $H_k(x) = (x_1, \dots, x_t) \cdot (k_1, \dots, k_t) = x_1 \cdot k_1 \oplus \cdots \oplus x_t \cdot k_t$, multiplication over $\mathrm{GF}(2^n)$
     • $|k|$ can be large, $|x| = |k|$

  24. AE1 (This Talk)
     • uses a blockcipher
     • can be used even if $\tau$ is small
     • allows parallel computation
       – $\varpi$: frame width, default: $\varpi = 2$ or 4
     • Hash part
       – input x, keys $K, T_1, \dots, T_\varpi$ (constant size)
       – output T

  25. Padding for Hash
     [figure: $x \| 10 \cdots 0$, split into blocks of n bits and grouped into frames of $\varpi$ blocks; every frame holds $\varpi$ blocks except the last, which holds at most $\varpi$]

  26. Hash of AE1
     [figure: blocks $x_1, \dots, x_9$ in frames of $\varpi = 3$; each frame is multiplied blockwise by the keys $T_1, T_2, T_3$ (reused in every frame), combined with a frame counter (0, 1, 2, each as an n-bit block) and passed through $E_K$; the per-frame outputs give T]
     • combines inner product $(x_1, \dots, x_\varpi) \cdot (T_1, \dots, T_\varpi)$ and E
     • long (but constant) key size
     • about $|x|/n$ field multiplications and $|x|/(\varpi n)$ calls of E

  27. Hash of AE1
     [figure: same as slide 26]
     • frame counter to avoid a trivial swap of frames
     • last block of x is non-zero (by padding)
     • proof that AE1.Hash is $\epsilon$-AXU

  28. AE1.Hash is $\epsilon$-AXU ($\epsilon$-almost XOR universal)
     • H is $\epsilon$-AXU if $\forall x, x'$ ($x \ne x'$) and $\forall y \in \mathrm{GF}(2^\tau)$, $\Pr(H_K(x) \oplus H_K(x') = y) \le \epsilon$
     • Proposition: $\forall x, x'$ ($x \ne x'$) and $\forall y \in \mathrm{GF}(2^\tau)$,
       $\Pr(H_K(x) \oplus H_K(x') = y) \le \dfrac{\ell + \ell' - 1}{2^n} + \dfrac{2}{2^\tau} + \mathrm{Adv}^{\mathrm{prp}}_E(A)$
       – x: $\ell$ frames, $x'$: $\ell'$ frames, $\ell + \ell' - 1 \le 2^n - 1$
       – A makes at most $\ell + \ell'$ queries
     • $2/2^\tau$ is a constant
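The three hash shapes the talk compares, as an added example (not code from the talk and not AE1's specification): the polynomial hash over $\mathrm{GF}(2^n)$ that GCM and CHM use (slide 12, sequential by construction), the inner product hash of slide 23 (every term independent), and a frame-wise inner product hash with the 10...0 padding of slide 25 and the frame counter of slides 26 and 27. Assumptions: the field is $\mathrm{GF}(2^{128})$ with the GCM polynomial in plain polynomial bit order (not GCM's reflected byte encoding); the per-frame $E_K$ of AE1.Hash is replaced by a keyed BLAKE2b call as a PRF stand-in; key layout, the XOR of the frame index and the XOR combination of frame outputs are this example's own choices; $\varpi = 2$ and all keys and inputs are constructed. The swap test shows what the frame counter buys.

```python
import hashlib
from typing import List

N = 128                                   # block and field size in bits
R = (1 << 128) | 0x87                     # x^128 + x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication modulo R in GF(2^128); bit i of an int is x^i."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= R
    return res


def poly_hash(h: int, blocks: List[int]) -> int:
    """GCM/CHM-style polynomial hash by Horner's rule: y_i = (y_{i-1} xor x_i) * h.
    Block i cannot be absorbed before y_{i-1} exists, hence 'not parallelizable'."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def inner_product_hash(keys: List[int], blocks: List[int]) -> int:
    """Slide 23: x_1*k_1 xor ... xor x_t*k_t with |x| = |k|; every term is independent."""
    if len(keys) != len(blocks):
        raise ValueError("inner product hash needs |x| = |k|")
    out = 0
    for k, x in zip(keys, blocks):
        out ^= gf_mul(x, k)
    return out


def pad_blocks(msg: bytes) -> List[int]:
    """Slide 25: x || 10...0 up to a multiple of n bits, so the last block is non-zero."""
    padded = msg + b"\x80"
    padded += bytes((-len(padded)) % (N // 8))
    return [int.from_bytes(padded[i:i + N // 8], "big") for i in range(0, len(padded), N // 8)]


def prf_block(key: bytes, value: int) -> int:
    """Stand-in for the per-frame E_K call (assumption: keyed BLAKE2b instead of a blockcipher)."""
    digest = hashlib.blake2b(value.to_bytes(N // 8, "big"), key=key, digest_size=N // 8).digest()
    return int.from_bytes(digest, "big")


def framewise_hash(key: bytes, keys: List[int], blocks: List[int], use_counter: bool = True) -> int:
    """Frame-wise inner product with the constant-size key T_1..T_w reused for every frame;
    the frame index is XORed in before the PRF call and the frame outputs are XORed into T.
    A short last frame uses only the first keys (slide 25: last frame holds at most w blocks)."""
    width = len(keys)
    if not blocks:
        raise ValueError("input must contain at least one (padded) block")
    t = 0
    for i in range(0, len(blocks), width):
        frame = blocks[i:i + width]
        v = inner_product_hash(keys[:len(frame)], frame)
        if use_counter:
            v ^= i // width                   # frame counter: frame order now matters
        t ^= prf_block(key, v)
    return t


if __name__ == "__main__":
    key = b"constructed 16-byte key!"
    keys = [0x1111, 0x2222 << 64]             # T_1, T_2 for frame width 2 (constructed)
    blocks = pad_blocks(b"constructed input, two frames of two blocks")
    swapped = blocks[2:4] + blocks[0:2]
    print("no counter, frames swapped, same tag:",
          framewise_hash(key, keys, blocks, False) == framewise_hash(key, keys, swapped, False))
    print("with counter, frames swapped, same tag:",
          framewise_hash(key, keys, blocks) == framewise_hash(key, keys, swapped))
```

Without the counter, swapping two complete frames swaps two XORed terms and leaves the result unchanged, which is the "trivial swap" of slide 27; with the counter the two frames enter the PRF with different inputs and the collision disappears. Each frame's inner product and PRF call depend on no other frame, which is the parallelism slide 24 promises, whereas `poly_hash` carries a chain value from block to block.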

  29. Encryption of AE1
     • replace the Hash in CHM with AE1.Hash
     • inputs: the key K, nonce N, plaintext M
     • outputs: the ciphertext C and tag T
       $(K, N, M) \to \mathrm{AE1} \to (C, T)$
     • M is encrypted and authenticated, can be of any length, $|C| = |M|$

  30. Hash Key Derivation of AE1
     • Hash keys: $K_H, T_1, \dots, T_\varpi$
       – $K_H \leftarrow E_K(\langle 0 \rangle_{n/2} \| 1^{n/2}) \| \cdots \| E_K(\langle \lceil k/n \rceil - 1 \rangle_{n/2} \| 1^{n/2})$
       – $T_1 \leftarrow E_K(\langle \lceil k/n \rceil \rangle_{n/2} \| 1^{n/2})$
       – $T_2 \leftarrow E_K(\langle \lceil k/n \rceil + 1 \rangle_{n/2} \| 1^{n/2})$
       – ...
       – $T_\varpi \leftarrow E_K(\langle \lceil k/n \rceil + \varpi - 1 \rangle_{n/2} \| 1^{n/2})$

  31. Encryption of AE1
     [figure: the CHM picture of slide 20 as the starting point: N enters CENC, $M_1, \dots, M_4$ become $C_1, \dots, C_4$, and the header blocks $A_1, \dots, A_4$ and the ciphertext blocks are hashed in two chains (keyed by $S_1$ and $S_0$) into T]

  32. Encryption of AE1
     [figure: N enters CENC, $M_1, \dots, M_8$ become $C_1, \dots, C_8$, and only the ciphertext blocks are hashed (all under $S_0$ in the figure), starting from $0^n$, into T; there is no separate header input]

  33. Encryption of AE1
     [figure: same as slide 32]
