Authenticated Encryption with Variable Stretch

Reza Reyhanitabar (1), Serge Vaudenay (2), Damian Vizár (2)
(1) NEC Laboratories Europe, Germany; (2) EPFL, Switzerland
DIAC 2016: Directions in Authenticated Ciphers
This work was partially supported by Microsoft Research.
D. Vizár (EPFL), Variable Stretch-AE, DIAC 2016
Authenticated Encryption ??!!

[Figure: M and A enter E under key K; the ciphertext enters D under the same K and yields M, or ⊥ if it is not authentic.]
Need redundancy.
◮ Confidentiality + Authenticity/Integrity for M [Bellare, Namprempre 00], [Katz, Yung 00]
◮ Authenticity for A [Rogaway 02]
Ciphertext Expansion a.k.a. Stretch

Redundancy in AE: ciphertext expansion.
[Figure: M → E_K → C, with C longer than M by τ bits.]
Ciphertext expanded by τ bits ⇒ expected cost of forgery ≈ $2^{\tau}$ queries.
How to Stretch? w.r.t. the Syntax of Security Notions

Group 1: (Mostly) constant τ, parameter of the scheme
- nAE [Rogaway, Bellare, Black, Krovetz 01]
- AEAD [Rogaway 02]
- DAE and MRAE [Rogaway, Shrimpton 06]
- OAE [Fleischmann, Forler, Lucks 12]
- AE-RUP [Andreeva, Bogdanov, Luykx, Mennink, Mouha, Yasuda 14]
- OAE2 [Hoang, Reyhanitabar, Rogaway, V 15]
◮ Different tag lengths ⇒ independent keys

Group 2: User-selectable τ per query
- RAE [Hoang, Krovetz, Rogaway 15]
◮ "Best possible security", hard to achieve
◮ Cannot be "online"
◮ Complicated, difficult to implement
Stretch-Misuse

Group 1: Constant τ, parameter of the scheme
- nAE
- AEAD
- DAE and MRAE
- OAE
- AE-RUP
- OAE2
What happens if stretch is (mis)treated as a user input?
Stretch-Misuse: Why Should We Consider It?

Because it is tempting:
- Handling multiple keys is annoying.
- "Sliding-scale" authenticity as a feature (τ bits of stretch ⇒ τ bits of authenticity for individual messages), e.g. moderate τ_1 for most messages and huge τ_2 for critical ones.
- Saving resources in constrained systems, e.g. sensor nodes: wireless communication is expensive, so security is reduced to increase battery life (key exchange is way too expensive).
[Figure: M → E_K → C.]
Stretch-Misuse: Why Should We Consider It?

Because it is easy to do: most often there is a default authentication tag that is truncated.
[Figure: (N, A, M) → Enc_K → C-core ‖ T, where the n-bit tag T is truncated to τ bits.]
Because it is a matter of "when", not "if", a misuse occurs: there are past examples of this for other misuses.
… and because there are attacks.
Nonce-based AE with Associated Data (AEAD)

[Figure: Enc takes (N, A, M) under K and outputs C; Dec takes (N, A, C) under K and outputs M or ⊥.]
Enc, Dec: deterministic algorithms
N: Nonce (public message number) that must not repeat
A: Associated Data that must be authenticated, but not encrypted
M: Plaintext that must be encrypted and authenticated
C: Ciphertext (stretched by τ bits)
K: Secret key
Nonce-based AE with Associated Data

N never repeats, and (N, A, C) is not trivially correct (C was not returned by the encryption oracle for the same N, A):
[Figure: real world, the adversary A queries Enc_K(·,·,·) on (N, A, M) and receives C, and queries Dec_K(·,·,·) on (N, A, C) and receives M or ⊥; ideal world, $(·,·,·) returns random bits and ⊥(·,·,·) always rejects.]

$$\mathbf{Adv}^{\mathrm{aead}}_{\Pi}(\mathcal{A}) = \Pr\left[\mathcal{A}^{\mathrm{Enc}_K(\cdot,\cdot,\cdot),\,\mathrm{Dec}_K(\cdot,\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[\mathcal{A}^{\$(\cdot,\cdot,\cdot),\,\bot(\cdot,\cdot,\cdot)} \Rightarrow 1\right]$$

… and the ciphertext expansion is assumed to be constant.
Trivial Tag-Length-Variation Attack on AEAD

"Versions of OCB with different tag lengths exist, tag truncation trivially correct if used under same key" [Manger 13, CFRG discussion]

1. Query $C \| T \leftarrow \mathrm{OCB}[128]_K(N, A, M)$ for the target (N, A, M).
2. Compute $T' \leftarrow \mathrm{trunc}(T, 64)$.
3. "Forge": $\mathrm{OCB}[64]^{-1}_K(N, A, C \| T')$ accepts $C \| T'$.
[Figure: (N, A, M) → Enc_K → C-core ‖ T, where the n-bit tag T is truncated to τ bits.]

Obvious property, but … it contradicts the intuition of τ-bit resistance to forgery.
Trivial Tag-Length-Variation Attack on AEAD

"Would it be better if the algorithms with different tag lengths could not affect each other?" Probably!
Ad-hoc solutions proposed:
- OCB adopts the fix proposed by Manger: "just drop the tag length into the nonce".
- Nandi proposes to do the same with the AD.
- CLOC&SILC, OTR and OMD heuristically tweaked for round 2 of the CAESAR competition.
Gradual Forgery for Ciphertext Translation: Ciphertext Translation

Message-only core + AD-"hash":
[Figure: (N, M) → E_K → C_M ‖ C_0, an output of |M| + τ bits whose τ-bit tail C_0 is XORed with the n-bit hash H_K(A) truncated to τ bits.]
- The message ciphertext C_M already "looks random".
- H_K can be AXU.
Gradual Forgery for Ciphertext Translation: The Attack

Original attack: gradual forgery on OMD [Dobraunig, Eichlseder, Mendel, Schläffer 14].
Setting: access to Enc and Dec oracles with stretch $\tau_1 < \tau_2 < \dots < \tau_g$ using the same key, i.e. $\mathrm{Enc}_K[\tau_i](\cdot,\cdot,\cdot)$ and $\mathrm{Dec}_K[\tau_i](\cdot,\cdot,\cdot)$ for $i = 1, \dots, g$, against a scheme with the ciphertext-translation structure.
Goal: forgery for (N, A*, M) with τ_g bits of stretch.

1. Pick some $A \neq A^*$.
2. Get $C \| T \leftarrow \mathrm{Enc}[\tau_1](N, A, M)$.
3. Find $\delta \in \{0,1\}^{\tau_1}$ s.t. $\mathrm{Dec}[\tau_1](N, A^*, C \| (T \oplus \delta))$ succeeds.
4. Set $\Delta_A \leftarrow \delta$.   ▷ $\Delta_A = \mathrm{trunc}(H_K(A) \oplus H_K(A^*), \tau_1)$
[Figure: the τ_1-bit tag for (N, A, M) and the one for (N, A*, M) share the core output and differ only in the truncated AD hash, so they differ by Δ_A.]
5. Get $C \| T \leftarrow \mathrm{Enc}[\tau_2](N, A, M)$.
6. Find $\delta \in \{0,1\}^{\tau_2 - \tau_1}$ s.t. $\mathrm{Dec}[\tau_2](N, A^*, C \| (T \oplus (\Delta_A \| \delta)))$ succeeds.
7. Set $\Delta_A \leftarrow \Delta_A \| \delta$.
[Figure: at stretch τ_2 the first τ_1 bits of the tag difference are already known; only the next τ_2 − τ_1 bits are searched.]
…
Final round: get $C \| T \leftarrow \mathrm{Enc}[\tau_g](N, A, M)$; find $\delta \in \{0,1\}^{\tau_g - \tau_{g-1}}$ s.t. $\mathrm{Dec}[\tau_g](N, A^*, C \| (T \oplus (\Delta_A \| \delta)))$ succeeds; output the forgery $(N, A^*, C \| (T \oplus (\Delta_A \| \delta)))$.
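Both the tag-length-variation attack (the "Trivial Tag-Length-Variation Attack" slide) and the gradual forgery (the slides above) can be reproduced against a toy model of the ciphertext-translation structure, which also makes the cost difference measurable. The Python below is an added example written for this page; it is not code from the slides, from OMD or from OCB. It assumes a constructed scheme in which HMAC-SHA256 stands in for the core PRF and for H_K, the tag is the "default tag, truncated" of the stretch-misuse slide, and the bind_tau switch applies the ad-hoc fix (here: feeding τ into both the core-tag input and the AD hash, an assumption of this example). The names TranslationAE, truncation_forgery, gradual_forgery, ad_delta and the key, nonce, AD and message values are all constructed.

```python
import hashlib
import hmac

# Constructed demo inputs (not from the slides).
DEMO_KEY = b"k" * 32
DEMO_N, DEMO_A, DEMO_A_STAR, DEMO_M = b"nonce-1", b"ad-A", b"ad-B", b"meter reading 42"


def _prf(key, label, *parts):
    """HMAC-SHA256 stands in for every keyed function of the toy scheme."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)  # length-prefix fields so they cannot slide
    return h.digest()


def _top_bits(digest, tau):
    """Leading tau bits of a digest as an int: a 'default tag' truncated to tau bits."""
    return int.from_bytes(digest, "big") >> (8 * len(digest) - tau)


class TranslationAE:
    """Toy ciphertext translation: message-only core (keystream + core tag over (N, M))
    plus an AD hash H_K(A) XORed into the tag, everything truncated to tau bits."""

    def __init__(self, key, bind_tau=False):
        self.key = key
        self.bind_tau = bind_tau  # True = fix: tau is bound into the core tag and the AD hash

    def _label(self, tag, tau):
        return tag + (bytes([tau]) if self.bind_tau else b"")

    def _keystream(self, N):
        return _prf(self.key, b"keystream", N)  # one block: M is at most 32 bytes in this toy

    def _core_tag(self, N, M, tau):
        return _top_bits(_prf(self.key, self._label(b"core-tag", tau), N, M), tau)

    def _ad_hash(self, A, tau):
        return _top_bits(_prf(self.key, self._label(b"ad-hash", tau), A), tau)

    def enc(self, N, A, M, tau):
        C = bytes(m ^ k for m, k in zip(M, self._keystream(N)))
        return C, self._core_tag(N, M, tau) ^ self._ad_hash(A, tau)

    def dec(self, N, A, C, T, tau):
        M = bytes(c ^ k for c, k in zip(C, self._keystream(N)))
        if self._core_tag(N, M, tau) ^ self._ad_hash(A, tau) != T:
            return None  # reject: the slides' bottom symbol
        return M

    def ad_delta(self, A, A_star, tau):
        """trunc(H_K(A) xor H_K(A*), tau): the value the gradual forgery learns at stretch tau."""
        return self._ad_hash(A, tau) ^ self._ad_hash(A_star, tau)


def truncation_forgery(ae, N, A, M, tau_long, tau_short):
    """Does a tau_long-bit tag, truncated to tau_short bits, verify under the same key?"""
    C, T = ae.enc(N, A, M, tau_long)
    return ae.dec(N, A, C, T >> (tau_long - tau_short), tau_short) == M


def gradual_forgery(ae, N, A, A_star, M, taus):
    """Learn Delta_A a few bits at a time using oracles of stretch taus[0] < ... < taus[-1].
    Returns ((C, T) accepted for (N, A_star) at stretch taus[-1], or None) and the query count."""
    delta, known, queries = 0, 0, 0
    for tau in taus:
        C, T = ae.enc(N, A, M, tau)
        queries += 1
        extra = tau - known  # only the tag bits beyond the known prefix are searched
        for d in range(1 << extra):
            cand = (delta << extra) | d
            queries += 1
            if ae.dec(N, A_star, C, T ^ cand, tau) is not None:
                delta, known = cand, tau
                break
        else:
            return None, queries  # no candidate with the known prefix works: tags are unrelated
    return (C, T ^ delta), queries


def demo(bind_tau, taus=(8, 12, 16)):
    """Run both attacks against the toy scheme with or without the tag-length binding."""
    ae = TranslationAE(DEMO_KEY, bind_tau)
    forged, q = gradual_forgery(ae, DEMO_N, DEMO_A, DEMO_A_STAR, DEMO_M, taus)
    return {
        "truncation_accepted": truncation_forgery(ae, DEMO_N, DEMO_A, DEMO_M, 128, 64),
        "gradual_forgery_accepted": forged is not None
        and ae.dec(DEMO_N, DEMO_A_STAR, *forged, taus[-1]) == DEMO_M,
        "queries": q,
        "brute_force_bound": 1 << taus[-1],
    }


if __name__ == "__main__":
    for b in (False, True):
        print("bind_tau =", b, demo(b))
```

Without binding, the run at stretches 8 < 12 < 16 produces an accepted 16-bit forgery in at most 3 + 2^8 + 2^4 + 2^4 = 291 oracle queries, where the τ-bit intuition promises about 2^16; in general the gradual attack costs roughly the sum of 2^(τ_i − τ_{i−1}) rather than 2^(τ_g). With bind_tau the truncated 128-bit tag is rejected by the 64-bit variant, and the τ_1-bit value of Δ_A is no longer a prefix of the τ_2-bit one, so the search stalls and gradual_forgery returns None (except in the roughly 2^(−τ_1)-probability event that the unrelated differences share a prefix). Note that in this toy the attack learns only the difference of AD hashes, so binding τ into the core alone, leaving H_K(A) shared across stretches, would leave the prefix relation intact; the AD hash itself has to depend on τ.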