Bernstein Bound is Tight: Repairing Luykx-Preneel Optimal Forgeries
Mridul Nandi, Indian Statistical Institute, Kolkata
CRYPTO 2018

Outline: History of WCS · Known Security Analysis · Our Works
Wegman-Carter-Shoup (WCS) MAC
Figure: $T = H_\kappa(M) \oplus E_K(N)$
• Nonce based authenticator
• Initial variant (WC authenticator) due to Wegman and Carter [WC81]
• Use of block cipher $E_K$ due to [Sho96]
Brief History of WC Authenticator
• Code of Gilbert, MacWilliams and Sloane [GMS74]
• one-time authentication protocol
• Issue: a fresh key of size as large as the message
• WC authenticator uses a strongly universal$_2$ hash function $H_\kappa$ (based on [CW79]).
• $R_1, R_2, \ldots$ is a sequence of secret keys
• message number $n$ (unique) and a message $M$
• Tag: $T = H_\kappa(M) \oplus R_n$.
Brief History of WC Authenticator (contd.)
Figure: $T = H_\kappa(M) \oplus R_n$
• universal$_2$ is relaxed to a weaker hash, AXU, in [Kra94/Rog95]
  – $\Pr(H_\kappa(M) \oplus H_\kappa(M') = \delta)$ is small
• polynomial hashing over $n$ bits: $\mathrm{Poly}_\kappa(M) := m_d \cdot \kappa \oplus \cdots \oplus m_1 \cdot \kappa^d$ is $d/2^n$-AXU
Getting rid of one-time masking
Figure: $T = H_\kappa(M) \oplus R_n$. We can compute $R_n$ directly from $n$ and a secret key.
• Use PRBG (Brassard [Bra83]).
• Sequential in nature.
• Direct efficient computation of $R_n$ (Blum-Blum-Shub PRBG)
• also modeled as a pseudorandom function.
Getting rid of one-time masking (contd.)
Figure: $T = H_{K_h}(M) \oplus F_K(N)$
• Use a pseudorandom function
Finally - We have WCS
Figure: $T = H_\kappa(M) \oplus E_K(N)$
• Use a pseudorandom function
• The block cipher (pseudorandom permutation) is widely available. Shoup analyzed WC when the PRF is replaced by a PRP.
In this Talk
We briefly revisit the security analysis.
• Different attacks.
• Shoup's security guarantee.
• Bernstein's bound and interpretation.
Recent development on WCS.
• Missing difference problem [LS18].
• Luykx-Preneel "optimal" forgeries [LP18] using a false key set.
Identify the issues of Luykx-Preneel forgeries.
In this Talk (contd.)
We resolve it here.
• We prove the optimality of the Bernstein bound.
• False-key based approach, but different analysis:
  – messages are chosen at random
  – messages are any fixed values
Finally, extend this to show tightness of GCM security.
Polynomial Hashing based WCS: Nonce Misuse Forgery
Figure: $T = \mathrm{Poly}_\kappa(M) \oplus E_K(N)$
• $P_M(\kappa) := \mathrm{Poly}_\kappa(M) := m_d \cdot \kappa + \cdots + m_1 \cdot \kappa^d$
• nonce misuse (Joux's forbidden attack):
  1. $T$ and $T'$ tags of $(N, M)$ and $(N, M')$ $\Rightarrow$ $P_M(\kappa) \oplus P_{M'}(\kappa) = T \oplus T'$
  2. solve for the hash key (solving a polynomial equation).
Polynomial Hashing based WCS: Nonce Respecting Forgery
Figure: $T = \mathrm{Poly}_\kappa(M) \oplus E_K(N)$. $T$ is a tag of $(N, M)$. $(N, M', T')$ is invalid iff $\kappa \notin \mathrm{Sol}(P_M(\kappa) \oplus P_{M'}(\kappa) = T \oplus T')$.
• $d$ disjoint solutions for each forging attempt.
• success probability after $v$ forging attempts: $v \cdot \epsilon = v \cdot d/2^n$.
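A toy instance of polynomial-hash WCS over GF(2^8), added here as an illustration and not part of the talk, so that the "d solutions per forging attempt" claim can be counted directly. The field reduction polynomial 0x11B, the seeded random permutation standing in for E_K, and the sample messages are all assumptions of this example.

```python
import random

N_BITS = 8
IRRED = 0x11B  # x^8 + x^4 + x^3 + x + 1: assumed toy field GF(2^8), not a real tag size

def gf_mul(a, b):
    """Carry-less multiplication of two field elements, reduced modulo IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << N_BITS):
            a ^= IRRED
        b >>= 1
    return r

def poly_hash(kappa, blocks):
    """Poly_kappa(M) = m_d*kappa + ... + m_1*kappa^d, evaluated in Horner form."""
    acc = 0
    for m in blocks:  # m_1 is absorbed first, so it ends up multiplied by kappa^d
        acc = gf_mul(acc ^ m, kappa)
    return acc

def make_toy_prp(seed=1):
    """Stand-in for the block cipher E_K: a secret random permutation of {0,1}^8."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)  # constructed toy key, not a real cipher
    return table

def wcs_tag(kappa, prp, nonce, blocks):
    """WCS tag T = Poly_kappa(M) xor E_K(N)."""
    return poly_hash(kappa, blocks) ^ prp[nonce]

def consistent_keys(m, m2, t, t2):
    """The set Sol from the slide: hash keys with P_M(k) xor P_M'(k) = T xor T',
    i.e. exactly the keys under which the forgery (N, M', T') would verify."""
    return [k for k in range(1 << N_BITS)
            if poly_hash(k, m) ^ poly_hash(k, m2) == t ^ t2]

def max_solutions(m, m2):
    """Largest |Sol| over all tag differences; the slide bounds this by d = len(m)."""
    return max(len(consistent_keys(m, m2, 0, delta)) for delta in range(1 << N_BITS))
```

For the constructed messages [5, 2, 3] and [1, 2, 3] the difference polynomial is 4·κ³, so no tag difference is consistent with more than d = 3 hash keys, matching the d/2^n AXU bound.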
Bernstein and Shoup's Bound on WCS
• Classical bound: $v \cdot \epsilon$ (based on RF or one-time key)
• By the PRP-PRF switching lemma:
  $v \cdot \epsilon + \frac{(q+v)^2}{2^{n+1}}$. (1)
• Shoup's bound: if $\epsilon q^2 \le 1$,
  $2v \cdot \epsilon$. (2)
• Bernstein bound: for all $q$ and $v$,
  $v \cdot \epsilon \cdot \left(1 - \frac{q}{2^n}\right)^{-\frac{q+1}{2}} \approx v \cdot \epsilon \cdot e^{q^2/2^{n+1}}$. (3)
Interpretation of Shoup's and Bernstein Bound
polynomial hash ($\epsilon = d/2^n$) and $v = 1$. Compare: advantage $= \eta$
• Classical bound: $(v + q) \ll 2^{n/2} \Rightarrow \eta$ is small
• Shoup's bound: $q \le 2^{n/2}/\sqrt{d} \Rightarrow \eta \approx 2^{-n}$
• Bernstein bound: $q \le 2^{n/2} \Rightarrow \eta \approx 2^{-n}$
Example: $n = 128$ and $d = 2^{20}$. Data limit is set for advantage $2^{-32}$.
• Classical bound: $(v + q) \le 2^{48.5}$.
• Shoup's bound: $q \le 2^{54}$.
• Bernstein bound: $q \le 2^{64}$.
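The three bounds evaluated numerically, as an added example that is not part of the talk: it recovers the data limits quoted above for n = 128, d = 2^20, v = 1 and target advantage 2^-32 by bisection over log2(q), and shows how far below the target the Bernstein bound still sits at q = 2^64. The bisection helper and the treatment of Shoup's side condition as "no guarantee" are this example's own choices.

```python
import math

N, D, V = 128, 2 ** 20, 1      # parameters from the slide
EPS = D / 2 ** N               # d/2^n for polynomial hashing
TARGET = 2.0 ** -32            # advantage at which the data limit is set

def classical_bound(q, v, eps, n):
    """Eq. (1): v*eps + (q+v)^2 / 2^(n+1), via the PRP-PRF switching lemma."""
    return v * eps + (q + v) ** 2 / 2 ** (n + 1)

def shoup_bound(q, v, eps, n):
    """Eq. (2): 2*v*eps under the side condition eps*q^2 <= 1.
    Outside that range the bound gives no guarantee, modelled here as infinity."""
    return 2 * v * eps if eps * q * q <= 1 else math.inf

def bernstein_bound(q, v, eps, n):
    """Eq. (3): v*eps*(1 - q/2^n)^(-(q+1)/2). log1p keeps precision when q/2^n
    is tiny (about 2^-64 in the slide's example)."""
    if q >= 2 ** n:
        return math.inf
    return v * eps * math.exp(-(q + 1) / 2 * math.log1p(-q / 2 ** n))

def data_limit_log2(bound, target, v, eps, n, iters=200):
    """Largest x with bound(2^x) <= target, by bisection (each bound is
    non-decreasing in q, so the feasible set is an interval starting at 0)."""
    lo, hi = 0.0, float(n)
    for _ in range(iters):
        mid = (lo + hi) / 2
        if bound(2 ** mid, v, eps, n) <= target:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for name, b in [("classical", classical_bound), ("Shoup", shoup_bound)]:
        print(f"{name}: q <= 2^{data_limit_log2(b, TARGET, V, EPS, N):.1f}")
    q = 2 ** (N // 2)
    print(f"Bernstein at q = 2^64: {bernstein_bound(q, V, EPS, N) / EPS:.3f} * eps")
    print(f"classical at q = 2^64: {classical_bound(q, V, EPS, N):.3f}")
```

At q = 2^64 the Bernstein bound is about e^(1/2) · ε, while the switching-lemma bound has already reached 1/2, which is the gap the slide's interpretation describes.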
Missing Difference Problem
Missing Difference Problem: Let $L$, $L'$ and $S$ be three lists of $n$-bit strings satisfying the missing condition: $\exists\, s \in S$, $s \notin L \oplus L'$. Find $s$.
Complexity Finding Questions:
1. Let $S = \{0,1\}^n$. How large should the lists be to ensure the missing condition?
2. How efficiently (in both time and memory) can we compute $s$?
Missing Difference Problem (contd.)
• LS18 constructed a $2^{2n/3}$ (ignoring log factors) time and memory algorithm for the missing difference problem when both list sizes are $2^{2n/3}$.
• Optimal list size: $2^{n/2}\sqrt{n}$.
  1. Assumption: for all $x \in L$, $x' \in L'$, the values $x \oplus x'$ are uniform and independent over $\{0,1\}^n \setminus \{s\}$.
  2. Number of pairs is $2^n \cdot n$.