better proofs for rekeying d j bernstein security of aes
play

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k - PDF document

Mar 19, 2023 •252 likes •577 views

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

  1. 1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n − 1)) is distinguishable from uniform with probability n ( n − 1) = 2 129 , plus tiny key-guessing probability. Yes, distinguishers matter. Attacker actually has T targets: independent keys k 1 ; : : : ; k T . Success chance ≈ Tn ( n − 1) = 2 129 .

  2. 2 “Rekeying” seems less dangerous. Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Split F ( k ) into 500000 “subkeys”. Output F ( k ′ ) for each subkey k ′ : i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)).

  3. 2 “Rekeying” seems less dangerous. Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Split F ( k ) into 500000 “subkeys”. Output F ( k ′ ) for each subkey k ′ : i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)). Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ?

  4. 2 “Rekeying” seems less dangerous. Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Split F ( k ) into 500000 “subkeys”. Output F ( k ′ ) for each subkey k ′ : i.e., F (AES k (0) ; AES k (1)); F (AES k (2) ; AES k (3)); : : : F (AES k (999998) ; AES k (999999)). Repeat for k 1 ; : : : ; k T . What is attacker’s success chance p T ? Intuitively clear that p T ≤ Tp 1 . So let’s analyze p 1 .

  5. 3 Attack strategy 1: Attack the master key k . Distinguish F ( k ) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 .

  6. 3 Attack strategy 1: Attack the master key k . Distinguish F ( k ) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . Attack strategy 2: Attack a subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform.

  7. 3 Attack strategy 1: Attack the master key k . Distinguish F ( k ) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈ 1 = 2 89 . Attack strategy 2: Attack a subkey k ′ . Distinguish F ( k ′ ) from uniform, assuming k ′ is uniform. Intuition: No other attacks exist. But where is this proven?

  8. 4 FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘ -level “cascade”. 2-level cascade: key k ; input ( N 1 ; N 2 ); output S ( S ( k; N 1 ) ; N 2 ).

  9. 4 FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘ -level “cascade”. 2-level cascade: key k ; input ( N 1 ; N 2 ); output S ( S ( k; N 1 ) ; N 2 ). Example: Define S ( k; N ) = (AES k (2 N ) ; AES k (2 N + 1)), with N ∈ { 0 ; 1 ; : : : ; 499999 } . S expands AES-256 key k into (AES k (0) ; : : : ; AES k (999999)).

  10. 4 FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘ -level “cascade”. 2-level cascade: key k ; input ( N 1 ; N 2 ); output S ( S ( k; N 1 ) ; N 2 ). Example: Define S ( k; N ) = (AES k (2 N ) ; AES k (2 N + 1)), with N ∈ { 0 ; 1 ; : : : ; 499999 } . S expands AES-256 key k into (AES k (0) ; : : : ; AES k (999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit N i : S expands k into S ( k; 0) ; S ( k; 1).

  11. 5 Theorem statement is wrong: omits factor q . Fixed in 2005. Here q is the number of queries. The intuition didn’t notice q ; why does q matter for the proof?

  12. 5 Theorem statement is wrong: omits factor q . Fixed in 2005. Here q is the number of queries. The intuition didn’t notice q ; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps.

  13. 5 Theorem statement is wrong: omits factor q . Fixed in 2005. Here q is the number of queries. The intuition didn’t notice q ; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S .

  14. 6 Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S .

  15. 6 Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S . Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q : Replace cascade outputs from q th (distinct) subkey. Could skip steps if q > # { N } .

  16. 6 Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S . Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q : Replace cascade outputs from q th (distinct) subkey. Could skip steps if q > # { N } . Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem.

  17. 7 Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper.

  18. 7 Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input ( N 1 ; N 2 ), NMAC computes S ( S ( k; N 1 ) ; N 2 ), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.)

  19. 7 Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input ( N 1 ; N 2 ), NMAC computes S ( S ( k; N 1 ) ; N 2 ), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

  20. 8 Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong.

  21. 8 Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials.

  22. 8 Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong.

  23. 8 Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong.

  24. 8 Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

  25. 9 Hmmm. CCS 2005 Barak–Halevi “A model and architecture for pseudo-random generation with applications to /dev/random ”? RNG outputs F ( k ), F ( G ( k )), etc. Another complicated proof.

  26. 9 Hmmm. CCS 2005 Barak–Halevi “A model and architecture for pseudo-random generation with applications to /dev/random ”? RNG outputs F ( k ), F ( G ( k )), etc. Another complicated proof. How about 2006 Campagna “Security bounds for the NIST codebook-based deterministic random bit generator”? Doesn’t prove anything about rekeying.

  27. 9 Hmmm. CCS 2005 Barak–Halevi “A model and architecture for pseudo-random generation with applications to /dev/random ”? RNG outputs F ( k ), F ( G ( k )), etc. Another complicated proof. How about 2006 Campagna “Security bounds for the NIST codebook-based deterministic random bit generator”? Doesn’t prove anything about rekeying. 2017 AES-GCM-SIV bounds? Big errors found by Iwata–Seurin.

  28. 10 A simple tight new proof Remember the goal: analyze p T . There are T keys. Cipher 1: key �→ many subkeys. Cipher 2: subkey �→ outputs.

  29. 10 A simple tight new proof Remember the goal: analyze p T . There are T keys. Cipher 1: key �→ many subkeys. Cipher 2: subkey �→ outputs. New proof has just two steps.

  30. 10 A simple tight new proof Remember the goal: analyze p T . There are T keys. Cipher 1: key �→ many subkeys. Cipher 2: subkey �→ outputs. New proof has just two steps. Step 1. Replace all subkeys. Distinguisher ⇒ T -target attack against cipher 1.

  31. 10 A simple tight new proof Remember the goal: analyze p T . There are T keys. Cipher 1: key �→ many subkeys. Cipher 2: subkey �→ outputs. New proof has just two steps. Step 1. Replace all subkeys. Distinguisher ⇒ T -target attack against cipher 1. Step 2. Replace all outputs. Distinguisher ⇒ ( T · many)-target attack against cipher 2.

  32. � � � � � � � � 11 multi-target single-target two-level two-level security security new, easy harder multi-target single-target one-level one-level security security X induct induct multi-target single-target many-level many-level security security X: FOCS 1996 Bellare–Canetti– Krawczyk Lemma 3.2. Harder; not suitable for induction.

Recommend

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

881 views • 58 slides
The impact of security proofs: two troublesome case studies D. J. Bernstein University of

The impact of security proofs: two troublesome case studies D. J. Bernstein University of

The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published. The impact of

566 views • 22 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at Chicago The bug-of-the-month club Every few months CERT announces Yet Another Security Hole In Sendmailsomething that lets local or even

592 views • 31 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Cryptography Game-based Proofs Assumptions BF IB-Encryption Conclusion Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs Introduction Provable Security David Pointcheval 2 Game-based Methodology

722 views • 10 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Paul Vixie, 1995, on DNSSEC: This sounds simple but it has deep reaching consequences in both the protocol and the

2.05k views • 180 slides
Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of Illinois at Chicago Main goals of cryptography Alice and Bob are communicating. Eve is eavesdropping. Alice and Bob have several standard security

310 views • 29 slides
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint work with: Tanja Lange, T. U. Eindhoven Peter Schwabe, Academia Sinica http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted standards.

603 views • 38 slides
The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint

The security impact of a new cryptographic library D. J. Bernstein, U. Illinois Chicago Joint work with: Tanja Lange, T. U. Eindhoven Peter Schwabe, National Taiwan U. http://xkcd.com/538/ AES-128, RSA-2048, etc. are widely accepted

641 views • 35 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at Chicago Thanks to: NSF CCR9983950 NSF DMS0140542 NSF ITR0716498 Alfred P. Sloan Foundation Warning: Springer mangled the

589 views • 19 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic

413 views • 39 slides
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides

More recommend