Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References

Blockcipher-based Authenticated Encryption: How Small Can We Go?
Avik Chakraborti (NTT Secure Platform Laboratories, Japan)
Tetsu Iwata (Nagoya University, Japan)
Kazuhiko Minematsu (NEC Corporation, Japan)
Mridul Nandi (Indian Statistical Institute, India)
CHES 2017, Taipei, Taiwan, September 2017
Outline
1 Introduction
2 Specification for COFB
3 Hardware Implementation Results of COFB-AES
4 Conclusions
5 References
Authenticated Encryption (AE)
A symmetric encryption scheme $\mathrm{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ with
$\mathcal{E} : \mathcal{K} \times \mathcal{M} \times \mathcal{N} \times \mathcal{A} \to \mathcal{C}$
$\mathcal{D} : \mathcal{K} \times \mathcal{C} \times \mathcal{N} \times \mathcal{A} \to \mathcal{M} \cup \{\bot\}$
$\mathcal{C}$: set of tagged ciphertexts; $\bot$: special symbol used to denote reject
[Figure: Data Transmission (taken from [3])]
Goal | Primitive | Security
Privacy | Symmetric encryption | IND-CCA/CPA
Integrity | MAC | UF-CMA
Authenticated Encryption (AE)
Input: $M, A, N, K$; output: $C$
$\mathcal{K}$: key space, $\mathcal{M}$: message space, $\mathcal{N}$: nonce space, $\mathcal{A}$: associated-data space, $\mathcal{C}$: ciphertext space
Nonce: an arbitrary number used only once for each encryption; useful as an initialization vector (example: a counter)
Associated data: header of the message (not encrypted, but authenticated); example: an IP address
Authenticated Encryption (AE)
Why AE? In practice both privacy and authenticity are desirable.
Example taken from [3]: a doctor wishes to send medical information about Alice to the medical database. Then
- we want data privacy, to ensure Alice's medical records remain confidential
- we want integrity, to ensure the person sending the information is really the doctor and that the information was not modified in transit
We refer to this as authenticated encryption.
Security of Authenticated Encryption [4]
Privacy: we want IND-CPA
Integrity: the adversary's goal is that the receiver accepts a forged tuple $((C^*, T), N, A)$
INT-CTXT: any forged tuple is rejected with high probability
Goal: IND-CPA + INT-CTXT
Unified AE Security
Adversary $A$ runs in time $t$, makes $q$ encryption queries ($\sigma_{\mathrm{enc}}$ blocks) and $q_f$ forge queries ($\sigma_f$ forge blocks)
$\mathbf{Adv}^{\mathrm{AE}}_{\mathcal{E}}(A) = \Delta_A\big((\mathcal{E}_K, \mathcal{D}_K);\ (\$, \bot)\big)$
$\$$ returns a random string from the range set of $\mathcal{E}_K$; the $\bot$ oracle always returns $\bot$
$\mathbf{Adv}^{\mathrm{AE}}_{\mathcal{E}}((q, q_f), (\sigma, \sigma_f), t) = \max_A \mathbf{Adv}^{\mathrm{AE}}_{\mathcal{E}}(A)$
Construction of AE Schemes
Several ways of designing AE: blockcipher (BC) based, streamcipher (SC) based, permutation based, etc. We consider BC-based AE.
BC-based AE
- Sequential nonce-based AE: CLOC, SILC
- Parallel on-line AE: ELmD, COPA, COLM
- Parallel nonce-based AE: OCB, OTR
Our target: sequential nonce-based AE, so we need to design the feedback function.
Possible Options for Feedback
Message feedback: the current $M[i]$ is the feedback $X[i]$ for the next BC call
Ciphertext feedback: the current $C[i]$ is the feedback $X[i]$
Output feedback: the previous BC output $Y[i-1]$ is the feedback $X[i]$
We use combined feedback: the first three cannot fulfil our needs (a small-state, rate-1 AE), so $X[i]$ is not computed from exactly one of $M[i]$, $C[i]$, $Y[i-1]$ but from a combination of them.
Different Feedback Modes and COFB (Combined Feedback)
[Figure: four diagrams, each showing the BC input $X[i-1]$, the message block $M[i]$, the ciphertext block $C[i]$ and the next feedback $X[i]$: output feedback, message feedback, ciphertext feedback, and the combined feedback of COFB, where $\rho$ (built from the matrix $G$) mixes the BC output with $M[i]$ to produce both $X[i]$ and $C[i]$.]
Outline
1 Introduction
2 Specification for COFB
  Design of COFB AE
  Security Bounds
  Properties
3 Hardware Implementation Results of COFB-AES
4 Conclusions
5 References
Goal of This Design
A lightweight AE mode that
- uses low storage
- has a standard security bound (close to the birthday bound on the block size)
- has a security proof in the standard model
- has a smaller hardware area than the existing ones: a very low number of gates other than the BC
Design Rationale and Challenges
COFB uses combined feedback. It needs
- $n$ bits for storing the BC state
- $k$ bits for storing the BC key
- $n/2$ bits more for masking
Each BC input is masked in a similar manner to the XEX [7] tweakable blockcipher (TBC), but here the mask is only $n/2$ bits instead of $n$. This is sufficient for the standard security bound, thanks to our feedback function.
Benchmarking in Terms of State Size
Rate: data blocks per BC call
Scheme | State Size | Rate | Security Proof
COFB | 1.5n + k | 1 | Yes
JAMBU [9] | 1.5n + k | 1/2 | Yes (integrity only)
CLOC/SILC [5, 6] | 2n + k | 1/2 | Yes
iFEED [10] | 3n + k | 1 | Yes (was wrong; attack in [8])
OCB [7] | ≥ 3n + k | 1 | Yes
COLM [2] | 3n + k | 1/2 | Yes
COFB AE Mode
[Figure: the COFB encryption chain. The padded nonce block $0^{n/2} \| N$ is encrypted by $E_K$ to $Y[0]$; the associated-data blocks $A[1], A[2], A[3]$ are absorbed through $\rho_1$ and the message blocks $M[1], M[2], M[3]$ through $\rho$, which also outputs $C[1], C[2], C[3]$; every BC input $X[i]$ is XORed with the mask $\mathrm{mask}_\Delta(a, b)$, and the last BC output yields the tag $T$. The masks drawn are $\mathrm{mask}_\Delta(1,0), \mathrm{mask}_\Delta(2,0), \mathrm{mask}_\Delta(2,\delta_A)$ for the three AD blocks and $\mathrm{mask}_\Delta(3,\delta_A), \mathrm{mask}_\Delta(4,\delta_A), \mathrm{mask}_\Delta(4,\delta_A+\delta_M)$ for the three message blocks: a non-final block advances $a$, the final block of $A$ resp. $M$ adds $\delta_A$ resp. $\delta_M$ to $b$.]
$\Delta = E_K(N)[n/4+1 .. 3n/4]$
$\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \Delta$ (tweak function described later)
$\rho_1(y, A) := G \cdot y \oplus A$ and $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$ ($\rho$, $\rho_1$ described later)
$G$: full-rank matrix, $G \neq I$
For $B = A$ or $M$: if $B \neq \lambda$ and $n$ divides $|B|$ then $\delta_B = 1$, else $\delta_B = 2$
Instantiation of the COFB AE Mode: COFB-AES
Underlying BC: we use AES-128, so $n = 128$
Mask function: mask is a simple tweak update function
$\rho_1$ and $\rho$: simple linear feedback functions
The last block has a different tweak
Tweak Function
$\Delta$: a 64-bit value derived from the encryption of the nonce. The standard size is 128 bits, but 64 bits are sufficient.
Computed/updated by $\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \Delta$, where $\alpha$ is a primitive element of $\mathbb{F}_{2^{64}}$.
This idea is taken from XEX [7], but the mask length is halved.
$(a, b) \in [0 .. L] \times [0 .. 4]$, where $L$ is the message length in blocks.
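The tweak arithmetic above, as an added example (this is not code from the COFB paper or its authors): the $\alpha$ and $(1+\alpha)$ multiplications in $\mathbb{F}_{2^{64}}$, the mask $\mathrm{mask}_\Delta(a,b)$, the per-block incremental update that the figure's labels imply, and two checks a reviewer of such a mode wants: that $\alpha$ really is primitive and that distinct $(a,b)$ give distinct masks. The slides do not name the field polynomial; the choice $x^{64}+x^4+x^3+x+1$ with $\alpha = x$ is an assumption of this example, as is the function `figure_schedule`, which only reproduces the labelling drawn for three AD and three message blocks.

```python
# Added example, not the COFB paper's code.
# ASSUMPTION: F_{2^64} = F_2[x]/(x^64 + x^4 + x^3 + x + 1) and alpha = x.
# The slides only say alpha is a primitive element of F_{2^64}.

POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # assumed reduction polynomial
MASK64 = (1 << 64) - 1
ALPHA = 2                                               # the element x as an integer

def times_alpha(d: int) -> int:
    """Multiply by alpha: a left shift plus a conditional XOR of the constant 0x1B
    when bit 64 falls out. This is the whole per-block mask update in hardware."""
    d <<= 1
    if d >> 64:
        d ^= POLY
    return d & MASK64

def times_one_plus_alpha(d: int) -> int:
    """Multiply by (1 + alpha): d XOR alpha*d."""
    return d ^ times_alpha(d)

def gf_mul(x: int, y: int) -> int:
    """General shift-and-add multiplication in F_{2^64}; only used by the checks."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x = times_alpha(x)
    return r

def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in F_{2^64}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def mask(delta: int, a: int, b: int) -> int:
    """mask_Delta(a, b) = alpha^a (1+alpha)^b Delta by repeated multiplication."""
    for _ in range(a):
        delta = times_alpha(delta)
    for _ in range(b):
        delta = times_one_plus_alpha(delta)
    return delta

# Prime factorisation of 2^64 - 1, the order of the multiplicative group.
FACTORS = (3, 5, 17, 257, 641, 65537, 6700417)

def alpha_is_primitive() -> bool:
    """alpha generates the whole group iff alpha^(2^64-1) = 1 and
    alpha^((2^64-1)/p) != 1 for every prime p dividing 2^64-1."""
    order = (1 << 64) - 1
    return gf_pow(ALPHA, order) == 1 and all(gf_pow(ALPHA, order // p) != 1 for p in FACTORS)

def masks_are_distinct(delta: int, max_a: int, max_b: int = 4) -> bool:
    """XEX-style masking needs distinct masks for distinct (a, b) under one Delta;
    checked exhaustively for a in [0..max_a], b in [0..max_b] (the slides use b <= 4)."""
    seen = {mask(delta, a, b) for a in range(max_a + 1) for b in range(max_b + 1)}
    return len(seen) == (max_a + 1) * (max_b + 1)

def figure_schedule(delta: int, ad_blocks: int, msg_blocks: int, delta_a: int, delta_m: int):
    """Incremental mask sequence as labelled in the COFB figure: every non-final block
    advances a by one (one alpha-multiply), the final block of A resp. M instead multiplies
    by (1+alpha)^delta_A resp. (1+alpha)^delta_M. Returns a list of ((a, b), mask value).
    ASSUMPTION: read off the figure for non-empty A and M; empty segments are not drawn
    on the slides, so they are rejected here rather than guessed."""
    if ad_blocks < 1 or msg_blocks < 1:
        raise ValueError("schedule only reconstructed for non-empty A and M")
    a = b = 0
    cur = delta
    out = []
    for nblocks, d in ((ad_blocks, delta_a), (msg_blocks, delta_m)):
        for i in range(nblocks):
            if i < nblocks - 1:
                a += 1
                cur = times_alpha(cur)
            else:
                b += d
                for _ in range(d):
                    cur = times_one_plus_alpha(cur)
            out.append(((a, b), cur))
    return out

if __name__ == "__main__":
    delta = 0x0123456789ABCDEF  # constructed sample Delta; in COFB it is E_K(N)[n/4+1..3n/4]
    print("alpha primitive:", alpha_is_primitive())
    print("masks distinct :", masks_are_distinct(delta, 32))
    for (a, b), m in figure_schedule(delta, 3, 3, 1, 2):
        print(f"mask({a},{b}) = {m:016x}")
```

The incremental update is the point of the design: the hardware never evaluates $\alpha^a(1+\alpha)^b$ from scratch; it keeps the current 64-bit mask and applies one shift-and-conditional-XOR (or one extra XOR for the $(1+\alpha)$ step) per block, which is the small storage and gate count the slides claim.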
Linear Feedback Functions $\rho_1$ and $\rho$
$\rho_1(y, M) := G \cdot y \oplus M$ and $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$
$G : (y_1, y_2, y_3, y_4) \mapsto (y_2, y_3, y_4, y_4 \oplus y_1)$, where each $y_j$ is an $n/4$-bit word, i.e.
$G_{n \times n} = \begin{pmatrix} 0 & I & 0 & 0 \\ 0 & 0 & I & 0 \\ 0 & 0 & 0 & I \\ I & 0 & 0 & I \end{pmatrix}$
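The feedback functions, as an added example that is not code from the COFB paper: $G$, $\rho_1$ and $\rho$ on $n = 128$-bit blocks as used by COFB-AES, the inverse of $G$ that shows it has full rank, the decryption direction (recover $M[i]$ and $X[i]$ from $Y[i-1]$ and $C[i]$ without ever inverting the block cipher, which is what makes the mode inverse-free), and the degenerate case $G = I$ that the slide excludes. The names `G_inv`, `rho_inv` and `rho1_with_identity` are inventions of this example; the block cipher itself is not needed to demonstrate the feedback layer.

```python
# Added example, not the COFB paper's code. n = 128 as in COFB-AES.
N_BYTES = 16              # n = 128 bits
W = N_BYTES // 4          # G acts on four n/4 = 32-bit words y1..y4

def _words(block: bytes):
    assert len(block) == N_BYTES
    return [int.from_bytes(block[i * W:(i + 1) * W], "big") for i in range(4)]

def _block(words) -> bytes:
    return b"".join(w.to_bytes(W, "big") for w in words)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(y: bytes) -> bytes:
    """G: (y1, y2, y3, y4) -> (y2, y3, y4, y4 xor y1): a word rotation plus one XOR,
    i.e. the block matrix [[0,I,0,0],[0,0,I,0],[0,0,0,I],[I,0,0,I]] from the slide."""
    y1, y2, y3, y4 = _words(y)
    return _block([y2, y3, y4, y4 ^ y1])

def G_inv(z: bytes) -> bytes:
    """Inverse of G, hence G has full rank: (z1, z2, z3, z4) -> (z3 xor z4, z1, z2, z3)."""
    z1, z2, z3, z4 = _words(z)
    return _block([z3 ^ z4, z1, z2, z3])

def rho1(y: bytes, m: bytes) -> bytes:
    """rho_1(y, M) = G.y xor M: the next block cipher input X[i] (before masking)."""
    return xor(G(y), m)

def rho(y: bytes, m: bytes):
    """rho(y, M) = (rho_1(y, M), y xor M) = (X[i], C[i])."""
    return rho1(y, m), xor(y, m)

def rho_inv(y: bytes, c: bytes):
    """Decryption direction: M[i] = Y[i-1] xor C[i], then X[i] = rho_1(Y[i-1], M[i]).
    Only the forward block cipher is ever needed to produce Y[i-1]."""
    m = xor(y, c)
    return rho1(y, m), m

def rho1_with_identity(y: bytes, m: bytes) -> bytes:
    """What rho_1 would be if G were the identity: X[i] = Y[i-1] xor M[i] = C[i],
    i.e. plain ciphertext feedback, where the next block cipher input is public."""
    return xor(y, m)

def roundtrip_ok(y: bytes, m: bytes) -> bool:
    """Encryption then decryption of one block recovers (X[i], M[i]); G_inv inverts G."""
    x, c = rho(y, m)
    return rho_inv(y, c) == (x, m) and G_inv(G(y)) == y and G(G_inv(y)) == y

def G_differs_from_identity() -> bool:
    """The slide requires G != I; check it on the 128 unit vectors."""
    basis = [(1 << i).to_bytes(N_BYTES, "big") for i in range(8 * N_BYTES)]
    return any(G(v) != v for v in basis)

if __name__ == "__main__":
    y = bytes(range(16))        # constructed sample Y[i-1]
    m = bytes(range(16, 32))    # constructed sample M[i]
    x, c = rho(y, m)
    print("X[i] =", x.hex(), " C[i] =", c.hex())
    print("roundtrip:", roundtrip_ok(y, m), " G != I:", G_differs_from_identity())
    print("with G = I the feedback equals C[i]:", rho1_with_identity(y, m) == c)
```

The last check is the security-relevant one: with $G = I$ the combined feedback collapses to ciphertext feedback, so the next block cipher input would be fully known to an adversary from the ciphertext alone; the rotation-plus-XOR structure of $G$ keeps $X[i]$ dependent on the secret output $Y[i-1]$ in a way that is invertible (full rank) but not equal to $C[i]$.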
Security Level for COFB-AES
Security bound for privacy: against a nonce-respecting adversary, almost the birthday bound of 64 bits
Security bound for authenticity: against a nonce-respecting adversary, almost the birthday bound of 64 bits
The COFB mode is secure up to $O(2^{n/2}/n)$ queries (almost the birthday bound in the block size $n$)
Important Features of COFB AE
Advantages
- Rate = 1
- Very low state size of 1.5n + k (n: block size, k: key size)
- Very flexible mode (any BC can be used), inverse-free
- Simple linear feedback
- Very lightweight, consumes low hardware area
Limitations
- Both encryption and decryption are completely serial