COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse
Atul Luykx, COSIC KU Leuven and iMinds
March 3, 2014
Joint work with E. Andreeva, B. Mennink, and K. Yasuda.
Overview
COBRA:
1. Misuse resistance
2. Online
3. GCM-like efficiency
4. No block cipher inverse
5. Security reduction to block cipher
Background: Misuse Resistance
Nonces cannot always be guaranteed unique:
1. Flawed implementations
2. Reset during backup
3. State of virtual machine copied
Misuse-resistant schemes: SIV ('06, Rogaway and Shrimpton), BTM ('09, Iwata and Yasuda), HBS ('09, Iwata and Yasuda). Their drawbacks:
1. High latency (receive full message before first output)
2. Storage issues (large internal state)
⇒ We want online schemes
Background: Online Scheme
[Figure: two dependency graphs from message blocks M[1]..M[4] to ciphertext blocks C[1]..C[4] and tag T. First: dependency in SIV, HBS, BTM. Second: dependency in an online AE scheme.]
Background: Online Nonce Misuse
[Figure: three encryptions under the same nonce N and key K: M ∥ M1 → C ∥ C1, T1; M ∥ M2 → C ∥ C2, T2; M′ → C′, T3. The common message prefix M gives the common ciphertext prefix C.]
1. Equality of prefixes of messages determined
2. No relationship past common prefix
Background: GCM not Misuse Resistant
[Figure: GCM as CTR_K applied to (N, M) giving C, and GHASH_K giving T.]
Motivation: Overview of Some Online Schemes
Cycles per byte on Sandy Bridge with AES-NI (lower is better):
  McOE-G  8.9   misuse resistant
  COPA    2.06  misuse resistant
  GCM     2.55  nonce dependent
  OCB     0.98  nonce dependent
References: Gueron DIAC 2013 and Andreeva et al. Asiacrypt 2013.
Motivation
Can we close the gap in efficiency between nonce dependent and misuse resistant schemes?
Motivation: Misuse Resistance From OCB?
[Figure: OCB-style encryption of M[1]..M[4] under masks α1..α4 giving C[1]..C[4]. A second message M′[1]..M′[4] under fresh masks β1..β4 gives C′[1]..C′[4]; if the masks α1..α4 are reused and M′[3] = M[3], then C′[3] = C[3].]
Requirements on the mask function:
1. Dependency upon previous message blocks
2. Function using only key
3. No collisions between different messages
⇒ Universal hash
Motivation: Nonce Dependent Versus Misuse Resistant
Difference in efficiency: at least the efficiency of a universal hash
Motivation: Universal Hash in AE
[Figure: bar chart, cycles per byte (lower is better), GCM with AES-NI on Sandy Bridge, Ivy Bridge and Haswell, split into its GHASH and AES-CTR portions. GCM totals: 2.52, 2.52 and 1.03 cpb; the remaining bar labels are 1.79, 1.79 and 0.4. Results: Gueron DIAC 2013.]
Overview
COBRA:
1. Misuse resistance
2. Online
3. GCM-like efficiency
   1. One multiplication per block
   2. One block cipher call per block
   3. Parallelizable
4. No block cipher inverse
5. Security reduction to block cipher
Motivation: How To Add Authenticity?
[Figure: OCB-like structure in which the masks α1..α4 are derived from the key-dependent value L by multiplications (×) and additions (+); M[1]..M[4] are encrypted to C[1]..C[4], and the tag T is computed from M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4] through δ.]
Motivation: ManTiCore, Beaver et al. ACISP '04
[Figure: ManTiCore structure on M[1]..M[4] built from the layers α_i, β_i, γ_i, δ_i with XORs, producing C[1]..C[4]; the intermediate values ρ1, ρ2, σ1, σ2 are collected, and the tag T is derived from ρ1 ⊕ ρ2 ⊕ σ1 ⊕ σ2 through η.]
α_i, β_i, γ_i, δ_i: uniform random functions (URF)
Building A Scheme: Starting Point
[Figure: M[1]..M[6] processed in pairs through β1..β3 and γ1..γ3 with XORs, giving C[1]..C[6].]
β_i, γ_i: uniform random functions (URF)
Building A Scheme: Adding Dependency
[Figure: the starting-point structure with masks chained through the message blocks: the masks are derived from N · L, L and L² by multiplications (×) and additions (+), each feeding the next block; the intermediate values ρ1..ρ3 and σ1..σ3 are collected for the tag.]
β_i, γ_i: URFs
L: secret value derived from the key
N: nonce
Building A Scheme: Adding Authenticity
[Figure: the tag T is computed from ρ1 ⊕ ρ2 ⊕ ρ3 ⊕ σ1 ⊕ σ2 ⊕ σ3 through δ1, with N added, then through δ2.]
ρ_i, σ_i: outputs of URFs
δ_i: URFs
N: nonce
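The universal hash the deck keeps returning to (a GHASH-style polynomial hash in GF(2^128) costing one multiplication by a key-derived value per block) and the prefix behaviour of an online scheme can both be seen in a small script. This is an added example, not COBRA's specification or the authors' code: it implements GCM's GF(2^128) multiplication and the chained hash Y_i = (Y_{i-1} ⊕ M[i]) · H; H_DEMO is GCM's published test-case hash key, and the messages M1 and M2 are constructed.

```python
from typing import List

# GCM's reduction constant: x^128 + x^7 + x^2 + x + 1 in GCM's bit order
# (the most significant bit of the 128-bit value is the x^0 coefficient).
R = 0xE1 << 120

def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128), bit-serial, as in NIST SP 800-38D Algorithm 1."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:            # bit x_i, counted from the most significant bit
            z ^= v
        v = (v >> 1) ^ (R if v & 1 else 0)  # v := v * x, reduce when the x^127 term falls off
    return z

def polyhash_states(h: int, blocks: List[bytes]) -> List[int]:
    """Chained polynomial hash Y_i = (Y_{i-1} xor M[i]) * H over 16-byte blocks.
    Every intermediate state is returned, making the dependency of block i on
    all earlier blocks (one multiplication per block) visible."""
    states, y = [], 0
    for blk in blocks:
        assert len(blk) == 16, "full blocks only in this example"
        y = gf128_mul(y ^ int.from_bytes(blk, "big"), h)
        states.append(y)
    return states

def ghash(h: int, blocks: List[bytes]) -> bytes:
    """Final hash value (the last chained state) as 16 bytes."""
    return polyhash_states(h, blocks)[-1].to_bytes(16, "big")

def common_prefix_len(a: List[int], b: List[int]) -> int:
    """Number of leading positions at which two state sequences agree."""
    n = 0
    for s, t in zip(a, b):
        if s != t:
            break
        n += 1
    return n

# Constructed demo input: two messages that share their first two blocks.
H_DEMO = 0x66E94BD4EF8A2C3B884CFA59CA342B2E  # H from GCM's all-zero-key test case
M1 = [bytes([0x11]) * 16, bytes([0x22]) * 16, bytes([0x33]) * 16, bytes([0x44]) * 16]
M2 = M1[:2] + [bytes([0x99]) * 16, bytes([0x44]) * 16]

def demo_prefix() -> int:
    """Chained states agree on exactly the common prefix (2 blocks) and differ
    afterwards: H is nonzero, so multiplication by it is injective."""
    return common_prefix_len(polyhash_states(H_DEMO, M1), polyhash_states(H_DEMO, M2))
```

The same chained value is what a mask derived from "previous message blocks, key only, no collisions" looks like: equal prefixes give equal masks, and the first differing block changes every later mask.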