COLM - PowerPoint presentation (slides)

1. COLM
Elena Andreeva (1), Andrey Bogdanov (2), Nilanjan Datta (3), Atul Luykx (1), Bart Mennink (1), Mridul Nandi (3), Elmar Tischhauser (2), Kan Yasuda (4)
(1) KU Leuven and iMinds, Belgium; (2) DTU Compute, Denmark; (3) Indian Statistical Institute, India; (4) NTT Secure Platform Laboratories, Japan
September 27, 2016

2. CAESAR Overview
Table: CAESAR Round 3 candidates. *Deoxys uses tweakable block cipher modes and creates a new tweakable block cipher.

  Dedicated | Block Cipher Mode | Permutation-based
  ----------+-------------------+------------------
  ACORN     | AES-OTR           | Ascon
  AEGIS     | CLOC and SILC     | Ketje
  AEZ       | COLM              | Keyak
  MORUS     | JAMBU             | NORX
  Tiaoxin   | OCB               |
            | Deoxys*           |

3. Block Cipher Mode Disadvantages
1. Usually birthday-bound security
2. Efficiency cannot improve beyond the block cipher itself (see e.g. AEGIS vs. CTR)

4. Block Cipher Mode Advantages
1. Block ciphers are ubiquitous
2. Can be used with any block cipher
3. A safe bet: security reduction to the underlying block cipher
   Block size ≥ 128 bits ⇒ can process petabytes of data with attack success probability well below 2^-30 (the birthday term is about σ^2 / 2^128 for σ processed blocks; one petabyte is 2^46 blocks of 16 bytes, giving roughly 2^-36)

5-6. Block Cipher Modes in Candidates
Same table as slide 2 (CAESAR Round 3 candidates), with the Block Cipher Mode column highlighted: AES-OTR, CLOC and SILC, COLM, JAMBU, OCB, Deoxys*. Deoxys* builds on the tweakable block cipher modes ΘCB and SCT.

7. Robustness
Table: Levels of resistance to nonce misuse (Level 1: a repeated nonce breaks confidentiality and/or integrity; Level 2: online nonce misuse resistance as described on the next slides; Level 3: full nonce misuse resistance, at the cost of a two-pass scheme such as SCT).

  Level 1       | Level 2 | Level 3
  --------------+---------+----------------
  AES-OTR       | COLM    | Deoxys-II (SCT)
  CLOC and SILC |         |
  JAMBU         |         |
  OCB           |         |
  Deoxys-I      |         |

8-14. Background: Online Nonce Misuse Resistance
Figure: three encryptions under the same nonce N and key K. Messages M_1 and M_2 share a common prefix M and produce ciphertexts with the same prefix C (with tags T_1 and T_2); a third message M' with a different prefix produces an unrelated ciphertext C' and tag T_3.
1. Equality of message prefixes is determined: an observer can tell which leading blocks of two messages are equal
2. No relationship past the common prefix
3. Hoang et al. CRYPTO 2015 attack... [2]
4. but still much more robust than GCM, OCB, OTR, ...

15-16. Advantage over SCT: Online Scheme
A non-online (two-pass) scheme such as SCT has:
1. High latency (must receive the full message before producing the first output)
2. Storage issues (large internal state, since the whole message must be buffered)
Figure: dependency in SCT - every ciphertext block C[1..4] and the tag T depend on all message blocks M[1..4]. Dependency in COLM - C[i] depends only on M[1..i] (the tag T depends on all of M), so ciphertext blocks can be emitted as the message streams in.
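Added example for slides 8-14 and 15-16 (written for this page; it is not code from the slides or from the COLM authors): a toy "ideal online cipher", the object that a Level 2 scheme's encryption layer is indistinguishable from, next to a keystream mode of the GCM shape. Assumptions: the block cipher is replaced by a 4-round Feistel permutation built from HMAC-SHA256 (a Luby-Rackoff PRP, not a real cipher), no authentication tag is computed, and all keys, nonces and messages are constructed test data. Under a reused nonce the online cipher reveals only how many leading blocks two messages share, while the keystream mode leaks the whole second plaintext once the first is known; the online encryptor can also emit C[i] as soon as M[i] arrives, which is the latency point of slides 15-16.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as the slides assume


def _prf(key: bytes, data: bytes, n: int) -> bytes:
    """Toy PRF: HMAC-SHA256 truncated to n bytes (n <= 32)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 4-round Feistel permutation on one 16-byte block (a Luby-Rackoff
    PRP built from the PRF above, standing in for a real block cipher)."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    if not decrypt:
        for i in range(4):
            l, r = r, _xor(l, _prf(key, bytes([i]) + r, 8))
    else:
        for i in reversed(range(4)):
            l, r = _xor(r, _prf(key, bytes([i]) + l, 8)), l
    return l + r


def online_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Ideal online cipher: block i goes through a permutation keyed by
    (key, nonce, M[1..i-1]), so C[i] depends only on the message prefix up to i.
    This models the encryption layer only; no tag is computed."""
    assert len(msg) % BLOCK == 0
    out, prefix = [], b""
    for i in range(0, len(msg), BLOCK):
        m = msg[i:i + BLOCK]
        out.append(feistel(_prf(key, nonce + prefix, 32), m))  # C[i] can be emitted now
        prefix += m
    return b"".join(out)


def online_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    assert len(ct) % BLOCK == 0
    out, prefix = [], b""
    for i in range(0, len(ct), BLOCK):
        m = feistel(_prf(key, nonce + prefix, 32), ct[i:i + BLOCK], decrypt=True)
        out.append(m)
        prefix += m
    return b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Keystream mode (the shape of GCM's encryption layer): the keystream is a
    function of (key, nonce) only, so a reused nonce reuses the keystream."""
    nblocks = -(-len(msg) // BLOCK)
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big"), BLOCK) for i in range(nblocks))
    return _xor(msg, ks[:len(msg)])


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading 16-byte blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def demo():
    key = b"k" * 32
    nonce = b"\x00" * 12  # constructed: deliberately reused for both messages
    m1 = b"ATTACK AT DAWN! " + b"target: bridge  " + b"via north road  "
    m2 = b"ATTACK AT DAWN! " + b"target: bridge  " + b"via south road  "

    # Level 2 (online): the observer learns that the messages agree on their
    # first two blocks, and nothing about the block in which they differ.
    c1, c2 = online_encrypt(key, nonce, m1), online_encrypt(key, nonce, m2)
    shared = common_prefix_blocks(c1, c2)

    # Level 1 (keystream): C1 xor C2 = M1 xor M2, so knowing M1 yields all of M2.
    k1, k2 = ctr_encrypt(key, nonce, m1), ctr_encrypt(key, nonce, m2)
    recovered = _xor(_xor(k1, k2), m1)

    return shared, recovered == m2, online_decrypt(key, nonce, c1) == m1


if __name__ == "__main__":
    print(demo())  # (2, True, True)
```

The prefix leak is inherent to any online scheme: the only way to hide it is to make every output block depend on the whole message, which is exactly the two-pass, buffer-everything cost that slides 15-16 attribute to SCT.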

17. COLM Comparison with ELmD and COPA

  Feature                             | COPA | ELmD | COLM
  ------------------------------------+------+------+-----
  Simplified masking                  |      |      |  ✓
  Fully parallelizable authentication |  ✓   |      |  ✓
  XOR mixing for authentication       |  ✓   |      |  ✓
  ρ mixing for encryption             |      |  ✓   |  ✓
  Bottom layer encryption             |  ✓   |      |  ✓
  Intermediate tags                   |      |  ✓   |  ✓

18. COLM Description
Figure (reconstructed from the slide's labels): the COLM mode. All block cipher calls are forward calls E_K, including the bottom layer, so no decryption circuit is needed.
- Inputs: the block npub || param, associated data blocks A[1..a], message blocks M[1..l+1] (in COLM the extra block M[l+1] is a checksum of the message and the corresponding output C[l+1] serves as the tag).
- Top layer: every input block is XORed with a mask and encrypted. npub || param is masked with L; A[i] is masked with multiples of L (up to 2^a·L), giving AA[i] and Z[i] = E_K(AA[i]); M[i] is masked with 2·L, 2^2·L, ..., 7·2^(l-1)·L, 7·2^l·L, giving MM[i] and X[i] = E_K(MM[i]).
- Middle: the encrypted nonce block and the Z[i] are XORed into IV; the ρ function then chains IV with X[1], ..., X[l+1], producing the chaining values W[1..l] and the outputs Y[1..l+1].
- Bottom layer: CC[i] = E_K(Y[i]) and C[i] = CC[i] ⊕ mask, with the masks 2·L2, 2^2·L2, ..., 7·2^(l-1)·L2, 7·2^l·L2.
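Added example for slide 18 (written for this page; not code from the slides or the COLM specification): the doubling-based mask schedule 2·L, 2^2·L, ..., 7·2^(l-1)·L, 7·2^l·L that labels the message blocks in the diagram, computed in GF(2^128). Assumptions: the field polynomial is x^128 + x^7 + x^2 + x + 1 with big-endian encoding (the OCB/COPA convention; the COLM specification should be checked for its exact field), L is taken as an opaque secret 16-byte value (in this family of modes it is derived from the block cipher, e.g. E_K(0), but that is not shown on the slide), and the per-block schedule follows only the labels visible in the figure, so details such as partial last blocks are not covered.

```python
POLY_LOW = 0x87            # x^128 = x^7 + x^2 + x + 1 (assumed OCB-style polynomial)
MASK128 = (1 << 128) - 1


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gf_double(x: bytes) -> bytes:
    """Multiply a 16-byte field element by x (the constant '2'): shift left one
    bit and, if a bit fell off the top, reduce with the polynomial."""
    assert len(x) == 16
    n = int.from_bytes(x, "big") << 1
    if n >> 128:
        n = (n ^ POLY_LOW) & MASK128
    return n.to_bytes(16, "big")


def gf_times7(x: bytes) -> bytes:
    """7 = x^2 + x + 1 in the field, so 7·X = 4·X xor 2·X xor X: two doublings
    and two XORs, no general multiplication needed."""
    d = gf_double(x)
    return _xor(_xor(gf_double(d), d), x)


def message_masks(L: bytes, l: int) -> list:
    """Masks for M[1..l+1] as labelled on the slide: 2^i·L for 1 <= i < l, then
    7·2^(l-1)·L for M[l] and 7·2^l·L for the extra block M[l+1]. Each block
    costs one doubling, which is the reason powers of 2 are used."""
    assert l >= 1 and len(L) == 16
    masks, cur = [], L            # cur = 2^0·L
    for _ in range(1, l):
        cur = gf_double(cur)      # cur = 2^i·L
        masks.append(cur)
    masks.append(gf_times7(cur))  # 7·2^(l-1)·L  (cur is 2^(l-1)·L here)
    cur = gf_double(cur)          # 2^l·L
    masks.append(gf_times7(cur))  # 7·2^l·L
    return masks


def schedule_is_injective(L: bytes, l: int) -> bool:
    """Sanity check a mode designer wants: all masks for one message are
    distinct (they are distinct constants times a non-zero L in a field)."""
    masks = message_masks(L, l)
    return len(set(masks)) == len(masks)


if __name__ == "__main__":
    L = bytes(range(16))          # constructed stand-in for the secret mask L
    for i, m in enumerate(message_masks(L, 4), start=1):
        print(f"mask for M[{i}]: {m.hex()}")
    print("distinct:", schedule_is_injective(L, 4))
```

Because doubling is a fixed linear map, the same routine produces the L2-based masks of the bottom layer and the 2^i·L masks of the associated-data path; only the starting value changes.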

19. Summary
COLM: the strengths of COPA + ELmD
1. Security reduction to the block cipher
2. Online misuse resistance: the most robust AES-based mode in the competition
3. Highly parallelizable
Thank you for your attention.

20. References
1. Andreeva et al. "How to securely release unverified plaintext in authenticated encryption", ASIACRYPT 2014
2. Hoang et al. "Online authenticated-encryption and its nonce-reuse misuse-resistance", CRYPTO 2015
3. Dobraunig et al. "Related-Key Forgeries for Prøst-OTR", FSE 2015
4. Nandi "XLS is Not a Strong Pseudorandom Permutation", ASIACRYPT 2014
5. Nandi "Revisiting Security Claims of XLS and COPA", ePrint
6. Lu "On the Security of the COPA and Marble Authenticated Encryption Algorithms against (Almost) Universal Forgery Attack", ePrint
7. Fuhr et al. "Collision Attacks against CAESAR Candidates", ASIACRYPT 2015
8. Bogdanov et al. "Comb to Pipeline: Fast Software Encryption Revisited", FSE 2015
9. Dobraunig et al. "Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes", ASIACRYPT 2016
10. Nandi "On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes", ASIACRYPT 2015
11. Kaplan et al. "Breaking Symmetric Cryptosystems using Quantum Period Finding", CRYPTO 2016
12. Bay et al. "Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm", ASIACRYPT 2016
