
Encrypt or Decrypt? To Make a Single-Key BBB Secure Nonce-Based MAC



  1. Encrypt or Decrypt? To Make a Single-Key BBB Secure Nonce-Based MAC
     - Nilanjan Datta (1), Avijit Dutta (2), Mridul Nandi (2) and Kan Yasuda (3)
     - (1) Indian Institute of Technology, Kharagpur, India
     - (2) Indian Statistical Institute, Kolkata, India
     - (3) NTT Secure Platform Laboratories, NTT Corporation, Japan
     - CRYPTO, 2018. August 22, 2018
     - N. Datta, A. Dutta, M. Nandi and K. Yasuda. DWCDM: Single-Key BBB Secure MAC. 1 / 28

  2. Introduction: Wegman-Carter MAC
     - WC MAC [Wegman and Carter, JCSS 1981]
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $F_K$, $N$, $T$]

  3. Introduction: Wegman-Carter MAC
     - WC MAC [Wegman and Carter, JCSS 1981]
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $F_K$, $N$, $T$]
     - Nonce Respecting (NR): $O(\epsilon q_v)$ security (Beyond the Birthday Bound)
     - Nonce Misuse (NM): No security!!

  4. Introduction: Encrypted Wegman-Carter MAC
     - EWC MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $F_K$, $E_{K'}$, $N$, $T$]

  5. Introduction: Encrypted Wegman-Carter MAC
     - EWC MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $F_K$, $E_{K'}$, $N$, $T$]
     - Nonce Respecting (NR): Same security (Beyond the Birthday Bound)
     - Nonce Misuse (NM): Birthday Bound security

  6. Introduction: Encrypted Wegman-Carter MAC
     - EWC MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $F_K$, $E_{K'}$, $N$, $T$]
     - Nonce Respecting (NR): Same security (Beyond the Birthday Bound)
     - Nonce Misuse (NM): Birthday Bound security
     - $F_K \to E_K$: NR security drops to Birthday Bound!!

  7. Introduction: Encrypted Wegman-Carter MAC
     - Towards Beyond Birthday Security
     - [Diagram; labels: $H_{K_h}$, $M$, $\oplus$, $E_{K'}$, $N$, $F_K$, $T$]

  8. Introduction: Encrypted Wegman-Carter MAC
     - Towards Beyond Birthday Security
     - [Diagram; labels: $H_{K_h}$, $M$, $E_{K_1}$, $\oplus$, $\oplus$, $E_{K'}$, $N$, $T$, $E_{K_2}$]

  9. Introduction: Encrypted Wegman-Carter MAC
     - Towards Beyond Birthday Security
     - [Diagram; labels: $H_{K_h}$, $M$, $E_{K_1}$, $\oplus$, $\oplus$, $E_{K'}$, $N$, $T$, $E_{K_2}$]
     - Can we reduce the number of BC calls?

  10. Introduction: Encrypted Wegman-Carter with Davies-Meyer
     - EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $z$, $\oplus$, $\oplus$, $E_K$, $E_{K'}$, $N$, $T$]
     - Instantiation of $F_K$ by Keyed Davies-Meyer Construction

  11. Introduction: Encrypted Wegman-Carter with Davies-Meyer
     - EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $z$, $\oplus$, $E_K$, $E_{K'}$, $N$, $T$]
     - MAC security: $2n/3$-bit (NR setting), $n/2$-bit (NM setting)

  12. Introduction: Encrypted Wegman-Carter with Davies-Meyer
     - EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $z$, $\oplus$, $E_K$, $E_{K'}$, $N$, $T$]
     - MAC security: $2n/3$-bit (NR setting), $n/2$-bit (NM setting)
     - Conjecture of Cogliati and Seurin: EWCDM is secure up to $\approx n$-bit (NR setting).

  13. Introduction: Encrypted Wegman-Carter with Davies-Meyer
     - EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]
     - [Diagram; labels: $H_{K_h}$, $M$, $z$, $\oplus$, $E_K$, $E_{K'}$, $N$, $T$]
     - MAC security: $2n/3$-bit (NR setting), $n/2$-bit (NM setting)
     - Conjecture of Cogliati and Seurin: Single-keyed EWCDM (i.e., $K = K'$) is BBB secure against NR adversaries.

  14. Introduction: Current Results on EWCDM
     - [Mennink and Neves, CRYPTO 2016]: Optimal PRF security of EWCDM (NR setting)
     - $n$-bit security of Mirror Theory: Unverifiable!!
     - [Cogliati and Seurin, DCC 2018]: Difficulty of proving the security of single-keyed EWCDM

  15. Content: Outline
     - Decrypted Wegman-Carter with Davies-Meyer (DWCDM)
       - Specification
       - Necessity of Nonce-space Reduction
     - (Extended) Mirror Theory
       - Mirror Theory
       - Extended Mirror Theory
     - Security of DWCDM
       - H-Coefficient Technique
       - Proof Approach
     - 1K-DWCDM

  16. DWCDM: Decrypted Wegman-Carter with Davies-Meyer (DWCDM)
     - [Diagram; labels: $H_{K_h}$, $M$, $z$, $E_K^{-1}$, $\oplus$, $E_K$, $N$, $T$]
     - Single-Keyed Nonce-Based MAC (Nonce Space: $2n/3$ bits)
     - MAC security: $2n/3$-bit (NR setting), $n/2$-bit (NM setting)
     - Assumptions on $H$:
       - Regular, Almost XOR Universal
       - 3-way regular (i.e., $H(X_1) \oplus H(X_2) \oplus H(X_3) = Y$ $(\neq 0)$)

  17. DWCDM: Necessity of Nonce-space Reduction
     - $\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
     - $\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
     - $\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
     - $\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
     - $\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
     - $\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$
     - [Graph on the nodes $x_1, \ldots, x_6$]

  18. DWCDM: Necessity of Nonce-space Reduction
     - $\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
     - $\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
     - $\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
     - $\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
     - $\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
     - $\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$
     - [Graph on the nodes $x_1, \ldots, x_6$]
     - $x_3 + x_4 + x_5 + x_6 = 0$

  19. DWCDM: Necessity of Nonce-space Reduction
     - $\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
     - $\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
     - $\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
     - $\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
     - $\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
     - $\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$
     - [Graph on the nodes $x_1, \ldots, x_6$]
     - $x_3 + x_4 + x_5 + x_6 = 0$
     - Forging Event: $(x_i + x_{i+1} + \cdots + x_j = 0) \Rightarrow (x_j, m, x_i)$ is a valid forgery.

  20. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - A system of $q$ equations:
       - $P_{n_1} \oplus P_{t_1} = \lambda_1$
       - $P_{n_2} \oplus P_{t_2} = \lambda_2$
       - $\ldots$
       - $P_{n_q} \oplus P_{t_q} = \lambda_q$

  21. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - A system of $q$ equations:
       - $P_{n_1} \oplus P_{t_1} = \lambda_1$
       - $P_{n_2} \oplus P_{t_2} = \lambda_2$
       - $\ldots$
       - $P_{n_q} \oplus P_{t_q} = \lambda_q$
     - Let $\phi : \{n_1, t_1, \ldots, n_q, t_q\} \to \{1, \ldots, r\}$ be a surjective index mapping function.

  22. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - Equivalent reduced system of $q$ equations:
       - $P_{\phi(n_1)} \oplus P_{\phi(t_1)} = \lambda_1$
       - $P_{\phi(n_2)} \oplus P_{\phi(t_2)} = \lambda_2$
       - $\ldots$
       - $P_{\phi(n_q)} \oplus P_{\phi(t_q)} = \lambda_q$
     - System of $q$ equations over $P = \{P_1, \ldots, P_r\}$ variables.

  23. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - Equivalent reduced system of $q$ equations:
       - $P_{\phi(n_1)} \oplus P_{\phi(t_1)} = \lambda_1$
       - $P_{\phi(n_2)} \oplus P_{\phi(t_2)} = \lambda_2$
       - $\ldots$
       - $P_{\phi(n_q)} \oplus P_{\phi(t_q)} = \lambda_q$
     - System of $q$ equations over $P = \{P_1, \ldots, P_r\}$ variables.
     - Goal of Mirror Theory: Lower bound the number of solutions to $P$ such that $P_a \neq P_b$ for $a \neq b \in \{1, \ldots, r\}$.

  24. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - System of Equations:
       - $r$ distinct unknowns
       - System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \ldots, q\}$
       - Index mapping function $\phi : \{n_1, t_1, \ldots, n_q, t_q\} \to \{1, \ldots, r\}$

  25. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - System of Equations:
       - $r$ distinct unknowns
       - System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \ldots, q\}$
       - Index mapping function $\phi : \{n_1, t_1, \ldots, n_q, t_q\} \to \{1, \ldots, r\}$
     - Graph Based View: Circle
       - [Graph; nodes $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_3)} = P_{\phi(t_2)}$; edge labels $\lambda_1$, $\lambda_2$, $\lambda_3$]

  26. Mirror Theory and Extended Mirror Theory: Patarin's Mirror Theory
     - System of Equations:
       - $r$ distinct unknowns
       - System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \ldots, q\}$
       - Index mapping function $\phi : \{n_1, t_1, \ldots, n_q, t_q\} \to \{1, \ldots, r\}$
     - Graph Based View: Degenerate Circle
       - [Graph; nodes $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_2)} = P_{\phi(t_3)}$; edge labels $\lambda_1$, $\lambda_2$, $\lambda_3$, $\lambda_1 + \lambda_2$]
       - [Graph; nodes $P_{\phi(n_1)}$, $P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_3)} = P_{\phi(t_2)}$; edge labels $\lambda_1$, $\lambda_2$]
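
The graph-based view of slides 24 to 26, as an added example that is not taken from the slides or the paper: unknowns are vertices, each equation $P_a \oplus P_b = \lambda$ is a labelled edge, and a XOR-weighted union-find flags circles and degenerate (forced-equal) unknowns. The function names `classify` and `count_distinct_solutions`, the 0-based indices and the three sample systems are constructed for illustration; the brute-force counter is only practical for very small $n$.

```python
# Added illustration; classify() and count_distinct_solutions() are hypothetical names.
from itertools import product

def classify(r, eqs):
    """eqs holds (a, b, lam) for P_a xor P_b = lam, with a, b in 0..r-1.
    Returns "circle", "degenerate" or "ok"."""
    parent = list(range(r))
    off = [0] * r  # off[v] = P_v xor P_root(v), fixed by the equations seen so far

    def find(v):
        if parent[v] != v:
            p = parent[v]
            root = find(p)
            off[v] ^= off[p]   # re-base the offset from p to the root
            parent[v] = root
        return parent[v]

    for a, b, lam in eqs:
        ra, rb = find(a), find(b)
        if ra == rb:
            # the edge closes a cycle: the equation is redundant or contradictory
            return "circle"
        parent[ra] = rb
        off[ra] = off[a] ^ off[b] ^ lam

    seen = set()
    for v in range(r):
        key = (find(v), off[v])
        if key in seen:
            # a path whose lambdas xor to 0 forces two unknowns to be equal
            return "degenerate"
        seen.add(key)
    return "ok"

def count_distinct_solutions(n, r, eqs):
    """Exhaustive count of n-bit assignments with pairwise distinct P_0..P_{r-1}."""
    return sum(
        1
        for vals in product(range(2 ** n), repeat=r)
        if len(set(vals)) == r and all(vals[a] ^ vals[b] == lam for a, b, lam in eqs)
    )

# Constructed sample systems (not from the slides), intended for n = 3 bits.
OK_SYSTEM = [(0, 1, 1), (2, 3, 2)]
DEGENERATE = [(0, 1, 5), (0, 2, 5)]          # lambda_1 xor lambda_2 = 0
CIRCLE = [(0, 1, 1), (1, 2, 2), (2, 0, 3)]
```

A system classified as "degenerate" has no solution with pairwise distinct unknowns, which is why the counting goal on slide 23 is stated only for systems that avoid such components.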
