
Linking OAE and Blockwise Attack Models (Fast Software Encryption 2017), presentation slides



  1. Linking OAE and Blockwise Attack Models
     Fast Software Encryption 2017
     Guillaume Endignoux, Damian Vizár (EPFL, Switzerland)
     Wednesday 8th March, 2017
     This work was partially supported by Microsoft Research.
     G. Endignoux, D. Vizár (EPFL), Linking OAE & blockwise attack models, FSE 2017, slide 1 / 20


  3. Introduction
     Authenticated encryption: confidentiality & authentication in one primitive.
     Ongoing CAESAR competition on authenticated encryption (2014 – 2017) ⇒ most proposed schemes are online.
     [Figure: message blocks M[1] ... M[j] ... M[n] mapped to ciphertext blocks C[1] ... C[j] ... C[n]]
     Online authenticated encryption: computable on the fly, constant memory.


  5. Introduction
     Security notions to capture AE:
     - AE with associated data (AEAD) [Rogaway, 2002]
     - Nonce-misuse resistant AE (MRAE) [Rogaway et al., 2006] ⇒ cannot be online!
     - Online nonce-misuse resistant AE (OAE) [Fleischmann et al., 2012]
     - Older notions for blockwise-adaptive adversaries [Fouque et al., 2003]
     ⇒ What are the relations between these notions?
     Main contribution: we prove equivalence between OAE and the blockwise notions, modulo a new PR-TAG notion.

  6. Online authenticated encryption
     We consider the setting of [Fleischmann et al., 2012].
     Online authenticated encryption scheme Π = (K, E, D):
     - finite key space K
     - deterministic algorithms E and D
     [Figure: E takes (K, H, M) and outputs (C, T); D takes (K, H, (C, T)) and outputs M or ⊥]
     Required properties:
     - correctness: D(K, H, E(K, H, M)) = M
     - onlineness: Core ∘ E(K, H, ·) ∈ OPerm[n]

  7. Online authenticated encryption
     [Figure: header H and message blocks M[1] ... M[j] ... M[n] mapped to ciphertext blocks C[1] ... C[j] ... C[n] and tag T]
     - blocks of n bits: B_n = {0,1}^n
     - message space: B_n^*
     - header space: H (e.g. {0,1}^*) = nonce + associated data
     - tag space: T = B_τ (τ bits)
     - ciphertext space: C = B_n^* × T (core ciphertext blocks + authentication tag)

  8. Online authenticated encryption
     We model encryption by online permutations of B_n^*.
     [Figure: π ∈ OPerm[n] maps M[1] ... M[j] ... M[n] to C[1] ... C[j] ... C[n]]
     C[j] depends only on M[1], ..., M[j].
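A toy deterministic online AE scheme with a check of the correctness and onlineness properties from slides 6 to 8, added here as an illustration; it is not the paper's construction. HMAC-SHA256 stands in for the keyed primitive, and the key, header, block size and sample messages are constructed values.

```python
import hashlib, hmac

# Constructed toy parameters: 16-byte blocks (n = 128 bits) and a 16-byte tag.
N = 16

def _prf(key, *parts):
    # HMAC-SHA256 stands in for the keyed primitive of a real scheme (assumption).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:N]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def core_encrypt(key, header, blocks):
    """Core ∘ E(K, H, ·): CFB-style chaining, so C[j] depends only on M[1..j]."""
    out, prev = [], bytes(N)
    for j, m in enumerate(blocks, 1):
        c = _xor(m, _prf(key, b"core", header, prev, j.to_bytes(4, "big")))
        out.append(c)
        prev = c
    return out

def core_decrypt(key, header, cblocks):
    out, prev = [], bytes(N)
    for j, c in enumerate(cblocks, 1):
        out.append(_xor(c, _prf(key, b"core", header, prev, j.to_bytes(4, "big"))))
        prev = c
    return out

def encrypt(key, header, blocks):
    """E(K, H, M) = (core ciphertext blocks, tag over the header and all blocks)."""
    c = core_encrypt(key, header, blocks)
    return c, _prf(key, b"tag", header, b"".join(c))

def decrypt(key, header, cblocks, tag):
    """D(K, H, (C, T)): the message, or None standing for ⊥ when the tag is wrong."""
    if not hmac.compare_digest(tag, _prf(key, b"tag", header, b"".join(cblocks))):
        return None
    return core_decrypt(key, header, cblocks)

def llcp(a, b):
    """Length of the longest common prefix of two block sequences."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i

def onlineness_holds(key, header, m1, m2):
    """Online permutation: ciphertexts agree on exactly the blocks where the messages agree
    (prefix preserved; a differing M[j] gives a differing C[j] since each step is a permutation)."""
    return llcp(core_encrypt(key, header, m1), core_encrypt(key, header, m2)) == llcp(m1, m2)
```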


  10. Security notions
      We consider the following notions:
      - OAE [Fleischmann et al., 2012] ⇒ indistinguishability from an idealized primitive
      - blockwise privacy [Fouque et al., 2003-2004] ⇒ left-or-right sequential blockwise CPA
      - blockwise integrity [Fouque et al., 2003] ⇒ existential forgery of ciphertext



  13. OAE security
      Game OAE-REAL
        proc Initialize
          K ←$ K   (key sampled uniformly from the key space)
        proc Enc(H, M)
          return E(K, H, M)
        proc Dec(H, C)
          return D(K, H, C)

      Game OAE-IDEAL
        proc Initialize
          for all H ∈ H do π_H ←$ OPerm[n]
          for all (H, M) ∈ H × B_n^* do T_{H,M} ←$ T
        proc Enc(H, M)
          return (π_H(M), T_{H,M})
        proc Dec(H, C)
          return ⊥

      Adv^{OAE}_Π(A) = Pr[A^{OAE-REAL_Π} ⇒ 1] − Pr[A^{OAE-IDEAL_Π} ⇒ 1]



  16. Blockwise privacy
      Game LORS-BCPA
        proc Initialize
          K ←$ K
          b ←$ {0,1}
          Ĥ ← ⊥; M̂ ← ε; j ← 0
        proc LR(H, P_0, P_1)
          if Ĥ = ⊥ then Ĥ ← H
          M̂ ← M̂ || P_b
          C ← Core(E(K, Ĥ, M̂))
          j ← j + 1
          return C[j]
        proc GetTag(H)
          if Ĥ = ⊥ then Ĥ ← H
          T ← Tag(E(K, Ĥ, M̂))
          Ĥ ← ⊥; M̂ ← ε; j ← 0
          return T
        proc Finalize(d)
          return d = b

      Adv^{D-LORS-BCPA}_Π(A) = 2 · Pr[A^{LORS-BCPA_Π} ⇒ 1] − 1

  17. Blockwise privacy: deterministic schemes?
      Issue with deterministic left-or-right indistinguishability: trivial attacks possible.
        Query a:  left L_0, L_1   right R_0, R_1
        Query b:  left L_0, L_2   right R_2, R_3
      ⇒ Compare C_a[0] and C_b[0] to distinguish between left and right.

  18. Blockwise privacy: deterministic schemes?
      We define the online-respecting condition to avoid these attacks. Valid adversaries must respect it.
        LLCP(L_a, L_b) = LLCP(R_a, R_b)  if H_a = H_b      (LLCP: length of the longest common prefix)
      [Figure: left queries L_a[1] ... L_a[j] ... L_a[n] and L_b[1] ... L_b[j] ... L_b[p] share a common prefix of the same length as right queries R_a[1] ... R_a[j] ... R_a[n] and R_b[1] ... R_b[j] ... R_b[p]]
      Equivalently (Proposition 1): ∃ σ_H ∈ OPerm[n] s.t. L_i = σ_{H_i}(R_i)
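The online-respecting condition as a checker over an adversary's LR/GetTag transcript, added here as an illustration and not taken from the paper; it mirrors the (Ĥ, M̂) state of the LORS-BCPA game to group calls into sessions. The block labels and the two transcripts, including slide 17's query pair, are constructed.

```python
from itertools import combinations

def llcp(a, b):
    """Length of the longest common prefix of two block sequences."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i

def sessions(transcript):
    """Group LR/GetTag calls into sessions the way the game does: the first LR (or GetTag)
    after a reset fixes Ĥ, later headers in the session are ignored, GetTag resets the state.
    Returns one (H, left blocks, right blocks) triple per session."""
    out, H, L, R = [], None, [], []
    for call in transcript:
        if call[0] == "LR":
            _, h, p0, p1 = call
            if H is None:
                H = h
            L.append(p0)
            R.append(p1)
        elif call[0] == "GetTag":
            if H is None:
                H = call[1]
            out.append((H, L, R))
            H, L, R = None, [], []
        else:
            raise ValueError("unknown oracle call: %r" % (call[0],))
    if H is not None:
        out.append((H, L, R))  # an unfinished session still counts
    return out

def online_respecting(transcript):
    """Valid adversary: for every pair of sessions with equal header, LLCP(L_a, L_b) = LLCP(R_a, R_b)."""
    for (Ha, La, Ra), (Hb, Lb, Rb) in combinations(sessions(transcript), 2):
        if Ha == Hb and llcp(La, Lb) != llcp(Ra, Rb):
            return False
    return True

# Slide 17's trivial attack as a transcript (constructed labels): left sides share one block,
# right sides share none, so the first ciphertext block leaks b.
BAD = [("LR", "H", "L0", "R0"), ("LR", "H", "L1", "R1"), ("GetTag", "H"),
       ("LR", "H", "L0", "R2"), ("LR", "H", "L2", "R3"), ("GetTag", "H")]
# Same left messages, but the right messages now share the same one-block prefix.
GOOD = [("LR", "H", "L0", "R0"), ("LR", "H", "L1", "R1"), ("GetTag", "H"),
        ("LR", "H", "L0", "R0"), ("LR", "H", "L2", "R3"), ("GetTag", "H")]
```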



  21. Blockwise integrity
      Game B-INT-CTXT
        proc Initialize
          win ← 0
          K ←$ K
          X ← ∅
          Ĥ ← ⊥; M̂ ← ε; j ← 0
        proc Enc(H, P)
          if Ĥ = ⊥ then Ĥ ← H
          M̂ ← M̂ || P
          C ← Core(E(K, Ĥ, M̂))
          j ← j + 1
          return C[j]
        proc GetTag(H)
          if Ĥ = ⊥ then Ĥ ← H
          C ← E(K, Ĥ, M̂)
          X ← X ∪ {(Ĥ, C)}
          Ĥ ← ⊥; M̂ ← ε; j ← 0
          return Tag(C)
        proc Dec(H, C)
          M ← D(K, H, C)
          if (H, C) ∈ X then M ← ⊥
          if M ≠ ⊥ then win ← 1
          return M
        proc Finalize()
          return win

      Adv^{B-INT-CTXT}_Π(A) = Pr[A^{B-INT-CTXT_Π} ⇒ 1]

  22. Main results
      [Diagram of the relations between notions, shown in the paper:]
        Prop. 2:            D-LORS-BCPA ∧ B-INT-CTXT  and  OAE
        Thms. 1, 2, 3 and Thm. 4:  OAE  and  D-LORS-BCPA ∧ B-INT-CTXT ∧ PR-TAG
