
Linking OAE and Blockwise Attack Models, Fast Software Encryption (PowerPoint presentation)



  1. Linking OAE and Blockwise Attack Models
     Fast Software Encryption 2017
     Guillaume Endignoux (1, 2), Damian Vizár (1)
     (1) EPFL, Switzerland; (2) Kudelski Security
     Wednesday 8th March, 2017
     This work was partially supported by Microsoft Research.
     G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 1 / 20

  2. Introduction
     Authenticated encryption: confidentiality & authentication in one primitive.
     Ongoing CAESAR competition on authenticated encryption (2014 – 2017) ⇒ most proposed schemes are online.
     [Diagram: blocks M[1] ... M[j] ... M[n] are mapped block by block to C[1] ... C[j] ... C[n]]
     Online authenticated encryption: computable on the fly, constant memory.

  3. Introduction
     Security notions to capture AE:
       AE with associated data (AEAD) [Rogaway, 2002]
       Nonce-misuse resistant AE (MRAE) [Rogaway et al., 2006] ⇒ cannot be online!
       Online nonce-misuse resistant AE (OAE) [Fleischmann et al., 2012]
       Older notions for blockwise-adaptive adversaries [Fouque et al., 2003]
     ⇒ What are the relations between these notions?
     Main contribution: we prove equivalence between OAE and the blockwise notions, modulo a new PR-TAG notion.

  4. Online authenticated encryption
     We consider the setting of [Fleischmann et al., 2012].
     Online authenticated encryption scheme Π = (K, E, D):
       finite key space K
       deterministic algorithms E and D
     [Diagram: E takes K, H and M and outputs (C, T); D takes K, H and (C, T) and outputs M or ⊥]
     Required properties:
       correctness: D(K, H, E(K, H, M)) = M
       onlineness: Core ∘ E(K, H, ·) ∈ OPerm[n]

  5. Online authenticated encryption
     [Diagram: header H and blocks M[1] ... M[j] ... M[n] are mapped to C[1] ... C[j] ... C[n] and tag T]
     blocks of n bits: B_n = {0, 1}^n
     message space: B_n^*
     header space: H (e.g. {0, 1}^*) = nonce + associated data
     tag space: T = B_τ (τ bits)
     ciphertext space: C = B_n^* × T (core ciphertext blocks + authentication tag)

  6. Online authenticated encryption
     We model encryption by online permutations of B_n^*.
     [Diagram: π ∈ OPerm[n] maps M[1] ... M[j] ... M[n] to C[1] ... C[j] ... C[n]]
     C[j] depends only on M[1], ..., M[j].
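The onlineness property "C[j] depends only on M[1], ..., M[j]" can be tested concretely. The following is an added Python example, not code from the slides or the paper: a constructed toy online permutation of B_8^* (CBC chaining with a fixed IV over a key-seeded byte permutation that stands in for a block cipher) is checked through the defining property of an online permutation, namely that ciphertexts keep exactly the same length and the same longest common prefix (LLCP) as the plaintexts for every pair of messages. A second, equally constructed bijection that encrypts blocks in reverse order fails the check because its first output block depends on the last input block. The names `keyed_block_perm`, `cbc_core`, `reversed_core`, `is_online` and the sample messages are this example's own assumptions.

```python
# Added example (not part of the FSE 2017 slides or paper). Toy parameters:
# n = 8-bit blocks; a key-seeded byte permutation stands in for a block cipher.
import random
from typing import Callable, List, Sequence

Blocks = List[int]  # a message in B_8^* is a list of byte-sized blocks


def llcp(a: Sequence, b: Sequence) -> int:
    """Length of the longest common prefix, counted in blocks."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


def keyed_block_perm(key: int):
    """Constructed stand-in for a block cipher: a key-seeded permutation
    of {0, ..., 255} together with its inverse table."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def cbc_core(key: int, M: Blocks) -> Blocks:
    """CBC chaining with a fixed zero IV: C[j] = P(C[j-1] xor M[j]).
    Each C[j] depends only on M[1..j], so this is an online permutation."""
    table, _ = keyed_block_perm(key)
    C, prev = [], 0
    for m in M:
        prev = table[prev ^ m]
        C.append(prev)
    return C


def cbc_core_inverse(key: int, C: Blocks) -> Blocks:
    """Inverse of cbc_core; confirms it is a permutation of B_8^*."""
    _, inverse = keyed_block_perm(key)
    M, prev = [], 0
    for c in C:
        M.append(inverse[c] ^ prev)
        prev = c
    return M


def reversed_core(key: int, M: Blocks) -> Blocks:
    """Counterexample (constructed): a length-preserving bijection that encrypts
    the blocks in reverse order, so C[1] already depends on M[n]. Not online."""
    table, _ = keyed_block_perm(key)
    return [table[m] for m in reversed(M)]


def is_online(core: Callable[[int, Blocks], Blocks], key: int,
              samples: Sequence[Blocks]) -> bool:
    """Test the OPerm[n] property on a sample set: every ciphertext has the
    length of its plaintext, and every pair of ciphertexts shares exactly the
    LLCP of the corresponding plaintexts. A violation means some C[j] depends
    on a block beyond M[j] (or on the message length)."""
    for M in samples:
        if len(core(key, M)) != len(M):
            return False
    for i, M1 in enumerate(samples):
        for M2 in samples[i + 1:]:
            if llcp(core(key, M1), core(key, M2)) != llcp(M1, M2):
                return False
    return True


# Constructed sample messages: shared prefixes, different lengths, and ε.
SAMPLES: List[Blocks] = [[1, 2, 3], [1, 2, 4], [1, 5], [9], [1, 2, 3, 3], []]

if __name__ == "__main__":
    print("cbc_core online:", is_online(cbc_core, 42, SAMPLES))            # True
    print("reversed_core online:", is_online(reversed_core, 42, SAMPLES))  # False
```

A sample-based check like `is_online` can only refute onlineness, never prove it; the slides' condition is a statement about all message pairs, which is why the paper argues about OPerm[n] structurally rather than by testing.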

  7. Security notions
     We consider the following notions:
       OAE [Fleischmann et al., 2012] ⇒ indistinguishability from an idealized primitive
       blockwise privacy [Fouque et al., 2003-2004] ⇒ left-or-right sequential blockwise CPA
       blockwise integrity [Fouque et al., 2003] ⇒ existential forgery of ciphertext

  8. OAE security
     Game OAE-REAL_Π
       proc Initialize
         K ←$ K
       proc Enc(H, M)
         return E(K, H, M)
       proc Dec(H, C)
         return D(K, H, C)
     Game OAE-IDEAL_Π
       proc Initialize
         for all H ∈ H do π_H ←$ OPerm[n]
         for all (H, M) ∈ H × B_n^* do T_{H,M} ←$ T
       proc Enc(H, M)
         return (π_H(M), T_{H,M})
       proc Dec(H, C)
         return ⊥
     Adv^OAE_Π(A) = Pr[A^{OAE-REAL_Π} ⇒ 1] − Pr[A^{OAE-IDEAL_Π} ⇒ 1]

  9. Blockwise privacy
     Game LORS-BCPA_Π
       proc Initialize
         K ←$ K; b ←$ {0, 1}
         Ĥ ← ⊥; M̂ ← ε; j ← 0
       proc LR(H, P_0, P_1)
         if Ĥ = ⊥ then Ĥ ← H
         M̂ ← M̂ || P_b
         C ← Core(E(K, Ĥ, M̂))
         j ← j + 1
         return C[j]
       proc GetTag(H)
         if Ĥ = ⊥ then Ĥ ← H
         T ← Tag(E(K, Ĥ, M̂))
         Ĥ ← ⊥; M̂ ← ε; j ← 0
         return T
       proc Finalize(d)
         return d = b
     Adv^{D-LORS-BCPA}_Π(A) = 2 · Pr[A^{LORS-BCPA_Π} ⇒ 1] − 1

  10. Blockwise privacy: deterministic schemes?
     Issue with deterministic left-or-right indistinguishability: trivial attacks are possible.
       Query a: left L0 L1, right R0 R1
       Query b: left L0 L2, right R2 R3
     ⇒ Compare C_a[0] and C_b[0] to distinguish between left and right.

  11. Blockwise privacy: deterministic schemes?
     We define the online-respecting condition to avoid these attacks. Valid adversaries must respect it.
       LLCP(L_a, L_b) = LLCP(R_a, R_b) if H_a = H_b   (LLCP: length of the longest common prefix)
     [Diagram: left queries L_a[1] ... L_a[j] ... L_a[n] and L_b[1] ... L_b[j] ... L_b[p] share the same prefix length as the right queries R_a[1] ... R_a[j] ... R_a[n] and R_b[1] ... R_b[j] ... R_b[p]]
     Equivalently (Proposition 1): ∃ σ_H ∈ OPerm[n] s.t. L_i = σ_{H_i}(R_i)
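The online-respecting condition is a syntactic restriction on the adversary's queries, so it can be checked mechanically on a transcript. The following is an added Python example, not code from the slides or the paper: it regroups a sequence of LR and GetTag oracle calls into per-query (Ĥ, L, R) triples using the same state handling as the LORS-BCPA game (Ĥ fixed by the first call of a query, cleared by GetTag), then tests LLCP(L_a, L_b) = LLCP(R_a, R_b) for every pair of queries under the same header. The two queries of the trivial attack on the previous slide are rejected, and a constructed variant whose right-hand prefixes match is accepted. The functions `group_queries`, `violations`, `is_online_respecting` and the transcripts are this example's own assumptions; block names such as `L0` and `R2` are the slide's symbols used as constructed string blocks.

```python
# Added example (not part of the FSE 2017 slides or paper): check the
# online-respecting condition on a LORS-BCPA oracle transcript.
from typing import List, Optional, Sequence, Tuple

Query = Tuple[str, List[str], List[str]]  # (header, left blocks, right blocks)


def llcp(a: Sequence, b: Sequence) -> int:
    """Length of the longest common prefix, counted in blocks."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


def group_queries(calls: Sequence[tuple]) -> List[Query]:
    """calls is a transcript of ("LR", H, P0, P1) and ("GetTag", H) tuples.
    Mirrors the game state: the header comes from the first call of a query
    and the accumulated message is cleared when GetTag is called."""
    queries: List[Query] = []
    H_hat: Optional[str] = None
    L: List[str] = []
    R: List[str] = []
    for call in calls:
        if call[0] == "LR":
            _, H, P0, P1 = call
            if H_hat is None:
                H_hat = H
            L.append(P0)
            R.append(P1)
        elif call[0] == "GetTag":
            _, H = call
            if H_hat is None:
                H_hat = H
            queries.append((H_hat, L, R))
            H_hat, L, R = None, [], []
        else:
            raise ValueError(f"unknown oracle call {call[0]!r}")
    if H_hat is not None:  # a query still in progress when the adversary stops
        queries.append((H_hat, L, R))
    return queries


def violations(queries: Sequence[Query]) -> List[Tuple[int, int, int, int]]:
    """Pairs (a, b, LLCP(L_a, L_b), LLCP(R_a, R_b)) that break the condition.
    Queries under different headers are unconstrained."""
    bad = []
    for a in range(len(queries)):
        for b in range(a + 1, len(queries)):
            Ha, La, Ra = queries[a]
            Hb, Lb, Rb = queries[b]
            if Ha != Hb:
                continue
            left, right = llcp(La, Lb), llcp(Ra, Rb)
            if left != right:
                bad.append((a, b, left, right))
    return bad


def is_online_respecting(calls: Sequence[tuple]) -> bool:
    return not violations(group_queries(calls))


# The two queries of the slide's trivial attack, issued under the same header.
TRIVIAL_ATTACK = [
    ("LR", "H", "L0", "R0"), ("LR", "H", "L1", "R1"), ("GetTag", "H"),
    ("LR", "H", "L0", "R2"), ("LR", "H", "L2", "R3"), ("GetTag", "H"),
]

# Constructed variant: the right-hand queries share the prefix R0, so both
# sides have LLCP 1 and the adversary is valid.
VALID_QUERIES = [
    ("LR", "H", "L0", "R0"), ("LR", "H", "L1", "R1"), ("GetTag", "H"),
    ("LR", "H", "L0", "R0"), ("LR", "H", "L2", "R3"), ("GetTag", "H"),
]

if __name__ == "__main__":
    print(violations(group_queries(TRIVIAL_ATTACK)))   # [(0, 1, 1, 0)]
    print(is_online_respecting(VALID_QUERIES))         # True
```

The `violations` output names the offending pair and the two prefix lengths, which is the information a reduction needs when it rejects an adversary as invalid rather than silently giving it advantage 0.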

  12. Blockwise integrity
     Game B-INT-CTXT_Π
       proc Initialize
         win ← 0; K ←$ K; X ← ∅
         Ĥ ← ⊥; M̂ ← ε; j ← 0
       proc Enc(H, P)
         if Ĥ = ⊥ then Ĥ ← H
         M̂ ← M̂ || P
         C ← Core(E(K, Ĥ, M̂))
         j ← j + 1
         return C[j]
       proc GetTag(H)
         if Ĥ = ⊥ then Ĥ ← H
         C ← E(K, Ĥ, M̂)
         X ← X ∪ {(Ĥ, C)}
         Ĥ ← ⊥; M̂ ← ε; j ← 0
         return Tag(C)
       proc Dec(H, C)
         M ← D(K, H, C)
         if (H, C) ∈ X then M ← ⊥
         if M ≠ ⊥ then win ← 1
         return M
       proc Finalize()
         return win
     Adv^{B-INT-CTXT}_Π(A) = Pr[A^{B-INT-CTXT_Π} ⇒ 1]
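The B-INT-CTXT game, and the blockwise Enc/GetTag state (Ĥ, M̂, j) it shares with LORS-BCPA, can be run as code against a concrete scheme. The following is an added Python example, not code from the slides or the paper: a constructed toy online AE scheme (each block XORed with a keystream byte derived from the header and block position, tag = truncated HMAC over header and message; `KEY`, `core`, `tag`, `encrypt`, `decrypt` are all assumptions of this example) is plugged into a `BIntCtxtGame` class that follows the game's procedures line by line. Two scripted adversaries, `run_replay` and `run_bit_flip`, show the two sides of the win condition: replaying an oracle output is excluded by the set X, and a modified core block is rejected by the tag check, whereas a deliberately broken variant that skips tag verification (`verify=False`) lets the game record a forgery.

```python
# Added example (not part of the FSE 2017 slides or paper): the B-INT-CTXT
# game run against a constructed toy online AE. Toy parameters: 8-bit blocks,
# keystream and tag derived with HMAC-SHA256 from a fixed key (all constructed).
import hashlib
import hmac
from typing import List, Optional, Set, Tuple

Blocks = List[int]                  # message / core ciphertext: list of bytes
Ciphertext = Tuple[Blocks, bytes]   # (core ciphertext blocks, tag)
KEY = b"constructed-toy-key"        # constructed; a real key is sampled from K


def _keystream(key: bytes, H: str, j: int) -> int:
    """Keystream byte for block position j under header H (toy PRF via HMAC)."""
    return hmac.new(key, f"{H}|{j}".encode(), hashlib.sha256).digest()[0]


def core(key: bytes, H: str, M: Blocks) -> Blocks:
    """C[j] = M[j] xor keystream(H, j): depends only on M[j], so Core ∘ E(K, H, ·)
    is an online permutation, and XOR makes it its own inverse."""
    return [m ^ _keystream(key, H, j) for j, m in enumerate(M, 1)]


def tag(key: bytes, H: str, M: Blocks) -> bytes:
    """64-bit toy tag: truncated HMAC over the header and the whole message."""
    return hmac.new(key, f"{H}|".encode() + bytes(M), hashlib.sha256).digest()[:8]


def encrypt(key: bytes, H: str, M: Blocks) -> Ciphertext:
    """E(K, H, M) = (Core, Tag)."""
    return core(key, H, M), tag(key, H, M)


def decrypt(key: bytes, H: str, C: Ciphertext, verify: bool = True) -> Optional[Blocks]:
    """D(K, H, C): the message, or None standing for ⊥. verify=False models a
    broken scheme that never checks the tag, to show how the game catches it."""
    blocks, T = C
    M = core(key, H, blocks)
    if verify and not hmac.compare_digest(T, tag(key, H, M)):
        return None
    return M


class BIntCtxtGame:
    """Game B-INT-CTXT from the slides. Enc/GetTag keep the blockwise state
    (Ĥ, M̂, j) exactly as LORS-BCPA does; Dec consults the forbidden set X."""

    def __init__(self, key: bytes, verify: bool = True):   # proc Initialize
        self.key, self.verify = key, verify
        self.win = 0
        self.X: Set[Tuple[str, Tuple[int, ...], bytes]] = set()
        self.H_hat: Optional[str] = None                   # Ĥ ← ⊥
        self.M_hat: Blocks = []                            # M̂ ← ε
        self.j = 0

    def enc(self, H: str, P: int) -> int:                  # proc Enc(H, P)
        if self.H_hat is None:
            self.H_hat = H
        self.M_hat = self.M_hat + [P]                      # M̂ ← M̂ || P
        C = core(self.key, self.H_hat, self.M_hat)
        self.j += 1
        return C[self.j - 1]                               # return C[j], 1-indexed

    def get_tag(self, H: str) -> bytes:                    # proc GetTag(H)
        if self.H_hat is None:
            self.H_hat = H
        blocks, T = encrypt(self.key, self.H_hat, self.M_hat)
        self.X.add((self.H_hat, tuple(blocks), T))          # X ← X ∪ {(Ĥ, C)}
        self.H_hat, self.M_hat, self.j = None, [], 0
        return T

    def dec(self, H: str, C: Ciphertext) -> Optional[Blocks]:   # proc Dec(H, C)
        M = decrypt(self.key, H, C, self.verify)
        if (H, tuple(C[0]), C[1]) in self.X:               # oracle outputs never count
            M = None
        if M is not None:
            self.win = 1
        return M

    def finalize(self) -> int:                             # proc Finalize()
        return self.win


def run_replay(verify: bool = True) -> int:
    """Adversary that only replays an oracle output: never a forgery."""
    g = BIntCtxtGame(KEY, verify)
    blocks = [g.enc("hdr", p) for p in [0x41, 0x42, 0x43]]
    T = g.get_tag("hdr")
    g.dec("hdr", (blocks, T))
    return g.finalize()


def run_bit_flip(verify: bool = True) -> int:
    """Adversary that submits one modified core block with the original tag."""
    g = BIntCtxtGame(KEY, verify)
    blocks = [g.enc("hdr", p) for p in [0x41, 0x42, 0x43]]
    T = g.get_tag("hdr")
    blocks[0] ^= 0x01
    g.dec("hdr", (blocks, T))
    return g.finalize()
```

Because the oracle returns only C[j] after each Enc call, the game captures the blockwise-adaptive setting directly: the adversary chooses block j+1 after having seen block j, while the tag (and thus the entry added to X) is only fixed once GetTag closes the query.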

  13. Main results
     [Diagram of relations between the notions:]
       D-LORS-BCPA ∧ B-INT-CTXT and OAE, linked by Prop. 2
       OAE and D-LORS-BCPA ∧ B-INT-CTXT ∧ PR-TAG, linked by Thms. 1, 2, 3 and Thm. 4
     Relations between notions shown in the paper.
