
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security (PowerPoint presentation)

Tetsu Iwata, Ibaraki University. March 17, 2006. Fast Software Encryption, FSE 2006, Graz, Austria, March 15–17, 2006.


  1. New Blockcipher Modes of Operation with Beyond the Birthday Bound Security
      Tetsu Iwata, Ibaraki University. March 17, 2006.
      Fast Software Encryption, FSE 2006, Graz, Austria, March 15–17, 2006

  2. Blockcipher Modes
      Algorithms that provide
      • privacy (encryption mode)
      • authenticity (MAC)
      • privacy and authenticity (AE mode)
      • ...
      based on blockciphers.

  3. Blockcipher Modes
      Algorithms that provide
      ⊲ privacy (encryption mode)
      • authenticity (MAC)
      ⊲ privacy and authenticity (AE mode)
      • ...
      based on blockciphers. (⊲ marks the two kinds of mode this talk is about.)

  4. Known Encryption Modes
      ⊲ CTR
      • CBC
      • OFB
      • CFB
      • ECB
      • ...

  5. CTR
      Figure (keystream diagram): starting from ctr, the counter is incremented (inc) once per block; each counter value is encrypted under $E_K$, and the outputs are $S_0, S_1, \dots, S_7$.
      • $S = (S_0, S_1, \dots, S_7)$: keystream
      • Encryption: $C = M \oplus S$
      • Decryption: $M = C \oplus S$

  6. Advantages of CTR
      • provable security
      • security proofs with the standard PRP assumption
      • highly efficient
      • single blockcipher key
      • fully parallelizable
      • allows precomputation of keystream
      • allows random access

  7. Security Definition
      • "Indistinguishability from random strings" (Rogaway, Bellare, Black, Krovetz, '03)
      • Scenario: adaptive chosen plaintext attack
      • Goal: to distinguish between
        – "real ciphertext"
        – "truly random string" (of the same length as the ciphertext)

  8. Keystream Generation Part of CTR
      Figure: the keystream part of the CTR diagram (ctr, inc per block, $E_K$ per block, outputs $S_0, \dots, S_7$).
      $S_i \ne S_j$ for $i \ne j$, since the counter values are distinct and $E_K(\cdot)$ is a permutation.

  9. Keystream Generation Part of CTR
      • If $S = (S_0, \dots, S_{\sigma-1})$ is the keystream of CTR, $\Pr(S_i = S_j \text{ for some } i \ne j) = 0$.
      • If $S = (S_0, \dots, S_{\sigma-1})$ is a truly random string,
        $\dfrac{0.3\,\sigma(\sigma-1)}{2^n} \le \Pr(S_i = S_j \text{ for some } i \ne j) \le \dfrac{0.5\,\sigma(\sigma-1)}{2^n}$.
        ($n$: length of $S_i$ in bits, the block size of $E$)

  10. Keystream Generation Part of CTR
      • For any $A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le \dfrac{0.5\,\sigma(\sigma-1)}{2^n}$ (Birthday Bound).
      • There exists $A$ such that $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) > \dfrac{0.3\,\sigma(\sigma-1)}{2^n}$:
        ⊲ $A$ guesses "random string" if there is a collision.
        ⊲ Otherwise $A$ guesses "ciphertext of CTR."

  11. Security of CTR
      CTR can NOT have beyond the birthday bound security (as long as $E_K(\cdot)$ is a permutation).
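The argument of slides 8 to 11, run as an experiment. This is an added example, not code from the slides or from the author: it builds a toy keyed permutation on 12-bit blocks (a seeded shuffle, not a cipher; the argument only needs $E_K$ to be a permutation), generates the CTR keystream from it, and runs the collision adversary $A$ of slide 10 against both a CTR keystream and a truly random string of the same length. The block size, the number of blocks $\sigma = 48$ and the trial count are constructed parameters; the lower bound $0.3\,\sigma(\sigma-1)/2^n$ is the one from slide 9.

```python
import random

N = 12                 # toy block size n in bits (constructed; AES has n = 128)
SPACE = 1 << N         # number of distinct n-bit blocks


def make_toy_permutation(key: int):
    """Stand-in for the blockcipher E_K: a key-seeded random permutation table.
    Constructed for the demo and not a cipher; slides 8-11 only use the fact
    that E_K(.) is a permutation."""
    table = list(range(SPACE))
    random.Random(key).shuffle(table)
    return table.__getitem__


def ctr_keystream(E, ctr: int, sigma: int):
    """Keystream part of CTR (slide 8): S_i = E_K(ctr + i), counter taken mod 2^n."""
    return [E((ctr + i) % SPACE) for i in range(sigma)]


def has_collision(stream) -> bool:
    """True iff S_i = S_j for some i != j."""
    return len(set(stream)) < len(stream)


def birthday_bounds(sigma: int, n: int = N):
    """Slide 9: lower and upper bound on the collision probability of a truly
    random sigma-block string, 0.3*sigma*(sigma-1)/2^n and 0.5*sigma*(sigma-1)/2^n."""
    pairs = sigma * (sigma - 1)
    return 0.3 * pairs / 2 ** n, 0.5 * pairs / 2 ** n


def distinguisher(stream) -> int:
    """The adversary A of slide 10: answers 1 ("random string") iff it sees a collision."""
    return 1 if has_collision(stream) else 0


def estimate_advantage(sigma: int, trials: int, seed: int = 2006) -> float:
    """Empirical Adv^priv_CTR(A) = |Pr_K[A = 1 on a CTR keystream] - Pr[A = 1 on random]|,
    each probability estimated over `trials` fresh keys / fresh random strings."""
    rng = random.Random(seed)
    ones_ctr = ones_rand = 0
    for _ in range(trials):
        E = make_toy_permutation(rng.getrandbits(64))
        ones_ctr += distinguisher(ctr_keystream(E, rng.getrandbits(N), sigma))
        ones_rand += distinguisher([rng.getrandbits(N) for _ in range(sigma)])
    return abs(ones_ctr - ones_rand) / trials


if __name__ == "__main__":
    sigma = 48
    lo, hi = birthday_bounds(sigma)
    print(f"sigma={sigma}, n={N}: bounds {lo:.3f} .. {hi:.3f}, "
          f"empirical advantage {estimate_advantage(sigma, 800):.3f}")
```

The CTR side never produces a collision, whatever the key, so the measured advantage is simply the collision rate of the random strings, which lands between the two birthday bounds; this is exactly why no permutation-based counter mode can beat the birthday bound.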

  12. Our Work: New Encryption Mode
      CENC: Cipher-based ENCryption
      Beyond the birthday bound security without breaking the advantages of CTR.

  13. The Basic Idea
      • Convert $E_K(\cdot)$ into a function.
      • $G_K(x) = E_K(x \| 0) \oplus E_K(x \| 1)$, $x \in \{0,1\}^{n-1}$ (Lucks '00, Bellare and Impagliazzo '99)
      Figure: $x \| 0$ and $x \| 1$ are each encrypted under $E_K$, and the two outputs are XORed to give $G(x)$.

  14. CENC Parameters
      • Blockcipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
      • Nonce length: $\ell_{\mathrm{nonce}}$ bits, $\ell_{\mathrm{nonce}} < n$
      • Frame width: $w$

  15. Keystream Generation Part of CENC
      Figure: the CTR keystream diagram (ctr, inc per block, $E_K$ per block) as the starting point; the outputs are not yet labelled.

  16. Keystream Generation Part of CENC
      Figure: one $E_K$ output is taken aside as the mask $L$ and XORed into a following output.
      • $L$: mask

  17. Keystream Generation Part of CENC
      Figure: the mask $L$ is XORed with each of the next $E_K$ outputs, giving $S_0, S_1, S_2, \dots$; the $w$ blocks obtained from one mask form one frame.
      • $w$: frame width, default: $w = 2^8 = 256$

  18. Keystream Generation Part of CENC
      Figure: two frames drawn with eight $E_K$ calls; in each frame the first counter value is encrypted to give the mask $L$ and the next three encryptions are each XORed with $L$, giving $S_0, S_1, S_2$ and $S_3, S_4, S_5$.

  19. Keystream Generation Part of CENC
      Figure: the two-frame keystream diagram as on the previous slide, with the initial counter value derived from the nonce.
      • $N$: nonce, $\mathrm{ctr} \leftarrow N \| 0 \cdots 0$
      • default: $|N| = \ell_{\mathrm{nonce}} = n/2$

  20. Encryption Algorithm of CENC
      Figure: $N \| 0 \cdots 0$ is loaded into ctr; the keystream blocks $S_0, \dots, S_5$ are generated as on the previous slides, and each message block is XORed with its keystream block: $C_i = M_i \oplus S_i$ for $i = 0, \dots, 5$.
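The keystream generation and encryption of slides 13 to 20 as working code. This is an added example written for this page, not code from the slides or from Iwata's paper. The blockcipher is again a seeded permutation table standing in for $E_K$ (constructed for the demo; CENC proper is meant to run on a real blockcipher such as AES with $n = 128$); the names `CENC`, `keystream`, `blockcipher_calls` and the nonce-reuse and counter-range checks are this example's own additions. The class also counts the $E_K$ calls made per message, which is the cost the talk discusses later ($w + 1$ calls per frame of $w$ blocks).

```python
import random
from typing import Callable, List

BlockCipher = Callable[[int], int]   # E_K as a map on n-bit blocks, blocks held as ints


def make_toy_permutation(key: int, n: int) -> BlockCipher:
    """Stand-in for E_K: a key-seeded permutation table on n-bit blocks.
    Constructed for the demo; in CENC proper E is a real blockcipher (AES, n = 128)."""
    table = list(range(1 << n))
    random.Random(key).shuffle(table)
    return table.__getitem__


class NonceReuseError(Exception):
    """Raised when a nonce is used to encrypt twice (slide 22: A must not repeat a nonce)."""


class CENC:
    """Keystream generation and encryption of CENC as drawn on slides 15-20.

    ctr <- N || 0...0 with |N| = l_nonce < n. For every frame of w keystream
    blocks, E_K is called w + 1 times: the first call on the current counter
    gives the mask L, and each of the next w calls is XORed with L:
        S_i = L xor E_K(ctr + 1 + i),  i = 0, ..., w - 1.
    Encryption and decryption are C = M xor S and M = C xor S.
    """

    def __init__(self, E: BlockCipher, n: int, l_nonce: int, w: int):
        if not (0 < l_nonce < n and w >= 1):
            raise ValueError("need 0 < l_nonce < n and w >= 1")
        self.E, self.n, self.l_nonce, self.w = E, n, l_nonce, w
        self.calls = 0                 # E_K invocations made by the last keystream() call
        self._used_nonces = set()

    def _E(self, x: int) -> int:
        self.calls += 1
        return self.E(x)

    def keystream(self, nonce: int, m: int) -> List[int]:
        """Return the m keystream blocks S_0, ..., S_{m-1} for this nonce."""
        if not 0 <= nonce < (1 << self.l_nonce):
            raise ValueError("nonce must be an l_nonce-bit value")
        frames = -(-m // self.w)       # ceil(m / w): one mask per (possibly partial) frame
        # All counter values must stay inside this nonce's range so that two
        # nonces never share a counter (added check; the slides do not state it).
        if m + frames > (1 << (self.n - self.l_nonce)):
            raise ValueError("message too long for the counter space under one nonce")
        ctr = nonce << (self.n - self.l_nonce)   # ctr <- N || 0...0
        self.calls = 0
        S: List[int] = []
        while len(S) < m:
            L = self._E(ctr)                     # mask for this frame
            ctr += 1
            for _ in range(min(self.w, m - len(S))):
                S.append(L ^ self._E(ctr))       # S_i = L xor E_K(ctr)
                ctr += 1
        return S

    def encrypt(self, nonce: int, M: List[int]) -> List[int]:
        if nonce in self._used_nonces:
            raise NonceReuseError(f"nonce {nonce:#x} already used")
        self._used_nonces.add(nonce)
        return [mi ^ si for mi, si in zip(M, self.keystream(nonce, len(M)))]

    def decrypt(self, nonce: int, C: List[int]) -> List[int]:
        return [ci ^ si for ci, si in zip(C, self.keystream(nonce, len(C)))]


def blockcipher_calls(m: int, w: int) -> int:
    """w + 1 calls per w keystream blocks, i.e. m + ceil(m / w) calls for m blocks
    (versus m calls for CTR)."""
    return m + -(-m // w)


if __name__ == "__main__":
    # Constructed demo parameters: n = 16, l_nonce = 8, w = 4 (the talk's default is w = 256).
    cenc = CENC(make_toy_permutation(3, 16), n=16, l_nonce=8, w=4)
    M = [0x1234, 0xBEEF, 0x0000, 0xFFFF, 0x0001]
    C = cenc.encrypt(0x2A, M)
    print("ciphertext:", [f"{c:04x}" for c in C], "E_K calls:", cenc.calls)
    print("decrypts correctly:", cenc.decrypt(0x2A, C) == M)
```

With $w = 256$ the counter reads `blockcipher_calls(256, 256) == 257`, matching the cost figure quoted later in the talk, and a message of 96 or fewer blocks (1.5 KB at $n = 128$) costs exactly one call more than CTR.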

  21. Advantages of CENC
      ⊲ provable security: beyond the birthday bound
      • security proofs with the standard PRP assumption
      ⊲ highly efficient: small cost
      • single blockcipher key
      • fully parallelizable
      • allows precomputation of keystream
      • allows random access

  22. Indistinguishability from Random Strings
      Figure: $A$ interacts with either the encryption oracle $\mathrm{CENC}_K(\cdot)$ (query $(N, M)$, reply $C = \mathrm{CENC}_K(N, M)$) or the random string oracle $R(\cdot)$ (query $(N', M')$, reply $C'$ = random string). $A$ must not repeat a nonce.
      $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \stackrel{\mathrm{def}}{=} \left|\, \Pr_K\bigl(A^{\mathrm{CENC}_K(\cdot,\cdot)} = 1\bigr) - \Pr_R\bigl(A^{R(\cdot,\cdot)} = 1\bigr) \,\right|$

  23. Security Definition for $E$ (PRP, LR '88)
      Figure: $B$ interacts with either the blockcipher oracle $E_K(\cdot)$ (query $X$, reply $Y = E_K(X)$) or the random permutation oracle $P(\cdot)$ (query $X'$, reply $Y' = P(X')$).
      $\mathrm{Adv}^{\mathrm{prp}}_{E}(B) \stackrel{\mathrm{def}}{=} \left|\, \Pr_K\bigl(B^{E_K(\cdot)} = 1\bigr) - \Pr_P\bigl(B^{P(\cdot)} = 1\bigr) \,\right|$

  24. Theorem
      If there exists $A$ against CENC such that:
      • at most $q$ queries, and
      • at most $\sigma$ blocks,
      then there exists $B$ against $E$ such that:
      • $\mathrm{time}(B) = \mathrm{time}(A) + O(n \hat{\sigma} w)$,
      • at most $(w+1)\hat{\sigma}/w$ queries, and
      • $\mathrm{Adv}^{\mathrm{prp}}_{E}(B) \ge \mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) - \dfrac{w \hat{\sigma}^3}{2^{2n-3}} - \dfrac{w \hat{\sigma}}{2^n}$,
      where $\hat{\sigma} = \sigma + qw$.

  25. Interpretation
      • CENC is secure up to $2^{82}$ blocks (AES, $w = 2^8$).
        ⊲ CTR is secure up to $2^{64}$ blocks.
      If we encrypt $\sigma \le 2^{n/2}$ blocks,
      • $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le \dfrac{w \hat{\sigma}^3}{2^{2n-3}} + \dfrac{w \hat{\sigma}}{2^n} \le \dfrac{2 w \hat{\sigma}}{2^n}$
        ⊲ $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le \dfrac{0.5\,\sigma^2}{2^n}$
        ($w$: constant, $\hat{\sigma} \approx \sigma$)
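A check of the two headline numbers on this slide against the bounds stated on slides 10 and 24. This is an added example, not code from the talk: it evaluates the CENC bound $w\hat{\sigma}^3/2^{2n-3} + w\hat{\sigma}/2^n$ and the CTR birthday bound $0.5\,\sigma(\sigma-1)/2^n$ exactly with rational arithmetic, and finds by binary search the number of blocks at which each bound reaches 1. With the AES parameters $n = 128$, $w = 2^8$ and $\hat{\sigma} \approx \sigma$ (treated here as a single block count) the crossover points come out at about $2^{81.7}$ and $2^{64.5}$, i.e. the slide's $2^{82}$ and $2^{64}$.

```python
from fractions import Fraction
from math import log2
from typing import Callable


def cenc_bound(sigma_hat: int, n: int, w: int) -> Fraction:
    """Privacy bound from the theorem on slide 24, as an exact rational:
    w * sigma_hat^3 / 2^(2n-3) + w * sigma_hat / 2^n   (sigma_hat = sigma + q*w)."""
    return Fraction(w * sigma_hat ** 3, 2 ** (2 * n - 3)) + Fraction(w * sigma_hat, 2 ** n)


def ctr_bound(sigma: int, n: int) -> Fraction:
    """Birthday bound of CTR from slide 10: 0.5 * sigma * (sigma - 1) / 2^n."""
    return Fraction(sigma * (sigma - 1), 2 ** (n + 1))


def blocks_before_bound_hits_one(bound: Callable[[int], Fraction], n: int) -> int:
    """Largest sigma in [1, 2^n] with bound(sigma) < 1, found by binary search;
    both bounds above are increasing in sigma, so the search is valid."""
    lo, hi = 1, 1 << n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if bound(mid) < 1:
            lo = mid
        else:
            hi = mid - 1
    return lo


def security_limits_log2(n: int = 128, w: int = 256):
    """Return (log2 of the CENC limit, log2 of the CTR limit) for block size n and
    frame width w. With AES parameters this gives about 81.7 and 64.5, which the
    slide rounds to 2^82 and 2^64."""
    cenc = blocks_before_bound_hits_one(lambda s: cenc_bound(s, n, w), n)
    ctr = blocks_before_bound_hits_one(lambda s: ctr_bound(s, n), n)
    return log2(cenc), log2(ctr)


if __name__ == "__main__":
    c, t = security_limits_log2()
    print(f"CENC (AES, w=256): bound reaches 1 near 2^{c:.2f} blocks; CTR: near 2^{t:.2f}")
    print("CENC bound at the CTR limit 2^64:", float(cenc_bound(2 ** 64, 128, 256)))
```

The second print shows why the gap matters in practice: at $2^{64}$ blocks, where the CTR bound is already about one half, the CENC bound is still on the order of $2^{-53}$.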

  26. Cost for the Security Improvement
      $w + 1$ blockcipher calls for $w$ blocks of keystream
      • 257 calls to encrypt 256 blocks (default: $w = 2^8$)
        ⊲ The cost is $1/257 = 0.4\%$ compared to CTR.
      • 1 frame is $w$ blocks, which is 4 KBytes.
        ⊲ 99.9% of the Internet traffic is less than 1.5 KBytes.
        ⊲ The cost is one blockcipher call compared to CTR.

  27. New Authenticated-Encryption Mode
      CHM: CENC with Hash-based MAC
      • CENC for privacy.
      • Hash-based MAC (Wegman-Carter MAC) for authenticity.
      • Beyond the birthday bound security.
      • Similar to GCM by McGrew & Viega.

  28. Open Question
      ⊲ The security bound of CTR is tight.
        • $\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le 0.5\,\sigma(\sigma-1)/2^n$
        • $\exists A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) > 0.3\,\sigma(\sigma-1)/2^n$
      For CENC: $\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le w \hat{\sigma}^3/2^{2n-3} + w \hat{\sigma}/2^n$
      ⊲ Improve the security bound
      ⊲ Attack with $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) > \Omega\bigl(w \hat{\sigma}^3/2^{2n-3} + w \hat{\sigma}/2^n\bigr)$

  29. Conjecture
      The security bound can be improved:
      $\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le O(w \hat{\sigma}/2^n)$

  30. Conclusion
      • New encryption mode, CENC
      • New AE mode, CHM
      • beyond the birthday bound security
      Questions? Tetsu Iwata, iwata@cis.ibaraki.ac.jp
