New Blockcipher Modes of Operation with Beyond the Birthday Bound Security
Tetsu Iwata, Ibaraki University
March 17, 2006
Fast Software Encryption, FSE 2006, Graz, Austria, March 15–17, 2006
Blockcipher Modes
Algorithms, based on blockciphers, that provide
• privacy (encryption mode)
• authenticity (MAC)
• privacy and authenticity (AE mode)
• · · ·
Known Encryption Modes
• CTR
• CBC
• OFB
• CFB
• ECB
• · · ·
CTR
[Diagram: a counter ctr is incremented step by step (inc); each counter value is fed to $E_K$, producing the keystream blocks $S_0, S_1, \ldots, S_7$.]
• $S = (S_0, S_1, \ldots, S_7)$: keystream
• Encryption: $C = M \oplus S$
• Decryption: $M = C \oplus S$
Advantages of CTR
• provable security
  ⊲ security proofs with the standard PRP assumption
• highly efficient
  ⊲ single blockcipher key
  ⊲ fully parallelizable
  ⊲ allows precomputation of keystream
  ⊲ allows random access
Security Definition
• “Indistinguishability from random strings” (Rogaway, Bellare, Black, Krovetz, ’03)
• Scenario: adaptive chosen plaintext attack
• Goal: to distinguish between
  ⊲ “real ciphertext”
  ⊲ “truly random string” (of the same length as the ciphertext)
Keystream Generation Part of CTR
[Diagram: ctr → inc → inc → · · ·; each counter value enters $E_K$, giving $S_0, S_1, \ldots, S_7$.]
$S_i \neq S_j$ since $E_K(\cdot)$ is a permutation.
Keystream Generation Part of CTR
• If $S = (S_0, \ldots, S_{\sigma-1})$ is the keystream of CTR, $\Pr(S_i = S_j) = 0$.
• If $S = (S_0, \ldots, S_{\sigma-1})$ is a truly random string,
  $0.3\,\sigma(\sigma-1)/2^n \le \Pr(S_i = S_j) \le 0.5\,\sigma(\sigma-1)/2^n$
  ($n$: length of $S_i$ in bits, the block size of $E$)
Keystream Generation Part of CTR
• For any $A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le 0.5\,\sigma(\sigma-1)/2^n$. (Birthday Bound)
• There exists $A$ s.t. $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) > 0.3\,\sigma(\sigma-1)/2^n$.
  ⊲ $A$ guesses “random string” if there is a collision.
  ⊲ Otherwise $A$ guesses “ciphertext of CTR.”
Security of CTR
CTR can NOT have beyond the birthday bound security (as long as $E_K(\cdot)$ is a permutation).
Our Work: New Encryption Mode
CENC · · · Cipher-based ENCryption
Beyond the birthday bound security without breaking the advantages of CTR.
The Basic Idea
• Convert $E_K(\cdot)$ into a function.
• $G_K(x) = E_K(x \| 0) \oplus E_K(x \| 1)$, $x \in \{0,1\}^{n-1}$ (Lucks ’00, Bellare and Impagliazzo ’99)
[Diagram: $x\|0$ and $x\|1$ are each fed to $E_K$; the two outputs are XORed to give $G(x)$.]
CENC Parameters
• Blockcipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
• Nonce length: $\ell_{\mathrm{nonce}}$ bits, $\ell_{\mathrm{nonce}} < n$
• Frame width: $w$
Keystream Generation Part of CENC
[Diagram, built up over five slides: ctr → inc → inc → · · ·; each counter value enters $E_K$. Within a frame, the first $E_K$ output is the mask $L$, and each of the next $w$ outputs is XORed with $L$ to give $S_0, S_1, \ldots, S_{w-1}$; the following frame starts with a fresh mask from the next counter value.]
• $L$: mask
• $w$: frame width ($w$ blocks = 1 frame), default: $w = 2^8 = 256$
• $N$: nonce, $\mathrm{ctr} \leftarrow N \| 0 \cdots 0$
• default: $|N| = \ell_{\mathrm{nonce}} = n/2$
Encryption Algorithm of CENC
[Diagram: $N \| 0 \cdots 0$ initializes ctr; the keystream blocks $S_0, \ldots, S_5$ are generated as on the previous slide (one mask $L$ per frame), and each message block is XORed with its keystream block: $C_i = M_i \oplus S_i$.]
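The keystream generation of slides 15–19 and the encryption of slide 20, as an added example (not code from the talk or from any CENC implementation). The blockcipher $E_K$ is a constructed stand-in: a keyed Feistel permutation built from SHA-256, chosen only so the example runs offline; it is a permutation, which is what the CTR collision argument on slides 8–9 relies on, but it is not AES.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def inc(ctr: bytes, delta: int = 1) -> bytes:
    # counter increment modulo 2^n, n = 8 * len(ctr) bits (the "inc" boxes)
    n = len(ctr)
    return ((int.from_bytes(ctr, "big") + delta) % (1 << (8 * n))).to_bytes(n, "big")

def feistel_perm(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for E_K: keyed 4-round Feistel network with
    # SHA-256 as round function. It is a permutation on the block (so
    # S_i != S_j as on slide 8) but it is NOT AES; swap in a real cipher.
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:half]
        left, right = right, xor(left, f)
    return left + right

def ctr_keystream(E, key, nonce, nblocks, n_bytes=16):
    # CTR (slide 5): S_i = E_K(ctr + i); every block is a distinct output
    ctr = nonce + bytes(n_bytes - len(nonce))       # ctr <- N || 0...0
    return [E(key, inc(ctr, i)) for i in range(nblocks)]

def cenc_keystream(E, key, nonce, nblocks, n_bytes=16, w=256):
    # CENC (slides 15-19): each frame spends w+1 calls; the first output is
    # the mask L, the next w outputs are XORed with L to give S_0..S_{w-1}.
    ctr = nonce + bytes(n_bytes - len(nonce))       # ctr <- N || 0...0
    out = []
    while len(out) < nblocks:
        L = E(key, ctr)                             # mask for this frame
        for i in range(1, w + 1):
            if len(out) == nblocks:
                break
            out.append(xor(E(key, inc(ctr, i)), L)) # S = E_K(ctr+i) xor L
        ctr = inc(ctr, w + 1)                       # advance to next frame
    return out

def cenc_crypt(key, nonce, data, n_bytes=16, w=256):
    # C = M xor S and M = C xor S (slide 20): one function for both directions
    nblocks = -(-len(data) // n_bytes)              # ceil(len / n_bytes)
    ks = b"".join(cenc_keystream(feistel_perm, key, nonce, nblocks, n_bytes, w))
    return xor(data, ks[: len(data)])
```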
Advantages of CENC
⊲ provable security — beyond the birthday bound
  • security proofs with the standard PRP assumption
⊲ highly efficient — small cost
  • single blockcipher key
  • fully parallelizable
  • allows precomputation of keystream
  • allows random access
Indistinguishability from Random Strings
[Diagram: the adversary $A$ interacts either with the encryption oracle $\mathrm{CENC}_K(\cdot)$, sending $(N, M)$ and receiving $C = \mathrm{CENC}_K(N, M)$, or with the random string oracle $R(\cdot)$, sending $(N', M')$ and receiving $C' =$ random string.]
• $A$ must not repeat a nonce.
• $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \stackrel{\mathrm{def}}{=} \left| \Pr_K\!\left(A^{\mathrm{CENC}_K(\cdot,\cdot)} = 1\right) - \Pr_R\!\left(A^{R(\cdot,\cdot)} = 1\right) \right|$
Security Definition for $E$ (PRP, LR ’88)
[Diagram: the adversary $B$ interacts either with the blockcipher oracle $E_K(\cdot)$, sending $X$ and receiving $Y = E_K(X)$, or with the random permutation oracle $P(\cdot)$, sending $X'$ and receiving $Y' = P(X')$.]
• $\mathrm{Adv}^{\mathrm{prp}}_{E}(B) \stackrel{\mathrm{def}}{=} \left| \Pr_K\!\left(B^{E_K(\cdot)} = 1\right) - \Pr_P\!\left(B^{P(\cdot)} = 1\right) \right|$
Theorem. If there exists $A$ against CENC such that:
• at most $q$ queries, and
• at most $\sigma$ blocks,
then there exists $B$ against $E$ such that:
• $\mathrm{time}(B) = \mathrm{time}(A) + O(n \hat{\sigma} w)$,
• at most $(w+1)\hat{\sigma}/w$ queries, and
• $\mathrm{Adv}^{\mathrm{prp}}_{E}(B) \ge \mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) - \dfrac{w \hat{\sigma}^3}{2^{2n-3}} - \dfrac{w \hat{\sigma}}{2^n}$,
where $\hat{\sigma} = \sigma + qw$.
Interpretation
• CENC is secure up to $2^{82}$ blocks (AES, $w = 2^8$).
  ⊲ CTR is secure up to $2^{64}$ blocks.
If we encrypt $\sigma \le 2^{n/2}$ blocks,
• $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le \dfrac{w \hat{\sigma}^3}{2^{2n-3}} + \dfrac{w \hat{\sigma}}{2^n} \le \dfrac{2 w \hat{\sigma}}{2^n}$
  ⊲ $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le \dfrac{0.5\,\sigma^2}{2^n}$ ($w$: constant, $\hat{\sigma} \approx \sigma$)
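The two bounds of slides 10 and 24 carried through numerically for AES parameters ($n = 128$, $w = 2^8$), as an added example that is not part of the talk. It evaluates each bound with the slides' own symbols and solves for the number of keystream blocks at which the bound reaches 1, which is where the "$2^{64}$ for CTR versus $2^{82}$ for CENC" headline of slide 25 comes from (the solver returns about $2^{64.5}$ and $2^{81.7}$; the slide rounds). The assumption $q = 1$ (one long query) is mine.

```python
def ctr_bound(sigma: float, q: int, n: int, w: int = 256) -> float:
    # Slide 10: Adv^priv_CTR(A) <= 0.5 * sigma * (sigma - 1) / 2^n
    # (q and w are accepted only so both bounds share one signature)
    return 0.5 * sigma * (sigma - 1) / 2.0 ** n

def cenc_bound(sigma: float, q: int, n: int, w: int = 256) -> float:
    # Slide 24: Adv^priv_CENC(A) <= w*sh^3 / 2^(2n-3) + w*sh / 2^n,
    # with sh = sigma + q*w (sigma-hat)
    sh = sigma + q * w
    return w * sh ** 3 / 2.0 ** (2 * n - 3) + w * sh / 2.0 ** n

def log2_data_limit(bound, n: int, q: int = 1, w: int = 256, iters: int = 60) -> float:
    # Bisection for k with bound(2^k) = 1: log2 of the number of keystream
    # blocks beyond which the bound no longer guarantees anything.
    # Both bounds are increasing in sigma, so bisection on k is sound.
    lo, hi = 0.0, float(n)
    for _ in range(iters):
        mid = (lo + hi) / 2
        if bound(2.0 ** mid, q, n, w) < 1.0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for name, b in (("CTR", ctr_bound), ("CENC", cenc_bound)):
        print(f"{name}: bound reaches 1 at 2^{log2_data_limit(b, 128):.2f} blocks")
```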
Cost for the Security Improvement
$w + 1$ blockcipher calls for $w$ blocks of keystream
• 257 calls to encrypt 256 blocks (default: $w = 2^8$)
  ⊲ The cost is $1/257 = 0.4\%$ compared to CTR.
• 1 frame is $w$ blocks, which is 4 KBytes.
  ⊲ 99.9% of the Internet traffic is less than 1.5 KBytes.
  ⊲ The cost is one blockcipher call compared to CTR.
New Authenticated-Encryption Mode
CHM · · · CENC with Hash-based MAC
• CENC for privacy.
• Hash-based MAC (Wegman-Carter MAC) for authenticity.
• Beyond the birthday bound security.
• Similar to GCM by McGrew & Viega.
Open Question
⊲ The security bound of CTR is tight.
  • $\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) \le 0.5\,\sigma(\sigma-1)/2^n$
  • $\exists A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CTR}}(A) > 0.3\,\sigma(\sigma-1)/2^n$
$\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le w \hat{\sigma}^3/2^{2n-3} + w \hat{\sigma}/2^n$
⊲ Improve the security bound, or
⊲ Attack with $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) > \Omega\!\left(w \hat{\sigma}^3/2^{2n-3} + w \hat{\sigma}/2^n\right)$
Conjecture
The security bound can be improved:
$\forall A$, $\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le O(w \hat{\sigma}/2^n)$
Conclusion
• New encryption mode, CENC
• New AE mode, CHM
• beyond the birthday bound security
Questions?
Tetsu Iwata, iwata@cis.ibaraki.ac.jp