Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizár 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop on Symmetric Key Cryptography This work was partially supported by Microsoft Research D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 1 / 21
“Online Authenticated Encryption” Popular topic � Several definitional works related to online AE (blockwise attacks, CCA definition and online decryption, nonce misuse resistance, streaming channels) Popular target � CAESAR 1st round: 11 + 6 schemes claim online nonce misuse-resistance (or a variant) � New OAE construction presented at DIAC 2016 Repeatedly a point of discussion � Definitional works appearing over a large timespan (2003 - now) � When is an AE scheme online? � When is an AE scheme online and nonce misuse-resistant? D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 2 / 21
“Online Authenticated Encryption” Popular topic � Several definitional works related to online AE (blockwise attacks, CCA definition and online decryption, nonce misuse resistance, streaming channels) Popular target � CAESAR 1st round: 11 + 6 schemes claim online nonce misuse-resistance (or a variant) � New OAE construction presented at DIAC 2016 Repeatedly a point of discussion � Definitional works appearing over a large timespan (2003 - now) � When is an AE scheme online? � When is an AE scheme online and nonce misuse-resistant? D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 2 / 21
Nonce-based AEAD [Rogaway 02] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ N never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv nAE ( A ) = Pr − Pr Π D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21
Nonce-based AEAD [Rogaway 02] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ N never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv nAE ( A ) = Pr − Pr Π � Efficient, good guarantees . . . unless nonces repeat � D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21
Nonce Misuse-Resistant AE [Rogaway, Shrimpton 06] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ ( N , A , M ) never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv MRAE ( A ) = Pr − Pr Π � Only full repetitions of ( N , A , M ) are leaked now, full integrity D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21
Online Authenticated Encryption Functionality Perspective M = 00101110010100101011010111 . . . E K MEM CPU limited indep. of | M | C = 10001111010101000101 . . . time Extremely constrained devices Jitter-sensitive applications Performance-critical applications Latency-sensitive applications D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 4 / 21
Misuse-Resistant Online AE? Onlineness at odds with MRAE security: ◮ MRAE: every bit of C must depend on all bits of M ◮ online AE: can’t wait for all of M to compute C D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 5 / 21
Misuse-Resistant Online AE? Onlineness at odds with MRAE security: ◮ MRAE: every bit of C must depend on all bits of M ◮ online AE: can’t wait for all of M to compute C Fleischmann, Forler, Lucks: Online nonce misuse-resistant AE (OAE) Promise a notion and schemes both ◮ nonce misuse-resistant: retains security in presence of nonce repetition ◮ online: single-pass encryption with O(1) of memory → Call it OAE1 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 5 / 21
Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M 3 M 4 E K C 1 C 2 C 3 C 4 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21
Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M 3 M 4 M 1 M 2 M 3 M 4 π E K A C 1 C 2 C 3 C 4 C 1 C 2 C 3 C 4 ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E with π ← $ OPerm [ n ] D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21
Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M ′ 3 M ′ M 1 M 2 M 3 M 4 4 π E K A C ′ C ′ C 1 C 2 C 3 C 4 C 1 C 2 3 4 ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E with π ← $ OPerm [ n ] OPerm [ n ] set of all φ s.t. φ is length preserving permutation over B n for all X , Y , Y ′ ∈ B n , φ ( X � Y ) and φ ( X , Y ′ ) share prefix of | X | bits D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21
OAE1 [Fleischman,Forler,Lucks 12] A multiple of n AE cipher is a triplet Π = ( K , E , D ) E : K × H × M → { 0 , 1 } ∗ D : K × H × { 0 , 1 } ∗ → B ∗ n ∪ {⊥} with M = B ∗ n and decryptability condition. Assume | C | = | M | + τ . D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 7 / 21
OAE1 [Fleischman,Forler,Lucks 12] A multiple of n AE cipher is a triplet Π = ( K , E , D ) E : K × H × M → { 0 , 1 } ∗ D : K × H × { 0 , 1 } ∗ → B ∗ n ∪ {⊥} with M = B ∗ n and decryptability condition. Assume | C | = | M | + τ . M 1 M 2 M 3 M 4 Privacy OPerm [ n ] + random tag E K H τ + C 1 C 2 C 3 C 4 T Authenticity This should look like This should look like image of online permutation a random string Unforgeability for every H D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 7 / 21
OAE1 Security Notion • for all H do π H ← $ OPerm[ n ] • for all H, M do • K ← $ K R H,M ← $ { 0 , 1 } τ H, M Enc K ( · , · ) π H ( · ) � R H,M A C C Dec K ( · , · ) H, C ⊥ ( · , · ) M/ ⊥ ⊥ ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E H , C must not be obtained via previous encryption D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 8 / 21
OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21
OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 find B ∈ B n s.t. 1 LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21
OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21
OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 C 1 C 2 T ∗ LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21
OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 C 1 C 2 T ∗ LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 C 1 C 2 C 3 T return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21
Recommend
More recommend