Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland - PowerPoint PPT Presentation

Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland ASK 2015 30 Sept - 3 Oct Singapore 1/34

Agenda I. The Emergence of Online-AE (OAE) II. Definitions of Security Notions III. Our New Security Definitions(s) and Construction(s) IV. Conclusion 2/34

The emergence of online-AE (OAE) Fleischmann, Forler, Lucks (FFL) McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes. FSE 2012. ( Full version, with Wenzel, retitled “ McOE: A Foolproof On-line Authenticated Encryption Scheme.” Cryptology ePrint report 2011/644 (Nov 2011; Dec 2013) Promised an AE notion & scheme that was • online  single pass encryption with O(1) memory and • misuse resistant  retain security in the presence of nonce-reuse APE Joltik Prøst-APE COBRA ICEPOLE MORUS COPA KIASU Minalpher Prøst-COPA iFeed NORX Artemia ElmD Marble Jambu SHELL STRIBOB Deoxys POET ++AE CBEAM Keyak FFL-security claimed by authors Something like FFL-security claimed by authors original This claimed by others This claimed by others versions 3/34

Today The FFL definition (“OAE 1 ”) has several issues. What does it say ? What’s problematic with what it says? What should a definition for online-AE say? 1) If we want it to be as nonce-reuse misuse-resistant as possible 2) If we don’t care about nonce-reuse misuse resistance This talk is based on the following paper: Viet Tung Hoang, Reza Reyhanitabar, Phillip Rogaway, Damian Vizár: “Online Authenticated-Encryption and its Nonce-Reuse Misuse- Resistance”, CRYPTO 2015 4/34

Both being online and being nonce-reuse secure are good aims M = 00101110101101111010111101111000001110011000101 … time memory E K C = 101111010101000111010110111000110101011 … 5/34

All-in-one definition [Rogaway, Shrimpton 2006]. Builds on a sequence nAE: Definition of work beginning with [Bellare-Rogaway 2000, Katz-Yung 2000 ] N, A, M K ( ,, ) E $ (  ,  ,  ) C C A M ^ ^ (  ,  ,  ) K ( ,, ) D N, A, C - Pr[ A $ ^  1 ] nae E D ( A ) = Pr[ A K K  1 ] Adv P A may not - Repeat an N in an Enc query - Ask a Dec query ( N, A, C ) after C is returned by an ( N , A ,  ) Enc query 6/34

nAE: Assumptions N, A, M K ( ,, ) E $ (  ,  ,  ) C C A M ^ ^ (  ,  ,  ) K ( ,, ) D N, A, C 1. Atomicity of M 2. Atomicity of C 3. OK to demand non-repeating N 7/34

MRAE: Misuse-Resistant AE [Rogaway, Shrimpton 2006] N, A, M K ( ,, ) E $ (  ,  ,  ) C C A M ^ ^ (  ,  ,  ) K ( ,, ) D N, A, C mrae - Pr[ A $ ^  1 ] E D Adv ( A ) = Pr[ A K K  1 ] P - Repeat an Enc( N , A , M ) query A may not: - Ask Dec( N, A, C ) after C is returned by an Enc( N , A ,  ) query If N repeats: - authenticity is undamaged - privacy is damaged to the extent that’s unavoidable MRAE schemes can’t be online 8/34

SIV construction satisfies MRAE [Rogaway and Shrimpton: Eurocrypt 2006] ... A 1 A m M ... E K 2 f K 1 IV C 9/34

MRAE CAESAR candidates that satisfy MRAE : • AES-CMCC • HS 1 -SIV • Joltik v1.3 (has an MRAE mode) • Deoxys v1.3 (has an MRAE mode) 10/34

“robust - AE” (RAE) [Hoang, Krovetz, Rogaway: Eurocrypt 2014] RAE is a traditional AE notion, with atomic M and C. What is new compared to MRAE is only that the user supplies t , and it can be arbitrary. M CAESAR candidate AEZ satisfy RAE K t N E A t C 11/34

Online ciphers [Bellare, Boldyreva, Knudsen, Namprempre 2001] Fix some n . Let B n = { 0,1 } n = all possible blocks. M 1 M 2 M 3 M 4 M 5 * Let B n = all strings of blocks. E K * * A multiple-of- n cipher is a map E : K  B n  B n where E ( K ,  ) is a length-preserving permutation for C 2 C 3 C 5 C 1 C 4 each K  K . OPerm[ n ] = all multiple-of- n ciphers p where the i- th block of p ( X ) depends only on the first i blocks of X . Good online cipher : multiple-of- n cipher E where E ( K ,  ) is indistinguisable from p ↞ OPerm[ n ] 12/34

FFL’s syntax for AE Fix some n . A multiple-of- n AE scheme is a triple P = ( K , E , D ) with E : K  H  M  { 0,1 } * D : K  H  { 0,1 } *  M ^ * with M = B n and the decryptability condition. M E K H C t Assume | C |=| M |+ t 13/34

FFL definition: OAE1 M 1 M 2 M 3 M 4 M 5 Privacy (corrected from FFL) E K H C 1 C 2 C 3 C 4 C 5 T t This part is like a This part is like an online cipher for each H bunch of random bits +Authenticity Unforgeability 14/34

FFL definition: OAE1 Def : a multiple-of- n AE scheme P is OAE1-secure if A Adv oae1 ( A ) = Pr[ A Left  1] – Pr[ A Right  1] P Not allowed to ask Dec( H , C ) after Enc( H , M ) returns C is “small” for “reasonable” adversaries A . 15/34

OAE1 is weak: the “trivial attack” • LCP[ n ]: C i only depends on K , H , M 1 · · · M i C = E ( K , H , M ) • Want to decrypt • Assume: an oracle that encrypts with K, H Enc Eg: n = 1 0 m =| C | encryption Enc M 1 0 queries to recover M Enc M 2 M 1 0 In general, m ( 2 n - 1 ) n … queries to recover M • OAE1 is quite insecure for small n • Crucial to identify n when speaking of security 16/34

Like the “BEAST” attack OAE1 is weak: the CPSS attack of [Duong, Rizzo 2011] Assume LCP[ n ] (say n =128) 0 120 P S S 128 bits 0 120 E K S B C 0 112 S S 1 128 bits 128 bits chosen-prefix/secret-suffix 0 112 S S 1 B (any byte string) (want to learn it) 17/34

But the real problem isn’t these attacks. It’s a failure to capture the underlying goal. M 1 M 2 M 3 M 4 M 5 1. Blocksize n should be a user-selectable value, not a scheme-dependent constant. It arises from a resource constraint of a user. It E K H shouldn’t be related to an implementing technology. 2. Security needs to be defined for strings of C 1 C 2 C 3 C 4 C 5 T all lengths, not just multiples-of- n. Saying one will pad begs the question. 3. Decryption too should be online How useful is it to have online-encryption if the receiver has to buffer the entire ciphertext? 4. The reference object is not ideal. Why an online cipher followed by random bits? We could do better with a different reference object. 18/34

Towards OAE2 [Tsang, Solomakhin, Smith 2009] [Bertoni, Daemen, Peeters,Van Assche 2010/2012] User-selectable segmentation M M 4 K N M 1 M 2 M 3 E .next E .init E .next E .next E .last t t t t C 1 C 2 C 3 C 4 C 19/34

Towards OAE2 User-selectable segmentation M M 4 K N M 1 M 2 M 3 E .next E .init E .next E .next E .last t t t t K N C 1 C 2 C 3 C 4 D .init D .next D .next D .next D .last M 1 M 2 M 3 M 4 20/34

Towards OAE2 User-selectable segmentation M M 4 K N M 1 M 2 M 3 E .next E .init E .next E .next E .last ~ K N C 1 C 2 C 3 C 4 D .init D .next D .next D .next D .last ^ M 1 M 2 ^ 21/34

Towards OAE2 User-selectable segmentation A 4 A 1 A 2 A 3 M 4 K N M 1 M 2 M 3 E .next E .init E .next E .next E .last A 1 A 2 A 3 A 4 K N C 1 C 2 C 3 C 4 D .init D .next D .next D .next D .last M 1 M 2 M 3 M 4 22/34

Towards OAE2 Syntax Def : A segmented-AE scheme is a tuple P =( K , E , D ) where K is a distribution on strings and E = ( E .init, E .next, E .last) and D =( D .init, D .next, D .last) are triples of deterministic algorithms: E .init: K  N  S D .init: K  N  S E .next: S  A  M  C  S D .next: S  A  C  M  S ^ E .last: S  A  M  C D .last: S  A  C  M ^ A = M = C =, * N , * 23/34

Formulating security OAE2 : basic notion: best-possible security even if nonces get reused. • dOAE : intermediate notion adapted from “ Dupexing the Sponge” paper • of [Bertoni, Daemen, Peeters, Van Assche 2010/2012] • nOAE : weakening: equivalent in the cases that nonces are not reused. Can ask anything of the encryption oracle except OAE2 ( N , A , M ) then ( N , A , M ) strength Can ask anything of the encryption oracle except dOAE ( N , A , M || M ) then ( N , A , M || M ’ ) Can ask anything of the encryption oracle except nOAE ( N , A , M ) then ( N , A ’ , M ’ ) 24/34

Towards OAE2 Ideal behavior N M 1 M 2 M 3 M 4 ’ f N , M 1 (  ) f N , M 1 , M 2 , M 3 (  ) f N (  ) f N , M 1 , M 2 (  ) t t t t C 1 C 2 C 3 C 4 Random t -expanding injective function tweaked by the subscript For AD: add in the A i to each subscript 25/34

Towards OAE2 Ideal behavior A 4 A 1 A 2 A 3 N M 1 M 2 M 3 M 4 ’ f N , A 1 , A 2 , A 3 , A 4 , M 1 , M 2 , M 3 (  ) f N , A 1 , A 2 , M 1 (  ) F f N , A 1 (  ) f N , A 1 , A 2 , A 3 , M 1 , M 2 (  ) t t t t C 1 C 2 C 3 C 4 F ↞ IdealOAE[ t ] C F ( N , A , M , d ) 26/34

Formalizing OAE2 The adversary A should be unable to distinguish the green and blue games 27/34

Three formulations of OAE2 Why? • Very different approaches  essentially equivalent definitions • Clarify the extent to which they are equivalent OAE 2a – The definition I just sketched.. Conceptually simplest. Meant to formalize best possible security : fix t and ask how well can you do. OAE 2 b – Tighter definition: model adversary’s ability to ask incremental queries. Grow chains instead of asking vector-valued queries. OAE 2 c – Easiest to work with, measures distance from random bits. Aspirational – only works for “large” t . Illustrates why t ought to be large. 28/34