AE Definition RUP Security RUP Attack on SUNDAE ANYDAE
Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE
Donghoon Chang, Nilanjan Datta, Avijit Dutta, Bart Mennink, Mridul Nandi, Somitra Sanadhya and Ferdinand Sibleyras
Institute for Advancing Intelligence, TCG-CREST, Kolkata
Fast Software Encryption 2020, 26th October, 2020
1 / 30
Outline of the Talk
• Definitions of AE and Security Notion.
• RUP Security.
• INT-RUP Attack on SUNDAE.
• MONDAE: An INT-RUP Secure Variant of SUNDAE.
• ANYDAE: Generic INT-RUP Design.
• TUESDAE: An Optimal Instantiation of ANYDAE.
Goal of Symmetric Cryptography
[Figure: Symmetric Cryptography = Privacy (Enc. Scheme) + Integrity (MAC Scheme), combined into an AE Scheme.]
• Stateful AE (Nonce, Random IV or Arbitrary IV based).
• Stateless AE.
Stateful Authenticated Encryption (AE)
[Figure: Enc. Algorithm E_K takes (N, A, M) and outputs C; Dec. Algorithm D_K takes (N, A, C) and outputs M or ⊥.]
Stateless Authenticated Encryption (AE)
[Figure: the same Enc. Algorithm E_K / Dec. Algorithm D_K interface as on the previous slide, drawn for the stateless case.]
Security of AE
Privacy Requirement (IND-CPA).
[Figure: Real World (Enc. Function E_K) vs. Ideal World (Random Function RF).]
For a secure AE, the distinguishing advantage is negligible.
Security of AE
Integrity Requirement (INT-CTXT).
[Figure: adversary A with access to E_K and D_K.]
A forges if A can produce a non-trivial (N*, A*, C*) tuple such that D_K(N*, A*, C*) = M*.
For a secure AE, the forging advantage is negligible.
Security of AE
An AE scheme is secure in a conventional sense if it achieves IND-CPA and INT-CTXT security.
Release of Unverified Plaintext (RUP) Issue of AE
• Plaintext blocks can only be released after successful verification at the receiver's end.
• But the buffer size at the receiving end is limited. As a result, it might not be able to hold the entire plaintext at once.
• The receiver might have to release the plaintext before verifying.
RUP Security Model
[Figure: the decryption algorithm is split into a plaintext-releasing core D_K: (N, A, C) → M and a verification algorithm V_K: (N, A, C) → ⊤ / ⊥, shown beside the encryption algorithm E_K: (N, A, M) → C.]
RUP Security Model
Security of AE in the RUP model was formalized by Andreeva et al. (ASIACRYPT 2014).
• PA1 / PA2 notion.
• INT-RUP notion.
PA1 Notion.
[Figure: Real World (E_K, D_K) vs. Ideal World (E_K, simulator S with access to the encryption history).]
RUP Security Model
Security of AE in the RUP model was formalized by Andreeva et al. (ASIACRYPT 2014).
• PA1 / PA2 notion.
• INT-RUP notion.
PA2 Notion.
[Figure: Real World (E_K, D_K) vs. Ideal World (E_K, simulator S with access to the encryption history).]
RUP Secure AE
An AE scheme is RUP secure if it achieves IND-CPA, PA1 and INT-RUP security.
Different Variants of RUP Security
Hoang et al. introduced the RAE notion (EUROCRYPT 2015).
• Distinguish AE from a random injective function.
Hoang et al. introduced the RAE sim notion (EUROCRYPT 2015).
• Employs the PA2 notion.
Barwell et al. introduced the SAE notion (IMACC 2015).
• Refinement of RAE for nonce based AE.
Ashur et al. introduced the RUPAE notion (CRYPTO 2017).
• Focuses on nonce based AE.
• PA1 + INT-RUP with the ideal-model decryption being a random function.
Different Variants of RUP Security
• Encode-then-SPRP is known to achieve RAE and RUPAE security.
• Such constructions are two-pass in both encryption and decryption.
• These security notions hold for nonce based AE. Security is void when the nonce is misused.
We need a security model in the RUP scenario which allows:
• Nonce misuse.
• A single-pass decryption feature.
AERUP Security Notion
[Figure: Real World (E_K, D_K, V_K) vs. Ideal World ($, S, ⊥).]
AERUP ⇔ AE + PA1 + INT-RUP.
SUNDAE [Banik et al., FSE 2019]
[Figure: SUNDAE on a = 2 associated-data blocks A1, A2 and m = 2 message blocks M1, M2. The initial block 110^{n−2} is encrypted with E_K; A1, A2 and then M1, M2 are absorbed CBC-MAC-style (the last block of A and of M is padded, and the state is multiplied by 2 if |A2| < n resp. |M2| < n, and by 4 otherwise) to give the tag T; a second chain of E_K calls starting from T produces C1, C2, with the last keystream block truncated (⌊·⌋) to |M2|. Seven E_K calls in total.]
• Deterministic AE.
• Makes a + 2m + 1 BC invocations.
• One of the AE candidates in the NIST Lightweight Cryptography competition.
SUNDAE [Banik et al., FSE 2019]
[Figure: SUNDAE diagram, as on the previous slide.]
• SUNDAE is particularly efficient for short messages.
• State size as small as the block size.
• Offers good implementation characteristics on both lightweight and high-performance platforms.
SUNDAE is not RUP Secure: INT-RUP Insecurity
[Figure: SUNDAE diagram, as on the previous slides.]
1. A makes the query D_K(ε, T1, C1[1]), where T1 = 110^{n−2}, and obtains M1[1].
   A learns E_K(110^{n−2}) = M1[1] ⊕ C1[1].
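The RUP split of decryption into a plaintext-releasing core D_K and a verifier V_K, the a + 2m + 1 block cipher count, and step 1 of the attack above, as an added Python model. This is not the SUNDAE reference implementation or the authors' code: the block cipher is a toy Feistel permutation keyed through SHA-256 standing in for E_K, and the domain-separation details (initial block 110^{n−2} when A and M are both non-empty, 10* padding of a partial last block, multiplication by 2 or 4 in GF(2^128) with the CMAC polynomial, keystream chained from T) are a simplified reading of the slide diagram and are assumptions. The function names are ours.

```python
"""Toy model of a SUNDAE-style deterministic AE in the RUP setting.

Added example; not the SUNDAE reference code. Assumptions (see lead-in):
  * ToyBlockCipher is a 4-round Feistel permutation keyed via SHA-256,
    a stand-in for E_K and not a real cipher;
  * initial block 110^{n-2} when A and M are both non-empty, 10* padding
    of a partial last block, state multiplied by 2 (partial) or 4 (full)
    in GF(2^128) using the CMAC polynomial 0x87;
  * the second pass chains E_K from the tag T to build the keystream.
"""
import hashlib

N = 16  # block size n = 128 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Stand-in for E_K; counts invocations so a + 2m + 1 can be checked."""

    def __init__(self, key: bytes):
        self.key = key
        self.calls = 0

    def _round(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[: N // 2]

    def enc(self, block: bytes) -> bytes:
        assert len(block) == N
        self.calls += 1
        left, right = block[: N // 2], block[N // 2:]
        for rnd in range(4):  # Feistel rounds are invertible, so enc is a permutation
            left, right = right, xor(left, self._round(rnd, right))
        return left + right


def double(block: bytes) -> bytes:
    """Multiplication by x in GF(2^128) with the CMAC polynomial (assumed)."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v ^= 0x87
    return (v & ((1 << 128) - 1)).to_bytes(N, "big")


def blocks(data: bytes) -> list:
    return [data[i:i + N] for i in range(0, len(data), N)]


def _absorb(bc: ToyBlockCipher, state: bytes, data: bytes) -> bytes:
    """CBC-MAC-style absorption of non-empty data, one E_K call per block."""
    parts = blocks(data)
    for blk in parts[:-1]:
        state = bc.enc(xor(state, blk))
    last = parts[-1]
    if len(last) == N:                      # |last| = n: multiply state by 4
        state = double(double(state))
    else:                                   # |last| < n: pad, multiply by 2
        state = double(state)
        last = last + b"\x80" + bytes(N - len(last) - 1)
    return bc.enc(xor(state, last))


def mac(bc: ToyBlockCipher, ad: bytes, msg: bytes) -> bytes:
    """First pass: tag T over (A, M) using a + m + 1 block cipher calls."""
    first = bytes([(0x80 if ad else 0) | (0x40 if msg else 0)]) + bytes(N - 1)
    state = bc.enc(first)                   # E_K(110^{n-2}) when A, M non-empty
    if ad:
        state = _absorb(bc, state, ad)
    if msg:
        state = _absorb(bc, state, msg)
    return state


def _keystream_xor(bc: ToyBlockCipher, t: bytes, data: bytes) -> bytes:
    """Second pass: chain E_K from T and XOR into the blocks; m calls."""
    out, v = b"", t
    for blk in blocks(data):
        v = bc.enc(v)
        out += xor(blk, v[: len(blk)])      # last keystream block truncated
    return out


def encrypt(bc: ToyBlockCipher, ad: bytes, msg: bytes) -> tuple:
    t = mac(bc, ad, msg)
    return t, _keystream_xor(bc, t, msg)


def rup_decrypt(bc: ToyBlockCipher, ad: bytes, t: bytes, c: bytes) -> bytes:
    """D_K core of the RUP model: releases plaintext without verifying.
    The associated data is never consulted on this path."""
    return _keystream_xor(bc, t, c)


def verify(bc: ToyBlockCipher, ad: bytes, t: bytes, c: bytes) -> bool:
    """V_K of the RUP model: recompute the tag over the released plaintext."""
    return mac(bc, ad, rup_decrypt(bc, ad, t, c)) == t


def leak_first_state(bc: ToyBlockCipher, c1: bytes) -> bytes:
    """Step 1 from the slide: D_K(eps, T1, C1[1]) with T1 = 110^{n-2} returns
    M1[1] = C1[1] xor E_K(T1), so M1[1] xor C1[1] equals E_K(110^{n-2}),
    the first internal state of every query with non-empty A and M."""
    t1 = b"\xc0" + bytes(N - 1)             # 110^{n-2}
    m1 = rup_decrypt(bc, b"", t1, c1)
    return xor(m1, c1)


if __name__ == "__main__":
    key = b"\x01" * 16                      # constructed sample key
    bc = ToyBlockCipher(key)
    t, c = encrypt(bc, b"A" * 2 * N, b"M" * 2 * N)
    print("E_K calls for a = m = 2:", bc.calls)
    leaked = leak_first_state(ToyBlockCipher(key), bytes(N))
    print("leak equals E_K(110^{n-2}):", leaked == ToyBlockCipher(key).enc(b"\xc0" + bytes(N - 1)))
```

Because the keystream pass depends only on the tag supplied by the caller, the D_K core happily "decrypts" under an attacker-chosen tag, which is exactly what a receiver that must release plaintext before V_K runs exposes; the model makes that visible as a value the attacker can compute from one unverified decryption query.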