RIV and Resilient Authenticated Encryption
Farzaneh Abed (1), Christian Forler (2), Eik List (1), Stefan Lucks (1), Jakob Wenzel (1)
(1) Bauhaus-Universität Weimar; (2) Hochschule Schmalkalden
Dagstuhl, Jan 10-15, 2016
Section 1: RIV
Dagstuhl, Jan 10-15, 2016 2/19 Bauhaus-Universität Weimar RIV and Resilient AE
What is RIV?
- Nonce-based AE scheme
- Authenticity and privacy in the standard setting
- Derived from SIV
- Robust:
  - Full authenticity + DAE-privacy under nonce re-use (like SIV)
  - Preserves its security properties under release of unverified plaintexts (unlike SIV)
- Provably secure, assuming only that the AES is secure
- Inverse-free
- Efficient instantiation (pseudo-dot-product hashing + AES)
Recent Definitions for “Robustness”
- Boldyreva et al.’13: Studied the effects of multiple distinguishable error messages in probabilistic or stateful schemes.
- Andreeva et al.’14: Captured the remaining security under release of unverified plaintexts (RUP).
- Hoang et al.’15: Defined robust AE (RAE) as a notion for the best achievable security of an AE scheme with a user-chosen ciphertext expansion.
- Badertscher et al.’15: Investigated RAE with the frameworks by Maurer and Renner.
- Barwell et al.’15: Defined subtle AE as a reference framework for the other notions. Models leakage beyond that of the invalid plaintext; allows modelling leakage as a property of the decryption implementation rather than of the scheme.
Previous Robust AE Schemes
Four CAESAR candidates:
- Julius [Bahack]: no 2nd-round CAESAR candidate
- POET [Abed et al.]: on-line
- APE [Andreeva et al.]: on-line
- AEZ [Hoang et al.]: “proof-then-prune” (see below)
Beyond CAESAR:
- Mr. Monster Burrito [Bertoni et al.’14]
- Protected IV [Shrimpton and Terashima’13]
- OleF [Bhaumik and Nandi’15]: on-line
- mCPFB [Chakraborti et al.’15]: on-line, rate-3/4
- sp-AELM [Agrawal et al.’15]: on-line encryption, off-line decryption
Theoretically, any secure STPRP can be transformed into a robust AE scheme using Encode-then-Encipher [Hoang et al.’14].
“Prove” – AEZ, as Proven Secure
Black boxes: block ciphers
[Figure: AEZ as proven secure. Inputs: first 2m message blocks M_1, M'_1, …, M_m, M'_m and the last 2 blocks M_{m+1}, M'_{m+1}; intermediate values X_1, …, X_m, S, Y_1, …, Y_m; outputs C_1, C'_1, …, C_m, C'_m, C_{m+1}, C'_{m+1}.]
“Then Prune” – The Proposed Instantiation of AEZ
Except for two calls, all block-cipher invocations are replaced by 4-round AES.
[Figure: the same AEZ diagram with the block ciphers replaced by 4-round AES. Inputs: first 2m message blocks M_1, M'_1, …, M_m, M'_m and the last 2 blocks M_{m+1}, M'_{m+1}; outputs C_1, C'_1, …, C_m, C'_m, C_{m+1}, C'_{m+1}.]
“Deterministic AE” with SIV (Rogaway and Shrimpton’06)
H/N: Header and nonce; M: Message; C/T: Ciphertext (with tag)
[Figure: SIV. (H/N, M) → PRF → T; T serves as the IV of CTR over M → C.]
- Secure against nonce-respecting adversaries
- Maximum resilience to nonce reuse
- Off-line
- No resilience to RUP (≈ one-time pad used twice)
RIV: SIV with one more round
H/N: Header and nonce; M: Message; C/T: Ciphertext (with tag); zero: constant 0^n
[Figure: RIV. Inputs zero, H/N, M; PRF-1 → R; CTR keyed by R over M → C; PRF-2 over (H/N, C) → T.]
- Same properties as SIV
- Except for: maximum resilience to RUP
RIV: Ideas for Security Proof
Security up to the birthday bound
- Chosen plaintext (H/N, M): PRF-1 will produce a random R for every new query (H/N, M)
  → C and T are random
- Chosen (H/N, T, C): PRF-2 will produce a random R for every new (H/N, C)
  For old (H/N, C) the value T must be new – and thus R
  → M is random, and
  → Output of PRF-1 will not match
[Figure: RIV diagram with zero, H/N, M, PRF-1, R, CTR, PRF-2, T, C.]
Instantiation of RIV
Based on AES-128
PRFs: Encode-Hash-Encrypt:
- Unique encoding for inputs
- Apply CLHASH, a multi-stage universal hash function
- Feed the result into the block cipher
Encryption: AES in CTR mode
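The SIV and RIV constructions from the preceding slides side by side, as an added example that is not the authors' code. It stands in HMAC-SHA256 for the slides' CLHASH + AES PRFs and for AES-CTR (an assumption, chosen so the script runs with the standard library only), uses a constructed length-prefixed unique encoding in place of the Encode step, and models the slides' `zero` constant as a domain-separation byte (also an assumption). `rup_experiment` flips bits of C while keeping T and reports what each scheme's unverified plaintext reveals: SIV decrypts under the unchanged IV T, so the output is M ⊕ Δ (the "one-time pad used twice" of the SIV slide), whereas RIV derives a fresh R from (H/N, C, T), so its output is unrelated to M and verification fails in both cases.

```python
# Added example (not from the slides): SIV vs. RIV under release of
# unverified plaintexts (RUP). Assumptions: HMAC-SHA256 replaces the
# CLHASH+AES PRFs and the AES-CTR keystream; the encoding is constructed;
# the slides' "zero" input is modelled as a domain-separation byte.
import hashlib
import hmac
import os

BLOCK = 16  # n = 128-bit IV and tag


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode(domain: int, *parts: bytes) -> bytes:
    """Unique (prefix-free) encoding: 1 domain byte, then each part
    length-prefixed with 4 bytes. Constructed; not CLHASH's real encoding."""
    out = bytes([domain])
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return out


def prf(key: bytes, domain: int, *parts: bytes) -> bytes:
    """n-bit PRF standing in for Encode-Hash-Encrypt."""
    return hmac.new(key, encode(domain, *parts), hashlib.sha256).digest()[:BLOCK]


def ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter mode keyed by iv: keystream block i = PRF(key, iv || i).
    As with AES-CTR, the same (key, iv) always yields the same keystream."""
    out = b""
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        out += xor(data[i:i + BLOCK], ks)
    return out


# --- SIV: T = PRF(H/N, M); C = CTR_T(M) -----------------------------------
def siv_encrypt(k1, k2, hn, m):
    t = prf(k1, 0, hn, m)
    return ctr(k2, t, m), t


def siv_decrypt_unverified(k1, k2, hn, c, t):
    """Returns (plaintext, valid). Under RUP the plaintext is released
    even when valid is False."""
    m = ctr(k2, t, c)                       # IV is T, unchanged by edits to C
    return m, hmac.compare_digest(prf(k1, 0, hn, m), t)


# --- RIV: R = PRF1(H/N, M); C = CTR_R(M); T = PRF2(H/N, C) xor R ----------
def riv_encrypt(k1, k2, k3, hn, m):
    r = prf(k1, 0, hn, m)
    c = ctr(k3, r, m)
    t = xor(prf(k2, 1, hn, c), r)
    return c, t


def riv_decrypt_unverified(k1, k2, k3, hn, c, t):
    r = xor(prf(k2, 1, hn, c), t)           # fresh R for every new (H/N, C, T)
    m = ctr(k3, r, c)
    return m, hmac.compare_digest(prf(k1, 0, hn, m), r)


def rup_experiment(msg: bytes, delta: bytes) -> dict:
    """Flip bits of C with `delta` (padded to len(msg)) but keep T, and
    report whether the unverified plaintext equals msg xor delta."""
    delta = delta.ljust(len(msg), b"\0")[:len(msg)]
    k1, k2, k3 = (os.urandom(16) for _ in range(3))
    hn = b"header|nonce"                    # constructed H/N
    c, t = siv_encrypt(k1, k2, hn, msg)
    m_siv, ok_siv = siv_decrypt_unverified(k1, k2, hn, xor(c, delta), t)
    c, t = riv_encrypt(k1, k2, k3, hn, msg)
    m_riv, ok_riv = riv_decrypt_unverified(k1, k2, k3, hn, xor(c, delta), t)
    return {
        "siv_valid": ok_siv,
        "siv_leaks": m_siv == xor(msg, delta),   # keystream reused under T
        "riv_valid": ok_riv,
        "riv_leaks": m_riv == xor(msg, delta),   # R changed: fresh keystream
    }


if __name__ == "__main__":
    print(rup_experiment(b"attack at dawn, 0600", b"\x01"))
```

The only structural difference between the two decryption routines is where the CTR IV comes from: SIV takes it straight from the tag, so an edited ciphertext is decrypted under the original keystream, while RIV recomputes it from PRF-2 over the received (H/N, C) and T, which is the "one more round" the RIV slide adds.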