Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014
Outline
- Authenticated Encryption (AE)
- Generic AE composition
- Dedicated AE schemes
  - nonce-based AE
  - nonce misuse resistant AE
- Further challenges
- CAESAR AE competition

AE Security Goal: Confidentiality + Authenticity
Confidentiality: Encryption Scheme
[Figure: Alice and Bob share a key K. Alice sends C = Enc_K(M), e.g. C = 1001…10; Bob recovers M = Dec_K(C).]

Confidentiality ≠ Authenticity
[Figure: Eve replaces the ciphertext on the channel by C' = 1011…10; Bob decrypts C' to some M' ≠ M and does not notice.]

Authenticity: Message Authentication Code (MAC)
[Figure: Alice sends (M, T) with T = MAC_K(M); Bob recomputes T' = MAC_K(M) and accepts M only if T' = T.]

Main Question: How to combine Encryption and MAC in a secure way (Confidentiality + Authenticity)?
Generic Composition [BN'00]
1. Encrypt-and-MAC: C ← Enc_K1(M), T ← MAC_K2(M); output (C, T). Insecure in general (the tag is a function of M alone and may leak it).
2. MAC-then-Encrypt: T ← MAC_K2(M), C ← Enc_K1(M || T); output C. Insecure in general (an IND-CPA Enc need not protect the integrity of C).
3. Encrypt-then-MAC: C ← Enc_K1(M), T ← MAC_K2(C); output (C, T). Secure.
Caveat: careful with interpretations!
Conventional Encryption
Enc = (Kg, Enc, Dec)
- Key generation: K ←$ Kg
- Encryption: (st, C) ←$ Enc_K(st, M) (randomized or stateful)
- Decryption: M ← Dec_K(st, C) (deterministic)
- Correctness: Dec_K(Enc_K(M)) = M
- Indistinguishability ($IND-CPA): for each chosen M the adversary receives either the real (st, C) from Enc_K or |st, C| uniformly random bits, and must not be able to tell the two worlds apart.

MAC
MAC = (Kg, MAC, Verify)
- Key generation: K ←$ Kg
- Authentication: T ← MAC_K(M) (any)
- Verification: 1/0 ← Verify_K(M, T) (deterministic)
- Correctness: Verify_K(M, MAC_K(M)) = 1
- Unforgeability: the adversary obtains T ← MAC_K(M) for messages M of its choice and outputs (M', T'); it wins if Verify_K(M', T') = 1, with M' ≠ M for all queried M (weak) or (M', T') ≠ (M, T) for all queried pairs (strong).
Generic Composition [BN'00]
IND-CPA Enc + unforgeable MAC
- AE secure: Encrypt-then-MAC
- Off-the-shelf schemes: Enc (CBC, CTR, ...) + MAC (CBC-MAC, HMAC, PMAC, ...)
Caveat: careful with interpretations!
A. Enc is often run with badly or externally generated random st or IV
B. st or IV is communicated out-of-band
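Encrypt-and-MAC versus Encrypt-then-MAC, as an added Go example (not code from the talk): AES-CTR with a random in-band IV for Enc, HMAC-SHA256 for the MAC, and two independent keys. The keys, the message and the 16-byte IV size are constructed assumptions of the example. Encrypt-and-MAC computes the tag over M, so two encryptions of the same message carry the same tag and Eve learns that the plaintexts are equal; Encrypt-then-MAC computes the tag over IV || C (so the in-band IV of caveat B is covered) and verifies it in constant time before any decryption happens.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadTag is what the receiver returns instead of a plaintext.
var ErrBadTag = errors.New("authentication failed")

// ctrXOR runs AES-CTR under key with a 16-byte IV; the same call encrypts
// and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(blk, iv).XORKeyStream(out, in)
	return out
}

// tag is the MAC: HMAC-SHA256 over data under the independent MAC key.
func tag(macKey, data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}

// freshIV draws the random IV (the "environment" of the talk, not Enc).
func freshIV() []byte {
	iv := make([]byte, 16)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// EncryptAndMAC: C = Enc_K1(M), T = MAC_K2(M), output (IV, C, T).
// T is a deterministic function of M, so it leaks plaintext equality.
func EncryptAndMAC(encKey, macKey, msg []byte) (iv, c, t []byte) {
	iv = freshIV()
	return iv, ctrXOR(encKey, iv, msg), tag(macKey, msg)
}

// EncryptThenMAC: C = Enc_K1(M), T = MAC_K2(IV || C), output (IV, C, T).
// The tag covers the in-band IV and the already-randomised ciphertext.
func EncryptThenMAC(encKey, macKey, msg []byte) (iv, c, t []byte) {
	iv = freshIV()
	c = ctrXOR(encKey, iv, msg)
	return iv, c, tag(macKey, append(append([]byte{}, iv...), c...))
}

// DecryptEtM checks the tag (constant time) before touching the ciphertext;
// on failure nothing about M is computed or released.
func DecryptEtM(encKey, macKey, iv, c, t []byte) ([]byte, error) {
	if !hmac.Equal(tag(macKey, append(append([]byte{}, iv...), c...)), t) {
		return nil, ErrBadTag
	}
	return ctrXOR(encKey, iv, c), nil
}

// EandMTagsRepeat reports whether two Encrypt-and-MAC encryptions of the
// same message are recognisable as such from their tags alone.
func EandMTagsRepeat(encKey, macKey, msg []byte) bool {
	_, _, t1 := EncryptAndMAC(encKey, macKey, msg)
	_, _, t2 := EncryptAndMAC(encKey, macKey, msg)
	return bytes.Equal(t1, t2)
}

// EtMTagsRepeat does the same for Encrypt-then-MAC; with a fresh IV the
// ciphertexts, and therefore the tags, differ.
func EtMTagsRepeat(encKey, macKey, msg []byte) bool {
	_, _, t1 := EncryptThenMAC(encKey, macKey, msg)
	_, _, t2 := EncryptThenMAC(encKey, macKey, msg)
	return bytes.Equal(t1, t2)
}

// EtMRejectsTampering flips one ciphertext bit, as Eve did on the slide,
// and reports whether the receiver refuses it.
func EtMRejectsTampering(encKey, macKey, msg []byte) bool {
	iv, c, t := EncryptThenMAC(encKey, macKey, msg)
	c[0] ^= 0x01
	_, err := DecryptEtM(encKey, macKey, iv, c, t)
	return errors.Is(err, ErrBadTag)
}

func main() {
	// Constructed sample keys and message (assumptions of the example).
	encKey := bytes.Repeat([]byte{0x11}, 16)
	macKey := bytes.Repeat([]byte{0x22}, 32)
	msg := []byte("transfer 100 EUR to account 42")
	fmt.Println("Encrypt-and-MAC, equal messages give equal tags:", EandMTagsRepeat(encKey, macKey, msg))
	fmt.Println("Encrypt-then-MAC, equal messages give equal tags:", EtMTagsRepeat(encKey, macKey, msg))
	fmt.Println("Encrypt-then-MAC rejects a flipped bit:", EtMRejectsTampering(encKey, macKey, msg))
}
```

The MAC-then-Encrypt case is not shown because its generic failure depends on the particular Enc (a CBC padding oracle is the classic instance); the two variants above already show the point of the slide: the tag must be a function of the randomised ciphertext, including its IV, and must be checked before decryption.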
A: Random IV Encryption
Enc = (Kg, Enc, Dec)
- Key generation: K ←$ Kg
- Encryption: (IV, C) ← Enc_K(IV, M) (deterministic given IV; the IV is drawn IV ←$ by the environment)
- Decryption: M ← Dec_K(IV, C) (deterministic)
- Correctness: Dec_K(IV, Enc_K(IV, M)) = M
Fix A: the environment, not Enc, selects the IV. B: the IV is still in-band.
- Indistinguishability ($IND-CPA): for each chosen M a fresh IV ←$ is sampled, and the adversary receives either the real (IV, C) from Enc_K or |IV, C| random bits.

Nonce IV
- N: nonce IV
- Not required to be random
- Unique, non-repeating value
- Can be communicated out of band
- Theoretically: a way to move the IV (randomness/state) out of the Enc algorithm
- Practically: ease of use
Nonce-based Encryption Scheme
Enc = (Kg, Enc, Dec)
- Key generation: K ←$ Kg
- Encryption: C ← Enc_K(N, M) (deterministic)
- Decryption: M ← Dec_K(N, C) (deterministic)
- Correctness: Dec_K(N, Enc_K(N, M)) = M
Fix A: the adversary can select N. Fix B: N may be communicated out-of-band.
- Indistinguishability ($IND-CPA, nonce-respecting adversary, i.e. no N is queried twice): for each chosen (N, M) the adversary receives either C ← Enc_K(N, M) or |C| random bits.
Generic Composition Reconsidered [NRS'14]
Build nonce-based AE from
1. IV-Enc + MAC (SIV)
2. N-Enc + MAC
Generic composition disadvantages:
- Efficiency: 2 passes over the data
- Use of 2 keys
- Prone to misuse with conventional Enc schemes

Other Ways to Build AE Schemes?
1. Generic AE composition + off-the-shelf primitives (2 passes, 2 keys)
2. Dedicated AE scheme (AE designed from scratch)
3. Something in between (state of the art)
Dedicated AE Prior to CAESAR

Building block   Nonce-dependent AE security            Nonce-independent AE security
Block cipher     IAPM*'00, OCB*'01, XECB*'01, CCM'03,   SIV'06, BTM'09, McOE-G'11,
                 GCM'04, OTR*'14, CLOC'14               POET'14, COPA'13
Permutation      SpongeWrap'11, Ketje&Keyak'14,         APE'14
                 NORX'14

* hold a patent
AE Syntax
AE = (Kg, E, D)
- Key generation: K ←$ Kg
- Encryption: C ← E_K(A, N, M) (deterministic)
- Decryption: M/⊥ ← D_K(A, N, C) (deterministic)
- Correctness: D_K(A, N, E_K(A, N, M)) = M
[Figure: Alice and Bob share K; Alice sends (A, N, C) with C = E_K(A, N, M); Bob outputs D_K(A, N, C) = M or ⊥.]

AE Confidentiality
- $IND-CPA: for each chosen (N, A, M) the adversary receives either C ← E_K(A, N, M) or |C| random bits.
- Adversary is nonce-respecting.

AE Integrity
- INT-CTXT: the adversary obtains C ← E_K(A, N, M) for chosen (N, A, M) and submits (N, A, C') with C' ≠ C to D_K; it wins if D_K returns M ≠ ⊥.
- The adversary may (but need not) be nonce-respecting.

Nonce-based AE Security (all-in-one)
- Real world: the adversary queries E_K on (N, A, M) and D_K on (N, A, C').
- Ideal world: each encryption query returns |C| random bits and every decryption query (N, A, C') returns ⊥.
- Adversary is nonce-respecting.
Example AE with Block Cipher: OCB [RBBK'01]
[Figure: message blocks M_1 … M_d and the checksum ⊕_{i=1}^{d} M_i. Each M_i is XORed with α_i, passed through AES_K and XORed with α_i again to give C_i; the checksum is masked with β_1, passed through AES_K and masked with β_2 to give the tag T. The masks α_i = f_i(K, N) and β_i = g_i(K, N) depend on the nonce.]
If the block cipher (AES) is an SPRP, OCB is AE secure up to 2^{n/2} queries for non-repeating N.

Example AE with Permutation: SpongeWrap [BDPV'11]
[Figure: sponge with rate r and capacity c, state initialised to 0; (K, N) is absorbed first, then each message block m_i is XORed into the rate and output as c_i after the permutation P (absorbing phase); the tag blocks T_1, T_2 are squeezed at the end.]
If P is an ideal permutation, SpongeWrap is AE secure up to min{2^k, 2^{c/2}} queries for non-repeating N
- the bound follows from the sponge hash indifferentiability proof
- but it is possibly conservative for secret K and non-repeating N
Nonce Misuse Resistant AE
Not all security should be lost if N is misused!

Distinct Nonces
[Figure: three OCB/SpongeWrap calls on (N_1, M_1), (N_2, M_1), (N_3, M_2) produce three unrelated ciphertexts C_1, C_2, C_3.]

Nonce Misuse: Ciphertext Repetitions
What security can be lost?
[Figure: three OCB/SpongeWrap calls on (N_1, M_1), (N_1, M_1), (N_1, M_2) produce C_1, C_1, C_3: the repeated input is visible as a repeated ciphertext.]
- Valid for ALL nonce-respecting AE schemes (E is deterministic)
Nonce Misuse: OCB Ciphertext Block Repetitions
What else can be lost? (OCB loses confidentiality)
[Figure: OCB-Enc of M_1 M_2 … M_d: each block is masked with α_i, encrypted with AES_K and masked with α_i again to give C_i. A second call under the same N encrypts M'_1 M_2 … M_d; the masks α_i are unchanged, so the output is C'_1 C_2 … C_d.]
- If blocks in C repeat (over distinct OCB calls) then blocks in M repeat (OCB, IAPM, XCBC, ...)

Nonce Misuse: SpongeWrap
What else can be lost? (SpongeWrap loses confidentiality)
[Figure: two SpongeWrap calls with the same (K, N) reach the same state after the first P and squeeze the same rate block z_1, so c_1 = m_1 ⊕ z_1 and c'_1 = m'_1 ⊕ z_1.]
c_1 ⊕ c'_1 = m_1 ⊕ m'_1
What to Do against Nonce Misuse?
Not all security should be lost if N is misused!
1. Security up to repetitions: the ciphertext leaks only the presence of repeating Ms
   MAX: SIV, BTM, HBS, but two passes over the data
2. Security up to longest common prefix: the ciphertext leaks only the presence of common M prefixes
   LCP: McOE-G, COPA, APE, POET
   LCP + X: SpongeWrap
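The nonce-reuse leak from the OCB and SpongeWrap slides, and the SIV-style answer of point 1 above, as an added Go example (not code from the talk). The leak is shown on AES-GCM from the Go standard library, whose encryption layer is CTR mode: with a repeated nonce the keystream repeats and C_1 ⊕ C_2 = M_1 ⊕ M_2, the same relation as c_1 ⊕ c'_1 = m_1 ⊕ m'_1 on the SpongeWrap slide. The misuse-resistant side is a simplified two-pass SIV in which HMAC-SHA256 stands in for the S2V/CMAC of the real scheme (an assumption of the example, as are the keys, nonces and messages): pass one derives the IV as a PRF of (N, A, M), pass two encrypts with CTR under that IV. Equal (N, M) still gives equal output, which the slide notes is unavoidable for any deterministic AE, but distinct messages under the same nonce no longer satisfy the XOR relation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func newAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// gcmBody returns only the ciphertext part of AES-GCM's output; Seal appends
// the 16-byte tag after it.
func gcmBody(key, nonce, msg []byte) []byte {
	g, err := cipher.NewGCM(newAES(key))
	if err != nil {
		panic(err)
	}
	return g.Seal(nil, nonce, msg, nil)[:len(msg)]
}

// GCMXorLeak reports whether C1 ⊕ C2 = M1 ⊕ M2 for two equal-length messages
// encrypted under the same key with nonces n1 and n2: true on nonce reuse,
// false (with overwhelming probability) for distinct nonces.
func GCMXorLeak(key, n1, n2, m1, m2 []byte) bool {
	c1 := gcmBody(key, n1, m1)
	c2 := gcmBody(key, n2, m2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(m1, m2))
}

// sivEncrypt is a simplified SIV (assumption: HMAC-SHA256 truncated to one
// AES block replaces S2V). Pass 1: IV = PRF_K1(N, A, M) over length-prefixed
// fields; pass 2: C = CTR_K2(IV, M). Output (IV, C); the IV doubles as tag.
func sivEncrypt(macKey, encKey, nonce, ad, msg []byte) (iv, c []byte) {
	h := hmac.New(sha256.New, macKey)
	for _, f := range [][]byte{nonce, ad, msg} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		h.Write(l[:])
		h.Write(f)
	}
	iv = h.Sum(nil)[:16]
	c = make([]byte, len(msg))
	cipher.NewCTR(newAES(encKey), iv).XORKeyStream(c, msg)
	return iv, c
}

// SIVUnderNonceReuse encrypts m1 twice and m2 once under the same nonce and
// returns (sameInputRepeats, xorLeak): the repeated (N, M1) is visible as an
// identical (IV, C), but C1 ⊕ C2 = M1 ⊕ M2 does not hold because the IVs,
// and hence the CTR keystreams, differ.
func SIVUnderNonceReuse(macKey, encKey, nonce, m1, m2 []byte) (bool, bool) {
	iv1, c1 := sivEncrypt(macKey, encKey, nonce, nil, m1)
	iv1b, c1b := sivEncrypt(macKey, encKey, nonce, nil, m1)
	_, c2 := sivEncrypt(macKey, encKey, nonce, nil, m2)
	repeats := bytes.Equal(iv1, iv1b) && bytes.Equal(c1, c1b)
	leak := bytes.Equal(xorBytes(c1, c2), xorBytes(m1, m2))
	return repeats, leak
}

func main() {
	// Constructed keys, nonces and messages (assumptions of the example).
	key := bytes.Repeat([]byte{0x42}, 16)
	macKey := bytes.Repeat([]byte{0x24}, 32)
	n1 := bytes.Repeat([]byte{0x01}, 12)
	n2 := bytes.Repeat([]byte{0x02}, 12)
	m1 := []byte("attack at dawn!!")
	m2 := []byte("retreat at noon!")
	fmt.Println("GCM, same nonce, C1^C2 == M1^M2:", GCMXorLeak(key, n1, n1, m1, m2))
	fmt.Println("GCM, distinct nonces, C1^C2 == M1^M2:", GCMXorLeak(key, n1, n2, m1, m2))
	rep, leak := SIVUnderNonceReuse(macKey, key, n1, m1, m2)
	fmt.Println("SIV, same nonce: (N,M) repeat visible:", rep, " XOR leak:", leak)
}
```

The price of the SIV side is exactly what point 1 states: the whole message is read once for the PRF and once for CTR, so the scheme cannot be online.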
Nonce Misuse Resistance via Online Ciphers
1. Online cipher + authentication [BBKN'01, FFLW'12]
   → nonce misuse resistant (nmr) AE scheme, secure up to common-prefix repetitions

Regular vs Online Ciphers
- Normally in a cipher each ciphertext block c_i depends on the whole input m_1 m_2 m_3 m_4.
- Online cipher: c_i depends only on m_1 … m_i
  - more efficient
  - different security (IND from a random online permutation)
COPA [ABLMY'13]
Nonce Misuse Resistant AE
- nmr
- online
- parallelizable
[Figure: blocks M_1 … M_d and the checksum ⊕_{i=1}^{d} M_i. Each M_i is masked with 2^{i-1} α_0 and encrypted with E_K; the first-layer outputs are chained into a second layer of E_K calls whose outputs are masked with 2^{i-1} α_1 to give C_i; the checksum block uses the masks β_1 and β_2 and gives the tag T.]
L = E_K(0), α_0 = 3L and α_1 = 2L, β_1 = 2^{d-1}·3^2·L and β_2 = 2^{d-1}·7L

COPA Security Proof
[Figure: the same structure seen as two layers of XEX calls on M_1 … M_d and the checksum, with implicit ⊕ masks α_i = 2^{i-1}·3L, giving C_1 … C_d and T.]
If E is an SPRP, COPA is AE secure up to 2^{n/2} queries.

APE [ABLMNY'14]
Nonce Misuse Resistant AE
- nmr
- online
- RUP secure
[Figure: sponge with rate r (initially 0) and capacity c (initially K); each m_i is XORed into the rate and the rate after P is output as c_i; the final capacity is XORed with K to give the tag T.]
If P is an ideal permutation, APE is AE secure up to 2^{c/2} queries.
Further Security Pitfalls in AE
What if the attacker gets decryptions of C before verification completes?
RUP: Release of Unverified Plaintext [ABLMNY'14]
- Scenarios: insecure memory, small buffer, real-time requirements
- Not in current AE security models!

AE Syntax under RUP
- Separate the AE decryption D into Dec and Verify (this is how AE schemes are designed)
- (C, T) ← E_K(A, N, M)
- M ← Dec_K(A, N, C, T)
- 1/0 ← Verify_K(A, N, C, T)
- Correctness: Dec_K(A, N, E_K(A, N, M)) = M and Verify_K(A, N, E_K(A, N, M)) = 1

RUP Confidentiality
- $IND-CPA + PA1
- Plaintext awareness (PA1): the adversary with access to E_K and the real Dec_K must be indistinguishable from the adversary with access to E_K and an Extractor that answers the Dec queries without K, i.e. the unverified plaintext reveals nothing the adversary could not compute itself.
- Adversary can choose any nonce

RUP Integrity
- Int-RUP: the adversary queries E_K on (N, A, M) to obtain (C, T), queries the unverified Dec_K on (N, A, C, T) to obtain M, and submits (N, A, C', T') to Verify_K; it wins if Verify_K returns 1.
- Adversary can choose any nonce
Security of AE Schemes under RUP

IV type    Scheme                  PA1
Random     CTR, CBC encryption     Yes
           OCB                     No
Nonce      GCM, SpongeWrap         No
           CCM                     No
           COPA                    No
Arbitrary  McOE-G                  No
           APE                     Yes
           SIV, BTM, HBS           Yes
           Encode-then-Encipher    Yes
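The RUP syntax and the "adversary can choose any nonce" condition, as an added Go example (not code from the talk or from the RUP paper). It builds a nonce-based AE from AES-CTR and HMAC-SHA256 (Encrypt-then-MAC; the keys, the 16-byte nonce used directly as the CTR counter block and the messages are constructed assumptions) and exposes decryption both as one D that verifies first and as the split Dec/Verify pair. Against the split interface the adversary picks a nonce N, asks Dec for the "plaintext" of an all-zero ciphertext under N before any honest encryption (no valid tag is needed), obtains exactly the CTR keystream for N, and later reads an honest ciphertext sent under that N without the key. That is a Dec query no extractor can answer without K, which is why CTR-based nonce schemes such as GCM and CCM sit in the "No" rows of the table. The combined D returns ⊥ for the same query.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ctrXOR runs AES-CTR under key, using the 16-byte nonce N directly as the
// initial counter block (assumption of this example).
func ctrXOR(key, nonce, in []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, in)
	return out
}

// macTag = HMAC_K2 over length-prefixed A, N and C.
func macTag(macKey, ad, nonce, c []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	for _, f := range [][]byte{ad, nonce, c} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		h.Write(l[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// E: (C, T) ← E_K(A, N, M), Encrypt-then-MAC with CTR and HMAC.
func E(encKey, macKey, ad, nonce, msg []byte) (c, t []byte) {
	c = ctrXOR(encKey, nonce, msg)
	return c, macTag(macKey, ad, nonce, c)
}

// Dec: M ← Dec_K(A, N, C, T). It releases the plaintext without looking at
// A or T; this is the unverified-plaintext interface of the RUP syntax.
func Dec(encKey, ad, nonce, c, t []byte) []byte {
	return ctrXOR(encKey, nonce, c)
}

// Verify: 1/0 ← Verify_K(A, N, C, T), compared in constant time.
func Verify(macKey, ad, nonce, c, t []byte) bool {
	return hmac.Equal(macTag(macKey, ad, nonce, c), t)
}

// D is the conventional all-in-one decryption: M, or ⊥ as (nil, false).
func D(encKey, macKey, ad, nonce, c, t []byte) ([]byte, bool) {
	if !Verify(macKey, ad, nonce, c, t) {
		return nil, false
	}
	return Dec(encKey, ad, nonce, c, t), true
}

// RUPKeystreamRecovery plays the adversary against the split interface.
// 1. It chooses N and asks Dec for the "plaintext" of an all-zero ciphertext
//    with a garbage tag; for a CTR-based scheme that is the keystream for N.
// 2. An honest party later encrypts victimMsg under the same N.
// 3. C ⊕ keystream recovers victimMsg without the key and without any
//    further oracle access. Returns whether the recovery succeeded.
func RUPKeystreamRecovery(encKey, macKey, nonce, victimMsg []byte) bool {
	zeros := make([]byte, len(victimMsg))
	keystream := Dec(encKey, nil, nonce, zeros, make([]byte, 32))
	c, _ := E(encKey, macKey, nil, nonce, victimMsg)
	return bytes.Equal(xorBytes(c, keystream), victimMsg)
}

// CombinedDRefuses sends the same forged (C, T) to the all-in-one D, which
// returns ⊥ instead of any plaintext.
func CombinedDRefuses(encKey, macKey, nonce []byte) bool {
	_, ok := D(encKey, macKey, nil, nonce, make([]byte, 16), make([]byte, 32))
	return !ok
}

func main() {
	// Constructed keys, nonce and message (assumptions of the example).
	encKey := bytes.Repeat([]byte{0x33}, 16)
	macKey := bytes.Repeat([]byte{0x44}, 32)
	nonce := bytes.Repeat([]byte{0x05}, 16)
	msg := []byte("meet at the old bridge at 9")
	fmt.Println("split Dec/Verify: victim plaintext recovered:", RUPKeystreamRecovery(encKey, macKey, nonce, msg))
	fmt.Println("all-in-one D refuses the forged query:", CombinedDRefuses(encKey, macKey, nonce))
}
```

Integrity is not the issue here: the HMAC over (A, N, C) still makes forgeries hard even with the Dec oracle. What the split interface destroys is confidentiality (PA1), and only because the adversary controls N; with a random IV that it cannot predict, the same Dec oracle returns a keystream for an IV that no honest encryption will ever use, which is the difference between the "Random" and "Nonce" rows of the table.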