Stronger Security Variants of GCM-SIV
Kazuhiko Minematsu (NEC Corporation)
Joint work with Tetsu Iwata (Nagoya University)
To appear at FSE 2017
Recent Advances in Authenticated Encryption 2016, Kolkata, India
Nonce-Based AE
- Nonce-based authenticated encryption
  - GCM, CCM, OCB, EAX, ...
  - uses a nonce for security
- Repeating the nonce has a critical impact on security
  - Counter-then-MAC (incl. GCM): leaks the plaintext difference
  - For GCM, even the authentication key is leaked, which allows universal forgery
MRAE, SIV, and GCM-SIV
- Nonce-reuse misuse-resistant AE [RS06], MRAE
  - Provides the best possible security even if a nonce is repeated
  - SIV, HBS, BTM, a version of OMD
  - CAESAR candidates (AEZ, HS1-SIV, SCT, ...)
- SIV, Synthetic IV [RS06]
  - A general approach to constructing MRAE
  - Use a PRF to generate the IV (also used as the tag), then use the IV in IV-based encryption

[RS06] Rogaway, P., Shrimpton, T.: A Provable-Security Treatment of the Key-Wrap Problem. EUROCRYPT 2006
MRAE, SIV, and GCM-SIV
(figure: the SIV construction)
- A: associated data (AD)
- M: plaintext
- C: ciphertext
GCM-SIV
- GCM-SIV [GL15]
  - Gueron and Lindell, CCS '15
  - An instantiation of SIV using components from GCM: GHASH, AES-CTR
  - Provable security, O(2^((n-k)/2))
    - Typically n = 128, k = 32 (throughout the talk)
  - Very fast AES-NI implementations
- q: # of enc queries, q': # of dec queries

[GL15] Gueron, S., Lindell, Y.: GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. ACM CCS 2015
GCM-SIV
- Key = (L, K', K)
- H_L(N, A, M) = GHASH_L(A, M) xor N
- N: nonce, n bits
The Security Bound Is Tight
- Attack = counter collision search
  - Fix A and M, make q = 2^((n-k)/2) queries (N_i, A, M) with distinct N_i's
  - For i and j with msb_{n-k}(T_i) = msb_{n-k}(T_j), we observe the same ciphertext
Overview
- GCM-SIV has a stronger security guarantee than GCM, i.e. nonce-misuse resistance
  - A distinguishing attack with q = 2^((n-k)/2) queries is possible: q = 2^48 when k = 32
  - Does not contradict the security claim of the designers
- Does not happen with GCM
  - If |N| = 96, the 96-bit IV is N itself, so there is no collision for encryption
  - Even if |N| is not 96, still OK (see [NMI15])
- Depending on the query length distribution, the security of GCM-SIV can be lower than that of GCM

[NMI15] Niwa, M., Iwata: GCM Security Bounds Reconsidered. FSE 2015
Overview
- Can we design an MRAE scheme with n/2-bit security?
  - Standard birthday bound, O(σ^2/2^n)
    - σ: total length of queries in n-bit blocks
  - There are plenty of examples: SIV, HBS, BTM, ...
  - GCM-SIV1: a minor variant of GCM-SIV achieving the O(σ^2/2^n) bound
    - Not a new design; simply uses the original SIV as it is
- Can we design an MRAE scheme with higher security?
  - GCM-SIV2 with 2n/3-bit security (e.g. 86-bit for n = 128)
  - GCM-SIVr for r >= 3 with rn/(r+1)-bit security
GCM-SIV
(figure: the GCM-SIV construction)

GCM-SIV1
(figure: the GCM-SIV1 construction)
- No truncation
- Full n-bit counter increment (i.e. inc(X) = X + 1 mod 2^n)
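The two design changes above, and the counter-collision observation from the "bound is tight" slide, can be seen in code. The following is an added example written for this page, not code from the talk or from [GL15]: it builds the SIV composition (PRF over GHASH_L(A, M) xor N, tag reused as CTR IV) in pure Python and lets the caller choose between the GCM-SIV-style IV derivation (top n-k bits of the tag, a k-bit counter) and the GCM-SIV1 one (untruncated tag, inc(X) = X + 1 mod 2^n). Two assumptions are labelled in the comments: the blockcipher E is a keyed HMAC stand-in rather than AES (SIV only ever calls E in the forward direction, so nothing needs inverting), and the polynomial hash uses a plain bit ordering, so it is GHASH-like but not bit-compatible with NIST GCM. The truncation model is the slide's abstraction (msb_{n-k}(T) || 0^k), not the exact [GL15] counter format.

```python
import hmac
import hashlib

N = 128               # block size n in bits
K_TRUNC = 32          # k: GCM-SIV truncates the tag by k bits before using it as the CTR IV (slide values)
MASK = (1 << N) - 1
# x^128 + x^7 + x^2 + x + 1 with coefficients in plain big-endian bit order (not GCM's reflected
# order), so polyhash below is GHASH-like but not bit-compatible with NIST GCM (assumption)
POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^128), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return r

def to_blocks(data):
    """Split into 16-byte blocks (zero-padding the last one) as integers."""
    return [int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big") for i in range(0, len(data), 16)]

def polyhash(L, ad, msg):
    """GHASH-style universal hash: Horner evaluation over AD, message, then the bit-length block."""
    h = 0
    for blk in to_blocks(ad) + to_blocks(msg) + [((len(ad) * 8) << 64) | (len(msg) * 8)]:
        h = gf_mul(h ^ blk, L)
    return h

def E(key, x):
    """Stand-in for AES_K (assumption: the stdlib has no AES); SIV only needs the forward direction."""
    return int.from_bytes(hmac.new(key, x.to_bytes(16, "big"), hashlib.sha256).digest()[:16], "big")

def tag(L, Kp, nonce, ad, msg):
    """T = E_K'(GHASH_L(A, M) xor N): the synthetic IV, used as both tag and CTR IV."""
    return E(Kp, polyhash(L, ad, msg) ^ nonce)

def keystream(K, T, nblocks, truncated):
    """truncated=True : GCM-SIV model, IV = msb_{n-k}(T) || 0^k and only the low k bits count
    truncated=False: GCM-SIV1, IV = T and inc(X) = X + 1 mod 2^n"""
    out = b""
    for i in range(nblocks):
        if truncated:
            ctr = (T & ~((1 << K_TRUNC) - 1)) | (i % (1 << K_TRUNC))
        else:
            ctr = (T + i) & MASK
        out += E(K, ctr).to_bytes(16, "big")
    return out

def siv_encrypt(keys, nonce, ad, msg, truncated):
    """Returns (tag, ciphertext); keys = (L, K', K) as on the GCM-SIV slide."""
    L, Kp, K = keys
    T = tag(L, Kp, nonce, ad, msg)
    ks = keystream(K, T, (len(msg) + 15) // 16, truncated)
    return T.to_bytes(16, "big"), bytes(m ^ k for m, k in zip(msg, ks))

def siv_decrypt(keys, nonce, ad, T_bytes, ct, truncated):
    """Decrypt under the tag-derived IV, then recompute the tag; None on mismatch."""
    L, Kp, K = keys
    ks = keystream(K, int.from_bytes(T_bytes, "big"), (len(ct) + 15) // 16, truncated)
    msg = bytes(c ^ k for c, k in zip(ct, ks))
    expected = tag(L, Kp, nonce, ad, msg).to_bytes(16, "big")
    return msg if hmac.compare_digest(expected, T_bytes) else None

def same_keystream_for_msb_collision(K, T, truncated):
    """Two tags equal in their top n-k bits: identical keystream under truncation, distinct without it."""
    return keystream(K, T, 4, truncated) == keystream(K, T ^ 1, 4, truncated)
```

`same_keystream_for_msb_collision` is the mechanism behind the tightness slide: once two tags agree on msb_{n-k}, the truncated IV derivation feeds CTR the same counter blocks, so equal plaintexts under distinct nonces give equal ciphertexts. With the untruncated IV and full-width increment of GCM-SIV1 the same pair of tags yields unrelated keystreams, which is why the bound drops to the standard birthday term in the tag width.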
GCM-SIV1
- Provably secure, n/2-bit security
  - Standard birthday bound
  - Follows from [RS06]
- q: # of queries (sum of enc and dec queries)
- ℓ: max length of a query in n-bit blocks
- σ: # of total plaintext blocks
Comparing security bounds
- For simplicity we assume
  - GCM-SIV MRAE bound: q^2/2^(n-32)
  - GCM AE bound: σ^2/2^n
  - GCM-SIV1 MRAE bound: q^2ℓ/2^n + σ^2/2^n
  - σ/q denotes the "average query length (AVL)"
- We compare the bounds, ignoring the difference between AE and MRAE
Comparing security bounds
- No single winner:
  - GCM is always better than GCM-SIV1
    - Almost no difference when AVL > ℓ^0.5
  - GCM-SIV is better than GCM when 2^16 < AVL
  - GCM-SIV1 is better than GCM-SIV when AVL < (2^32 - ℓ)^0.5
    - Since AVL <= ℓ, the condition is roughly ℓ <= 2^16
  - GCM-SIV is better than GCM and GCM-SIV1 if all queries are 2^32 blocks
    - GCM-SIV keeps 48-bit security, while the others have 32-bit security
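The comparison on the two slides above follows directly from the three simplified bounds. The added example below (written for this page, not from the talk) encodes them with n = 128 and k = 32, computes the "security level" of each scheme as the number of queries at which its bound reaches 1 for a given maximum length ℓ and average length AVL, and ranks the schemes. Since every bound becomes (constant) x q^2 once σ = q x AVL is substituted, the ranking does not depend on q and can be read off at q = 1; the constants are 2^32, AVL^2 and ℓ + AVL^2, which is where the thresholds AVL > 2^16 and AVL < (2^32 - ℓ)^0.5 come from.

```python
from fractions import Fraction

N_BITS = 128
K_BITS = 32   # GCM-SIV's counter truncation (slide values)

def bound_gcm_siv(q, ell, sigma):
    """GCM-SIV MRAE bound from the slide: q^2 / 2^(n-k)."""
    return Fraction(q * q, 2 ** (N_BITS - K_BITS))

def bound_gcm(q, ell, sigma):
    """GCM (nonce-respecting) AE bound from the slide: sigma^2 / 2^n."""
    return Fraction(sigma * sigma, 2 ** N_BITS)

def bound_gcm_siv1(q, ell, sigma):
    """GCM-SIV1 MRAE bound from the slide: q^2 * ell / 2^n + sigma^2 / 2^n."""
    return Fraction(q * q * ell + sigma * sigma, 2 ** N_BITS)

BOUNDS = {"GCM-SIV": bound_gcm_siv, "GCM": bound_gcm, "GCM-SIV1": bound_gcm_siv1}

def security_bits(bound, ell, avl):
    """Smallest b such that the bound reaches 1 at q = 2^b queries of average length avl
    blocks (so sigma = q * avl). Exact rational arithmetic, so no float overflow at 2^128."""
    b = 0
    while bound(2 ** b, ell, 2 ** b * avl) < 1:
        b += 1
    return b

def ranking(ell, avl):
    """Schemes ordered from smallest (best) bound to largest for this length profile.
    With sigma = q * avl every bound is a constant times q^2, so q = 1 suffices."""
    return sorted(BOUNDS, key=lambda name: BOUNDS[name](1, ell, avl))

def summary(ell, avl):
    """Security level of each scheme (in bits of query count) for the given length profile."""
    return {name: security_bits(fn, ell, avl) for name, fn in BOUNDS.items()}
```

`summary(2 ** 32, 2 ** 32)` reproduces the last bullet (48 bits for GCM-SIV, 32 for the other two), `summary(1, 1)` gives the 64-bit birthday level for GCM and GCM-SIV1 against a fixed 48 bits for GCM-SIV, and `ranking` switches from GCM-SIV1-over-GCM-SIV to the reverse exactly as AVL crosses the slide's thresholds.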
Implementation issue
- GCM-SIV1 needs full n-bit arithmetic addition
  - Can degrade performance compared with GCM-SIV (by how much?)
  - Differs from GCM's CTR, so it does not allow using GCM components as is
Beyond the Birthday Bound
- Higher security?
  - Beyond-the-birthday-bound (BBB) security
  - Secure even when σ ~ 2^(n/2)
- Generic approach: doubling the data path and the component
  - Construct a 2n-bit blockcipher (BBB-secure) and plug it into an existing BB-secure scheme (e.g. SIV) defined over 2n-bit blocks
  - Increased implementation cost
  - Also instantiation is non-trivial. Are there any "standard" 256-bit blockciphers?
(figure: SIV[E_K] over the n-bit blockcipher E_K versus SIV[Ẽ_K] over a 2n-bit blockcipher Ẽ_K)
Beyond the Birthday Bound
- Provably-secure transformation of an n-bit BC into a 2n-bit BC:
  - Classical Luby-Rackoff does not work: 3 or 4 Feistel rounds give up to BB security
  - Possible in theory, not really practical (e.g. many Feistel rounds)
- Our approach:
(figure: two independently keyed n-bit instances SIV[E_K1] and SIV[E_K2] combined, versus SIV[E_K])
GCM-SIV2
(figure: the GCM-SIV2 construction)
- Two GCM-SIV1 instances, taking the output sum (in a sense)
- Independently keyed
Proving security
- Game 1: we first focus on the MAC function F2, which takes (N, A, M) -> T
  - Assuming the BCs are random permutations
  - We prove F2's PRF bound
Proving security
- Game 2: we assume F2 is a perfect random function
  - Proving the encryption part's security
  - Since (N, A, M) is unique across encryption queries, the 2n-bit IVs (T[1], T[2]) are uniformly random
  - Similar to the analysis of F2
- Take the sum of the bounds obtained in Games 1 and 2
Analysis of F2
- The proof is based on SUM-ECBC, proposed by Yasuda [Y10] as a BBB-secure MAC (in fact a PRF)
  - Essentially two EMACs with a final addition of the two MAC tags
    - EMAC = Encrypted CBC-MAC
  - Independent keys
  - Already standardized! (ISO 9797-1 algorithm 5)
(figure: two independently keyed EMAC chains over M[1], M[2], M[3], M[4]||pad, one under (K1, K2) and one under (K3, K4), whose outputs are summed into the n-bit tag T)

[Y10] Yasuda, K.: The Sum of CBC MACs Is a Secure PRF. CT-RSA 2010
Analysis of F2
- PRF bound [Y10]: 12ℓ^4 q^3 / 2^(2n)
- Thus 2n/3-bit security (ignoring ℓ)
Analysis of F2
- Generalize SUM-ECBC in two ways:
  - Arbitrary message hashing (not only CBC-MAC) [O12]
    - Universal -> ε-almost universal (ε-AU)
  - 2 output blocks
(figure: two ε-AU hashes H_K1 and H_K2 over M[1], M[2], M[3], M[4]||pad, followed by independently keyed blockcipher finalizations E_K1 ... E_K6, producing the two n-bit outputs T1 and T2)

[O12] Osaki: A Study on Deterministic Symmetric Key Encryption and Authentication. Master's thesis, Nagoya University
The game used for F2
- Game-playing technique
  - [Y10] introduced a game consisting of 4 cases (Case A, B, C, D)
  - We do the same for r = 2, for both T[1] and T[2]
- Case A: (V[1], V[2]) = (new, new)
- Case B: (V[1], V[2]) = (old, new), i.e. V[1] is among the previous E_{K'1} inputs
- Case C: (V[1], V[2]) = (new, old), i.e. V[2] is among the previous E_{K'3} inputs
- Case D: (V[1], V[2]) = (old, old)
Case A
- Let π1 and π2 be the two random permutations for the finalizations of F2
- Let Y(1) and Y(2) be the sets of π1 and π2 outputs that have never appeared before
- y = (y(1), y(2)) is uniform over Y^(2) = Y(1) × Y(2)
(figure: V[1] -> π1 -> y(1) and V[2] -> π2 -> y(2), each n bits, combined into T[1])
Case A
- We need to know when T[1] = π1(V[1]) xor π2(V[2]) is uniform
- Fair set over X = ({0,1}^n)^r [L00]: a subset S of X s.t. |{(s_1, ..., s_r) ∈ S : s_1 ⊕ s_2 ⊕ ... ⊕ s_r = z}| = |S|/2^n for any z
- [L00]: a fair set is constructed by subtracting a set C of size i^r from Y^(r) when r is even
  - i denotes the number of queries done so far
  - For odd r, there exists a set C with |C| = i^r s.t. the union of C and Y^(r) yields a fair set
  - Not necessarily unique; any construction will work
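The fair-set argument for Case A can be checked by brute force at toy sizes. The added example below (written for this page; it is not code from the talk or from [L00]) implements the even-r construction for r = 2: given the i outputs already used by π1 and by π2, it forms Y(1) x Y(2), removes a set C of exactly |A| x |B| (= i^2) pairs, and verifies that the remainder is fair in the sense defined on the slide, i.e. every z in {0,1}^n is the XOR-sum of exactly |S|/2^n pairs, so y(1) xor y(2) is uniform when y is uniform over S. The choice of C follows the counting in the comments (it is one of the "not necessarily unique" constructions the slide mentions) and assumes |A| + |B| <= 2^n; n and the used-output sets in the test are constructed values.

```python
from itertools import product

def xor_sum_counts(S, n):
    """How many tuples of S XOR to each z in {0,1}^n."""
    counts = [0] * (1 << n)
    for tup in S:
        z = 0
        for s in tup:
            z ^= s
        counts[z] += 1
    return counts

def is_fair(S, n):
    """[L00] fairness: every z is the XOR-sum of exactly |S|/2^n tuples of S."""
    S = list(S)
    if len(S) % (1 << n):
        return False
    return all(c == len(S) >> n for c in xor_sum_counts(S, n))

def fresh_outputs(used, n):
    """Y(j): the permutation outputs not yet seen, given the i outputs already used."""
    return [y for y in range(1 << n) if y not in used]

def fair_subset_r2(A, B, n):
    """Even-r construction for r = 2 (assumption: |A| + |B| <= 2^n).
    A = outputs already produced by pi1, B = outputs already produced by pi2.
    For a fixed z, Y(1) x Y(2) holds 2^n - |A| - |B| + |A ∩ (B ⊕ z)| pairs with y1 ⊕ y2 = z;
    deleting exactly |A ∩ (B ⊕ z)| of them for every z leaves each z hit 2^n - |A| - |B| times,
    and the deleted set C has size sum_z |A ∩ (B ⊕ z)| = |A| * |B|."""
    Y1, Y2 = fresh_outputs(A, n), fresh_outputs(B, n)
    excess = [0] * (1 << n)
    for a in A:
        for b in B:
            excess[a ^ b] += 1          # |A ∩ (B ⊕ z)| for z = a ⊕ b
    C = []
    for y1, y2 in product(Y1, Y2):
        if excess[y1 ^ y2] > 0:       # drop pairs until every z has the same surplus removed
            excess[y1 ^ y2] -= 1
            C.append((y1, y2))
    removed = set(C)
    S = [p for p in product(Y1, Y2) if p not in removed]
    return S, C

def case_a_check(A, B, n):
    """Returns (|C|, |S|, fair?) for the constructed fair subset of Y(1) x Y(2)."""
    S, C = fair_subset_r2(A, B, n)
    return len(C), len(S), is_fair(S, n)
```

With n = 4 and three used outputs on each side, `case_a_check` reports |C| = 9 = i^2 and |S| = (2^4 - 3)^2 - 9 = 160, and the remainder is fair although the raw product Y(1) x Y(2) (169 pairs) is not; with no used outputs the full product ({0,1}^n)^2 is already fair and C is empty, which is the i = 0 base case of the argument.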