The Limited Power of Verification Queries in Message Authentication - PowerPoint PPT Presentation

  1. The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption. September 29, 2015. Atul Luykx, Bart Preneel, Kan Yasuda.

  2. Modes of Operation
     [Figure: an AE mode built on top of a primitive: a permutation $p$, a tweakable block cipher $\tilde{E}_K$, a keyed function $F_K$, or a block cipher $E_K$.]
     Examples: Deoxys, AES-OTR, ASCON, OMD.
     Advantage of modes: one can focus on the primitive.
       1. Reduce the security of the AE scheme to that of the underlying primitive.
       2. For AE this is done for both confidentiality and authenticity.

  3. Reduction Loss
       1. The reduction is often not perfect and results in a loss of security.
       2. The loss of security is quantified in terms of parameters.
     Table: Examples of parameters.
       n   block size
       q   number of tagging or encryption queries
       k   key length
       ℓ   maximum message length
       σ   total number of encryption and decryption blocks

  4. Various AE Bounds
     [Figure: the same mode diagram, with primitives $p$, $\tilde{E}_K$, $f$, $E_K$.] Examples: Deoxys, AES-OTR, ASCON, OMD.
     Confidentiality (one entry per scheme): $\frac{\sigma^2}{2^n} + \mathrm{(S)PRP}$, $\;0$, $\;\frac{\sigma^2}{2^n} + \mathrm{PRF}$, $\;\frac{\sigma^2}{2^n}$
     (the $\mathrm{(S)PRP}$ term belongs to the block-cipher-based mode and the $\mathrm{PRF}$ term to the keyed-function-based mode).
     Authenticity: each of the confidentiality bounds above plus $\frac{v}{2^n}$.

  5. Improved Bounds: MAC Message Length
     Much research has gone into reducing the message-length dependence from quadratic to linear for MACs (PMAC, CBC-MAC, EMAC, OMAC, TMAC):
       $\frac{\ell^2 q^2}{2^n} \longrightarrow \frac{\ell q^2}{2^n}$
     $n = 128$, $q = 2^{48}$: $\ell \le 2^{15} \longrightarrow \ell \le 2^{30}$
     $n = 128$, $\ell = 2^{15}$: $q \le 2^{48} \longrightarrow q \le 2^{63}$

  6. Improved Bounds: Permutation Based Modes
     Parameters $(c, n)$ before (old) and after the improved bound, with key length $k$ and security level in bits:

       scheme            k     security   c_old   n_old   c     n      n/n_old
       Ascon             96    96         192     128     96    224    1.75
       Ascon             128   128        256     64      128   192    3
       ICEPOLE           128   128        254     1026    128   1152   1.12
       ICEPOLE           256   256        318     962     256   1024   1.06
       NORX              128   128        192     320     128   384    1.2
       NORX              256   256        384     640     256   768    1.2
       GIBBON/HANUMAN    80    80         159     41      80    120    2.92
       GIBBON/HANUMAN    120   120        239     41      120   160    3.90

  7. Improved security bounds lead to
       1. Better parameter choices
       2. Increased longevity
       3. Increased efficiency
     Despite these advances, there is still a lot of work left.

  8. Authenticity Definition
     [Figure: tagging, $M \to \text{Tag} \to T$; verification, $(M, T) \to \text{Verify} \to M$ or $\bot$.]
     $\mathrm{Auth}(q, v)$: forgery success with $q$ tagging queries and $v$ forgery attempts.

  9. Authenticity Bounds
       $\frac{\sigma^2}{2^n} \longrightarrow \frac{\ell^2 (q+v)^2}{2^n}$
       1. 128-bit block cipher: $\frac{\ell^2 (q+v)^2}{2^{128}}$
       2. Only one-block verification queries ($\ell = 1$, $q = 0$): $\frac{1^2 (0+v)^2}{2^{128}} = \frac{v^2}{2^{128}}$
     Compare $\frac{v^2}{2^{128}}$ vs $\frac{v}{2^{128}}$; for $v = 2^{64}$: $1$ vs $2^{-64}$.

  10. Optimal Bound
      So far only certain types of MACs have an optimal bound:
        1. Nonce-based
        2. Multiple keys
      This excludes PMAC, CBC-MAC, OMAC.
      For AE:
        1. Except for TBC modes, none have optimal bounds.
        2. Generic composition reduces to MAC security → need optimal MACs.

  11. Question
      Why do well-designed schemes exhibit quadratic dependence? Proof techniques.

  12. PRF-based MAC
      [Figure: tagging, $M \to \text{PRF} \to T$; verification, $M \to \text{PRF} \to Y$, check $Y \stackrel{?}{=} T$, output $M$ or $\bot$.]

  13. Generic Reduction
      Best possible generic reduction:
        $\mathrm{Auth}(q, v) \le \frac{v}{2^\tau} + \mathrm{PRF}(q+v)$
        $\mathrm{PRF}(q+v) \in \Omega\!\left(\frac{q^2 + v^2}{2^s}\right)$
      PMAC: $\frac{v}{2^\tau} + \frac{c \cdot \ell (q+v)^2}{2^n}$

  14. PRP-PRF Switch
      PRP-PRF switch: $\frac{0.5\,\sigma^2}{2^n}$
      GCM with nonce length fixed to 96 bits:
        Confidentiality: $\underbrace{\frac{0.5(\sigma+q+1)^2}{2^n}}_{\text{PRP-PRF switch}}$
        Authenticity: $\underbrace{\frac{0.5(\sigma+q+v+1)^2}{2^n}}_{\text{PRP-PRF switch}} + \frac{v(\ell+1)}{2^\tau}$
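The bounds from the Authenticity Bounds, Generic Reduction and PRP-PRF Switch slides, evaluated numerically as an added example (this is not code from the talk or the paper): each bound is a function of the slides' parameters, and `max_verification_queries` finds the largest number of verification queries v that keeps a bound below a target advantage, which makes the quadratic-versus-linear gap in v concrete. The PMAC constant c = 1 and the target advantages are assumptions.

```python
from fractions import Fraction


def quadratic_auth_bound(n, ell, q, v):
    """Authenticity bound with quadratic dependence on v: l^2 (q+v)^2 / 2^n."""
    return Fraction(ell ** 2 * (q + v) ** 2, 2 ** n)


def tag_guess_term(tau, v):
    """The v / 2^tau term of the generic reduction: v guesses at a tau-bit tag."""
    return Fraction(v, 2 ** tau)


def pmac_auth_bound(n, tau, ell, q, v, c=1):
    """PMAC-style bound v/2^tau + c*l*(q+v)^2/2^n; c = 1 is an assumed constant."""
    return tag_guess_term(tau, v) + Fraction(c * ell * (q + v) ** 2, 2 ** n)


def gcm_auth_bound(n, tau, ell, q, v, sigma):
    """GCM (96-bit nonce) authenticity: 0.5(sigma+q+v+1)^2/2^n + v(l+1)/2^tau."""
    switch = Fraction((sigma + q + v + 1) ** 2, 2 * 2 ** n)  # PRP-PRF switch part
    return switch + Fraction(v * (ell + 1), 2 ** tau)


def max_verification_queries(bound, target, hi=2 ** 256):
    """Largest v with bound(v) <= target (binary search; bound is non-decreasing in v)."""
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if bound(mid) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def compare_at(n, v):
    """Quadratic vs linear dependence at one v; v = 2^64, n = 128 gives 1 vs 2^-64."""
    return quadratic_auth_bound(n, 1, 0, v), tag_guess_term(n, v)


if __name__ == "__main__":
    N = 128
    quad, lin = compare_at(N, 2 ** 64)
    print("v = 2^64: quadratic bound", quad, "vs linear bound", lin)
    for name, fn in [("quadratic", lambda v: quadratic_auth_bound(N, 1, 0, v)),
                     ("PMAC-style", lambda v: pmac_auth_bound(N, N, 1, 0, v)),
                     ("tag guessing only", lambda v: tag_guess_term(N, v))]:
        vmax = max_verification_queries(fn, Fraction(1, 2))
        print(f"{name}: advantage below 1/2 up to v = 2^{vmax.bit_length() - 1}")
```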

  15. Summary
        1. Better security bounds improve the longevity and efficiency of schemes.
        2. Many schemes exhibit a quadratic dependence on verification queries.
      Conjecture: all CAESAR modes provably achieve the optimal bound.
      Paper in the works:
        1. Generalizing known techniques, applied to GCM to recover the bound.
        2. Analyzing block-cipher-based modes in detail, applied to PMAC to recover the bound.