The Memory-Tightness of Authenticated Encryption Stefano Tessaro - PowerPoint PPT Presentation

The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger University of Washington CRYPTO 2020

Concrete security theorems: 𝐁𝐞𝐰 resources ≤ 𝜗 1 𝐁𝐞𝐰 0 resources Traditionally: time 𝑢 , data complexity/queries 𝑟 𝐁𝐞𝐰 𝑢, 𝑟 ≤ 𝜗 This work : time 𝑢 , data complexity/queries 𝑟 , memory 𝑇 𝐁𝐞𝐰 𝑢, 𝑟, 𝑇 ≤ 𝜗

Prior work F F o o c c u u s s : : p c u o b n l f i i c d - k e e n c y t i r a y l i p t t y o Time-memory tradeoffs Memory-tight reductions for symmetric encryption [ACFK17, WMHT18, GT20, [TT18, JT19, Dinur20, Bhattacharya20] SS20] This work: Time-memory tradeoffs for (nonce-based) authenticated encryption (AE) Positive results Tl;dr: Negative results

Nonce-based encryption NE=(NE.Kg, NE.Enc, NE.Dec) NE.Kg Security holds only if encryption under distinct nonces 𝐿 𝐿 𝐿 𝑂 𝑂 𝐷 NE.Enc NE.Dec 𝑁/⊥ 𝑁 𝐷 Long line of work on concrete security of nonce-based AE [BR00, RBBK01, R02, RS06 …] Can we extend them to consider memory?

Example : NE.Enc(𝐿, 𝑂, 𝑁) = E 0 𝑂 ⊕ 𝑁 E = 𝑜 -bit block cipher indr = indistinguishability from random ciphertexts Theorem. [JT19 + Dinur20] indr 𝑢, 𝑟, 𝑇 ≤ 𝑇 ⋅ 𝑟 log 𝑟 prp 𝑢, 𝑟, 𝑇 Ad Adv NE + Ad Adv E 2 ! 𝑢 = time, 𝑟 = # encryptions, 𝑇 = memory ! e.g. beyond-birthday security for 𝑇 < 2 " insecure 𝑇 secure Goal : similar results for AE security ? (like GCM [MV04]) 𝑟

Target: combined AE security notion (confidentiality + integrity) Usual proof approach: INDR + CTXT ⇒ AE indistinguishability from ciphertext integrity random ciphertexts ae 𝑢, 𝑟, 𝑇 ≤ Ad indr 𝑢, 𝑟, 𝑇 " + Ad ctxt 𝑢, 𝑟, 𝑇 # ae 𝑢, 𝑟 ≤ Ad indr 𝑢, 𝑟 + Ad ctxt 𝑢, 𝑟 Theorem. Ad Adv NE Adv NE Adv NE Theorem. Ad Adv NE Adv NE Adv NE Wanted: memory-tight reduction [ACFK17] 𝑇 " = 𝑇 # = 𝑇 Unclear! Known reduction is not memory-tight!

NE=(NE.Kg, NE.Enc, NE.Dec) ae 𝑢, 𝑟, 𝑇 ? Ad Adv NE Proc . ENC1(𝑂, 𝑁) Proc . ENC1(𝑂, 𝑁) Proc . ENC0(𝑂, 𝑁) 𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) 𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) 𝐷 ← L 𝑂, 𝐷 ← 𝑁 L 𝑂, 𝐷 ← 𝑁 Return 𝐷 Return 𝐷 Return 𝐷 Proc . DEC1(𝑂, 𝐷) Proc . DEC0(𝑂, 𝐷) Proc . DEC0(𝑂, 𝐷) Return NE.Dec(𝐿, 𝑂, 𝐷) Return L 𝑂, 𝐷 Return L 𝑂, 𝐷 $ NE.Kg $ NE.Kg 𝐿 ← 𝐿 ← indr 𝑢, 𝑟, 𝑇 + 𝑃(𝑟) 👏 ctxt(𝑢, 𝑟, 𝑇) 👎 Adv NE Ad Adv NE Ad

Proc . ENC1(𝑂, 𝑁) Proc . ENC1(𝑂, 𝑁) 𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) 𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) L 𝑂, 𝐷 ← 𝑁 Return 𝐷 Return 𝐷 Proc . DEC0(𝑂, 𝐷) Requires Return L 𝑂, 𝐷 indr memory security proportional to # Proc . DEC0(𝑂, 𝐷) of queries! Return L 𝑂, 𝐷 Proc . ENC0(𝑂, 𝑁) Proc . ENC0(𝑂, 𝑁) 𝐷 ← 𝐷 ← L 𝑂, 𝐷 ← 𝑁 Return 𝐷 Return 𝐷

Our results, in a nutshell 1. Memory-tight reduction and time-memory trade- offs in the channel setting • Typical usage within protocols like TLS • New technique: memory-adaptive reduction 2. Impossibility result for general memory-tight reduction INDR + CTXT ⇒ AE!

Channel setting: motivation AE often used to establish a secure communication channel, as in TLS implicit nonces = counter • ENC 𝐿, 0, 𝑁 $ , ENC 𝐿, 1, 𝑁 " , ⋯ receiver aborts upon the first decryption failure • in-order delivery • Channel setting captures this

The channel setting CH=(CH.Sg, CH.S, CH.R) 𝜏 & 𝜏 % CH.Sg 𝐷 𝑁 𝐷′ 𝑁′ / ⊥ CH.S CH.R 𝜏 % 𝜏 &

The channel setting: correctness CH=(CH.Sg, CH.S, CH.R) 𝜏 & 𝜏 % CH.Sg 𝐷 " 𝑁 " 𝑁 " 𝐷 " CH.S CH.R 𝜏 % 𝜏 & 𝑁 # 𝐷 # 𝐷 # 𝑁 # CH.S CH.R 𝜏 % 𝜏 & 𝑁 ' 𝐷 ' 𝐷 ' 𝑁 ' CH.S CH.R 𝜏 & 𝜏 %

The channel setting: security CH=(CH.Sg, CH.S, CH.R) 𝜏 & 𝜏 % CH.Sg 𝐷 " 𝑁 " 𝑁 " 𝐷 " CH.S CH.R 𝜏 % 𝜏 & 𝑁 # 𝐷 ' 𝐷 # ⊥ CH.S CH.R 𝜏 % 𝜏 & 𝐷 # 𝐷 ' 𝑁 ' ⊥ CH.S CH.R 𝜏 & 𝜏 %

AE security for channels CH=(CH.Sg, CH.S, CH.R) Proc . ENC0(𝑁) Proc . ENC1(𝑁) (𝜏 " , 𝐷) ← CH.S(𝜏 " , 𝑁) 𝐷 ← Enqueue(𝑁, 𝐷) Return 𝐷 Return 𝐷 ch−ae 𝑢, 𝑟, 𝑇 Proc . DEC0(𝐷) Proc . DEC1(𝐷) Adv NE Ad (𝑁 $ , 𝐷 $ ) ← Dequeue() (𝜏 # , 𝑁) ← CH.R(𝜏 # , 𝐷) If sync then Return 𝑁 If 𝐷 = 𝐷 $ then return 𝑁′ sync ← false Return ⊥ $ CH.Sg (𝜏 " , 𝜏 # ) ← sync ← true

Main theorem indistinguishability from random ciphertexts for ciphertext integrity for channels ae security for channels channels Theorem. [this work] ∀ 𝜇 ∈ ℕ ch % indr 𝑢, 𝑟, 3𝑇 + 𝑃(log𝑟 + 𝜇) + 1 ch % ae 𝑢, 𝑟, 𝑇 ≤ Ad ch % ctxt 𝑢, 𝑟, 𝑇 + 2 ⋅ Ad Adv CH Ad Adv CH Adv CH 2 & Memory-tight! New technique: Memory-adaptive reduction

ENC0 ENC1 ENC1 DEC1 DEC0 DEC0 easy next up! ch ( ctxt(𝑢, 𝑟, 𝑇) ch ( indr 𝑢, 𝑟, 3𝑇 + 𝑃 log 𝑟 + 𝜇 + 1 Ad Adv CH 2 ⋅ Ad Adv CH 2 )

Issue : size of queue grows with the number of queries $ {0,1} 𝑐 ← ENC * (𝑁 " ), ENC * 𝑁 # , ENC * 𝑁 ' (𝑁 ! , 𝐷 ! ) 𝐷 " , 𝐷 # , 𝐷 ' (𝑁 " , 𝐷 " ) (𝑁 # , 𝐷 # ) DEC $ 𝐷 " 𝑁 " Queue

Key idea : bounding queue size does not change behavior Example: only store ≤ 2 pairs $ {0,1} 𝑐 ← ENC * (𝑁 " ), ENC * 𝑁 # , ENC * 𝑁 ' (𝑁 ! , 𝐷 ! ) 𝐷 " , 𝐷 # , 𝐷 ' (𝑁 " , 𝐷 " ) DEC $ 𝐷 " , DEC $ 𝐷 # , DEC $ (𝐷 ' ) 𝑁 " , 𝑁 # , ⊥ Adversary had to remember 𝐷 " , 𝐷 # , 𝐷 ' to cause this! Queue Bound queue size to Δ = 2𝑇 + log 𝑟 + 𝜇 bits

Information-theoretic game 𝑀, Δ ∈ ℕ , Δ ≤ 𝑀 $ 0,1 , 𝑆 ← 𝐵 " 𝑗 ≤ 𝑀 − Δ Δ 𝑗 (𝑗, 𝜏) 𝜏 ≤ 𝑇 ? 𝐵 # = Δ Lemma. If Δ = 2𝑇 + 𝑃 log 𝑀 + 𝜇 then Pr[ 𝐵 " , 𝐵 # wins] ≤ 1 2 )

one of the most widely Application to GCM deployed encryption schemes CAU [BT16] : an abstraction of GCM encryption scheme from block cipher 𝐹 and hash function 𝐼 𝑜 -bit block cipher AXU Theorem. [this work] prp 𝑢, 𝑃 𝑟 , 𝑃(𝑇) + 𝑃 𝑇𝑟 log 𝑟 ch ] ae 𝑢, 𝑟, 𝑇 ≤ 4 ⋅ Ad Ad Adv NCH Adv E 2 ^ channel induced by CAU

Our results, in a nutshell 1. Memory-tight reduction and time-memory trade- offs in the channel setting • Typical usage within protocols like TLS • New technique: memory-adaptive reduction 2. Impossibility result for general memory-tight reduction INDR + CTXT ⇒ AE!

Negative result for the general setting Impossibility result for proving INDR+CTXT ⇒ AE in a • memory-tight way for nonce-based encryption schemes Similar spirit as prior work [ACFK17,WMHT18,GT20] • Also rules out memory-adaptive reductions (like the one • for channels) Evidence that some restriction necessary for memory- • tight reduction

Our result inefficient Theorem. [this work] ∀ INDR+CTXT-secure NE ∃ AE adversary 𝐵 ∗ making 𝑟 queries, using memory 𝑃(log 𝑟) s.t. ae 𝐵 ∗ ≈ 1 1) 1) Ad Adv NE 2) ∀ “efficient” black-box reductions 𝑆 using additional memory 𝑇 = 𝑝 𝑟 then indr 𝑆[𝐵 ∗ ] = negl Ad Adv NE 3) ∀ “efficient” black-box reductions 𝑆′ ctxt 𝑆′[𝐵 ∗ ] = negl Ad Adv NE

Our result Theorem. [this work] ∀ INDR+CTXT-secure NE ∃ AE adversary 𝐵 ∗ making 𝑟 queries, using memory 𝑃(log 𝑟) s.t. ae 𝐵 ∗ ≈ 1 1) 1) Ad Adv NE 2) ∀ “efficient” restricted black-box reductions 𝑆 using additional memory 𝑇 = 𝑝 𝑟 then indr 𝑆[𝐵 ∗ ] = negl Ad Adv NE 3) ∀ “efficient” restricted black-box reductions 𝑆′ ctxt 𝑆′[𝐵 ∗ ] = negl Ad Adv NE

Restricted black-box reduction 1. faithful ENC ' (𝑂, 𝑁) 𝐷 𝐵 ∗ 𝑆 ENC ` ENC ' (𝑂, 𝑁) ⋮ 𝐷 2. nonce-respecting 𝐵 ∗ ⇒ nonce-respecting 𝑆 3. straightline or fully-rewinding

The adversary 𝐵 ∗ : basic idea In round 𝑗 = 1, ⋯ , 𝑠 • $ 0,1 ℓ Encrypt random 𝑁 ( , 𝑁 ) , ⋯ , 𝑁 * ← • Intuition : reduction w/ memory 𝑙 ⋅ ℓ bits succeeds in each 𝐷 , ← ENC ' ( 𝑗, 𝑘 , 𝑁 , ) round w/ probability ≤ . $ [𝑣] Sample 𝑘 ∗ ← * • 𝑁 ← DEC ' ( 𝑗, 𝑘 ∗ , 𝐷 , ∗ ) If 𝑁 , ∗ ≠ 𝑁 then ABORT • All rounds succeed ⟹ Inefficiently break the scheme •

Conclusions Memory-sensitive bounds for the AE security of • channels Time-memory tradeoffs for the AE security of a TLS like channel instantiated with GCM New technique: Memory-adaptive reductions • Impossibility for full AE security • Evidence that restricting AE security to specific settings is inherent for memory-tight reductions

Open problems Memory-sensitive bounds for other practical examples • of channels? More applications of memory-adaptive reductions? •

Paper: https://eprint.iacr.org/2020/785