Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The Missing Difference Problem, and its Applications to Counter Mode Encryption Gaëtan Leurent, Ferdinand Sibleyras Inria, équipe SECRET EUROCRYPT 2018 1 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction • Cryptography: Alice encrypts then sends messages to Bob. • Symmetric: Alice and Bob share the same key. • Public channel: Eve (attacker) can see and/or manipulate what is being sent. Eve ...11001101011... Alice Bob 2 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. 3 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Introduction Block Cipher E k : { 0 , 1 } n → { 0 , 1 } n A family of permutations indexed by a key (AES, 3DES, ...) where n is the bit size of the permutation or block’s size. Mode of operation Describes how to use a block cipher along with a plaintext message of arbitrary length to achieve some concrete cryptographic goals. 3 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i 4 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. 4 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) IV � 0 IV � 1 IV � 2 IV � 3 E k E k E k E k m 0 m 1 m 2 m 3 c 0 c 1 c 2 c 3 m i : The plaintext. E k : The block cipher. c i : The ciphertext. IV : The Initialisation Value. c i = E k ( IV � i ) ⊕ m i Akin to a stream cipher: keystream XORed with the plaintext. Inputs IV � i to the block cipher never repeat. 4 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . 5 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) Let K i = E k ( IV � i ) the i th block of keystream. • If E k is a good Pseudo-Random Function (PRF) then all K i are random and this is a one-time-pad. • A block cipher is a Pseudo-Random Permutation (PRP) therefore K i are all distinct: K i � = K j ∀ i � = j . Security proof ( σ the number of blocks) Adv IND CTR- E k ( σ ) ≤ Adv PRF E k ( σ ) ≤ Adv PRP E k ( σ ) + σ 2 / 2 n + 1 Distinguisher After σ ≃ 2 n / 2 encrypted blocks we expect a collision on the K i with high probability in the case of a random ciphertext. That is the birthday bound coming from the birthday paradox. 5 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • matching distinguishers at the proof’s bound c 0 c 1 c 2 6 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion CBC and CTR CBC mode Both modes are: m 0 m 1 m 2 • widely deployed • proven secure up to IV birthday bound (2 n / 2 ) E k E k E k • matching distinguishers at the proof’s bound c 0 c 1 c 2 Folklore assumptions [Ferguson, Schneier, Kohno] CTR leaks very little data. [...] It would be reasonable to limit the cipher mode to 2 60 blocks, which allows you to encrypt 2 64 bytes but restricts the leakage to a small fraction of a bit. When using CBC mode you should be a bit more restrictive. [...] We suggest limiting CBC encryption to 2 32 blocks or so. 6 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . 7 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . 7 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguisher uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . 7 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The counter mode (CTR) From a distinguishing attack to a plaintext recovery attack ? • If we know m i , we recover K i = c i ⊕ m i . • We can observe repeated encryptions of a secret S that is c j = K j ⊕ S for many different j . • The distinguisher uses K i ⊕ K j � = 0 which implies K i ⊕ c j � = S ∀ i � = j . Main Idea Collect many keystream blocks K i and encryptions of secret block c j = K j ⊕ S ; then look for a value S such that K i ⊕ c j � = S ∀ i � = j . 7 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 8 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Missing difference problem Main Idea Collect many keystream blocks K i ∈ A and encryptions of secret block c j = K j ⊕ S ∈ B ; then look for a value S ∈ S such that ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . The missing difference problem • Given A and B , and a hint S three sets of n -bit words • Find S ∈ S such that: ∀ ( a , b ) ∈ A × B , S � = a ⊕ b . 8 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 n via coupon collector problem • To exclude 2 n candidates of S , we need n · 2 n values a i ⊕ b j • Lists A and B of size √ n · 2 n / 2 . Complexity: ˜ O ( 2 n ) 9 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Simple Sieving Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 b 5 a 6 b 6 a 7 b 7 × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × × 2 n 0 S Compute all a i ⊕ b j , remove results from a sieve S . Analysis: case |S| = 2 • To exclude 1 candidate of S , we need 2 n values a i ⊕ b j • Lists A and B of size 2 n / 2 . Complexity: ˜ O ( 2 n ) 9 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 ⊕ s a 4 b 4 a 5 b 5 a 6 b 6 ? a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 10 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 ⊕ s a 4 b 4 a 5 b 5 a 6 ? b 6 a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 10 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 ⊕ s a 4 b 4 a 5 ? b 5 a 6 b 6 a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 10 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 ⊕ s a 5 ? b 5 a 6 b 6 a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 10 / 24
Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Searching Algorithm [McGrew, FSE’13] a 1 b 1 a 2 b 2 a 3 b 3 a 4 b 4 a 5 ⊕ s ? b 5 a 6 b 6 a 7 b 7 Try Guess ( s ) • Make a guess and verify. for a in A do if ( s ⊕ a ) ∈ B then return 0 return 1 10 / 24
Recommend
More recommend