  1. The Missing Difference Problem, and its Applications to Counter Mode Encryption
  Gaëtan Leurent, Ferdinand Sibleyras
  Inria, équipe SECRET
  EUROCRYPT 2018
  Outline: Introduction · The counter mode · Missing difference problem · Cryptanalysis · Conclusion
  1 / 24

  2. Introduction
  • Cryptography: Alice encrypts, then sends messages to Bob.
  • Symmetric: Alice and Bob share the same key.
  • Public channel: Eve (the attacker) can see and/or manipulate what is being sent.
  [Figure: Alice sends the bit string ...11001101011... to Bob while Eve observes the channel]

  4. Introduction
  Block cipher: $E_k : \{0,1\}^n \to \{0,1\}^n$, a family of permutations indexed by a key (AES, 3DES, ...), where $n$ is the bit size of the permutation, i.e. the block size.
  Mode of operation: describes how to use a block cipher along with a plaintext message of arbitrary length to achieve some concrete cryptographic goal.

  7. The counter mode (CTR)
  [Figure: the blocks $IV\|0, IV\|1, IV\|2, IV\|3$ go through $E_k$; each output is XORed with $m_0, \dots, m_3$ to give $c_0, \dots, c_3$]
  $m_i$: the plaintext. $E_k$: the block cipher. $c_i$: the ciphertext. $IV$: the initialisation value.
  $$c_i = E_k(IV \,\|\, i) \oplus m_i$$
  Akin to a stream cipher: the keystream is XORed with the plaintext.
  The inputs $IV \,\|\, i$ to the block cipher never repeat.

  9. The counter mode (CTR)
  Let $K_i = E_k(IV \,\|\, i)$ be the $i$-th block of keystream.
  • If $E_k$ is a good pseudo-random function (PRF), then all $K_i$ are random and this is a one-time pad.
  • A block cipher is a pseudo-random permutation (PRP), therefore the $K_i$ are all distinct: $K_i \neq K_j\ \forall i \neq j$.
  Security proof ($\sigma$ the number of blocks):
  $$\mathrm{Adv}^{\mathrm{IND}}_{\mathrm{CTR}\text{-}E_k}(\sigma) \le \mathrm{Adv}^{\mathrm{PRF}}_{E_k}(\sigma) \le \mathrm{Adv}^{\mathrm{PRP}}_{E_k}(\sigma) + \frac{\sigma^2}{2^{n+1}}$$
  Distinguisher: after $\sigma \simeq 2^{n/2}$ encrypted blocks we expect a collision among the $K_i$ with high probability in the case of a random ciphertext, whereas CTR over a permutation never produces one. That is the birthday bound, coming from the birthday paradox.
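The distinction the slide draws between a PRF and a PRP is easy to see on a miniature instance. The following is an added example, not code from the authors or the paper: it implements CTR over a constructed 16-bit keyed permutation (a shuffled table, labeled as a toy and not a real cipher), derives the keystream $K_i = E_k(IV\,\|\,i)$ with the IV in the top 4 bits and the counter in the low 12 bits (an assumed layout), and counts collisions among $\sigma = 2^{12}$ keystream blocks, far past the birthday bound $2^{n/2} = 2^8$. The CTR keystream never collides, while a random-function keystream of the same length does, which is exactly what the distinguisher observes.

```python
import random

N = 16               # toy block size in bits (the slides' n); tiny so 2^N fits in a table
IV_BITS = 4          # assumed IV || i layout: IV in the top IV_BITS bits, counter i below
COUNTER_BITS = N - IV_BITS
MASK = (1 << N) - 1


def toy_block_cipher(key: int):
    """Return a keyed permutation E_k on N-bit blocks.

    Constructed for illustration only (not a real cipher): the table is all 2^N
    values shuffled by a PRNG seeded with the key. What matters here is that it
    is a permutation, the PRP property the slides' argument relies on.
    """
    table = list(range(1 << N))
    random.Random(key).shuffle(table)
    return lambda block: table[block & MASK]


def ctr_keystream(enc, iv: int, nblocks: int):
    """K_i = E_k(IV || i) for i = 0 .. nblocks-1; the block cipher inputs never repeat."""
    if nblocks > (1 << COUNTER_BITS):
        raise ValueError("counter would wrap and reuse a block cipher input")
    prefix = (iv & ((1 << IV_BITS) - 1)) << COUNTER_BITS
    return [enc(prefix | i) for i in range(nblocks)]


def ctr_encrypt(enc, iv: int, blocks):
    """c_i = K_i xor m_i; decryption is the same operation applied to the ciphertext."""
    return [k ^ m for k, m in zip(ctr_keystream(enc, iv, len(blocks)), blocks)]


def count_collisions(values):
    return len(values) - len(set(values))


def prp_vs_prf_collisions(key=0x1234, iv=0xA, sigma=1 << COUNTER_BITS):
    """Collisions among sigma keystream blocks: CTR over a permutation vs a random function.

    sigma = 2^12 is far above the birthday bound 2^(n/2) = 2^8 for n = 16, so the
    random-function keystream collides many times while CTR's K_i stay distinct.
    """
    enc = toy_block_cipher(key)
    ctr_ks = ctr_keystream(enc, iv, sigma)
    rng = random.Random(0)                       # constructed stand-in for a PRF
    prf_ks = [rng.getrandbits(N) for _ in range(sigma)]
    return count_collisions(ctr_ks), count_collisions(prf_ks)


if __name__ == "__main__":
    enc = toy_block_cipher(0x1234)
    msg = [0x4865, 0x6C6C, 0x6F21]               # constructed three-block plaintext
    ct = ctr_encrypt(enc, 0xA, msg)
    assert ctr_encrypt(enc, 0xA, ct) == msg      # same keystream: XOR undoes XOR
    ctr_coll, prf_coll = prp_vs_prf_collisions()
    print(f"CTR keystream collisions: {ctr_coll}, random-function collisions: {prf_coll}")
```

The `ValueError` on counter wrap is the practical side of "the inputs never repeat": once the counter field is exhausted under one key and IV, the next block reuses a keystream block and the mode degrades to a two-time pad.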

  11. CBC and CTR
  [Figure: CBC mode, $m_0, m_1, m_2$ chained through $E_k$ starting from $IV$ to give $c_0, c_1, c_2$]
  Both modes are:
  • widely deployed
  • proven secure up to the birthday bound ($2^{n/2}$)
  • matched by distinguishers at the proof's bound
  Folklore assumptions [Ferguson, Schneier, Kohno]: "CTR leaks very little data. [...] It would be reasonable to limit the cipher mode to $2^{60}$ blocks, which allows you to encrypt $2^{64}$ bytes but restricts the leakage to a small fraction of a bit. When using CBC mode you should be a bit more restrictive. [...] We suggest limiting CBC encryption to $2^{32}$ blocks or so."

  15. The counter mode (CTR)
  From a distinguishing attack to a plaintext recovery attack?
  • If we know $m_i$, we recover $K_i = c_i \oplus m_i$.
  • We can observe repeated encryptions of a secret $S$, that is $c_j = K_j \oplus S$ for many different $j$.
  • The distinguisher uses $K_i \oplus K_j \neq 0$, which implies $K_i \oplus c_j = K_i \oplus K_j \oplus S \neq S\ \forall i \neq j$.
  Main idea: collect many keystream blocks $K_i$ and encryptions of the secret block $c_j = K_j \oplus S$; then look for a value $S$ such that $K_i \oplus c_j \neq S\ \forall i \neq j$.

  17. Missing difference problem
  Main idea: collect many keystream blocks $K_i \in \mathcal{A}$ and encryptions of the secret block $c_j = K_j \oplus S \in \mathcal{B}$; then look for a value $S \in \mathcal{S}$ such that $\forall (a, b) \in \mathcal{A} \times \mathcal{B},\ S \neq a \oplus b$.
  The missing difference problem:
  • Given $\mathcal{A}$ and $\mathcal{B}$, and a hint $\mathcal{S}$, three sets of $n$-bit words,
  • find $S \in \mathcal{S}$ such that $\forall (a, b) \in \mathcal{A} \times \mathcal{B},\ S \neq a \oplus b$.

  18. Simple sieving algorithm [McGrew, FSE'13]
  [Figure: every pair $(a_i, b_j)$ from the lists $a_1, \dots, a_7$ and $b_1, \dots, b_7$ strikes one value out of the sieve $\mathcal{S}$ over $[0, 2^n)$]
  Compute all $a_i \oplus b_j$ and remove the results from a sieve $\mathcal{S}$.
  Analysis, case $|\mathcal{S}| = 2^n$, via the coupon collector problem:
  • to exclude the $2^n$ candidates of $\mathcal{S}$ we need $n \cdot 2^n$ values $a_i \oplus b_j$;
  • lists $\mathcal{A}$ and $\mathcal{B}$ of size $\sqrt{n} \cdot 2^{n/2}$.
  Complexity: $\tilde{O}(2^n)$.

  19. Simple sieving algorithm [McGrew, FSE'13]
  Same sieve; analysis, case $|\mathcal{S}| = 2$:
  • to exclude the 1 wrong candidate of $\mathcal{S}$ we need $2^n$ values $a_i \oplus b_j$;
  • lists $\mathcal{A}$ and $\mathcal{B}$ of size $2^{n/2}$.
  Complexity: $\tilde{O}(2^n)$.

  24. Searching algorithm [McGrew, FSE'13]
  [Figure: a guess $s$ is XORed with each $a_i$ in turn and the result is looked up among the $b_j$]
  Make a guess and verify it:
  TryGuess(s):
      for a in A do
          if (s ⊕ a) ∈ B then return 0
      return 1
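Both McGrew algorithms, and the main idea of slides 15 and 17 that feeds them, can be run end to end on a small instance. The following is an added example written for this page, not code from the authors or from McGrew's paper. It constructs an instance of the missing difference problem for $n = 16$: keystream blocks are modeled as distinct random words (the outputs of a random permutation, which is the PRP property that guarantees $S \neq a \oplus b$), $\mathcal{A}$ holds keystream blocks recovered from known plaintext and $\mathcal{B}$ holds $c_j = K_j \oplus S$ for a constructed secret `0xBEEF`. It then runs the simple sieve in both analysed cases ($|\mathcal{S}| = 2^n$ and $|\mathcal{S}| = 2$) and the searching algorithm `try_guess` on a two-element hint. The seed, the secret, and the list sizes are assumptions of the example.

```python
import random

N = 16                 # toy word size in bits (the slides' n); 2^N candidates fit in a Python set
W = 1 << N


def make_instance(secret: int, size_a: int, size_b: int, seed: int = 2018):
    """Constructed instance: A = keystream blocks K_i recovered from known plaintext,
    B = encryptions c_j = K_j ^ S of the secret block under other keystream blocks.

    Keystream blocks are modeled as distinct random N-bit words (what a random
    permutation outputs); because no K_i equals a K_j, S is never a ^ b.
    """
    ks = random.Random(seed).sample(range(W), size_a + size_b)   # all distinct
    a = ks[:size_a]
    b = [k ^ secret for k in ks[size_a:]]
    return a, b


def sieve(a, b, hint=None):
    """Simple sieving algorithm: strike every a ^ b out of the sieve S.

    hint=None means S is all 2^N words (the coupon-collector case); a small hint
    set is the |S| = 2 case of the slides. Returns the surviving candidates.
    """
    s = set(range(W)) if hint is None else set(hint)
    for x in a:
        s.difference_update(x ^ y for y in b)
    return s


def try_guess(guess: int, a, b_set) -> bool:
    """Searching algorithm (TryGuess): the guess survives iff guess ^ a is never in B."""
    return all((guess ^ x) not in b_set for x in a)


def search(hint, a, b):
    """Run TryGuess over every element of the hint set; return the survivors."""
    b_set = set(b)
    return [s for s in hint if try_guess(s, a, b_set)]


def demo(secret: int = 0xBEEF):
    # Slides: lists of size sqrt(n) * 2^(n/2) (= 1024 for n = 16) give about n * 2^n pairs,
    # enough on average to strike all wrong candidates. 1280 per list adds a margin so this
    # fixed-seed run strikes every wrong candidate with overwhelming probability.
    size = 5 * (1 << (N // 2))
    a, b = make_instance(secret, size, size)
    two = [secret, secret ^ 0x0001]                           # constructed |S| = 2 hint
    return {
        "sieve_full": sieve(a, b),                            # |S| = 2^n
        "sieve_hint": sieve(a, b, two),                       # |S| = 2
        "search_hint": search(two, a, b),                     # TryGuess on the same hint
    }


if __name__ == "__main__":
    out = demo()
    print({k: [hex(v) for v in sorted(vals)] for k, vals in out.items()})
```

The full sieve does $|\mathcal{A}| \cdot |\mathcal{B}| \approx 1.6 \cdot 10^6$ XORs to clear $2^{16} - 1$ wrong candidates, while the searching algorithm with a two-element hint needs only $2 \cdot |\mathcal{A}|$ set lookups; both rest on the same fact that the true $S$ can never be struck because the keystream blocks are distinct.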
