The Multi-User Security of Double Encryption Viet Tung Hoang Stefano Tessaro Florida State University UC Santa Barbara EUROCRYPT 2017 May 3, 2017 1
Double Encryption Single Encryption: trivial E J key-recovery in O(2 k ) time. Double Encryption: use meet-in-the-middle attack to E J 1 E J 2 recover keys in O(2 k ) time. 2
Double Encryption Single Encryption: trivial E J key-recovery in O(2 k ) time. Double Encryption: use meet-in-the-middle attack to E J 1 E J 2 recover keys in O(2 k ) time. Conventional wisdom : Double Encryption adds no security 3
Double Encryption Single Encryption: trivial E J key-recovery in O(2 k ) time. Double Encryption: use meet-in-the-middle attack to E J 1 E J 2 recover keys in O(2 k ) time. Conventional wisdom : Double Encryption adds no security Today : Double Encryption adds some security, if we look at a broader angle 4
Conventional Security Definition $ $ Procedure Enc( x ) Procedure Enc( x ) $ Return Return Procedure Dec( x ) Procedure Dec( x ) Return Return Enc A Dec 5
Conventional Security Definition $ $ Procedure Enc( x ) Procedure Enc( x ) $ Return Return Procedure Dec( x ) Procedure Dec( x ) Return Return Enc A Dec 6
Multi-user (mu) Security - The conventional notion consider just single-user (su) security -In practice, adversary attacks multiple users, adaptively distributing its resources $ $ Procedure Enc( x , i ) Procedure Enc( x , i ) Return Return Procedure Dec( x , i ) Procedure Dec( x , i ) Return Return 7
Multi-user (mu) Security - The conventional notion consider just single-user (su) security -In practice, adversary attacks multiple users, adaptively distributing its resources $ $ Procedure Enc( x , i ) Procedure Enc( x , i ) Return Return Procedure Dec( x , i ) Procedure Dec( x , i ) Return Return -Mu security can be implicitly obtained via hybrid arguments : 8
Double Encryption Improves Mu Security Claim : Double Encryption improves mu security 9
Double Encryption Improves Mu Security Claim : Double Encryption improves mu security -AES has only 64-bit security in mu setting due to key-collision attack. [Biham 02] Choose random keys A User # q User #1 User #2 Check for matching entries between two tables to recover some user’s key 10
Double Encryption Improves Mu Security Claim : Double Encryption improves mu security -AES has only 64-bit security in mu setting due to key-collision attack. [Biham 02] Choose random keys A User # q User #1 User #2 Check for matching entries between two tables to recover some user’s key - Today : Mu security of DE(AES) ≈ Su security of AES 128-bit security 11
History of Mu Analyses on SE/DE Adv vanishes k : key length, n : block length, q : # queries when q ≈ Construction Advantage Security level SE: matching attack of hybrid argument by [Biham 02] DE: hybrid argument on [ABDV98] bound DE: dream bound 12
Goals and Results -Give a generic technique for bounding information-theoretic mu security. + Our method can handle any indistinguishability games (PRF, AE, blockcipher), and any ideal primitive (random oracle, ideal cipher, ideal permutation). 13
Goals and Results -Give a generic technique for bounding information-theoretic mu security. + Our method can handle any indistinguishability games (PRF, AE, blockcipher), and any ideal primitive (random oracle, ideal cipher, ideal permutation). -Showcase the method via Double Encryption Advantage Security level if 14
Results Visualization of the mu and su bounds of Single Encryption (SE) and Double Encryption (DE) on AES parameters Adv log 2 (#queries) Mu security of SE ( tight ) Mu security of DE (naïve analysis) Mu security of DE ( our result ) Su security of DE Su security of DE 15
The Technique: Almost Proximity Almost proximity: very general, but can be overly complex in some setting 16
The Technique: Almost Proximity Almost proximity: very general, but can be overly complex in some setting Simplified generic treatment : can handle many settings such as GCM, but not Double Encryption 17
The Technique: Almost Proximity Almost proximity: very general, but can be overly complex in some setting A treatment for blockcipher: Simplified generic treatment : tailored to DE can handle many settings such as GCM, but not Double Encryption 18
The Technique: Almost Proximity Almost proximity: very general, but can be overly complex in some setting A treatment for blockcipher: Simplified generic treatment : tailored to DE can handle many settings such as GCM, but not Double Encryption Generalize the pointwise proximity technique of [Hoang, Tessaro 2016] 19
Simplified Almost Proximity - Bound the distinguishing advantage of two randomized systems S 0 and S 1 $ Cost metrics: q : # of construction queries S 0 S 1 p : # of primitive queries A : data complexity, e.g. the total length of queries X may encode (+, x ) or (-, y ), and Z may encode (+, K , z ) or (-, K , z ) Assume that q queries of data complexity invoke primitive queries 20
Simplified Almost Proximity Transcript of the interaction S 0 S 1 A Probability that S i behaves according to Classify mu transcripts Classify su transcripts to A mu transcript is nice if for to “nice” and “not nice” “good” and “bad” any user, the induced su transcript is good Restriction : Involves only queries 21
Simplified Almost Proximity - Classify mu transcripts by “nice” and “not nice” Random variable for transcript in S 0 Bound Mu analysis, but for the “ideal” system S 0 22
Simplified Almost Proximity - Classify mu transcripts by “nice” and “not nice” Random variable for transcript in S 0 Bound Mu analysis, but for the “ideal” system S 0 23
Simplified Almost Proximity - Classify mu transcripts by “nice” and “not nice” Random variable for transcript in S 0 Bound Mu analysis, but for the “ideal” system S 0 1 + Area + Area Area Area 24
Giving Bound on Nice Mu Transcripts induced su transcripts are good Area + Area Goal : bound by analyses on su good transcripts Area 25
Giving Bound on Nice Mu Transcripts induced su transcripts are good Area + Area Goal : bound by analyses on su good transcripts Area How : Establish a bound on any good su transcript of parameters Used in H-coefficient technique [Patarin 08] to establish su bound super-additive 26
Giving Bound on Nice Mu Transcripts induced su transcripts are good Area + Area Goal : bound by analyses on su good transcripts Area How : Establish a bound on any good su transcript of parameters Used in H-coefficient technique [Patarin 08] to establish su bound super-additive Super-additivity : Example: is super-additive is not super-additive 27
Simplified Almost Proximity: From Su to Mu Security Non-adaptive q 1 queries of A data complexity User 4 User 3 User 2 User 1 Totally, queries of data complexity and p queries Suppose that for any su adversary B of parameters Hybrid argument : 28
Simplified Almost Proximity: From Su to Mu Security Non-adaptive q 1 queries of A data complexity User 4 User 3 User 2 User 1 Totally, queries of data complexity and p queries Accounting Suppose that for any su adversary B of parameters for simulated queries Hybrid argument : 29
Simplified Almost Proximity: From Su to Mu Security Non-adaptive q 1 queries of A data complexity User 4 User 3 User 2 User 1 Totally, queries of data complexity and p queries Accounting Suppose that for any su adversary B of parameters for simulated queries Hybrid argument : Super-additivity 30
Simplified Almost Proximity: From Su to Mu Security Main problem in mu security : Adversary can adaptively distribute the resources across multiple users 31
Simplified Almost Proximity: From Su to Mu Security Main problem in mu security : Adversary can adaptively distribute the resources across multiple users To avoid adaptivity, do hybrid argument at the transcript level 32
Simplified Almost Proximity: From Su to Mu Security Main problem in mu security : Adversary can adaptively distribute the resources across multiple users To avoid adaptivity, do hybrid argument at the transcript level 1 good su transcript + Area Area 33
Simplified Almost Proximity: From Su to Mu Security Main problem in mu security : Adversary can adaptively distribute the resources across multiple users To avoid adaptivity, do hybrid argument at the transcript level 1 good su transcript + Area Area Area + 34
Technique for mu-CCA Security of Blockcipher E Blockcipher $ Ideal cipher S 0 S 1 A call to makes t calls to A Accounting A ’s resources via p and q only Goal : Do only su analyses, but achieve mu results 35
Technique for mu-CCA Security of Blockcipher E Blockcipher $ Ideal cipher S 0 S 1 A call to makes t calls to A Accounting A ’s resources via p and q only Goal : Do only su analyses, but achieve mu results Classify su transcripts into “good” and “bad” No restriction 36
Recommend
More recommend