
Trick or Tweak: On the (In)security of OTR’s Tweaks. Raphael Bost, Olivier Sanders. PowerPoint presentation (slide transcript).



1. Trick or Tweak: On the (In)security of OTR’s Tweaks. Raphael Bost (1, 2), Olivier Sanders (3). (1) Direction Générale de l’Armement - Maîtrise de l’Information; (2) Université de Rennes 1; (3) Orange Labs. Asiacrypt 2016, Hanoi. Raphael Bost, Olivier Sanders, Trick or Tweak, Asiacrypt ’16, 1 / 22.

2. Offset Two Rounds (OTR)
- CAESAR submission by K. Minematsu (Eurocrypt ’14)
- Rate-1 AE
- Tweakable-blockcipher based
- Inverse-free version of OCB (only needs $E$, not $E^{-1}$)
- Two-round Feistel construction
- Defined for any block size $n$
[Figure: a two-round Feistel structure on the block pair $(M[1], M[2])$, using $\tilde{E}_K^{N,1,0}$ in the first round and $\tilde{E}_K^{N,1,1}$ in the second, producing $(C[1], C[2])$.]

3. Tweakable Blockcipher (TBC) [LRW02]. Add a public input to a blockcipher, the tweak, to add variability. Each tweak $T \in \mathcal{T}$ (the tweak space) yields an independent pseudo-random permutation.
Tweakable blockcipher (a.k.a. tweakable PRP): the $T \in \mathcal{T}$-indexed permutation family $\tilde{E}_K(T, \cdot)$ is indistinguishable from a random permutation family $\pi(T, \cdot)$:
$$\left| \Pr\left[ K \xleftarrow{\$} \mathcal{K} : A^{\tilde{E}_K(\cdot,\cdot)} \Rightarrow 1 \right] - \Pr\left[ \pi \xleftarrow{\$} \mathrm{Perm}(\mathcal{T}, n) : A^{\pi(\cdot,\cdot)} \Rightarrow 1 \right] \right| \le \mathrm{negl}(\lambda)$$

4. OTR Encryption (1/2). [Figure: the message blocks $M[1], M[2], \ldots, M[2\ell-3], M[2\ell-2]$ are processed pairwise by two-round Feistel rounds keyed with $\tilde{E}_K^{N,1,0}, \tilde{E}_K^{N,1,1}, \ldots, \tilde{E}_K^{N,\ell-1,0}, \tilde{E}_K^{N,\ell-1,1}$, producing $C[1], C[2], \ldots, C[2\ell-3], C[2\ell-2]$.]

5. OTR Encryption (2/2). [Figure: processing of the last chunk and tag generation, with separate cases for $m$ even (inputs $M[m-1], M[m]$, calls to $\tilde{E}_K^{N,\ell,0}$ and $\tilde{E}_K^{N,\ell,1}$, with $\mathrm{msb}$ truncation and $\mathrm{pad}$, outputs $C[m-1], C[m]$) and $m$ odd (input $M[m]$, a call to $\tilde{E}_K^{N,\ell,0}$ on $0^n$ with $\mathrm{msb}$ truncation, output $C[m]$); the tag $T$ is computed from the checksum $\Sigma$ with $\tilde{E}_K^{*,N,\ell,b_1,b_2}$.]
Checksum: if $m$ is even, $\Sigma = M[2] \oplus \cdots \oplus M[m-2] \oplus Z \oplus C[m]$; if $m$ is odd, $\Sigma = M[2] \oplus \cdots \oplus M[m-1] \oplus M[m]$.

6. OTR’s security. Theorem (Theorem 3 of [Min14]): if $\tilde{E}$ is a tweakable PRP, OTR is CPA-secure (confidentiality) and INT-CTXT-secure (unforgeability).

7. Instantiating the TBC. Remark: we are working in $\mathbb{F}_{2^n}$ represented as $\mathbb{F}_2[X]/(P(X))$, with $P$ a primitive polynomial of degree $n$ over $\mathbb{F}_2$. Use the XE construction: $\tilde{E}_K^{N,i,j}(M) = E_K(M + \Delta^N_{i,j})$. In [Rog04]: $\Delta^N_{i,j} = X^i (X+1)^j \delta$ with $\delta = E_K(N)$, so that $\Delta^N_{i+1,j} = X \cdot \Delta^N_{i,j}$ and $\Delta^N_{i,j+1} = (X+1) \cdot \Delta^N_{i,j}$. [Figure: $M$ is masked with $\Delta^N_{i,j}$, then encrypted with $E_K$, giving $C$.]

8. Instantiating the TBC (cont.). Remark: we are working in $\mathbb{F}_{2^n}$ represented as $\mathbb{F}_2[X]/(P(X))$, with $P$ a primitive polynomial of degree $n$ over $\mathbb{F}_2$. In OTRv1–v2 [Min14], for efficiency, another masking scheme is used: $\Delta^N_{i,b} = (X^{i+1} + b)\,\delta$ and $\Delta^{*,N}_{\ell,b_1,b_2} = \left[(X+1)X^{\ell+1} + X \cdot b_1 + b_1 + b_2\right]\delta$, so that $\Delta^N_{i+1,0} = X \cdot \Delta^N_{i,0}$ and $\Delta^N_{i,1} = \Delta^N_{i,0} + \delta$. [Figure: $M$ is masked with $\Delta^N_{i,j}$, then encrypted with $E_K$, giving $C$.]

9–10. The flaw. Lemma (Lemma 1 of [Min14]): the TBC is indistinguishable from a tweakable PRP. The proof of this lemma relies on the following claim. Claim: let
$$S_1(\delta) = \bigcup_{i \ge 1,\; b_1 \in \{0,1\},\; b_2 \in \{0,1\}} \left\{ X^{i+1}\delta,\; (X^{i+1} + 1)\delta,\; (X^{i+2} + X^{i+1} + b_1 X + b_2)\delta \right\}.$$
The elements of $S_1(\delta)$ are pairwise different.
Our attack: this is not true in general!

11–14. The trick. In [Rog04], bound $i$ and $j$ so that the $i + \alpha j$ are all different, with $\alpha = \log_X(X+1)$ $\Rightarrow$ the $\{X^i (X+1)^j\}$ are pairwise distinct. In [Min14], we cannot show that, for some $q$, the elements are pairwise distinct in
$$\left\{ X^{i+1},\; X^{i+1} + 1 \right\} \cup \left\{ X^{i+2} + X^{i+1} + b_1 X + b_2 \right\}, \quad 1 \le i \le q,\; (b_1, b_2) \in \{0,1\}^2.$$
If $P(X) = X^n + X^j + 1$, there is a collision between $X^n$ and $X^j + 1$ in $\mathbb{F}_{2^n} = \mathbb{F}_2[X]/(P(X))$. For more than half of the $n \le 10000$, there is an irreducible trinomial $P$.

15–17. For actual block sizes ($n = 64, 128$)? If $8 \mid n$, $\mathbb{F}_{2^n} = \mathbb{F}_2[X]/(P(X))$ with $P$ having at least 5 non-zero coefficients ($P(X) = X^n + X^{j_1} + X^{j_2} + X^{j_3} + 1$) $\Rightarrow$ no immediate collision in general. For SW/HW efficiency, we usually choose $P$ such that its non-zero coefficients are close to each other, preferably in the least significant bytes: $P_{64}(X) = X^{64} + X^4 + X^3 + X + 1$ and $P_{128}(X) = X^{128} + X^7 + X^2 + X + 1$. For $n = 64$ with the usual $P$, we have a collision of the type $X^i = X^{j+1} + X^j + X + 1$: $X^{64} = X^4 + X^3 + X + 1$.

18. Consequences. Problem: there is a flaw in the proof of OTR, even for practical parameters. Does the confidentiality of OTR break? Does the unforgeability of OTR break?

19. Typology of collisions. Consider
$$\left\{ X^{i+1},\; X^{i+1} + 1 \right\}_{1 \le i \le q} \cup \left\{ X^{i+2} + X^{i+1} + b_1 X + b_2 \right\}_{1 \le i \le q,\; (b_1, b_2) \in \{0,1\}^2}.$$
There are three types of collision among the tweaks’ polynomials:
$$X^i = X^j + 1 \quad (1)$$
$$X^i = X^{j+1} + X^j + r(X) \quad (2)$$
$$X^{i+1} + X^i = X^{j+1} + X^j + r(X) \quad (3)$$
with $r(X) \in \{0, 1, X, X+1\}$.
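The following script is an added example, not part of the slides and not the authors’ code. It makes the argument of slides 8, 12–17 and 19 checkable: it enumerates the OTRv1/v2 mask polynomials $X^{i+1}$, $X^{i+1}+1$ and $X^{i+2}+X^{i+1}+b_1 X + b_2$ for $1 \le i \le q$, reduces each one in $\mathbb{F}_2[X]/(P(X))$, reports every pair that collapses to the same field element, and classifies the underlying relation by the three types above. It goes beyond the single collision shown on slide 17 by finding all collisions up to a chosen $q$. The reduction polynomials $P_{64}$ and $P_{128}$ are the ones from slide 16; the small trinomial $X^9 + X^4 + 1$ is a constructed instance of the trinomial case of slide 13, and the bound $q$ and all function names are this example’s own choices.

```python
# Added check (not from the slides): enumerate collisions among the OTRv1/v2
# tweak polynomials  X^{i+1}, X^{i+1}+1, X^{i+2}+X^{i+1}+b1*X+b2  (1 <= i <= q)
# in GF(2^n) = GF(2)[X]/(P(X)) and classify each relation by the slide's types.
# Polynomials over GF(2) are integers whose bit e is the coefficient of X^e.
from collections import defaultdict
from itertools import combinations

P64 = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1     # X^64 + X^4 + X^3 + X + 1 (slide 16)
P128 = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # X^128 + X^7 + X^2 + X + 1 (slide 16)
P9 = (1 << 9) | (1 << 4) | 1                              # X^9 + X^4 + 1: constructed small trinomial


def powers_of_x(n, P, max_exp):
    """Return [X^0 mod P, X^1 mod P, ..., X^max_exp mod P] as n-bit integers."""
    pows = [1]
    for _ in range(max_exp):
        v = pows[-1] << 1          # multiply by X
        if (v >> n) & 1:           # degree n reached: reduce by XORing P
            v ^= P
        pows.append(v)
    return pows


def otr_mask_polys(q):
    """Formal mask polynomials of OTRv1/v2 for 1 <= i <= q (slide 12), each as a
    frozenset of exponents: X^{i+1}, X^{i+1}+1 and X^{i+2}+X^{i+1}+b1*X+b2."""
    polys = set()
    for i in range(1, q + 1):
        polys.add(frozenset({i + 1}))
        polys.add(frozenset({i + 1, 0}))
        for b1 in (0, 1):
            for b2 in (0, 1):
                pair = {i + 2, i + 1}
                if b1:
                    pair.add(1)
                if b2:
                    pair.add(0)
                polys.add(frozenset(pair))
    return polys


def find_collisions(n, P, q):
    """Return the set of field relations induced by colliding mask polynomials.

    Two distinct formal polynomials that reduce to the same element of GF(2^n)
    give the relation 'sum of X^e over their symmetric difference = 0'.  That
    symmetric difference (a frozenset of exponents) is the key, so several
    colliding pairs stemming from one relation are reported once."""
    pows = powers_of_x(n, P, q + 2)
    by_value = defaultdict(list)
    for poly in otr_mask_polys(q):
        value = 0
        for e in poly:
            value ^= pows[e]
        by_value[value].append(poly)
    return {a ^ b for polys in by_value.values() for a, b in combinations(polys, 2)}


def classify(relation):
    """Collision type of a relation per the typology slide: 1, 2 or 3 (0 if none fits)."""
    high = sorted((e for e in relation if e >= 2), reverse=True)
    low = {e for e in relation if e < 2}
    if len(high) == 2 and low == {0}:
        return 1                   # X^i = X^j + 1
    if len(high) == 3 and (high[0] - high[1] == 1 or high[1] - high[2] == 1):
        return 2                   # X^i = X^{j+1} + X^j + r(X)
    if len(high) == 4 and high[0] - high[1] == 1 and high[2] - high[3] == 1:
        return 3                   # X^{i+1} + X^i = X^{j+1} + X^j + r(X)
    return 0


def describe(relation):
    """Render a relation as 'X^a = X^b + ...' with the largest exponent on the left."""
    exps = sorted(relation, reverse=True)
    term = lambda e: "1" if e == 0 else "X" if e == 1 else f"X^{e}"
    return f"{term(exps[0])} = " + " + ".join(term(e) for e in exps[1:])


if __name__ == "__main__":
    cases = (("P_64", 64, P64, 70), ("P_128", 128, P128, 160), ("X^9+X^4+1", 9, P9, 12))
    for name, n, P, q in cases:
        rels = find_collisions(n, P, q)
        print(f"{name}, 1 <= i <= {q}: {len(rels)} relation(s)")
        for r in sorted(rels, key=max):
            print(f"  type {classify(r)}: {describe(r)}")
```

With $P_{64}$ and $q = 70$ the only relation found is $X^{64} = X^4 + X^3 + X + 1$ (type 2, as on slide 17, supported by two colliding pairs); with $P_{128}$ nothing collides for $q \le 160$, consistent with "no trivial collision" on slide 21; the constructed trinomial $X^9 + X^4 + 1$ yields the type-1 relation $X^9 = X^4 + 1$ of slide 13 and, from its multiples, a type-3 relation. The search is linear in $q$, so it only confirms small-index collisions; it says nothing about the birthday-bound range $i, j < 2^{64}$ discussed on slide 22.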

20. Attacks. Our attack:
- Type 1 ($X^i = X^j + 1$): breaks confidentiality and unforgeability.
- Type 2 ($X^i = X^{j+1} + X^j + r(X)$): breaks confidentiality if $i < j$, breaks unforgeability otherwise.
- Type 3 ($X^{i+1} + X^i = X^{j+1} + X^j + r(X)$): breaks unforgeability.
Idea: use the collision to obtain relations between the blockcipher’s inputs and create collisions on the outputs. Only one query to the encryption oracle, with a message of $\max(i, j)$ blocks. For $n = 64$: a 1 kB message.

21. $n = 128$ in practice. Usually, for $n = 128$, we choose $P(X) = X^{128} + X^7 + X^2 + X + 1$. There is no trivial collision. Remark: this is not true for all irreducible $P$ of degree 128. Ex: $P(X) = X^{128} + X^{127} + X^{61} + X^{60} + 1$. Can we find a collision among the tweaks’ polynomials?

22–23. In search of the lost collision. We are only interested in collisions with $i$ and $j < 2^{64}$: the security proof of OTR only holds up to the birthday bound. We cannot find such collisions by constructing a collision in $\mathbb{F}_{2^{64}}$ and then lifting it to $\mathbb{F}_{2^{128}}$.
