Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm

Aslı Bay (1), Oğuzhan Ersoy (2), Ferhat Karakoç (1)
(1) TÜBİTAK-BİLGEM-UEKAE
(2) Boğaziçi University

ASIACRYPT 2016, Hanoi, Vietnam
Outline
◮ Background
    Authenticated Encryption and CAESAR Competition
    Specification of ELmD
◮ Cryptanalysis of ELmD
    Recovering Internal State L
    Forgery Attack
    Exploiting the Structure of ELmD
    Key Recovery Attacks
◮ Conclusion
Encryption vs. Authenticated Encryption
◮ Encryption provides confidentiality
◮ Message Authentication provides data-origin authentication
◮ In many applications, message authentication is needed together with encryption:
    Encryption Scheme (confidentiality) + Message Authentication Code (authenticity) → Authenticated Encryption
    Achieves both: confidentiality & authenticity
CAESAR Competition
◮ CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness
◮ Aim: identify a portfolio of authenticated ciphers that
    1. offer advantages over AES-GCM
    2. are suitable for widespread adoption
◮ Funded by NIST

CAESAR Competition Timeline
    Call for Submission: January 2013
    Submission Deadline: March 2014
    Announcement of Second-Round Candidates: July 2015
    Announcement of Third-Round Candidates: August 2016
    Announcement of Finalists: December 2017 (?)
    Announcement of the Winner: TBA (?)
CAESAR Competition: Submissions
◮ Block Cipher Based: AEGIS, AES-COPA, AES-JAMBU, AES-OTR, AEZ, CLOC, Deoxys, ELmD, Joltik, OCB, POET, SCREAM, SHELL, SILC, Tiaoxin, ...
◮ Stream Cipher Based: ACORN, HS1-SIV, MORUS, TriviA-ck
◮ Sponge Based: Ascon, ICEPOLE, Ketje, Keyak, NORX, PRIMATEs, STRIBOB, π-Cipher, ...
◮ Permutation Based: Minalpher, PAEQ, ...
◮ Compression Function Based: OMD
Specification of ELmD
◮ Proposed by Datta and Nandi for CAESAR
◮ A third-round CAESAR candidate
◮ A block cipher based Encrypt-Linear-mix-Decrypt authentication mode: processes the message in the Encrypt-Mix-Decrypt paradigm
◮ Accepts Associated Data (AD)
◮ Online and parallelizable
Linear Mixing Function ρ
◮ ρ function: (x_t, w_{t−1}) ↦ (y_t, w_t) with
    y_t = x_t ⊕ 3·w_{t−1}
    w_t = x_t ⊕ 2·w_{t−1}
◮ Field multiplication modulo p(x) = x^128 + x^7 + x^2 + x + 1 in GF(2^128)
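The field arithmetic and the ρ step above, as an added worked example (not code from the slides or from the ELmD designers). It assumes the polynomial-basis convention that bit i of a Python int is the coefficient of x^i, so the field element "2" is x and doubling is a shift with conditional reduction by the low part of p(x); the chain helper reproduces the identities the later slides rely on (X_1 = IV gives Y_1 = 2·IV; from state 0, two equal inputs a, a give second output 2·a; inputs a, 2a return the state to 0).

```python
# Added example: GF(2^128) multiplication modulo p(x) = x^128 + x^7 + x^2 + x + 1
# and the ELmD mixing function rho as stated on the slide:
#   y_t = x_t XOR 3*w_{t-1},   w_t = x_t XOR 2*w_{t-1}.
# Convention (assumption): bit i of an int is the coefficient of x^i, 0 <= v < 2^128.

MASK128 = (1 << 128) - 1
POLY_LOW = 0x87  # x^7 + x^2 + x + 1, the part of p(x) below x^128


def gf128_double(v: int) -> int:
    """Multiply v by x (the field element 2) and reduce modulo p(x)."""
    v <<= 1
    if v >> 128:                      # x^128 overflowed: x^128 = x^7 + x^2 + x + 1
        v = (v & MASK128) ^ POLY_LOW
    return v


def gf128_mul(a: int, b: int) -> int:
    """Schoolbook multiply in GF(2^128); illustrative, not constant-time."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a = gf128_double(a)
        b >>= 1
    return acc


def rho(x: int, w_prev: int) -> tuple:
    """One mixing step: returns (y_t, w_t) for input block x_t and state w_{t-1}."""
    y = x ^ gf128_mul(3, w_prev)
    w = x ^ gf128_double(w_prev)
    return y, w


def mix_chain(xs, iv: int):
    """Run rho over block-cipher outputs x_1..x_n starting from state iv.

    Returns the list of outputs y_1..y_n and the final state w_n.
    """
    w = iv
    ys = []
    for x in xs:
        y, w = rho(x, w)
        ys.append(y)
    return ys, w


if __name__ == "__main__":
    iv = 0x0123456789ABCDEF0123456789ABCDEF   # constructed sample state
    a = 0xDEADBEEFCAFEBABE0011223344556677    # constructed sample block
    print(hex(rho(iv, iv)[0]))                  # equals 2*iv
    print(hex(mix_chain([a, a], 0)[0][1]))      # equals 2*a
    print(hex(mix_chain([a, gf128_double(a)], 0)[1]))  # state returns to 0
```

Reduction by `POLY_LOW` only ever happens once per doubling because the input is already below 2^128, which is why `gf128_double` needs a single conditional XOR rather than a loop.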
Message Padding Rule
Message: M = M_1 ‖ M_2 ‖ · · · ‖ M*_ℓ
◮ Submitted version:
    M_ℓ = M*_ℓ ‖ 10*   if |M*_ℓ| < 128,   else M_ℓ = M*_ℓ
    M_{ℓ+1} = ⊕_{i=1}^{ℓ} M_i
◮ Modified version:
    M_ℓ = (⊕_{i=1}^{ℓ−1} M_i) ⊕ (M*_ℓ ‖ 10*)   if |M*_ℓ| < 128
    M_ℓ = (⊕_{i=1}^{ℓ−1} M_i) ⊕ M*_ℓ              else
    M_{ℓ+1} = M_ℓ
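The two padding rules side by side, as an added example that is not part of the slides or of the ELmD reference code. It works on 16-byte blocks, uses 0x80 followed by zero bytes for 10* padding, and treats an empty message as a single short block M*_1 that gets padded (that last choice is an assumption the slide does not spell out).

```python
# Added example: ELmD padding/checksum rules (submitted vs. modified version)
# over 128-bit blocks. Both functions return the block list M_1, ..., M_l, M_{l+1}.
BLOCK = 16


def _pad10(block: bytes) -> bytes:
    """10* padding: a 1 bit (0x80) then zero bits up to a full block."""
    assert len(block) < BLOCK
    return block + b"\x80" + b"\x00" * (BLOCK - len(block) - 1)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _split(msg: bytes):
    """Cut msg into full blocks plus a final block M*_l that may be short.

    Assumption: an empty message is a single empty block that gets padded.
    """
    if not msg:
        return [b""]
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def pad_submitted(msg: bytes):
    """Submitted version: pad M*_l if short, then M_{l+1} = XOR of all M_i."""
    blocks = _split(msg)
    if len(blocks[-1]) < BLOCK:
        blocks[-1] = _pad10(blocks[-1])
    checksum = bytes(BLOCK)
    for b in blocks:
        checksum = _xor(checksum, b)
    return blocks + [checksum]


def pad_modified(msg: bytes):
    """Modified version: M_l = XOR of M_1..M_{l-1} and the (padded) M*_l; M_{l+1} = M_l."""
    blocks = _split(msg)
    last = blocks[-1]
    if len(last) < BLOCK:
        last = _pad10(last)
    prefix = bytes(BLOCK)
    for b in blocks[:-1]:
        prefix = _xor(prefix, b)
    m_l = _xor(prefix, last)
    return blocks[:-1] + [m_l, m_l]


if __name__ == "__main__":
    sample = b"A" * 16 + b"BCD"          # constructed 19-byte message: one full block + 3 bytes
    for name, fn in (("submitted", pad_submitted), ("modified", pad_modified)):
        print(name, [blk.hex() for blk in fn(sample)])
```

The checksum block lands in a different position in the two versions: the submitted rule keeps the padded M*_ℓ as M_ℓ and appends the checksum, while the modified rule folds the checksum into M_ℓ and repeats it as M_{ℓ+1}.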
Parameters of ELmD
◮ AES-128 is used as E_K with either 6 or 10 rounds: ELmD(6, 6) and ELmD(10, 10)
◮ Provision of intermediate tags (if required): faster decryption and verification
◮ Internal parameter mask is either L = AES_10(0) or L = AES_6(AES_6(0))
Processing Associated Data
◮ IV is generated by processing Associated Data (D)
◮ D_0 = public number ‖ parameters and D = D_0 ‖ D_1 ‖ · · · ‖ D*_d, where D_d = D*_d ‖ 10* if |D*_d| ≠ 128, otherwise D_d = D*_d
◮ If |D*_d| ≠ 128, masking = 7 · 2^{d−1} · 3L
(Figure: D_0, D_1, ..., D_d are masked with 3L, 2·3L, ..., 2^d·3L, encrypted with E_K to Z_0, Z_1, ..., Z_d, and fed through the ρ chain from initial state 0 with chaining values W_1, ..., W_d; the final state is IV.)
Encryption
Padded Message: M = M_1 ‖ M_2 ‖ · · · ‖ M_ℓ
Ciphertext: (C, T) = (C_1 ‖ C_2 ‖ · · · ‖ C_ℓ, C_{ℓ+1})
(Figure: two encryption diagrams, for |M*_ℓ| = 128 and |M*_ℓ| < 128. Blocks M_1, ..., M_ℓ, M_{ℓ+1} are masked with L, ..., 2^{ℓ−1}L, 2^ℓ L (full last block) or with 7·2^{ℓ−2}L and 7·2^{ℓ−1}L on the last two blocks (partial last block), encrypted with E_K to X_1, ..., X_{ℓ+1}, passed through the ρ chain started from IV with chaining values W_1, ..., W_ℓ (a constant 1 is XORed at the final ρ output), decrypted with E_K^{−1} from Y_1, ..., Y_{ℓ+1}, and masked with 3^2 L, ..., 3^2·2^{ℓ−1}L, 3^2·2^ℓ L to give C_1, ..., C_ℓ, C_{ℓ+1}.)
Decryption and Tag Verification
◮ Decryption: inverse of encryption
◮ Tag verification: release the plaintext if M_{ℓ+1} = M_ℓ, else ⊥ is returned
(Figure: the encryption diagrams of the previous slide, read from C_1, ..., C_ℓ, C_{ℓ+1} back to M_1, ..., M_ℓ, M_{ℓ+1}, for |M*_ℓ| = 128 and |M*_ℓ| < 128.)
Security Claims
◮ 62.8-bit security for confidentiality for any version
◮ 62.4-bit security for integrity for any version
◮ Authors' claim for key recovery attacks: "... one can not use this distinguishing attack to mount a plaintext or key recovery attack and we believe that our construction provides 128 bits of security, against plaintext or key recovery attack"
◮ We disprove this by a key recovery attack on ELmD(6, 6)
Recovering Internal State L
◮ Reminder: L = AES_6(AES_6(0)) or L = AES_10(0)
◮ L is used to mask associated data, plaintexts and ciphertexts
◮ Recovered by a collision search on ciphertexts with approximate complexity 2^65 (birthday attack)
◮ Recovering L helps us to mount forgery and key recovery attacks
Recovering Internal State L
◮ Take a fixed D_0, and let (D, M) = (D_1, M_1) = (α, M) and (D′, M′) = (D′_1, M′_1) = (β, M) be two sets of message pairs such that D_0 = D′_0, M_1 = M′_1 and α, β ∈ {0, 1, ..., 2^64 − 1}
◮ α is an incomplete block and β is complete, i.e., |α| = 64 and |β| = 128
◮ (α ‖ 10^63) ⊕ β scans all values in F_2^128
◮ Search for a collision in the first ciphertexts, i.e., C_1 = C′_1, which implies DD_1 = DD′_1
◮ We recover L by solving D_1 ⊕ 3·7·L = D′_1 ⊕ 3·2·L
(Figure: both queries share D_0 (mask 3L) and M_1 (mask L); D_1 = α ‖ 10* is masked with 3·7L and D′_1 = β with 2·3L; DD_1 = DD′_1 gives W_1 = W′_1, IV = IV′ and the collision C_1 = C′_1.)
Universal Forgery
◮ Target message: (D_0, D, M)
◮ First, query (D_0, M_1 = D_0 ⊕ 2L) and obtain (C_1, T)
◮ We obtain E_K(C′_1 ⊕ 3^2 L) = 2·IV′
(Figure: D_0 masked with 3L and M′_1 masked with L give DD_0 = MM′_1, hence X′_1 = IV and Y′_1 = 2IV; C_1 is Y′_1 decrypted with E_K^{−1} and masked with 3^2 L.)
Universal Forgery
◮ Target message: (D_0, D, M)
◮ Query (D′, M) such that D′_0 = D_0, D′_1 = C_1 ⊕ 3^2 L ⊕ 2·3L, D′_2 = D_0 ⊕ 3L ⊕ 2^2·3L and obtain ciphertext C and tag T
◮ The (C, T) pair is also valid for (D, M)
(Figure: D_0, D′_1, D′_2 masked with 3L, 2·3L, 2^2·3L encrypt to IV, 2IV, IV; the ρ chain then produces the chaining values IV, 0, IV, so the resulting IV equals the target's.)
Exploiting the Structure of ELmD
Using the recovered L value, we can obtain two types of plaintext pairs for AES:
    1. µ-multiplicative pairs: for any P_1 and µ, µ · E(P_1) = E(P_2)
    2. 1-difference pairs: E(Q_1) = E(Q_2) ⊕ 1
Using these pairs, we can query any ciphertext to the decryption mode of the cipher AES
2-multiplicative Pairs: (R_1, R_2) with 2·E(R_1) = E(R_2)
◮ Similar method to the forgery attack
◮ First, query (D_0^1, M_1^1 = D_0^1 ⊕ 2L) and obtain (C_1^1, T^1)
◮ We obtain E_K(C_1^1 ⊕ 3^2 L) = 2·IV^1
(Figure: D_0^1 masked with 3L and M_1^1 masked with L give DD_0^1 = MM_1^1, hence X_1^1 = IV^1 and Y_1^1 = 2IV^1; C_1^1 is Y_1^1 decrypted with E_K^{−1} and masked with 3^2 L.)
2-multiplicative Pairs: (R_1, R_2) with 2·E(R_1) = E(R_2)
◮ Choose D_1^2 to make IV = 0
◮ Pick M_1^2 and M_2^2 such that MM_1^2 = MM_2^2 = R_1
◮ We obtain R_2 from C_2^2 such that 2·E(R_1) = E(R_2)
(Figure: second query with D_0^2 = D_0^1 and D_1^2 = C_1^1 ⊕ 3^2 L ⊕ 2·3L (masks 3L, 2·3L), whose encryptions IV^1, 2IV^1 drive the ρ chain to IV^2 = 0; message blocks M_1^2 = R_1 ⊕ L and M_2^2 = R_1 ⊕ 2L both encrypt to E(R_1); from state 0 the chain gives W_1 = E(R_1), Y_1 = E(R_1) and Y_2 = 2E(R_1), so R_2 = C_2^2 ⊕ 3^2·2L.)
µ-multiplicative Pairs: (P_1, P_2) with µ·E(P_1) = E(P_2)
◮ Obtain the plaintext R_2 such that 2·E(P_1) = E(R_2)
◮ µ′ = 3^{−1}(µ ⊕ 1), and µ′ ∈ F_2^128 can be represented as 2^127·m_1 ⊕ 2^126·m_2 ⊕ · · · ⊕ 2·m_127 ⊕ m_128 where m_i ∈ {1, 2}
(Figure: with IV = 0, each of MM_1, ..., MM_128 is P_1 or R_2, so block i encrypts to m_i·E(P_1), and MM_129 = P_1; the ρ chain gives W_1 = m_1·E(P_1), W_2 = 2m_1·E(P_1) ⊕ m_2·E(P_1), ..., W_128 = µ′·E(P_1), and Y_128 = (3µ′ + 1)·E(P_1) = µ·E(P_1); then P_2 = CC_129.)
1-difference Pairs: (R_1, R_2) with E(R_1) = E(R_2) ⊕ 1
Generate 2-multiplicative pairs: E(DD_1) = 2·E(DD_0) and E(MM_2) = 2·E(MM_1)
(Figure: DD_0, DD_1 encrypt to a, 2a, so the associated-data ρ chain ends with IV = 0; MM_1 = P_1, MM_2 = P_2, MM_3 = R_1 encrypt to b, 2b, E_K(R_1); the message chain outputs b, b and E_K(R_1) ⊕ 1 = E_K(R_2), and R_2 = C_3 ⊕ 3^2·2^2 L.)