Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Transcription

1 Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented at the IACR School on Computer-aided Cryptography, University of Maryland, College Park, USA, June 1 June 4, 2015.

2 Introduction Problem: Designing/proving crypto constructions is hard 2 / 33

3 Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! 2 / 33

4 Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! Program Synthesis Automatically construct programs based on (small) set of rules Has been applied to crypto protocols (e.g., [AGHP12],[BCG + 13], etc.) 2 / 33

5 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 3 / 33

6 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33

7 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33

8 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) 4 / 33

9 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block 4 / 33

10 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block Example: Cipher-Block Chaining (CBC) Mode m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 4 / 33

11 Background: Security of Modes of Operation Want output of mode to look random to adversary IND$-CPA What is IND$-CPA? Adversary A has oracle access to either (World 0) a truly random function (World 1) the desired mode of operation A specifies messages to encrypt and receives resulting ciphertexts A s Goal: Decide whether in World 0 or World 1 Secure: A cannot distinguish between worlds 5 / 33

12 Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! 6 / 33

13 Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! Question: Can we automate the security analysis, synthesize new modes? Solution: Construct framework for automatically proving modes of operation secure, use this to synthesize new modes 6 / 33

14 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values 7 / 33

15 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled 7 / 33

16 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled Meta-Theorem: Exists valid labeling = mode IND$-CPA-secure 7 / 33

17 Mode of Operation: Formal Definition Defined by two algorithms: Init(1 n ) (c 0, z 0 ) Block(m i, z i 1 ) (c i, z i ) Enc k (m = m 1 m l ): Compute (c 0, z 0 ) Init(1 n ) For i = 1,..., l: Compute (c i, z i ) Block(m i, z i 1 ) Output c 0 c l m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 8 / 33

18 Viewing Modes as Graphs GENRAND DUP IV m 1 m 2 m 3 OUT Init algorithm NEXTIV START M F k F k F k XOR IV c 1 c 2 c 3 PRP DUP OUT NEXTIV Block algorithm 9 / 33

19 Edge Labels: Intuition Recall: Edges denote intermediate values 10 / 33

20 Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? 10 / 33

21 Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? Goal: If values on edges into OUT nodes look random to adversary, then mode is IND$-CPA-secure 10 / 33

22 Edge Labels: Formalism (simplified) Each edge label is a tuple (type, flags): type {, R}: Type of intermediate value : Adversarially controlled R: Random flags {0, 1} 2 : Bit-vector denoting whether edge can be input into OUT or PRP E.g., prevents both DUP d values being output as ciphertext 11 / 33

23 Constraints GENRAND Constraints on Nodes: DUP OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

24 Constraints GENRAND DUP (R, 11) Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

25 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

26 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV (R, 01) XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

27 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 PRP DUP OUT NEXTIV Block algorithm 12 / 33

28 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags DUP OUT NEXTIV Block algorithm 12 / 33

29 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT NEXTIV Block algorithm 12 / 33

30 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Block algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT: Ingoing edge must have type R and flags.out = 1 12 / 33

31 Implementation Implemented model checker + synthesizer in OCaml Model Checker: (1) Checks whether an input mode is secure Recall: Valid labeling mode is secure Determining secure mode is a constraint-satisfaction problem Can use SMT solver (e.g., Z3) (2) Secure modes need to be decryptable Implement algorithm to check decryptability of mode Synthesizer: Can simply iterate over all possible graphs Use simple rules to reduce search space 13 / 33

32 Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure Total / 33

33 Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure Total We are able to synthesize all standard (secure) modes E.g., CBC, OFB, CFB, CTR, PCBC 14 / 33

34 Results Two results: 1. Apply program synthesis to modes of operation (CSF 2014) 2. Extend previous ideas to authenticated encryption (new) 15 / 33

35 Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity 16 / 33

36 Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity Authenticated Encryption (AE): mode of operation which encrypts and authenticates arbitrary-length messages 16 / 33

37 Background: Authenticated Encryption AE scheme: Tuple of algorithms Π = (K, E, D), where E(,, ) and D(,, ) are deterministic and take nonce as input, in addition to key and plaintext Adversary has access to oracle E(K,, ) and must never repeat a nonce Privacy: Similar to previous case Authenticity: Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 17 / 33

38 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers 18 / 33

39 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T 18 / 33

40 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random 18 / 33

41 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random Tweak depends on nonce, and nonce must be fresh on every query output of TBC is always random 18 / 33

42 Example: Offset Codebook (OCB) Mode M 1 M 2 M 3 M 4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C 1 C 2 C 3 tag C 4 τ 19 / 33

43 Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V 20 / 33

44 Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V Encryption procedure: X 0 0 2n ; v 1; M 1 M 2m M for i = 1 to m do T (N, v) (X i, C 2i 1 C 2i ) Enc EK (T, X i 1, M 2i 1 M 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X) return C 1 C 2m V [1, τ ] 20 / 33

45 Authenticated Encryption: Formal Definition Decryption procedure: C 1 C 2m tag C X 0 0 2n ; v 1 for i = 1 to m do T (N, v) 1 EK,E (X i, M 2i 1 M 2i ) Dec K (T, Xi 1, C 2i 1 C 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X m ) if tag V [1, τ ] then return else return M 1 M 2m 21 / 33

46 Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: 22 / 33

47 Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: INI IN IN INI IN IN INI XOR DUP DUP XOR TBC TBC TBC XOR TBC TBC XOR DUP DUP OUT FIN OUT OUT FIN OUT OUT Graph representations of Enc (left), Dec (middle), and Tag (right) for OCB mode. 22 / 33

48 Vertex Labels Each vertex label is a value type {$,, 0, 1}: $: Random : Adversarially controlled 0 and 1: Used to compare values on the same vertex in two runs of the Dec graph 0: The two values are the same 1: The two values are different 23 / 33

49 Constraints Constraints generally follow intuition and prior approach. E.g., $ $ TBC($ or 1) $ TBC(0) 0 TBC( ) 24 / 33

50 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity 25 / 33

51 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed 25 / 33

52 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 25 / 33

53 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. 25 / 33

54 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i 25 / 33

55 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i Want to show: This difference tag is random 25 / 33

56 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ i C i+1 26 / 33

57 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ i C i+1 26 / 33

58 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 i+1 and (2) both i C i+1 26 / 33

59 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both i C i+1 26 / 33

60 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 i C i+1 26 / 33

61 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ i C i+1 26 / 33

62 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random i C i+1 26 / 33

63 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph i C i+1 26 / 33

64 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph Given INI = $, check that OUT = $ Tag is random i C i+1 26 / 33

65 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ 27 / 33

66 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag 27 / 33

67 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 27 / 33

68 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 27 / 33

69 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 3. Tag graph with INI = $ OUT = $ 27 / 33

70 Implementation Implemented model checker + synthesizer in OCaml Model Checker: Checks whether input mode (given as Enc graph) is secure Need to generate Dec graph from Enc graph to check privacy Checks simple enough that SMT solver not needed! Also include check for parallelizability of mode Synthesizer: As before, can simply iterate over all possible graphs Use various techniques to reduce search space 28 / 33

71 Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time min min min hours hours Total / 33

72 Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time min min min hours hours Total Among 5 parallel modes of size 12, only one previously known (OCB) 29 / 33

73 Synthesis Results: Example Schemes M1 M2 M3 M4 C1 C2 C3 C4 tag τ M1 M2 M3 M4 Σ C1 C2 C3 C4 tag τ M1 M2 M3 M4 C1 C2 C3 C4 tag τ 30 / 33

74 Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB ± ± ± ± ± ± ± ± Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme 31 / 33

75 Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB ± ± ± ± ± ± ± ± Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme Synthesized schemes competitive with OCB! 31 / 33

76 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 32 / 33

77 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 32 / 33

78 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 3. Open Problem: Can we apply this approach to other primitives? 32 / 33

79 Thank You Any questions? Full Versions: Modes of operation: AE schemes: To appear shortly Code: Modes of operation: AE schemes: 33 / 33