Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

Transcription

1 Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata (Nagoya University, Japan) Kazuhiko Minematsu (NEC Corporation, Japan) Mridul Nandi (Indian Statistical Institute, India) CHES 2017, Taipei, Taiwan September, 2017 COFB 1

2 1 Introduction COFB 2

3 Authenticated Encryption (AE) Figure: Data Transmission (Taken from [3]) A symmetric encryption scheme AE =(K, E, D) E : K M N A!C D : K C N A! M [ {?} C set of tagged ciphertexts?: special symbol to denote reject Goal Primitive Security Privacy Symmetric Encryption IND-CCA/CPA Integrity MAC UF-CMA COFB 3

4 Authenticated Encryption (AE) Input M, A, N, K Output C K -Keyspace,M - Message space, N - Nonce space, A -AssociatedDataspace,C -Ciphertext space Nonce Arbitrary number used only once for each encryption Useful as initialization vectors. Example: Counter Associated Data Header of the Message (not encrypted but authenticated) Example: IP Address COFB 4

5 Authenticated Encryption (AE) Why AE? In practice both privacy and authenticity are desirable Example taken from [3]: A doctor wishes to send medical information about Alice to the medical database. Then We want data privacy to ensure Alice s medical records remain confidential We wantintegrity to ensure the person sending the information is really the doctor and the information was not modified in transit We refer to this as authenticated encryption COFB 5

6 Security of Authenticated Encryption [4] Privacy We want IND-CPA Integrity Adversary s goal: Receiver accepts a forged tuple ((C, T ), N, A) INT-CTXT: Any forged tuple is rejected with high probability Goal - IND-CPA + INT-CTXT COFB 6

7 Unified AE Security Adversary A runs in time t A makes q enc queries ( enc blocks) q f forge queries ( f forge blocks) Adv AE E (A) = A((E K, D K ); ($,?)) $returnsarandom string from the range set of E K? oracle always returns? Adv AE E ((q, q f ), (, f ), t) =max A Adv AE E (A) COFB 7

8 Construction of AE Scheme Several Ways of Designing AE Blockcipher(BC) based, Streamcipher(SC) based, Permutation based etc. We consider BC based AE BC Based AE Sequential nonce-based AE: CLOC, SILC Parallel on-line AE: ELmD, COPA, COLM Parallel nonce-based AE: OCB, OTR Our target: Sequential nonce-based AE Need to design Feedback function COFB 8

9 Possible Options for Feedback Message Feedback Current M[i] isthefeedbackx [i] forthenextbccall Ciphertext Feedback Current C[i] isthefeedbackx [i] Output Feedback Previous BC output Y [i 1] is the feedback X [i] We Use Combined Feedback First 3 can not fullfill our needs (small state rate-1 AE) X [i] can not be computed by exactly one of M[i], C[i], Y [i 1] COFB 9

10 Di erent Feedback Modes and COFB (Combined Feedback) Mode X[i 1] M[i] X[i 1] X[i 1] X[i 1] R R R X[i] X[i] M[i] X[i] M[i] M[i] R G X[i] C[i] C[i] C[i] Message feedback Ciphertext feedback Output feedback C[i] Combined feedback COFB 10

11 Design of COFB AE Security Bounds Properties 1 Introduction 2 Design of COFB AE Security Bounds Properties COFB 11

12 Goal of This Design Design of COFB AE Security Bounds Properties Lightweight AE mode Use low storage Standard security bound (close to the birthday bound on block size) Security proof in the standard model Smaller hardware area than the existing ones Very low number of gates other than the BC COFB 12

13 Design Rationale and Challenges Design of COFB AE Security Bounds Properties COFB: Uses Combined Feedback It needs n bits for storing the BC state It needs k bits for storing the BC key It needs n/2 bitsmoreformasking Each BC input is masked in a similar manner to XEX [7] TBC But here mask is only n/2 bits instead of n Su cient for standard security bound: thanks to our feedback function COFB 13

14 Design of COFB AE Security Bounds Properties Benchmarking in Terms of State Size Rate: Data block/bc calls Scheme State Size Rate Security Proof COFB 1.5n + k 1 Yes 1 JAMBU [9] 1.5n + k 2 Yes (Integrity only) 1 CLOC/ SILC [5, 6] 2n + k 2 Yes ifeed [10] 3n + k 1 Yes (Was Wrong)(attack in [8]) OCB [7] 3n + k 1 Yes 1 COLM [2] 3n + k 2 Yes COFB 14

15 COFB AE Mode Design of COFB AE Security Bounds Properties = E K (N) [n/4+1..3n/4] mask (a, b) = a (1 + ) b (Tweak fn described later) 1 (y, A) :=G y A (y, M) =( 1 (y, M), y M) G: Fullrankmatrix6= I (, 1 described later) For B = A/M If B 6= ^ ndivides B Then B =1 Else B =2 mask (1, 0) mask (2, 0) mask (2, A) 0 n/2 N Z[1] Z[2] Z[3] X[1] X[2] X[3] EK EK EK EK Y [0] Y [1] Y [2] A[1] 1 A[2] 1 A[3] 1 Y [3] mask (3, A) mask (4, A) mask (4, A + M ) X [1] X [2] X [3] X[4] X[5] X[6] Y [3] EK EK EK Y [4] Y [5] Y [6] M[1] 1 M[2] M[3] T C[1] C[2] C[3] COFB 15

16 Design of COFB AE Security Bounds Properties Instantiation of COFB AE Mode : COFB-AES Underlying BC We use AES-128 as the underlying BC n = 128 Mask Function mask - mask is a simple tweak update function 1 and Functions 1 and Functions - Simple linear feedback functions Last block has a di erent tweak COFB 16

17 Tweak Function Design of COFB AE Security Bounds Properties - 64-bit value derived from encryption of nonce Standard size is 128 bits but 64 bits are su cient Computed/updated by mask (a, b) = a (1 + ) b. - primitive element of F 2 64 This idea has been taken from XEX [7] (but masked length is halved) (a, b) 2 [0..L] [0..4], L be the message length in blocks COFB 17

18 Design of COFB AE Security Bounds Properties Linear Feedback Functions 1 and 1 (y, M) :=G y M and (y, M) =( 1 (y, M), y M) G :(y 1, y 2, y 3, y 4 )! (y 2, y 3, y 4, y 4 y 1 ) I 0 0 G n n = B0 0 I IA I 0 0 I COFB 18

19 Security Level for COFB-AES Design of COFB AE Security Bounds Properties Security Bound for Privacy Nonce-respecting adversary Almost Birthday Bound of 64 bits for Privacy Security Bound for Authenticity Nonce-respecting adversary Almost Birthday Bound of 64 bits for Authenticity COFB mode is secure upto O( 2n/2 n ) queries (almost birthday bound with block size n) COFB 19

20 Important Features of COFB AE Design of COFB AE Security Bounds Properties Advantages Rate =1 Very low state size of 1.5n + k (n: state size, k: keysize) Very flexible mode (any BC can be used) inverse-free Simple linear feedback Very lightweight and consumes low hardware area Limitations Both the encryption and decryption are completely serial COFB 20

21 1 Introduction COFB 21

22 Cycles per Byte Performance of COFB-AES Message length (Bytes) Algorithm COFB-AES ablockad,mblockm cycle count = (a+m) + 11 In this calculation, we assume a = m cpb = cycle count len len is length of M in bytes COFB 22

23 Cycles per Byte Performance of COFB-AES " cpb Message Length! COFB 23

24 COFB-AES Base Architecture AD/M N State chop Key AES r tweak T C COFB 24

25 COFB-AES Base Architecture Properties Serial processing of data Round-based architecture of AES Processes 128 bits per 12 clock cycles Uses very low storage registers Minimum hardware area among all the known implementations No pipelined register COFB 25

26 FSM for COFB-AES Base Architecture Start Reset St Load St AES Reset St AES Module FSM End St AES Start St Release Tag St If Final Block AES Round St Roundctr< 10 Compute Add Mask St Else, EOM, iscomplete AES Done St Roundctr= 10 COFB 26

27 COFB-AES FPGA Implementation Informations VHDL, Platform - Virtex 6, 7 Under Xilinx 13.4 Not compatible with GMU s ATHENa interface [1] Base Implementation Results Platform #Slice Frequency Mbps/ Mbps/ #LUTs #Slices Gbps Registers (MHZ) LUT Slice Virtex Virtex COFB 27

28 Benchmarking of COFB-AES on Virtex 6 Scheme #LUT #Slices Gbps Mbps / LUT Mbps / Slices ACORN (SC Based) PRIMATES-HANUMAN (Sponge) COFB-AES JAMBU-SIMON (BC Based) Ketje (Sponge) ASCON (Sponge) Joltik (TBC Based) JAMBU-AES (BC Based) SCREAM (TBC Based) NORX (Sponge) TriviA-ck (SC Based) Minalpher (BC Based) SILC (BC Based) DEOXYS (TBC Based) CLOC (BC Based) AES-GCM (BC Based) OCB (BC Based) ELmD (BC Based) AEZ (BC Based) AES-OTR (BC Based) Tiaoxin (BC Based) AEGIS (BC Based) AES-COPA (BC Based) COFB 28

29 1 Introduction COFB 29

30 Conclusion COFB : BC based AE Secure up to O(2 n/2 /n) queries Low area AE and can be used in low resource embedded devices COFB 30

31 1 Introduction COFB 31

32 ATHENa: Automated Tool for Hardware Evaluation. Elena Andreeva, Andrey Bogdanov, Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi, Elmar Tischhauser, and Kan Yasuda. COLM v1. CAESAR Competition. Mihir Bellare. AUTHENTICATED ENCRYPTION. Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. COFB 31

33 In Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3-7, 2000, Proceedings, pages , Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate CLOC. DIAC Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate SILC. DIAC Phillip Rogaway. E cient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. COFB 31

34 In ASIACRYPT, pages 16 31, Willem Schroé, Bart Mennink, Elena Andreeva, and Bart Preneel. Forgery and subkey recovery on CAESAR candidate ifeed. In Selected Areas in Cryptography - SAC nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pages , Hongjun Wu and Tao Huang. The JAMBU Lightweight Authentication Encryption Mode (v2). CAESAR Competition. Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. ifeed[aes] v1. CAESAR Competition. COFB 32

35 Thank you COFB 32