CRYPTANALYSIS AGAINST SYMMETRIC- KEY SCHEMES WITH ONLINE CLASSICAL QUERIES AND OFFLINE QUANTUM COMPUTATIONS

Transcription

1 #RSAC SESSION ID: CRYP-W14 CRYPTANALYSIS AGAINST SYMMETRIC- KEY SCHEMES WITH ONLINE CLASSICAL QUERIES AND OFFLINE QUANTUM COMPUTATIONS Akinori Hosoyamada Researcher NTT Secure Platform Laboratories

2 Cryptanalysis against Symmetric- Key Schemes with Online Classical Queries and Offline Quantum Computations Akinori Hosoyamada Yu Sasaki NTT Secure Platform Laboratories

3 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 3

4 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 4

5 Quantum attacks on Symmetric Key Schemes Some Symmetric key schemes are also broken in poly-time by quantum computers in some specific situations Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 5

6 Quantum attacks on Symmetric Key Schemes Depends on attack models Some Symmetric key schemes are also broken in poly-time by quantum computers in some specific situations Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 6

7 Attack Models Chosen Plaintext Attack Enc. Oracle Message Ciphertext Computer Adversary 7

8 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message Ciphertext Message Ciphertext Computer Quantum Computer Adversary Adversary 8

9 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q2 model, quantum query Quantum Enc. Oracle Message Ciphertext Quantum Superposed Message Quantum Superposed Ciphertext Computer Quantum Computer Adversary Adversary 9

10 Poly-time attacks are in Q2 model (quantum superposition query attack) Class Q2 Poly : OO(nn) quantum queries Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 10

11 Poly-time attacks are in Q2 model (quantum superposition query attack) Class Q2 Poly : OO(nn) quantum queries Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Poly-time attacks can be realized in Q2 model Q2 model is theoretically interesting However, Q1 is more realistic model than Q2 Q1 should receive much more attention 11

12 Attack Models Chosen Plaintext Attack Enc. Oracle We focus Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message on Ciphertext Message Ciphertext Q1 model Computer Quantum Computer Adversary Adversary 12

13 Quantum Hardware Models If hardware becomes large, architecture significantly affects running time of algorithms a. free communication model [Ber09,BB17] any qubit can interact with any qubit b. realistic communication model [Ber09,BB17] a qubit can interact with only near qubits c. independent small processors without communication 13

14 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 14

15 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 15

16 Classical Online-Offline MITM attacks Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn nn ff ss ff pp zz xxx Online: query DD distinct xx nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Conditions to Apply On-Off MITM 1. ff ss can be calculated only by making online queries (ff ss has some secret information) 2. ff pp can be calculated offline 3. If we find xx, xx s.t. ff ss xx = ff pp xx, then we can get some secret information on a crypto scheme 16

17 Classical Online-Offline MITM attacks Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 17

18 Classical Online-Offline MITM attacks xx ff ss Pattern 1 Example: Offline: guess 2 nn /DD distinct x nn nn nn nn xx ss ff ss ff pp xxx ff ss ff pp DD zz = 2 nn/2 TT = 2 nn/2 yy ss yyy xxx Online: query DD distinct xx DD = 2 nn/3 TT = 2 2nn/3 Online: query DD many xx ss Pattern 2 Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 18

19 Classical Online-Offline MITM attacks xx ff ss Pattern 1 Example: Offline: guess 2 nn /DD distinct x nn nn nn nn xx ss ff ss ff pp xxx ff ss ff pp DD zz = 2 nn/2 TT = 2 nn/2 yy ss yyy xxx Online: query DD distinct xx DD = 2 nn/3 TT = 2 2nn/3 Online: query DD many xx ss Pattern 2 Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline Some phase: schemes Find xx s.t. claim ff pp xx security = ff ss xx ii up for to some TT 12 2nn/3 ii DD (BBB (DD-multi-target security) by limiting preimage DDsearch to be on < 2ff nn/3 pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 19

20 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 20

21 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 21

22 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message Ciphertext Message Ciphertext Computer Quantum Computer Adversary Adversary 22

23 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 23

24 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 24

25 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn Some schemes claim security xx ss up to nn nn ff ss TT 2 2nn/3 ff pp xxx ff ss ff pp zz yy ss yyy (BBB security) by limiting DD to be < 2 nn/3 xxx Online: query DD distinct xx But Online: query DD many xx ss Those claims are broken in the quantum settings Offline: compute 2 nn /DD many xxx Attack Procedure Goal: since To tradeoff find xx, xx changes s.t. ff ss xx = from ff pp (xx TT ) (then DD = we 2can nn to get a some better information) one 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 25

26 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn Some schemes claim security xx ss up to nn nn ff ss TT 2 2nn/3 ff pp xxx ff ss ff pp zz yy ss yyy (BBB security) by limiting DD to be < 2 nn/3 xxx Online: query DD distinct xx But Online: query DD many xx ss Those claims are broken in the quantum settings Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. due ff ss xx to = new ff pp (xx tradeoffs ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 26

27 MITM attacks in the quantum settings: 4 new tradeoffs between T and D NN TT DD-qubits (exp. qubits) Free communication model, DD 2 TT 2 = NN [BB17] Realistic communication model, DD 3/2 TT 2 = NN [BB17] Any (independent small processors), DD 4 TT 6 = NN 3 [CNPS17] NN 1/2 NN 3/7 Poly-qubits, DD TT 6 = NN 3 [CNPS17] ( Classical, DD TT = NN ) NN 3/7 NN 1/2 NN 2/3 NN 4/7 NN NN 3/4 DD Offline phase of MITM attack is accelerated by quantum multi-target preimage search 27

28 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 28

29 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 29

30 Attack on Chaskey Chaskey[Mou15] is a lightweight MAC Classical online-offline MITM attack can be applied to Chaskey (Classical tradeoff: TT DD = if n=128) 30

31 Attack on Chaskey Chaskey[Mou15] is a lightweight MAC Chaskey claims 80-bit security by restricting DD to be < 2 48 It claims security up to T 2 80 (n is set as n=128) Classical online-offline MITM attack can be applied to Chaskey (Classical tradeoff: TT DD = if n=128) 31

32 Attack on Chaskey If DD < 2 48 queries are allowed, then attack complexity becomes T D Q M Classical Case 1a (Exp. qubits, free communication) Case 1b (Exp. qubits, realistic communication) Case 1c (Exp. qubits, any communication) Case 2 (Poly. qubits) (2 7 ) 2 16 TT is overwhelmingly smaller than 2 80 of classical attack 32

33 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 33

34 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries 34

35 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries 35

36 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries Others FX-constructions 36

37 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 37

38 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 38

39 Summary MITM attack with Online Classical and Offline quantum computations (quantum attack in Q1 model) New tradeoffs between D and T in 4 models Some existing schemes claim BBB security on T by limiting the maximum number of D following the classical tradeoff DT=N, but such claims are broken by our attacks Thank you!! hosoyamada.akinori@lab.ntt.co.jp 39

40 #RSAC SESSION ID: CRYP-W14 IMPROVING STATELESS HASH-BASED SIGNATURES Guillaume Endignoux Software Engineer Google

41 Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1, Guillaume Endignoux 2 Wednesday 18 th April, Kudelski Security 2 Work done while at Kudelski Security and EPFL 1

42 Hash-based signatures What are hash-based signatures? Good hash functions are hard to invert = preimage-resistance. We can use this property to create signature schemes 1. 1 Whitfield Diffie and Martin E. Hellman. New directions in cryptography

43 Hash-based signatures What are hash-based signatures? Good hash functions are hard to invert = preimage-resistance. We can use this property to create signature schemes 1. Public key P 0 H P 1 H First step: scheme to sign 1-bit message. Key generation: commit to 2 secrets with H Sign bit b: reveal σ = S b Secret key S 0 S 1 Verify signature σ: compare H(σ) with P b 1 Whitfield Diffie and Martin E. Hellman. New directions in cryptography

44 Hash-based signatures Second step: sign n-bit message n copies of the previous scheme. P 0,0 P 0,1 P 1,0 P 1,1 P n,0 P n,1 H H H H H H S 0,0 S 0,1 S 1,0 S 1,1 S n,0 S n,1 Figure 1: Lamport signatures. 3

45 Hash-based signatures Second step: sign n-bit message n copies of the previous scheme. P 0,0 P 0,1 P 1,0 P 1,1 P n,0 P n,1 H H H H H H S 0,0 S 0,1 S 1,0 S 1,1 S n,0 S n,1 Figure 1: Lamport signatures. However, this is a one-time signature scheme. 3

46 Hash-based signatures More constructions: WOTS (Winternitz one-time signatures) = compact version of the n-bit message scheme. Merkle trees = stateful multiple-time signatures. HORS = stateless few-time signatures. HORST = HORS with Merkle tree. 4

47 Hash-based signatures SPHINCS = stateless many-time signatures (up to 2 50 messages). Hyper-tree of WOTS signatures certificate chain Hyper-tree of height H = 60, divided in 12 layers of {Merkle tree + WOTS} WOTS Merkle Merkle... Hyper-tree Sign message M: Select index 0 i < 2 60 Sign M with i-th HORST instance Chain of WOTS signatures.... HORST Figure 2: SPHINCS. 5

48 Hash-based signatures Hash-based signatures in a nutshell: Post-quantum security well understood Grover s algorithm: preimage-search in O(2 n/2 ) instead of O(2 n ) for n-bit hash function. Signature size is quite large: 41 KB for SPHINCS (stateless), 8 KB for XMSS (stateful). 6

49 Contributions We propose improvements to reduce signature size of SPHINCS: PRNG to obtain a random subset (PORS) Octopus: optimized multi-authentication in Merkle trees Secret key caching Non-masked hashing 7

50 PRNG to obtain a random subset

51 From HORS to PORS Sign a message M with HORS: Hash the message H(M) = 28c5c... Split the hash to obtain indices {2, 8, c, 5, c,...} and reveal values S 2, S 8,... i SPHINCS leaf M H 2 8 c 5 c Public key P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 10 P 11 P 12 P 13 P 14 P 15 H H H H H H H H H H H H H H H H Secret key S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 S 10 S 11 S 12 S 13 S 14 S 15 8

52 From HORS to PORS Sign a message M with HORS: Hash the message H(M) = 28c5c... Split the hash to obtain indices {2, 8, c, 5, c,...} and reveal values S 2, S 8,... i SPHINCS leaf M H 2 8 c 5 c Problems: Some indices may be the same fewer values revealed lower security... Attacker is free to choose the hyper-tree index i larger attack surface. 8

53 From HORS to PORS PORS = PRNG to obtain a random subset. Seed a PRNG from the message. Generate the hyper-tree index. Ignore duplicated indices. SPHINCS leaf M G i 2 8 c 5 c e Significant security improvement for the same parameters! 9

54 From HORS to PORS Advantages of PORS: Significant security improvement for the same parameters! Smaller hyper-tree than SPHINCS for same security level Signatures are 4616 bytes smaller. Performance impact of PRNG vs. hash function is negligible For SPHINCS, generate only 32 distinct values. 10

55 Octopus: multi-authentication in Merkle trees

56 Octopus Merkle tree of height h = compact way to authenticate any of 2 h values. Small public value = root Small proofs of membership = h authentication nodes 11

57 Octopus How to authenticate k values? Use k independent proofs = kh nodes. This is suboptimal! Many redundant values... 12

58 Octopus How to authenticate k values? Optimal solution: compute smallest set of authentication nodes. 13

59 Octopus How many bytes does it save? It depends on the shape of the octopus! Examples for h = 4 and k = 4: between 2 and 8 authentication nodes. 14

60 Octopus Theorem Given a Merkle tree of height h and k leaves to authenticate, the minimal number of authentication nodes n verifies: h log 2 k n k(h log 2 k ) For k > 1, this is always better than the kh nodes for k independent proofs! 15

61 Octopus In the case of SPHINCS, k = 32 uniformly distributed leaves, tree of height h = 16. In our paper, recurrence relation to compute average number of authentication nodes. Method Number of auth. nodes Independent proofs 512 SPHINCS Octopus (worst case) 352 Octopus (average) 324 Octopus authentication saves 1909 bytes for SPHINCS signatures on average. 2 SPHINCS has a basic optimization to avoid redundant nodes close to the root. 16

62 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

63 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

64 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

65 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

66 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

67 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

68 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

69 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17

70 Conclusion

71 Take-aways Octopus + PORS = great improvement over HORST. These modifications are simple to understand low risk of implementation bugs. More improvements in the paper. 18

72 Implementation Two open-source implementations: Reference C implementation, proposed for NIST pqcrypto standardization Rust implementation with focus on clarity and testing 19

73 Conclusion Thank you for your attention! 20

74 Secret key caching WOTS signatures to connect Merkle trees are large ( 2144 bytes per WOTS). Figure 3: SPHINCS. 21

75 Secret key caching We use a larger root Merkle tree, and cache more values in private key. computed at key generation time cached key (re)computed at signing time Figure 4: Secret key caching. 22

76 Non-masked hashing In SPHINCS, Merkle trees have a XOR-and-hash construction, to use a 2nd-preimage-resistant hash function H. Various masks, depending on location in hyper-tree; all stored in the public key. Post-quantum preimage search is faster with Grover s algorithm We remove the masks and rely on collision-resistant H. m i H H (a) Masked hashing in SPHINCS. (b) Mask off. 23