Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44
Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 2 / 44
Why permutations? Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 3 / 44
Why permutations? Symmetric crypto: what textbooks and intro s say Symmetric cryptography primitives: Block ciphers Key stream generators Hash functions And their modes-of-use Picture by GlasgowAmateur 4 / 44
Why permutations? The truth about symmetric crypto today Block ciphers: 5 / 44
Why permutations? What block cipher are used for Hashing (as discussed) and its modes HMAC, MGF1, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM 6 / 44
Why permutations? Block cipher operation 7 / 44
Why permutations? Block cipher operation: the inverse 8 / 44
Why permutations? When do you need the inverse? Indicated in red: Hashing and its modes HMAC, MGF1, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM Most schemes with misuse-resistant claims So for most uses you don t need the inverse! 9 / 44
Block cipher internals Why permutations? 10 / 44
Why permutations? Davies-Meyer compression function 11 / 44
Why permutations? Removing diffusion restriction not required in hashing 12 / 44
Why permutations? Simplifying the view: iterated permutation 13 / 44
Why permutations? Designing a permutation Remaining problem: design of iterated permutation round function: good approaches known asymmetry: round constants Advantages with respect to block ciphers: less barriers more diffusion no more need for efficient inverse no more worries about key schedule 14 / 44
Why permutations? Examples of permutations In Salsa, Chacha, Grindahl In SHA-3 candidates: CubeHash, Grøstl, JH, MD6, In CAESAR candidates: Ascon, Icepole, Norx, π-cipher, Primates, Stribob, And of course in Keccak 15 / 44
What is authenticated encryption? Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 16 / 44
What is authenticated encryption? What is authenticated encryption (AE)? Messages and cryptograms M = (AD, P) message with associated data and plaintext M c = (AD, C) cryptogram with associated data and ciphertext All of M is authenticated but only P is encrypted wrapping: M to M c unwrapping: M c to M Symmetric cryptography: same key used for both operations Authentication aspect unwrapping includes verification of M c if not valid, it returns an error wrap operation adds redundancy: C > P often redundancy coded at the end of C: tag T Note: this is usually called AEAD 17 / 44
What is authenticated encryption? Limitation of AE: traffic analysis Traffic analysis: length of messages number of messages Solution creating dummy messages random-length padding of plaintext to be done on higher layer AE scheme security should be independent from this layer 18 / 44
What is authenticated encryption? Limitation of AE: need for message uniqueness Concrete AE proposals are deterministic Equal messages lead to equal cryptograms information leakage concern of replay attacks at unwrapping end Solution is using nonces (Number used only ONCE) impose that the AD is a nonce for the given key K often presented as a separate field N wrapping engine shall ensure (K, N) is unique wrapping becomes stateful a simple message counter suffices From now on we always include a nonce N 19 / 44
What is authenticated encryption? Functional behaviour Wrapping: state: K and past nonces N input: M = (N, AD, P) output: C or processing: if (N N ) return else add N to N and return C Wrap[K](N, AD, P) Unwrapping: state: K input: M c = (N, AD, C) output: P or processing: return Unwrap[K](N, AD, C): P if valid and otherwise 20 / 44
What is authenticated encryption? Sessions Session: cryptogram authenticates also previous messages full sequence of messages since the session started Additional protection against: insertion, omission, re-ordering of messages within a session Attention point: last message of session Alternative view: splits a long cryptogram in shorter ones intermediate tags See [Bellare, Kohno and Namprempre, ACM 2003], [KT, SAC 2011], [Boldyreva, Degabriele, Paterson, Stam, EC 2012] and [Hoang, Reyhanitabar, Rogaway and Vizár, 2015] 21 / 44
What is authenticated encryption? Functional behaviour, with sessions Initialization of stateful session object D state: past nonces N (may be omitted for unwrapping) input: key K, nonce N processing: if (N N ) return else add N to N and create D with D.S Init(K, N) D.S will be updated during the session Wrapping return C (i) D.Wrap(AD (i), P (i) ) this updates D.S Unwrapping return D.Unwrap(AD (i), C (i) ): P (i) or in case of no error, this updates D.S session may be aborted after specific number of errors 22 / 44
An ideal AE scheme Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 23 / 44
An ideal AE scheme Pseudo-random function (PRF) input 24 / 44
An ideal AE scheme Stream cipher nonce plaintext = ciphertext 25 / 44
An ideal AE scheme Message authentication code (MAC) plaintext plaintext 26 / 44
An ideal AE scheme Authenticated encryption nonce plaintext plaintext = ciphertext 27 / 44
An ideal AE scheme Incrementality packet #1 packet #1 28 / 44
An ideal AE scheme Incrementality packet #1 packet #2 packet #1 packet #2 28 / 44
An ideal AE scheme Incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 28 / 44
An ideal AE scheme An ideal AE scheme Separate fixed-length tag, so M c = (N, AD, C, T) Functional components: random oracle RO variable output length, implied by the context RO e ( ) = RO( 1) for encryption RO a ( ) = RO( 0) for tag computation Wrapping if (N N ) it returns C RO e (K N AD) P T RO a (K N AD P) Unwrapping P RO e (K N AD) C T RO a (K N AD P) If (T = T) return, else return P Note: RO input shall be uniquely decodable in K, N AD and P 29 / 44
An ideal AE scheme Ideal AE scheme, now supporting sessions Initialization if (N N ) it returns D.S K N Wrapping of M (i) = (AD (i), P (i) ) D.S D.S AD (i) 1 D.S D.S P (i) 0 return (C (i), T (i) ) and then C (i) RO(D.S) P (i) and then T (i) RO(D.S) Unwrapping of M (i) c = (AD (i), C (i), T (i) ) save current state in case of error: S D.S D.S D.S AD (i) 1 and then P (i) RO(D.S) C (i) D.S D.S P (i) 0 and then τ RO(D.S) if (τ = T (i) ) return P (i), else D.S S and then return Note: RO input shall be uniquely decodable in K, N AD (i) and P (i) 30 / 44
An ideal AE scheme Security of our ideal AE scheme Attack model: adversary can adaptively query: Init, respecting nonce uniqueness (not counted), D.Wrap (q w times) and D.Unwrap (q u times) RO(x): n times Input to RO(K ) never repeats: outputs are uniformly random intra-session: each input to RO is longer than previous one inter-session: first part of RO input (N, K) never repeated So cryptograms C (i) and tags T (i) are uniformly random 31 / 44
An ideal AE scheme Forgery Target: building sequence of valid cryptograms M (1) c... M (l) c not obtained from calls to wrap for some M (1)... M (l) Strategy: best strategy: send random but well-formatted cryptograms success probability for q u attempts: q u 2 T Success after 2 T online calls to D.Unwrap 32 / 44
An ideal AE scheme Privacy break Target: learning on plaintext bits of M (l) c without unwrapping all of M (1) c Strategy:... M (l) c best strategy at unwrap: send cryptograms with modified C i or T i success probability for q u attempts: q u 2 T Success after 2 T online calls to D.Unwrap 33 / 44
An ideal AE scheme Key recovery Target(s): Strategy: single target key: getting one specific key multiple target: getting one key out of m target keys best strategy: exhaustive key search single target: success probability for n key guesses n2 K multi-target: success probability for n key guesses mn2 K 1 out of m keys recovered after 2 K log 2(m+1) offline calls to RO( ) Countermeasure: global nonce 34 / 44
Back to sponges Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 35 / 44
Back to sponges Use Sponge for MACing Key Padded message MAC 0 f f f f f 36 / 44
Back to sponges Use Sponge for (stream) encryption Key IV 0 f f f Key stream Similar to block cipher modes: Long keystream per IV: like OFB Short keystream per IV: like counter mode 37 / 44
Back to sponges Single pass authenticated encryption Key IV Padded message MAC 0 f f f f f Key stream But this is no longer the sponge 38 / 44
Back to sponges The duplex construction Object: D = duplex[f, pad, r] Requesting l-bit output Z = D.duplexing(σ, l) input σ and output Z limited in length Z depends on all previous inputs 39 / 44
Back to sponges Generating duplex responses with a sponge Z 0 = sponge(σ 0, l 0 ) 40 / 44
Back to sponges Generating duplex responses with a sponge Z 1 = sponge(pad(σ 0 ) σ 1, l 1 ) 40 / 44
Back to sponges Generating duplex responses with a sponge Z 2 = sponge(pad(σ 0 ) pad(σ 1 ) σ 2, l 2 ) 40 / 44
Back to sponges Full-state keyed duplex Z ¾ Z ¾ Z ¾ K ± iv f f f [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015] [Daemen, Mennink, VA, Asiacrypt 2017] 41 / 44
Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 T (0) SUV = Secret and Unique Value Works in sessions 42 / 44
Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) T (0) C (1) T (1) SUV = Secret and Unique Value Works in sessions 42 / 44
Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) P (2) T (0) C (1) T (1) C (2) T (2) SUV = Secret and Unique Value Works in sessions 42 / 44
Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) SUV = Secret and Unique Value Works in sessions 42 / 44
Conclusions What textbooks and intro s should say from now on :-) Symmetric cryptography primitives: Block ciphers Key stream generators Permutations And their modes-of-use Picture by Sébastien Wiertz 43 / 44
Conclusions Any questions? Thanks for your attention! Q? 44 / 44