Permutation-based Authenticated Encryption

Similar documents
On authenticated encryption and the CAESAR competition

Permutation-based symmetric cryptography

Message authentication codes

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

ECE 646 Lecture 8. Modes of operation of block ciphers

Feedback Week 4 - Problem Set

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

SHA-3 vs the world. David Wong

Summary on Crypto Primitives and Protocols

CAESAR submission: K v1

Solutions to exam in Cryptography December 17, 2013

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Winter 2011 Josh Benaloh Brian LaMacchia

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Symmetric Cryptography

Security Analysis of Extended Sponge Functions. Thomas Peyrin

CS155. Cryptography Overview

symmetric cryptography s642 computer security adam everspaugh

DIAC 2015, Sept, Singapore

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Introduction to cryptology (GBIN8U16)

Some Aspects of Block Ciphers

Multiple forgery attacks against Message Authentication Codes

CS155. Cryptography Overview

Advanced security notions for the SSH secure channel: theory and practice

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Pipelineable On-Line Encryption (POE)

Cryptography [Symmetric Encryption]

Authenticated Encryption in TLS

Cryptology complementary. Symmetric modes of operation

COMP4109 : Applied Cryptography

ASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Misuse-resistant crypto for JOSE/JWT

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Lecture 4: Authentication and Hashing

Cryptography Functions

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

CIS 4360 Secure Computer Systems Symmetric Cryptography

Content of this part

Lecture 1 Applied Cryptography (Part 1)

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function

Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block Cipher Operation. CS 6313 Fall ASU

Cryptography. Summer Term 2010

Introduction to Cryptography. Lecture 3

CS 495 Cryptography Lecture 6

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Accredited Standards Committee X9, Incorporated

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Jaap van Ginkel Security of Systems and Networks

Unit 8 Review. Secure your network! CS144, Stanford University

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers

Software Benchmarking of the 2 nd round CAESAR Candidates

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

The JAMBU Lightweight Authentication Encryption Mode (v2)

Block ciphers, stream ciphers

CSC 474/574 Information Systems Security

Symmetric Encryption 2: Integrity

Computer Security CS 526

Cryptography 2017 Lecture 3

How to Securely Release Unverified Plaintext in Authenticated Encryption

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Block Cipher Modes of Operation

Symmetric Encryption. Thierry Sans

Introduction to Cryptography. Lecture 3

Cryptographic hash functions and MACs

Data Encryption Standard (DES)

1 Achieving IND-CPA security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Study Guide to Mideterm Exam

CSE 127: Computer Security Cryptography. Kirill Levchenko

CS408 Cryptography & Internet Security

Stream Ciphers An Overview

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

IDEA, RC5. Modes of operation of block ciphers

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 3: Symmetric Key Encryption

Cryptography (cont.)

BCA III Network security and Cryptography Examination-2016 Model Paper 1

The Rectangle Attack

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Transcription:

Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44

Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 2 / 44

Why permutations? Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 3 / 44

Why permutations? Symmetric crypto: what textbooks and intro s say Symmetric cryptography primitives: Block ciphers Key stream generators Hash functions And their modes-of-use Picture by GlasgowAmateur 4 / 44

Why permutations? The truth about symmetric crypto today Block ciphers: 5 / 44

Why permutations? What block cipher are used for Hashing (as discussed) and its modes HMAC, MGF1, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM 6 / 44

Why permutations? Block cipher operation 7 / 44

Why permutations? Block cipher operation: the inverse 8 / 44

Why permutations? When do you need the inverse? Indicated in red: Hashing and its modes HMAC, MGF1, Block encryption: ECB, CBC, Stream encryption: synchronous: counter mode, OFB, self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, Authenticated encryption: OCB, GCM, CCM Most schemes with misuse-resistant claims So for most uses you don t need the inverse! 9 / 44

Block cipher internals Why permutations? 10 / 44

Why permutations? Davies-Meyer compression function 11 / 44

Why permutations? Removing diffusion restriction not required in hashing 12 / 44

Why permutations? Simplifying the view: iterated permutation 13 / 44

Why permutations? Designing a permutation Remaining problem: design of iterated permutation round function: good approaches known asymmetry: round constants Advantages with respect to block ciphers: less barriers more diffusion no more need for efficient inverse no more worries about key schedule 14 / 44

Why permutations? Examples of permutations In Salsa, Chacha, Grindahl In SHA-3 candidates: CubeHash, Grøstl, JH, MD6, In CAESAR candidates: Ascon, Icepole, Norx, π-cipher, Primates, Stribob, And of course in Keccak 15 / 44

What is authenticated encryption? Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 16 / 44

What is authenticated encryption? What is authenticated encryption (AE)? Messages and cryptograms M = (AD, P) message with associated data and plaintext M c = (AD, C) cryptogram with associated data and ciphertext All of M is authenticated but only P is encrypted wrapping: M to M c unwrapping: M c to M Symmetric cryptography: same key used for both operations Authentication aspect unwrapping includes verification of M c if not valid, it returns an error wrap operation adds redundancy: C > P often redundancy coded at the end of C: tag T Note: this is usually called AEAD 17 / 44

What is authenticated encryption? Limitation of AE: traffic analysis Traffic analysis: length of messages number of messages Solution creating dummy messages random-length padding of plaintext to be done on higher layer AE scheme security should be independent from this layer 18 / 44

What is authenticated encryption? Limitation of AE: need for message uniqueness Concrete AE proposals are deterministic Equal messages lead to equal cryptograms information leakage concern of replay attacks at unwrapping end Solution is using nonces (Number used only ONCE) impose that the AD is a nonce for the given key K often presented as a separate field N wrapping engine shall ensure (K, N) is unique wrapping becomes stateful a simple message counter suffices From now on we always include a nonce N 19 / 44

What is authenticated encryption? Functional behaviour Wrapping: state: K and past nonces N input: M = (N, AD, P) output: C or processing: if (N N ) return else add N to N and return C Wrap[K](N, AD, P) Unwrapping: state: K input: M c = (N, AD, C) output: P or processing: return Unwrap[K](N, AD, C): P if valid and otherwise 20 / 44

What is authenticated encryption? Sessions Session: cryptogram authenticates also previous messages full sequence of messages since the session started Additional protection against: insertion, omission, re-ordering of messages within a session Attention point: last message of session Alternative view: splits a long cryptogram in shorter ones intermediate tags See [Bellare, Kohno and Namprempre, ACM 2003], [KT, SAC 2011], [Boldyreva, Degabriele, Paterson, Stam, EC 2012] and [Hoang, Reyhanitabar, Rogaway and Vizár, 2015] 21 / 44

What is authenticated encryption? Functional behaviour, with sessions Initialization of stateful session object D state: past nonces N (may be omitted for unwrapping) input: key K, nonce N processing: if (N N ) return else add N to N and create D with D.S Init(K, N) D.S will be updated during the session Wrapping return C (i) D.Wrap(AD (i), P (i) ) this updates D.S Unwrapping return D.Unwrap(AD (i), C (i) ): P (i) or in case of no error, this updates D.S session may be aborted after specific number of errors 22 / 44

An ideal AE scheme Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 23 / 44

An ideal AE scheme Pseudo-random function (PRF) input 24 / 44

An ideal AE scheme Stream cipher nonce plaintext = ciphertext 25 / 44

An ideal AE scheme Message authentication code (MAC) plaintext plaintext 26 / 44

An ideal AE scheme Authenticated encryption nonce plaintext plaintext = ciphertext 27 / 44

An ideal AE scheme Incrementality packet #1 packet #1 28 / 44

An ideal AE scheme Incrementality packet #1 packet #2 packet #1 packet #2 28 / 44

An ideal AE scheme Incrementality packet #1 packet #2 packet #3 packet #1 packet #2 packet #3 28 / 44

An ideal AE scheme An ideal AE scheme Separate fixed-length tag, so M c = (N, AD, C, T) Functional components: random oracle RO variable output length, implied by the context RO e ( ) = RO( 1) for encryption RO a ( ) = RO( 0) for tag computation Wrapping if (N N ) it returns C RO e (K N AD) P T RO a (K N AD P) Unwrapping P RO e (K N AD) C T RO a (K N AD P) If (T = T) return, else return P Note: RO input shall be uniquely decodable in K, N AD and P 29 / 44

An ideal AE scheme Ideal AE scheme, now supporting sessions Initialization if (N N ) it returns D.S K N Wrapping of M (i) = (AD (i), P (i) ) D.S D.S AD (i) 1 D.S D.S P (i) 0 return (C (i), T (i) ) and then C (i) RO(D.S) P (i) and then T (i) RO(D.S) Unwrapping of M (i) c = (AD (i), C (i), T (i) ) save current state in case of error: S D.S D.S D.S AD (i) 1 and then P (i) RO(D.S) C (i) D.S D.S P (i) 0 and then τ RO(D.S) if (τ = T (i) ) return P (i), else D.S S and then return Note: RO input shall be uniquely decodable in K, N AD (i) and P (i) 30 / 44

An ideal AE scheme Security of our ideal AE scheme Attack model: adversary can adaptively query: Init, respecting nonce uniqueness (not counted), D.Wrap (q w times) and D.Unwrap (q u times) RO(x): n times Input to RO(K ) never repeats: outputs are uniformly random intra-session: each input to RO is longer than previous one inter-session: first part of RO input (N, K) never repeated So cryptograms C (i) and tags T (i) are uniformly random 31 / 44

An ideal AE scheme Forgery Target: building sequence of valid cryptograms M (1) c... M (l) c not obtained from calls to wrap for some M (1)... M (l) Strategy: best strategy: send random but well-formatted cryptograms success probability for q u attempts: q u 2 T Success after 2 T online calls to D.Unwrap 32 / 44

An ideal AE scheme Privacy break Target: learning on plaintext bits of M (l) c without unwrapping all of M (1) c Strategy:... M (l) c best strategy at unwrap: send cryptograms with modified C i or T i success probability for q u attempts: q u 2 T Success after 2 T online calls to D.Unwrap 33 / 44

An ideal AE scheme Key recovery Target(s): Strategy: single target key: getting one specific key multiple target: getting one key out of m target keys best strategy: exhaustive key search single target: success probability for n key guesses n2 K multi-target: success probability for n key guesses mn2 K 1 out of m keys recovered after 2 K log 2(m+1) offline calls to RO( ) Countermeasure: global nonce 34 / 44

Back to sponges Outline 1 Why permutations? 2 What is authenticated encryption? 3 An ideal AE scheme 4 Back to sponges 35 / 44

Back to sponges Use Sponge for MACing Key Padded message MAC 0 f f f f f 36 / 44

Back to sponges Use Sponge for (stream) encryption Key IV 0 f f f Key stream Similar to block cipher modes: Long keystream per IV: like OFB Short keystream per IV: like counter mode 37 / 44

Back to sponges Single pass authenticated encryption Key IV Padded message MAC 0 f f f f f Key stream But this is no longer the sponge 38 / 44

Back to sponges The duplex construction Object: D = duplex[f, pad, r] Requesting l-bit output Z = D.duplexing(σ, l) input σ and output Z limited in length Z depends on all previous inputs 39 / 44

Back to sponges Generating duplex responses with a sponge Z 0 = sponge(σ 0, l 0 ) 40 / 44

Back to sponges Generating duplex responses with a sponge Z 1 = sponge(pad(σ 0 ) σ 1, l 1 ) 40 / 44

Back to sponges Generating duplex responses with a sponge Z 2 = sponge(pad(σ 0 ) pad(σ 1 ) σ 2, l 2 ) 40 / 44

Back to sponges Full-state keyed duplex Z ¾ Z ¾ Z ¾ K ± iv f f f [Mennink, Reyhanitabar and Vizár, Asiacrypt 2015] [Daemen, Mennink, VA, Asiacrypt 2017] 41 / 44

Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 T (0) SUV = Secret and Unique Value Works in sessions 42 / 44

Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) T (0) C (1) T (1) SUV = Secret and Unique Value Works in sessions 42 / 44

Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) P (2) T (0) C (1) T (1) C (2) T (2) SUV = Secret and Unique Value Works in sessions 42 / 44

Back to sponges Example: Keyak An authenticated-encryption scheme submitted to CAESAR using Keccak-p[1600, n r = 12] or Keccak-p[800, n r = 12] 0 SUV 1 P(1) A (1) P (2) A (3) T (0) C (1) T (1) C (2) T (2) T (3) SUV = Secret and Unique Value Works in sessions 42 / 44

Conclusions What textbooks and intro s should say from now on :-) Symmetric cryptography primitives: Block ciphers Key stream generators Permutations And their modes-of-use Picture by Sébastien Wiertz 43 / 44

Conclusions Any questions? Thanks for your attention! Q? 44 / 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback