Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Similar documents
Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Feedback Week 4 - Problem Set

Cryptology complementary. Symmetric modes of operation

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

1 Achieving IND-CPA security

The OCB Authenticated-Encryption Algorithm

Block ciphers, stream ciphers

Authenticated Encryption

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Block Cipher Operation. CS 6313 Fall ASU

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Permutation-based Authenticated Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

ECE 646 Lecture 8. Modes of operation of block ciphers

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

CS 495 Cryptography Lecture 6

Refresher: Applied Cryptography

Information Security CS526

1 Defining Message authentication

CLOC: Authenticated Encryption

Introduction to cryptology (GBIN8U16)

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Scanned by CamScanner

Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Computer Security CS 526

Cryptography 2017 Lecture 3

Authenticated encryption

Authenticated Encryption

Goals of Modern Cryptography

Symmetric-Key Cryptography

Katz, Lindell Introduction to Modern Cryptrography

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Some Aspects of Block Ciphers

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Summary on Crypto Primitives and Protocols

Cryptography. Andreas Hülsing. 6 September 2016

ABC - A New Framework for Block Ciphers. Uri Avraham

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Symmetric Crypto MAC. Pierre-Alain Fouque

Introduction to Cryptography. Lecture 3

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptographic hash functions and MACs

How to Use Your Block Cipher? Palash Sarkar

Pipelineable On-Line Encryption (POE)

Automatic Proofs for Symmetric Encryption Modes

Updates on CLOC and SILC Version 3

Lecture 8: Cryptography in the presence of local/public randomness

ISA 562: Information Security, Theory and Practice. Lecture 1

Symmetric Cryptography

Updates on CLOC and SILC

Multiple forgery attacks against Message Authentication Codes

Authenticated Encryption: How Reordering can Impact Performance

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

DIAC 2015, Sept, Singapore

Network Security. Chapter 4 Symmetric Encryption. Cornelius Diekmann With contributions by Benjamin Hof. Technische Universität München

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

On Symmetric Encryption with Distinguishable Decryption Failures

10 Chosen Ciphertext Attacks

Content of this part

The Extended Codebook (XCB) Mode of Operation

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CS155. Cryptography Overview

: Practical Cryptographic Systems March 25, Midterm

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

The JAMBU Lightweight Authentication Encryption Mode (v2)

On authenticated encryption and the CAESAR competition

Using block ciphers 1

IDEA, RC5. Modes of operation of block ciphers

Lecture 8 - Message Authentication Codes

The Curse of Small Domains New Attacks on Format-Preserving Encryption

Stream Ciphers An Overview

CIS 4360 Secure Computer Systems Symmetric Cryptography

CPSC 467: Cryptography and Computer Security

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Introduction to Cryptography. Lecture 3

Advanced Cryptography 1st Semester Symmetric Encryption

Deoxys v1.41. Designers/Submitters: School of Physical and Mathematical Science, Nanyang Technological University, Singapore

Security & Indistinguishability in the Presence of Traffic Analysis

Homework 3: Solution

Symmetric Encryption 2: Integrity

Inductive Trace Properties for Computational Security

Provably Secure MACs from Differentially-uniform Permutations and AES-based Implementations

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

symmetric cryptography s642 computer security adam everspaugh

CSE 127: Computer Security Cryptography. Kirill Levchenko

Transcription:

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented at the IACR School on Computer-aided Cryptography, University of Maryland, College Park, USA, June 1 June 4, 2015.

Introduction Problem: Designing/proving crypto constructions is hard 2 / 33

Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! 2 / 33

Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! Program Synthesis Automatically construct programs based on (small) set of rules Has been applied to crypto protocols (e.g., [AGHP12],[BCG + 13], etc.) 2 / 33

This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 3 / 33

This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33

This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33

Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) 4 / 33

Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block 4 / 33

Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block Example: Cipher-Block Chaining (CBC) Mode m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 4 / 33

Background: Security of Modes of Operation Want output of mode to look random to adversary IND$-CPA What is IND$-CPA? Adversary A has oracle access to either (World 0) a truly random function (World 1) the desired mode of operation A specifies messages to encrypt and receives resulting ciphertexts A s Goal: Decide whether in World 0 or World 1 Secure: A cannot distinguish between worlds 5 / 33

Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! 6 / 33

Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! Question: Can we automate the security analysis, synthesize new modes? Solution: Construct framework for automatically proving modes of operation secure, use this to synthesize new modes 6 / 33

Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values 7 / 33

Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled 7 / 33

Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled Meta-Theorem: Exists valid labeling = mode IND$-CPA-secure 7 / 33

Mode of Operation: Formal Definition Defined by two algorithms: Init(1 n ) (c 0, z 0 ) Block(m i, z i 1 ) (c i, z i ) Enc k (m = m 1 m l ): Compute (c 0, z 0 ) Init(1 n ) For i = 1,..., l: Compute (c i, z i ) Block(m i, z i 1 ) Output c 0 c l m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 8 / 33

Viewing Modes as Graphs GENRAND DUP IV m 1 m 2 m 3 OUT Init algorithm NEXTIV START M F k F k F k XOR IV c 1 c 2 c 3 PRP DUP OUT NEXTIV Block algorithm 9 / 33

Edge Labels: Intuition Recall: Edges denote intermediate values 10 / 33

Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? 10 / 33

Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? Goal: If values on edges into OUT nodes look random to adversary, then mode is IND$-CPA-secure 10 / 33

Edge Labels: Formalism (simplified) Each edge label is a tuple (type, flags): type {, R}: Type of intermediate value : Adversarially controlled R: Random flags {0, 1} 2 : Bit-vector denoting whether edge can be input into OUT or PRP E.g., prevents both DUP d values being output as ciphertext 11 / 33

Constraints GENRAND Constraints on Nodes: DUP OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND DUP (R, 11) Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV (R, 01) XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 PRP DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags DUP OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT NEXTIV Block algorithm 12 / 33

Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Block algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT: Ingoing edge must have type R and flags.out = 1 12 / 33

Implementation Implemented model checker + synthesizer in OCaml Model Checker: (1) Checks whether an input mode is secure Recall: Valid labeling mode is secure Determining secure mode is a constraint-satisfaction problem Can use SMT solver (e.g., Z3) (2) Secure modes need to be decryptable Implement algorithm to check decryptability of mode Synthesizer: Can simply iterate over all possible graphs Use simple rules to reduce search space 13 / 33

Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure 1 6 0 0 0 7 50 30 5 8 549 281 31 9 3130 1304 150 10 5107 1770 184 Total 8836 3383 370 14 / 33

Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure 1 6 0 0 0 7 50 30 5 8 549 281 31 9 3130 1304 150 10 5107 1770 184 Total 8836 3383 370 We are able to synthesize all standard (secure) modes E.g., CBC, OFB, CFB, CTR, PCBC 14 / 33

Results Two results: 1. Apply program synthesis to modes of operation (CSF 2014) 2. Extend previous ideas to authenticated encryption (new) 15 / 33

Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity 16 / 33

Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity Authenticated Encryption (AE): mode of operation which encrypts and authenticates arbitrary-length messages 16 / 33

Background: Authenticated Encryption AE scheme: Tuple of algorithms Π = (K, E, D), where E(,, ) and D(,, ) are deterministic and take nonce as input, in addition to key and plaintext Adversary has access to oracle E(K,, ) and must never repeat a nonce Privacy: Similar to previous case Authenticity: Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 17 / 33

Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers 18 / 33

Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T 18 / 33

Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random 18 / 33

Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random Tweak depends on nonce, and nonce must be fresh on every query output of TBC is always random 18 / 33

Example: Offset Codebook (OCB) Mode M 1 M 2 M 3 M 4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C 1 C 2 C 3 tag C 4 τ 19 / 33

Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V 20 / 33

Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V Encryption procedure: X 0 0 2n ; v 1; M 1 M 2m M for i = 1 to m do T (N, v) (X i, C 2i 1 C 2i ) Enc EK (T, X i 1, M 2i 1 M 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X) return C 1 C 2m V [1, τ ] 20 / 33

Authenticated Encryption: Formal Definition Decryption procedure: C 1 C 2m tag C X 0 0 2n ; v 1 for i = 1 to m do T (N, v) 1 EK,E (X i, M 2i 1 M 2i ) Dec K (T, Xi 1, C 2i 1 C 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X m ) if tag V [1, τ ] then return else return M 1 M 2m 21 / 33

Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: 22 / 33

Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: INI IN IN INI IN IN INI XOR DUP DUP XOR TBC TBC TBC XOR TBC TBC XOR DUP DUP OUT FIN OUT OUT FIN OUT OUT Graph representations of Enc (left), Dec (middle), and Tag (right) for OCB mode. 22 / 33

Vertex Labels Each vertex label is a value type {$,, 0, 1}: $: Random : Adversarially controlled 0 and 1: Used to compare values on the same vertex in two runs of the Dec graph 0: The two values are the same 1: The two values are different 23 / 33

Constraints Constraints generally follow intuition and prior approach. E.g., $ $ TBC($ or 1) $ TBC(0) 0 TBC( ) 24 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity 25 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed 25 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 25 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. 25 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i 25 / 33

Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i Want to show: This difference tag is random 25 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 i+1 and (2) both i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph i C i+1 26 / 33

Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph Given INI = $, check that OUT = $ Tag is random i C i+1 26 / 33

Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ 27 / 33

Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag 27 / 33

Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 27 / 33

Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 27 / 33

Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 3. Tag graph with INI = $ OUT = $ 27 / 33

Implementation Implemented model checker + synthesizer in OCaml Model Checker: Checks whether input mode (given as Enc graph) is secure Need to generate Dec graph from Enc graph to check privacy Checks simple enough that SMT solver not needed! Also include check for parallelizability of mode Synthesizer: As before, can simply iterate over all possible graphs Use various techniques to reduce search space 28 / 33

Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time 12 13 13 5 1 min 13 142 0 0 5.5 min 14 583 172 5 30.5 min 15 2229 39 5 2 hours 16 2123 35 1 2 hours Total 5090 259 16 29 / 33

Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time 12 13 13 5 1 min 13 142 0 0 5.5 min 14 583 172 5 30.5 min 15 2229 39 5 2 hours 16 2123 35 1 2 hours Total 5090 259 16 Among 5 parallel modes of size 12, only one previously known (OCB) 29 / 33

Synthesis Results: Example Schemes M1 M2 M3 M4 C1 C2 C3 C4 tag τ M1 M2 M3 M4 Σ C1 C2 C3 C4 tag τ M1 M2 M3 M4 C1 C2 C3 C4 tag τ 30 / 33

Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB 0.5864 ± 0.0036 0.6333 ± 0.0012 1 0.5991 ± 0.0037 0.6233 ± 0.0029 2 0.5915 ± 0.0011 0.6326 ± 0.0012 3 0.6616 ± 0.0011 2.2855 ± 0.0023 Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme 31 / 33

Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB 0.5864 ± 0.0036 0.6333 ± 0.0012 1 0.5991 ± 0.0037 0.6233 ± 0.0029 2 0.5915 ± 0.0011 0.6326 ± 0.0012 3 0.6616 ± 0.0011 2.2855 ± 0.0023 Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme Synthesized schemes competitive with OCB! 31 / 33

Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 32 / 33

Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 32 / 33

Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 3. Open Problem: Can we apply this approach to other primitives? 32 / 33

Thank You Any questions? Full Versions: Modes of operation: http://eprint.iacr.org/2014/774 AE schemes: To appear shortly Code: Modes of operation: https://github.com/amaloz/modes-generator AE schemes: https://github.com/amaloz/ae-generator 33 / 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback