Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G.

Size: px

Start display at page:

Download "Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G."

Jonah Simmons
5 years ago
Views:

1 Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL) 26 mars 2014 Journées C2

2 Single-Key Attack on a cryptosystem F k F x F(k,x) 1

3 Single-Key Attack on a cryptosystem F Related-Key Attack (RKA) on a cryptosystem F k k k F F F x F(k,x) x F(k 1,x) x F(k n,x) k 1,, k n derived from k in adversary-specified way. 1

4 Practice Fault injection attacks: an attacker A forces the cryptosystem to run on a different related key. k A F Fault Injection F x F(k,x) x F(k,x) 2

5 Theory [BK03] defines a class Φ of Related-Key Deriving (RKD) functions for F. k k k F F F (φ 1,x 1 ) F(k 1,x 1 ) (φ 2,x 2 ) F(k 2,x 2 ) (φ n,x n ) F(k n,x n ) k i = φ i (k) where φ i Φ 3

6 Pseudorandom Functions (PRF) A family of functions F: K D R: o Efficiently computable o Hard to distinguish from a random function. 4

7 Pseudorandom Functions (PRF) A family of functions F: K D R: o Efficiently computable o Hard to distinguish from a random function. x D Oracle If b = 1 If b = 0 k k A b =? y R x F F(k,x) x G G(k,x) 4

8 The Naor-Reingold PRF (NR) We use the Naor-Reingold PRF, denoted NR. Let G = <g> be a group of prime order p. NR: Z n 0,1 n {0 n } G p NR(k,x) = g n x[i] k[i] i = 1 5

9 Outline Part 1: Security model and state of the art. [BK03,BC10] Part 2: A First Extension => affine PRF. Part 3: Generalization => affine and polynomial PRFs. 6

10 Part 1: Security Model: Φ-RKA-PRF [BK03] Let F: K D R be a PRF and Φ class of RKD-functions (set of functions φ: K K). Initialize : Pick at random k K, b {0,1} and G: K D R. Oracle (φ,x) Φ D If b = 1 If b = 0 φ(k) φ(k) A y R F G Until adversary A responds b. x F(φ(k),x) x G(φ(k),x) F is a Φ-RKA-PRF if 2. Pr b = b 1 is negligible for any adversary A. 7

11 Key-Malleability M is Φ-Key-Malleable if there is a Key-Transformer that can compute M(φ(k),x) from M(k,u) for any φ Φ. k A u M(k,u) PRF M M(φ(k),x) 8

12 Bad Thing About Key-Malleability M is Φ-Key-Malleable => M is not Φ-RKA-Secure A (id,u) M(k,u) Oracle RKA M Compute M(φ(k),x) (φ,x) M(φ(k),x) Checks if the values match. 9

13 BUT: M is Φ-RKA-Secure for a unique-input adversary (which cannot query twice the same x). How to force the adversary to be unique-input? F(k,x) = M(k,g(k,x)), with g an injective function. Idea: g(k,x) = H(k,x) with H a collision-resistant hash function. Not clear how to prove it. 10

14 BUT: M is Φ-RKA-Secure for a unique-input adversary (which cannot query twice the same x). How to force the adversary to be unique-input? F(k,x) = M(k,g(k,x)), with g an injective function. Idea: g(k,x) = H(M(k,w),x) s.t. M(k,w) = M(k,w) iff k = k (Key-Fingerprint w). Example: NR(k,x) = g k[i] i = 1 w = (10 0, 010 0,, 0 01) NR(k,w) = (g k[1], g k[2],, g k[n] ) n x[i] 10

15 Good Thing About Key-Malleability For a claw-free class Φ (s.t. k, φ φ, φ(k) φ (k)): M(φ(k),w) = M(φ (k),w) iff φ = φ H is collision-resistant + distinct (φ,x) => H((M(φ(k),w),x)) distinct Unique-input F(k,x) M(k,H(M(k,w),x)) is RKA-secure. 11

16 The Bellare-Cash Framework [BC10] For a claw-free class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F 12

17 The Bellare-Cash Framework [BC10] For a claw-free class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F Applied to NR: Multiplicative RKA-secure PRF. Additive RKA-secure PRF (with reduction time O(2 n )). 12

18 Why this reduction time? NR(k+1,11 1) = g (k 1 +1).(k 2 +1)..(k n +1) = g k 1 k 2 k n. g k 2 k 3 k n. g k 1 k 3 k n.. g k 1. g 2 n terms = NR(k,11 1).NR(k,01 1).NR(k,101 1)..NR(k,10 0).g Running time: O(2 n ) 13

19 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF M Φ = {id} Φ-Key-Malleable 14

20 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF M Φ = {id} Φ-Key-Malleable What about other classes Φ s.t. Φ-Key-Malleable? 14

21 Part 2: The Non-Claw-Freeness Problem If there exists φ φ s.t. φ(k) = φ (k) A (φ,x) Φ 0,1 n y G Oracle h = H(x,M(φ(k),w)) y M(φ(k),h) A (φ,x) Φ 0,1 n y G Oracle h = H(x,M(φ (k),w)) y M(φ (k),h ) y = y (φ φ )(k) = 0 15

22 How to Handle Claws? New problem: Φ-Key-Collision (Φ-KC). Initialize: $ k K Adversary (φ,x) Challenger M(φ(k),x) (φ,φ ) Finalize(φ,φ ): φ φ s.t. φ(k) = φ (k) 16

23 A First Result For a claw-free class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F 17

24 A First Result For any class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H + Hardness of Φ-KC Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F 17

25 A First Result For any class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H + Hardness of Φ-KC Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F Applied to NR: Affine RKA-secure PRF (with reduction time O(2 n )). 17

26 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Φ-Key-Malleable 18

27 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Extended-BC Affine-RKA-PRF (O(2 n )) Φ-Key-Malleable 18

28 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Extended-BC Affine-RKA-PRF (O(2 n )) Φ-Key-Malleable What about non-key-malleable classes? 18

29 Part 3: Extension to the polynomial case Φ-Unique-Input-RKA-Security: Initialize: $ $ k K, b {0,1} Unique-Input Adversary (φ,x) y Challenger If b = 0 y M(φ(k),x) Else y $ Finalize(b ): b = b b 19

30 From Key-Malleability to UI-RKA-Security M is a Φ-Key-Malleable PRF => M is Φ-UI-RKA-Secure Unique-Input Adversary PRF Attacker PRF Oracle (φ,x) y Uses KM: If b = 0 y M(φ(k),x) Else y $ u z If b = 0 z M(k,u) Else z G(k,u) b b 20

31 Generalization For any class Φ. PRF M: o Φ-Key-Malleable o Key Fingerprint w o Compatible H Hardness of Φ-KC Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F 21

32 Generalization For any class Φ. PRF M: o Φ-UI-RKA-Secure o Key Fingerprint w o Compatible H Hardness of Φ-KC Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F 21

33 Generalization For any class Φ. PRF M: o Φ-UI-RKA-Secure o Key Fingerprint w o Compatible H Hardness of Φ-KC Framework F(k,x) = M(k,H(x,M(k,w))) Φ-RKA-secure PRF F Applied to NR: Polynomial RKA-secure PRF (with polynomial time reduction!) 21

34 NR: Φ aff -UI-RKA Security Let A be a unique-input adversary. (φ,x) Φ aff 0,1 n If b = 0 If b = 1 k A y G NR NR(φ(k),x) $ $ 22

35 NR: Φ aff -UI-RKA Security NR(k+1,11 1) = g (k 1 +1).(k 2 +1)..(k n +1) = g k 1 k 2 k n. g k 2 k 3 k n. g k 1 k 3 k n.. g k 1. g = NR(k,11 1).NR(k,01 1).NR(k,101 1)..NR(k,10 0).g Exponential running time. 2 n terms 23

36 The Polynomial-Time Reduction Idea: No need to compute everything! 1 st query: NR(k+1,11) = g (k 1 +1).(k 2 +1) 24

37 The Polynomial-Time Reduction Idea: No need to compute everything! 1 st query: NR(k+1,11) = g (k 1 +1).(k 2 +1) y 1 $ 24

38 The Polynomial-Time Reduction Idea: No need to compute everything! 1 st query: NR(k+1,11) = g (k 1 +1).(k 2 +1) y 1 $ 2 nd query: NR(k,01) = g k 2 24

39 The Polynomial-Time Reduction Idea: No need to compute everything! 1 st query: NR(k+1,11) = g (k 1 +1).(k 2 +1) y 1 $ 2 nd query: NR(k,01) = g k 2 Exponents: (k 1 +1).(k 2 +1) and k 2 => Linearly independant 24

40 The Polynomial-Time Reduction Idea: No need to compute everything! 1 st query: NR(k+1,11) = g (k 1 +1).(k 2 +1) y 1 $ 2 nd query: NR(k,01) = g k 2 Exponents: (k 1 +1).(k 2 +1) and k 2 => Linearly independant y 2 $ 24

41 (φ 1,x 1 ) y 1 (φ q,x q ) y q A 25

42 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q A 25

43 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q A (φ,x) 25

44 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q Simulation A (φ,x) 1. Compute E = Exp(φ,x) 2. Check if E is linearly independant from E 1,,E q 3. If linearly independant y $ Else E = a 1 E a q E q y y 1 a 1..y q a q 25

45 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q Simulation A (φ,x) 1. Compute E = Exp(φ,x) 2. Check if E is linearly independant from E 1,,E q 3. If linearly independant y $ Else E = a 1 E a q E q y y 1 a 1..y q a q 25

46 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q Simulation A (φ,x) 1. Compute E = Exp(φ,x) 2. Check if E is linearly independant from E 1,,E q 3. If linearly independant y $ Else E = a 1 E a q E q y y 1 a 1..y q a q 25

47 (φ 1,x 1 ) y 1 (φ q,x q ) E i exponent associated to query (φ i,x i ). y q Simulation A (φ,x) y 1. Compute E = Exp(φ,x) 2. Check if E is linearly independant from E 1,,E q 3. If linearly independant y $ Else E = a 1 E a q E q y y 1 a 1..y q a q 25

48 Reduction Time: q x (Time for the statistical linearity test). O(q(q 3 + n)) => Polytime Reduction 26

49 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Φ-UI-RKA-Secure Φ-Key-Malleable 27

50 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Extended-BC Affine-RKA-PRF (O(2 n )) Φ-UI-RKA-Secure Φ-Key-Malleable 27

51 Summary Bellare-Cash Φ Claw-Free Multiplicative-RKA-PRF Additive-RKA-PRF (O(2 n )) PRF Φ = {id} Extended-BC Affine-RKA-PRF (O(2 n )) Φ-UI-RKA-Secure Φ-Key-Malleable Generalization Polynomial-RKA-PRF (Polytime) 27

52 Open problems o Larger classes? (e.g. φ(k) = M.k, for an invertible matrix M). o Other assumptions (DLIN-based for LW-PRF, Lattice-based, ). 28

53 Thank you for your attention. Questions? References in the slides: [BK03] Mihir Bellare and Tadayoshi Kohno. A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In Eli Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages ,Warsaw, Poland, May 4 8, Springer, Berlin, Germany. [BC10] Mihir Bellare and David Cash. Pseudorandom functions and permutations provably secure against related-key attacks. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages , Santa Barbara, CA, USA, August 15 19, Springer, Berlin, Germany. 29

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Michel Abdalla 1 Fabrice Benhamouda 1 Alain Passelègue 1 Kenneth. Paterson 2 1 Département d Informatique, École normale supérieure