Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption. Dagstuhl January 12, 2016

Transcription

1 Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves EPFL, EPFL, KU Leuven, University of Coimbra Dagstuhl January 12, / 18

2 Tweakable Blockciphers k m E c 2 / 18

3 Tweakable Blockciphers tweakable k m t Ẽ c Tweak: exibility to the cipher Each tweak gives dierent permutation 2 / 18

4 Tweakable Blockciphers in OCBx 2 OCBgen A 1 A 2 A a M i M 1 M 2 M d Ẽ N,A1 k Ẽ N,A2 k Ẽ N,Aa k Ẽ N,M k Ẽ N,M1 k Ẽ N,M2 k Ẽ N,M d k T C 1 C 2 C d Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] Internally based on tweakable blockcipher Ẽ Tweak (N, tweak) is unique for every evaluation 3 / 18

5 Tweakable Blockciphers in OCBx 6 OCBgen-with-arrows A 1 A 2 A a M i M 1 M 2 M d Ẽ N,A1 k Ẽ N,A2 k Ẽ N,Aa k Ẽ N,M k Ẽ N,M1 k Ẽ N,M2 k Ẽ N,M d k T C 1 C 2 C d Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] Internally based on tweakable blockcipher Ẽ Tweak (N, tweak) is unique for every evaluation Change of tweak should be ecient 3 / 18

6 Masking-Based Tweakable Blockciphers 7 picpgen Blockcipher-Based. tweak-based mask ppermutation-based.p tweak-based mask m E k c m P c 4 / 18

7 Masking-Based Tweakable Blockciphers 7 picpgen Blockcipher-Based. tweak-based mask ppermutation-based.p tweak-based mask m E k c m P c typically 128 bits much larger: bits 4 / 18

8 Powering-Up Masking (XEX) XEX by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) m E k c (α, β, γ, N) is tweak (simplied) 5 / 18

9 Powering-Up Masking (XEX) XEX by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) m E k c (α, β, γ, N) is tweak (simplied) Used in OCB2 and in various CAESAR candidates 5 / 18

10 Powering-Up Masking (XEX) 4XEX pictem by Rogaway [Rog04]: 2 α 3 β 7 γ E k (N) 2 α 3 β 7 γ (k N P (k N)) m E k c m P c (α, β, γ, N) is tweak (simplied) Used in OCB2 and in various CAESAR candidates Permutation-based variants in Minalpher and Prøst 5 / 18

11 Powering-Up Masking in OCB2 1 OCB2g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18

12 Powering-Up Masking in OCB2 7 OCB2-with-arrows-1g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18

13 Powering-Up Masking in OCB2 8 OCB2-with-arrows-2g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18

14 Powering-Up Masking in OCB2 9 OCB2-with-arrows-3g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18

15 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d 6 / 18

16 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g A 1 A 2 A a M i M 1 M 2 M d L L 2 a 3 2 L 2 d 3L 2L 2 2 L 2 d L E k E k E k E k E k E k E k 2L 2 2 L 2 d L L = E K(N) T C 1 C 2 C d Update of mask: Shift and conditional XOR Variable time computation Expensive on certain platforms 6 / 18

17 Word-Based Powering-Up Masking ccs Chakraborty and Sarkar [CS06]: z i E k (N) m E k c z {0, 1} w is a generator, (i, N) is tweak Tower of elds: z i F 2 w[z]/g instead of x i F 2 [x]/f 7 / 18

18 Word-Based Powering-Up Masking ccs Chakraborty and Sarkar [CS06]: z i E k (N) m E k c z {0, 1} w is a generator, (i, N) is tweak Tower of elds: z i F 2 w[z]/g instead of x i F 2 [x]/f Word-based powering-up Similar drawbacks as regular powering-up 7 / 18

19 Gray Code Masking cgray OCB1 and OCB3 use Gray Codes: ( i (i 1) ) Ek (N) m E k c (i, N) is tweak Updating: G(i) = G(i 1) 2 ntz(i) 8 / 18

20 Gray Code Masking cgray OCB1 and OCB3 use Gray Codes: ( i (i 1) ) Ek (N) m E k c (i, N) is tweak Updating: G(i) = G(i 1) 2 ntz(i) Single XOR Logarithmic amount of eld doublings (precomputed) More ecient than powering-up [KR11] 8 / 18

21 High-Level Contributions Masked Even-Mansour Improved masking of tweakable blockciphers Simpler to implement and more ecient Constant time (by default) Relies on breakthroughs in discrete log computation 9 / 18

22 High-Level Contributions Masked Even-Mansour Improved masking of tweakable blockciphers Simpler to implement and more ecient Constant time (by default) Relies on breakthroughs in discrete log computation Application to Authenticated Encryption Nonce-respecting AE in 0.55 cpb Misuse-resistant AE in 1.06 cpb 9 / 18

23 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) 10 / 18

24 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) Combines advantages of: Powering-up masking Word-based LFSRs 10 / 18

25 Masked Even-Mansour (MEM) cmem Masked Even-Mansour (MEM): ϕ γ 2 ϕβ 1 ϕα 0 P (N k) m P c ϕ i are xed LFSRs, (α, β, γ, N) is tweak (simplied) Combines advantages of: Powering-up masking Word-based LFSRs Simpler, constant-time (by default), more ecient 10 / 18

26 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR 11 / 18

27 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR Sample LFSRs (state size b as n words of w bits): b w n ϕ (x 1,..., x 15, (x 0 1) (x 9 1) (x 10 1)) (x 1,..., x 3, (x 0 5) x 1 (x 1 13)) (x 1, (x 0 11) x 1 (x 1 13)) (x 1,..., x 3, (x 0 3) (x 3 5)) (x 1,..., x 15, (x 0 5) (x 3 7)) (x 1,..., x 7, (x 0 29) (x 1 9)) (x 1,..., x 15, (x 0 53) (x 5 13)) (x 1,..., x 49, (x 0 3) (x 23 3)) / 18

28 Design Considerations Particularly suited for large states (permutations) Low operation counts by clever choice of LFSR Sample LFSRs (state size b as n words of w bits): b w n ϕ (x 1,..., x 15, (x 0 1) (x 9 1) (x 10 1)) (x 1,..., x 3, (x 0 5) x 1 (x 1 13)) (x 1, (x 0 11) x 1 (x 1 13)) (x 1,..., x 3, (x 0 3) (x 3 5)) (x 1,..., x 15, (x 0 5) (x 3 7)) (x 1,..., x 7, (x 0 29) (x 1 9)) (x 1,..., x 15, (x 0 53) (x 5 13)) (x 1,..., x 49, (x 0 3) (x 23 3)).... Work exceptionally well for ARX primitives 11 / 18

29 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms 12 / 18

30 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms / 18

31 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] 12 / 18

32 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] }{{} results implicitly used, e.g., by Prøst (2014) 12 / 18

33 Uniqueness of Masking Intuitively, masking goes well as long as ϕ γ 2 ϕβ 1 ϕα 0 ϕ γ 2 ϕβ 1 ϕα 0 for any (α, β, γ) (α, β, γ ) Challenge: set proper domain for (α, β, γ) Requires computation of discrete logarithms }{{} solved by Rogaway [Rog04] } {{ } results implicitly used, e.g., by Prøst (2014) } {{ } solved in this work using breakthroughs in discrete log computation 12 / 18

34 Bare Implementation Results Mask computation in cycles per update In most pessimistic scenario (for ours): Masking Sandy Bridge Haswell Powering-up Gray code Ours Dierences may amplify/diminish in a mode 13 / 18

35 Application to AE: OPP 1 OPPg A 0 A 1 A a 1 M i M 0 M 1 M d 1 ϕ 0 (L) ϕ 1 (L) ϕ a 1 (L) ϕ 2 1 ϕa 1 (L) ϕ 2 ϕ 0 (L) ϕ 2 ϕ 1 (L) ϕ 2 ϕ d 1 (L) P P P P P P P ϕ 0 (L) ϕ 1 (L) ϕ a 1 (L) ϕ 2 1 ϕa 1 (L) ϕ 2 ϕ 0 (L) ϕ 2 ϕ 1 (L) ϕ 2 ϕ d 1 (L) C 1 C 2 C d L = P (N k) ϕ 1 = ϕ id, ϕ 2 = ϕ 2 ϕ id T Oset Public Permutation (OPP) Generalization of OCB3: Permutation-based More ecient MEM masking Security against nonce-respecting adversaries 0.55 cpb with reduced-round BLAKE2b 14 / 18

36 Application to AE: MRO 2 MROg A 0 A a 1 M 0 M d 1 A M T 0 T d 1 ϕ 0 (L) ϕ a 1 (L) ϕ 1 ϕ 0 (L) ϕ 1 ϕ d 1 (L) ϕ 2(L) ϕ 2(L) P P P P P P ϕ 0 (L) ϕ a 1 (L) ϕ 1 ϕ 0 (L) L = P (N k) ϕ 1 = ϕ id, ϕ 2 = ϕ 2 ϕ id ϕ 1 ϕ d 1 (L) ϕ 2 1 (L) P T ϕ 2 1 (L) C 1 ϕ 2(L) M 0 ϕ 2(L) M d 1 C d Misuse-Resistant OPP (MRO) Fully nonce-misuse resistant version of OPP 1.06 cpb with reduced-round BLAKE2b 15 / 18

37 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds 16 / 18

38 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds Main implementation results (more in paper): nonce-respecting misuse-resistant Platform AES-GCM OCB3 Deoxys OPP 4 OPP 6 Cortex-A Sandy Bridge Haswell / 18

39 Implementation State size b = 1024 LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) P : BLAKE2b permutation with 4 or 6 rounds Main implementation results (more in paper): nonce-respecting misuse-resistant Platform AES-GCM OCB3 Deoxys OPP 4 OPP 6 GCM-SIV Deoxys = MRO 4 MRO 6 Cortex-A Sandy Bridge Haswell / 18

40 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) 17 / 18

41 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x / 18

42 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x / 18

43 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x / 18

44 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x / 18

45 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 19 = (x 3 53) (x 8 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x / 18

46 Implementation: Parallelizability LFSR on 16 words of 64 bits: ϕ(x 0,..., x 15 ) = (x 1,..., x 15, (x 0 53) (x 5 13)) Begin with state L i = [x 0,..., x 15 ] of 64-bit words x 16 = (x 0 53) (x 5 13) x 17 = (x 1 53) (x 6 13) x 18 = (x 2 53) (x 7 13) x 19 = (x 3 53) (x 8 13) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x 19 Parallelizable (AVX2) and word-sliceable 17 / 18

47 Conclusion Masked Even-Mansour Simpler, constant-time (by default), more ecient Justied by breakthroughs in discrete log computation MEM-based AE outperforms its closest competitors More Info Thank you for your attention! 18 / 18