An Introduction to Authenticated Encryption. Palash Sarkar


1 An Introduction to Authenticated Encryption Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata 20 September 2016 Presented at the Workshop on Authenticated Encryption Indian Statistical Institute Palash Sarkar (ISI, Kolkata) AE Introduction 20 September / 84

2 Communication. Communication between geographically distant parties. Content: voice, picture, computer file, text. Form: phone, FAX, SMS. Applications: military, business, politics, diplomacy. Message: a sequence of bits (bitstream).

3 Two Aspects of Communication. Error-free communication: reliable communication over a noisy channel (coding theory). Secure communication: private communication over an open (public) channel (cryptography).

4 Sensitive Messages. Short messages: headquarters to field unit: "Attack at dawn"; MD to broker: "Buy XYZ shares". Long messages: e-mails, phone conversations, text files, images (maps).

5 Communication Over the Internet. No dedicated path from sender to receiver. Messages are broken into packets. Packets for a single message generated at the source may take different paths to the destination. Each packet consists of a body (the actual data) and a header (identifying information for the packet).

6 Encryption, Authentication, ...

7 Encryption. [Diagram] Sender: msg → Encrypt (key K) → cpr; cpr crosses the public channel, where the adversary can observe it; Receiver: cpr → Decrypt (key K) → msg.

8 Authentication. [Diagram] Sender: msg → Generate Tag (key K) → (msg, tag); (msg, tag) crosses the public channel, where the adversary can observe it; Receiver: (msg, tag) → Verify Tag (key K).

9 Authenticated Encryption (AE). [Diagram] Sender: (nonce, msg) → Encrypt (key K) → cpr = (C, tag); cpr crosses the public channel, where the adversary can observe it; Receiver: (nonce, cpr) → Decrypt (key K) → msg.

10 AE with Associated Data (AEAD). [Diagram] Sender: (nonce, hdr, msg) → Encrypt (key K) → (hdr, cpr = (C, tag)); the pair crosses the public channel, where the adversary can observe it; Receiver: (nonce, hdr, cpr) → Decrypt (key K) → msg.

11 Deterministic AEAD (DAEAD). [Diagram] Sender: (hdr, msg) → Encrypt (key K) → (hdr, cpr = (C, tag)), with no nonce; the pair crosses the public channel, where the adversary can observe it; Receiver: (hdr, cpr) → Decrypt (key K) → msg.

12 Adversarial Models. Ciphertext-only attack: the attacker has access to only ciphertext(s); goal: find (one of) the message(s) and/or the key. Known-plaintext attack: the attacker knows (P_1, C_1), ..., (P_t, C_t); goal: find the key or find the P corresponding to a new C. Chosen-plaintext attack: the attacker chooses P_1, ..., P_t and receives the corresponding C_1, ..., C_t; goal: find the key or find the P corresponding to a new C. Chosen-ciphertext attack.

13 Authenticated Encryption. Usually both confidentiality and authentication are required simultaneously. Confidentiality ensures privacy of the communication. Authentication ensures integrity of the message/sender. Internet packets: confidentiality and authentication of the body (data). The header cannot be encrypted, since then the packet could not be forwarded by intermediate routers; the header has to be authenticated. This gives rise to authenticated encryption with associated data (header = associated data).

14 Perfect Secrecy versus Authentication

15 One-Time Pad. ciphertext = message ⊕ true random sequence. Perfect secrecy: for a, b ∈ {0, 1}, Pr[M_i = a | C_i = b] = Pr[M_i = a].

16 One-Time Pad and Authentication. The one-time pad does not provide authentication. Consider the message "attack at dawn". Let y_1 ‖ y_2 be the ciphertext under the one-time pad, where y_1 is the encryption of "attack" and y_2 is the encryption of "at dawn". Then y_1 itself is a valid forgery. If the adversary can successfully truncate the message, then the field unit may be led into believing that the order is to attack immediately.
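The truncation on this slide, worked through in code. This is an added example, not part of the slides: the pad and MAC key are constructed constants so the run is reproducible, and HMAC-SHA256 stands in for the PRF used to produce the tag. The point to see is that the truncated ciphertext y_1 decrypts cleanly to "attack" under the pad (nothing in the one-time pad signals the cut), whereas a receiver that verifies a tag over the ciphertext before accepting it rejects y_1.

```python
import hmac
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad: ciphertext = message XOR pad (pad at least as long as msg)."""
    return xor_bytes(msg, pad[: len(msg)])


def otp_decrypt(pad: bytes, ct: bytes) -> bytes:
    """The receiver XORs with the same pad prefix; a shorter ct still 'decrypts'."""
    return xor_bytes(ct, pad[: len(ct)])


def mac_tag(key: bytes, ct: bytes) -> bytes:
    """Tag over the ciphertext from a PRF (HMAC-SHA256 here), keyed independently of the pad."""
    return hmac.new(key, ct, hashlib.sha256).digest()


def mac_verify(key: bytes, ct: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(mac_tag(key, ct), tag)


def truncation_demo() -> dict:
    msg = b"attack at dawn"
    # Constructed, fixed pad and MAC key so the run is reproducible;
    # a real pad must be truly random and never reused.
    pad = bytes([0x3A, 0x91, 0xC7, 0x08, 0x55, 0xE2, 0x7F, 0x1D,
                 0xB4, 0x66, 0x0C, 0x9E, 0x23, 0xD8])
    mac_key = b"constructed demo MAC key"
    ct = otp_encrypt(pad, msg)
    tag = mac_tag(mac_key, ct)

    # Truncation: keep only y_1, the encryption of "attack".
    y1 = ct[: len(b"attack")]
    return {
        "honest_plaintext": otp_decrypt(pad, ct),
        "truncated_plaintext": otp_decrypt(pad, y1),      # decrypts to b"attack"
        "honest_verifies": mac_verify(mac_key, ct, tag),   # True
        "truncated_verifies": mac_verify(mac_key, y1, tag),  # False: tag covers all of ct
    }


if __name__ == "__main__":
    for k, v in truncation_demo().items():
        print(f"{k}: {v!r}")
```

The tag here is computed over the ciphertext, which is the (C, tag) shape of the AE slides that follow; a tag over the plaintext would detect the truncation equally well, but only after the receiver has already decrypted unauthenticated data.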

17 Block Ciphers and Modes of Operations

18 Encrypting Short Fixed-Length Strings. [Diagram] msg blk → Encrypt (key K) → cpr blk; cpr blk → Decrypt (key K) → msg blk. Block cipher: E : {0,1}^k × {0,1}^n → {0,1}^n; D : {0,1}^k × {0,1}^n → {0,1}^n. For each K ∈ {0,1}^k, D_K(E_K(M)) = M. Typical values: n, k = 128, 192, 256.

19 Choosing a Block Cipher. Public domain approach: AES, DES, IDEA, MARS, SERPENT, RC6, ... AES: standardised by NIST (USA) for encryption of sensitive (unclassified) information; FIPS 197, November 26. Proprietary approach: pros: benefits from "security by obscurity"; cons: cannot benefit from third-party cryptanalysis. Mixed approach: start from a public domain block cipher; introduce additional structure and generalise to a large family of block ciphers; pick a random block cipher from the family.

20 Looking Beyond a Block Cipher. Assumption: the block cipher is perfectly secure (whatever that may mean). Is that the end of the story? No!

21 Block Cipher and Practical Requirements. Block length: the block cipher handles n-bit blocks; typically, n = 128, 192 or 256 bits. Message requirements: handle long messages; handle variable-length messages.

22 Block Cipher and Practical Requirements. Secure block cipher: the block cipher ensures strong security for n-bit blocks. Security requirements: privacy only; authentication; authenticated encryption; authenticated encryption with associated data; others.

23 Modes of Operations. Enable the use of a block cipher for bulk encryption: extend the domain (and range). Different applications have different security goals: privacy; authentication; authenticated encryption; authenticated encryption with associated data; deterministic authenticated encryption with associated data; disk encryption; format-preserving encryption. Handling multiples of the block length is easier than handling arbitrary lengths.

24 Conventional modes of operations. Message: M_1, M_2, M_3, ...; initialization vector: n-bit IV (used as nonce). Electronic codebook (ECB) mode: C_i = E_K(M_i), i ≥ 1. Cipher block chaining (CBC) mode: C_1 = E_K(M_1 ⊕ IV); C_i = E_K(M_i ⊕ C_{i−1}), i ≥ 2.

25 Conventional modes of operations (contd.). Output feedback (OFB) mode: Z_1 = E_K(IV); Z_i = E_K(Z_{i−1}), i ≥ 2; C_i = M_i ⊕ Z_i, i ≥ 1. This is essentially an additive stream cipher. Cipher feedback (CFB) mode: C_1 = M_1 ⊕ E_K(IV); C_i = M_i ⊕ E_K(C_{i−1}), i ≥ 2. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode.

26 Conventional modes of operations (contd.). Counter (CTR) mode: C_i = M_i ⊕ E_K(nonce ‖ bin(i)), i ≥ 1. nonce is an n/2-bit string; bin(i) is the n/2-bit binary representation of i.
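ECB, CBC and CTR from the three preceding slides, written out over an abstract block cipher E_K. This is an added example and not code from the talk: the block cipher is a constructed 4-round Feistel permutation on 128-bit blocks built from SHA-256 (so that D_K(E_K(M)) = M holds and the example runs offline); it is a stand-in for AES, not a secure cipher. The modes themselves follow the slides exactly, including the n/2-bit nonce and counter of CTR and the restriction to messages that are a multiple of the block length. Encrypting three identical blocks shows the ECB problem of the next slide directly: the three ciphertext blocks are identical, while CBC and CTR produce distinct blocks.

```python
import hashlib

BLOCK = 16        # n = 128 bits
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: SHA-256 of (key, round index, half), truncated.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """E_K: a 4-round Feistel permutation on 128-bit blocks (demo stand-in, not a real cipher)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """D_K: undo the Feistel rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "these modes handle multiples of the block length only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: C_i = E_K(M_i). Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, m) for m in _blocks(msg))


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC: C_1 = E_K(M_1 xor IV); C_i = E_K(M_i xor C_{i-1})."""
    out, prev = [], iv
    for m in _blocks(msg):
        prev = toy_encrypt_block(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """CBC decryption: M_i = D_K(C_i) xor C_{i-1}, with C_0 = IV."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: C_i = M_i xor E_K(nonce || bin(i)); nonce and counter are n/2 bits each.
    The same function decrypts, since it only XORs with the keystream."""
    assert len(nonce) == HALF
    out = []
    for i, m in enumerate(_blocks(data), start=1):
        keystream = toy_encrypt_block(key, nonce + i.to_bytes(HALF, "big"))
        out.append(_xor(m, keystream))
    return b"".join(out)


if __name__ == "__main__":
    key, iv, nonce = b"constructed-key!", bytes(BLOCK), bytes(HALF)   # constructed values
    msg = b"A" * (3 * BLOCK)                                           # three identical blocks
    print("ECB blocks identical:", len(set(_blocks(ecb_encrypt(key, msg)))) == 1)
    print("CBC blocks distinct:", len(set(_blocks(cbc_encrypt(key, iv, msg)))) == 3)
    print("CTR blocks distinct:", len(set(_blocks(ctr_crypt(key, nonce, msg)))) == 3)
```

Only the block-cipher call differs between this and a real deployment; swapping `toy_encrypt_block` for AES leaves the mode logic unchanged, which is the sense in which a mode "extends the domain" of the cipher.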

27 Insecurity of ECB Mode. [Image: a picture encrypted in ECB mode; the outline of the original remains visible because identical plaintext blocks map to identical ciphertext blocks. Source: Wikipedia.]

28 Some Formalism

29 Secrecy and Randomness. K is a secret 128-bit value; K is uniformly distributed over {0,1}^128.

30 Using a Secret. [Diagram] A → φ_K(A); B → ψ_K(B). Cryptographic methods interact with the environment using K. The interaction is via certain functions (φ and ψ). The values φ_K(A) and ψ_K(B) are public. Each such value potentially leaks information about K. How to argue about security?

31 Functions Parameterised by a Secret. φ : K × D → R; φ_K(A) = φ(K, A). An adversary can see the values V^(1) = φ_K(A^(1)), V^(2) = φ_K(A^(2)), V^(3) = φ_K(A^(3)), .... An adversary may choose the values A^(1), A^(2), A^(3), .... Idea of security: the values V^(1), V^(2), V^(3), ... should appear independent and uniformly distributed over R to the adversary. How to formalise this notion?

32 Functions Parameterised by a Secret (contd.). φ : K × D → R; φ_K(A) = φ(K, A). K, D and R are finite sets. Let K = {0,1}^k, so there are 2^k possible functions φ_K. Secret K, uniform random K ⇒ φ_K is specified by k bits of randomness: φ_K is chosen uniformly at random from the set of 2^k possible functions indexed by K.

33 Uniform Random Function. f : D → R. There are a total of |R|^|D| functions from D to R. f is chosen uniformly at random from these |R|^|D| functions; f is specified by |D| log|R| bits of randomness. A useful view: if A_1, A_2, A_3, ... are distinct values then f(A_1), f(A_2), f(A_3), ... are independent and uniformly distributed.

34 Random Versus Uniform Random. φ_K is a random function: k bits of randomness. f is a uniform random function: |D| log|R| bits of randomness. A typical set of values: k = 128; |D| = ; |R| = . Gap in randomness: 128 versus . If the adversary has unbounded resources, then this gap in randomness can be detected. To obtain a meaningful definition, the adversary is restricted: either by time/space, or by the number of queries, or both.

35 The Adversary A. An algorithm. Computational restrictions: time/space. Information-theoretic restrictions: number of queries / total number of bits in all queries. Oracle access: submits queries to one or more oracles and obtains the proper responses. Adaptive: the next query can depend on the previous queries (to different oracles) and their responses. Outputs a bit (0 or 1) at the end of the oracle interactions. Notation: adversary A interacts with an oracle O and finally outputs 1: A^O ⇒ 1.

36 Pseudorandom Permutation. Choose a random K ∈ K; the adversary has oracle access to E_K. Adv^prp_E(A) = Pr[K ←$ K : A^{E_K(·)} ⇒ 1] − Pr[π ←$ Perm(n) : A^{π(·)} ⇒ 1]. Perm(n): the set of all bijections from {0,1}^n to {0,1}^n. Adv^prp_E(t, q, σ): time t; number of queries q; query complexity σ.

37 Strong Pseudorandom Permutation. Choose a random K ∈ K; the adversary has oracle access to E_K and E_K^{−1}; the adversary is computationally bounded. Adv^{±prp}_E(A) = Pr[K ←$ K : A^{E_K(·), E_K^{−1}(·)} ⇒ 1] − Pr[π ←$ Perm(n) : A^{π(·), π^{−1}(·)} ⇒ 1]. Adv^{±prp}_E(t, q, σ): time t; number of queries q; query complexity σ.

38 Pseudo-Random Function. φ is a random function; f is a uniform random function. Adv^prf_φ(A) = Pr[A^f ⇒ 1] − Pr[A^φ ⇒ 1]. Adv^prf_E(t, q, σ): time t; number of queries q; query complexity σ.

39 Authentication: Security Definition. [Diagram] Sender: msg → generate tag (secret key K) → (msg, tag); (msg, tag) crosses the public channel, where the adversary can observe it; Receiver: (msg, tag) → verify tag (secret key K) → yes/no. The adversary chooses messages M^(1), M^(2), M^(3), .... Receives the corresponding tags tag^(1), tag^(2), tag^(3), .... The adversary produces (M, tag). Success: if (M, tag) passes verification.

40 Authentication: Arguing Security. f : messages → tags. If f is a PRF, then authentication is achieved. If a t-bit tag is produced, then Adv^auth_f(q, σ) ≤ 1/2^t + Adv^prf_f(q, σ). So, it is sufficient to show the PRF property.

41 PRF from Block Ciphers: Arguing Security. Let f : messages → tags. f is built using a block cipher E_K; so f is a random function, but not a uniform random function. It is required to argue that the outputs of f appear independent and uniformly distributed.

42 PRF from Block Ciphers: Arguing Security. f : messages → tags. Restrictions on the PRF-adversary: computational: a bound on the run time t; information-theoretic: bounds on the number of queries q and the query complexity σ. The underlying block cipher E_K is modelled as an SPRP. Computationally bounded adversary: access to E_K, E_K^{−1}. Information-theoretically bounded adversary: for π ←$ Perm(n), access to π, π^{−1}. For the information-theoretic PRF-adversary, it is required to show that the success probability of a valid forgery is small.

43 AEAD: Some Formalism

44 AE: Syntax. F_n[N, X]: the set of all functions f : N × X → X × {0,1}^n such that if f(N, P) = (C, tag) then len(P) = len(C). N: the nonce space; X: the message space; {0,1}^n: the tag space (it is easy to formalise more general tag spaces). AE-function f: f_N(·) = f(N, ·) is an injection; given N, C, tag there is a unique P such that f(N, P) = (C, tag), so decryption is possible.

45 Random AE Function. {f_K}_{K ∈ K}: a keyed subset of AE functions. f_K is the encryption function of the AE scheme; the decryption function is g_K : N × X × {0,1}^n → X ∪ {⊥}, with g_K(N, C, tag) = P if f_K(N, P) = (C, tag), and g_K(N, C, tag) = ⊥ otherwise. K is the key space. Random AE function f_K: K is chosen uniformly at random from K.

46 AE: Privacy Definition. Let f be a random AE-function. Adversary A has oracle access to f; it adaptively queries f on (N^(s), P^(s)), s = 1, ..., q, and gets back (C^(s), tag^(s)). Nonce-respecting: the nonces of different queries are distinct. Finally, A outputs a bit. Adv^priv_f(A) = Pr[A^f ⇒ 1] − Pr[A^$ ⇒ 1], where the ideal oracle $, on input (N^(s), P^(s)), returns independent and uniform random strings of the appropriate lengths.

47 AE: Authenticity. Adversary A has oracle access to f; queries (N^(s), X^(s)), s = 1, ..., q−1, are made adaptively; A receives the responses (Y^(s), tag^(s)); the queries are nonce-respecting; finally, A outputs a forgery (N^(q), Y^(q), tag^(q)). Restrictions: (N^(q), Y^(q), tag^(q)) ≠ (N^(s), Y^(s), tag^(s)) for all 1 ≤ s ≤ q−1; there is no restriction on N^(q), which may equal one of the earlier N^(s). Success: if there is an X^(q) such that f(N^(q), X^(q)) = (Y^(q), tag^(q)). Adv^aeauth_f(A) = Pr[succ(A)].

48 Authentication: PRF versus AE. f is a PRF: the adversary adaptively queries f on M^(1), M^(2), ...; receives in response tag^(1), tag^(2), ...; finally outputs (M, tag) as a (possible) forgery. f is an AE function: the adversary adaptively queries f on (N^(1), M^(1)), (N^(2), M^(2)), ...; receives in response (C^(1), tag^(1)), (C^(2), tag^(2)), ...; finally outputs (C, tag) as a (possible) forgery.

49 Block-Cipher Based AE Schemes: Security Proofs. Proofs are reductions. Privacy: the ability to distinguish outputs of the AE function from random reduces to defeating the PRP property of the underlying block cipher. Authenticity: the ability to forge reduces to defeating the SPRP property of the underlying block cipher. Caveat: proofs are long and complex (and error prone).

50 Computational/Information-Theoretic Arguments. Since concrete primitives are proposed, only computational security can be proved. Replace the block cipher by an appropriate ideal primitive (PRP/SPRP); the rest of the argument is information-theoretic. The adversary has unbounded computational power and consequently can be assumed to be deterministic. The argument reduces to bounding the advantage/success probability of such an adversary.

51 AEAD Constructions

52 Construction Approaches. Using a block cipher; additionally, an AXU hash function may be used. Using a stream cipher supporting an IV and an AXU hash function. Using permutations (sponge-based constructions). Direct constructions of an integrated primitive: PHELIX, SOBER, AEGIS, ...: no reductionist proofs; instead, direct cryptanalytic methods have to be considered.

53 Block Cipher Based Constructions. Two-pass: first pass to encrypt; second pass to generate the tag. The passes are at a conceptual level; only one physical pass over the data is required. Cost per n-bit block: 2[BC] or 1[BC] + 1[M]. Single-pass or rate-1: both encryption and tag generation are done in a single pass. Cost per n-bit block: 1[BC] + SOMETHING, where SOMETHING is much smaller than 1[M] or 1[BC].

54 Two-Pass Constructions. GCM: counter + hash; standardised by NIST (USA). CCM: counter + CBC-MAC; standardised by NIST (USA). CWC: Carter-Wegman + counter mode. EAX. CHM: CENC + hash. CCFB: between one- and two-pass.

55 GCM: An Overview. Counter mode + polynomial hash. Nonce: N; AD: A_1, A_2, ...; msg: P_1, P_2, .... τ = E_K(0^128); Y_0 = N if len(N) = 96, else Y_0 = GHASH_τ(λ, N); Y_i = incr(Y_{i−1}) for i = 1, 2, ...; C_i = P_i ⊕ E_K(Y_i) for i = 1, 2, ...; tag = GHASH_τ(A, C) ⊕ E_K(Y_0). GHASH_τ(A_1, ..., C_1, ...) = poly_τ(A_1, ..., C_1, ..., len(A) ‖ len(C)); poly_τ(X_1, X_2, ..., X_l) = X_1 τ^l ⊕ X_2 τ^{l−1} ⊕ ... ⊕ X_l τ. poly can be evaluated using Horner's rule. incr(Y): increment the last 32-bit word of Y.
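The polynomial hash of this slide, evaluated by Horner's rule over GF(2^128), with the tag assembled as GHASH_τ(A, C) ⊕ E_K(Y_0). This is an added example rather than the talk's own code, and it deliberately leaves the block cipher out: τ = E_K(0^128), the ciphertext block and E_K(Y_0) are taken from test case 2 of NIST's GCM specification (AES-128 with an all-zero key, a zero 96-bit nonce and one zero plaintext block), so the arithmetic can be checked against the published tag without implementing AES. The multiplication follows the bit-reflected convention of the specification, where a block's leftmost bit is the coefficient of x^0.

```python
# Reduction constant for GF(2^128) in GCM's bit-reflected representation
# (the polynomial x^128 + x^7 + x^2 + x + 1, written as 11100001 || 0^120).
_R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply x and y in GF(2^128) as in the GCM specification.
    Integers are 128-bit blocks read big-endian; spec bit 0 is the integer's MSB."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, counted from the left
            z ^= v
        v = (v >> 1) ^ _R if v & 1 else v >> 1   # v <- v * x
    return z


def _pad_blocks(data: bytes):
    """Split into 16-byte blocks, zero-padding the last one (λ gives no blocks)."""
    return [data[i:i + 16].ljust(16, b"\x00") for i in range(0, len(data), 16)]


def ghash(tau: int, a: bytes, c: bytes) -> int:
    """GHASH_tau(A, C) = poly_tau(A_1, ..., C_1, ..., len(A) || len(C)).
    Horner's rule: X <- (X xor X_j) * tau for each block, which yields
    X_1 tau^l xor X_2 tau^(l-1) xor ... xor X_l tau."""
    x = 0
    for blk in _pad_blocks(a) + _pad_blocks(c):
        x = gf128_mul(x ^ int.from_bytes(blk, "big"), tau)
    length_block = ((8 * len(a)) << 64) | (8 * len(c))   # two 64-bit bit-lengths
    return gf128_mul(x ^ length_block, tau)


def gcm_tag(tau: int, a: bytes, c: bytes, ek_y0: int) -> int:
    """tag = GHASH_tau(A, C) xor E_K(Y_0); the caller supplies E_K(Y_0)."""
    return ghash(tau, a, c) ^ ek_y0


# Published values from NIST GCM spec test case 2 (not computed here):
TAU = 0x66E94BD4EF8A2C3B884CFA59CA342B2E                    # E_K(0^128), AES-128 zero key
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # the single ciphertext block
EK_Y0_TC2 = 0x58E2FCCEFA7E3061367F1D57A4E7455A              # E_K(Y_0) for the zero nonce

if __name__ == "__main__":
    print("GHASH:", hex(ghash(TAU, b"", C_TC2)))
    print("tag:  ", hex(gcm_tag(TAU, b"", C_TC2, EK_Y0_TC2)))
```

Two operational consequences are visible in the code: the length block is part of the hashed polynomial, so truncating C changes the tag; and everything except the final XOR is linear in the blocks, which is why τ = E_K(0^128) and the one-time masks E_K(Y_0) must stay secret and why Y_0 (hence the nonce) must never repeat under one key.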

56 GCM: A Schematic Diagram. [Figure]

57 Single-Pass Constructions. Constructions having associated (US) patents: IACBC, IAPM (Jutla, 2001); XCBC, XECB (Gligor-Donescu, 2001); OCB: OCB1 (Rogaway et al., 2001), OCB2 (Rogaway, 2004; based on tweakable block ciphers), OCB3 (Krovetz-Rogaway). Constructions without associated patents: Chakraborty-Sarkar (2006, 2008): generalisation of Rogaway's TBC-based construction; Sarkar (2010): incorrect attacks by Chakraborty-Nandi (2016); Chakraborty-Sarkar (2015); other constructions in the CAESAR competition.

58 TBC Based Approach

59 (Tweakable) Block Ciphers. [Diagram] Block cipher: msg blk → Encrypt (key K) → cpr blk; cpr blk → Decrypt (key K) → msg blk. Tweakable block cipher: msg blk → Encrypt (key K, tweak T) → cpr blk; cpr blk → Decrypt (key K, tweak T) → msg blk. A non-secret tweak allows flexibility in designing applications. Formalised by Liskov-Rivest-Wagner (2002).

60 TBC and Modes of Operations. Liskov-Rivest-Wagner (2002) described modes of operations using a TBC; these are not efficient. Rogaway (2004) provides an efficient construction of a TBC family and introduces techniques for using a TBC family to construct different modes of operations: message authentication; authenticated encryption; authenticated encryption with associated data. Chakraborty-Sarkar (2006, 2008): generalisation of Rogaway's TBC family.

61 TBC from BC. Given a block cipher E : {0,1}^k × {0,1}^n → {0,1}^n, construct a TBC Ẽ : {0,1}^k × T × {0,1}^n → {0,1}^n, where T is an appropriate tweak space.

62 Chakraborty-Sarkar TBC Construction. Based on Rogaway (2004). XE construction: Ẽ_K^{N,l}(M) = E_K(M + Δ). XEX construction: Ẽ_K^{N,l}(M) = E_K(M + Δ) − Δ. Here Δ = f_l(N') and N' = E_K(N); f_1, f_2, ... is a masking sequence. (N, l) is the tweak; the tweak space is {0,1}^n × {1, 2, ..., 2^n − 2}. Addition (and subtraction) is over a ring R.

63 Masking Sequence. f_1, f_2, ..., f_m (with f_s : {0,1}^n → {0,1}^n) is an (n, m, µ) masking sequence if Prob[f_s(N') = α] ≤ 1/µ; Prob[f_s(N') = N' + α] ≤ 1/µ; Prob[f_s(N') = f_t(N') + α] ≤ 1/µ for s ≠ t; Prob[f_s(N') = f_t(N'') + α] ≤ 1/µ; where N' and N'' are independently and uniformly chosen from {0,1}^n and α is any fixed n-bit string.

64 Security of XE and XEX. Security of XE: Adv^prp_Ẽ(t, q) ≤ Adv^prp_E(t', 2q) + 5q²/2^{n+1} + 2q²/µ. Security of XEX: Adv^{±prp}_Ẽ(t, q) ≤ Adv^{±prp}_E(t', 2q) + 5q²/2^{n+1} + 4q²/µ. Here t' = t + cq + c' for constants c, c'.

65 Instantiations of R. R as GF(2^n): define f_i(N') = N' G^i, where G is an n × n binary matrix whose characteristic polynomial is primitive over GF(2). f_1, f_2, ..., f_{2^n − 2} is an (n, 2^n − 2, 2^n) masking sequence. Efficient instantiations of G: powering method, (word-oriented) LFSR, CA. R as Z_{2^n}: let p = 2^n + δ be a prime, with δ as small as possible. Define f_i(N') = ((i + 1)N' mod p) mod 2^n. f_1, f_2, ..., f_{2^n − 2} is an (n, 2^n − 2, 2^{n−1}/(δ + 1)) masking sequence. Rogaway (2004): R as GF(2^n) with the powering method.

66 From TBC to AE. XEX-TBC Ẽ with tweak space {0,1}^n × {1, 2, ..., 2^{n/2}} × {0,1}. [Figure: Rogaway's 2004 TBC-to-AE construction lifted to R.] P_1, P_2, P_3 are encrypted with Ẽ_K^{N,1,0}, Ẽ_K^{N,2,0}, Ẽ_K^{N,3,0} to give C_1, C_2, C_3; pad = Ẽ_K^{N,4,0}(bin_n(r)) and C_4 = First_r(P_4 + pad); tag = Ẽ_K^{N,4,1}(sum). N is used as a nonce; r = len(P_4); sum = P_1 + P_2 + P_3 + (C_4 ‖ 0^{n−r}) + pad.

67 From TBC to AE (contd.). Required tweak space: {0,1}^n × {1, 2, ..., 2^{n/2}} × {0,1}. Tweak space of the XEX-TBC: {0,1}^n × {1, 2, ..., 2^n − 2}. Injective map φ : {1, 2, ..., 2^{n/2}} × {0,1} → {1, 2, ..., 2^n − 2}. Linear separation: φ(i, b) = i + Lb, where L is an appropriately chosen large integer. R as GF(2^n): L is the discrete log of (x + 1) (Rogaway 2004). R as Z_{2^n}: L = 2^{n/2}. Interleaved separation: φ(i, b) = 2i + b; avoids the (design-time) discrete log computation.

68 OCB3: An Overview

69 OCB3. Processing of message blocks M_1, M_2, ..., M_m. Full blocks, using the XEX construction: C_i = E_K(M_i ⊕ Δ_i) ⊕ Δ_i. Partial last block (if any), using the XE construction: C_* = trunc(E_K(Δ_*)) ⊕ (M_* ‖ 0^*). Checksum (XOR of the message blocks), using the XE construction: tag = Auth ⊕ E_K(chksum ⊕ Δ_$). Processing of AD blocks A_1, A_2, ..., using the XE construction: full blocks: B_i = E_K(A_i ⊕ Δ_i); partial last block (if any): B_* = E_K(A_* ⊕ Δ_*); Auth = B_1 ⊕ B_2 ⊕ .... Δ_* and Δ_$ depend upon the number of blocks in the message.

70 OCB3: A Schematic Diagram. [Figure]

71 OCB3. OCB3 can also be viewed as derived from an appropriate TBC family. Differences from OCB2: the processing of the last partial message block and of the checksum is different; there is no separate MAC of the associated data; the main difference is in the generation of the offsets Δ_i, Δ_* and Δ_$.

72 Offsets in OCB3. L_* = E_K(0^128); L_$ = xtimes(L_*); L[0] = xtimes(L_$); L[1] = xtimes(L[0]); L[2] = xtimes(L[1]); .... Nonce: N (max length: 127); Nonce = 0^{127−len(N)} ‖ 1 ‖ N; Top = Nonce ∧ 1^{122}0^6; Bottom = Nonce ∧ 0^{122}1^6; Ktop = E_K(Top); Stretch = Ktop ‖ (Ktop ⊕ (Ktop ≪ 8)); Δ = Δ_0 = (Stretch ≪ Bottom)[1..128]. Δ_i = Δ_{i−1} ⊕ L[ntz(i)], i = 1, ..., m−1; full last block: Δ_m = Δ_{m−1} ⊕ L[ntz(m)], Δ_$ = Δ_m ⊕ L_$; partial last block: Δ_* = Δ_{m−1} ⊕ L_*, Δ_$ = Δ_* ⊕ L_$. ntz(i): number of trailing zeros in the binary representation of i.
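The offset arithmetic of this slide and the two masking-sequence instantiations of slide 65, as an added example that is not the talk's or OCB's reference code. It assumes the block cipher outputs L_* and Δ_0 are given (they are constructed constants below; no AES is run), uses OCB's GF(2^128) polynomial x^128 + x^7 + x^2 + x + 1 for xtimes, and checks the ntz-based recurrence Δ_i = Δ_{i−1} ⊕ L[ntz(i)] against the closed form Δ_i = Δ_0 ⊕ gray(i)·L[0], which is why only one table fetch per block is needed. The Z_{2^n} masking family is shown at the toy size n = 16 with p = 2^16 + 1 = 65537 (a prime, so δ = 1); the slide's 128-bit prime is not reproduced here.

```python
MASK128 = (1 << 128) - 1


def xtimes(a: int) -> int:
    """Multiply by x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (OCB's convention)."""
    a <<= 1
    if a >> 128:
        a = (a & MASK128) ^ 0x87
    return a


def gf_mul(a: int, b: int) -> int:
    """Schoolbook multiplication in GF(2^128); b is read as a polynomial bit by bit."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a = xtimes(a)
        b >>= 1
    return acc


def powering_masks(n_prime: int, count: int) -> list:
    """Powering-up masking sequence f_i(N') = x^i * N' (the GF(2^n) instantiation of slide 65).
    Returns [f_1(N'), ..., f_count(N')]."""
    out, cur = [], n_prime
    for _ in range(count):
        cur = xtimes(cur)
        out.append(cur)
    return out


def zpow_masks(n_prime: int, count: int, n: int, p: int) -> list:
    """Integer-ring masking sequence f_i(N') = ((i+1) N' mod p) mod 2^n with p = 2^n + delta prime."""
    return [((i + 1) * n_prime % p) % (1 << n) for i in range(1, count + 1)]


def ntz(i: int) -> int:
    """Number of trailing zeros of i >= 1."""
    return (i & -i).bit_length() - 1


def ocb3_offsets(delta0: int, l_star: int, m: int) -> list:
    """Delta_1..Delta_m via Delta_i = Delta_{i-1} xor L[ntz(i)], where
    L_$ = xtimes(L_*), L[0] = xtimes(L_$), L[j] = xtimes(L[j-1])."""
    l_dollar = xtimes(l_star)
    table = [xtimes(l_dollar)]
    while len(table) <= m.bit_length():       # enough entries for ntz(i), i <= m
        table.append(xtimes(table[-1]))
    offsets, cur = [], delta0
    for i in range(1, m + 1):
        cur ^= table[ntz(i)]
        offsets.append(cur)
    return offsets


def gray(i: int) -> int:
    return i ^ (i >> 1)


def closed_form_offset(delta0: int, l_star: int, i: int) -> int:
    """Delta_i = Delta_0 xor gray(i) * L[0]: the Gray-code view of the same offsets."""
    l0 = xtimes(xtimes(l_star))
    return delta0 ^ gf_mul(l0, gray(i))


if __name__ == "__main__":
    # Constructed stand-ins for E_K(0^128) and for the nonce-derived Delta_0.
    L_STAR = 0xFEDCBA9876543210FEDCBA9876543210
    DELTA0 = 0x0123456789ABCDEF0123456789ABCDEF
    for i, d in enumerate(ocb3_offsets(DELTA0, L_STAR, 8), start=1):
        print(i, ntz(i), hex(d), d == closed_form_offset(DELTA0, L_STAR, i))
```

Because gray(i) ≠ 0 for i ≥ 1 and distinct i give distinct gray(i), the offsets Δ_1, ..., Δ_m are pairwise distinct and differ from Δ_0, which is exactly the distinctness the XE/XEX masking argument relies on; the recurrence is just the cheapest way to walk through them.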

73 Efficiency Features of OCB3. Reducing a block cipher call: if nonces are generated by a counter, the initial offset can be computed without a block cipher call 63/64 ≈ 98% of the time. For fixed K, the map N ↦ (Stretch ≪ Bottom)[1..128] is xor-universal. L[0], L[1], ... are pre-computed and stored in memory: computing the next offset requires only a fetch from memory. The checksum does not depend on any ciphertext block: processing of the checksum can be done in parallel with the processing of the last block.

74 An Alternative to OCB3

75 Chakraborty-Sarkar (2016). PAuth: a MAC scheme; PAuth (vector-input variant): a MAC scheme which handles vector headers; PAE1, PAE2: two AE schemes; PAEAD1, PAEAD2: two AEAD schemes; PAEAD1, PAEAD2 (vector-input variants): two AEAD schemes which handle vector headers; DAE1, DAE2: two DAE schemes; DAEAD1, DAEAD2: two DAEAD schemes. Implementation using Intel intrinsics: performance of the AEAD schemes comparable to (slightly slower than) OCB3; offers some design advantages.

76 PAE1: A Schematic Diagram. [Figure] P_1, P_2, P_3 are masked by Γ_{γ,1}, Γ_{γ,2}, Γ_{γ,3}, passed through π and masked again by Γ_{γ,1}, Γ_{γ,2}, Γ_{γ,3} to give C_1, C_2, C_3; bin_n(r), masked by Γ_{γ,4} and passed through π, gives pad, and C_4 = First_r(P_4 ⊕ pad); sum, masked by Γ_{γ,5} ⊕ δ_1 and passed through π, gives the tag. T_4 = C_4 ‖ 0^{n−r}; sum = P_1 ⊕ P_2 ⊕ P_3 ⊕ T_4 ⊕ Γ_{γ,5} ⊕ δ_1 ⊕ pad.

77 PAEAD1: Encryption. PAEAD1.Encrypt_{K,fStr}(N, H_1, ..., H_k, P): δ_0 = E_K(fStr); δ_1 = Γ_{δ_0,1}; if k = 0, tag_2 = 0^n; else tag_2 = PAuth_{K,δ_0}(H_1, ..., H_k); (C, tag_1) = Forward1_{K,δ_1}(N, P); return (C, tag_1 ⊕ tag_2).

78 PAuth. PAuth_{K,fStr}(P): 1. (P_1, ..., P_m) = Format(P, n); 2. κ = E_K(fStr); 3. if (m = 1 and r < n) sum = P_1 ⊕ Γ_{κ, 1}; 4. if (m = 1 and r = n) sum = P_1 ⊕ Γ_{κ, 2}; 5. if (m > 1): 6. C_i = E_K(P_i ⊕ Γ_{κ,i}), i = 1, ..., m−1; 7. sum = C_1 ⊕ ... ⊕ C_{m−1} ⊕ P_m; 8. if (r < n) then sum = sum ⊕ Γ_{κ,m}; 9. end if; 10. tag = E_K(sum); return tag. m: number of blocks; r: length of the last block.

79 Vector-Input PRF. Generic conversion of a single-input PRF to a vector-input PRF: f̃(X_1, ..., X_k) = f(ω_0 ‖ (f(ω_1 ‖ X_1) ⊕ ... ⊕ f(ω_k ‖ X_k))). ω_0, ..., ω_k are distinct, fixed w-bit words such that 2^w > k + 1. It is sufficient to take w = 8, i.e., the ω_i are distinct bytes. k is not fixed; k = 0: the output is f(ω_0); k = 1, X_1 = λ: the output is f(ω_0 ‖ f(ω_1)). Converts PAuth1 to the vector-input PAuth1.
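The generic conversion of this slide in code, as an added example (not the authors' implementation): HMAC-SHA256 is an assumed stand-in for the single-input PRF f, the ω_i are the single bytes 0, 1, ..., k as the slide allows for w = 8, and the k = 0 and empty-X_1 cases are handled as the slide specifies. The checks at the end show the property the domain separation buys: moving a boundary between components, reordering components, or appending an empty component all change the output.

```python
import hashlib
import hmac

W_BYTES = 1   # w = 8: the omega_i are distinct single bytes, so 2^w > k + 1 needs k + 1 < 256


def prf(key: bytes, x: bytes) -> bytes:
    """Single-input PRF f. HMAC-SHA256 is an assumed stand-in; the slide leaves f abstract."""
    return hmac.new(key, x, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _omega(i: int) -> bytes:
    """omega_i: the fixed w-bit word for position i."""
    return i.to_bytes(W_BYTES, "big")


def vector_prf(key: bytes, *inputs: bytes) -> bytes:
    """f~(X_1, ..., X_k) = f(omega_0 || (f(omega_1 || X_1) xor ... xor f(omega_k || X_k))).
    For k = 0 the output is f(omega_0), as on the slide."""
    k = len(inputs)
    assert k + 1 < 2 ** (8 * W_BYTES), "need 2^w > k + 1"
    if k == 0:
        return prf(key, _omega(0))
    acc = bytes(hashlib.sha256().digest_size)          # XOR accumulator, all zero
    for i, x in enumerate(inputs, start=1):
        acc = _xor(acc, prf(key, _omega(i) + x))
    return prf(key, _omega(0) + acc)


def separation_checks(key: bytes) -> dict:
    """Inputs that concatenate to the same byte string must still hash differently."""
    return {
        "boundary_moved": vector_prf(key, b"ab", b"c") != vector_prf(key, b"a", b"bc"),
        "reordered": vector_prf(key, b"x", b"y") != vector_prf(key, b"y", b"x"),
        "empty_appended": vector_prf(key, b"abc") != vector_prf(key, b"abc", b""),
        "k_zero_is_f_omega0": vector_prf(key) == prf(key, _omega(0)),
    }


if __name__ == "__main__":
    demo_key = b"constructed demo key"
    print(vector_prf(demo_key, b"header-1", b"header-2").hex())
    print(separation_checks(demo_key))
```

Each component is processed with its own position byte and the results are only combined by XOR, so the components can be hashed independently and in parallel; the final outer call under ω_0 keeps the combined value from being used directly as a tag.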

80 Forward1. Forward1_{K,δ}(N, P): 1. (P_1, ..., P_m) = Format(P, n); 2. γ = E_K(N ⊕ δ); 3. C_i = E_K(P_i ⊕ Γ_{γ,i}) ⊕ Γ_{γ,i}, i = 1, ..., m−1; 4. pad = E_K(bin_n(r) ⊕ Γ_{γ,m}); 5. C_m = First_r(P_m ⊕ pad); T_m = C_m ‖ 0^{n−r}; 6. sum = P_1 ⊕ ... ⊕ P_{m−1} ⊕ T_m ⊕ Γ_{γ,m+1} ⊕ δ ⊕ pad; 7. tag = E_K(sum); return (C_1 ‖ ... ‖ C_{m−1} ‖ C_m, tag).

81 Generating the Offsets Γ. Γ_{γ,i} = ψ^i(γ): tower field representation of GF(2^n) with n = n_1 n_2. ρ(α) is an irreducible polynomial of degree n_1 over GF(2). µ(x) is a monic primitive polynomial of degree n_2 over GF(2^{n_1}); all coefficients of µ(x), except the constant term, can be chosen to be 0 or 1. ψ is the multiply-by-x map defined over GF(2^{n_1}), a generalised powering-up map; the minimal polynomial of ψ over GF(2) is primitive and of degree n.

82 Design Advantages. Nonces: n-bit strings; processed in the same way irrespective of whether they are generated by a counter or not. (OCB3: if nonces are not sequential, each has to be encrypted and a small amount of additional processing has to be done.) Reconfigurable masking method: simply changing ρ and µ gives a new scheme. Easy to optimise for a target processor: for Intel processors use the usual powering-up map; for small processors such as Atmel AVR 8-bit, 16-bit and 32-bit microcontrollers, it makes sense to use an appropriate tower field; avoids using a pre-computed table. The parameter fStr is a tweak to the mode of operation. Handles vector headers.

83 Summary. Motivation for authenticated encryption with associated data. Block ciphers and related modes of operations. A brief review of relevant formalism. Overview of construction approaches. Sketch of some constructions, including GCM and OCB. AEAD has a lot more to offer: CAESAR proposals; other criteria: release of unverified ciphertext; handling tag-length variability. Exciting times ahead for researchers.

84 Thank you for your attention!


Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Message Authentication Codes (MACs)

Message Authentication Codes (MACs) Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6 U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5 Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security

More information

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address: AES-OTR v3 Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address: k-minematsu@ah.jp.nec.com Date: April 4, 2016 1 Specification OTR, which stands for Offset Two-Round, is a blockcipher

More information

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication

More information

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

A Domain Extender for the Ideal Cipher

A Domain Extender for the Ideal Cipher A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange

More information

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1 MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified

More information

OCB Mode. Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity

OCB Mode. Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity OCB Mode Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity Submitted on April 1, 2001 Revised on April 18, 2001 Submitter: Phillip Rogaway rogaway@cs.ucdavis.edu

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

On the Round Security of Symmetric-Key Cryptographic Primitives

On the Round Security of Symmetric-Key Cryptographic Primitives On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India Another Look at XCB Debrup Chakraborty 1, Vicente Hernandez-Jimenez 1, Palash Sarkar 2 1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508 San Pedro Zacatenco, Mexico City 07360, Mexico debrup@cs.cinvestav.mx,

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

Symmetric Encryption

Symmetric Encryption 1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently

More information

Characterization of EME with Linear Mixing

Characterization of EME with Linear Mixing Characterization of EME with Linear Mixing Nilanjan Datta and Mridul Nandi Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 03, B.T. Road, Kolkata, India 700108 nilanjan isi

More information

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 5: Pseudorandom functions from pseudorandom generators Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection

More information

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,

More information

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Full and Updated Version 2013-12-05 Ewan Fleischmann, Christian Forler, Stefan Lucks, and Jakob Wenzel Bauhaus-University Weimar,

More information

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

More information

Stronger Security Variants of GCM-SIV

Stronger Security Variants of GCM-SIV Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message

More information

Parallelizable and Authenticated Online Ciphers

Parallelizable and Authenticated Online Ciphers Parallelizable and Authenticated Online Ciphers Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 1,2, and Kan Yasuda 1,4 1 Department of Electrical Engineering,

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Tweakable Block Ciphers

Tweakable Block Ciphers Tweakable Block Ciphers Moses Liskov 1, Ronald L. Rivest 1, and David Wagner 2 1 Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139, USA mliskov@theory.lcs.mit.edu,

More information

EME : extending EME to handle arbitrary-length messages with associated data

EME : extending EME to handle arbitrary-length messages with associated data EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher

More information

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC 9797 1:2011 MACs Tetsu Iwata, Nagoya University Lei Wang, Nanyang Technological University FSE 2014 March 4, 2014, London, UK 1 Overview ANSI X9.24

More information

Notes for Lecture 9. 1 Combining Encryption and Authentication

Notes for Lecture 9. 1 Combining Encryption and Authentication U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure

More information

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement

More information

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2 0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod

More information

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION. ED KNAPP Abstract. We give a framework for construction and composition of universal hash functions. Using this framework,

More information

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008 G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,

More information

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function 3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward

More information

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any

More information

STRIBOB : Authenticated Encryption

STRIBOB : Authenticated Encryption 1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers

More information

Stronger Security Variants of GCM-SIV

Stronger Security Variants of GCM-SIV Stronger Security Variants of GCM-SIV Tetsu Iwata 1 and Kazuhiko Minematsu 2 1 Nagoya University, Nagoya, Japan, tetsu.iwata@nagoya-u.jp 2 NEC Corporation, Kawasaki, Japan, k-minematsu@ah.jp.nec.com Abstract.

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

III. Pseudorandom functions & encryption

III. Pseudorandom functions & encryption III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3 Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption

OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption PHILLIP ROGAWAY University of California at Davis and Chiang Mai University MIHIR BELLARE University of California at San Diego

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

STREAM CIPHER. Chapter - 3

STREAM CIPHER. Chapter - 3 STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.

More information

A block cipher enciphers each block with the same key.

A block cipher enciphers each block with the same key. Ciphers are classified as block or stream ciphers. All ciphers split long messages into blocks and encipher each block separately. Block sizes range from one bit to thousands of bits per block. A block

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

CSc 466/566. Computer Security. 5 : Cryptography Basics

CSc 466/566. Computer Security. 5 : Cryptography Basics 1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Dan Boneh. Stream ciphers. The One Time Pad

Dan Boneh. Stream ciphers. The One Time Pad Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.

More information