Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Size: px

Start display at page:

Download "Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata"

Tracey Grant
5 years ago
Views:

1 Further More o Key Wrappig 011//17 SKEW011 Lygby Nagoya Uiversity Yasushi Osaki, Tetsu Iwata 1

2 What is key wrappig? Used to ecrypt specialized data, such as cryptographic keys A key wrappig that also esures itegrity is called a autheticated key wrappig (AKW) Used i key maagemet systems Used as a adapter betwee icompatible systems e.g. betwee a key maagemet system for 3DES ad AES etc.

3 What is key wrappig? Key wrappig ad AKW are widely used i practice ANSI X (008) IETF RFC 6030 (010) OASIS : Key Maagemet Iteroperability Protocol Specificatio Versio 1.0 NIST is i the process of specifyig a AKW scheme 3

4 Two approaches i desigig a AKW scheme Dedicated costructio Determiistic autheticated ecryptio (DAE) [RS06] SIV mode [RS06] HBS mode Geeric compositio Hash-the-Ecrypt [GH09] Hash-the-ECB, Hash-the-CBC, Hash-the-CTR, etc. 4 [GH09]R.Gearo,S.Halevi. More o Key Wrappig. SAC009. [RS06] Rogaway. P., Shrimpto. T.: A Provable-Security Treatmet of the Key-Wrap Problem. EUROCRYPT 006.

5 Gearo ad Halevi s results They examied combiatios of some ecryptio modes ad some hash fuctios Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure 5 XEX secure secure secure secure

6 Gearo ad Halevi s results They examied combiatios of some ecryptio modes ad some hash fuctios Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure 6 XEX secure secure secure secure

7 Gearo ad Halevi s results 7 ECB ad CBC modes are likely deployed already i existig systems There are a large umber of efficiet costructios of a uiv-hash fuctio, e.g. a polyomial hash fuctio, MMH, etc. Hash XOR Liear d-preimage uiversal Ecryptio resistat hash CTR broke broke secure secure ECB broke somewhat secure broke CBC broke somewhat secure ope problem masked ECB/CBC somewhat somewhat secure secure XEX secure secure secure secure

8 Our goal We show there exists a subset of uiv-hash fuctios that ca securely be used with ECB mode there exists a subset of uiv-hash fuctios that ca securely be used with CBC mode (It is a partial aswer to the ope problem) a moic polyomial is icluded i these subsets uiv-hash uiv-hash secure ECB? secure CBC 8

9 AKW scheme Wrappig key W Ecrypt a plaitext D {0,1} l uder W C AKW W (D ) Decrypt a ciphertext C {0,1} (l+1) uder W D or AKW -1 W (C ) meas reject 9

10 Security for AKW (1) [GH09] Radom-Plaitext Attack (RPA-security) Adversary A b'{0,1} ivoke D, D, C 0 i 1 i i q times Challege Wrappig D C 0 i i, D 1 i AKW AKW oracle bit: b key : W W D b i 0,1 : chose at radom 10 Adv rpa AKW A Prb' 1 b 1 Prb' 1 b 0

11 Security for AKW () [GH09] Itegrity of ciphertext (INT-security) Adversary A * C Adv it AKW : Challege ivoke D i, C i ciphertext q times A PrA forges Wrappig key:w D : chose at radom C i i AKW AKW oracle W D i 11 The AKW scheme is secure, if Adv rpa (A) ad Adv it (A) are sufficietly small

12 Hash-the-ECB [GH09] ad Hash-the-CBC [GH09] Hash-the-ECB (HtECB) Hash-the-CBC (HtCBC) 1

13 Our results The HtECB scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal C uiform C hash fuctio The HtCBC scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal CC uiform CC hash fuctio uiv-hash uiv-hash 13

14 Our results The HtECB scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal C uiform C hash fuctio The HtCBC scheme is a secure AKW scheme if the uderlyig hash fuctio is a uiversal uiform uiversal CC uiform CC hash fuctio uiv-hash We preset these ew otios uiv-hash 14

15 Classical otios of hash fuctio uiversal l Let X, X ' {0,1} ( X X ') be arbitrary bit strigs A keyed hash fuctio H is a ε 1 -uiversal hash fuctio if Pr[ H ( X ) H ( X ')] L L uiform l Let X { 0,1}, Y {0,1 } be arbitrary bit strigs A keyed hash fuctio H is a ε -uiform hash fuctio if Pr[ ( X ) Y] 1 15

16 New otios of hash fuctio uiversal C (uiversal with compositio) l Let X 1,, X l {0,1}, Z[1], Z[ l] {0,1 } ad l X ' {0,1} ( X ' ( Z[1],, Z[ l])) be arbitrary bit strigs A keyed hash fuctio H is a ε 3 -uiversal C hash fuctio if, for each of the l possible choices of X { Z[1], HL( X1)} { Z[ l], HL( Xl )}, Pr[ H L ( X ) H L ( X ')] 3 16

17 New otios of hash fuctio uiversal C For example, if l =, we require Pr[ ( Z[1], Z[]) Pr[ HL( HL( X1), Z[]) Pr[ H Z[1], H ( X )) Pr[ H L( L L( HL( X1), HL( X )) ( X ')] 3 ( X ')] 3 ( X ')] ( X ')] 3 3 Z [1] Z[] X 1 Z[] Z[1] X X 1 X 17 (X ) (X ) (X ) (X )

18 New otios of hash fuctio uiform C (uiform with compositio) l Let 1,, X l {0,1}, Z[1], Z[ l] {0,1 be arbitrary bit strigs X } A keyed hash fuctio H is a ε 4 -uiform C hash fuctio if, for each of the l possible choices of X { Z[1], HL( X1)} { Z[ l], HL( Xl )}, ad Y {0,1 } Pr[ ( X ) Y] 4 18

19 New otios of hash fuctio uiversal CC (uiversal with compositio ad xor costat) l Let X,, X {0,1}, Z[1], Z[ l] {0,1}, V[1],, V[ l] 1 l {0,1} l ad X ' {0,1} ( X ' ( Z[1],, Z[ l])) be arbitrary bit strigs A keyed hash fuctio H is a ε 5 -uiversal CC hash fuctio if, for each of the l possible choices, of X { Z[1], H ( X1) V[1]} { Z[ l], H ( X ) V[ l]} L L l Pr[ H L ( X ) H L ( X ')] 5 19

20 New otios of hash fuctio uiform CC (uiform with compositio ad xor costat) l Let X,, Xl {0,1}, Z[1], Z[ l] {0,1}, V[1],, V[ l] ad Y {0,1 } be arbitrary bit strigs A keyed hash fuctio H is a ε 6 -uiform CC hash fuctio if, for each of the l possible choices, of 1 X { Z[1], H ( X1) V[1]} { Z[ l], H ( X ) V[ l]} L L l {0,1} Pr[ ( X ) Y] 6 0

21 Theorem 1 (HtECB) Let H be a ε 1 -uiversal, ε -uiform, ε 3 -uiversal C, ε 4 -uiform C hash fuctio E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtECB[H,E] it HtECB[H,E] ( A) ( A) Adv Adv prp E sprp E q l ( A') q 1 4q l q ( A'') 1 q l q( l 1) max{, } where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries

22 Proof of INT Advatage (ituitio)? E * * D [1] D [] E E K K K * * * C [0] C [1] C [] * C * D l = D*[j] (0 j ) are a hash value or a fixed costat If D * [0] is a hash value, Pr[ (D * )=D * [0]] ε 3 because H is ε 3 -uiversal C hash fuctio If D * [0] is a fixed costat, Pr[ (D * )=D * [0]] ε 4 because H is ε 4 -uiform C hash fuctio it sprp q AdvHtECB[H, E] ( A) AdvE ( A'') 1 q l q( l 1) max{ 3, 4}

23 Theorem (HtCBC) Let H be a ε 1 -uiversal, ε -uiform, ε 5 -uiversal CC, ε 6 -uiform CC hash fuctio E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtCBC[H,E] it HtCBC[H,E] ( A) ( A) Adv Adv prp E sprp E ( A') q ( A'') 14q 1 q 1 q ( l 1) l q( l 1) max{, } where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries

24 Costructio of a Hash Fuctio A moic polyomial hash fuctio defied i (1) suffices to obtai a uiversal uiversal C uiversal CC uiform uiform C uiform CC hash fuctio for sufficietly small ε 1,...,ε 6 4 H L l 1 l X L L X[1] L X[ l] (1) X X1,, Xl 0, 1 l 0, Iput : Key : L 1 The multiplicatio is over GF( )

25 A moic polyomial hash fuctio It ca be implemeted easily from a polyomial hash fuctio A polyomial hash fuctio is the basic costructio of a uiversal hash fuctio Used i [MV04][NIST800-38D][Be05] [MV04] McGrew, D., Viega, J.: The Security ad Performace of the Galois/Couter Mode (GCM) of Operatio. [NIST800-38D] NIST: Recommedatio for Block Cipher Modes of Operatio: Galois/Couter Mode (GCM) ad GMAC. [Be05] Berstei, D.J.: The poly1305-aes Message-Autheticatio Code. 5

26 Coclusios We proposed a total of four ew otios of a keyed hash fuctio Based o the ew otios, we showed that HtECB ad HtCBC schemes are secure AKW schemes The result o the HtCBC scheme partially solves the ope problem We showed that there exists a efficiet costructio of a keyed hash fuctio that satisfies all the six otios 6

27 7 Thak you!

28 Lemma 3 The keyed hash fuctio defied i (1) is a l l 1 l 1 - uiversal, - uiform, - uiversal l 1 l 1 - uiversalcc, - uiform CC C l 1, - uiform hash fuctio C, 8

29 Corollary 1 (HtECB) Let H be the keyed hash fuctio defied i (1) E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtECB[H,E] it HtECB[H,E] ( A) Adv ( A) Adv where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries prp E sprp E 8q ( l 1) ( A') 3q ( l 1) ( A'') 9

30 Corollary (HtCBC) Let H be the keyed hash fuctio defied i (1) E be a blockcipher The for ay A that ivokes the oracle at most q times, there exist adversaries A ad A such that Adv Adv rpa HtCBC[H,E] it HtCBC[H,E] ( A) Adv ( A) Adv where A makes at most q (l +1) queries ad A makes at most (q +1)(l +1) queries prp E sprp E 16q ( A') ( A'') 3q ( l 1) ( l 1) 30

31 Hash-the-ECB + (HtECB + ) D[0] D D [1] D[l] D[0] D D [1] D[l] d 31 bit E bit K lsb ~ C[0] EK EK C [1] C[l] d ~ C[0] E? K bit lsb bit E -1-1 K EK C [1] C[l]

32 Corollary 3 64 l q ) Adv it ] ( ),,Perm( [ HtECB A d H d d d H l l q l q A 1 1) ( 1) ( 3 ) ( Adv it ] ),,Perm( [ HtECB

Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell

Message Authentication Codes. Reading: Chapter 4 of Katz & Lindell Message Autheticatio Codes Readig: Chapter 4 of Katz & Lidell 1 Message autheticatio Bob receives a message m from Alice, he wats to ow (Data origi autheticatio) whether the message was really set by Alice.