FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Similar documents
Stronger Security Variants of GCM-SIV

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Foundations of Network and Computer Security

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

2 Message authentication codes (MACs)

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Block Ciphers/Pseudorandom Permutations

Modern Cryptography Lecture 4

CS 6260 Applied Cryptography

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Symmetric Encryption

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

CTR mode of operation

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Foundations of Network and Computer Security

Key Recovery Attack against 2.5-round π-cipher

Lecture 12: Block ciphers

Solution of Exercise Sheet 7

CS 6260 Applied Cryptography

Foundations of Network and Computer Security

Message Authentication Codes (MACs)

Block ciphers And modes of operation. Table of contents

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Symmetric Crypto Systems

Notes for Lecture 9. 1 Combining Encryption and Authentication

Introduction to Cybersecurity Cryptography (Part 4)

A block cipher enciphers each block with the same key.

Building Secure Cryptographic Transforms, or How to Encrypt and MAC

On the Security of CTR + CBC-MAC

Symmetric Crypto Systems

A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)

Introduction to Cybersecurity Cryptography (Part 4)

ECS 189A Final Cryptography Spring 2011

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

ACORN: A Lightweight Authenticated Cipher (v3)

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Lecture 4: DES and block ciphers

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Lecture 9 - Symmetric Encryption

Lecture 5, CPA Secure Encryption from PRFs

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Stronger Security Variants of GCM-SIV

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Symmetric Encryption. Adam O Neill based on

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Lecture 5: Pseudorandom functions from pseudorandom generators

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Breaking and Repairing GCM Security Proofs

CSc 466/566. Computer Security. 5 : Cryptography Basics

Klein s and PTW Attacks on WEP

Online Authenticated Encryption

Deterministic Authenticated-Encryption

Analysis of Underlying Assumptions in NIST DRBGs

Public-key Cryptography: Theory and Practice

Introduction to Cryptography Lecture 4

1 Cryptographic hash functions

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Breaking Symmetric Cryptosystems Using Quantum Algorithms

of the Data Encryption Standard Fauzan Mirza

Cryptography Lecture 4 Block ciphers, DES, breaking DES

New Attacks against Standardized MACs

RSA RSA public key cryptosystem

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

BLOCK CIPHERS KEY-RECOVERY SECURITY

1 Cryptographic hash functions

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

An Introduction to Authenticated Encryption. Palash Sarkar

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

On the Counter Collision Probability of GCM*

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

Leftovers from Lecture 3

Lecture 10 - MAC s continued, hash & MAC

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Post-quantum security models for authenticated encryption

Message Authentication. Adam O Neill Based on

CPA-Security. Definition: A private-key encryption scheme

Digital Signatures. Adam O Neill based on

Hashes and Message Digests Alex X. Liu & Haipeng Dai

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Lecture 7: CPA Security, MACs, OWFs

Breaking H 2 -MAC Using Birthday Paradox

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Block Cipher Cryptanalysis: An Overview

Lectures 2+3: Provable Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CPSC 467: Cryptography and Computer Security

Transcription:

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY Guy Barwell guy.barwell@bristol.ac.uk University of Bristol Abstract. We present attacks against CMCC that invalidate the claimed security of integrity protection and misuse resistance. We exploit the fact zeropadding is used on both the message and authenticated data and demonstrate how one may generate a forgery with a single call to the encryption oracle. From this we calculate the ciphertext of the chosen message, yielding a forgery and so breaking INT-CTXT. In the nonce-reuse setting, existence of a forgery leads directly to a 2-query distinguisher. 1. Description of Stateless CMCC CBC-Mac-Counter-CBC[5] henceforth CMCC is a CAESAR[1] submission, and comes in both stateful and stateless forms. In this note we consider the stateless version, which is the recommended conguration, and demonstrate a weakness in the mode of operation itself. As such, our attacks holds across all stateless parameter sets, irrespective of the choice of primitives. 1.1. Notation. Following the original paper, let B be the blocksize in bits,τ the number of authenticity bits and N a Public Message Number which must be a nonce, with recommended values B, τ, N = 128, 64, 32. No secret message number is used in the stateless version. Let and denote respectively the xor and concatenation of two strings. Constant bytes are provided in hexadecimal and typeset in typewriter font eg 0xB6. Finally, 0 α is the string of α zero bits. Whilst all lengths will be given in bits, as per submission requirements[1] they shall all be exact number of bytes, and thus multiples of 8. Where appropriate, E K represents an encryption oracle, whilst CMCC K is the CMCC encryption function under key K. 1.2. Components. For clarity of notation, we will describe CMCC in terms of the following well known components, each instantiated with an appropriate blockcipher for which the recommendation is aes: Let Pad b M be the function that returns bitstring M padded up to b bits by appending suciently many zero bits. Let MSB b M be the Most Signicant Bits function, returning bitstring M truncated to the rst b bits. Let E k m be the encryption of a single block m with key k using the block cipher. Let CBC N k M be the cipher block chaining mode[3] encryption of message M under key k and initial value N. Let MAC N k M be an unforgable MAC on message M under key k and with initial value N. The recommended instantiation is AES-CMAC[4]. 1

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY 2 Algorithm 1 Stateless CMCC Encryption if 2 A + M + τ 2B 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 CMCCN, A, M K, L 1, L 2, L 2, L 3 KeyExpansionK W E K 0xB6 B N N P 1 P 2 M 0 τ st. P 1 { P 2, P 2 8} R 0 Pad B P 1 R 1 CBC W L 3 R 0 X MSB P2 R 1 P 2 T 1 Pad B X A T 2 E L2 T 1 X 2 MSB P1 T 2 P 1 S 0 Pad B X 2 S 1 CBC W L 1 S 0 X 1 MSB P2 S 1 X Return X 1, X 2 Let CTR N k M be the counter mode encryption[2] of M under key k with initial counter value N. The internal mechanism KeyExpansionK is instantiated by the scheme as simply splitting a key K several block lengths long into separate keys. 1.3. CMCC Encryption. We split the two possible cases of the algorithm into two separate listings. In Algorithm 1 we provide the algorithm used to encrypt if the message,associated data and tag lengths satisfy 2 A + M + τ 2B, and Algorithm 2 provides the code used otherwise. The decryption algorithm on input K, N, A, X 1, X 2 uniquely recovers P 1 P 2 from 1.4 2.4 in the long version and if this string parses as M 0 τ returns that M. Otherwise if the string does not end with 0 τ the string fails authentication and decryption returns. For a full listing of the algorithm, see the original paper [5]. 2. Attacks on stateless CMCC We now describe ecient forgeries against the two variants. 2.1. Forgery on stateless CMCC for short messages. Let N, A, M be an encryption input triple such that 2 A + 8 + M + τ 2B for example, it would suce to have an empty message and half a block of associated data. We produce a forgery by appending a zero byte to the associated data and submitting the same ciphertext. Consider the dierence between the internal variables of the routine when encrypting N, A, M and N, A 0x00, M. The only place the input variables differ is on line 1.8, where in the former T 1 Pad B X A, and in the latter T 1 Pad B X A 0x00. However, since the padding is with zero bytes and up to the same length, in each case T 1 takes the same value. Thus for the whole

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY 3 Algorithm 2 Stateless CMCC Encryption if 2 A + M + τ > 2B 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 EncryptN, A, M K, L 1, L 2, L 2, L 3 KeyExpansionK W E K 0xB6 B N N P 1 P 2 M 0 τ st P 1 { P 2, P 2 8} R 0 Pad β P 1 β = min {β BN: β P 2 } R 1 CBC W L 3 R 0 X MSB P2 R 1 P 2 V MAC W L 2 X A X 2 CTR V L2 P 1 S 0 Pad β X 2 S 1 CBC W L 1 S 0 X 1 MSB P2 S 1 X Return X 1, X 2 of the calculation the internal variables are the same in each case. Therefore, by requesting the encryption X 1, X 2 = E K N, A 0x00, M from the encryption oracle, we can can produce the forgery on the associated data, since we know that CMCC K N, A, M = N, A, X 1 X 2. 2.2. Related ciphertexts from related messsages in stateless CMCC for Longer messages. The key observation is that the method used to parse input on line 2.5 and apply padding on line 2.7 allow us to create two messages M, M such that the majority of the internal variables take the same values whether calculating CMCC K N, A, M or CMCC K N, A, M. As a result, the ciphertext from one can be used to form the ciphertext of the other by modifying just the nal byte. Lemma 1. Let N, A, M be a valid nonce, associated-data, message triple with M = 2iB + 8 τ for some i N and 2 A + M + τ > 2B. Write M = M 1 M 2 with M 1 = ib and M 2 = ib + 8 τ, and set M = M1 0x00 M 2. Then, if X 1, X 2 = CMCC K N, A, M and X 1, X 2 = CMCC K N, A, M, we have that MSB ib X 1 = MSB ib X 1, and X 2 = MSB ib X 2. Proof. For clarity's sake, we let the internal variables from the encryption of M use the same notation as in Algorithm 2, and their counterparts during the second encryption shall use the same variable names, marked with a tilde. A direct comparison of the two encryptions is provided in Appendix A. The rst line on which the internal variables will dier is 2.4, where P 1, P 2 = M 1, M 2 0 τ, as opposed to P 1, P 2 = M 1 0x00, M 2 0 τ. In particular, we have that P 2 = P 2 and P 1 = P 1 0x00. P 1 = ib, whilst the other three are of length ib + 8 bits. Therefore, on line 2.5 both P 1 and P 1 are zero padded up to the next block boundary, meaning R 0 = R 0 = M 1 0 B. Thus the dierence between P 1 and P 1 is hidden by the padding.

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY 4 Results: Previous [5] New short New long τ = 64 32 8 64 32 8 64 32 8 Condentiality of plaintext 128 128 128 integrity for plaintext 64 32 16 7 7 7 integrity for Assoc. data 64 32 16 0 0 0 integrity for PMN 64 32 16 Table 1. Comparison of integrity goals for stateless AES-CMCC v1 with t byte tag This directly leads to the internal variables across lines 2.6,2.7 and 2.8 being equal, meaning R 1, X, V = R 1, X, Ṽ. Therefore, the streams generated by the counter on line 2.9 are also equal, and since P 1 = P 1 0x00 we have X 2 = X 2 χ for some unknown byte χ. Now, line 2.10 again zero pads up to the next block boundary, and so S 0 = X 2 0 B, whilst S 0 = X 2 χ 0 B 8. Notice that, because P 1 was a multiple of the block length, the only dierence between these values occurs in the nal block. This is important since on line 2.11 we now encrypt S 0 and S 0 in CBC mode, which means that S 1 and S 1 are equal on all but the nal block. Finally, this means that X 1 and X 1 are equal on all but the nal block. Since X 1 = P 2 = ib + 8, any dierence between X 1 and X 1 occurs within the nal8 bits. 2.3. Forgery on stateless CMCC for longer messages. To produce a forgery in the int-ctxt game, we pick an associated-data/message pair that satises the requirements of Lemma 1. For example: A, M = 0 B, 0 4B+8 τ. Having constructed M as above, we query the encryption oracle for X 1, X 2 = E K N, A, M for some valid nonce. Let X 2 = MSB ib X 2, and set X1 = MSB ib X 1. From the result above, we know that the valid encryption of CMCC K N, A, M = X 1 δ, X 2 for some byte δ. Thus to construct a forgery we simply guess all 2 8 possible values of δ, and query each one to the decryption oracle. One of these will be a valid ciphertext, and thus a valid forgery. Therefore, with one query of the encryption oracle and at most 2 8 queries of the decryption oracle expected number of queries 2 7 a forgery can be produced for stateless CMCC for longer messages. 3. Comparison with security claims of CBCC 3.1. Integrity. Table 2.1 of [5] provides integrity goals for the scheme, and is reproduced in the rst three columns of Table 1. The next triplet of columns refer to the strength of the protection oered when a very short message is used, as investigated in Section 2.1, and the nal set to those investigated in Section 2.3. The new results are signicantly lower than the claimed security level. 3.2. Robustness: Extending the forgery to an distinguisher against MRAE. Section 2.1 of the CMCC submission document states that robustness against Public-Message-Number abuse ie nonce reuse should be optimal. However, since we are able to calculate a valid encryption for a known message without querying the oracle on it, we can construct a distinguisher against the misuse resistance claim. First, we follow the method given in this note to nd the encryption for

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY 5 a message M we have not queried the oracle on. Then, after querying the oracle for C = E K N, A, M, we can compare C with our forgery, and thus distinguish a CMCC-Encrypt oracle from a Random Oracle with overwhelming probability. Similarly, Section 2.2 states that it should not be possible to modify a valid ciphertext to cause a predictable change in the plaintext, something we demonstrate is possible. 4. Conclusion We have presented attacks that demonstrate the integrity guarantees of CMCC are not as high as originally conjectured, and that some of the security claims of CMCC are therefore not met. This attack is due to the use of zero-padding, and it might be possible to resolve the weakness using a more robust padding scheme, even if the validity of paddings is not checked. 5. Acknowledgements The author is grateful for helpful discussions and comments on a previous draft provided by Martijn Stam and Gaven Watson. Thanks also to Daniel Bernstein for coordinating the CAESAR competition and hosting the submissions. This work was conducted whilst Guy Barwell a PhD student in the University of Bristol Cryptography-Security group. He was supported by an EPSRC grant. References [1] Daniel Bernstein. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html, 2013. 1 [2] M Dworkin. Recommendation for Block Cipher Modes of Operations. NIST SP 800-38A, December 2001. 2 [3] FIPS. 81: DES Modes of Operation. Issued December, 2:63, 1980. 1 [4] JH Song, R Poovendran, J Lee, and T Iwata. RFC 4493: The AES-CMAC algorithm. Technical report, Technical report, Corporation for National Research Initiatives, Internet Engineering Task Force, Network Working Group, 2006. 1 [5] Jonathan Trostle. AES-CMCC: v1. Submitted to CAESAR competition, March 2014. 1, 2, 4

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY 6 Appendix A. comparison between encryption N, A, M 1 M 2 and N, A, M 1 0x00 M 2 2.1 2.2 2.3 2.4 EncryptN, A, M 1 M 2 EncryptN, A, M 1 0x00 M 2 L 1, L 2, L 3 KeyExpansionK K, L 2 KeyExpansionK W E K 0xB6 16 N N P 1 P 2 M 1 M 2 0 τ L 1, L 2, L 3 KeyExpansionK K, L2 KeyExpansionK W E K 0xB6 16 N N P1 P 2 M 1 0x00 M 2 0 τ 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 //P 1 = M 1, P 2 = M 2 0 τ // P 1 = P 1 0x00, P 2 = P 2 // P 1 = ib; P 2 = ib + 8 // P 1 = P 2 = ib + 8 R 0 Pad i+1b P 1 R 0 Pad i+1b P 1 0x00 R 1 CBC W L 3 R 0 R 1 CBC W L 3 R 0 X MSB P2 R 1 P 2 X MSB P2 R 1 P 2 V MAC W L 2 X A V MAC W L 2 X A X 2 CTR V L2 P 1 X2 CTR V L2 P 1 0x00 // X 2 = P 1 = ib // X 2 = X 2 χ for some byte χ S 0 Pad i+1b X 2 S0 Pad i+1b X 2 χ //S 0 = X 2 0 B // S 0 = X 2 χ 0 B 8 S 1 CBC W L 1 X 2 0 B S1 CBC W L 1 X 2 χ 0 B 8 //MSB ib S 1 = MSB ib S 1 X 1 MSB ib+8 S 1 X X1 MSB ib+8 S 1 X //MSB ib X 1 = MSB ib X 1 //ie: they only dier on nal byte Return X 1, X 2 Return X 1, X 2

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback