On the Counter Collision Probability of GCM*

Similar documents
Breaking and Repairing GCM Security Proofs

GCM Security Bounds Reconsidered

Breaking and Repairing GCM Security Proofs

Authenticated Encryption Mode for Beyond the Birthday Bound Security

Stronger Security Variants of GCM-SIV

Stronger Security Variants of GCM-SIV

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Type 1.x Generalized Feistel Structures

High Performance GHASH Function for Long Messages

Foundations of Network and Computer Security

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

EME : extending EME to handle arbitrary-length messages with associated data

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Foundations of Network and Computer Security

Tweakable Enciphering Schemes From Stream Ciphers With IV

ECS 189A Final Cryptography Spring 2011

High Performance GHASH Function for Long Messages

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

Studies on Disk Encryption

non-trivial black-box combiners for collision-resistant hash-functions don t exist

Blockcipher-based MACs: Beyond the Birthday Bound without Message Length

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

On the Security of CTR + CBC-MAC

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture Notes. Advanced Discrete Structures COT S

A Domain Extender for the Ideal Cipher

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Introduction to Cybersecurity Cryptography (Part 4)

Information-theoretic Secrecy A Cryptographic Perspective

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Message Authentication Codes (MACs)

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Leftovers from Lecture 3

Introduction to Cybersecurity Cryptography (Part 4)

Foundations of Network and Computer Security

Characterization of EME with Linear Mixing

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

CPSC 467: Cryptography and Computer Security

The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3

Solution of Exercise Sheet 7

A Multiple Bit Parity Fault Detection Scheme for The Advanced Encryption Standard Galois/ Counter Mode

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Division Property: a New Attack Against Block Ciphers

Modes of Operations for Wide-Block Encryption

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Provable security. Michel Abdalla

Provably Secure MACs From Differentially-uniform Permutations and AES-based Implementations

Quantum Differential and Linear Cryptanalysis

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

A block cipher enciphers each block with the same key.

CS 6260 Applied Cryptography

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

Parallelizable and Authenticated Online Ciphers

Symmetric Crypto Systems

Differential Fault Analysis on the families of SIMON and SPECK ciphers

Symmetric Crypto Systems

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Block Ciphers/Pseudorandom Permutations

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Linear Feedback Shift Registers

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

ASYMMETRIC ENCRYPTION

Impossible Differential Attacks on 13-Round CLEFIA-128

Modern Cryptography Lecture 4

Key Recovery Attack against 2.5-round π-cipher

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

The Security of Abreast-DM in the Ideal Cipher Model

Asymmetric Encryption

Exam Security January 19, :30 11:30

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

Recent Cryptanalysis of RC4 Stream Cipher

The Indistinguishability of the XOR of k permutations

STRIBOB : Authenticated Encryption

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Cryptography and Security Final Exam

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Advances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago

CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

CS 6260 Applied Cryptography

Multikey Homomorphic Encryption from NTRU

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Algebraic Aspects of Symmetric-key Cryptography

Transcription:

On the Counter Collision Probability of GCM* Keisuke Ohashi, Nagoya University Yuichi Niwa, Nagoya University Tetsu Iwata, Nagoya University Early Symmetric Crypto (ESC) seminar January 14 18, Mondorf les Bains, Luxembourg *Work in Progress 1

GCM Galois/Counter Mode authenticated encryption mode of 128 bit blockciphers designed by McGrew and Viega in 2004 [MV04] selected as the NIST recommended authenticated encryption mode in 2007 widely used in practice ISO/IEC 19772, IEEE P1619.1, NSA Suite B, IETF IPsec, SSH, SSL, [MV04] David A. McGrew and John Viega: The Security and Performance of the Galois/Counter Mode (GCM) of Operation. INDOCRYPT 2004. Full version in Cryptology eprint Archive: Report 2004/193 2

Overview big constant Joux at Dagstuhl Seminar (January 2012): Do you have an attack that matches the bound (exploiting the fact that there is a big constant)? I don t know tightness of the bounds, possibility of improvement [IOM12] Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu : Breaking and Repairing GCM Security Proofs. CRYPTO 2012. Full version in Cryptology eprint Archive: Report 2012/438 3

Overview ESC (January 2013): I still don t know, but we have made some progress [IOM12] Tetsu Iwata, Keisuke Ohashi, and Kazuhiko Minematsu : Breaking and Repairing GCM Security Proofs. CRYPTO 2012. Full version in Cryptology eprint Archive: Report 2012/438 4

Encryption Algorithm of GCM input: K: blockcipher key N: nonce A: associated data M: plaintext output: C: ciphertext T: tag E K : Blockcipher n = 128 (block size) GHASH L : Universal hash L=E K (0 n ), ε: empty string 5

Increment Function in GCM inc( X Y ) = X (Y+1 mod 2 32 ) X = 96, Y =32 Example inc( 0x0 01 ) = 0x0 02 inc( 0x0 0ffffffff ) = 0x0 0 inc r ( Z ): apply inc( ) on Z for r times Z = 128 6

GHASH L (ε, N) A universal hash function defined over GF(2 128 ), which is defined by the irreducible polynomial p(x) = 1+x+x 2 +x 7 +x 128, where the multiplicative identity element is 0x80 0 N 0 0 N 128 = ( X[1],,X[x] ) GHASH L (ε, N) = X[1] L x X[2] L x 1 X[x] L Example N = 0x00000000 00000000 02 (72 bits) GHASH L (ε, N) = 0x00000000 00000000 02000000 00000000 L 2 0x00000000 00000000 00000000 00000048 L if N 128 then deg( GHASH L (ε, N) ) 2 7

Counter Collision N, N 96 A counter collision: for some r, I[r] = I [0] inc r ( GHASH L (ε, N) ) = GHASH L (ε, N ) Coll L (r, N, N ) 8

Counter Collision N, N 96 A counter collision is a bad event: I[1] = I [0], I[2] = I [1], xor of two ciphertexts = xor of two plaintexts the information about plaintexts is leaked We need to show that Pr L [ Coll L (r, N, N ) ] is small 9

Pr L [ Coll L (r, N, N ) ] Is Small [Lemma 3, MV04] Pr L [ Coll L (r, N, N ) ] max{ d, d } / 2 128 where d = deg( GHASH L (ε, N) ), d = deg( GHASH L (ε, N ) ) turns out to be wrong for some ( r, N, N ) [IOM12] r = 0x0 01, N = 0x0 02 (72 bits), N = 0x0 06 (72 bits) [Lemma 3, MV04] says Pr L [ Coll L (r, N, N ) ] 2 / 2 128 but Pr L [ Coll L (r, N, N ) ] 32 / 2 128 (a lower bound) a distinguishing attack with Adv priv GCM[Rand(n), ] (A) 32/2 128 10

Pr L [ Coll L (r, N, N ) ] Is Small [Lemma 2, IOM12] For each 0 r 2 32 1 Pr L [ Coll L (r, N, N ) ] α r max{ d, d } / 2 128 where d = deg( GHASH L (ε, N) ), d = deg( GHASH L (ε, N ) ) α r can be large α r = 32 when r = 0x0 01 α r = 3524578 when r = 0x2aaaaaab, 0x55555555, 0xaaaaaaab, 0xd5555555 3524578 is about 2 22 big constant appears in the upper bound 11

Dagstuhl Seminar (January 2012) Joux: Do you have an attack that matches the bound (exploiting the fact that there is a big constant)? finding (r, N, N ) such that Pr L [ Coll L (r, N, N ) ] (big constant) / 2 128 12

Examples in [IOM12] r = 0x0 01, N = 0x0 17 2, N = 0x0 17 6 (72 bits) r = 0x0 01, N = 0x0 15 20 12, N = 0x0 15 60 12 (112 bits) r = 0x0 01, N = 0x0 17 20 10, N = 0x0 17 60 10 (112 bits) r = 0x0 01, N = 0x0 14 40 3, N = 0x0 14 c0 3 (72 bits) Pr L [ Coll L (r, N, N ) ] 32 / 2 128 13

How We Found N, N 128 GHASH L (ε, N) = (N 0 0) L 2 N 128 L = U L 2 V L Pr[ inc r ( GHASH L (ε, N) ) = GHASH L (ε, N ) ] inc 1 ( U L 2 V L ) = U L 2 V L started with random ( U, V, U, V ) at some point we found that ( U, V, U, V ) of the form V = V U = 0 8i X 0 120 8i U = 0 8i X 0 120 8i X, X = 8 has many solutions 14

Try the Same for r = 0x55555555 r = 0x55555555 for each ( U,V,U,V ) // V=V counter = 0 for 3524578 values of C solve U L 2 V L C = U L 2 V L if inc r ( U L 2 V L ) = U L 2 V L then counter++ } output ( U,U,V ) if counter is large 15

Result r = 0x55555555 counter = 8495 for the following values of (N,N ): (0x0 01d000000000000, 0x0 02b000000000000) (0x0 02c000000000000, 0x0 064000000000000) (0x0 0160000000000, 0x0 0320000000000) (0x0 0270000000000, 0x0 07d0000000000) N = N = 112 16

So? Pr L [ Coll L (r, N, N ) ] 8495 / 2 128 Adv priv GCM[Rand(n), ] (A) 8495/2 128 Pr L [ Coll L (r, N, N ) ] 4247 max{d, d } / 2 128 2 12 max{d, d } / 2 128 Not as large as 2 22, but the gap is now smaller 32 vs 2 22 > 2 12 vs 2 22 17

Security Bounds [IOM12] The tightness is open There is a possibility to reduce 2 22 to a smaller constant, but it cannot be less than 2 12 (if we follow the proof strategy in [IOM12]) 18

ASK 2012 (August 2012) Try to find (r,n,n ) that gives a higher collision probability (U,V,U,V ) can take approximately 2 128 2 128 values Yasuda: Try smaller GCM? 19

Small GCM with n = 16 block size is n = 16 bits inc( ) operates on 4 bits GHASH is defined over GF(2 16 ) with the lexicographically first irreducible polynomial p(x) = 1+x+x 3 +x 5 +x 16 20

Small GCM with n = 16 Pr L [ Coll L (r, N, N ) ] α r max{ d, d } / 2 16 α r = 5 (max) when r = 0x3, 0x5, 0xb, 0xd N, N 16 GHASH L (ε, N) = (N 0 0) L 2 N 16 L = U L 2 V L Pr[ inc r ( GHASH L (ε, N) ) = GHASH L (ε, N ) ] 10 / 2 16 inc r ( U L 2 V L ) = U L 2 V L also consider V V about 2 33 values of ( U,V,U,V ) 21

Result Pr [ Coll L (r, N, N ) ] = 10 / 2 16 holds for 87,406 pairs of (N,N ) when r = 0x3, 0xd for 86,951 pairs of (N,N ) when r = 0x5, 0xb For any (r,n,n ), Pr L [ Coll L (r, N, N ) ] α r max{ d, d } / 2 16 There exists (r,n,n ) such that Pr L [ Coll L (r, N, N ) ] = α r max{ d, d } / 2 16 There is an attack that matches the bound The big constant in security bounds cannot be replaced by a smaller one 22

Small GCM with n = 20 block size is n = 20 bits inc( ) operates on 5 bits GHASH is defined over GF(2 20 ) with the lexicographically first irreducible polynomial p(x) = 1+x 3 +x 20 23

Small GCM with n = 20 Pr L [ Coll L (r, N, N ) ] α r max{ d, d } / 2 20 α r = 8 (max) when r = 0x5, 0xb, 0x15, 0x1b N, N 20 GHASH L (ε, N) = (N 0 0) L 2 N 20 L = U L 2 V L Pr[ inc r ( GHASH L (ε, N) ) = GHASH L (ε, N ) ] 16 / 2 20 inc r ( U L 2 V L ) = U L 2 V L also consider V V about 2 41 values of ( U,V,U,V ) Result: Pr [ Coll L (r, N, N ) ] = 16 / 2 20 holds for 49,065 pairs of (N,N ) when r = 0x5 There is an attack that matches the bound 24

Conclusions Joux: Do you have an attack that matches the bound? The tightness is still open for n = 128, but the gap is now smaller (2 12 vs 2 22 ) We have a matching attack for small versions of GCM (n = 16, 20) Plan: to investigate small versions of GCM for n = 24, 28, 32,... 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback