Stronger Security Variants of GCM-SIV

Similar documents
Stronger Security Variants of GCM-SIV

Integrity Analysis of Authenticated Encryption Based on Stream Ciphers

On the Counter Collision Probability of GCM*

Authenticated Encryption Mode for Beyond the Birthday Bound Security

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

GCM Security Bounds Reconsidered

AES-OTR v3. Designer/Submitter: Kazuhiko Minematsu (NEC Corporation, Japan) Contact Address:

Breaking and Repairing GCM Security Proofs

On the Security of CTR + CBC-MAC

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Further More on Key Wrapping. 2011/2/17 SKEW2011 Lyngby Nagoya University Yasushi Osaki, Tetsu Iwata

Tweakable Blockciphers with Beyond Birthday-Bound Security

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

Lecture 12: Block ciphers

Solution of Exercise Sheet 7

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Modern Cryptography Lecture 4

A survey on quantum-secure cryptographic systems

Tweakable Enciphering Schemes From Stream Ciphers With IV

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Introduction to Cybersecurity Cryptography (Part 4)

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Introduction to Cybersecurity Cryptography (Part 4)

Symmetric Encryption

CS 6260 Applied Cryptography

Modes of Operations for Wide-Block Encryption

An Introduction to Authenticated Encryption. Palash Sarkar

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

A Pseudo-Random Encryption Mode

ECS 189A Final Cryptography Spring 2011

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Symmetric Crypto Systems

A Domain Extender for the Ideal Cipher

Provable Security in Symmetric Key Cryptography

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Symmetric Crypto Systems

CS 6260 Applied Cryptography

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Online Authenticated Encryption

Breaking and Repairing GCM Security Proofs

Foundations of Network and Computer Security

Improving Upon the TET Mode of Operation

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CPA-Security. Definition: A private-key encryption scheme

Notes for Lecture 9. 1 Combining Encryption and Authentication

Efficient Message Authentication Codes with Combinatorial Group Testing

Deterministic Authenticated-Encryption

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Revisiting Variable Output Length XOR Pseudorandom Function

Post-quantum security models for authenticated encryption

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3

Improved security analysis of OMAC

Blockcipher-based MACs: Beyond the Birthday Bound without Message Length

III. Pseudorandom functions & encryption

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Improved Security Analysis for OMAC as a Pseudo Random Function

Lecture 10: NMAC, HMAC and Number Theory

Lecture 4: DES and block ciphers

CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Innovations in permutation-based crypto

Block Ciphers/Pseudorandom Permutations

New Attacks against Standardized MACs

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Message Authentication. Adam O Neill Based on

Another Look at XCB. Indian Statistical Institute 203 B.T. Road, Kolkata , India

CTR mode of operation

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

On High-Rate Cryptographic Compression Functions

Tweak-Length Extension for Tweakable Blockciphers

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

A New Paradigm of Hybrid Encryption Scheme

Design Paradigms for Building Multi-Property Hash Functions

Fast and Secure CBC-Type MAC Algorithms

Efficient Beyond-Birthday-Bound-Secure Deterministic Authenticated Encryption with Minimal Stretch

Introduction to Cryptography Lecture 4

Characterization of EME with Linear Mixing

Parallelizable and Authenticated Online Ciphers

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Robust Authenticated-Encryption

MESSAGE AUTHENTICATION 1/ 103

ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

Authenticated and Misuse-Resistant Encryption of Key-Dependent Data

BLOCK CIPHERS KEY-RECOVERY SECURITY

Symmetric Encryption. Adam O Neill based on

ISO/IEC Revisited: Beyond Birthday Bound

Security of Symmetric Primitives under Incorrect Usage of Keys

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Message Authentication Codes (MACs) and Hashes

Module 2 Advanced Symmetric Ciphers

Chosen-Ciphertext Security without Redundancy

On the Influence of Message Length in PMAC s Security Bounds

Transcription:

Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number

Introduction

Nonce-Based AE and Its Limitation Nonce-based authenticated encryption : GCM [MV04], CCM [WHF02], OCB [RBBK01], EAX [BRW04], etc. They use a nonce for security: repeating the nonce has critical impact on security Counter-then-MAC (incl. GCM): leaks plaintext difference For GCM, even authentication key is leaked, allows universal forgery [MV04] D.McGrew and J.Viega: The Security and Performance of the Galois/Counter Mode of Operation, Indocrypt 2004. [WHF02] D.Whiting, R.Housley, and N.Ferguson: AES Encryption and Authentication Using CTR Mode and CBC-MAC. 2002. [RBBK01] P.Rogaway, M.Bellare, J.Black, and T.Krovetz: OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM CCS 2001. [BRW04] M.Bellare, P.Rogaway, and D.Wagner: The EAX Mode of Operation. FSE 2004: 1

MRAE and SIV Deterministic AE (DAE), a.k.a Misuse-resistant Nonce-based AE (MRAE) [RS06] Provides best-possible security if nonce is missing or exists but can be repeated by mistake Many concrete proposals including several CAESAR submissions SIV, Synthetic IV [RS06] A general approach to construct MRAE use a PRF to generate IV (also used as a tag), use IV in IV-based encryption [RS06] P.Rogaway and T.Shrimpton. A Provable-Security Treatment of the Key-Wrap Problem. Eurocrypt 2006. 2

How SIV works Components: F : K A M T Enc : K T M M, and the inverse, Dec Typically a keystream generator For encryption of plaintext M with associated data A: 1. T F K (A, M) 2. C Enc K (T, M) 3. Return tag T and ciphertext C Decryption: receives (A, T, C), computes M Dec K (T, C) and checks if F K (A, M) matches with T Provable security of SIV We need PRF security of F and IV-based encryption security of Enc 3

GCM-SIV

GCM-SIV GCM-SIV Proposed by Gueron and Lindell [GL15] Instantation of SIV using GCM components, GHASH and GCTR Very fast AESNI implementations [GL15] Provable security O(2 (n k)/2 ) Typically n = 128, k = 32. Thus about 48-bit security Concrete Bound For three-key version, with q encryption and q decryption queries: Adv mrae GCM-SIV(A) 2Adv prf E (A ) + q2 2 95 + q2 + q 2 128 [GL15] S.Gueron and Y.Lindell : GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. ACM CCS 2015 4

GCM-SIV Specification: Algorithm GCM-SIV-E K (N, A, M) 1. V H L (N, A, M) 2. T E K (V ) 3. IV msb n k (T ) 0 k 4. m M n 5. S CTR K (IV, m) 6. C M msb M (S) 7. return (C, T ) Algorithm GCM-SIV-D K (N, A, C, T ) 1. IV msb n k (T ) 0 k 2. m C n 3. S CTR K (IV, m) 4. M C msb C (S) 5. V H L (N, A, M) 6. T E K (V ) 7. if T T then return 8. return M H L is GHASH (with final xor of n-bit N) H L (N, A, M) = GHASH L (A, M) N CTR K employs incrementation in the last k bits (as GCM) Initial counter value is msb n k (T ) 5

GCM-SIV N A M IV = msb n k (T ) 0 k CTR K H L inc inc inc V E K E K E K E K E K M[1] M[2] M[m 1] M[m] T C[1] C[2] C[m 1] C[m] 6

Security Bound is Tight Attack by counter collision search Fix A and M and make 2 (n k)/2 enc-queries (N i, A, M) w/ distinct N i s For i and j w/ msb n k (T i ) = msb n k (T j ), the adversary gets the same ciphertext N A M IV = msb n k(t ) 0 k CTR K H L inc inc inc V E K E K E K E K E K M[1] M[2] M[m 1] M[m] T C[1] C[2] C[m 1] C[m] 7

Considerations on Security Nonce-misuse-resistance : obivious quantitative gain in security from GCM While quantitatively the security can be degraded from GCM distinguishing attack with q = O(2 (n k)/2 ) queries For GCM, there is no attack of the same complexity if N = 96, IV is N itself no counter collision Even if N 96 GCM bound is still good [NMI15] [NMI15] : Y.Niwa, K.M., T.Iwata. GCM Security Bounds Reconsidered. FSE 2015. 8

Our Contributions The design strategy of reusing GCM components to build MRAE is practically valuable While the security offered by GCM-SIV may not be satisfactory in practice It seems some unexplored design space for stronger security Up to the birthday bound (n/2-bit security)? Beyond the birthday bound? Our contributions GCM-SIV1: a minor variant of GCM-SIV achieving birthday bound security GCM-SIVr (for r 2): by reusing r GCM-SIV1 instances to achieve rn/(r + 1)-bit security 9

GCM-SIV1

GCM-SIV1 The changes are so simple: use the whole T as IV use full n-bit counter incrementation instead of k-bit incrementation N A M IV = T CTR K H L inc inc inc V E K E K E K E K E K M[1] M[2] M[m 1] M[m] T C[1] C[2] C[m 1] C[m] 10

GCM-SIV1 Concrete Bound If H L is ɛ-almost universal (ɛ-au), Adv mrae GCM-SIV1(A) 0.5q 2 ɛ + 0.5q2 2 n + σ2 2 n + q 2 n for q total (enc and dec) queries, each query is of length at most nl bits, and σ queried blocks If H L is GHASH, ɛ = l/2 n thus lq 2 /2 n + σ 2 /2 n + q/2 n Thus GCM-SIV1 is secure up to the standard birthday bound w.r.t. σ 11

Comparison of Bounds Comprison of security bounds for GCM-SIV and GCM-SIV1 Minimum attack complexity is increased ((n k)/2 to n/2 bits) Still, depending on the average query length (σ/q), we can decribe two possible parameter settings where GCM-SIV1 beats GCM-SIV and vice versa 12

Implementation aspects GCM-SIV1 is very close to GCM-SIV, but it needs full n-bit arithmetic addition slightly degraded performance from GCM-SIV using GCTR 13

GCM-SIVr

Beyond the Birthday Bound (BBB) Beyond O(σ 2 /2 n ) bound how? Generic approach: use 2n-bit blockcipher in SIV of 2n-bit data path Effective instantiation not easy: Widely-used 256-bit blockcipher? Known constructions for 2n-bit blockcipher from n-bit one (say, many-round Luby-Rackoff) not fully efficient not reusing GCM components (deviation from our strategy) Our approach : GCM-SIVr Compose r GCM-SIV1 instances in a manner close to black-box 14

GCM-SIV2 1. Take two independently-keyed H L s to get 2n-bit hash value (V [1], V [2]) 2. Encrypt hash value with four blockcipher calls to get 2n-bit tag (T [1], T [2]) 3. Plaintext is encrypted by a sum of two CTR modes taking two IVs, T [1] and T [2] N A M N A M T [1] T [2] H L1 H L2 V [1] V [2] inc inc inc inc inc inc E K1 E K2 E K3 E K4 E K1 E K2 E K1 E K2 E K1 E K2 E K1 E K2 M[1] M[2] M[m 1] M[m] T [1] T [2] C[1] C[2] C[m 1] C[m] 15

Proving Security of GCM-SIV2 First game : Distinguish MAC function F2, which takes (N, A, M) T, from random function Assuming blockciphers are random permutations 16

Analysis of F2 SUM-ECBC by Yasuda [Y10] for BBB-secure PRF It is a sum of two Encrypted CBC-MACs (EMACs) T = E K2 (CBC-MAC[E K1 ](M)) E K4 (CBC-MAC[E K3 ](M)) [Y10] proved PRF bound 12l 4 q 3 /2 2n for SUM-ECBC, thus 2n/3-bit security (ignoring l) [Y10] K.Yasuda. The Sum of CBC MACs Is a Secure PRF. CT-RSA 2010 17

Analysis of F2 F2 is reduced to SUM-ECBC if output is chopped to n bits, either T [1] or T [2] H L is CBC-MAC Osaki [O12] : CBC-MAC can be any ɛ-au hash function [O12] A.Osaki. A Study on Deterministic Symmetric Key Encryption and Authentication. Master s thesis, Nagoya University 18

Analysis of F2 Our task : extending [Y10][O12] so that F2 can handle 2n-bit output Game-playing technique [BR06] [Y10][O12] employed a game having four cases depending on the existance of collision in V [i] for given input and for i = 1, 2 We can employ a similar analysis as [Y10][O12] but need subcases to handle 2n-bit output PRF bound If H L is ɛ-au, Adv prf F2 (A) 8q3 3 2 2n + 6ɛ2 q 3 If H L is GHASH, Adv prf F2 (A) 8.7l2 q 3 2 2n [BR06] M. Bellare, P. Rogaway: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. EUROCRYPT 2006 19

Analysis of Encryption Part Second game: F2 is replaced with a random function R Encryption takes 2n-bit random IV, (T [1], T [2]) i-th counter block is (T [1] + i 1, T [2] + i 1) Quite similar analysis as F2: (N, A, M, i) (T [1] + i 1, T [2] + i 1) can be seen as a hashing process involving R and inc function Low collision probability for two distinct inputs, in fact 1/2 2n 20

Security of GCM-SIV2 Concrete Bound of GCM-SIV2 For any (q, l, σ)-adversary A, Adv mrae GCM-SIV2(A) 7σ3 2 2n + 6ɛ2 q 3 + q 2 2n, and if H L is GHASH, the r.h.s. is bounded by 7σ 3 2 2n + 6l2 q 3 2 2n + q 2 2n. 21

Generalization to any r The tag is generated by Fr : N A M {0, 1} nr. Analysis of Fr : we introduce X = (x 1,, x r ) {0, 1} r, where x i = 1 indicates a collision on H Li s outputs Exploit the symmetric property : the analysis is only depending on the Hamming weight of X not much technical difficulty but needs careful work N A M N A M N A M HL1 HL2 HL3 V [1] V [2] V [3] T [1] T [2] T [3] E K1 E K2 E K3 E K4 E K5 E K6 E K7 E K8 E K9 CTRK1 CTRK2 CTRK3 S[1] S[2] S[3] M T [1] T [2] T [3] C 22

Security of GCM-SIVr Let f bad (p) be the probability of bad event invoked with weight of X being p {0,..., r} Then f bad (p) is bounded by (2ɛ) r q r+1 for any 0 p r Concrete Bound of Fr For any (q, l, σ)-adversary A, Adv prf Fr (A) r 2r max p {f bad(p)} r (4ɛ) r q r+1, which is r (4l) r q r+1 /2 nr if H L is GHASH Note: a dedicated analysis for given r can improve the bound constant (which we employed for r = 2) Encryption security is similarly derived as Fr 23

Security of GCM-SIVr Concrete Bound of GCM-SIVr For any (q, l, σ)-adversary A, we have Adv mrae GCM-SIVr (A) r (4ɛ) r q r+1 + 4r σ r+1 2 nr + q 2 nr, and if GHASH is used for H L, Adv mrae GCM-SIVr (A) r (4l)r q r+1 2 nr + 4r σ r+1 2 nr + q 2 nr Summary GCM-SIVr is secure up to about 2 rn/(r+1) query complexity, and hence it asymptotically achieves full n-bit security 24

Conclusions Variants of GCM-SIV to offer quantitatively stronger security GCM-SIV1 : Standard n/2-bit security by tiny change to the original GCM-SIVr for r 2 : Use r GCM-SIV1 instances to go beyond the birthday bound, rn/(r + 1)-bit security Close to the black-box composition, highly parallel (To our knowledge) the first concrete MRAE scheme to achieve asymptotically optimal security based on classical blockcipher Large r implies large computation and large bandwidth, thus impractical 25

Conclusions Variants of GCM-SIV to offer quantitatively stronger security GCM-SIV1 : Standard n/2-bit security by tiny change to the original GCM-SIVr for r 2 : Use r GCM-SIV1 instances to go beyond the birthday bound, rn/(r + 1)-bit security Close to the black-box composition, highly parallel (To our knowledge) the first concrete MRAE scheme to achieve asymptotically optimal security based on classical blockcipher Large r implies large computation and large bandwidth, thus impractical Thank you! 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback