Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus, Denmark FSE 2017, Tokyo, Japan 8 th March 2017 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 1 / 33
Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. PKC13: robustness for PKE & IBE revisited by Farshim et al. AC10: Mohassel extends robustness to Hybrid Encryption. TCC10: robustness introduced for PKE & IBE by Abdalla et al. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 2 / 33
Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice Bob
Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice C Bob K 1 K 2 Eve P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 3 / 33
Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33
Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? Enc(K, s) = Enc(K, s ) = FORGE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33
Motivating Key Robustness - Example 2 CBC-MAC: m 0 m 1 m 2 m t 1 0 E K E K E K E K T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 5 / 33
Motivating Key Robustness - Example 2 CBC-MAC: (m 0, m 0 ) (m 1, m 1 ) (m 2, m 2 ) (m t 1, m t 1 ) 0 E K E K E K E K T MAC(K, M) = MAC(K, M ) = T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 6 / 33
Definitional Landscape Complete Robustness (CROB): adversarially generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB security: 1. (C, K 1 K 2 ) A 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 7 / 33
Definitional Landscape Strong Robustness (SROB): honestly generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB SROB 1. (C, K 1 K 2 ) A 1. C A Enc,Dec 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 8 / 33
Definitional Landscape CROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 9 / 33
Definitional Landscape AE-secure scheme = SROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 10 / 33
Definitional Landscape AE-secure scheme CROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 11 / 33
Definitional Landscape - MACs CROB SROB 1. (T, M 1, M 2, K 1 K 2 ) A 1. (T, M 1, M 2 ) A Tag,Ver 2. Ver(K 1, M 1, T ) = 1 3. Ver(K 2, M 2, T ) = 1 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 12 / 33
Definitional Landscape - MACs SUF-secure MAC scheme = SROB-secure. CROB SROB SUF P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 13 / 33
The Big Picture FROB CROB XROB SFROB KROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 14 / 33
Generic Composition Same Keys: Enc-Then-MAC is CROB Enc is CROB OR MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB Different Keys: Enc-Then-MAC is CROB Enc is CROB AND MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 15 / 33
Generic Composition Proof intuition (Enc-Then-Mac): A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K e1 K m1 K e2 K m2 M 1 Enc MAC M 2 Enc MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 16 / 33
Generic Composition Proof intuition. A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K m1 K m2 C MAC C MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 17 / 33
CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33
CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. Different-Keys: authenticate the encryption key. Enc((K e K m ), M): C Enc(K e, M) T RO(K m, (C K e )) return (C, T ) AE-security CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33
CROB AE in the Standard Model Idea: construct a CROB secure MAC in the Standard Model. First attempt: Enc((K e K m ), M): C Enc(K e, M) T MAC(K m, (C K e )) return (C, T ) Issue: pseudorandomness for MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 19 / 33
CROB AE in the Standard Model Idea: construct a CR-PRF in the Standard Model. Second attempt: Enc((K e K m ), M): C Enc(K e, M) T PRF(K m, (C K e )) return (C, T ) Issue: ensure the PRF is Collision-Resistant. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 20 / 33
Collision-Resistant PRFs in the Standard Model Collision-Resistant PRF: PRF(K 1, M 1 ) = PRF(K 2, M 2 ) = (K 1, M 1 ) = (K 2, M 2 ) Key-Injective PRF: PRF(K 1, M) = PRF(K 2, M) K 1 = K 2 Right-Injective PRG: PRG RHS (K 1 ) = PRG RHS (K 2 ) K 1 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 21 / 33
Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Collision-Resistant PRF: PRF(K, M) = PRF(K, M ) = (K, M) = (K, M ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 22 / 33
Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 1 - Key-Injective PRF: PRF(K 2, C 1 ) = PRF(K 2, C 1) K 2 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 23 / 33
Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 2 - Right-Injective PRG: PRG RHS (K ) = PRG RHS (K ) K = K P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 24 / 33
Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 3 - Permutation: PRP(K 1, M) = PRP(K 1, M ) M = M P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 25 / 33
Right-Injective PRGs Building-block 1: a right injective PRG. Use the construction by Yao: PRG(x) := HC(x) HC(π(x))... HC(π x 1 (x)) π x (x) }{{}}{{} Left Part Right Part π is a pseudorandom permutation. HC is a hardcore predicate. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 26 / 33
Key-Injective PRFs Building-block 2: a Key-Injective PRF via the GGM construction. Open problems: more efficient constructions from weaker assumptions. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 27 / 33
Left/Right Collision-Resistant PRGs Building-block 3: length doubling Left/Right Collision-Resistant PRGs. PRG LHalf (K ) = PRG LHalf (K ) K = K AND PRG RHalf (K ) = PRG RHalf (K ) K = K Example: G(x 1, x 2, x 3 ) := ( (g x 1, g x 1x 2, g x 2x 3 ), (g x 2, g x 1x 3, g x 3) ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 28 / 33
CROB transforms in the Standard Model Analogue of the ABN transform in the symmetric setting: MAC key is generated on the fly. MAC is collision-resistant. Definition Enc(K e, M): K m Gen m (1 λ ) (K 1 e K 2 e ) PRG(K e ) C Enc(K 1 e, (M K m )) T Tag(K m, (C K 2 e )) return (C T ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 29 / 33
Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33
Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33
Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: x 1 = (K 2, K 3 ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 i x i C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 31 / 33
Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 1 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K, C 3 ) = M C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 32 / 33
Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 2 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K 3, C 3 ) = M 3 C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 33 / 33