GCM-SIV Encrypt GCM-SIV AES-GCM Decrypt GCM-SIV

Home , Authenticated encryption, Block cipher

Appeared at ACM CCS CCS ACM at Appeared 2015

Haifa Univ. and Intel and Univ. Haifa Ilan University Ilan - Bar

Gueron Shay Yehuda Lindell Yehuda

Encryption Encryption Under One Cycle per Byte per Cycle One Under at

Nonce Misuse Nonce Full Resistant Authenticated Authenticated Resistant -

SIV: - GCM

` How to Encrypt with a Block Cipher Block a with Encrypt to How

times faster! times 7 is NI - AES with encryption CTR - AES •

The Intel AES Intel The NI instruction is fully fully is instruction NI - pipelineable •

Does this matter? this Does •

encryption can be parallelized be can encryption – CTR •

encryption is strictly strictly is encryption – CBC sequential •

Efficiency: • CBC vs CTR vs CBC

` CBC vs CTR vs CBC

completely broken completely – CTR •

reveals common prefix common reveals – CBC •

IV/nonce reuse IV/nonce •

CBC is harder to tamper with tamper to harder is CBC •

Integrity •

are input to the block cipher block the to input are

CBC breaks at the birthday bound since since bound birthday the at breaks CBC values values ” random ” •

and security is preserved as long as it doesn it as long as preserved is security and t repeat t ’

CTR has better security bounds bounds security better has CTR the counter is a nonce nonce a is counter the – •

Security bounds Security •

CBC vs CTR CTR vs CBC Security Security –

` IV/Nonce Reuse IV/Nonce

Not used inside Linux / Linux inside used Not /random dev •

Intel has RDRAND and RDSEED on all new chips new all on RDSEED and RDRAND has Intel •

Randomness is much harder than it should be should it than harder much is Randomness • Why Should an IV Repeat? IV an Should Why

commented out commented

, code that was crucial for RNG reseeding was was reseeding RNG for crucial was that code , 2006 In •

, a bug in in bug a , 2008 In Linux was found was Linux Debian • Bad Randomness Bad

signature

failed to generate a new random nonce for each each for nonce random new a generate to failed

software for for software because Sony Sony because recovered was 3 PlayStation

the ECDSA private private ECDSA the , 2010 In key used by Sony to sign sign to Sony by used key •

3 PlayStation • Bad Randomness Bad

We use this for entropy estimation entropy for this use We •

Factor both moduli both Factor •

where where Computed and and ) ’ 푁 , 푁 ( 퐺퐶퐷 푞 ’ 푝 = ’ 푁 푝푞 = 푁 •

had a common factor common a had 12,934 •

Some of the moduli repeated thousands of times (no entropy) (no times of thousands repeated moduli the of Some •

Different owners can decrypt each other each decrypt can owners Different s traffic s ’ •

occurred more than once than more occurred 71,052 •

million RSA keys from the web the from keys RSA million 6.4 Collected •

RSA Keys Keys RSA 2012 al. et Lenstra –

Conclusion: an an Conclusion: bits of entropy of bits 33 of ” average “ •

ퟐ푵

giving giving So, ퟐ ≈ 푵 ퟗퟑퟒ , ퟏퟐ = •

ퟓퟔ . ퟑퟐ

ퟎ ퟎퟎ , ퟖퟎퟎ , ퟏퟐ ퟐ

We have number of collisions = = collisions of number have We 12,934 •

double)

We have have We (number of primes is is primes of (number = 풒 ퟎퟎퟎ , ퟖퟎퟎ , ퟏퟐ •

ퟐ푵 푵

from a domain of size N is is N size of domain a from

≈

ൗ

ퟐ

풒

ퟐ

풒

The expected number of collisions in q samples samples q in collisions of number expected The • Entropy Estimation via RSA Keys RSA via Estimation Entropy

Can we do better? Efficiently? better? do we Can •

than CTR than …

CBC still reveals common prefixes, but is better better is but prefixes, common reveals still CBC •

repeat, what should we do? we should what repeat,

Given that randomness can repeat and does does and repeat can randomness that Given • Bad Randomness Bad

GCM: •

vulnerable due to CTR encryption CTR to due vulnerable and MAC

MAC followed by CTR encryption: encryption: CTR by followed MAC - CBC - CBC to due slow •

CCM: •

Encryption? What About Authenticated Authenticated About What

This means that integrity is lost forever! lost is integrity that means This •

Much more seriously seriously more Much H can be recovered be can H – •

As with CTR plaintexts can be recovered be can plaintexts CTR with As •

if the nonce repeats, then: repeats, nonce the if – GCM •

Encryption? What About Authenticated Authenticated About What

bits 32 length

- AES In bits and counter of of counter and bits 96 length of nonce a use CTR, •

CTR encryption: encryption: CTR suffices to have a unique nonce unique a have to suffices •

enough

need random IV; nonce not good good not nonce IV; random need encryption: CBC •

Only require that nonce is unique is nonce that require Only •

based encryption: based - Nonce •

IV must be randomly chosen randomly be must IV •

IV (initial vector) encryption: vector) (initial IV • Preliminaries: IV vs Nonce Encryption Nonce vs IV Preliminaries:

same N is used, must have same prefix in online in prefix same have must used, is N same

If two long messages differ only in the last bit, when when bit, last the in only differ messages long two If •

This cannot be achieved for online encryption online for achieved be cannot This •

Even if N is different and the message the same the message the and different is N if Even •

Even if N is the same and the message is not is message the and same the is N if Even •

– Otherwise full security (authenticated encryption): (authenticated security full •

This is inherent is This •

same ciphertext same

If N is same and message is same same is message and same is N If the result is the the is result the – •

Security property Security •

Denote nonce by N by nonce Denote •

Nonce Misuse Resistance Resistance Misuse Nonce ] Shrimpton - Rogaway [

1 퐾 ) 푀 , 푁 ( 퐹 = 푇

2 퐾 Decryption: Decryption: ; check ; nonce with 푐 퐷푒 ← 푀 푇 퐶 •

Output Output ) 푇 , 푀 , 푁 ( •

Encrypt Encrypt using nonce nonce using key with ; denote result by by result denote ; 2 퐾 푀 퐶 푇 •

: 2 Step •

Apply a PRF PRF a Apply ; denote result by by result denote ; to key with 퐹 푇 ) 푀 , 푁 ( 1 퐾 •

: 1 Step •

message message Input: and nonce nonce and 푁 푀 •

Abstract SIV Encryption Encryption SIV Abstract ] Shrimpton - Rogaway [

authenticated encryption authenticated

also serves as a valid MAC and so have have so and MAC valid a as serves also value The 푇 •

is pseudorandom is value 푇

is the same but but same the is nonce If is different, then by PRF the the PRF by then different, is 푁 푀 •

pseudorandom

is different, then by PRF the value value the PRF by then different, is nonce If is is 푁 푇 •

Security •

1 퐾 2 퐾 with nonce nonce with ; ( 퐹 = 푇 푇 푀 푐 퐸푛 ← 퐶 ) 푀 , 푁

Encryption: • SIV Encryption Security Encryption SIV

퐾 1 퐾 2 퐾 2 퐾 , 1 Claim: Claim: is a PRF a is 푀 , 푁 퐹 푁 ⊕ 푀 퐻 퐹 = •

1 퐾 1 퐾 푥 퐻 Pr ∶ 푧 , 푦 , 푥 ∀ 휖 ≤ 푧 = 푦 퐻 ⊕ 푛

Let Let XOR universal hash function hash universal XOR - an be 휖 퐻 •

simpler primitives simpler

construct a more efficient PRF using using PRF efficient more a construct – 2 Option •

Very expensive Very •

What PRFs do we have? CBC have? we do PRFs What MAC - •

apply a PRF based on AES on based PRF a apply – 1 Option • Efficient Instantiations Efficient

Therefore, secure PRF for negligible negligible for PRF secure Therefore, 휖 •

for each pair each for

property, this happens with probability only only probability with happens this property, XOR - the By 휖 휖 •

1 퐾 1 퐾

Equivalently: if if Equivalently: ′ 푁 ⊕ 푁 = 푀 퐻 ⊕ 푀 퐻 •

′

1 퐾 1 퐾

where where 푀 , 푁 , 푀 , 푁 ′ 푁 ⊕ 푀 퐻 = 푁 ⊕ 푀 퐻

′ ′ ′

By the PRF property of of property PRF the By , can distinguish only if it queries queries it if only distinguish can , 퐹 •

Proof idea: Proof •

1 퐾 2 퐾 2 퐾 , 1 퐾 The construction: construction: The 푁 ⊕ 푀 퐻 퐹 = 푀 , 푁 퐹 •

Universal Hash Based PRF Based Hash -

One key: derive the two keys using AES itself AES using keys two the derive key: One •

ENC - CTR and PRF for key same use keys: Two •

ENC) - CTR PRF, GHASH, (for keys different Three •

Versions: •

Encryption is AES is Encryption CTR - •

The PRF used is AES (only need a single block) single a need (only AES is used PRF The •

Viega - [McGrew ]

universal hash function (for negligible negligible (for function hash universal ) ) 휖

The GHASH function H in GCM is an an is GCM in H function GHASH The XOR XOR - 휖 •

The GCM The SIV Instantiation SIV -

Deployment ease (use existing code bases) code existing (use ease Deployment •

Efficiency •

Why is this important? this is Why •

We only change the order of operations of order the change only We •

are identical to the existing AES existing the to identical are GCM -

A very important property: property: important very A all the elements here here elements the all •

The GCM The SIV Instantiation SIV -

NI for CTR and PCLMULQDQ for GHASH GHASH for PCLMULQDQ and CTR for NI - AES Use

PACLMULQDQ 2015) (2014) (2013) (2012) (2010)

Skylake (Sept. Skylake Broadwell Haswell bridge Sandy Westmere / AES-NI Pre

0.00

23 0.50

cycles

0.65 0.65

0.76 0.76 1.00

1.02 1.02 1.50

per per byte 2.00

2.50

2.75 2.75 3.00 cost of CTR! of cost

3.08 3.08

GCM at the the at GCM 3.50

- AES ) 2015 (

4.00

GCM performance GCM - AES

Across Intel CPU CPU Intel Across GCM - AES enerations G

(cannot be done in parallel) in done be (cannot begin can

, GHASH must be finished before CTR before finished be must GHASH , SIV - GCM In ENC ENC - •

parallel

, CTR , GCM In ENC and GHASH are interleaved and run in in run and interleaved are GHASH and ENC - •

Encryption •

Efficiency of GCM vs GCM vs GCM of Efficiency SIV -

the same as the original GCM) original the as same the ” be

, can also interleave interleave also can , SIV - GCM In should should “ cost (decryption •

, once again CTR again once , GCM In DEC and GHASH interleaved GHASH and DEC - •

Decryption: •

Efficiency of GCM vs GCM vs GCM of Efficiency SIV -

(without init) (without init) (with init) (with

GCM-SIV encrypt GCM-SIV AES-GCM decrypt GCM-SIV

0.20

0.40

Skylake

Cycles per byte

Broadwell

0.60

Haswell 0.80

0.65 0.65 0.65

0.76 0.76

0.77 0.77 1.00

0.92 0.92

0.94 0.94 1.20

1.10 1.10

1.16 1.16 1.18 1.18 1.40

key GCM key - 2 KB message KB 8 an over SIV -

SIV Performance Performance SIV - GCM Highlights –

optimization optimization

GCM for short messages, due to a new software software new a to due messages, short for GCM - AES best)

SIV (our implementation) is faster than ( than faster is implementation) (our SIV - GCM s ’ OpenSSL •

Time Comparison to AES to Comparison Time GCM -

standard use of AES of use standard - non

The only exception is AEZ, which is based on a a on based is which AEZ, is exception only The •

When measured on modern x modern on measured When processors processors 64 •

implementations

Based on published authors published on Based optimized optimized ’ •

Including all CAESAR round round CAESAR all Including candidates 1 •

implemented nonce implemented misuse resistant schemes resistant misuse -

SIV significantly outperforms all other other all outperforms significantly SIV - GCM •

SIV Performance Comparison Performance SIV - GCM

We hope to see it adopted it see to hope We •

Unpatented •

code implementations coming soon coming implementations code optimized

Detailed Detailed specifications, reference code and Open Source Source Open and code reference specifications, •

Utilize existing code and software and code existing Utilize GCM implementations) GCM - (AES •

Utilizes existing hardware existing Utilizes •

deployable: deployable: Easily •

security security of proof Full full implementation full and •

extremely low low extremely GCM) - AES (almost cost

nonce misuse nonce Full resistant authenticated encryption at an an at encryption authenticated resistant - • Summary

` Thank You Thank