sign in sign up
<<
Home , Keystream, Salsa20

SCU-PRF CONSTRUCTING A USING A PSEUDORANDOM FUNCTION

A Thesis

Presented to the faculty of the Department of Computer Science California State University, Sacramento

Submitted in partial satisfaction of the requirements for the degree

MASTER OF SCIENCE

in

Computer Science

by

Matthew Clarke-Lauer

SPRING 2012 SCU-PRF CONSTRUCTING A SECURE CHANNEL USING A PSEUDORANDOM FUNCTION

A Thesis

by

Matthew Clarke-Lauer

Approved by:

, Committee Chair Dr. Theodore Krovetz

, Second Reader Dr. V. Scott Gordon

, Third Reader Dr. Jinsong Ouyang

Date

ii Student: Matthew Clarke-Lauer

I certify that this student has met the requirements for format contained in the University format manual, and that this thesis is suitable for shelving in the Library and credit is to be awarded for the thesis.

, Department Chair Dr. Cui Zhang Date

Department of Computer Science

iii Abstract of SCU-PRF CONSTRUCTING A SECURE CHANNEL USING A PSEUDORANDOM FUNCTION by Matthew D. Clarke-Lauer

The establishment of a secure channel of communication between two parties is a primary goal of modern . In an ideal world, the secure channel is a dedicated, untappable, and impenetrable method of transmitting data between a sender and receiver. An adversary would be unable to see or modify any information crossing the channel. Unfortunately, that is not possible in the real world. Most communication is done using channels that are susceptible to eavesdropping and in- terference. In order to overcome these problem cryptography attempts to recreate the secure channel in order to provide confidentiality and authenticity to all com- munications between two parties. Pseudorandom functions provide an ideal starting point for designing cryptographic primitives that met these goals. Work done by Philip Rogaway and Mihir Bellare has shown the usefulness of a random oracle as a starting point for developing asymmetric- cryptographic primitives. This paper expands on that concept by providing algorithms that meet the goals of confidentiality and authenticity by using a conceptual pseudorandom function to construct a set of symmetric-key cryptographic primitives. Due to it’s flexibility and simplicity, a conceptual pseudorandom function is used to construct a

iv symmetric-key cipher and a message authentication that are both simple and efficient, while meeting the requirements of a confidentiality and authenticity. Based on those two primitives, an authenticated scheme is built in order to provide the guarantees of the secure channel. This paper provides the design and implementation for the SCU-PRF, a pseu- dorandom function created by combining the and the VHASH universal hash function. The SCU-PRF is designed with the goal of efficiency, re- quiring little more computation than the base components of Salsa20 and VHASH. Using the algorithms built with the conceptual PRF, a complete implementation of the protocols is created using SCU-PRF. When tested SCU-PRF proved to be an efficient and flexible pseudorandom function with a performance profile ideal for constructing a high efficiency secure channel.

, Committee Chair Dr. Theodore Krovetz

Date

v DEDICATION

This work is dedicated to my wife Annie and my son Eli. Thank you for providing me a reason to always strive for better

vi ACKNOWLEDGMENT

I would like to thank my advisor, Dr. Ted Krovetz, for his time and encour- agement in finishing this Master’s thesis. Without his guidance this thesis would not have been possible.

vii TABLE OF CONTENTS

Page Dedication ...... vi Acknowledgement ...... vii List of Tables ...... xi List of Figures ...... xii Chapter 1. INTRODUCTION ...... 1 2. PSEUDORANDOM FUNCTIONS AND THEIR MATHEMATICAL BACK- GROUND ...... 4 2.1. Adversarial Models ...... 4 2.2. Mathematical Background ...... 5 2.2.1. Functions ...... 5 2.2.2. Randomness ...... 6 2.2.3. Pseudorandomness ...... 7 2.3. Related Work ...... 8 3. OVERVIEW OF THE SECURE CHANNEL ...... 10 3.1. Trust Models ...... 10 3.2. Privacy ...... 11 3.2.1. ...... 11 3.2.2. Stream Cipher ...... 12 3.3. Authenticity ...... 14 3.3.1. Message Authentication Code ...... 15

viii 3.3.2. Universal Hash-Functions Family ...... 16 4. CONSTRUCTING THE SECURE CHANNEL WITH PSEUDORANDOM FUNCTIONS ...... 18 4.1. Conceptual Pseudorandom Function ...... 18 4.2. Confidentiality Using a PRF ...... 18 4.3. Authentication Using a PRF ...... 20 4.4. Constructing the Secure Channel ...... 21 5. SCU-PRF - STREAM CIPHER UNIVERSAL HASH PSEUDORANDOM FUNCTION ...... 23 5.1. Test Environment ...... 23 5.2. Phase 1 - Compression ...... 23 5.2.1. VHASH ...... 24 5.2.2. Probability of Hash Collisions ...... 25 5.3. Phase 2 - Expansion ...... 27 5.3.1. Salsa20 ...... 27 5.4. Engineering Obstacles ...... 29 5.4.1. Key Handling ...... 29 5.4.2. VHASH Modifications ...... 29 5.4.3. Salsa20 Modifications ...... 29 5.4.4. SCU-PRF Context ...... 30 5.5. SCU-PRF Algorithm ...... 30 5.5.1. SCU-PRF Performance ...... 30 5.6. Cryptographic Applications and Performance ...... 31 5.6.1. Encryption ...... 31

ix 5.6.2. Authentication ...... 33 5.6.3. Secure Channel Performance ...... 37 5.7. Performance Overview ...... 39 6. CONCLUSION ...... 41 6.1. Future Work ...... 42 Appendix . Source Code ...... 44 References ...... 54

x LIST OF TABLES

Page Table 5.1. Specifications of Lenovo T400 Test Platform ...... 24 Table 5.2. Performance of VHASH-128 in CPU Cycles Per Block . . . . . 25 Table 5.3. Performance of SCU-PRF in CPU Cycles Per Byte ...... 32 Table 5.4. Performance of SCU-PRF Based Encryption in CPU Cycles Per Byte ...... 34 Table 5.5. Performance of SCU-PRF Based Authentication in CPU Cycles Per Byte ...... 36 Table 5.6. Performance of SCU-PRF Based Authenticated Encryption in CPU Cycles Per Byte ...... 38 Table 5.7. Cryptographic Algorithm Performance Comparison ...... 40

xi LIST OF FIGURES

Page Figure 3.1. Encryption Data Flow ...... 12 Figure 3.2. Message Authentication Data Flow ...... 15 Figure 3.3. Message Authentication Code Data Flow ...... 16 Figure 5.1. SCU-PRF Design ...... 28 Figure 5.2. SCU-PRF Efficiency ...... 33 Figure 5.3. SCU-PRF Based Encryption Efficiency ...... 35 Figure 5.4. SCU-PRF Based MAC Efficiency ...... 35 Figure 5.5. SCU-PRF Based Authenticate Encryption Efficiency ...... 37

xii 1

CHAPTER 1 INTRODUCTION

As technology has advanced, so has the act of communication. Exchanging information in a secure fashion has changed with the advent of digital communica- tions and the internet. As society moves away from a physical and analog world, the methods used for providing privacy have changed. Digital eavesdropping has become more prevalent due to the flow of information around the globe. A message can be modified and transmitted in a fraction of a second by an adversary with simple and affordable tools. Due to these changes, the difficulty of providing confidentiality and authenticity has grown. Cryptography is the study of techniques for providing information security. It uses mathematical systems to establish a secure channel for communications. In order to provide a secure channel, two major goals must be achieved: confidentiality and authenticity. To achieve these goals, a number of different tools or cryptographic primitives are utilized, many of which have their foundations in the ability to produce random data. The goal of confidentiality is to prevent an unauthorized party from access- ing secret information. This could be as simple as preventing a third party from reading an email between family members or as complex as protecting a database of private consumer information. Encryption schemes are used to achieve confiden- tial communication. They provide a party with the ability to disguise or encrypt a message. For example, requires letters of the original message to be substituted for other letters of the alphabet. This is a very rudimentary cipher 2 and was historically performed by hand using a shared key, a piece of shared private information. The cipher is used to encode a message, or plain text, into its secret equivalent, or cipher text. In the case of the substitution cipher, the key was just a list of the letters in the alphabet along with the letters they are mapped to. Once the encrypted message was received, the same key would be used to reverse the encryp- tion, providing the receiver with the original message. While the use of this style of cipher is now obsolete, the concept of using a shared private key to encode plain text messages into the cipher text equivalent is the basis for all modern encryption.[4] The goal of authenticity is two fold. Message authenticity is the concept of determining whether a message was modified. On the other hand, user authenticity provides a guarantee about the identity of the sender of a message. Unless the receiver physically observes the sender creating the message, the source of a message and the message’s authenticity is unknown to a receiver. Cryptography has solved this problem by creating a message authentications code(MAC). The sender can use the shared private-key, like the cipher example above, to create a signature or fingerprint that represents the message using the MAC. The signature or fingerprint is a condensed representation of the message that is not easily recreated and serves as proof that the message came from the sender. The receiver can create their own signature based on the message and if the two are the same then the message must be unmodified and must have come from the sender or a party with the same private key.[4] Within cryptography, the concept of randomness, or statistically unrelated data[16], is used to achieve the goals of confidentiality and authenticity. Unfor- tunately, true randomness is very difficult to achieve with modern computers. Due to the fact the computers are deterministic machines, pseudorandomness is used in- 3 stead. Pseudorandom data is generated deterministically from non-random sources and should be computationally indistinguishable from true randomness.[1] This al- lows cryptographic primitives to be built using a reproducible source of data that appears to be random. Pseudorandom functions(PRF) provide a source of pseudo- random data and a conceptual starting point from which many types of cryptographic primitives can be built. This paper shows that it is not only possible to achieve the goals of confidential- ity and authenticity using PRFs as the only primitive, but it can be done efficiently. This is done by showing that each goal can be achieved using a conceptual PRF. Once the methods are established for providing confidentiality and authenticity, the implementation of SCU-PRF is presented. The SCU-PRF is a efficient PRF created from the combination of a stream cipher and universal hash function. Based on the the algorithm created to show that a conceptual PRF can be used to achieve confidentiality and authenticity, the SCU-PRF can be used to provide a real world implementation that meets the two cryptographic goals efficiently. 4

CHAPTER 2

PSEUDORANDOM FUNCTIONS AND THEIR MATHEMATICAL BACKGROUND

Although pseudorandom functions are often used in cryptography, they are based heavily in mathematics and set theory. In order to properly define what a PRF is and how it can be used to achieve the goal of a secure channel, an overview of the concept of an adversarial model and the mathematical background of functions and pseudorandomness is necessary.

2.1 Adversarial Models Modeling an adversary is a common way of analyzing the security of a crypto- graphic operation. For example, if the goal was to analyze the security of a pseudo- random function, an adversary would be given a black box and allowed to query it using values within a specified range. The black box would contain either a truly ran- dom function or the pseudorandom function. The adversary would query the black box and, based on the outputs, would guess whether it contains a truly random function or a pseudorandom function.[4] Example Let F : K ×D → R be a family of functions and A be an adversarial algorithm that takes an black box function. A then tried to identify whether F is

A A the function family RealF or a random function RandF . The advantage is found by computing the difference between the probability A correctly guesses when the black

A A box is RealF and the probability A correctly guesses when the oracle is RandF . The equation is shown below: 5

prf A A ADVF (A) = PR[RealF → 1] − PR[RandF → 1]

In this case, the goal is to be indiscernible from a random permutation. There-

prf fore, ADVF = 0 would imply that A has no insight into the contents of the black

A box and can only guess randomly whether or not it is RealF .[4] The adversarial model can be adjusted depending on the type and capabilities of the adversary. While this may modify how the probabilities are computed, the basic construction allows for a mathematical analysis of the security of cryptographic functions. [4]

2.2 Mathematical Background Pseudorandom functions are a mathematical construct used within cryptogra- phy. Understanding their use and construction requires an understanding of func- tions, function families and the goals of randomness.

2.2.1 Functions In a mathematical sense, a function is a defined by two sets A and B and a rule f which assigns each element in A to a single element in B. The set A is known as the domain and the set B as the codomain or range. The function f is represented by the notation f : A → B or f(a) = b where a ∈ A and b ∈ B.[1] A function family is a set of functions that share the same signature. If a function family F contained a set of functions mapping from A to B, the notation would be F : K × A → B, where K is the set of keys of F and D is the domain of F and R is the range of F . The sets of keys and the range are finite and all sets are non-empty. A key from the set K would be utilized to select a function from 6

the function family of F . F can be defined with a two input function with input A

and a key K as F (K,A) = B or, for a particular key k,Fk(a) = b,where a ∈ A and b ∈ B. [4] A one-way function is a particular type of function that is very important in cryptography. Function f is defined as a one-way function from set A to set B if f(a) is computationally “simple” to compute for all a ∈ A but for “essentially all” b ∈ B it is computationally “unfeasible” to find any a ∈ A where f(a) = b. This is the conceptual basis for the cryptographic hash and MAC functions to be discussed later. [1]

2.2.2 Randomness Cryptographic systems depend on the ability to generate unpredictable bit strings. While many cryptographic protocols are built along the concept of random- ness, true randomness is difficult to create deterministically and difficult to harness. A true random bit generator requires a natural source of randomness. Since com- puting systems are deterministic, it is impossible for them to generate truly random data. True random sources can be harnessed by a computing system, but unfortu- nately, it is difficult and error prone. Most sources of true randomness are subject to external influence. These include the seek time on hard drives, spikes in power consumption, mouse movement, and various other physical events that occur outside the confines of the basic computing model. This makes them not only highly erratic and unpredictable, but also difficult to properly reproduce.[1] The most basic conceptual randomization function is the random bit generator, which generates a sequence of statistically independent and unbiased binary digits. The random bit generator can be used to create a random number generator by 7 generating a bit sequence long enough to be converted from a binary representation to a decimal representation. [1]

Random Functions: A random function is a function family, from which a function is selected at random. This makes the term random misleading in this context. While this would imply that a function will always return data that appears to be random, the term random refers only to how a function is selected. The constant function that always returns a single value is just as valid a selection as a function that returns a different value for every input. By using a random function selected from a family of functions sharing the same mapping, the behavior will appear to be random, since the observer will not be aware which function is chosen from the family.[4]

2.2.3 Pseudorandomness Pseudorandomness is the theory of efficiently producing data that looks “ran- dom” despite originating from data with little to no randomness. This is a critical concept within cryptography, since deterministic algorithms that mimic randomness are the basis for most cryptographic protocols. Pseudorandom functions are one method used to generate pseudorandom data.[16]

Pseudorandom Functions: A pseudorandom function(PRF) is a family of functions with the property that the relation between the inputs and outputs of a random in- stance of the family is computationally indistinguishable from a random function.[1] This property makes PRFs an ideal theoretical tool for designing and building cryp- tographic protocols and primitives. They provide a simple way of modeling block ciphers, hash functions, and various other constructions. 8

A PRF is defined as the family of functions that provide a random mapping from the set of all string of length n to the set of all strings of length m. This can be represented by F : K×D → R, where F is a family of functions, K = {0, 1}n where n is the key length, and D = {0, 1}l and R = {0, 1}m where l is the length of the input bit string processed by the function family and m is the length of the pseudorandom output. It is important to note that m and l can be unrelated, which allows for pseudorandom functions to be a flexible base for constructing many different types of .[4] Based on the property of “computational indistinguishability” from a random function, an adversarial model can be built. The adversarial model is the same as the example used to explain adversarial models.

prf A A ADVF (A) = PR[RealF → 1] − PR[RandF → 1]

prf In the case of an ideal PRF, ADVF (A) = 0 or A can only guess randomly whether or not the black box contains a PRF or a random function. Based on this concept, pseudorandom functions can be applied with the purpose of creating secure protocols by guaranteeing that the protocol contains a component that determinis- tically produces data that appears to be random to an adversary. [4]

2.3 Related Work There has been research done showing how to implement a PRF from other cryptographic components. Langberg showed that a PRF can be constructed based the Diffie-Hellman construction and having equal security to Diffie-Hellman.[12] In 1995, Naor and Reingold presented the construction of a PRF from a cryptographic primitive called a pseudorandom synthesizer.[14] Naor and Reingold later show that 9 a PRF can be constructed from an unpredictable function, in this case a MAC, and postulating the applications of PRFs to private-key cryptography.[15]. Much of the work in this paper is a extension of their work, by formalizing the algorithms for the private-key primitives using a conceptual PRF and providing a complete PRF implementation. There has been other work converting from pseudorandom permutations to pseudorandom functions. Both Bellare et al. and Hall et al. approach the concept of showing a provable transformation from a pseudorandom permutation to a pseudo- random function, Bellare using a solution called data-dependent re-keying and Hall using transformations that they call ORDER and TRUNCATE. While both of these show provable transformations from a pseudorandom permutation to a pseudoran- dom function, they do not focus on the construction of a pseudorandom function from other cryptographic primitives.[6][13] In 1995, Bellare and Rogaway formalized how a random oracle can be a useful tool in bridging the gap between cryptographic theory and practice. They suggest that a practical protocol can be produced by first devising and proving correct the protocol with a random oracle and then replacing the random oracle with an appro- priately chosen function. They demonstrate this using public-key encryption, signa- tures, and zero knowledge proofs.[3] This concept is the basis for designing simple encryption and authentication protocols with a theoretical pseudorandom functions. Once the algorithms are designed using a theoretical function, the function can be replaced and a practical real-world implementation can be created. 10

CHAPTER 3

OVERVIEW OF THE SECURE CHANNEL

The goals of confidentiality and authenticity are built around the idea of con- structing a secure channel for communication. In an ideal world, a secure channel or transmission line existed between a sender and a receiver. The “ideal” secure channel is a dedicated, untappable, and impenetrable method of transmitting data between a sender and receiver. In this case, an adversary would be unable to see or modify any information crossing the channel.[4] Unfortunately, in real life the “ideal” secure channel is impossible. All trans- mission, whether over the air, via mail, or online, should be viewed as public. This allows any adversary to listen to and/or modify transmission between the sender and receiver. The two goals of cryptography, confidentiality and authenticity, work to provide the properties of a secure channel, even though the transmissions occur in public.[4]

3.1 Trust Models In order to create a method of communicating securely, a piece of shared in- formation or key must be established between the sender and receiver. This data is something that only trusted parties know and is used within cryptographic primitives as a way of controlling how data is processed. Two different keys will have a different result using the same primitive and the same message. A trust model specifies, ini- tially, who has what key. Two trust models exist within cryptography, symmetric-key, or private-key, and asymmetric-key, or public-key. In symmetric-key cryptography, an exact copy of the key is shared between all trusted parties. The shared-key is 11 usually a uniformly distributed random string of length n. The sender and receiver can use this key to communicate securely across a public network. Asymmetric-key cryptography allows a sender and receiver to create a shared-key without having any information in common at the beginning of communication. As this work is only concerned with symmetric-key cryptography, asymmetric-key cryptography will not be covered.[4]

3.2 Privacy The guarantee of privacy is provided by an encryption scheme. Encryption is the process of transforming a bit string into something that is unreadable or resembles random data. An encryption scheme consists of a key space, an algorithm for encryption, and an algorithm for decryption. Formally, a symmetric encryption scheme defined as the tuple < K, E, D >, where K is the set of all keys, E is an encryption algorithm, and D is a decryption algorithm, which would reverse the encryption algorithm. In order to construct an encryption scheme, cryptographic ciphers are utilized. Cryptographic ciphers are a type of primitive within symmetric key cryptography which provides a deterministic transformation of the provided bit string. By providing a secret key and a message to a cipher, the cipher will output a pseudorandom bit-string. A cipher alone cannot provide a guarantee of privacy, but is merely a tool for building a secure encryption protocol. There are two types of symmetric-key ciphers, the block cipher and string cipher. [4]

3.2.1 Block Cipher The block cipher is a cryptographic primitive used for the design of protocols for symmetric-key cryptography. A block cipher consists of a function E : {0, 1}k × 12

Figure 3.1: Encryption Data Flow

The data flow for a symmetric key encryption scheme is shown above. The or private key is used in both the encryption and decryption algo- rithms to allow for the sender, host 1, and the receiver, host 2, to communicate in secret.[9]

{0, 1}n → {0, 1}n. E takes two inputs, a k-bit string, the private-key, and a n-bit string, the plain text, and outputs a n-bit string, the cipher text. The parameters k and n represent the key-length and the block-length respectively and are associated with a block cipher. A block cipher must be invertable, meaning that for every keyed

−1 block cipher Ek, cipher text c and plain text p, Ek(p) = c and Ek (c) = p. Examples of block ciphers include Advances Encryption Standard(AES) and Data Encryption Standard(DES). [4]

3.2.2 Stream Cipher The stream cipher concept is based on a historical cipher called a One-Time Pad(OTP). The OTP is a cryptographic algorithm where the plain text is combined with a random key using predefined and reversible operation. Assuming that the key is truly random, this is the only known method to perform encryption that can be 13 mathematically proven to be secure. Due to its simplicity and strength, it had many historic uses during World War 2 and the Cold War to protect military and political communications.[10] The OTP has many limitations which prevent it from being used on a wide scale in modern cryptography.

• Keys must be at least as long as the message being encrypted

• Keys must be truly random

• Keys and plain text must be of the same number system, modulo 10(digits), modulo 26(letters), or modulo 2(binary)

• Each key can only be used once and must be destroyed after use

Modern cryptography deals with messages far longer and more complicated than those that are reasonably processed using an OTP. While the OTP is no longer a standard way of encrypting a message, the concepts used to design it and the security principles are the basis for many cryptographic primitives. The modern stream cipher is the pseudorandom equivalent of the OTP.[10] The stream cipher generates a string of pseudorandom bits called the key stream and combines it with the plain text using a exclusive-or operation. The resulting string is the cipher text. Stream ciphers are a class of symmetric-key cipher that are designed to work around the limitations of current block ciphers. Unlike block ciphers, which operate on a string with a length that is a multiple of the block length, stream ciphers encrypt each bit individually. This allows for stream ciphers to be used in situation where processing blocks of data is not efficient, such as telecommunications. Examples of stream ciphers are Salsa20 and .[1] 14

3.3 Authenticity The goal of authenticity is to prove the identity of the sender and the authen- ticity of the message. This is done using a message authentication scheme. This scheme utilizes a one-way function to generate a short representation, or tag, of the message. This tag is transmitted with the message to its destination, where another tag is generated from the message and compared with the transmitted tag. If the tags are the same, then the message is authentic. A message authentication scheme consists of a tag generating function and a tag verification function. The tag gener- ating function, takes a message and deterministically produces a tag or fixed length representation of a message. The tag verification function is used by the receiver to guarantee authenticity. This function take the tag and message and tells the receiver whether or not the tag matches the message. A usual construction for the tag verifi- cation function is to simply reproduce the tag using the tag generating function and compare the output to the transmitted tag. Cryptographic hash function are a one-way function that is used to distill any string of bits into a fixed length string. A hash function takes a message of arbitrary length as an input and then outputs a hash or signature. The hash consists of a bit string of finite length that is computationally difficult to reproduce without the original message and input parameters. Formally, a hash function has a domain D = {0, 1}∗ and a range R = {0, 1}n and takes the form of H : D → R. Due to the fact that | D |>| R |, it is guaranteed that given enough input values, two input values m and m0 will eventually collide or h(m) = h(m0). The goal of a hash is not to prevent this, but to make it computationally difficult to do without performing numerous hashes, which is extremely time consuming. The basic idea of a cryptographic hash function is that the hash serves as a compact representation 15

Figure 3.2: Message Authentication Data Flow

The data flow for message authentication is shown above. The sender uses a one-way hash function to create a tag, TX Digest, which is transmitted with the message. The receiver uses the message to create another tag, RX Digest, which is compared to TX Digest to determine whether the message is authentic.[9]

of the original input string and can be used to identify the string. The proper use of a cryptographic hash in a authentication scheme will provide only message authenticity, not user authenticity. Examples of cryptographic hash functions are the MD5 Message-Digest Algorithm and Secure Hash Algorithm(SHA-1).[1]

3.3.1 Message Authentication Code A distinct class of hash functions, called message authentication codes (MACs), allow a message to be authenticated using symmetric key cryptography. A MAC provides a tool for producing a message authentication scheme that guarantees user authenticity, as well as message authenticity. These types of hashes take as inputs a message and a secret key and produce a fixed size output. A MAC is defined as H : K × D → R, where K is the set of all keys of H. By using a secret key to create 16

Figure 3.3: Message Authentication Code Data Flow

The data flow for a MAC is shown above. The shared private key is used with the message in a one-way hash function to create the senders MAC, TX MAC. That MAC is transmitted with the message. The receiver uses the same private key to create another MAC, RX MAC, which is compared with the sender’s MAC. If they are equal then the message and the sender are authentic.[9]

a signature for the message and guaranteeing that the signature will be different for the same message with a different key, the authenticity of a message and its origin can be proven. Examples include UMAC and VMAC.[1]

3.3.2 Universal Hash-Functions Family A universal hash family is a set of functions H, or hash family, with the sig- nature H = h : A → B. The hash family H is“-almost-universal” if for any distinct x, x0 ∈ A the probability that h(x) = h(x0) is less than or equal to . While this property does not provide any secrecy, it does provide a foundation for fast hashing and message authentication. [17] Universal hashes are significantly faster than other message authentication or hashing primitives. This is because they do not rely on any cryptographic processes 17 to achieve their goal. The only requirement is that they meet the combinatorial property identified above. In addition to being efficient functions, the combinatoric properties are simple to prove and absolute. [17] Formally a family of hash functions is a finite set of functions with a common domain A and range B. This is denoted by H = h : A → B using set notation or by

H : K × A → B where Hk : A → B given a value k ∈ K. In the latter notation, a function from H is chosen at random by choosing k ∈ K and letting f = Hk.[17] 18

CHAPTER 4

CONSTRUCTING THE SECURE CHANNEL WITH PSEUDORANDOM FUNCTIONS

The concept of a pseudorandom function provides an excellent starting place to design more complicated cryptographic primitives. Based on the indistinguishability of a PRF from a random function, they provide a strong base in which to construct primitives. With a conceptual PRF, it is possible to construct cryptographic prim- itives capable of encryption and authentication. From those two simple primitives, many other primitives can be constructed.

4.1 Conceptual Pseudorandom Function As defined earlier, the conceptual PRF is defined as F : K × D → R, where F is a family of functions, K = {0, 1}n where n is the key length, and D = {0, 1}l and R = {0, 1}m where l is the length of the input bit string processed by the function family and m is the length of the pseudorandom output. In pseudocode that is represented by the function PRF (K, I, iL, oL), where K is the shared-key, I is the input buffer, iL is the length of the input buffer, and oL is the length of the output buffer. The function returns a pseudorandom value with the length of oL. This definition is used to design the algorithm for confidentiality and authenticity.

4.2 Confidentiality Using a PRF In order to guarantee the confidentiality of a message a cryptographic cipher is used. A symmetric key cipher takes data of arbitrary length and a shared secret key as input, and outputs a bit string that appears to be random. The goal of a cipher 19 is that the outputted bit string, or cipher text, is computationally indistinguishable from a truly random bit string.[1] As PRFs provide a pseudorandom bit string, they are an ideal function to use when creating a stream cipher. This design is a synchronous stream cipher. That is when the key stream is generated independently of the plain text and the cipher text and then combined with the plain or cipher text using the binary exclusive-or operator. In order for this scheme to be successful, the sender and receiver must follow exactly the same steps to encrypt and decrypt the message. If any digits are added or removed from the message the synchronization is lost and the remaining message is corrupted. However, this design leads to some strengths. In situations when bit corruption is likely, the use of a stream cipher will only corrupt the bits of the cipher text that are corrupted. If this occurred while using a block cipher, the entire block of data would likely be corrupted. [1] The construction of this cipher is based on the stream cipher model, in which the cipher is producing a pseudorandom bit string to be XORed with the plain text to produce a cipher text. This model is simple to mimic using the PRF. It can be achieved by simply using an as the input to the PRF. An initialization vector is a bit string of fixed length that establishes the state of the cipher. Based on the initialization vector and the secret key, the PRF creates a different and unrelated random bit string with a length equal to the length of the plain text. This bit stream is then used as a key stream in a standard stream cipher model and XORed with the plain text. 20

Algorithm 1 Encrypting a Message Using a Stream Cipher Based on a Theoretical PRF function Encrypt(Key, P lainT ext, Length, IV ) CurrentOffset = 0 CipherT ext = {} = PRF (Key, IV, |IV |, Length) CipherT ext = P lainT ext ⊕ KeyStream return CipherT ext end function

Algorithm 2 Decrypting a Message Using a Stream Cipher Based on a Theoretical PRF function Decrypt(Key, CipherT ext, Length, IV ) CurrentOffset = 0 P lainT ext = {} KeyStream = PRF (Key, IV, |IV |, Length) P lainT ext = CipherT ext ⊕ KeyStream return P lainT ext end function

4.3 Authentication Using a PRF The process to create a MAC from a PRF is relatively simple. Since the PRF creates a random mapping from {0, 1}n → {0, 1}m, the MAC can be created by simply utilizing the PRF with the correct parameters. By having the PRF take a bit string of any length as an input and output fixed length bit string, the PRF can successfully mimic a MAC function. This construction makes the hash value created by the PRF based MAC construction dependent on all parts of the message along with the key value used to initialize the PRF.

Algorithm 3 Generating a MAC Using a Theoretical PRF function MAC(Key, Message, Length) T ag = PRF (Key, Message, |Message|, Length) return T ag end function 21

4.4 Constructing the Secure Channel Encryption and authentication functions are the most basic cryptographic primitives that can be built using a PRF. By combining the two algorithms above, authenticated encryption can be achieved. Authenticated encryption is a crypto- graphic scheme that provides both confidentiality and authenticity. In order to do this, the sender creates a cipher text and tag based on the original message. The receiver decrypts the cipher text and uses the decrypted cipher text to generate a new tag. That tag is compared with the transmitted one to verify authenticity. This primitive can be provide all the goals of the secure channel. [2] Simply gluing together a secure message authentication scheme and secure encryption scheme does not necessarily create a secure authenticated encryption scheme. Bellare et.al. analyzed three different authenticated encryption operations, Encrypt-and-MAC, MAC-then-Encrypt, and Encrypt-then-MAC. Encrypt-and-Mac performs the encryption and MAC on the original message separately and than concatenates the cipher text and tag to form the message to be transmitted. In this constructions, the plain text tag is appended to the cipher text for transmission. Encrypt-then-MAC encrypts the plain text and MACs the cipher text. The tag based on the cipher text is then transmitted with the cipher text. MAC-then-Encrypt MACs the plain text and encrypts the concatenation of the plain text and the tag. In this construction only the cipher text is transmitted, since it contains both the encrypted message and the encrypted tag. Bellare et.al. proved that MAC-then- Encrypt is the most secure of the three constructions. Based on that research, the construction of MAC-then-Encrypt was chosen for the design of the PRF based algorithm.[2] 22

Algorithm 4 Authenticated Encryption Using a Theoretical PRF function AuthEncrypt(Key, Message, T agLength, IV ) CurrentOffset = 0 CipherT ext = {} T ag = PRF (Key, Message, |Message|, T agLengthLength) KeyStream = PRF (Key, IV, |IV |, |Message| + |T ag|) CipherT ext = Message|T ag ⊕ KeyStream return {CipherT ext} end function

Algorithm 5 Authenticated Decryption Using a Theoretical PRF function AuthDecrypt(Key, CipherT ext, T agLength, IV ) CurrentOffset = 0 P lainT ext = {} KeyStream = PRF (Key, IV, |IV |, |CipherT ext|) P lainT ext|T ag = CipherT ext ⊕ KeyStream NewT ag = PRF (Key, P lainT ext, |P lainT ext|, T agLength) if NewT ag = T ag then MessageisAuthentic else MessageisNotAuthentic end if return {CipherT ext} end function 23

CHAPTER 5

SCU-PRF - STREAM CIPHER UNIVERSAL HASH PSEUDORANDOM FUNCTION

The SCU-PRF is a pseudorandom function built by combining two crypto- graphic primitives, a universal hash-function family and a stream cipher. The concept behind the design is that the universal hash function will create a unique identifier for the input value, effectively distributing it around the set of bit strings contained in {0, 1}n, and the stream cipher will randomize and expand the value, creating a highly efficient pseudorandom random function.

5.1 Test Environment This chapter will present performance details on the SCU-PRF algorithm and its individual components. In order to establish a reproducible performance baseline, the hardware and software details of the test system must be listed. The test system was a Lenovo Thinkpad T400 laptop. The system specs are detailed in the adjacent table.

5.2 Phase 1 - Compression The first phase of the SCU-PRF is built using a universal hash function family. The goal of this phase is to take a string of arbitrary length and reduce it to the a distilled unique bit string of constant length. This unique identifier will be uti- lized as the IV for the second phase. The universal hash function VHASH has the performance characteristics needed to achieve the performance goal. 24

Table 5.1: Specifications of Lenovo T400 Test Platform

Manufacturer Lenovo Model T400 Pseudorandom functions CPU Model Intel Core 2 Duo T9400 CPU Cache 6MB L2 Cache Min Frequency 800MHz Max Frequency 2.53GHz Memory 2x2GB Operating System Linux Mint 12(Based on Ubuntu 11.10) Operating System Version 64 Kernel 3.0

5.2.1 VHASH VHASH is a high efficiency implementation of a universal hash. It was chosen for use in this design do to its performance characteristics and accessible code base. VHASH uses a three-stage hashing strategy in which each stage is made from a discrete hashing function with a particular purpose. The first stage compresses the message by a fixed ratio. This is done with the purpose of reducing the amount of computation needed during the later stages. The second stage hashes the compressed message to a fixed length. Lastly, the third stage distills the second state output into a smaller number of bits while preserving the security. Each of these stages are made of primitive hash functions which were chosen to meet the specific requirements of the stages. The details of each of these stages, while important for performance, are outside the scope of this paper.[11] The performance of VHASH is due to many factors, the most important one being the 64-bit architecture shift that began with the AMD Athlon 64. These platforms allowed for multiplication of 64-bit integers and addition of 128-bit values. While not all 64-bit architectures support these type of operations, all consumer 25

Table 5.2: Performance of VHASH-128 in CPU Cycles Per Block

Bytes Cycles Per Bytes 16 38.89 32 19.70 64 9.98 128 5.31 256 3.15 512 2.05 1024 1.44 2048 1.15 4096 1.00

processors currently being produced do. VHASH relies on 64-bit multiplications and it is necessary for the performance of the algorithm.[11] The performance of VHASH was the major factor in its selection to be used in the SCU-PRF algorithm. VHASH has a reported peak performance of 0.5cpb. VHASH-128, a variation on the VHASH algorithm used to produce 128-bit tags instead of the standard 64-bit tag, was used in order to expand the range of the intermediate value. This algorithm utilizes two rounds of VHASH and therefore reports a peak performance of 1.0cpb, which was confirmed on the test system. The VHASH-128 performance numbers were collected on the test system. [8]

5.2.2 Probability of Hash Collisions In order to use VHASH within the SCU-PRF algorithm, it must be shown that VHASH has a very low likelihood of collisions. If VHASH was to collide, two input values would map to the same output value, which would break the pseudorandom goal of this construction. Fortunately, the probability of having hash collisions when the events are dependent maps to a sum-bound. With universal hash functions the 26 likelihood of a collision is based on the  value. This is the basis for the sum-bound computation.

Theorem: The probability of the i-th hash value collides with any preceding hash is a bounded by the sum of all possibly collisions. Since the probability of a collision occurring is bounded by the  based on the  value of the universal hash function,

q(q−1)∗ the probability of a hash colliding with any preceding has is 2 .

Proof: Let Ci be the event where any collisions occur within the set of i hash values.

The probability of the hash function Hk(x) colliding with Hk(x0) is less than or equal to . Based on the assumption that the input values to the universal hash is evenly distributed with little to no relation between the inputs, it can be assumed that for any two inputs chosen at random from a set of i hash values, the probability of a collision is less than or equal to . Therefore, the total number of possible collisions within the set of i messages multiplied by  would be greater than or equal to the probability of there existing a collision between any two input values selected from the set. Let Ci,j be the probability of a collision occurring between the hash values i and j

P r[C(q)] = P r[C0,1 ∪ C0,2 ∪ C0,3 ∪ ... ∪ Ci,i−1]

= P r[C0,1] + P r[C0,2] + ... + P r[Ci,i−1] i−1 X ≤ n n=1 i(i − 1) ≤ 2

This provides an upper bound for the probability that two collisions will occur

i(i−1) in a set of i input values of 2 . Since the the implementation of VHASH being used is VHASH-128,  = (l/b)2−118 where l is the input length and b is the tag length.[11]. 27

Since the epsilon value is sufficiently low, the probability of a hash collision is going to based primarily on the number of hashes being performed. For SCU-PRF, one execution of VHASH-128 is performed for each pseudorandom string generated.

5.3 Phase 2 - Expansion The Salsa20 stream cipher family was chosen to be the next component of SCU- PRF not only due to is performance, but also its security. It provides an efficient and effective way of producing a long random-looking output from the shorter hash output.

5.3.1 Salsa20 Salsa20 is a family of stream ciphers which were designed for the eSTREAM competition. The Salsa20 hash function takes a key, nonce, and block number and hashes them to create a 64-bit hash. These operations are performed by using only 32-bit additions, 32-bit XORs, and constant distance 32-bit rotation. By limiting the set of operation to these three, the designers were able to create a fast imple- mentation. Salsa20 takes a 256-bit key and 64-bit nonce as its input values and produces segments of 70-bit pseudorandom data used as a keystream. Since Salsa20 is designed as a stream cipher, it uses the exclusive-or operation to combine the key stream with the plain-text to produce the cipher text. [5] The fastest known attack on Salsa20/8 is 2249 operations, making it a good alternative for high speed encryption. This is the version of cipher that was chosen as part of the SCU-PRF implementation. [5] 28

Figure 5.1: SCU-PRF Design

The data flow for the SCU-PRF is shown above. The input to the algorithm is a n-bit string. This string is passed to VHASH for compression. VHASH reduces the string to 128-bits. This intermediate value is used as the initialization vector for Salsa20/8. Salsa20/8 generates a keystream of length m, which is outputted as the pseudorandom bit string 29

5.4 Engineering Obstacles Both components of SCU-PRF have manageable and well maintained code base, which made the process of combining the two into a PRF simple. There were still a few engineering problems that emerged during the combination.

5.4.1 Key Handling In order to prevent identical keys from being used with both the VHASH and Salsa20/8 portions of SCU-PRF, special handling for the secret key was implemented. To avoid this problem the key space is divided into two 255-bit key spaces. In order to achieve this, VHASH is keyed using the user provided key. Once VHASH has been initialized, the highest bit of the key is XORed with 1. This separates the key space and prevents any interactions between the two phases that could occur when the same key is used. The modified key is then used to initialize Salsa20/8. This operation is done as part of the SCU-PRF key initialization and requires only a single 256-bit key to be provided by the user, instead of providing one key for each phase.

5.4.2 VHASH Modifications The VHASH code base required no modification to integrate into SCU-PRF. VMAC provided an option for outputting 128-bit MAC values and the VHASH function was easily exported by including the proper headers and making small modifications to the preprocessor definitions documented in the VHASH headers.

5.4.3 Salsa20 Modifications Salsa20 was not as simple as just including the proper headers and calling the function. Salsa20 required a modification to the function that initializes the IV. For the standard Salsa20 implementation, the IV is a 64-bit value which is split between 30 two 32-bit variables housed within the ciphers context. There are two more 32-bit variables adjacent to the IV that house the block count and are always initialized to zero. In order to allow for a 128-bit IV value to be used, the IV value in the context was expanded to use the original IV variables and the block counter variables. That modification required the counter code to be modified slightly to account for the new possibility of 96-bit and 128-bit addition overflow.

5.4.4 SCU-PRF Context A new context was created for SCU-PRF, which consists of the VHASH and Salsa20/8 context. An original design included a 128-bit variable which housed the output of VHASH-128, before passing the value into Salsa. Later versions of the SCU-PRF code removed that value and instead had VMAC-128 write directly into the Salsa20/8 context, thus removing the need for intermediate values.

5.5 SCU-PRF Algorithm The basic constructing of SCU-PRF is relatively simple. As detailed before, a bit string of length n is hashed to a bit string of length 128 using VHASH-128. That value is fed into Salsa20 as the IV and is used to generate a key stream of m bits. That m bit key stream is used as the output value, which provides a deterministic mapping from a 0, 1n → 0, 1m that is computationally indistinguishable from a truly random function.

5.5.1 SCU-PRF Performance Due to the construction of the algorithm, the lower bound on cycles per byte performance of SCU-PRF is the Salsa20/8 plus the VMAC128 performance. In real world, the performance followed that expectation very closely, especially as the 31

Algorithm 6 SCU-PRF Pseudocode

function SUC-PRF(Key, Input, Lengthin, Lengthout) SalsaIV = 0 Output = 0 SalsaIV = V HASH(Key, Input, Lengthin) Output = Salsa20/8 Keystream(Key, SalsaI V, Lengthout) return Output end function message length increased. The overhead of function calls and intermediate variable assignments were the only differences between the lower bound theoretical perfor- mance and the real world performance, and these differences disappeared as the data size increased. There is one particularly interesting feature present in the performance data. Between 4MB and 8MB, there is a 10% increase in the cycles required to process each byte of data. This is due to data filling the 6MB cache, forcing cache evictions to occur. While the intermediate data passed between the two phases of SCU-PRF is not affected by it, each of the algorithms must process more than 6MB of data and that extra processing could be due to extra reads from main memory.

5.6 Cryptographic Applications and Performance SCU-PRF provides a good base for building cryptographic primitives in a sim- ple and highly efficient manner. The construction of encryption, authentication, and authenticated encryption primitives are detailed in the current section.

5.6.1 Encryption As shown in the earlier section on encryption using a PRF, the SCU-PRF can be applied simply. SCU-PRF can be used to generate a pseudorandom bit string of 32

Table 5.3: Performance of SCU-PRF in CPU Cycles Per Byte

Bytes VHASH Salsa20/8 Expected SCU-PRF Real SCU-PRF 32 4.36 10.89 15.25 15.67 64 2.83 5.66 8.49 10.18 128 1.84 6.44 8.28 8.04 256 1.2 6.58 7.78 7.38 512 1.17 6.61 7.78 7.39 1024 1.01 6.57 7.58 7.14 2048 0.99 6.24 7.23 7.09 4096 0.85 6.41 7.26 7.02 8192 0.83 6.25 7.08 6.99 16384 0.9 6.32 7.22 7 32768 0.85 6.34 7.19 7.02 65536 0.84 6.31 7.15 7 131072 0.86 6.28 7.14 7 262144 0.86 6.29 7.15 7.01 524288 0.86 6.29 7.15 7.01 1048576 0.86 6.3 7.16 7.02 2097152 0.86 6.33 7.19 7.03 4194304 0.86 6.47 7.33 7.12 8388608 0.86 7.16 8.02 7.85 33

Figure 5.2: SCU-PRF Efficiency

any length from a fixed length IV. The random sequence will be used as a key stream and combined with the message using an XOR operation. The encryption scheme was validated by providing a set if differing keys, IVs, and messages and verifying the the original message is the same as the decryption message. The performance was measured using the same style of metrics as the SCU-PRF performance.

5.6.2 Authentication Based on the performance profiles of VHASH128 and Salsa20/8, the authen- tication algorithm shows very good performance. The current bottle neck created by the Salsa20/8 function is reduced, since it must only generate enough keystream to create the tag. Utilizing SCU-PRF as a MAC takes full advantage of the PRF design. 34

Table 5.4: Performance of SCU-PRF Based Encryption in CPU Cycles Per Byte

Bytes SCU-PRF Based Encryption(cpb) 32 17.43 64 11.33 128 9.21 256 7.78 512 7.00 1024 7.08 2048 6.74 4096 6.62 8192 6.66 16384 6.59 32768 6.57 65536 6.60 131072 6.57 262144 6.57 524288 6.58 1048576 6.59 2097152 6.61 4194304 6.59 8388608 7.21 35

Figure 5.3: SCU-PRF Based Encryption Efficiency

Figure 5.4: SCU-PRF Based MAC Efficiency 36

Table 5.5: Performance of SCU-PRF Based Authentication in CPU Cycles Per Byte

Bytes 32-Byte Tag 64-Byte Tag 128-Byte Tag 256-Byte Tag 32 13.07 17.43 17.43 17.43 64 7.08 8.5 8.5 9.91 128 4.6 3.68 4.6 4.6 256 2.39 2.39 2.99 3.59 512 1.56 1.94 1.94 1.94 1024 1.26 1.26 1.52 1.52 2048 0.99 1.15 1.15 1.15 4096 0.96 0.96 0.96 1.07 8192 0.9 0.9 0.97 0.9 16384 0.86 0.9 0.9 0.9 32768 0.88 0.88 0.88 0.88 65536 0.86 0.88 0.86 0.86 131072 0.87 0.86 0.86 0.87 262144 0.86 0.87 0.86 0.86 524288 0.86 0.86 0.86 0.86 1048576 0.86 0.86 0.86 0.86 2097152 0.86 0.86 0.86 0.88 4194304 0.87 0.87 0.88 0.88 8388608 0.98 0.97 0.97 0.97 37

Figure 5.5: SCU-PRF Based Authenticate Encryption Efficiency

The MAC was tested using a variety of random input messages, each message processed twice, each time with a different context. Since the results of the MAC are consistent across multiple instances and multiple executions, the functionality is verified.

5.6.3 Secure Channel Performance The construction of the authenticated encryption protocol based on the SCU- PRF authentication and encryption primitives was simple. The encryption scheme was implemented so that it would be straightforward to add a tag to the set of data to be encrypted or decrypted. This allowed for a simple implementation which just made a function call to each of the primitives. The performance of this implementation matched what was expected. Each byte of message was processed by both the cipher and the MAC, and, therefore, the 38

Table 5.6: Performance of SCU-PRF Based Authenticated Encryption in CPU Cycles Per Byte

Bytes 32-Byte Tag 64-Byte Tag 128-Byte Tag 256-Byte Tag 32 37.04 37.04 43.57 52.29 64 24.08 24.08 25.49 26.91 128 15.65 15.65 16.57 17.49 256 11.97 11.97 11.97 12.57 512 9.72 9.33 9.72 10.11 1024 8.6 8.6 8.34 8.6 2048 7.89 7.89 8.05 8.05 4096 7.69 7.69 7.69 7.69 8192 7.5 7.5 7.5 7.5 16384 7.45 7.45 7.4 7.45 32768 7.48 7.48 7.51 7.63 65536 7.53 7.53 7.51 7.51 131072 7.53 7.52 7.52 7.53 262144 7.53 7.52 7.54 7.63 524288 7.62 7.68 7.65 7.7 1048576 7.68 7.65 7.61 7.64 2097152 7.75 8.33 7.7 7.72 4194304 8.38 8.38 8.47 8.33 8388608 9.56 9.27 9.22 9.21 39 efficiency was equal to the sum of the two. The authenticated encryption scheme was tested using multiple keys and messages. The message was MACed and encrypted. The resulting strings were then decrypted and MACed again, and the MAC compared to the transmitted MAC.

5.7 Performance Overview The performance of SCU-PRF and the encryption and authentication schemes based on it was very good. When compared to other scheme, the cycles per byte efficiency was not only competitive, but in some cases, best in class. The efficiency of the encryption scheme was adequate. Since it is based on a high efficiency stream cipher, it was not surprising that it performed better than most of the block ciphers. When compared to other stream ciphers, such as Salsa20, it did not match up. The throughput of the algorithm placed it slightly below that of Salsa20, but above any AES implementation. While the performance numbers for Salsa20 were not produced on the same system, the reported values are 4.3cpb for the 20 round version and 2.0cpb for the 8 round version.[7] This is partially due to the C language implementation of the Salsa20/8 algorithm that SCU-PRF is based on. The throughput for was 369 MB/sec, compared to the Salsa20 and Salsa20/8 throughput of 408 and 887 MB/sec, respectively. Future work on integrating the as- sembly language version of the algorithm should bring the efficiency and throughput of SCU-PRF near that of Salsa20. The MAC performance was the strength of this implementation. Since the cycles per byte efficiency calculation is based on the input message size, the SCU- PRF performed well. VHASH reduced the message to a 128-bit string efficiently and Salsa is only required to generate enough keystream to fulfill the tag require- 40

Table 5.7: Cryptographic Algorithm Performance Comparison

Protocol Peak Throughput(MB/Sec) VMAC64(AES)* 1519 VMAC128(AES)* 779 CMAC(AES)* 109 SCU-PRF MAC 2819 AES/GCM(64K Tables)* 108 Salsa20* 408 Salsa20/8* 887 SCU-PRF Encrypt 369 SCU-PRF AE 327 The table above contains the peak throughput(MB/sec) for a variety of cryp- tographic algorithms as measured by the test system and reported by crypto- graphic libraries(marked with *).[7]

ment, so the bottleneck caused by the C implementation of Salsa was lessened. This showed when comparing the SCU-PRF MAC to other algorithms. Due to the lim- ited use of Salsa, the efficiency was equal to the efficiency of the VHASH algorithm. This efficiency makes it competitive with the VMAC-128 implementation with AES. VMAC128(AES) has a peak throughput of 1519 MB/sec, nearly half the throughput of SCU-PRF at 2819 MB/sec.[7] One other advantage of the SCU-PRF algorithm is that it will scale well with different MAC sizes. Unlike the VMAC-128(AES) imple- mentation, which is restricted to a specific tag size, the SCU-PRF implementation can produce any tag size with simple modifications and the increased tag size has been shown to not affect the throughput or efficiency of the algorithm. 41

CHAPTER 6

CONCLUSION

Since the majority of modern communications are performed digitally, the con- struction of a channel that is not only secure, but also efficient, is of utmost im- portance. By using a pseudorandom function as the most basic primitive, it has been shown that a set of cryptographic primitives capable of providing authenticity and confidentiality can be constructed. Not only do PRF based primitives meet the requirements of constructing a secure channel and authenticated encryption scheme, they do so efficiently. The use of a PRF allows for a simple construction focused on the goals of the protocol and less on the implementation. In order to construct the protocol from a real PRF, the design and imple- mentation for SCU-PRF was presented. This PRF provides a simple and flexible implementation capable of processing a bit string of any length and creating a pseu- dorandom bit string of any length. The construction was built from VHASH, a uni- versal hash function, and Sasla20/8, a reduced round version of the Salsa20 stream cipher. Based on these components, SCU-PRF was able to provide a efficient PRF that could be easily utilized in the construction of cryptographic protocols. As secure communication moves from being the concern of the nation state, cor- poration, and technophile, to being the concern of the common person, the simplicity and efficiency of the cryptographic primitives that are used becomes paramount to their success. The future of communications is going to be built around the concept of real-time, always connected networking, with little time available for providing security. Therefore the goals of all new cryptographic primitives must be speed and 42 efficiency in addition to the classic goals of confidentiality and authenticity. Imple- mentation like VMAC, Salsa20, and SCU-PRF are part of a class of cryptographic primitives based these goals.

6.1 Future Work In order to expand the usefulness of the PRF, more protocols should be de- signed based on them. Deterministic authenticated encryption and authenticated encryption with associated data are simple expansions on the protocols detailed in this paper. Deterministic authenticated encryption is the concept of removing the necessity of the IV or nonce from an authenticated encryption protocol. This is done by deterministically computing the IV based on the message or some other piece of data associated with the message. Authenticated encryption with associated data is the same as authenticated encryption, except that it authenticates data that is not included in the encryption. This style of protocol is very useful for network commu- nications, where the packet headers must be transmitted in the clear but should be authenticated to when the packet reaches the receiver to guarantee authenticity. By continuing to construct protocols based on the PRF, the flexibility of the PRF can be shown and utilized to construct other simple and efficient primitives. In terms of performance, SCU-PRF has a few potential improvements. The current implementation uses the ’C’ language version of Salsa20/8, which was neces- sary due to integration issues. Salsa20/8 has an implementation written in assembly code that has a peak listed performance of 2.0 cycles per byte. By basing SCU-PRF on the assembly language implementation of Salsa20, the performance of SCU-PRF can be theoretically reduced by 4 cycles per byte. In addition, there are a few bottle- necks in SCU-PRF where utilization of assembly code and SSE 128-bit instructions 43 could improve performance. By implementing the performance improvements, the algorithm would be competitive or surpass the efficiency of most other encryption and authentication schemes. 44

Appendix

Source Code

SCU-PRF Header File

/∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/ /∗ F i l e : SCUPRF. h ∗/ /∗ Author: Matt Clarke−Lauer ∗/ /∗ E−Mail: mdlauer[AT] gmail [DOT]com ∗/ /∗ Description: contains headers and context structures for SCU−PRF ∗/ /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/

//Global includes #include ” ecrypt −sync . h” #include ”vmac . h”

//Preprocessor Definitions #define ULONGLONG unsigned long long #define ULONG unsigned long #define UCHAR unsigned char #define BIT ( x ) (1UL << ( x ) )

#define SALSA IV input [ 6 ]

// Structure: prf c t x t // Description: Context for SCU−PRF typedef struct { ECRYPT_ctx salsa_ctx ; vmac_ctx_t vmac_ctx ; } SCUPRF_ctx ;

// Function Prototypes inline void SCUPRF_Init ( SCUPRF_ctx ∗pCtx , 45

ULONGLONG ∗ pKey ); inline void SCUPRF ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG InLength , ULONG OutLength ); inline void SCUPRF_MAC ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG ulMessageLength , ULONG ulTagLength ); inline void SCUPRF_Encrypt ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , ULONG ulLength , uint64_t ∗ pOutput , uint64_t ∗pIV , ULONG ulIVLength ); inline void SCUPRF_Decrypt ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , ULONG ulLength , uint64_t ∗ pOutput , uint64_t ∗pIV , ULONG ulIVLength ); void SCUPRF_AuthEncrypt ( SCUPRF_ctx ∗ pEncryptCtx , SCUPRF_ctx ∗ pMacCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , unsigned long ulLength , uint64_t ∗ pIV , unsigned long ulIVLength , ULONG ulTagLength );

SCU-PRF Source File 46

/∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/ /∗ F i l e : SCUPRF. c ∗/ /∗ Author: Matt Clarke−Lauer ∗/ /∗ E−Mail: mdlauer[AT] gmail [DOT]com ∗/ /∗ Description: Contains init and execution functions for SCUPRF ∗/ /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/ #include ”SCUPRF. h”

// Function: SCUPRF Init // Inputs : //SCUPRF ctx pCtx : context to be intialized // unsigned long ∗pKey : pointer to key // Outputs: None // Description: // Initialize SCUPRF Ctx. Must be done before void SCUPRF_Init ( SCUPRF_ctx ∗pCtx , ULONGLONG ∗ pKey ) { // Initialize Salsa20/8 Context ECRYPT_keysetup (&( pCtx−>salsa_ctx ),( u8 ∗) pKey , 2 5 6 , 0 ) ;

// Flip High bit in key and intialize VMAC context // NOTE: Key seperate is done by flipping highest bit pKey [ 0 ] ˆ= __BIT ( 3 1 ) ; vmac_set_key (( UCHAR ∗) pKey ,&( pCtx−>vmac_ctx )); }

// Function: SCUPRF // Inputs : //SCUPRF ctx pCtx : pointer to context // u i n t 6 4 t pInput : pointer to input data // u i n t 6 4 t pOutput : pointer to output buffer // ULONG InLength : Length of input buffer // ULONG OutLength : Length of Output buffer // Outputs: None // Description: // SCUPRF Implementation inline void SCUPRF ( SCUPRF_ctx ∗pCtx , 47

uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG InLength , ULONG OutLength ) { // C a l l to VHASH pCtx−>salsa_ctx . input [ 8 ] = vhash (( UCHAR ∗) pInput , InLength , ( uint64_t ∗)(&( pCtx−>salsa_ctx . SALSA_IV )), &(pCtx−>vmac_ctx ));

// Call to Salsa20/8 ECRYPT_keystream_bytes (&( pCtx−>salsa_ctx ), ( u8 ∗) pOutput , OutLength ); }

// Function: SCUPRF SALSA // Inputs : //SCUPRF ctx pCtx : pointer to context // u i n t 6 4 t pInput : pointer to input data // u i n t 6 4 t pOutput : pointer to output buffer // ULONG InLength : Length of input buffer // ULONG OutLength : Length of Output buffer // Outputs: None // Description: // Salsa only protion of SCU−PRF. Used for performance testing inline void SCUPRF_SALSA ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG InLength , ULONG OutLength ) { // Call to Salsa20/8 ECRYPT_keystream_bytes (&( pCtx−>salsa_ctx ), ( u8 ∗) pOutput , OutLength ); } 48

// Function: SCUPRF NO IV // Inputs : //SCUPRF ctx pCtx : pointer to context // u i n t 6 4 t pInput : pointer to input data // u i n t 6 4 t pOutput : pointer to output buffer // ULONG InLength : Length of input buffer // ULONG OutLength : Length of Output buffer // Outputs: None // Description: // Salsa only protion of SCU−PRF. Used for performance testing inline void SCUPRF_NO_IV ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG InLength , ULONG OutLength ) { // Call to Salsa20/8 ECRYPT_keystream_bytes (&( pCtx−>salsa_ctx ), ( u8 ∗) pOutput , OutLength ); }

// Function: SCUPRF VHASH // Inputs : //SCUPRF ctx pCtx : pointer to context // u i n t 6 4 t pInput : pointer to input data // u i n t 6 4 t pOutput : pointer to output buffer // ULONG InLength : Length of input buffer // ULONG OutLength : Length of Output buffer // Outputs: None // Description: // VHASH only protion of SCU−PRF. Used for performance testing inline void SCUPRF_VHASH ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG InLength , ULONG OutLength ) 49

{ // C a l l to VHASH pCtx−>salsa_ctx . input [ 8 ] = vhash (( UCHAR ∗) pInput , InLength , ( uint64_t ∗) (&( pCtx−>salsa_ctx . SALSA_IV )), &(pCtx−>vmac_ctx )); }

// Function: SCUPRF MAC // Inputs : //SCUPRF ctxpCtx : pointer to context // u i n t 6 4 t pInput : pointer to message data // u i n t 6 4 t pOutput : pointer to tag buffer // ULONG ulMessageLength : Length of Message buffer // ULONG ulTagLength : Length of Tag buffer // Outputs: None // Description: // Utilize SCUPRF to generate Message Authenitcation Code inline void SCUPRF_MAC ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , ULONG ulMessageLength , ULONG ulTagLength ) { SCUPRF ( pCtx , pInput , pOutput , ulMessageLength , ulTagLength ); }

// Function: SCUPRF EncryptC // Inputs : //SCUPRF ctxpCtx : pointer to context // u i n t 6 4 t pInput : pointer to message data // ULONB ulLength : length of message data // u i n t 6 4 t pOutput : pointer to Output Buffer 50

// u i n t 6 4 t pIv :pointertoIV // ULONG ulIVLength : Length of IV buffer // Outputs: None // Description: // Utilize SCUPRF to encrypt input data inline void SCUPRF_Encrypt ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , ULONG ulLength , uint64_t ∗ pOutput , uint64_t ∗pIV , ULONG ulIVLength ) {

SCUPRF ( pCtx , pIV , pOutput , ulIVLength , ulLength ); ulLength /= s i z e of ( uint64_t );

while ( ulLength > 0 ) { ulLength −−; pOutput [ ulLength ] ˆ= pInput [ ulLength ]; } }

// Function: SCUPRF Decrypt // Inputs : //SCUPRF ctxpCtx : pointer to context // u i n t 6 4 t pInput : pointer to message data // ULONB ulLength : length of message data // u i n t 6 4 t pOutput : pointer to Output Buffer // u i n t 6 4 t pIv :pointertoIV // ULONG ulIVLength : Length of IV buffer // Outputs: None // Description: // Utilize SCUPRF to decrypt input data 51

inline void SCUPRF_Decrypt ( SCUPRF_ctx ∗pCtx , uint64_t ∗ pInput , ULONG ulLength , uint64_t ∗ pOutput , uint64_t ∗pIV , ULONG ulIVLength ) { SCUPRF_Encrypt ( pCtx , pInput , ulLength , pOutput , pIV , ulIVLength ); }

// Function: SCUPRF AuthEncrypt // Inputs : //SCUPRF ctx pEncryptCtx : pointer to encryption context //SCUPRF ctx pMacCtx : pointer to MAC context // u i n t 6 4 t pInput : pointer to message data // u i n t 6 4 t pOutput : pointer to Output Buffer // ULONB ulLength : length of message data // u i n t 6 4 t pIv :pointertoIV // ULONG ulIVLength : Length of IV buffer // ULONG ulTagLength : Length of MAC tag // Outputs: None // Description: // Utilize SCUPRF to MAC and encrypt the message void SCUPRF_AuthEncrypt ( SCUPRF_ctx ∗ pEncryptCtx , SCUPRF_ctx ∗ pMacCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , unsigned long ulLength , uint64_t ∗ pIV , unsigned long ulIVLength , ULONG ulTagLength ) { SCUPRF_MAC ( pMacCtx , 52

pInput , &(pInput [ ulLength / s i z e o f ( uint64_t )]), ulLength , ulTagLength ); SCUPRF_Encrypt ( pEncryptCtx , pInput , ulLength+ulTagLength , pOutput , pIV , ulIVLength ); }

// Function: SCUPRF AuthDecrypt // Inputs : //SCUPRF ctx pEncryptCtx : pointer to encryption context //SCUPRF ctx pMacCtx : pointer to MAC context // u i n t 6 4 t pInput : pointer to message data // u i n t 6 4 t pOutput : pointer to Output Buffer // ULONB ulLength : length of message data // u i n t 6 4 t pIv :pointertoIV // ULONG ulIVLength : Length of IV buffer // ULONG ulTagLength : Length of MAC tag // Outputs: BOOLEAN for wether message was authentic // Description: // Utilize SCUPRF to decrypt and authneticate message inline ULONG SCUPRF_AuthDecrypt ( SCUPRF_ctx ∗ pEncryptCtx , SCUPRF_ctx ∗ pMacCtx , uint64_t ∗ pInput , uint64_t ∗ pOutput , unsigned long ulLength , uint64_t ∗ pIV , unsigned long ulIVLength , uint64_t ∗ pTag , ULONG ulTagLength ) { uint64_t MacCheck [ 1 0 2 4 ] ; SCUPRF_Decrypt ( pEncryptCtx , pInput , 53

ulLength+ulTagLength , pOutput , pIV , ulIVLength ); SCUPRF_MAC ( pMacCtx , pOutput , MacCheck , ulLength , ulTagLength ); ulLength /= s i z e o f ( uint64_t ); ulTagLength /= s i z e o f ( uint64_t ); while ( ulTagLength > 0) { ulTagLength −−; i f ( MacCheck [ ulTagLength ] != pOutput [ ulLength+ulTagLength ]) { printf (”TAG Mismatch\n” ) ; // return 0 ; } } return 1 ; } 54

References

1. S. Vanstone A. Menezes, P. Van Oorschot and R. L. Rivest. Handbook of applied cryptography, 1997.

2. M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 531–545. Springer Berlin / Heidelberg, 2000.

3. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. pages 62–73. ACM Press, 1993.

4. M. Bellare and P. Rogaway. Introduction to modern crypotgraphy, 2005.

5. D. Bernstein. The salsa20 family of stream ciphers, 2007.

6. J. Kelsey C. Hall, D. Wagner and B. Schneier. Building prfs from prps. In Ad- vances in CryptologyCRYPTO 98, LNCS 1462, pages 370–389. Springer- Verlag, 1998.

7. W Dai. Speed comparison of popular crypto algorithms, April 2012.

8. W. Dai and T. Krovetz. Vhash security. Cryptology ePrint Archive, Report 2007/338, 2007. http://eprint.iacr.org/.

9. Zytrax Inc. Survival guide - encryption, authentication, April 2012.

10. M. Jenkin and P. Dymond. One-time pads for secure communication in ubiqui- tous computing, 2004.

11. T. Krovetz. Message authentication on 64-bit architectures. In In Selected Ar- eas in Cryptography: 13th International Workshop, SAC 2006. Springer- Verlag, 2006.

12. M. Langberg. An implementation of efficient pseudo-random functions, 1998.

13. T. Krovetz M. Bellare and P. Rogaway. Luby-rackoff backwards: Increasing se- curity by making block ciphers non-invertible. In ADVANCES IN CRYP- TOLOGY—EUROCRYPT ’98 PROCEEDINGS, pages 140–3. Springer- Verlag, 1998. 55

14. M. Naor and O. Reingold. Synthesizers and their application to the parallel construction of pseudo-random functions. In Proc. 36th IEEE Symp. on Foundations of Computer Science, pages 170–181, 1995.

15. M. Naor and O. Reingold. From unpredictability to indistinguishability: A simple construction of pseudo-random functions from macs. In Advances in Cryptology - CRYPTO ’98, LNCS, pages 267–282. Springer-Verlag, 1998.

16. S. Vadhan. The unified theory of pseudorandomness, 2007.

17. M. Wegman and L. Carter. Universal classes of hash functions. In Journal of Computer and System Sciences, number 18, pages 143–154, 1979.