Security of Authenticated Encryption Modes

Bart Mennink Radboud University (The Netherlands)

COST Training School on Symmetric Cryptography and Blockchain

February 22, 2018

1 / 57 −−−−−→ ←−−−−−

Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data

Authenticated Encryption

A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ B

2 / 57 Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data

Authenticated Encryption

A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B

2 / 57 Authentication • No outsider can manipulate data

Authenticated Encryption

A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B

Encryption • No outsider can learn anything about data

2 / 57 Authenticated Encryption

A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B

Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data

2 / 57 CAESAR Competition

3 / 57 CAESAR Competition

Competition for Authenticated Encryption: Security, Applicability, and Robustness

Goal: portfolio of authenticated encryption schemes

Mar 15, 2014: 57 rst round candidates Jul 7, 2015: 29.5 second round candidates Aug 15, 2016: 16 third round candidates ??: announcement of nalists ??: announcement of nal portfolio

4 / 57 • Nonce N randomizes the scheme

Authenticated Encryption 4 AE

A, M AE C, T

• Ciphertext C encryption of message M • Tag T authenticates associated data A and message M

5 / 57 Authenticated Encryption 4 AE

A, M AE C, T

• Ciphertext C encryption of message M • Tag T authenticates associated data A and message M • Nonce N randomizes the scheme

5 / 57 • Correctness: ADk(N, A, AE k(N, A, M)) = M

PSfrag replacements m t c E k E t Authenticated Decryption A, M5 AD Ne C, T AE k k

M if T correct A, C, T AD otherwise (⊥ N

• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect

6 / 57 • Correctness: ADk(N, A, AE k(N, A, M)) = M

PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k

M if T correct A, C, T AD otherwise (⊥ N

• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect

6 / 57 PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k

M if T correct A, C, T AD otherwise (⊥ N

• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect

• Correctness: ADk(N, A, AE k(N, A, M)) = M

6 / 57 • Distinguisher D has query access to one of these → unique nonce for each encryption query • D tries to determine which oracle it communicates with

h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1

Authenticated Encryption Security 6 indistsimpleAE

AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥

distinguisher D

• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥)

7 / 57 • D tries to determine which oracle it communicates with

h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1

Authenticated Encryption Security 6 indistsimpleAE

AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥

distinguisher D

• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥) • Distinguisher D has query access to one of these → unique nonce for each encryption query

7 / 57 h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1

Authenticated Encryption Security 6 indistsimpleAE

AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥

distinguisher D

• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥) • Distinguisher D has query access to one of these → unique nonce for each encryption query • D tries to determine which oracle it communicates with

7 / 57 Authenticated Encryption Security 6 indistsimpleAE

AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥

distinguisher D

h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1

7 / 57 100% Security is Impractical

8 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking

Nonce-Reuse

Conclusion

9 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking

Nonce-Reuse

Conclusion

10 / 57 • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack

• Bellare and Namprempre (2000): 3 basic approaches

1 E&M MtE EtM m m m

PSfrag replacements Enck MACl MACl Enck Enck MACl

c t t c c t • Used in SSH • Used in TLS • Used in IPSec

Generic Composition

• Generic constructions for AE: • Enc + MAC = AE

11 / 57 • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack

Generic Composition

• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches

1 E&M MtE EtM m m m

PSfrag replacements Enck MACl MACl Enck Enck MACl

c t t c c t • Used in SSH • Used in TLS • Used in IPSec

11 / 57 • Mildly insecure • Most secure variant • Padding oracle • Ciphertext integrity attack

Generic Composition

• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches

1 E&M MtE EtM m m m

PSfrag replacements Enck MACl MACl Enck Enck MACl

c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure

• MACL(m) = mkt

11 / 57 • Most secure variant • Ciphertext integrity

Generic Composition

• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches

1 E&M MtE EtM m m m

PSfrag replacements Enck MACl MACl Enck Enck MACl

c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure MAC • L(m) = mkt • Padding oracle attack

11 / 57 Generic Composition

• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches

1 E&M MtE EtM m m m

PSfrag replacements Enck MACl MACl Enck Enck MACl

c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack

11 / 57 • Parallelizable • Evaluates E only (no E−1) • Provably secure (if E is PRP) • Very ecient in HW • Reasonably ecient in SW

What happens if nonce is re-used?

GCM for 96-bit nonce N

1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC

C1 C2 Cm

A GHASHL

MAC

12 / 57 What happens if nonce is re-used?

GCM for 96-bit nonce N

1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC • Parallelizable C1 C2 Cm • Evaluates E only (no E−1) Provably secure A GHASHL • (if E is PRP) MAC • Very ecient in HW T • Reasonably ecient in SW

12 / 57 GCM for 96-bit nonce N

What happens if nonce is re-used?

12 / 57 • Inherits GCM features • Secure against nonce-reuse • Proof: Iwata and Seurin (2017)

GCM-SIV

1 GCMSIV

N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015)

Ek KeyGen EK EK EK • MtE design

C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free

A GHASHL

EK MAC

13 / 57 GCM-SIV

1 GCMSIV

N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015)

Ek KeyGen EK EK EK • MtE design

C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free

A GHASHL • Inherits GCM features

N • Secure against nonce-reuse • Proof: Iwata and Seurin EK MAC (2017)

13 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking

Nonce-Reuse

Conclusion

14 / 57 • Tweak: exibility to the cipher • Each tweak gives dierent permutation

Tweakable Blockciphers 1 cipher

m E c

15 / 57 Tweakable Blockciphers 2 ciphertweakable

m E c

t e

• Tweak: exibility to the cipher • Each tweak gives dierent permutation

15 / 57 • D tries to determine which oracle it communicates with

stprp h E ,E−1 i h π,π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee

Tweakable Blockcipher Security

1 indistsimpletE

Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e

distinguisher D

• Eek should look like random permutation for every t • Dierent tweaks −→ pseudo-independent permutations

16 / 57 Tweakable Blockcipher Security

1 indistsimpletE

Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e

distinguisher D

• Eek should look like random permutation for every t • Dierent tweaks −→ pseudo-independent permutations • D tries to determine which oracle it communicates with

stprp h E ,E−1 i h π,π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee

16 / 57 in CAESAR

KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR

rst round, second round, third round

Tweakable Blockcipher Designs

3 ciphertweakable-black

1 tEE 2 tEP

k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based

17 / 57 Tweakable Blockcipher Designs in CAESAR

3 ciphertweakable-black

1 tEE 2 tEP

k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based

KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR

rst round, second round, third round 17 / 57 • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak • Triangle inequality:

ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee

Example2 OCBgen Use in OCBx (1/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek

C1 C2 Cd T

• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11]

18 / 57 • Triangle inequality:

ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee

Example3 OCBgenalert Use in OCBx (1/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek

C1 C2 Cd T

• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak

18 / 57 • Triangle inequality:

≤ Advae (σ) + Advstprp(σ) AE[πe] Ee

Example3 OCBgenalert Use in OCBx (1/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek

C1 C2 Cd T

Advae (σ) AE[Eek]

18 / 57 + Advstprp(σ) Ee

Example4 OCBgenalertpi Use in OCBx (1/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

ae ae Adv (σ) ≤ AdvAE[π](σ) AE[Eek] e

18 / 57 Example4 OCBgenalertpi Use in OCBx (1/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee

18 / 57 • Tag forged with probability at most 1/(2n − 1)

design tweakableTo do: blockcipher

• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function

Advae (σ) ≤ 1/(2n − 1) AE[πe]

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

19 / 57 • Tag forged with probability at most 1/(2n − 1)

design tweakableTo do: blockcipher

Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function

Advae (σ) ≤ 1/(2n − 1) AE[πe]

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

• Nonce uniqueness ⇒ tweak uniqueness

19 / 57 • Tag forged with probability at most 1/(2n − 1)

design tweakableTo do: blockcipher

• Authentication behaves like random function

Advae (σ) ≤ 1/(2n − 1) AE[πe]

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $

19 / 57 design tweakableTo do: blockcipher

• Tag forged with probability at most 1/(2n − 1)

Advae (σ) ≤ 1/(2n − 1) AE[πe]

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function

19 / 57 design tweakableTo do: blockcipher

Advae (σ) ≤ 1/(2n − 1) AE[πe]

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function • Tag forged with probability at most 1/(2n − 1)

19 / 57 design tweakableTo do: blockcipher

Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

C1 C2 Cd T

Advae (σ) ≤ 1/(2n − 1) AE[πe]

19 / 57 Example4 OCBgenalertpi Use in OCBx (2/2)

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜

design tweakableTo do: blockcipherC1 C2 Cd T

Advae (σ) ≤ 1/(2n − 1) AE[πe]

19 / 57 Dedicated Tweakable Blockciphers

• Hasty Pudding Cipher [Sch98] • AES submission, rst tweakable cipher

• Mercy [Cro01] • Disk encryption

• Threesh [FLS+07] • SHA-3 submission Skein

• TWEAKEY framework [JNP14] • Four CAESAR submissions • SKINNY & MANTIS

20 / 57 • Security measured through cryptanalysis • Our focus: modular design

TWEAKEY Framework

1 tweakey• TWEAKEY by Jean et al. [JNP14]:

(k, t) h h h ······ g g g g

m f f f c ······

• f: round function • g: subkey computation • h: transformation of (k, t)

21 / 57 TWEAKEY Framework

1 tweakey• TWEAKEY by Jean et al. [JNP14]:

(k, t) h h h ······ g g g g

m f f f c ······

• f: round function • g: subkey computation • h: transformation of (k, t)

• Security measured through cryptanalysis • Our focus: modular design

21 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security

Nonce-Reuse

Conclusion

22 / 57 ←−−− ←−−− blend it with the key blend it with the state

ts1 recipe-emptyIntuition: Design

k t ?

mE c

• Consider a blockcipher E with κ-bit key and n-bit state

How to mingle the tweak into the evaluation?

23 / 57 ts1 recipe-emptyIntuition: Design

k t ?

mE c

• Consider a blockcipher E with κ-bit key and n-bit state

How to mingle the tweak into the evaluation?

←−−− ←−−− blend it with the key blend it with the state

23 / 57 • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour • TWEAKEY blending [JNP14] is more advanced

2 recipe-keyIntuition: Design

k t

mE c

• Blending tweak and key works. . . • . . . but: careful with related-key attacks!

24 / 57 • TWEAKEY blending [JNP14] is more advanced

2 recipe-keyIntuition: Design

k t

mE c

• Blending tweak and key works. . . • . . . but: careful with related-key attacks! • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour

24 / 57 2 recipe-keyIntuition: Design

k t

mE c

• Blending tweak and key works. . . • . . . but: careful with related-key attacks! • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour • TWEAKEY blending [JNP14] is more advanced

24 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek

3 recipe-msg1Intuition: Design

k t

mE c

• Simple blending of tweak and state does not work

25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary

• Some secrecy required: h Still does not work if adversary has access to −1 • Eek

3 recipe-msg1Intuition: Design

k t

mE c

• Simple blending of tweak and state does not work

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C)

25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary

Still does not work if adversary has access to −1 • Eek

Intuition: Design t4 recipe-msg2

k h t ⊗

mE c

• Simple blending of tweak and state does not work

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h

25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary

Intuition: Design t4 recipe-msg2

k h t ⊗

mE c

• Simple blending of tweak and state does not work

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek

25 / 57 • Two-sided masking necessary

Intuition: Design t4 recipe-msg2

k h t ⊗

mE c

• Simple blending of tweak and state does not work

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C

25 / 57 5 recipe-msg3Intuition: Design

k h t h t ⊗ ⊗

mE c

• Simple blending of tweak and state does not work

• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary

25 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle

• Generalizing masking? Depends on function f

• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem

5 recipe-msg3Intuition: Design

k h t h t ⊗ ⊗

mE c

• Two-sided secret masking seems to work • Can we generalize?

26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle

• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem

6 recipe-msg4Intuition: Design

k f(t) f(t)

m E c

• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f

26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle

• Releasing secrecy in E? Usually no problem

7 recipe-msg5Intuition: Design

f1(t) f2(t)

mE c

• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f

• Variation in masking? Depends on functions f1, f2

26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle

8 recipe-msg6Intuition: Design

f1(t) f2(t)

mP c

• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f

• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem

26 / 57 8 recipe-msg6Intuition: Design

f1(t) f2(t) Majority of tweakable blockciphers follow mask-mP c E • Two-sided secret maskingk /P seems-mask to work principle • Can we generalize? • Generalizing masking? Depends on function f

• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem

26 / 57 • Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek

27 / 57 • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek

• Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks

27 / 57 )9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek

• Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security

27 / 57 • For any two queries (t, m, c), (t0, m0, c0):

0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )

• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0

Scheme can be broken in ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

28 / 57 • Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0

Scheme can be broken in ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• For any two queries (t, m, c), (t0, m0, c0):

0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )

28 / 57 • Implication still holds with dierence C xored to m, m0

Scheme can be broken in ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• For any two queries (t, m, c), (t0, m0, c0):

0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )

• Unlikely to happen for random family of permutations

28 / 57 Scheme can be broken in ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• For any two queries (t, m, c), (t0, m0, c0):

0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )

• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0

28 / 57 )9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• For any two queries (t, m, c), (t0, m0, c0):

0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )

• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0

Scheme can be broken in ≈ 2n/2 evaluations

28 / 57 • Typical approach: • Consider any transcript τ an adversary may see • Most τ's should be equally likely in both worlds • Odd ones should happen with very small probability

All constructions in this presentation: secure up to ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• The fun starts here! • More technical and often more involved

29 / 57 All constructions in this presentation: secure up to ≈ 2n/2 evaluations

)9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

• The fun starts here! • More technical and often more involved • Typical approach: • Consider any transcript τ an adversary may see • Most τ's should be equally likely in both worlds • Odd ones should happen with very small probability

29 / 57 )9 recipe-msg7 Intuition: Analysis

f1(t) f2(t)

m Ek/P c

All constructions in this presentation: secure up to ≈ 2n/2 evaluations

29 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security

Nonce-Reuse

Conclusion

30 / 57 typically 128 bits much larger: 256-1600 bits

Tweakable Blockciphers Based on Masking

) 6 picEgen Blockcipher-Based)7 picPgen. pPermutation-Based.p

tweak-based mask tweak-based mask

mEk c mP c

31 / 57 Tweakable Blockciphers Based on Masking

) 6 picEgen Blockcipher-Based)7 picPgen. pPermutation-Based.p

tweak-based mask tweak-based mask

mEk c mP c

typically 128 bits much larger: 256-1600 bits

31 / 57 Original Constructions

• LRW1 and LRW2 by Liskov et al. [LRW02]: 14 LRWotherEk 13 LRWonetweak

t h(t)

m Ek Ek c mEk c

• h is XOR-universal hash • E.g., h(t) = h ⊗ t for n-bit key h

32 / 57 4 picTEM

2α3β7γ (k N P (k N)) · k ⊕ k

mP c

• Used in OCB2 and ±14 CAESAR candidates • Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])

Powering-Up Masking (XEX)

1 picXEX • XEX by Rogaway [Rog04]:

2α3β7γ E (N) · k

mEk c

• (α, β, γ, N) is tweak (simplied)

33 / 57 4 picTEM

2α3β7γ (k N P (k N)) · k ⊕ k

mP c

• Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])

Powering-Up Masking (XEX)

1 picXEX • XEX by Rogaway [Rog04]:

2α3β7γ E (N) · k

mEk c

• (α, β, γ, N) is tweak (simplied) • Used in OCB2 and ±14 CAESAR candidates

33 / 57 Powering-Up Masking (XEX)

1 picXEX •4XEX picTEMby Rogaway [Rog04]:

2α3β7γ E (N) 2α3β7γ (k N P (k N)) · k · k ⊕ k

mEk c mP c

• (α, β, γ, N) is tweak (simplied) • Used in OCB2 and ±14 CAESAR candidates • Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])

33 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 2 OCBgen

A A A M M M M 1 2 a ⊕ i 1 2 d

N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek

C1 C2 Cd T L = Ek(N)

34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 1 OCB2g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 7 OCB2-with-arrows-1g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 8 OCB2-with-arrows-2g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 9 OCB2-with-arrows-3g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

34 / 57 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

• Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

34 / 57 Intermezzo: Why Start at 2 · Ek(N)? 10 OCB2-with-arrows-4g

A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·

Ek Ek Ek Ek Ek Ek Ek

2L 22L 2dL

C1 C2 Cd T L = Ek(N)

• Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms

35 / 57 • Distinguisher can make inverse queries

• Putting c = 0 gives m = N ⊕ Ek(N)

• Distinguisher knows N so learns subkey Ek(N)

Intermezzo: Why Start at 2 · Ek(N)?

1 picXEX-atk1 • Suppose we would mask with Ek(N):

Ek(N) PSfrag replacements

mEk c

36 / 57 • Putting c = 0 gives m = N ⊕ Ek(N)

• Distinguisher knows N so learns subkey Ek(N)

Intermezzo: Why Start at 2 · Ek(N)?

2 picXEX-atk2 • Suppose we would mask with Ek(N):

PSfrag replacements Ek(N)

m1 c Ek Ek−

• Distinguisher can make inverse queries

36 / 57 • Distinguisher knows N so learns subkey Ek(N)

Intermezzo: Why Start at 2 · Ek(N)?

Suppose we would mask with : PSfrag replacements3 picXEX-atk3 • Ek(N) m c Ek(N)

Ek N E (N)1 0 ⊕ k Ek−

• Distinguisher can make inverse queries

• Putting c = 0 gives m = N ⊕ Ek(N)

36 / 57 Intermezzo: Why Start at 2 · Ek(N)?

Suppose we would mask with : PSfrag replacements3 picXEX-atk3 • Ek(N) m c Ek(N)

Ek N E (N)1 0 ⊕ k Ek−

• Distinguisher can make inverse queries

• Putting c = 0 gives m = N ⊕ Ek(N)

• Distinguisher knows N so learns subkey Ek(N)

36 / 57 • Single XOR • Logarithmic amount of eld doublings (precomputed) • More ecient than powering-up [KR11]

Gray Code Masking

2 picGray • OCB1 and OCB3 use Gray Codes:

α (α 1) E (N) ⊕ ≫ · k

mEk c

• (α, N) is tweak • Updating: G(α) = G(α − 1) ⊕ 2ntz(α)

37 / 57 Gray Code Masking

2 picGray • OCB1 and OCB3 use Gray Codes:

α (α 1) E (N) ⊕ ≫ · k

mEk c

• (α, N) is tweak • Updating: G(α) = G(α − 1) ⊕ 2ntz(α) • Single XOR • Logarithmic amount of eld doublings (precomputed) • More ecient than powering-up [KR11]

37 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security

Nonce-Reuse

Conclusion

38 / 57 • Combines advantages of: • Powering-up masking • Word-based LFSRs • Simpler, constant-time (by default), more ecient

Masked Even-Mansour (MEM)

) 5 picMEM • MEM by Granger et al. [GJMN16]:

ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k

m P c

• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied)

39 / 57 • Simpler, constant-time (by default), more ecient

Masked Even-Mansour (MEM)

) 5 picMEM • MEM by Granger et al. [GJMN16]:

ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k

m P c

• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied) • Combines advantages of: • Powering-up masking • Word-based LFSRs

39 / 57 Masked Even-Mansour (MEM)

) 5 picMEM • MEM by Granger et al. [GJMN16]:

ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k

m P c

• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied) • Combines advantages of: • Powering-up masking • Word-based LFSRs • Simpler, constant-time (by default), more ecient

39 / 57 • Sample LFSRs (state size b as n words of w bits):

b w n ϕ

128 8 16 (x1, . . . , x15, (x0 ≪ 1) ⊕ (x9 1) ⊕ (x10 1)) 128 32 4 (x1, . . . , x3, (x0 ≪ 5) ⊕ x1 ⊕ (x1 13)) 128 64 2 (x1, (x0 ≪ 11) ⊕ x1 ⊕ (x1 13)) 256 64 4 (x1, . . . , x3, (x0 ≪ 3) ⊕ (x3 5)) 512 32 16 (x1, . . . , x15, (x0 ≪ 5) ⊕ (x3 7)) 512 64 8 (x1, . . . , x7, (x0 ≪ 29) ⊕ (x1 9)) 1024 64 16 (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13)) 1600 32 50 (x , . . . , x , (x 3) ⊕ (x 3)) . . . 1 49 . 0 ≪ 23 . . . .

• Work exceptionally well for ARX primitives

MEM: Design Considerations

• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR

40 / 57 • Work exceptionally well for ARX primitives

MEM: Design Considerations

• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR • Sample LFSRs (state size b as n words of w bits):

b w n ϕ

40 / 57 MEM: Design Considerations

• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR • Sample LFSRs (state size b as n words of w bits):

b w n ϕ

• Work exceptionally well for ARX primitives

40 / 57 64 128 256 512 1024

solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]

MEM: Uniqueness of Masking

• Intuitively, masking goes well as long as

γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0

for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms

41 / 57 solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]

MEM: Uniqueness of Masking

• Intuitively, masking goes well as long as

γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0

for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms

64 128 256 512 1024

41 / 57 |results implicitly{z used,} e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]

MEM: Uniqueness of Masking

• Intuitively, masking goes well as long as

γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0

for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms

64 128 256 512 1024

solved| {z by} Rogaway [Rog04]

41 / 57 | {z } solved by Granger et al. [GJMN16]

MEM: Uniqueness of Masking

• Intuitively, masking goes well as long as

γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0

for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms

64 128 256 512 1024

solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014)

41 / 57 MEM: Uniqueness of Masking

• Intuitively, masking goes well as long as

γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0

for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms

64 128 256 512 1024

solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]

41 / 57 PSfrag replacements

Application1 OPPg to AE: OPP

A A A M M M M 0 1 a–1 ⊕ i 0 1 d–1 0 1 a–1 2 d–1 0 1 d–1 ϕ (L) ϕ (L) ϕ (L) ϕ2 ϕ ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ◦ 1 ◦ ◦ ◦ ◦ P P P P P P P

0 1 a–1 2 d–1 0 1 d–1 ϕ (L) ϕ (L) ϕ (L) ϕ2 ϕ ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ◦ 1 ◦ ◦ ◦ ◦

C1 C2 Cd T L = P (Nkk) 2 ϕ1 = ϕ ⊕ id, ϕ2 = ϕ ⊕ ϕ ⊕ id

• Oset Public Permutation (OPP) • Generalization of OCB3: • Permutation-based • More ecient MEM masking • Security against nonce-respecting adversaries • 0.55 cpb with reduced-round BLAKE2b

42 / 57 Application to AE: MRO 2 MROg

A A M M A M T 0 T d–1 0 a–1 0 d–1 | |k| | k k 0 a–1 0 d–1 ϕ (L) ϕ (L) ϕ1 ϕ (L) ϕ1 ϕ (L) ϕ2(L) ϕ2(L) ◦ ◦ PP P PP P

0 a–1 0 d–1 ϕ (L) ϕ (L) ϕ1 ϕ (L) ϕ1 ϕ (L) ϕ2(L) M0 ϕ2(L) M ◦ ◦ ⊕ ⊕ d–1 2 ϕ1(L) C1 Cd P L = P (Nkk) 2 ϕ2(L) ϕ1 = ϕ ⊕ id, ϕ2 = ϕ ⊕ ϕ ⊕ id 1 T

• Misuse-Resistant OPP (MRO) • Fully nonce-misuse resistant version of OPP • 1.06 cpb with reduced-round BLAKE2b

43 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security

Nonce-Reuse

Conclusion

44 / 57 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure

• Security of XPX strongly depends on choice of T

XPX

4 XPX • XPX by Mennink [Men16]:

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set

45 / 57 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure

XPX

4 XPX • XPX by Mennink [Men16]:

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T

45 / 57 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure

XPX

4 XPX • XPX by Mennink [Men16]:

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure

45 / 57 3 Strong T −→ related-key secure

XPX

4 XPX • XPX by Mennink [Men16]:

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure 2 Normal T −→ single-key secure

45 / 57 XPX

4 XPX • XPX by Mennink [Men16]:

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure

45 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

4 XPX XPX: Weak Tweaks

t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22

mP c

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

=⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

1 XPX-stupid-1XPX: Weak Tweaks

0k 0P (k) 0k 0P (k) ⊕ ⊕

m P

(0, 0, 0, 0) ∈ T

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

2 XPX-stupid-2XPX: Weak Tweaks

0k 0P (k) 0k 0P (k) ⊕ ⊕

mP P (m)

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

3 XPX-stupid-3XPX: Weak Tweaks

1k 0P (k) 1k 1P (k) ⊕ ⊕

0 P k

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

4 XPX-stupid-4XPX: Weak Tweaks

1k 0P (k) 0k 2P (k) ⊕ ⊕

0P 3P (k)

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k)

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

Valid Tweak Sets • Technical denition to eliminate weak cases

4 XPX-stupid-4XPX: Weak Tweaks

1k 0P (k) 0k 2P (k) ⊕ ⊕

0P 3P (k)

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······

46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

4 XPX-stupid-4XPX: Weak Tweaks

1k 0P (k) 0k 2P (k) ⊕ ⊕

0P 3P (k)

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases

46 / 57 4 XPX-stupid-4XPX: Weak Tweaks

1k 0P (k) 0k 2P (k) ⊕ ⊕

0P 3P (k)

(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)

(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k

(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure

46 / 57 • Single-key STPRP secure (surprise?) • Generally, if |T | = 1, XPX is a normal blockcipher

XPX Covers Even-Mansour

4 XPX 1 EM

t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22

mP c −−→ mP c

for T = {(1, 0, 1, 0)}

47 / 57 • Generally, if |T | = 1, XPX is a normal blockcipher

XPX Covers Even-Mansour

4 XPX 1 EM

t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22

mP c −−→ mP c

for T = {(1, 0, 1, 0)}

• Single-key STPRP secure (surprise?)

47 / 57 XPX Covers Even-Mansour

4 XPX 1 EM

t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22

mP c −−→ mP c

for T = {(1, 0, 1, 0)}

• Single-key STPRP secure (surprise?) • Generally, if |T | = 1, XPX is a normal blockcipher

47 / 57 • Related-key STPRP secure (if 2α3β7γ 6= 1)

XPX Covers XEX With Even-Mansour

4 XPX 4 XEMXsimple0

t k t P (k) t k t P (k) (2α3β7γ 1)k 2α3β7γP (k) 11 ⊕ 12 21 ⊕ 22 ⊕ ⊕

mP c −−→ mP c

α β γ α β γ ( 2 3 7 ⊕ 1 , 2 3 7 , for T = (α, β, γ) ∈ {XEX-tweaks} (2 α3β7γ ⊕ 1 , 2α3β7γ )

• (α, β, γ) is in fact the real tweak

48 / 57 XPX Covers XEX With Even-Mansour

4 XPX 4 XEMXsimple0

t k t P (k) t k t P (k) (2α3β7γ 1)k 2α3β7γP (k) 11 ⊕ 12 21 ⊕ 22 ⊕ ⊕

mP c −−→ mP c

α β γ α β γ ( 2 3 7 ⊕ 1 , 2 3 7 , for T = (α, β, γ) ∈ {XEX-tweaks} (2 α3β7γ ⊕ 1 , 2α3β7γ )

• (α, β, γ) is in fact the real tweak • Related-key STPRP secure (if 2α3β7γ 6= 1)

48 / 57 • Prøst-COPA by Kavun et al. (2014): COPA based on XEX based on Even-Mansour

Application to AE: COPA and Prøst-COPA 1 COPA

A1 A2 Aa 1 Aa M1 M2 Md M1 Md − ⊕···⊕ 33L 2 33L 2a-233L 2a-134L 3L 2 3L 2d-13L 2d-132L · ·

Ek Ek Ek Ek Ek Ek Ek L

Ek Ek Ek Ek

L = Ek(0) 2L 22L 2dL 2d-17L

C1 C2 Cd T

• By Andreeva et al. (2014) • Implicitly based on XEX based on AES

49 / 57 Application to AE: COPA and Prøst-COPA 1 COPA

A1 A2 Aa 1 Aa M1 M2 Md M1 Md − ⊕···⊕ 33L 2 33L 2a-233L 2a-134L 3L 2 3L 2d-13L 2d-132L · ·

Ek Ek Ek Ek Ek Ek Ek L

Ek Ek Ek Ek

L = Ek(0) 2L 22L 2dL 2d-17L

C1 C2 Cd T

• By Andreeva et al. (2014) • Implicitly based on XEX based on AES

• Prøst-COPA by Kavun et al. (2014): COPA based on XEX based on Even-Mansour

49 / 57 Ω 1 .. −−−−→ P rk

2 O σ 2n .. −−−−→ P sk

Related-Key Security of • Existing proof generalizes

2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk

σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of COPA

2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E sk sk

50 / 57 Ω 1 .. −−−−→ P rk

σ2 O 2n −−−−→ sk

Related-Key Security of • Existing proof generalizes

2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk

σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 O σ O σ .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E P sk sk

50 / 57 Ω 1 .. −−−−→ P rk

Related-Key Security of • Existing proof generalizes

2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk

σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk

50 / 57 Ω 1 .. −−−−→ P rk

σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk

Related-Key Security of COPA • Existing proof generalizes

2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk

50 / 57 Ω 1 −−−−→ rk

σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk

Related-Key Security of Prøst-COPA • Existing proof generalizes

2 2 O σ O σ .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E P rk rk

50 / 57 σ2 O 2n rk

Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk

Related-Key Security of Prøst-COPA • Existing proof generalizes

2 2 O σ O σ Ω 1 .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E −−−−→ P rk rk rk

50 / 57 Application to AE: COPA and Prøst-COPA

Single-Key Security of Prøst-COPA

2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk

Related-Key Security of Prøst-COPA • Existing proof generalizes

2 2 O σ O σ Ω 1 .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E −−−−→ P rk rk rk

σ2 O 2n rk

50 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking

Nonce-Reuse

Conclusion

51 / 57 • Sometimes, attacker can use same nonce multiple times

• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ...

Guaranteeing Uniqueness of Nonce

counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−

52 / 57 • Sometimes, attacker can use same nonce multiple times

Guaranteeing Uniqueness of Nonce

counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−

• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ...

52 / 57 Guaranteeing Uniqueness of Nonce

counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−

• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ... • Sometimes, attacker can use same nonce multiple times

52 / 57 Nonce-Reuse in Practice

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Böck et al., USENIX WOOT 2016

• GCM is widely used authenticated encryption scheme • Used in TLS (https)

• Internet-wide scan for GCM implementations • 184 devices with duplicated nonces • VISA, Polish bank, German stock exchange, . . . • ≈ 70.000 devices with random nonce

53 / 57 Resistance Against Nonce-Reuse

Intuition • All input should be cryptographically transformed • Any change in (N, A, M) −→ unpredictable (C,T ) • Often comes at a price: • Eciency • Security • Parallelizability • ...

54 / 57 Back to GCM-SIV

1 GCMSIV

N T +0 T +1 T +(m 1) PSfrag replacements −

Ek KeyGen EK EK EK

C1 C2 Cm ENC (K, L) KEY M1 M2 Mm

A GHASHL

EK MAC

55 / 57 Outline

Generic Composition

Link With Tweakable Blockciphers

Tweakable Blockciphers Based on Masking

Nonce-Reuse

Conclusion

56 / 57 Tweakable Blockciphers • Allow for modular and compact proofs • Birthday-bound secure TBCs: simple and ecient • Security beyond the birthday bound?

Thank you for your attention!

Conclusion

Authenticated Encryption • Nonce-based AE: currently the norm • CCM, GCM, OCB3, . . . • Nonce-reuse comes at eciency penalty • GCM-SIV, MRO, AEZ, . . . • CAESAR competition

57 / 57 Conclusion

Authenticated Encryption • Nonce-based AE: currently the norm • CCM, GCM, OCB3, . . . • Nonce-reuse comes at eciency penalty • GCM-SIV, MRO, AEZ, . . . • CAESAR competition

Tweakable Blockciphers • Allow for modular and compact proofs • Birthday-bound secure TBCs: simple and ecient • Security beyond the birthday bound?

Thank you for your attention!

57 / 57 SUPPORTING SLIDES

58 / 57 Detailed Picture of GCM

n 1 n + 1 1 n + 2 0

Ek Ek Ek Ek

m0 m1 H

c0 c1

ad ⊗H ⊗H ⊗H ⊗H t

len(ad)klen(c)

59 / 57 Detailed Picture of GCM-SIV

x ad ⊗k1 ⊗k1 ⊗k1 ⊗k1 0 Ek2 t

m0 m1 len(ad)klen(m) n

c0 c1 1 2 3

Ek2 Ek2 Ek Ek Ek Ek

xy xy xy xy x1 x1 k k t 1

k1 k2

60 / 57 = GCM-SIV Deoxys MRO4 MRO6 - - 8.07 11.32 - ≈ 2.58 2.41 3.58 1.17 ≈ 1.92 1.06 1.39

• Main implementation results:

nonce-respecting misuse-resistant

6= Platform AES-GCM OCB3 Deoxys OPP4 OPP6 Cortex-A8 38.6 28.9 - 4.26 5.91 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 Haswell 1.03 0.69 0.96 0.55 0.75

MEM: Implementation

• State size b = 1024 • LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• P : BLAKE2b permutation with 4 or 6 rounds

61 / 57 = GCM-SIV Deoxys MRO4 MRO6 - - 8.07 11.32 - ≈ 2.58 2.41 3.58 1.17 ≈ 1.92 1.06 1.39

MEM: Implementation

• State size b = 1024 • LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• P : BLAKE2b permutation with 4 or 6 rounds

• Main implementation results:

nonce-respecting misuse-resistant

6= Platform AES-GCM OCB3 Deoxys OPP4 OPP6 Cortex-A8 38.6 28.9 - 4.26 5.91 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 Haswell 1.03 0.69 0.96 0.55 0.75

61 / 57 MEM: Implementation

• State size b = 1024 • LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• P : BLAKE2b permutation with 4 or 6 rounds

• Main implementation results:

nonce-respecting misuse-resistant

6= = Platform AES-GCM OCB3 Deoxys OPP4 OPP6 GCM-SIV Deoxys MRO4 MRO6 Cortex-A8 38.6 28.9 - 4.26 5.91 - - 8.07 11.32 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 - ≈ 2.58 2.41 3.58 Haswell 1.03 0.69 0.96 0.55 0.75 1.17 ≈ 1.92 1.06 1.39

61 / 57 x16 x17 x18 x19

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

• Begin with state Li = [x0, . . . , x15] of 64-bit words

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

62 / 57 x16 x17 x18 x19

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15

62 / 57 x17 x18 x19

• x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16

• x16 = (x0 ≪ 53) ⊕ (x5 13)

62 / 57 x18 x19

• x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13)

62 / 57 x19

• x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13)

62 / 57 • Parallelizable (AVX2) and word-sliceable

MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13)

62 / 57 MEM: Parallelizability

• LFSR on 16 words of 64 bits:

ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))

• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19

• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable

62 / 57 XPX: Single-Key Security

(Strong) Tweakable PRP real world ideal world

( ) IC ( ) XPXk± P ± π ± P ±

distinguisher D

• Information-theoretic indistinguishability ideal tweakable permutation • πe • P ideal permutation • k secret key

q2 + qr T is valid =⇒ XPX is (S)TPRP up to O 2n

63 / 57

1 XPX: Related-Key Security

Related-Key (Strong) Tweakable PRP real world ideal world

( ) ( ) ± IC XPXϕ(k) P ± rkπ ± P ±

distinguisher D

• Information-theoretic indistinguishability • rkfπ ideal tweakable related-key permutation • P ideal permutation • k secret key

• D restricted to some set of key-deriving functions Φ

64 / 57

1 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕

• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕

• Note: maskings in XPX are ti1k ⊕ ti2P (k)

Results

if T is valid, and for all tweaks: security Φ

t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕

XPX: Related-Key Security

Key-Deriving Functions

• Φ⊕: all functions k 7→ k ⊕ δ

65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕

• Note: maskings in XPX are ti1k ⊕ ti2P (k)

Results

if T is valid, and for all tweaks: security Φ

t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕

XPX: Related-Key Security

Key-Deriving Functions

• Φ⊕: all functions k 7→ k ⊕ δ

• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕

65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕

Results

if T is valid, and for all tweaks: security Φ

t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕

XPX: Related-Key Security

Key-Deriving Functions

• Φ⊕: all functions k 7→ k ⊕ δ

• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕

• Note: maskings in XPX are ti1k ⊕ ti2P (k)

65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕

XPX: Related-Key Security

Key-Deriving Functions

• Φ⊕: all functions k 7→ k ⊕ δ

• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕

• Note: maskings in XPX are ti1k ⊕ ti2P (k)

Results

if T is valid, and for all tweaks: security Φ

t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕

65 / 57 XPX: Related-Key Security

Key-Deriving Functions

• Φ⊕: all functions k 7→ k ⊕ δ

• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕

• Note: maskings in XPX are ti1k ⊕ ti2P (k)

Results

if T is valid, and for all tweaks: security Φ

t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕

t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕

65 / 57 - h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )

prob. ratio for good transcripts

• Trade-o: dene bad transcripts smartly!

XPX: Security Proof Techniques

Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts

66 / 57 • Trade-o: dene bad transcripts smartly!

XPX: Security Proof Techniques

Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts

- h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )

prob. ratio for good transcripts

66 / 57 XPX: Security Proof Techniques

Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts

- h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )

prob. ratio for good transcripts

• Trade-o: dene bad transcripts smartly!

66 / 57 XPX: Security Proof Techniques

Before the Interaction • Reveal dedicated oracle queries

After the Interaction • Reveal key information • Single-key: k and P (k) • Φ⊕-related-key: k and P (k ⊕ δ) −1 • ΦP ⊕-related-key: k and P (k ⊕ δ) and P (P (k) ⊕ ε)

Bounding the Advantage • Smart denition of bad transcripts

67 / 57 σ2 O 2n −−−−→ rk

• Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}

2 O σ .. 2n .. .. Minalph. −−−−→ XPX P rk

XPX: Application to AE: Minalpher

1 Minalpher

A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

P P P P P P P

2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L

L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L

22d-13L

• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T

68 / 57 σ2 O 2n −−−−→ rk

2 O σ .. 2n .. .. Minalph. −−−−→ XPX P rk

XPX: Application to AE: Minalpher

1 Minalpher

A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

P P P P P P P

2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L

L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L

22d-13L

• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T • Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}

68 / 57 XPX: Application to AE: Minalpher

1 Minalpher

A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

P P P P P P P

2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L

C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L

L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L

22d-13L

• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T • Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}

2 2 O σ O σ .. 2n .. 2n .. Minalph. −−−−→ XPX −−−−→ P rk rk

68 / 57