Security of Authenticated Encryption Modes
Bart Mennink Radboud University (The Netherlands)
COST Training School on Symmetric Cryptography and Blockchain
February 22, 2018
1 / 57 −−−−−→ ←−−−−−
Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data
Authenticated Encryption
A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ B
2 / 57 Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data
Authenticated Encryption
A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B
2 / 57 Authentication • No outsider can manipulate data
Authenticated Encryption
A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B
Encryption • No outsider can learn anything about data
2 / 57 Authenticated Encryption
A ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−→−−−−−→ ←−−−−− B
Encryption • No outsider can learn anything about data Authentication • No outsider can manipulate data
2 / 57 CAESAR Competition
3 / 57 CAESAR Competition
Competition for Authenticated Encryption: Security, Applicability, and Robustness
Goal: portfolio of authenticated encryption schemes
Mar 15, 2014: 57 rst round candidates Jul 7, 2015: 29.5 second round candidates Aug 15, 2016: 16 third round candidates ??: announcement of nalists ??: announcement of nal portfolio
4 / 57 • Nonce N randomizes the scheme
Authenticated Encryption 4 AE
k
A, M AE C, T
N
• Ciphertext C encryption of message M • Tag T authenticates associated data A and message M
5 / 57 Authenticated Encryption 4 AE
k
A, M AE C, T
N
• Ciphertext C encryption of message M • Tag T authenticates associated data A and message M • Nonce N randomizes the scheme
5 / 57 • Correctness: ADk(N, A, AE k(N, A, M)) = M
PSfrag replacements m t c E k E t Authenticated Decryption A, M5 AD Ne C, T AE k k
M if T correct A, C, T AD otherwise (⊥ N
• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect
6 / 57 • Correctness: ADk(N, A, AE k(N, A, M)) = M
PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k
M if T correct A, C, T AD otherwise (⊥ N
• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect
6 / 57 PSfrag replacements m t c E k E t A, M Ne C, T AE k A, C, T N Authenticated Decryption M if T correct 6 AD2 otherwise (⊥ AD k k
M if T correct A, C, T AD otherwise (⊥ N
• Authenticated decryption needs to satisfy that • Message disclosed if tag is correct • Message is not leaked if tag is incorrect
• Correctness: ADk(N, A, AE k(N, A, M)) = M
6 / 57 • Distinguisher D has query access to one of these → unique nonce for each encryption query • D tries to determine which oracle it communicates with
h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1
Authenticated Encryption Security 6 indistsimpleAE
AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥
distinguisher D
• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥)
7 / 57 • D tries to determine which oracle it communicates with
h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1
Authenticated Encryption Security 6 indistsimpleAE
AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥
distinguisher D
• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥) • Distinguisher D has query access to one of these → unique nonce for each encryption query
7 / 57 h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1
Authenticated Encryption Security 6 indistsimpleAE
AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥
distinguisher D
• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥) • Distinguisher D has query access to one of these → unique nonce for each encryption query • D tries to determine which oracle it communicates with
7 / 57 Authenticated Encryption Security 6 indistsimpleAE
AE k, AD k IC $, AE scheme random cipher,⊥ function ⊥
distinguisher D
• Two oracles: (AE k, ADk) (for secret key k) and ($, ⊥) • Distinguisher D has query access to one of these → unique nonce for each encryption query • D tries to determine which oracle it communicates with
h i ae AE k,ADk $,⊥ AdvAE (D) = Pr D = 1 − Pr D = 1
7 / 57 100% Security is Impractical
8 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
9 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
10 / 57 • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack
• Bellare and Namprempre (2000): 3 basic approaches
1 E&M MtE EtM m m m
PSfrag replacements Enck MACl MACl Enck Enck MACl
c t t c c t • Used in SSH • Used in TLS • Used in IPSec
Generic Composition
• Generic constructions for AE: • Enc + MAC = AE
11 / 57 • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack
Generic Composition
• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches
1 E&M MtE EtM m m m
PSfrag replacements Enck MACl MACl Enck Enck MACl
c t t c c t • Used in SSH • Used in TLS • Used in IPSec
11 / 57 • Mildly insecure • Most secure variant • Padding oracle • Ciphertext integrity attack
Generic Composition
• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches
1 E&M MtE EtM m m m
PSfrag replacements Enck MACl MACl Enck Enck MACl
c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure
• MACL(m) = mkt
11 / 57 • Most secure variant • Ciphertext integrity
Generic Composition
• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches
1 E&M MtE EtM m m m
PSfrag replacements Enck MACl MACl Enck Enck MACl
c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure MAC • L(m) = mkt • Padding oracle attack
11 / 57 Generic Composition
• Generic constructions for AE: • Enc + MAC = AE • Bellare and Namprempre (2000): 3 basic approaches
1 E&M MtE EtM m m m
PSfrag replacements Enck MACl MACl Enck Enck MACl
c t t c c t • Used in SSH • Used in TLS • Used in IPSec • Generically insecure • Mildly insecure • Most secure variant MAC • L(m) = mkt • Padding oracle • Ciphertext integrity attack
11 / 57 • Parallelizable • Evaluates E only (no E−1) • Provably secure (if E is PRP) • Very ecient in HW • Reasonably ecient in SW
What happens if nonce is re-used?
GCM for 96-bit nonce N
1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC
C1 C2 Cm
A GHASHL
MAC
T
12 / 57 What happens if nonce is re-used?
GCM for 96-bit nonce N
1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC • Parallelizable C1 C2 Cm • Evaluates E only (no E−1) Provably secure A GHASHL • (if E is PRP) MAC • Very ecient in HW T • Reasonably ecient in SW
12 / 57 GCM for 96-bit nonce N
1 GCM • McGrew and Viega (2004) N 1 N 2 N 3 N (m + 1) k k k k • EtM design • Widely used (TLS!) EK EK EK EK • Patent-free M1 M2 Mm ENC • Parallelizable C1 C2 Cm • Evaluates E only (no E−1) Provably secure A GHASHL • (if E is PRP) MAC • Very ecient in HW T • Reasonably ecient in SW
What happens if nonce is re-used?
12 / 57 • Inherits GCM features • Secure against nonce-reuse • Proof: Iwata and Seurin (2017)
GCM-SIV
1 GCMSIV
N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015)
Ek KeyGen EK EK EK • MtE design
C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free
A GHASHL
N
EK MAC
T
13 / 57 GCM-SIV
1 GCMSIV
N T +0 T +1 T +(m 1) PSfrag replacements − • Gueron and Lindell (2015)
Ek KeyGen EK EK EK • MtE design
C1 C2 Cm ENC • Ongoing standardization (K, L) KEY (IETF RFC) M1 M2 Mm • Patent-free
A GHASHL • Inherits GCM features
N • Secure against nonce-reuse • Proof: Iwata and Seurin EK MAC (2017)
T
13 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
14 / 57 • Tweak: exibility to the cipher • Each tweak gives dierent permutation
Tweakable Blockciphers 1 cipher
k
m E c
15 / 57 Tweakable Blockciphers 2 ciphertweakable
k
m E c
t e
• Tweak: exibility to the cipher • Each tweak gives dierent permutation
15 / 57 • D tries to determine which oracle it communicates with
stprp h E ,E−1 i h π,π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee
Tweakable Blockcipher Security
1 indistsimpletE
Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e
distinguisher D
• Eek should look like random permutation for every t • Dierent tweaks −→ pseudo-independent permutations
16 / 57 Tweakable Blockcipher Security
1 indistsimpletE
Ek IC π PSfrag replacements tweakable blockcipher random tweakable permutation e e
distinguisher D
• Eek should look like random permutation for every t • Dierent tweaks −→ pseudo-independent permutations • D tries to determine which oracle it communicates with
stprp h E ,E−1 i h π,π−1 i Adv (D) = Pr D ek ek = 1 − Pr De e = 1 Ee
16 / 57 in CAESAR
KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR
rst round, second round, third round
Tweakable Blockcipher Designs
3 ciphertweakable-black
1 tEE 2 tEP
k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based
17 / 57 Tweakable Blockcipher Designs in CAESAR
3 ciphertweakable-black
1 tEE 2 tEP
k E E m E c E P t e e e Dedicated Blockcipher-Based Permutation-Based
KIASU, CBA, COBRA, iFeed, Prøst, Joltik, Marble, OMD, POET, Minalpher SCREAM, SHELL, AEZ, COPA/ Deoxys ELmD, OCB, OTR
rst round, second round, third round 17 / 57 • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak • Triangle inequality:
ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee
Example2 OCBgen Use in OCBx (1/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek
C1 C2 Cd T
• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11]
18 / 57 • Triangle inequality:
ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee
Example3 OCBgenalert Use in OCBx (1/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek
C1 C2 Cd T
• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak
18 / 57 • Triangle inequality:
≤ Advae (σ) + Advstprp(σ) AE[πe] Ee
Example3 OCBgenalert Use in OCBx (1/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek
C1 C2 Cd T
• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak
Advae (σ) AE[Eek]
18 / 57 + Advstprp(σ) Ee
Example4 OCBgenalertpi Use in OCBx (1/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak • Triangle inequality:
ae ae Adv (σ) ≤ AdvAE[π](σ) AE[Eek] e
18 / 57 Example4 OCBgenalertpi Use in OCBx (1/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11] • Internally based on tweakable blockcipher Ee • Tweak (N, tweak) is unique for every evaluation • Dierent blocks always transformed under dierent tweak • Triangle inequality:
ae ae stprp Adv (σ) ≤ AdvAE[π](σ) + Adv (σ) AE[Eek] e Ee
18 / 57 • Tag forged with probability at most 1/(2n − 1)
design tweakableTo do: blockcipher
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function
Advae (σ) ≤ 1/(2n − 1) AE[πe]
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
19 / 57 • Tag forged with probability at most 1/(2n − 1)
design tweakableTo do: blockcipher
Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function
Advae (σ) ≤ 1/(2n − 1) AE[πe]
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness
19 / 57 • Tag forged with probability at most 1/(2n − 1)
design tweakableTo do: blockcipher
• Authentication behaves like random function
Advae (σ) ≤ 1/(2n − 1) AE[πe]
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $
19 / 57 design tweakableTo do: blockcipher
• Tag forged with probability at most 1/(2n − 1)
Advae (σ) ≤ 1/(2n − 1) AE[πe]
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function
19 / 57 design tweakableTo do: blockcipher
Advae (σ) ≤ 1/(2n − 1) AE[πe]
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function • Tag forged with probability at most 1/(2n − 1)
19 / 57 design tweakableTo do: blockcipher
Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
C1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function • Tag forged with probability at most 1/(2n − 1)
Advae (σ) ≤ 1/(2n − 1) AE[πe]
19 / 57 Example4 OCBgenalertpi Use in OCBx (2/2)
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,tA1 N,tA2 N,tAa M N,tM1 N,tM2 N,tMd π˜ π˜ π˜ π˜ ⊕ π˜ π˜ π˜
design tweakableTo do: blockcipherC1 C2 Cd T
• Nonce uniqueness ⇒ tweak uniqueness Encryption calls behave like random functions: • AE[πe] = $ • Authentication behaves like random function • Tag forged with probability at most 1/(2n − 1)
Advae (σ) ≤ 1/(2n − 1) AE[πe]
19 / 57 Dedicated Tweakable Blockciphers
• Hasty Pudding Cipher [Sch98] • AES submission, rst tweakable cipher
• Mercy [Cro01] • Disk encryption
• Threesh [FLS+07] • SHA-3 submission Skein
• TWEAKEY framework [JNP14] • Four CAESAR submissions • SKINNY & MANTIS
20 / 57 • Security measured through cryptanalysis • Our focus: modular design
TWEAKEY Framework
1 tweakey• TWEAKEY by Jean et al. [JNP14]:
(k, t) h h h ······ g g g g
m f f f c ······
• f: round function • g: subkey computation • h: transformation of (k, t)
21 / 57 TWEAKEY Framework
1 tweakey• TWEAKEY by Jean et al. [JNP14]:
(k, t) h h h ······ g g g g
m f f f c ······
• f: round function • g: subkey computation • h: transformation of (k, t)
• Security measured through cryptanalysis • Our focus: modular design
21 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security
Nonce-Reuse
Conclusion
22 / 57 ←−−− ←−−− blend it with the key blend it with the state
ts1 recipe-emptyIntuition: Design
k t ?
mE c
• Consider a blockcipher E with κ-bit key and n-bit state
How to mingle the tweak into the evaluation?
23 / 57 ts1 recipe-emptyIntuition: Design
k t ?
mE c
• Consider a blockcipher E with κ-bit key and n-bit state
How to mingle the tweak into the evaluation?
←−−− ←−−− blend it with the key blend it with the state
23 / 57 • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour • TWEAKEY blending [JNP14] is more advanced
2 recipe-keyIntuition: Design
k t
mE c
• Blending tweak and key works. . . • . . . but: careful with related-key attacks!
24 / 57 • TWEAKEY blending [JNP14] is more advanced
2 recipe-keyIntuition: Design
k t
mE c
• Blending tweak and key works. . . • . . . but: careful with related-key attacks! • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour
24 / 57 2 recipe-keyIntuition: Design
k t
mE c
• Blending tweak and key works. . . • . . . but: careful with related-key attacks! • For ⊕-mixing, key can be recovered in 2κ/2 evaluations • Scheme is insecure if E is Even-Mansour • TWEAKEY blending [JNP14] is more advanced
24 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek
3 recipe-msg1Intuition: Design
k t
mE c
• Simple blending of tweak and state does not work
25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary
• Some secrecy required: h Still does not work if adversary has access to −1 • Eek
3 recipe-msg1Intuition: Design
k t
mE c
• Simple blending of tweak and state does not work
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C)
25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary
Still does not work if adversary has access to −1 • Eek
Intuition: Design t4 recipe-msg2
k h t ⊗
mE c
• Simple blending of tweak and state does not work
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h
25 / 57 −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary
Intuition: Design t4 recipe-msg2
k h t ⊗
mE c
• Simple blending of tweak and state does not work
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek
25 / 57 • Two-sided masking necessary
Intuition: Design t4 recipe-msg2
k h t ⊗
mE c
• Simple blending of tweak and state does not work
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C
25 / 57 5 recipe-msg3Intuition: Design
k h t h t ⊗ ⊗
mE c
• Simple blending of tweak and state does not work
• Eek(t, m) = Eek(t ⊕ C, m ⊕ C) • Some secrecy required: h Still does not work if adversary has access to −1 • Eek −1 −1 • Eek (t, c) ⊕ Eek (t ⊕ C, c) = h ⊗ C • Two-sided masking necessary
25 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle
• Generalizing masking? Depends on function f
• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem
5 recipe-msg3Intuition: Design
k h t h t ⊗ ⊗
mE c
• Two-sided secret masking seems to work • Can we generalize?
26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle
• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem
6 recipe-msg4Intuition: Design
k f(t) f(t)
m E c
• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f
26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle
• Releasing secrecy in E? Usually no problem
7 recipe-msg5Intuition: Design
k
f1(t) f2(t)
mE c
• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f
• Variation in masking? Depends on functions f1, f2
26 / 57 Majority of tweakable blockciphers follow mask- E k /P -mask principle
8 recipe-msg6Intuition: Design
f1(t) f2(t)
mP c
• Two-sided secret masking seems to work • Can we generalize? • Generalizing masking? Depends on function f
• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem
26 / 57 8 recipe-msg6Intuition: Design
f1(t) f2(t) Majority of tweakable blockciphers follow mask-mP c E • Two-sided secret maskingk /P seems-mask to work principle • Can we generalize? • Generalizing masking? Depends on function f
• Variation in masking? Depends on functions f1, f2 • Releasing secrecy in E? Usually no problem
26 / 57 • Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek
27 / 57 • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek
• Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks
27 / 57 )9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• Eek should look like random permutation for every t • Consider adversary D that makes q evaluations of Eek
• Step 1: • How many evaluations does D need at most? Step 1: • Boils down to nding generic attacks • Step 2: • How many evaluations does D need at least? Step 2: • Boils down to provable security
27 / 57 • For any two queries (t, m, c), (t0, m0, c0):
0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )
• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0
Scheme can be broken in ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
28 / 57 • Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0
Scheme can be broken in ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• For any two queries (t, m, c), (t0, m0, c0):
0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )
28 / 57 • Implication still holds with dierence C xored to m, m0
Scheme can be broken in ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• For any two queries (t, m, c), (t0, m0, c0):
0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )
• Unlikely to happen for random family of permutations
28 / 57 Scheme can be broken in ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• For any two queries (t, m, c), (t0, m0, c0):
0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )
• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0
28 / 57 )9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• For any two queries (t, m, c), (t0, m0, c0):
0 0 0 0 m ⊕ f1(t) = m ⊕ f1(t ) =⇒ c ⊕ f2(t) = c ⊕ f2(t )
• Unlikely to happen for random family of permutations • Implication still holds with dierence C xored to m, m0
Scheme can be broken in ≈ 2n/2 evaluations
28 / 57 • Typical approach: • Consider any transcript τ an adversary may see • Most τ's should be equally likely in both worlds • Odd ones should happen with very small probability
All constructions in this presentation: secure up to ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• The fun starts here! • More technical and often more involved
29 / 57 All constructions in this presentation: secure up to ≈ 2n/2 evaluations
)9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• The fun starts here! • More technical and often more involved • Typical approach: • Consider any transcript τ an adversary may see • Most τ's should be equally likely in both worlds • Odd ones should happen with very small probability
29 / 57 )9 recipe-msg7 Intuition: Analysis
f1(t) f2(t)
m Ek/P c
• The fun starts here! • More technical and often more involved • Typical approach: • Consider any transcript τ an adversary may see • Most τ's should be equally likely in both worlds • Odd ones should happen with very small probability
All constructions in this presentation: secure up to ≈ 2n/2 evaluations
29 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security
Nonce-Reuse
Conclusion
30 / 57 typically 128 bits much larger: 256-1600 bits
Tweakable Blockciphers Based on Masking
) 6 picEgen Blockcipher-Based)7 picPgen. pPermutation-Based.p
tweak-based mask tweak-based mask
mEk c mP c
31 / 57 Tweakable Blockciphers Based on Masking
) 6 picEgen Blockcipher-Based)7 picPgen. pPermutation-Based.p
tweak-based mask tweak-based mask
mEk c mP c
typically 128 bits much larger: 256-1600 bits
31 / 57 Original Constructions
• LRW1 and LRW2 by Liskov et al. [LRW02]: 14 LRWotherEk 13 LRWonetweak
t h(t)
m Ek Ek c mEk c
• h is XOR-universal hash • E.g., h(t) = h ⊗ t for n-bit key h
32 / 57 4 picTEM
2α3β7γ (k N P (k N)) · k ⊕ k
mP c
• Used in OCB2 and ±14 CAESAR candidates • Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])
Powering-Up Masking (XEX)
1 picXEX • XEX by Rogaway [Rog04]:
2α3β7γ E (N) · k
mEk c
• (α, β, γ, N) is tweak (simplied)
33 / 57 4 picTEM
2α3β7γ (k N P (k N)) · k ⊕ k
mP c
• Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])
Powering-Up Masking (XEX)
1 picXEX • XEX by Rogaway [Rog04]:
2α3β7γ E (N) · k
mEk c
• (α, β, γ, N) is tweak (simplied) • Used in OCB2 and ±14 CAESAR candidates
33 / 57 Powering-Up Masking (XEX)
1 picXEX •4XEX picTEMby Rogaway [Rog04]:
2α3β7γ E (N) 2α3β7γ (k N P (k N)) · k · k ⊕ k
mEk c mP c
• (α, β, γ, N) is tweak (simplied) • Used in OCB2 and ±14 CAESAR candidates • Permutation-based variants in Minalpher and Prøst (generalized by Cogliati et al. [CLS15])
33 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 2 OCBgen
A A A M M M M 1 2 a ⊕ i 1 2 d
N,t N,t N,t N,t N,t N,t ˜ A1 ˜ A2 ˜N,tAa ˜ M ˜ M1 ˜ M2 ˜ Md Ek Ek Ek Ek ⊕ Ek Ek Ek
C1 C2 Cd T L = Ek(N)
34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 1 OCB2g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 7 OCB2-with-arrows-1g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 8 OCB2-with-arrows-2g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 9 OCB2-with-arrows-3g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
34 / 57 • Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
34 / 57 Powering-Up Masking in OCB2 10 OCB2-with-arrows-4g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
• Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
34 / 57 Intermezzo: Why Start at 2 · Ek(N)? 10 OCB2-with-arrows-4g
A A A M M M M 1 2 a ⊕ i 1 2 d 2 32L 2232L 2a32L 2d3L 2L 22L 2dL ·
Ek Ek Ek Ek Ek Ek Ek
2L 22L 2dL
C1 C2 Cd T L = Ek(N)
• Update of mask: • Shift and conditional XOR • Variable time computation • Expensive on certain platforms
35 / 57 • Distinguisher can make inverse queries
• Putting c = 0 gives m = N ⊕ Ek(N)
• Distinguisher knows N so learns subkey Ek(N)
Intermezzo: Why Start at 2 · Ek(N)?
1 picXEX-atk1 • Suppose we would mask with Ek(N):
Ek(N) PSfrag replacements
mEk c
36 / 57 • Putting c = 0 gives m = N ⊕ Ek(N)
• Distinguisher knows N so learns subkey Ek(N)
Intermezzo: Why Start at 2 · Ek(N)?
2 picXEX-atk2 • Suppose we would mask with Ek(N):
PSfrag replacements Ek(N)
m1 c Ek Ek−
• Distinguisher can make inverse queries
36 / 57 • Distinguisher knows N so learns subkey Ek(N)
Intermezzo: Why Start at 2 · Ek(N)?
Suppose we would mask with : PSfrag replacements3 picXEX-atk3 • Ek(N) m c Ek(N)
Ek N E (N)1 0 ⊕ k Ek−
• Distinguisher can make inverse queries
• Putting c = 0 gives m = N ⊕ Ek(N)
36 / 57 Intermezzo: Why Start at 2 · Ek(N)?
Suppose we would mask with : PSfrag replacements3 picXEX-atk3 • Ek(N) m c Ek(N)
Ek N E (N)1 0 ⊕ k Ek−
• Distinguisher can make inverse queries
• Putting c = 0 gives m = N ⊕ Ek(N)
• Distinguisher knows N so learns subkey Ek(N)
36 / 57 • Single XOR • Logarithmic amount of eld doublings (precomputed) • More ecient than powering-up [KR11]
Gray Code Masking
2 picGray • OCB1 and OCB3 use Gray Codes:
α (α 1) E (N) ⊕ ≫ · k
mEk c
• (α, N) is tweak • Updating: G(α) = G(α − 1) ⊕ 2ntz(α)
37 / 57 Gray Code Masking
2 picGray • OCB1 and OCB3 use Gray Codes:
α (α 1) E (N) ⊕ ≫ · k
mEk c
• (α, N) is tweak • Updating: G(α) = G(α − 1) ⊕ 2ntz(α) • Single XOR • Logarithmic amount of eld doublings (precomputed) • More ecient than powering-up [KR11]
37 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security
Nonce-Reuse
Conclusion
38 / 57 • Combines advantages of: • Powering-up masking • Word-based LFSRs • Simpler, constant-time (by default), more ecient
Masked Even-Mansour (MEM)
) 5 picMEM • MEM by Granger et al. [GJMN16]:
ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k
m P c
• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied)
39 / 57 • Simpler, constant-time (by default), more ecient
Masked Even-Mansour (MEM)
) 5 picMEM • MEM by Granger et al. [GJMN16]:
ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k
m P c
• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied) • Combines advantages of: • Powering-up masking • Word-based LFSRs
39 / 57 Masked Even-Mansour (MEM)
) 5 picMEM • MEM by Granger et al. [GJMN16]:
ϕγ ϕβ ϕα P (N k) 2 ◦ 1 ◦ 0 ◦ k
m P c
• ϕi are xed LFSRs, (α, β, γ, N) is tweak (simplied) • Combines advantages of: • Powering-up masking • Word-based LFSRs • Simpler, constant-time (by default), more ecient
39 / 57 • Sample LFSRs (state size b as n words of w bits):
b w n ϕ
128 8 16 (x1, . . . , x15, (x0 ≪ 1) ⊕ (x9 1) ⊕ (x10 1)) 128 32 4 (x1, . . . , x3, (x0 ≪ 5) ⊕ x1 ⊕ (x1 13)) 128 64 2 (x1, (x0 ≪ 11) ⊕ x1 ⊕ (x1 13)) 256 64 4 (x1, . . . , x3, (x0 ≪ 3) ⊕ (x3 5)) 512 32 16 (x1, . . . , x15, (x0 ≪ 5) ⊕ (x3 7)) 512 64 8 (x1, . . . , x7, (x0 ≪ 29) ⊕ (x1 9)) 1024 64 16 (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13)) 1600 32 50 (x , . . . , x , (x 3) ⊕ (x 3)) . . . 1 49 . 0 ≪ 23 . . . .
• Work exceptionally well for ARX primitives
MEM: Design Considerations
• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR
40 / 57 • Work exceptionally well for ARX primitives
MEM: Design Considerations
• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR • Sample LFSRs (state size b as n words of w bits):
b w n ϕ
128 8 16 (x1, . . . , x15, (x0 ≪ 1) ⊕ (x9 1) ⊕ (x10 1)) 128 32 4 (x1, . . . , x3, (x0 ≪ 5) ⊕ x1 ⊕ (x1 13)) 128 64 2 (x1, (x0 ≪ 11) ⊕ x1 ⊕ (x1 13)) 256 64 4 (x1, . . . , x3, (x0 ≪ 3) ⊕ (x3 5)) 512 32 16 (x1, . . . , x15, (x0 ≪ 5) ⊕ (x3 7)) 512 64 8 (x1, . . . , x7, (x0 ≪ 29) ⊕ (x1 9)) 1024 64 16 (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13)) 1600 32 50 (x , . . . , x , (x 3) ⊕ (x 3)) . . . 1 49 . 0 ≪ 23 . . . .
40 / 57 MEM: Design Considerations
• Particularly suited for large states (permutations) • Low operation counts by clever choice of LFSR • Sample LFSRs (state size b as n words of w bits):
b w n ϕ
128 8 16 (x1, . . . , x15, (x0 ≪ 1) ⊕ (x9 1) ⊕ (x10 1)) 128 32 4 (x1, . . . , x3, (x0 ≪ 5) ⊕ x1 ⊕ (x1 13)) 128 64 2 (x1, (x0 ≪ 11) ⊕ x1 ⊕ (x1 13)) 256 64 4 (x1, . . . , x3, (x0 ≪ 3) ⊕ (x3 5)) 512 32 16 (x1, . . . , x15, (x0 ≪ 5) ⊕ (x3 7)) 512 64 8 (x1, . . . , x7, (x0 ≪ 29) ⊕ (x1 9)) 1024 64 16 (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13)) 1600 32 50 (x , . . . , x , (x 3) ⊕ (x 3)) . . . 1 49 . 0 ≪ 23 . . . .
• Work exceptionally well for ARX primitives
40 / 57 64 128 256 512 1024
solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]
MEM: Uniqueness of Masking
• Intuitively, masking goes well as long as
γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0
for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms
41 / 57 solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]
MEM: Uniqueness of Masking
• Intuitively, masking goes well as long as
γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0
for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms
64 128 256 512 1024
41 / 57 |results implicitly{z used,} e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]
MEM: Uniqueness of Masking
• Intuitively, masking goes well as long as
γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0
for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms
64 128 256 512 1024
solved| {z by} Rogaway [Rog04]
41 / 57 | {z } solved by Granger et al. [GJMN16]
MEM: Uniqueness of Masking
• Intuitively, masking goes well as long as
γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0
for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms
64 128 256 512 1024
solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014)
41 / 57 MEM: Uniqueness of Masking
• Intuitively, masking goes well as long as
γ β α γ0 β0 α0 ϕ2 ◦ ϕ1 ◦ ϕ0 6= ϕ2 ◦ ϕ1 ◦ ϕ0
for any (α, β, γ) 6= (α0, β0, γ0) • Challenge: set proper domain for (α, β, γ) • Requires computation of discrete logarithms
64 128 256 512 1024
solved| {z by} |results implicitly{z used,} Rogaway [Rog04] e.g., by Prøst (2014) | {z } solved by Granger et al. [GJMN16]
41 / 57 PSfrag replacements
Application1 OPPg to AE: OPP
A A A M M M M 0 1 a–1 ⊕ i 0 1 d–1 0 1 a–1 2 d–1 0 1 d–1 ϕ (L) ϕ (L) ϕ (L) ϕ2 ϕ ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ◦ 1 ◦ ◦ ◦ ◦ P P P P P P P
0 1 a–1 2 d–1 0 1 d–1 ϕ (L) ϕ (L) ϕ (L) ϕ2 ϕ ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ϕ2 ϕ (L) ◦ 1 ◦ ◦ ◦ ◦
C1 C2 Cd T L = P (Nkk) 2 ϕ1 = ϕ ⊕ id, ϕ2 = ϕ ⊕ ϕ ⊕ id
• Oset Public Permutation (OPP) • Generalization of OCB3: • Permutation-based • More ecient MEM masking • Security against nonce-respecting adversaries • 0.55 cpb with reduced-round BLAKE2b
42 / 57 Application to AE: MRO 2 MROg
A A M M A M T 0 T d–1 0 a–1 0 d–1 | |k| | k k 0 a–1 0 d–1 ϕ (L) ϕ (L) ϕ1 ϕ (L) ϕ1 ϕ (L) ϕ2(L) ϕ2(L) ◦ ◦ PP P PP P
0 a–1 0 d–1 ϕ (L) ϕ (L) ϕ1 ϕ (L) ϕ1 ϕ (L) ϕ2(L) M0 ϕ2(L) M ◦ ◦ ⊕ ⊕ d–1 2 ϕ1(L) C1 Cd P L = P (Nkk) 2 ϕ2(L) ϕ1 = ϕ ⊕ id, ϕ2 = ϕ ⊕ ϕ ⊕ id 1 T
• Misuse-Resistant OPP (MRO) • Fully nonce-misuse resistant version of OPP • 1.06 cpb with reduced-round BLAKE2b
43 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking • Intuition • State of the Art • Improved Eciency • Improved Security
Nonce-Reuse
Conclusion
44 / 57 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure
• Security of XPX strongly depends on choice of T
XPX
4 XPX • XPX by Mennink [Men16]:
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set
45 / 57 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure
XPX
4 XPX • XPX by Mennink [Men16]:
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T
45 / 57 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure
XPX
4 XPX • XPX by Mennink [Men16]:
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure
45 / 57 3 Strong T −→ related-key secure
XPX
4 XPX • XPX by Mennink [Men16]:
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure 2 Normal T −→ single-key secure
45 / 57 XPX
4 XPX • XPX by Mennink [Men16]:
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
n 4 • (t11, t12, t21, t22) from some tweak set T ⊆ ({0, 1} ) • T can (still) be any set • Security of XPX strongly depends on choice of T 1 Weak T −→ insecure 2 Normal T −→ single-key secure 3 Strong T −→ related-key secure
45 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
4 XPX XPX: Weak Tweaks
t k t P (k) t k t P (k) 11 ⊕ 12 21 ⊕ 22
mP c
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
=⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
1 XPX-stupid-1XPX: Weak Tweaks
0k 0P (k) 0k 0P (k) ⊕ ⊕
m P
(0, 0, 0, 0) ∈ T
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
2 XPX-stupid-2XPX: Weak Tweaks
0k 0P (k) 0k 0P (k) ⊕ ⊕
mP P (m)
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
3 XPX-stupid-3XPX: Weak Tweaks
1k 0P (k) 1k 1P (k) ⊕ ⊕
0 P k
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
4 XPX-stupid-4XPX: Weak Tweaks
1k 0P (k) 0k 2P (k) ⊕ ⊕
0P 3P (k)
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k)
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
Valid Tweak Sets • Technical denition to eliminate weak cases
4 XPX-stupid-4XPX: Weak Tweaks
1k 0P (k) 0k 2P (k) ⊕ ⊕
0P 3P (k)
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······
46 / 57 • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
4 XPX-stupid-4XPX: Weak Tweaks
1k 0P (k) 0k 2P (k) ⊕ ⊕
0P 3P (k)
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases
46 / 57 4 XPX-stupid-4XPX: Weak Tweaks
1k 0P (k) 0k 2P (k) ⊕ ⊕
0P 3P (k)
(0, 0, 0, 0) ∈ T =⇒ XPXk((0, 0, 0, 0),m ) = P (m)
(1, 0, 1, 1) ∈ T =⇒ XPXk((1, 0, 1, 1), 0) = k
(1, 0, 0, 2) ∈ T =⇒ XPXk((1, 0, 0, 2), 0) =3 P (k) ··· ······ Valid Tweak Sets • Technical denition to eliminate weak cases • T invalid ⇐⇒ XPX insecure • T valid ⇐⇒ XPX single- or related-key secure
46 / 57 • Single-key STPRP secure (surprise?) • Generally, if |T | = 1, XPX is a normal blockcipher
XPX Covers Even-Mansour
4 XPX 1 EM
t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22
mP c −−→ mP c
for T = {(1, 0, 1, 0)}
47 / 57 • Generally, if |T | = 1, XPX is a normal blockcipher
XPX Covers Even-Mansour
4 XPX 1 EM
t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22
mP c −−→ mP c
for T = {(1, 0, 1, 0)}
• Single-key STPRP secure (surprise?)
47 / 57 XPX Covers Even-Mansour
4 XPX 1 EM
t k t P (k) t k t P (k) k k 11 ⊕ 12 21 ⊕ 22
mP c −−→ mP c
for T = {(1, 0, 1, 0)}
• Single-key STPRP secure (surprise?) • Generally, if |T | = 1, XPX is a normal blockcipher
47 / 57 • Related-key STPRP secure (if 2α3β7γ 6= 1)
XPX Covers XEX With Even-Mansour
4 XPX 4 XEMXsimple0
t k t P (k) t k t P (k) (2α3β7γ 1)k 2α3β7γP (k) 11 ⊕ 12 21 ⊕ 22 ⊕ ⊕
mP c −−→ mP c
α β γ α β γ ( 2 3 7 ⊕ 1 , 2 3 7 , for T = (α, β, γ) ∈ {XEX-tweaks} (2 α3β7γ ⊕ 1 , 2α3β7γ )
• (α, β, γ) is in fact the real tweak
48 / 57 XPX Covers XEX With Even-Mansour
4 XPX 4 XEMXsimple0
t k t P (k) t k t P (k) (2α3β7γ 1)k 2α3β7γP (k) 11 ⊕ 12 21 ⊕ 22 ⊕ ⊕
mP c −−→ mP c
α β γ α β γ ( 2 3 7 ⊕ 1 , 2 3 7 , for T = (α, β, γ) ∈ {XEX-tweaks} (2 α3β7γ ⊕ 1 , 2α3β7γ )
• (α, β, γ) is in fact the real tweak • Related-key STPRP secure (if 2α3β7γ 6= 1)
48 / 57 • Prøst-COPA by Kavun et al. (2014): COPA based on XEX based on Even-Mansour
Application to AE: COPA and Prøst-COPA 1 COPA
A1 A2 Aa 1 Aa M1 M2 Md M1 Md − ⊕···⊕ 33L 2 33L 2a-233L 2a-134L 3L 2 3L 2d-13L 2d-132L · ·
Ek Ek Ek Ek Ek Ek Ek L
Ek
Ek Ek Ek Ek
L = Ek(0) 2L 22L 2dL 2d-17L
C1 C2 Cd T
• By Andreeva et al. (2014) • Implicitly based on XEX based on AES
49 / 57 Application to AE: COPA and Prøst-COPA 1 COPA
A1 A2 Aa 1 Aa M1 M2 Md M1 Md − ⊕···⊕ 33L 2 33L 2a-233L 2a-134L 3L 2 3L 2d-13L 2d-132L · ·
Ek Ek Ek Ek Ek Ek Ek L
Ek
Ek Ek Ek Ek
L = Ek(0) 2L 22L 2dL 2d-17L
C1 C2 Cd T
• By Andreeva et al. (2014) • Implicitly based on XEX based on AES
• Prøst-COPA by Kavun et al. (2014): COPA based on XEX based on Even-Mansour
49 / 57 Ω 1 .. −−−−→ P rk
2 O σ 2n .. −−−−→ P sk
Related-Key Security of • Existing proof generalizes
2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk
σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of COPA
2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E sk sk
50 / 57 Ω 1 .. −−−−→ P rk
σ2 O 2n −−−−→ sk
Related-Key Security of • Existing proof generalizes
2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk
σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 O σ O σ .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E P sk sk
50 / 57 Ω 1 .. −−−−→ P rk
Related-Key Security of • Existing proof generalizes
2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk
σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk
50 / 57 Ω 1 .. −−−−→ P rk
σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk
Related-Key Security of COPA • Existing proof generalizes
2 2 O σ O σ .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E rk rk
50 / 57 Ω 1 −−−−→ rk
σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk
Related-Key Security of Prøst-COPA • Existing proof generalizes
2 2 O σ O σ .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E P rk rk
50 / 57 σ2 O 2n rk
Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk
Related-Key Security of Prøst-COPA • Existing proof generalizes
2 2 O σ O σ Ω 1 .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E −−−−→ P rk rk rk
50 / 57 Application to AE: COPA and Prøst-COPA
Single-Key Security of Prøst-COPA
2 2 2 O σ O σ O σ .. 2n .. 2n .. 2n .. COPA −−−−→ XEX −−−−→ E −−−−→ P sk sk sk
Related-Key Security of Prøst-COPA • Existing proof generalizes
2 2 O σ O σ Ω 1 .. 2n .. 2n .. .. COPA −−−−→ XEX −−−−→ E −−−−→ P rk rk rk
σ2 O 2n rk
50 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
51 / 57 • Sometimes, attacker can use same nonce multiple times
• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ...
Guaranteeing Uniqueness of Nonce
counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−
52 / 57 • Sometimes, attacker can use same nonce multiple times
Guaranteeing Uniqueness of Nonce
counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−
• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ...
52 / 57 Guaranteeing Uniqueness of Nonce
counter nonce random nonce user-chosen nonce ←−−− ←−−− ←−−−
• Issues with nonce generation: • Counter needs storage • Need synchronization or transmission • Eciency cost • Laziness or mistake of implementor • ... • Sometimes, attacker can use same nonce multiple times
52 / 57 Nonce-Reuse in Practice
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Böck et al., USENIX WOOT 2016
• GCM is widely used authenticated encryption scheme • Used in TLS (https)
• Internet-wide scan for GCM implementations • 184 devices with duplicated nonces • VISA, Polish bank, German stock exchange, . . . • ≈ 70.000 devices with random nonce
53 / 57 Resistance Against Nonce-Reuse
Intuition • All input should be cryptographically transformed • Any change in (N, A, M) −→ unpredictable (C,T ) • Often comes at a price: • Eciency • Security • Parallelizability • ...
54 / 57 Back to GCM-SIV
1 GCMSIV
N T +0 T +1 T +(m 1) PSfrag replacements −
Ek KeyGen EK EK EK
C1 C2 Cm ENC (K, L) KEY M1 M2 Mm
A GHASHL
N
EK MAC
T
55 / 57 Outline
Generic Composition
Link With Tweakable Blockciphers
Tweakable Blockciphers Based on Masking
Nonce-Reuse
Conclusion
56 / 57 Tweakable Blockciphers • Allow for modular and compact proofs • Birthday-bound secure TBCs: simple and ecient • Security beyond the birthday bound?
Thank you for your attention!
Conclusion
Authenticated Encryption • Nonce-based AE: currently the norm • CCM, GCM, OCB3, . . . • Nonce-reuse comes at eciency penalty • GCM-SIV, MRO, AEZ, . . . • CAESAR competition
57 / 57 Conclusion
Authenticated Encryption • Nonce-based AE: currently the norm • CCM, GCM, OCB3, . . . • Nonce-reuse comes at eciency penalty • GCM-SIV, MRO, AEZ, . . . • CAESAR competition
Tweakable Blockciphers • Allow for modular and compact proofs • Birthday-bound secure TBCs: simple and ecient • Security beyond the birthday bound?
Thank you for your attention!
57 / 57 SUPPORTING SLIDES
58 / 57 Detailed Picture of GCM
n 1 n + 1 1 n + 2 0
Ek Ek Ek Ek
m0 m1 H
c0 c1
ad ⊗H ⊗H ⊗H ⊗H t
len(ad)klen(c)
59 / 57 Detailed Picture of GCM-SIV
x ad ⊗k1 ⊗k1 ⊗k1 ⊗k1 0 Ek2 t
m0 m1 len(ad)klen(m) n
c0 c1 1 2 3
Ek2 Ek2 Ek Ek Ek Ek
xy xy xy xy x1 x1 k k t 1
k1 k2
60 / 57 = GCM-SIV Deoxys MRO4 MRO6 - - 8.07 11.32 - ≈ 2.58 2.41 3.58 1.17 ≈ 1.92 1.06 1.39
• Main implementation results:
nonce-respecting misuse-resistant
6= Platform AES-GCM OCB3 Deoxys OPP4 OPP6 Cortex-A8 38.6 28.9 - 4.26 5.91 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 Haswell 1.03 0.69 0.96 0.55 0.75
MEM: Implementation
• State size b = 1024 • LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• P : BLAKE2b permutation with 4 or 6 rounds
61 / 57 = GCM-SIV Deoxys MRO4 MRO6 - - 8.07 11.32 - ≈ 2.58 2.41 3.58 1.17 ≈ 1.92 1.06 1.39
MEM: Implementation
• State size b = 1024 • LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• P : BLAKE2b permutation with 4 or 6 rounds
• Main implementation results:
nonce-respecting misuse-resistant
6= Platform AES-GCM OCB3 Deoxys OPP4 OPP6 Cortex-A8 38.6 28.9 - 4.26 5.91 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 Haswell 1.03 0.69 0.96 0.55 0.75
61 / 57 MEM: Implementation
• State size b = 1024 • LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• P : BLAKE2b permutation with 4 or 6 rounds
• Main implementation results:
nonce-respecting misuse-resistant
6= = Platform AES-GCM OCB3 Deoxys OPP4 OPP6 GCM-SIV Deoxys MRO4 MRO6 Cortex-A8 38.6 28.9 - 4.26 5.91 - - 8.07 11.32 Sandy Bridge 2.55 0.98 1.29 1.24 1.91 - ≈ 2.58 2.41 3.58 Haswell 1.03 0.69 0.96 0.55 0.75 1.17 ≈ 1.92 1.06 1.39
61 / 57 x16 x17 x18 x19
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15
• Begin with state Li = [x0, . . . , x15] of 64-bit words
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
62 / 57 x16 x17 x18 x19
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15
62 / 57 x17 x18 x19
• x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16
• x16 = (x0 ≪ 53) ⊕ (x5 13)
62 / 57 x18 x19
• x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13)
62 / 57 x19
• x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13)
62 / 57 • Parallelizable (AVX2) and word-sliceable
MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13)
62 / 57 MEM: Parallelizability
• LFSR on 16 words of 64 bits:
ϕ(x0, . . . , x15) = (x1, . . . , x15, (x0 ≪ 53) ⊕ (x5 13))
• Begin with state Li = [x0, . . . , x15] of 64-bit words x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19
• x16 = (x0 ≪ 53) ⊕ (x5 13) • x17 = (x1 ≪ 53) ⊕ (x6 13) • x18 = (x2 ≪ 53) ⊕ (x7 13) • x19 = (x3 ≪ 53) ⊕ (x8 13) • Parallelizable (AVX2) and word-sliceable
62 / 57 XPX: Single-Key Security
(Strong) Tweakable PRP real world ideal world
( ) IC ( ) XPXk± P ± π ± P ±
e
distinguisher D
• Information-theoretic indistinguishability ideal tweakable permutation • πe • P ideal permutation • k secret key
q2 + qr T is valid =⇒ XPX is (S)TPRP up to O 2n
63 / 57
1 XPX: Related-Key Security
Related-Key (Strong) Tweakable PRP real world ideal world
( ) ( ) ± IC XPXϕ(k) P ± rkπ ± P ±
f
distinguisher D
• Information-theoretic indistinguishability • rkfπ ideal tweakable related-key permutation • P ideal permutation • k secret key
• D restricted to some set of key-deriving functions Φ
64 / 57
1 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕
• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕
• Note: maskings in XPX are ti1k ⊕ ti2P (k)
Results
if T is valid, and for all tweaks: security Φ
t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕
XPX: Related-Key Security
Key-Deriving Functions
• Φ⊕: all functions k 7→ k ⊕ δ
65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕
• Note: maskings in XPX are ti1k ⊕ ti2P (k)
Results
if T is valid, and for all tweaks: security Φ
t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕
XPX: Related-Key Security
Key-Deriving Functions
• Φ⊕: all functions k 7→ k ⊕ δ
• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕
65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕
Results
if T is valid, and for all tweaks: security Φ
t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕
XPX: Related-Key Security
Key-Deriving Functions
• Φ⊕: all functions k 7→ k ⊕ δ
• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕
• Note: maskings in XPX are ti1k ⊕ ti2P (k)
65 / 57 t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕
XPX: Related-Key Security
Key-Deriving Functions
• Φ⊕: all functions k 7→ k ⊕ δ
• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕
• Note: maskings in XPX are ti1k ⊕ ti2P (k)
Results
if T is valid, and for all tweaks: security Φ
t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕
65 / 57 XPX: Related-Key Security
Key-Deriving Functions
• Φ⊕: all functions k 7→ k ⊕ δ
• ΦP ⊕: all functions k 7→ k ⊕ δ or P (k) 7→ P (k) ⊕
• Note: maskings in XPX are ti1k ⊕ ti2P (k)
Results
if T is valid, and for all tweaks: security Φ
t12 6= 0 TPRP Φ⊕ t12, t22 6= 0 and (t21, t22) 6= (0, 1) STPRP Φ⊕
t11, t12 6= 0 TPRP ΦP ⊕ t11, t12, t21, t22 6= 0 STPRP ΦP ⊕
65 / 57 - h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )
prob. ratio for good transcripts
• Trade-o: dene bad transcripts smartly!
XPX: Security Proof Techniques
Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts
66 / 57 • Trade-o: dene bad transcripts smartly!
XPX: Security Proof Techniques
Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts
- h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )
prob. ratio for good transcripts
66 / 57 XPX: Security Proof Techniques
Patarin's H-coecient Technique • Each conversation denes a transcript • Dene good and bad transcripts
- h i rk (s)prp bad transcript for AdvXPX (D) ≤ ε + Pr (rkfπ, P )
prob. ratio for good transcripts
• Trade-o: dene bad transcripts smartly!
66 / 57 XPX: Security Proof Techniques
Before the Interaction • Reveal dedicated oracle queries
After the Interaction • Reveal key information • Single-key: k and P (k) • Φ⊕-related-key: k and P (k ⊕ δ) −1 • ΦP ⊕-related-key: k and P (k ⊕ δ) and P (P (k) ⊕ ε)
Bounding the Advantage • Smart denition of bad transcripts
67 / 57 σ2 O 2n −−−−→ rk
• Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}
2 O σ .. 2n .. .. Minalph. −−−−→ XPX P rk
XPX: Application to AE: Minalpher
1 Minalpher
A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
P P P P P P P
2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L
L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L
22d-13L
• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T
68 / 57 σ2 O 2n −−−−→ rk
2 O σ .. 2n .. .. Minalph. −−−−→ XPX P rk
XPX: Application to AE: Minalpher
1 Minalpher
A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
P P P P P P P
2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L
L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L
22d-13L
• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T • Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}
68 / 57 XPX: Application to AE: Minalpher
1 Minalpher
A1 A2 Aa 1 Aa M1 M2 Md 1 Md − − 2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
P P P P P P P
2 a-1 3 2d-3 2d-1 2L′ 2 L′ 2 L′ 2L 2 L 2 L 2 L
C1 C2 Cd 1 Cd − a-1 2 4 2d-2 2 3L′ 2 L 2 L 2 L
L0 = kkflagk0 ⊕ P (kkflagk0) P P P P a-1 2 4 2d-2 L = kkflagkN ⊕ P (kkflagkN) 2 3L′ 2 L 2 L 2 L
22d-13L
• By Sasaki et al. (2014) P • Extra nonce N concatenated to k 22d-13L T • Based on XPX with T = {(2α3β, 2α3β, 2α3β, 2α3β)}
2 2 O σ O σ .. 2n .. 2n .. Minalph. −−−−→ XPX −−−−→ P rk rk
68 / 57