sign in sign up

<<

Parallelizable and Authenticated Online Ciphers1

Parallelizable and Authenticated Online Ciphers1

Parallelizable and Authenticated Online Ciphers1

Atul Luykx

COSIC KU Leuven and iMinds

December 3, 2013

1Joint work with E. Andreeva, A. Bogdanov, B. Mennink, E. Tischhauser, and K. Yasuda. 1 / 24 Motivation: Authenticated Encryption

Authenticated Encryption (AE) = Privacy + Authenticity

1 Applications: SSH, IPsec, TLS, IEEE 802.11 2 CAESAR competition

GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

Figure : AE schemes

2 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

M1

AEK

C1

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

M1 M1

AEK AEK

C1 C2

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1

N1 AEK AEK

C1 C2

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1

N1 AEK N2 AEK

C1 C2

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1 M2

N1 AEK N2 AEK N3 AEK

C1 C2 C3

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1 M2

N AEK N AEK N AEK

C1 C2 C3

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1 M2

N AEK N AEK N AEK

C1 C1 C3

3 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

3 / 24 Motivation: OCB With Nonce Repeated

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

C[1] C[2] C[3] C[4]

4 / 24 Motivation: OCB With Nonce Repeated

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

C[1] C[2] C[3] C[4]

4 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

M1 M1 M2

N AEK N AEK N AEK

C1 C1 C3

5 / 24 Motivation: Nonce Misuse

Authenticated Encryption (AE)

Nonce Respecting

Misuse Resistant AE (MRAE)

M1 M1 M2

N AEK N AEK N AEK

C1 C1 C3

5 / 24 Motivation: Eﬃciency

GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

SIV, BTM, HBS: 1 High latency (receive full message before ﬁrst output) 2 Storage issues (large internal state) McOE: inherently sequential

6 / 24 Motivation: Eﬃciency

GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

SIV, BTM, HBS: 1 High latency (receive full message before ﬁrst output) 2 Storage issues (large internal state) McOE: inherently sequential

6 / 24 Motivation: Our Goal

Design an AE scheme that is Online Parallelizable Misuse Resistant

7 / 24 Motivation: Our Goal

Design an AE scheme that is Online Parallelizable Misuse Resistant Our method: 1 Create the ﬁrst parallelizable online cipher: COPE 2 Add authenticity eﬃciently: COPA

7 / 24 Motivation: Our Goal

Design an AE scheme that is Online Parallelizable Misuse Resistant Our method: 1 Create the ﬁrst parallelizable online cipher: COPE 2 Add authenticity eﬃciently: COPA Our desired AE scheme: COPA

7 / 24 Background: Cipher Deﬁnition

M ∈ {0, 1}∗

8 / 24 Background: Cipher Deﬁnition

K

∗ M ∈ {0, 1} M Cipher C

8 / 24 Background: Cipher Deﬁnition

K

∗ M ∈ {0, 1} M Cipher C |M| = |C|

8 / 24 Background: Cipher Deﬁnition

K

∗ M ∈ {0, 1} M Cipher C |M| = |C|

Cipher vs Encryption Scheme Length-Preserving Not Necessarily Deterministic Randomized,Stateful(nonce) Indistinguishable from permutations Indistinguishable from random bits

8 / 24 Background: Achieving AE via Ciphers

Cipher

9 / 24 Background: Achieving AE via Ciphers

Authentication

Cipher

9 / 24 Background: Achieving AE via Ciphers

MRAE

Authentication

Cipher

9 / 24 Background: Achieving AE via Ciphers

AE

Nonce Respecting

MRAE

Authentication

Cipher

9 / 24 Background: Achieving AE via Ciphers

AE

Nonce Respecting

MRAE

Authentication

Cipher

Variable Input Length

Block Cipher

9 / 24 Background: Online Cipher Deﬁnition

1 Same interface as a cipher 2 More efficient and “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix

10 / 24 Background: Online Cipher Deﬁnition

M[1] M[2] M[3] M[4]

1 Same interface as a cipher C[1] C[2] C[3] C[4] 2 More efficient and Dependency in a cipher. “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix

10 / 24 Background: Online Cipher Deﬁnition

M[1] M[2] M[3] M[4]

1 Same interface as a cipher C[1] C[2] C[3] C[4] 2 More efficient and Dependency in a cipher. “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix M[1] M[2] M[3] M[4]

C[1] C[2] C[3] C[4]

Dependency in an online cipher.

10 / 24 Background: Achieving AE Via Online Ciphers

AE

Nonce Respecting

MRAE

Authentication

Cipher

Variable Input Length

Block Cipher

11 / 24 Background: Achieving AE Via Online Ciphers

AE

Nonce Respecting

MRAE

Authentication

Cipher

Variable Input Length

Block Cipher 11 / 24 Background: Achieving AE Via Online Ciphers

AE

Nonce Respecting Nonce Respecting

MRAE MRAE “up to preﬁx”

Authentication Authentication

Cipher Online Cipher

Variable Input Length

Block Cipher 11 / 24 Existing Work

1 HCBC1, HCBC2 (BBKN, Crypto ’01) 2 MHCBC, MCBC (Nandi, Indocrypt ’08) 3 Rewritten with tweakable block ciphers: TC1, TC2, TC3 (Rogaway and Zhang, CT-RSA ’11) 4 McOE family (FFL, FSE ’12): TC3 with authentication All schemes are inherently sequential.

12 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

EK EK EK EK

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

0 EK EK EK EK

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

0 EK EK EK EK

C[1]

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

0 EK + EK EK EK

C[1]

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

0 EK + EK EK EK

C[1] C[2]

13 / 24 Existing Work: TC3

M[1] M[2] M[3] M[4]

0 EK + EK + EK + EK

C[1] C[2] C[3] C[4]

13 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

EK EK EK EK

C[1] C[2] C[3] C[4]

14 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

C[1] C[2] C[3] C[4]

14 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

C[1] C[2] C[3] C[4]

14 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

C[1] C[2] C[3] C[4]

t5 EK t6 EK t7 EK t8 EK

14 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

+ + +

t5 EK t6 EK t7 EK t8 EK

14 / 24 Achieving Parallelizability

M[1] M[2] M[3] M[4]

t1 EK t2 EK t3 EK t4 EK

+ + +

t5 EK t6 EK t7 EK t8 EK

C[1] C[2] C[3] C[4]

14 / 24 Our Online Cipher: COPE

M[1] M[2] M[3] M[4]

20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK

+ + +

21L EK 22L EK 23L EK 24L EK

C[1] C[2] C[3] C[4]

L := EK (0)

15 / 24 Adding Authenticity to COPE

M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4]

2332L EK

S +

237L EK

T

16 / 24 Our Authenticated Online Cipher: COPA

M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4]

M[1] M[2] M[3] M[4] 2332L EK

20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK S + V + + + + S

21L EK 22L EK 23L EK 24L EK 237L EK

C[1] C[2] C[3] C[4] COPE T

Note: COPA also accepts associated data (while maintaining parallelizability)

17 / 24 Security

σ: total length of all queries in number of blocks a ≈ 40, b ≈ 4

Advcpa a·σ2 Advprp±1 ′ COPE(t,σ) ≤ 2n + E (t , b · σ) Advcpa a·σ2 Advprp±1 ′ COPA(t,σ) ≤ 2n + E (t , b · σ) Advint a·σ2 Advprp±1 ′ COPA(t,σ) ≤ 2n + E (t , b · σ)

18 / 24 Security: Proof Idea

M[1] M[2] M[3] M[4]

20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK

+ + +

21L EK 22L EK 23L EK 24L EK

C[1] C[2] C[3] C[4]

L := EK (0)

19 / 24 Security: Proof Idea

M[1] M[2] M[3] M[4]

π1 π2 π3 π4

+ + +

π5 π6 π7 π8

C[1] C[2] C[3] C[4]

19 / 24 Security: Proof Idea

M[1] M[2] M[3] M[4]

π1 π2 π3 π4

+ + +

π5 π6 π7 π8

C[1] C[2] C[3] C[4]

19 / 24 Results: Using AES-NI on Intel Sandy Bridge

12 CTR COPE 10 COPA McOE-G 8 TC1 TC3 6 MCBC

cycles per byte 4

2

0 102 103 104 message length (bytes) 20 / 24 Summary

1 COPE: ﬁrst parallelizable, online cipher

2 COPA: misuse resistant authenticated encryption (with associated data) eﬃcient security reduction to block cipher CAESAR submission

21 / 24 COPE

M[1] M[2] M[3] M[4]

20 · 3L + 21 · 3L + 22 · 3L + 23 · 3L +

EK EK EK EK

L + + + +

EK EK EK EK

21L + 22L + 23L + 24L +

C[1] C[2] C[3] C[4] L := EK (0) 22 / 24 Associated Data in COPA

A[1] A[2] A[3] A[4]

33L + 2 · 33L + 22 · 33L + 23 · 34L +

EK EK EK

+ + +

EK

V

23 / 24 Results

Table : Software performance of (authenticated) online ciphers based on the AES on the Intel Sandy Bridge platform (AES-NI). All numbers are given in cycles per byte (cpb).

message length (bytes) Algorithm 128 256 512 1024 2048 4096 8192 CTR 1.74 1.27 1.05 0.93 0.86 0.83 0.82 TC1 9.00 8.75 8.65 8.60 8.56 8.56 8.56 TC3 9.08 8.82 8.72 8.67 8.63 8.63 8.62 MCBC 11.66 11.00 10.68 10.52 10.44 10.40 10.38 COPE 2.56 2.08 1.89 1.78 1.72 1.70 1.69 McOE-G 10.85 9.73 9.14 8.90 8.74 8.69 8.66 COPA 3.78 2.85 2.31 2.06 1.94 1.88 1.85

24 / 24