Parallelizable and Authenticated Online Ciphers1
Atul Luykx
COSIC KU Leuven and iMinds
December 3, 2013
1Joint work with E. Andreeva, A. Bogdanov, B. Mennink, E. Tischhauser, and K. Yasuda. 1 / 24 Motivation: Authenticated Encryption
Authenticated Encryption (AE) = Privacy + Authenticity
1 Applications: SSH, IPsec, TLS, IEEE 802.11 2 CAESAR competition
GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
Figure : AE schemes
2 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
M1
AEK
C1
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
M1 M1
AEK AEK
C1 C2
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1
N1 AEK AEK
C1 C2
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1
N1 AEK N2 AEK
C1 C2
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1 M2
N1 AEK N2 AEK N3 AEK
C1 C2 C3
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1 M2
N AEK N AEK N AEK
C1 C2 C3
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1 M2
N AEK N AEK N AEK
C1 C1 C3
3 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
3 / 24 Motivation: OCB With Nonce Repeated
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
C[1] C[2] C[3] C[4]
4 / 24 Motivation: OCB With Nonce Repeated
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
C[1] C[2] C[3] C[4]
4 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
M1 M1 M2
N AEK N AEK N AEK
C1 C1 C3
5 / 24 Motivation: Nonce Misuse
Authenticated Encryption (AE)
Nonce Respecting
Misuse Resistant AE (MRAE)
M1 M1 M2
N AEK N AEK N AEK
C1 C1 C3
5 / 24 Motivation: Efficiency
GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
SIV, BTM, HBS: 1 High latency (receive full message before first output) 2 Storage issues (large internal state) McOE: inherently sequential
6 / 24 Motivation: Efficiency
GCM XECB CWC HBS IAPM OCB CCM EAX SIV BTM McOE
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
SIV, BTM, HBS: 1 High latency (receive full message before first output) 2 Storage issues (large internal state) McOE: inherently sequential
6 / 24 Motivation: Our Goal
Design an AE scheme that is Online Parallelizable Misuse Resistant
7 / 24 Motivation: Our Goal
Design an AE scheme that is Online Parallelizable Misuse Resistant Our method: 1 Create the first parallelizable online cipher: COPE 2 Add authenticity efficiently: COPA
7 / 24 Motivation: Our Goal
Design an AE scheme that is Online Parallelizable Misuse Resistant Our method: 1 Create the first parallelizable online cipher: COPE 2 Add authenticity efficiently: COPA Our desired AE scheme: COPA
7 / 24 Background: Cipher Definition
M ∈ {0, 1}∗
8 / 24 Background: Cipher Definition
K
∗ M ∈ {0, 1} M Cipher C
8 / 24 Background: Cipher Definition
K
∗ M ∈ {0, 1} M Cipher C |M| = |C|
8 / 24 Background: Cipher Definition
K
∗ M ∈ {0, 1} M Cipher C |M| = |C|
Cipher vs Encryption Scheme Length-Preserving Not Necessarily Deterministic Randomized,Stateful(nonce) Indistinguishable from permutations Indistinguishable from random bits
8 / 24 Background: Achieving AE via Ciphers
Cipher
9 / 24 Background: Achieving AE via Ciphers
Authentication
Cipher
9 / 24 Background: Achieving AE via Ciphers
MRAE
Authentication
Cipher
9 / 24 Background: Achieving AE via Ciphers
AE
Nonce Respecting
MRAE
Authentication
Cipher
9 / 24 Background: Achieving AE via Ciphers
AE
Nonce Respecting
MRAE
Authentication
Cipher
Variable Input Length
Block Cipher
9 / 24 Background: Online Cipher Definition
1 Same interface as a cipher 2 More efficient and “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix
10 / 24 Background: Online Cipher Definition
M[1] M[2] M[3] M[4]
1 Same interface as a cipher C[1] C[2] C[3] C[4] 2 More efficient and Dependency in a cipher. “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix
10 / 24 Background: Online Cipher Definition
M[1] M[2] M[3] M[4]
1 Same interface as a cipher C[1] C[2] C[3] C[4] 2 More efficient and Dependency in a cipher. “on-the-fly” computing 3 Different (weaker) security requirement: up to prefix M[1] M[2] M[3] M[4]
C[1] C[2] C[3] C[4]
Dependency in an online cipher.
10 / 24 Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting
MRAE
Authentication
Cipher
Variable Input Length
Block Cipher
11 / 24 Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting
MRAE
Authentication
Cipher
Variable Input Length
Block Cipher 11 / 24 Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting Nonce Respecting
MRAE MRAE “up to prefix”
Authentication Authentication
Cipher Online Cipher
Variable Input Length
Block Cipher 11 / 24 Existing Work
1 HCBC1, HCBC2 (BBKN, Crypto ’01) 2 MHCBC, MCBC (Nandi, Indocrypt ’08) 3 Rewritten with tweakable block ciphers: TC1, TC2, TC3 (Rogaway and Zhang, CT-RSA ’11) 4 McOE family (FFL, FSE ’12): TC3 with authentication All schemes are inherently sequential.
12 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
EK EK EK EK
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
0 EK EK EK EK
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
0 EK EK EK EK
C[1]
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
0 EK + EK EK EK
C[1]
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
0 EK + EK EK EK
C[1] C[2]
13 / 24 Existing Work: TC3
M[1] M[2] M[3] M[4]
0 EK + EK + EK + EK
C[1] C[2] C[3] C[4]
13 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
EK EK EK EK
C[1] C[2] C[3] C[4]
14 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
C[1] C[2] C[3] C[4]
14 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
C[1] C[2] C[3] C[4]
14 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
C[1] C[2] C[3] C[4]
t5 EK t6 EK t7 EK t8 EK
14 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
+ + +
t5 EK t6 EK t7 EK t8 EK
14 / 24 Achieving Parallelizability
M[1] M[2] M[3] M[4]
t1 EK t2 EK t3 EK t4 EK
+ + +
t5 EK t6 EK t7 EK t8 EK
C[1] C[2] C[3] C[4]
14 / 24 Our Online Cipher: COPE
M[1] M[2] M[3] M[4]
20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK
+ + +
21L EK 22L EK 23L EK 24L EK
C[1] C[2] C[3] C[4]
L := EK (0)
15 / 24 Adding Authenticity to COPE
M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4]
2332L EK
S +
237L EK
T
16 / 24 Our Authenticated Online Cipher: COPA
M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4]
M[1] M[2] M[3] M[4] 2332L EK
20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK S + V + + + + S
21L EK 22L EK 23L EK 24L EK 237L EK
C[1] C[2] C[3] C[4] COPE T
Note: COPA also accepts associated data (while maintaining parallelizability)
17 / 24 Security
σ: total length of all queries in number of blocks a ≈ 40, b ≈ 4
Advcpa a·σ2 Advprp±1 ′ COPE(t,σ) ≤ 2n + E (t , b · σ) Advcpa a·σ2 Advprp±1 ′ COPA(t,σ) ≤ 2n + E (t , b · σ) Advint a·σ2 Advprp±1 ′ COPA(t,σ) ≤ 2n + E (t , b · σ)
18 / 24 Security: Proof Idea
M[1] M[2] M[3] M[4]
20 · 3L EK 21 · 3L EK 22 · 3L EK 23 · 3L EK
+ + +
21L EK 22L EK 23L EK 24L EK
C[1] C[2] C[3] C[4]
L := EK (0)
19 / 24 Security: Proof Idea
M[1] M[2] M[3] M[4]
π1 π2 π3 π4
+ + +
π5 π6 π7 π8
C[1] C[2] C[3] C[4]
19 / 24 Security: Proof Idea
M[1] M[2] M[3] M[4]
π1 π2 π3 π4
+ + +
π5 π6 π7 π8
C[1] C[2] C[3] C[4]
19 / 24 Results: Using AES-NI on Intel Sandy Bridge
12 CTR COPE 10 COPA McOE-G 8 TC1 TC3 6 MCBC
cycles per byte 4
2
0 102 103 104 message length (bytes) 20 / 24 Summary
1 COPE: first parallelizable, online cipher
2 COPA: misuse resistant authenticated encryption (with associated data) efficient security reduction to block cipher CAESAR submission
21 / 24 COPE
M[1] M[2] M[3] M[4]
20 · 3L + 21 · 3L + 22 · 3L + 23 · 3L +
EK EK EK EK
L + + + +
EK EK EK EK
21L + 22L + 23L + 24L +
C[1] C[2] C[3] C[4] L := EK (0) 22 / 24 Associated Data in COPA
A[1] A[2] A[3] A[4]
33L + 2 · 33L + 22 · 33L + 23 · 34L +
EK EK EK
+ + +
EK
V
23 / 24 Results
Table : Software performance of (authenticated) online ciphers based on the AES on the Intel Sandy Bridge platform (AES-NI). All numbers are given in cycles per byte (cpb).
message length (bytes) Algorithm 128 256 512 1024 2048 4096 8192 CTR 1.74 1.27 1.05 0.93 0.86 0.83 0.82 TC1 9.00 8.75 8.65 8.60 8.56 8.56 8.56 TC3 9.08 8.82 8.72 8.67 8.63 8.63 8.62 MCBC 11.66 11.00 10.68 10.52 10.44 10.40 10.38 COPE 2.56 2.08 1.89 1.78 1.72 1.70 1.69 McOE-G 10.85 9.73 9.14 8.90 8.74 8.69 8.66 COPA 3.78 2.85 2.31 2.06 1.94 1.88 1.85
24 / 24