The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Those who’ve worked with me on AE: Mihir Bellare Workshop on Real-World Cryptography John Black Thursday, 10 January 2013 Ted Krovetz Stanford, California, USA Chanathip Namprempre Tom Shrimpton David Wagner 1/40 Traditional View (~2000) Of Symmetric Goals K K Sender Receiver Privacy Authenticity (confidentiality) (data-origin authentication) Encryption Authenticated Encryption Message scheme Achieve both of these aims Authentication Code (MAC) IND-CPA [Goldwasser, Micali 1982] Existential-unforgeability under ACMA [Bellare, Desai, Jokipii, R 1997] [Goldwasser, Micali, Rivest 1984, 1988], [Bellare, Kilian, R 1994], [Bellare, Guerin, R 1995] 2/40 Needham-Schroeder Protocol (1978) Attacked by Denning-Saco (1981) Practioners never saw a b IND-CPA as S encryption’s goal A . B . NA {N . B . s . {s . A} } 1 A b a 2 a b {s . A} A 3 b B 4 {NB}s 5 {NB -1 }s 3/40 Add redundancy No authenticity for any S = f (P) CBC ~ 1980 Doesn’t work Beyond CBC MAC: regardless of how you compute unkeyed checksums don’t work even the (unkeyed) checksum S = R(P1, …, Pn) with IND-CCA or NM-CPA schemes (Wagner) [An, Bellare 2001] 4/40 Add more arrows PCBC 1982 Doesn’t work See [Yu, Hartman, Raeburn 2004] The Perils of Unauthenticated Encryption: Kerberos Version 4 for real-world attacks 5/40 Add yet more stuff iaPCBC [Gligor, Donescu 1999] Doesn’t work Promptly broken by Jutla (1999) & Ferguson, Whiting, Kelsey, Wagner (1999) 6/40 Emerging understanding that: - We’d like to get authenticity as an adjunct to privacy - Ad hoc ways to try to get it cheaply don’t work ~2000 Similar realization, earlier, in the PK world - [Bleichenbacher 1998] – Attack on PKCS #1 - Reaction: IND-CPA security not enough - CCA1 security [Naor-Yung 1990] - CCA2 security [Rackoff-Simon 1991] - Non-malleability [Dolev-Dwork-Naor 1991] - Signcryption [Zheng 1997] (very different motivation) 7/40 AE Def ined [Bellare, R 2000] – “Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography” [Katz, Yung 2000] – “Unforgeable encryption and chosen ciphertext secure modes of operation” coins M Enc C C Dec M or ^ K K 1. Privacy IND-CPA, as defined in [BDJR97]: IND-CPA 2. Authenticity The only ciphertexts C an adversary can name that will decrypt to an M ^ are those obtained by an Enc(·) call Integrity of ciphertexts [Bellare Namprempre 2000] “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm” 8/40 AE Def ined M || EncK () EncK ($ ) C C A [Bellare, Desai, Jokipii, R 1997] priv Enc () Enc ($||) Adv (A) = Pr[A K 1] - Pr[A K 1] P 9/40 AE Def ined M EncK () C A C* [Bellare, Desai, Jokipii, R 1997] priv Enc () Enc ($||) Adv (A) = Pr[A K 1] - Pr[A K 1] P auth EncK () * * * Adv (A) = Pr[A C : no query returned C and DecK (C ) ^ ] P [Bellare, R 2000] [Katz, Yung 2000] 10/40 Generic Composition [Bellare, Namprempre 2000] of an IND-CPA encryption scheme and a PRF M M M EncK MACL MACL EncK C T EncK MACL C C T Encrypt-and-MAC MAC-then-Encrypt EncryptP-then -MAC 11/40 RPC Mode [Katz, Yung 2000] M1 M2 M3 M4 start i M1 i+1 M2 i+2 M3 i+3 M4 i+4 end i+5 EK EK EK EK EK EK i C0 C1 C2 C3 C4 C5 • Blockcipher-based AE using ~1.33 m + 2 calls • Fully parallelizable 12/40 IAPM Mode [Jutla 2001] Encryption Modes with Almost Free Message Integrity Illustration from [Jutla 2001] • Blockcipher-based AE using m + 1 calls • Fully parallelizable [Gligor, Donescu 2001] • Plaintext a multiple of blocksize. Padding will up |C| for many other AE designs • ~ lg mmax additional calls for key setup • Multiple blockcipher keys • Need for random r 13/40 OCB Mode (later “OCB1”) [R, Bellare, Black, Krovetz 2001] Z [i] = R gi L Checksum = M[1] M[m-1] C[m]0*Y[m] • Arbitrary-length messages; no padding • Efficient offset calculations • Single blockcipher key • Cheap key setup (one blockcipher call) • m + 2 blockcipher calls 14/40 Urgent Real-World Need for AE • 802.11 standard ratified in 1999 Uses WEP security – RC4 with a CRC-32 checksum for integrity • Fatal attacks soon emerge: - [Fluhrer, Mantin, Shamir 2001] Weaknesses in the key scheduling algorithm of RC4 - [Stubblefield, Ioannidis, Rubin 2001] Using the Fluhrer, Mantin, Shamir attack to break WEP - [Borisov, Goldberg, Wagner 2001] Intercepting mobile communications: the insecurity of 802.11 - [Cam-Winget, Housley, Wagner, Walker 2003] Security flaws in 802.11 data links protocols • WEP WPA (uses TKIP) WPA2 (uses CCM) - Draft solutions based on OCB - Politics +patent-avoidance: CCM developed [Whiting, Housley, Ferguson 2002] - Standardized in IEEE 802.11 – then NIST 15/40 Definitional Issues N coins N M Enc C C Dec M AD AD or ^ K K 1) Move the coins “out” and make Enc deterministic [RBBK01] 2) Add in “associated data” [R02] 16/40 All-in-one definition [R, Shrimpton 2006] AEAD Also uses ind from random bits [RBBK00] N, AD, M EncK (,,) $ (,, ) C C A M ^ ^ (,, ) DecK (,,) N, AD, C aead EncK DecK $ ^ Adv (A) = Pr[A 1] - Pr[A 1] P A may not - Repeat an N in an enc query - Ask a dec query (N, AD, C) after C is returned by an (N, AD, ) enc query 17/40 IND vs. IND$ N, AD, M N, AD, M Enc Fake Enc $ C Enc($) vs. C $ A A IND IND$ • Overshooting the “right” goal X • Easier to prove schemes meet • Tightly implies other notion • Conceptually simpler Anonymity • Gives you more which-key concealing A names i; • real: use Ki • fake: use K IND anonymity IND$ 18/40 Nonce-Based Generic Composition M M AD AD M N AD N N EncK MACL EncK MACL C T EncK MACL C C T Encrypt-and-MAC MAC-then-Encrypt Encrypt-then-MAC P P P 19/40 [Whiting, Housley, Ferguson 2002] NIST SP 800-38C RFC 3610, 4309, 5084 CCM 20/40 Functions COUNT and FORMAT 21/40 [Whiting, Housley, Ferguson 2002] NIST SP 800-38C RFC 3610, 4309, 5084 [R, Wagner 2003] “A Critique of CCM” CCM • About 2m+2 blockcipher calls • Half non-parallelizable • Word alignment disrupted • Can’t preprocess static AD • Not online • Provably secure [Jonsson 2002] • Widely standardized & used • Parameter q {2,3,4,5,6,7,8}, byte length of byte length of • Simple to implement longest message, determines • Only forward direction of cipher used nonce length of t =15-q 22/40 [McGrew, Viega 2004] (Follows CWC [Kohno, Viega, Whiting 2004]) NIST SP 800-38D:2007 RFC 4106, 5084, 5116, 5288, 5647 ISO 19772:2009 GCM • Provably secure • Efficient in HW • Widely standardized & used • Good in SW with AES-NI, PCMULDQ, or tables • Parallelizable, online • Static AD can be preprocessed • About m+1 blockcipher calls • Only forward direction of blockcipher used • Poor key agility (table-based implementation)• “Reflected-bit” convention • Can’t use short tags [Ferguson 05] • |N|96 not handled well • Not so good in SW • Published proof buggy [Iwata, 2012] • Timing attacks? (if table-based) 23/40 In terms of [KR11], following tweakable blockcipher [RBBK01,LRW02,R04] [LRW02] OCB = M1 M2 M3 M4 24/40 In terms of [KR11], following tweakable blockcipher [RBBK01,LRW02,R04] [LRW02] OCB = M1 M2 M3 M410 * 25/40 [KR11] Making the Tweakable Blockcipher ~ N i EK (X) = EK (XD) D with D= Initial + li L ~ N i * * EK (X) = EK (XD) with D= Initial + li L ~N i $ $ EK (X) = EK (XD) with D= Initial + li L ~ N i * $ *$ EK (X) = EK (XD) with D= Initial + li L ~ i EK (X) = EK (XD) with D= li L ~ i * * EK (X) = EK (XD) with D= li L 127-|N| 128 a(0) = 0 Nonce = 0 1 N L = EK (0 ) Top = Nonce & 1122 06 ntz (i) li = 4 a(i) a(i) = a(i-1) 2 122 6 * Bottom = Nonce & 1 1 li = 4 a(i)+1 $ Ktop = EK (Top) li = 4 a(i)+2 *$ Stretch = Ktop || (Ktop (Ktop << 8)) li = 4 a(i)+3 Initial = (Stretch << Bottom) [1..128] 26/40 [KR11] Software Performance Mode 4KB cpb Intel Core x86 i7 – “Sandy Bridge” CCM 5.14 64-bit OS, using AES/GCM NIs GCM 2.95 OCB 0.87 Encryption Time (cpb) message length (bytes) 27/40 See the OCB homepage www.cs.ucdavis.edu/~rogaway/ocb for more platforms and data, +reference code 28/40 [KR11] Utility of Implementations for Understanding What’s Fast / Desirable int ae_encrypt( ae_ctx *ctx, const void *nonce, const void *pt, Word-Oriented int pt_len, 1 1 15 const void *ad, ¿ À ¿ LFSRs int ad_len, [Chakraborty, Sarkar 2008] A B C D void *ct, © don’t help void *tag, int final); C D B A’ Incremental API impacts processing of final chunks 6 128 X = HK (X) K K 8 ¿ Stretch-then-Shift 128 128 hash does help 29/40 Utility of Theory for Designing Fast / Correct Schemes • Modes as efficient as OCB can’t be designed without a supporting theory • Errors are expected without a supporting theory Broken within days by Rogaway and by Donescu, Gligor, and Wagner http://www.nsa.gov/research/tech_transfer/ fact_sheets/dual_counter_mode.shtml 30/40 OCB • Fastest provably-secure blockcipher-based construction for SW • Parallelizable, online, ~ m+1.02 blockcipher calls • Blockcipher used in the forward and backward direction • There are faster de novo approaches • Security only to the birthday bound • Patents • Limited misuse resistance • Nonce reuse • Tag truncation • Incremental-decrypt exploit 31/40 [R, Shrimpton 2006] Nonce Repetitions One form of misuse • If N is a nonce, you get what an AE delivers • If N gets reused, all that leaks is repetitions: - authenticity is undamaged - privacy damaged to the extent unavoidable—repetitions of (N, AD, M) revealed 32/40 [R, Shrimpton 2006] Nonce-Reuse-Resistant AE N, AD, M EncK (,,) $ (, ,) C C A M ^ DecK (,,) ^ (, ,) N, AD, C A may not ask queries that would trivially result in a win 33/40 [R, Shrimpton 2006] Deterministic AE vector N, AD, M EncK (,) $ (, ) C C A M