Security of Authenticated Encryption Modes

Bart Mennink, Radboud University (The Netherlands)
COST Training School on Symmetric Cryptography and Blockchain, February 22, 2018
1 / 57

Authenticated Encryption
A ------------------------------> B
• Encryption: no outsider can learn anything about the data
• Authentication: no outsider can manipulate the data
2 / 57

CAESAR Competition
3 / 57

CAESAR Competition
Competition for Authenticated Encryption: Security, Applicability, and Robustness
Goal: portfolio of authenticated encryption schemes
• Mar 15, 2014: 57 first round candidates
• Jul 7, 2015: 29.5 second round candidates
• Aug 15, 2016: 16 third round candidates
• ??: announcement of finalists
• ??: announcement of final portfolio
4 / 57

Authenticated Encryption
  (N, A, M) --> AE_k --> (C, T)
• Ciphertext C: encryption of message M
• Tag T authenticates associated data A and message M
• Nonce N randomizes the scheme
5 / 57

Authenticated Decryption
  (N, A, C, T) --> AD_k --> M if T correct, ⊥ otherwise
• Authenticated decryption needs to satisfy that
  • Message disclosed if tag is correct
  • Message is not leaked if tag is incorrect
• Correctness: $\mathrm{AD}_k(N, A, \mathrm{AE}_k(N, A, M)) = M$
6 / 57

Authenticated Encryption Security
  distinguisher D talks either to the AE scheme (AE_k, AD_k) or to a random function and ⊥, i.e. ($, ⊥)
• Two oracles: $(\mathrm{AE}_k, \mathrm{AD}_k)$ (for secret key k) and $(\$, \bot)$
• Distinguisher D has query access to one of these → unique nonce for each encryption query
• D tries to determine which oracle it communicates with
$$\mathrm{Adv}^{\mathrm{ae}}_{\mathrm{AE}}(D) = \Pr\big[D^{\mathrm{AE}_k,\mathrm{AD}_k} = 1\big] - \Pr\big[D^{\$,\bot} = 1\big]$$
7 / 57

100% Security is Impractical
8 / 57

Outline
• Generic Composition
• Link With Tweakable Blockciphers
• Tweakable Blockciphers Based on Masking
• Nonce-Reuse
• Conclusion
9 / 57

Outline (current section: Generic Composition)
10 / 57

Generic Composition
• Generic constructions for AE: Enc + MAC = AE
• Bellare and Namprempre (2000): 3 basic approaches
  • E&M (Encrypt-and-MAC): c = Enc_k(m), t = MAC_l(m)
    • Used in SSH
    • Generically insecure: a MAC such as MAC_l(m) = m ‖ t is unforgeable yet leaks m
  • MtE (MAC-then-Encrypt): t = MAC_l(m), c = Enc_k(m ‖ t)
    • Used in TLS
    • Mildly insecure: padding oracle attack
  • EtM (Encrypt-then-MAC): c = Enc_k(m), t = MAC_l(c)
    • Used in IPsec
    • Most secure variant: ciphertext integrity
11 / 57
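The three compositions on the slide, as an added example that is not part of the original slides. Enc_k is a toy stream cipher (SHA-256 counter keystream) and MAC_l is HMAC-SHA256; both are assumptions chosen so the file runs offline, and the keys, the message and the error strings are constructed for the demo. It shows the slide's three annotations in code: E&M with a MAC of the form MAC_l(m) = m ‖ t hands over the message, MtE's padding-before-MAC check yields a padding oracle that recovers the plaintext byte by byte (run here against a stream cipher rather than CBC, but the oracle is the same), and EtM rejects a tampered ciphertext before anything is decrypted.

```python
# Added example (not from the original slides): Bellare-Namprempre's E&M, MtE
# and EtM over a toy stream cipher.  Enc_k = SHA-256 counter keystream and
# MAC_l = HMAC-SHA256 are assumptions chosen so this runs offline.
import hashlib
import hmac

def enc(key: bytes, data: bytes) -> bytes:
    """Enc_k: XOR with a SHA-256 counter keystream; decryption is the same call."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mac(key: bytes, data: bytes) -> bytes:
    """MAC_l: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def pad(p: bytes, block: int = 16) -> bytes:
    n = block - len(p) % block
    return p + bytes([n]) * n

def unpad(p: bytes) -> bytes:
    n = p[-1] if p else 0
    if n == 0 or n > len(p) or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

# E&M: c = Enc_k(m), t = MAC_l(m).  A MAC can be unforgeable yet expose its
# input, e.g. MAC_l(m) = m || HMAC(m): the tag then carries m in the clear.
def leaky_mac(key: bytes, m: bytes) -> bytes:
    return m + mac(key, m)

def encrypt_and_mac(ke: bytes, km: bytes, m: bytes):
    return enc(ke, m), leaky_mac(km, m)

# MtE: t = MAC_l(m), c = Enc_k(pad(m || t)).  Padding is checked before the
# MAC, so a receiver that reports which check failed is a padding oracle.
def mac_then_encrypt(ke: bytes, km: bytes, m: bytes) -> bytes:
    return enc(ke, pad(m + mac(km, m)))

def mte_decrypt(ke: bytes, km: bytes, c: bytes) -> bytes:
    p = unpad(enc(ke, c))                      # may raise "bad padding"
    m, t = p[:-16], p[-16:]
    if not hmac.compare_digest(mac(km, m), t):
        raise ValueError("bad mac")
    return m

# EtM: c = Enc_k(m), t = MAC_l(c).  The tag is checked on the ciphertext, so
# nothing is decrypted, and no plaintext-dependent error exists, unless it is valid.
def encrypt_then_mac(ke: bytes, km: bytes, m: bytes):
    c = enc(ke, m)
    return c, mac(km, c)

def etm_decrypt(ke: bytes, km: bytes, c: bytes, t: bytes) -> bytes:
    if not hmac.compare_digest(mac(km, c), t):
        raise ValueError("bad mac")
    return enc(ke, c)

def _padding_ok(oracle, probe: bytes) -> bool:
    try:                                       # True iff the padding check passed
        oracle(probe)
        return True
    except ValueError as e:
        return str(e) == "bad mac"

def padding_oracle_attack(oracle, c: bytes, length: int) -> bytes:
    """Recover the first `length` plaintext bytes of an MtE ciphertext from the
    error type alone: truncate to i+1 bytes and XOR g ^ 0x01 into the last
    byte; the padding is valid exactly when g is the plaintext byte (a second
    probe that corrupts the byte before rules out longer accidental padding)."""
    out = bytearray()
    for i in range(length):
        for g in range(256):
            probe = c[:i] + bytes([c[i] ^ g ^ 0x01])
            if not _padding_ok(oracle, probe):
                continue
            if i and not _padding_ok(oracle, c[:i - 1] + bytes([c[i - 1] ^ 0xFF]) + probe[i:]):
                continue
            out.append(g)
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return bytes(out)

def demo() -> dict:
    ke, km = b"E" * 16, b"M" * 16                      # constructed demo keys
    m = b"PUT /transfer?amount=100"                   # constructed message
    _, t_em = encrypt_and_mac(ke, km, m)
    c_mte = mac_then_encrypt(ke, km, m)
    c_etm, t_etm = encrypt_then_mac(ke, km, m)
    try:
        etm_decrypt(ke, km, bytes([c_etm[0] ^ 1]) + c_etm[1:], t_etm)
        etm_error = None
    except ValueError as e:
        etm_error = str(e)
    return {
        "em_tag_reveals_message": t_em.startswith(m),
        "mte_recovered": padding_oracle_attack(lambda x: mte_decrypt(ke, km, x), c_mte, len(m)),
        "etm_error": etm_error,
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() recovers the full 24-byte message from the MtE receiver using at most 2·256 queries per byte, without ever seeing a decryption succeed; the only information used is whether the error was "bad padding" or "bad mac". The EtM receiver produces a single "bad mac" for the tampered ciphertext and never runs the decryption, which is the ciphertext-integrity property the slide credits to EtM.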
GCM
GCM for 96-bit nonce N: the counter blocks N‖1, N‖2, N‖3, …, N‖(m+1) are encrypted under E_K; the blocks E_K(N‖2), …, E_K(N‖(m+1)) are XORed into M_1, …, M_m to give C_1, …, C_m (ENC); GHASH_L is applied to A and C_1, …, C_m and XORed with E_K(N‖1) to give the tag T (MAC)
• McGrew and Viega (2004)
• EtM design
• Widely used (TLS!)
• Patent-free
• Parallelizable
• Evaluates E only (no E^{-1})
• Provably secure (if E is PRP)
• Very efficient in HW
• Reasonably efficient in SW
What happens if nonce is re-used?
12 / 57
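The slide's closing question, answered as an added example that is not from the original slides. It models GCM with AES replaced by an HMAC-SHA256 stand-in (an assumption, so it runs offline); the counter layout N‖1, N‖2, …, the GF(2^128) arithmetic and the tag T = E_K(N‖1) ⊕ GHASH_L(A, C) follow the specification (NIST SP 800-38D), which is all the attack relies on. Keys, nonce, associated data and messages are constructed. With a nonce used twice, C_1 ⊕ C_2 = M_1 ⊕ M_2 because the keystream cancels, and two single-block ciphertexts with equal associated data give T_1 ⊕ T_2 = (C_1 ⊕ C_2)·L², from which the hash key L is recovered and tags for attacker-chosen ciphertexts under that nonce are forged. The general case with longer messages (Joux's "forbidden attack") needs polynomial root finding in GF(2^128) and is not shown.

```python
# Added example (not from the original slides): GCM's structure under nonce
# reuse.  AES is replaced by an HMAC-SHA256 stand-in (assumption, so this runs
# offline); counters N||1, N||2, ..., GF(2^128) and GHASH follow SP 800-38D.
import hashlib
import hmac
import secrets

R = 0xE1000000000000000000000000000000   # x^128 + x^7 + x^2 + x + 1, GCM bit order
ONE = 1 << 127                            # the field element 1 in GCM bit order

def gf_mul(x: int, y: int) -> int:
    """GF(2^128) multiplication (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)      # x^(2^128 - 2) = x^-1 for x != 0

def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)            # (x^(2^127))^2 = x^(2^128) = x

def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")

def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): Horner form over padded A blocks, C blocks, length block."""
    y = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            y = gf_mul(y ^ b2i(data[i:i + 16].ljust(16, b"\0")), h)
    return gf_mul(y ^ (((len(aad) * 8) << 64) | (len(ct) * 8)), h)

def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128_K (assumption): keyed PRF with 16-byte output."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

def gcm_encrypt(key: bytes, nonce: bytes, aad: bytes, msg: bytes):
    """96-bit nonce: keystream E_K(N||2), E_K(N||3), ...; tag mask E_K(N||1)."""
    assert len(nonce) == 12
    h = b2i(block_fn(key, bytes(16)))                  # L = E_K(0^128)
    ct = bytearray()
    for i in range(0, len(msg), 16):
        ks = block_fn(key, nonce + (i // 16 + 2).to_bytes(4, "big"))
        ct += bytes(a ^ b for a, b in zip(msg[i:i + 16], ks))
    mask = b2i(block_fn(key, nonce + (1).to_bytes(4, "big")))
    return bytes(ct), i2b(mask ^ ghash(h, aad, bytes(ct)))

def gcm_decrypt(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    """Message if the tag verifies, else None (nothing about M is released)."""
    h = b2i(block_fn(key, bytes(16)))
    mask = b2i(block_fn(key, nonce + (1).to_bytes(4, "big")))
    if not hmac.compare_digest(i2b(mask ^ ghash(h, aad, ct)), tag):
        return None
    return gcm_encrypt(key, nonce, aad, ct)[0]         # CTR decrypts by re-encrypting

def recover_hash_key(c1: bytes, t1: bytes, c2: bytes, t2: bytes) -> int:
    """Two 16-byte ciphertexts, same nonce and AAD: E_K(N||1), the AAD terms and
    the length term cancel, leaving T1 ^ T2 = (C1 ^ C2) * L^2.  Needs C1 != C2."""
    d, e = b2i(t1) ^ b2i(t2), b2i(c1) ^ b2i(c2)
    return gf_sqrt(gf_mul(d, gf_inv(e)))

def forge(h: int, aad: bytes, c_known: bytes, t_known: bytes, c_new: bytes) -> bytes:
    """Tag for any C' under the reused nonce: the mask T ^ GHASH_L(A, C) is constant."""
    mask = b2i(t_known) ^ ghash(h, aad, c_known)
    return i2b(mask ^ ghash(h, aad, c_new))

def demo() -> dict:
    key, nonce, aad = secrets.token_bytes(16), secrets.token_bytes(12), b"v1"
    m1, m2 = b"amount=00100 EUR", b"amount=00250 EUR"   # constructed, one block each
    c1, t1 = gcm_encrypt(key, nonce, aad, m1)
    c2, t2 = gcm_encrypt(key, nonce, aad, m2)            # same nonce: the mistake
    xor_leak = bytes(a ^ b for a, b in zip(c1, c2))      # = M1 ^ M2, keystream cancels
    h = recover_hash_key(c1, t1, c2, t2)
    m_new = b"amount=99999 EUR"                          # attacker-chosen plaintext
    c_new = bytes(a ^ b ^ d for a, b, d in zip(m_new, c1, m1))  # keystream = C1 ^ M1
    t_new = forge(h, aad, c1, t1, c_new)
    return {
        "xor_leak_equals_m1_xor_m2": xor_leak == bytes(a ^ b for a, b in zip(m1, m2)),
        "hash_key_recovered": h == b2i(block_fn(key, bytes(16))),
        "forged_plaintext": gcm_decrypt(key, nonce, aad, c_new, t_new),
    }
```

Calling demo() shows both failures at once: the XOR of the two ciphertexts equals the XOR of the two messages, and the recovered L plus the reused mask E_K(N‖1) let the attacker produce a valid tag for a ciphertext that decrypts to a plaintext of their choosing. recover_hash_key needs C_1 ≠ C_2 (otherwise there is nothing to invert) and equal associated data; with unequal-length messages the difference of tags involves several powers of L and the single square root no longer suffices. None of this depends on the block cipher, which is why the stand-in does not weaken the demonstration.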
GCM-SIV
KEY: KeyGen with E_k derives the pair (K, L); GHASH_L is applied to A and M_1, …, M_m, combined with N and encrypted with E_K to give the tag T (MAC); the counter blocks T+0, T+1, …, T+(m−1) are encrypted under E_K and XORed into M_1, …, M_m to give C_1, …, C_m (ENC)
• Gueron and Lindell (2015)
• MtE design
• Ongoing standardization (IETF RFC)
• Patent-free
• Inherits GCM features
• Secure against nonce-reuse
• Proof: Iwata and Seurin (2017)
13 / 57

Outline (current section: Link With Tweakable Blockciphers)
14 / 57

Tweakable Blockciphers
  blockcipher: (k, m) → E → c
  tweakable blockcipher: (k, t, m) → Ẽ → c
• Tweak: flexibility to the cipher
• Each tweak gives different permutation
15 / 57

Tweakable Blockcipher Security
  distinguisher D talks either to the tweakable blockcipher Ẽ_k or to a random tweakable permutation π̃
• Ẽ_k should look like random permutation for every t
• Different tweaks → pseudo-independent permutations
• D tries to determine which oracle it communicates with
$$\mathrm{Adv}^{\mathrm{stprp}}_{\tilde E}(D) = \Pr\big[D^{\tilde E_k,\tilde E_k^{-1}} = 1\big] - \Pr\big[D^{\tilde\pi,\tilde\pi^{-1}} = 1\big]$$
16 / 57

Tweakable Blockcipher Designs in CAESAR
  Dedicated: (k, t, m) → Ẽ → c
  Blockcipher-Based: Ẽ built from a blockcipher E
  Permutation-Based: Ẽ built from a permutation P
• Dedicated: KIASU, Joltik, SCREAM, Deoxys
• Blockcipher-Based: CBA, COBRA, iFeed, Marble, OMD, POET, SHELL, AEZ, COPA/ELmD, OCB, OTR
• Permutation-Based: Prøst, Minalpher
(the slide marks each candidate as a first round, second round or third round candidate)
17 / 57

Example: Use in OCB (1/2)
  A_1, …, A_a are each processed by Ẽ_k^{N,t} and XORed together; M_1, …, M_d are each processed by Ẽ_k^{N,t} to give C_1, …, C_d; the checksum ⊕_i M_i is processed by Ẽ_k^{N,t} and XORed with the A-part to give T
• Generalized OCB by Rogaway et al.
• Internally based on tweakable blockcipher Ẽ
• Tweak (N, tweak) is unique for every evaluation
• Different blocks always transformed under different tweak
• Triangle inequality:
$$\mathrm{Adv}^{\mathrm{ae}}_{\mathrm{AE}[\tilde E_k]}(\sigma) \le \mathrm{Adv}^{\mathrm{ae}}_{\mathrm{AE}[\tilde\pi]}(\sigma) + \mathrm{Adv}^{\mathrm{stprp}}_{\tilde E}(\sigma)$$