Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption Philipp Jovanovic SPEED-B October 20, 2016 ACKs (published at Eurocrypt’16) https://eprint.iacr.org/2015/999 2 Outline Tweakable Blockciphers & Authenticated Encryption Masked Even-Mansour Applications to Authenticated Encryption Implementation & Evaluation Conclusion 3 Tweakable Blockciphers & Authenticated Encryption Ee T • Tweak T : - Public parameter - Adds flexibility to the cipher • Different tweak ) different permutation Tweakable Blockciphers (TBC) K M E C 4 • Different tweak ) different permutation Tweakable Blockciphers (TBC) K M Ee C T • Tweak T : - Public parameter - Adds flexibility to the cipher 4 Tweakable Blockciphers (TBC) K M Ee C T • Tweak T : - Public parameter - Adds flexibility to the cipher • Different tweak ) different permutation 4 • Output: Ciphertext C, authentication tag T • Protects: - Confidentiality and integrity/authenticity of M - Integrity/authenticity of N and H Nonce N randomizes the scheme (similar to a tweak) Authenticated Encryption (AEAD) K H; M AE C; T N • Input: Key K, nonce N, associated data H, message M 5 • Protects: - Confidentiality and integrity/authenticity of M - Integrity/authenticity of N and H Nonce N randomizes the scheme (similar to a tweak) Authenticated Encryption (AEAD) K H; M AE C; T N • Input: Key K, nonce N, associated data H, message M • Output: Ciphertext C, authentication tag T 5 Nonce N randomizes the scheme (similar to a tweak) Authenticated Encryption (AEAD) K H; M AE C; T N • Input: Key K, nonce N, associated data H, message M • Output: Ciphertext C, authentication tag T • Protects: - Confidentiality and integrity/authenticity of M - Integrity/authenticity of N and H 5 Authenticated Encryption (AEAD) K H; M AE C; T N • Input: Key K, nonce N, associated data H, message M • Output: Ciphertext C, authentication tag T • Protects: - Confidentiality and integrity/authenticity of M - Integrity/authenticity of N and H Nonce N randomizes the scheme (similar to a tweak) 5 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 6 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 6 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 6 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 6 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 6 What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) 6 What is the simplest way to build a tweakable blockcipher? TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) 6 TBC History 1998: Hasty Pudding Cipher [Sch98] (AES submission, “first tweakable cipher”, tweak: spice) 2001: Mercy [Cro01] (disk encryption) 2002: Formalization of Tweakable Blockciphers [LRW02] 2004: XE / XEX [Rog04] (OCB) 2007: Threefish [FLS+07] (in SHA-3 submission Skein) 2014: TWEAKEY [JNP14] (in CAESAR submissions Deoxys, Joltik, and KIASU) What is the simplest way to build a tweakable blockcipher? 6 Permutation-Based (keyed) tweak-based mask M P C typically 128 bits typically 256 – 1600 bits Masking-Based TBC Blockcipher-Based (keyed) tweak-based mask M EK C 7 typically 128 bits typically 256 – 1600 bits Masking-Based TBC Blockcipher-Based Permutation-Based (keyed) tweak-based mask (keyed) tweak-based mask M EK C M P C 7 Masking-Based TBC Blockcipher-Based Permutation-Based (keyed) tweak-based mask (keyed) tweak-based mask M EK C M P C typically 128 bits typically 256 – 1600 bits 7 - Unique for every evaluation - Different tweaks for different blocks - Change should be efficient • Tweak (N; t): TBC and AEAD Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm N;t N;t N;t N;t N;t N;t H1 H2 ::: Hh M⊕ M1 M2 ::: N;tMm EeK EeK EeK EeK EeK EeK EeK C1 C2 Cm T • OCBx: generalized OCB [RBBK01] [Rog04] [KR11] • Based on tweakable blockcipher Ee 8 - Change should be efficient TBC and AEAD Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm N;t N;t N;t N;t N;t N;t H1 H2 ::: Hh M⊕ M1 M2 ::: N;tMm EeK EeK EeK EeK EeK EeK EeK C1 C2 Cm T • OCBx: generalized OCB [RBBK01] [Rog04] [KR11] • Based on tweakable blockcipher Ee • Tweak (N; t): - Unique for every evaluation - Different tweaks for different blocks 8 TBC and AEAD Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm N;t N;t N;t N;t N;t N;t H1 H2 ::: Hh M⊕ M1 M2 ::: N;tMm EeK EeK EeK EeK EeK EeK EeK C1 C2 Cm T • OCBx: generalized OCB [RBBK01] [Rog04] [KR11] • Based on tweakable blockcipher Ee • Tweak (N; t): - Unique for every evaluation - Different tweaks for different blocks - Change should be efficient 8 TEM [STA+14] 2α3β7γ · (K k N ⊕ P(K k N)) M P C • Used in OCB2 and various CAESAR candidates • Permutation-based variants: Minalpher and Prøst Powering-Up Masking XEX [Rog04] α β γ 2 3 7 · EK (N) M EK C • Tweak (simplified): (α; β; γ; N) 9 TEM [STA+14] 2α3β7γ · (K k N ⊕ P(K k N)) M P C • Permutation-based variants: Minalpher and Prøst Powering-Up Masking XEX [Rog04] α β γ 2 3 7 · EK (N) M EK C • Tweak (simplified): (α; β; γ; N) • Used in OCB2 and various CAESAR candidates 9 Powering-Up Masking XEX TEM [Rog04] [STA+14] α β γ α β γ 2 3 7 · EK (N) 2 3 7 · (K k N ⊕ P(K k N)) M EK C M P C • Tweak (simplified): (α; β; γ; N) • Used in OCB2 and various CAESAR candidates • Permutation-based variants: Minalpher and Prøst 9 • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm 10 • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm 10 • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm 10 • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm 10 • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm 10 • Variable time computation • Expensive on certain platforms Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else 10 Powering-Up Masking in OCB2 Authentication Encryption L H1 H2 Hh Mi M1 M2 Mm m m 21 · 32L 22 · 32L 2h · 32L 2 · 3L 21L 22L 2 L EK EK ::: EK EK EK EK ::: EK 21L 22L 2mL L = EK (N) T C1 C2 Cm • Update of mask: shift and conditional XOR ( L 1 if msb(L) = 0 21L = (L 1) ⊕ 012010413 else • Variable time computation • Expensive on certain platforms 10 • Tower of fields: i w - z 2 F2w [z]=g for z 2 f0; 1g ..