Analysis of One-Pass Block Cipher Based Authenticated Encryption Schemes

By BinBin Di
Bachelor of Electronic Engineering (Jilin Engineering Normal University)

Thesis submitted in accordance with the regulations for the Degree of Master of Information Technology (Research)

School of Electrical Engineering and Computer Science
Science and Engineering Faculty
Queensland University of Technology
2015

Keywords

Authenticated encryption, block cipher, symmetric cipher, one-pass scheme, cryptanalysis, MACs, ICV, EPBC, IOBC, M-PCBC, AES-JAMBU, forgery attacks, birthday paradox, brute force attacks, collision attacks, chosen-plaintext attacks.

Abstract

Authenticated Encryption (AE) is a symmetric-key scheme providing both confidentiality and integrity assurance to sensitive information transmitted through a network between two parties. This assures the protected message cannot be read or changed without detection by unauthorized parties. The most common way to achieve AE is using block cipher modes to provide confidentiality and a Message Authentication Code (MAC) or an Integrity Check Vector (ICV) to provide integrity assurance. There are two common approaches to provide AE: processing the data once with one algorithm that provides both confidentiality and integrity or processing the data twice with two algorithms, one for confidentiality and another for integrity. We focus on the former approach in this research.

In this research project we first analyse and evaluate the integrity assurance of three AE schemes based on block ciphers. These schemes are Efficient Error-Propagating Block Chaining (EPBC), Input and Output Block Chaining (IOBC) and New Memory-Plaintext Ciphertext Block Chaining (M-PCBC). These schemes are all cross chaining block cipher modes that use an ICV appended to the message to provide integrity assurance.

Secondly, we briefly look at one of the submissions to the recent Security, Applicability, and Robustness (CAESAR) competition, namely AES-JAMBU. This cipher also uses block chaining but uses a MAC rather than an ICV approach to provide integrity assurance.

Our investigations include verifying the validity of existing and new attacks, and implementing attacks to verify claimed probabilities of successful forgeries. We have extended a chosen plaintext forgery attack on IOBC that was proposed by Mitchell by applying it also to EPBC and M-PCBC. We determined the complexity and success probability for this attack in each of the three cases. In addition, we propose an alternative approach to run this generic attack. This approach has similar complexities and success probability on EPBC and IOBC, and relatively lower success probability on M-PCBC.

Previous analysis of EPBC claimed that a weakness of this algorithm allows its integrity to be breached by known-plaintext attack; however, we show that this attack on EPBC is no more effective than a brute force attack on the ICV. The alternative attacks we proposed on IOBC and M-PCBC can break their integrity protection with similar success probabilities as claimed in their corresponding previous analysis. Therefore, these two schemes fail to guarantee the assurance of integrity services to messages.

The block chaining feature of AES-JAMBU is similar to EPBC, IOBC and M-PCBC. Because of this, we apply similar attacks performed on the other three schemes to AES-JAMBU to examine its integrity assurance. The generic attack discussed above can also work on AES-JAMBU, but the calculation complexity is prohibitive. None of the other attacks can be better than guessing the tag. Therefore, from our observation, AES-JAMBU is secure in practice. However, more security analysis of AE proposals needs to be conducted prior to their adoption in a cryptographic standard.

Contents

Keywords
Abstract
Contents
List of Figures
List of Tables
Notation overview
Declaration
Acknowledgements

1. Introduction
  1.1 Aims and objectives
  1.2 Contributions and achievements
  1.3 Outline of thesis
2. Authenticated encryption
  2.1 Block ciphers
    2.1.1 Feistel ciphers
    2.1.2 Substitution-permutation network (SPN) ciphers
    2.1.3 Modes of operation
  2.2 Integrity assurance
    2.2.1 Integrity assurance mechanisms
    2.2.2 Cryptanalysis of integrity assurance mechanisms
  2.3 Authenticated encryption using block ciphers
    2.3.1 Generic-composition
    2.3.2 Two-pass combined schemes
    2.3.3 One-pass combined schemes
  2.4 Description of AE schemes to be analysed
    2.4.1 Input and output block chaining (IOBC)
    2.4.2 Efficient error-propagating block chaining (EPBC)
    2.4.3 New memory-plaintext ciphertext block chaining (M-PCBC)
  2.5 Summary
3. Investigations into forgery attacks on block ciphers using ICVs
  3.1 Generic weakness
    3.1.1 Attack approach
    3.1.2 Probability that inner vectors match
    3.1.3 The success rate of the attacks
    3.1.4 Summary
  3.2 Analysis of EPBC
    3.2.1 Review of Mitchell’s analysis
    3.2.2 Other attacks
    3.2.3 Summary
  3.3 Analysis of IOBC
    3.3.1 Previous analysis
