A Modular Framework for Building Variable-Input- Length Tweakable - - PowerPoint PPT Presentation

a modular framework for building variable input length
SMART_READER_LITE
LIVE PREVIEW

A Modular Framework for Building Variable-Input- Length Tweakable - - PowerPoint PPT Presentation

Oct 19, 2023 631 likes •1.24k views

A Modular Framework for Building Variable-Input- Length Tweakable Ciphers Thomas Shrimpton and Seth Terashima Portland State University Motivation: Full Disk Encryption File System Virtual Disk (Exposes plaintexts) FDE Physical Disk

slide-1
SLIDE 1

A Modular Framework for Building Variable-Input- Length Tweakable Ciphers

Thomas Shrimpton and Seth Terashima Portland State University

slide-2
SLIDE 2

Motivation: Full Disk Encryption

File System Virtual Disk (Exposes plaintexts) FDE Physical Disk (Stores ciphertexts)

slide-3
SLIDE 3

Motivation: Full Disk Encryption

  • Disks encrypted sector-by-sector

– Plaintexts are sectors – No “file” abstraction File System Virtual Disk (Exposes plaintexts) FDE Physical Disk (Stores ciphertexts)

slide-4
SLIDE 4

Motivation: Full Disk Encryption

  • Disks encrypted sector-by-sector

– Plaintexts are sectors – No “file” abstraction

  • Accessing a plaintext shouldn't

result in accessing multiple HW sectors

File System Virtual Disk (Exposes plaintexts) FDE Physical Disk (Stores ciphertexts)

slide-5
SLIDE 5

Motivation: Full Disk Encryption

  • Disks encrypted sector-by-sector

– Plaintexts are sectors – No “file” abstraction

  • Accessing a plaintext shouldn't

result in accessing multiple HW sectors

File System Virtual Disk (Exposes plaintexts) FDE

  • No room for IV bits
  • No room for MAC bits

Therefore plaintext length = ciphertext length

Physical Disk (Stores ciphertexts)

slide-6
SLIDE 6

C1 C2 Cn File System Sector 1 Sector 2 Sector n Virtual disk Physical disk FDE layer

slide-7
SLIDE 7

C1 C2 Cn File System Sector 1 Sector 2 Sector n Problem: This looks uncomfortably like ECB (albeit with 4kB blocks)... Virtual disk Physical disk FDE layer

slide-8
SLIDE 8

C1 C2 Cn File System Sector 1 Sector 2 Sector n Problem: This looks uncomfortably like ECB (albeit with 4kB blocks)... 1 2 n Solution (?): Use Sector IDs as IVs. Virtual disk Physical disk FDE layer

slide-9
SLIDE 9

Nonce-based encryption isn't enough.

  • What if an attacker images the disk at two

different times?

slide-10
SLIDE 10

Nonce-based encryption isn't enough.

  • What if an attacker images the disk at two

different times? should look like a random permutation Should only leak equality of plaintexts

slide-11
SLIDE 11

Nonce-based encryption isn't enough.

  • What if an attacker images the disk at two

different times?

  • What if an attacker tampers with a ciphertext?

should look like a random permutation Should only leak equality of plaintexts

slide-12
SLIDE 12

Nonce-based encryption isn't enough.

  • What if an attacker images the disk at two

different times?

  • What if an attacker tampers with a ciphertext?

should look like a random permutation Should only leak equality of plaintexts should look like a random permutation Entire plaintext sector should be corrupted

slide-13
SLIDE 13

C1 C2 Cn File System Sector 1 Sector 2 Sector n 1 2 n Virtual disk Physical disk FDE layer

slide-14
SLIDE 14

C1 C2 Cn File System Sector 1 Sector 2 Sector n Virtual disk Physical disk FDE layer

slide-15
SLIDE 15

Tweakable (block)ciphers

  • A good tweakable blockcipher “looks like” a family of

independent, random permutations

slide-16
SLIDE 16

Tweakable (block)ciphers

  • A good tweakable blockcipher “looks like” a family of

independent, random permutations

slide-17
SLIDE 17

Tweakable (block)ciphers

  • A good tweakable blockcipher “looks like” a family of

independent, random permutations

Tweak

slide-18
SLIDE 18

Family of independent, random permutations

Tweakable (block)ciphers

  • A good tweakable blockcipher “looks like” a family of

independent, random permutations

Tweak

slide-19
SLIDE 19

Family of independent, random permutations

Tweakable (block)ciphers

  • A good tweakable blockcipher “looks like” a family of

independent, random permutations

  • FDE demands a “wideblock” STPRP (512 or 4096 byte blocks)

Tweak

slide-20
SLIDE 20

VIL Tweakable Ciphers

  • VIL = Variable input length

– Still preserves length of input – Random permutation for each length and tweak

slide-21
SLIDE 21

VIL Tweakable Ciphers

  • VIL = Variable input length

– Still preserves length of input – Random permutation for each length and tweak

  • Existing constructions

– CMC, EME*, PEP, TET, HEH, HCTR, … – Security reduction to underlying n-bit blockcipher – Birthday-bound security (wrt n) – Either:

2 blockcipher calls or 1 blockcipher call, 1 GF multiply per n bits of input

slide-22
SLIDE 22

PIV: A new approach to VIL TCs AEAD from VIL TCs Results

slide-23
SLIDE 23

PIV: A new approach to VIL TCs AEAD from VIL TCs Results

slide-24
SLIDE 24

PIV: A new approach to VIL TCs

  • TCT2: First to break the birthday bound

AEAD from VIL TCs Results

slide-25
SLIDE 25

PIV: A new approach to VIL TCs

  • TCT2: First to break the birthday bound
  • TCT1: First to require a single blockcipher call (and no finite

field multiplications) for each n bits of input

AEAD from VIL TCs Results

slide-26
SLIDE 26

PIV: A new approach to VIL TCs

  • TCT2: First to break the birthday bound
  • TCT1: First to require a single blockcipher call (and no finite

field multiplications) for each n bits of input

  • Simple, easily verified security proof

AEAD from VIL TCs Results

slide-27
SLIDE 27

Protected IV Mode

slide-28
SLIDE 28

Protected IV Mode

N-bit TBC

slide-29
SLIDE 29

Protected IV Mode

N-bit TBC VIL Tweakable Cipher

slide-30
SLIDE 30

Protected IV Mode

N-bit TBC VIL Tweakable Cipher Only needs to be secure against adversaries that never repeat tweaks.

slide-31
SLIDE 31
slide-32
SLIDE 32

Doesn't repeat a tweak Doesn't repeat a tweak

slide-33
SLIDE 33

Doesn't repeat a tweak Doesn't repeat a tweak Does a “protected” IV repeat? Does YL look random?

slide-34
SLIDE 34
slide-35
SLIDE 35

If we start with an n-bit blockcipher, we beat the b'day bound if N > n.

slide-36
SLIDE 36

If we start with an n-bit blockcipher, we beat the b'day bound if N > n. Okay if is slow as long as N ≪ m and is efficient

slide-37
SLIDE 37

If we start with an n-bit blockcipher, we beat the b'day bound if N > n. Standard 4KB disc sector, to scale (N = 256 bits) Okay if is slow as long as N ≪ m and is efficient

slide-38
SLIDE 38

TCT2: Constructing

  • Optimized for sector-sized messages (arbitrary length

messages require incrementing the protected IV)

  • Setting = CLRW2 [LST '12] gives beyond b'day security

– Makes two blockcipher calls per invocation

slide-39
SLIDE 39
  • Build an N = 2n-bit TBC out
  • f an n-bit TBC [CDMS '10]

TCT2: Constructing

slide-40
SLIDE 40
  • Build an N = 2n-bit TBC out
  • f an n-bit TBC [CDMS '10]
  • Implement the n-bit TBC

using CLRW2 [LST '12]

  • ver, e.g., AES

TCT2: Constructing

slide-41
SLIDE 41
  • Build an N = 2n-bit TBC out
  • f an n-bit TBC [CDMS '10]
  • Implement the n-bit TBC

using CLRW2 [LST '12]

  • ver, e.g., AES
  • Use NH [BHKKR '99] to

extend the tweak length

TCT2: Constructing

slide-42
SLIDE 42
  • Build an N = 2n-bit TBC out
  • f an n-bit TBC [CDMS '10]
  • Implement the n-bit TBC

using CLRW2 [LST '12]

  • ver, e.g., AES
  • Use NH [BHKKR '99] to

extend the tweak length

  • Secure to O(22n/3) queries

TCT2: Constructing

slide-43
SLIDE 43
  • Build an N = 2n-bit TBC out
  • f an n-bit TBC [CDMS '10]
  • Implement the n-bit TBC

using CLRW2 [LST '12]

  • ver, e.g., AES
  • Use NH [BHKKR '99] to

extend the tweak length

  • Secure to O(22n/3) queries
  • The two F calls make a total:

– 28 multiplies in GFn – 12 n-bit blockcipher calls

TCT2: Constructing

slide-44
SLIDE 44
  • Build an N = 2n-bit TBC out of

an n-bit TBC [CDMS '10]

  • Implement the n-bit TBC using

CLRW2 [LST '12] over, e.g., AES

  • Use NH [BHKKR '99] to

extend the tweak length

  • Secure to O(22n/3) queries
  • The two F calls make a total:

– 28 multiplies in GFn – 12 n-bit blockcipher calls

  • Potentially expensive for short

inputs, fine for long ones

TCT2: Constructing

slide-45
SLIDE 45

Comparison with other modes

Mode BC Calls GF Multiplies Ring Ops Queries Reference EME* 2s + 3

  • 2n/2

Halevi '04; Halevi, Rogaway '03 HEH s + 1 s + 2

  • 2n/2

Sarkar '07, '09 TCT1 s + 1 5 16s 2n/2 TCT2 2s + 8 32 32s 22n/3 Typical: s = 256 (4KB sectors, AES) Computational cost on sn-bit inputs Security Bound

slide-46
SLIDE 46

PIV: A new approach to VIL TCs AEAD from VIL TCs Results

slide-47
SLIDE 47

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

Unique sequence numbers can provide privacy

slide-48
SLIDE 48

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

Unique sequence numbers can provide privacy Security largely agnostic to the nature, location of uniqueness

slide-49
SLIDE 49

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

0x000000 Simple padding can ensure authenticity (language of padded strings is “sparse”).

slide-50
SLIDE 50

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

Encoder

Encoded Payload Encoded Header Encoded Header

  • cf. “Encode then Encrypt” [Bellare and Rogaway '00]
slide-51
SLIDE 51

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

Encoder

Encoded Payload Encoded Header Encoded Header Decryption checks membership in this language to ensure authenticity

  • cf. “Encode then Encrypt” [Bellare and Rogaway '00]
slide-52
SLIDE 52

, then we get b bits of authenticity. If and for all n,

  • Payload may be mapped into during an explicit encoding

step (e.g., pad with 0x00..00)

slide-53
SLIDE 53

, then we get b bits of authenticity. If and for all n,

  • Payload may be mapped into during an explicit encoding

step (e.g., pad with 0x00..00)

  • Payload may already be in some “sparse” language (e.g., a

protocol with human-readable fields, checksums)

– No ciphertext stretch!

slide-54
SLIDE 54

, then we get b bits of authenticity. If and for all n,

  • Payload may be mapped into during an explicit encoding

step (e.g., pad with 0x00..00)

  • Payload may already be in some “sparse” language (e.g., a

protocol with human-readable fields, checksums)

– No ciphertext stretch!

  • Remains secure even with multiple error messages

– Errors can depend on encoded payload

slide-55
SLIDE 55

, then we get b bits of authenticity. If and for all n,

  • Payload may be mapped into during an explicit encoding

step (e.g., pad with 0x00..00)

  • Payload may already be in some “sparse” language (e.g., a

protocol with human-readable fields, checksums)

– No ciphertext stretch!

  • Remains secure even with multiple error messages

– Errors can depend on encoded payload

  • Nonce-misuse resistance
slide-56
SLIDE 56

, then we get b bits of authenticity. If and for all n,

  • Payload may be mapped into during an explicit encoding

step (e.g., pad with 0x00..00)

  • Payload may already be in some “sparse” language (e.g., a

protocol with human-readable fields, checksums)

– No ciphertext stretch!

  • Remains secure even with multiple error messages

– Errors can depend on encoded payload

  • Nonce-misuse resistance
  • NM-CPA/IND-CCA not enough [AnBellare01]
slide-57
SLIDE 57

VIL Tweakable Cipher

Ciphertext Payload Header

  • Seq. No.

Checksum

  • Checksum, sequence no.

produced/verified in existing protocol

  • Encode-Encipher allows

length-preserving AEAD

  • Checksum becomes a MAC
  • “Bad Checksum” error won't

leak info about original payload

  • Possible use-case: low-

power wireless networks

slide-58
SLIDE 58

Wrapping up

  • PIV: New VIL TC

– Can beat b'day bound

at little cost

  • AEAD from a VIL TC

– Privacy & authenticity

from broad classes of encodings

– Possibility of zero

ciphertext stretch

– Robust against

multiple error messages

slide-59
SLIDE 59

Questions?