SLIDE 1

A New Look at Counters: Don’t Run Like Marathon in a Hundred Meter Race

Directions in Authenticated Ciphers ’16, Nagoya

Avijit Dutta, Ashwin Jha and Mridul Nandi September 27, 2016

Indian Statistical Institute Kolkata

SLIDE 2

Counters in Cryptography

Classical View: ⟨0⟩s, ⟨1⟩s, ⟨2⟩s, ⟨3⟩s, . . . , ⟨2^s − 1⟩s where ⟨i⟩s is the s-bit binary representation of i for some fixed s.

  • Prevents collisions on the inputs to the underlying primitive.
  • Standalone input: CTR mode, HAIFA, GCM, SIV.
  • Encoded within message blocks: HAIFA, XORMAC, LightMAC.


SLIDE 5

Counter-Based Input Encoding

[Figure: the ℓ-bit message M is encoded by CTR as X := (X1, X2, . . . , Xb) with X1 := ⟨1⟩s∥M1, X2 := ⟨2⟩s∥M2, . . . , Xb := ⟨b⟩s∥Mb; each n-bit block Xi is processed by f1, and the n-bit outputs are combined by f2 into the tag t.]

Security Needs
  • Blockwise Collision-free: ∀ i ≠ j, Xi ≠ Xj.
  • Injective: ∀ M ≠ M′, X ≠ X′.

Rate signifies Efficiency: rateSTD = (n − s)/n, where s = log2 L, L being the maximum permissible message length.

Example: For n = 128 and s = 64, the rate is 0.5 for any message length. Can we have a better rate for smaller messages?

SLIDE 7

STDopt: Length Dependent Counter Scheme

  • Computes the optimal counter size (≈ log2 ℓ) for the given message length ℓ: rateSTDopt = (n − log2 ℓ)/n.
  • For ℓ < L, rateSTDopt > rateSTD.

Comparison: For n = 128 bits and ℓ = 2^10 bits, the rate is 0.92.

Catch: What if we don’t know the length? Can we have a close approximation of STDopt in this case?

SLIDE 8

A Race over Unknown Distance

[Figure: a race over an unknown distance, with 200 m, 400 m and 10000 m markers.]

SLIDE 19

A Candidate Length Independent Counter

0, 1, 00, 01, 10, 11, 000, . . .

  • Length Independent.
  • rate > rateSTDopt.
  • But, is this blockwise collision-free?

✗ Trivial Collision: For n = 8 and M := 0abcdefghijklmabcdef we have X1 = 00abcdef, X2 = 1ghijklm, and X3 = 00abcdef. Clearly, X1 = X3.

SLIDE 22

VAR: Message Length Independent Counter

  • Add a small fixed length (r) counter that gets updated with the change in counter size:
    000, 001, 0100, . . . , 0111, 10000, . . . , 10111, 110000, . . .
  • Length Independent.
  • Blockwise Collision-free and Injective.
  • r ≈ log2 log2 L, for L < 2^c(n), n/2 ≤ c(n) < n.
    rateVAR ≈ (n − r + 2 − log2 ℓ)/n

Comparison: For n = 128 bits, L = 2^64 bits, and ℓ = 2^10 bits, the rate is 0.89.

SLIDE 24

Counter Function Family (CFF)

Definition: CTR is a family of counter functions {ctrℓ : ℓ ≤ L} where ∀ ℓ ≤ L, ctrℓ : N → {0, 1}^{<n}.

  • Length Independent: For the STD counter function family, stdℓ(i) = ⟨i⟩s, ∀ ℓ, i.
  • Length Dependent: For the STDopt counter function family, optℓ(i) = ⟨i⟩log2 ℓ, ∀ ℓ, i.
  • For a given ℓ, if ∀ i ≠ j, |ctrℓ(i)| = |ctrℓ(j)|, we say that CTR is a fixed length CFF; variable length CFF otherwise.

What can we say about the security relevant properties?

SLIDE 28

Prefix-free and Injective CFFs

Prefix-free: CTR is prefix-free if ∀ ℓ ≤ L, ∀ i ≠ j ∈ {1, . . . , b(ℓ)}, ctrℓ(i) is not a prefix of ctrℓ(j).

CFF as an Encoding Function: For any ℓ-length message M, CTR(M) = (X1, . . . , Xb(ℓ)), where each Xi = ctrℓ(i)∥Mi and b(ℓ) is the least integer b that satisfies
    ℓ + 1 ≤ Σ_{i=1}^{b} (n − |ctrℓ(i)|) ≤ ℓ + n.

Lemma: Prefix-free ⇔ Blockwise Collision-free. CTR is a blockwise collision-free encoding if and only if CTR is a prefix-free CFF.

What about the injective property?
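To make the candidate counter's trivial collision (slide 19), the VAR sequence (slide 22) and the prefix-free lemma above concrete, here is an added Python example that is not from the talk or its authors: it implements the STD, naive and VAR counter sequences as written on the slides, encodes a constructed bit-string message as Xi = ctr(i)∥Mi, and checks blockwise collision-freeness and prefix-freeness. The 10* padding that fills the last block, the tag width r = 2 and the bit values standing in for a, . . . , m are assumptions.

```python
# Added example (not from the talk): counter function families as block encodings.
def std_ctr(s):
    """STD: fixed-length counter <i>_s."""
    return lambda i: format(i, f"0{s}b")

def _split_index(i):
    """Locate i in the sequence 0,1,00,01,10,11,000,...: (bit length k, offset)."""
    k, base = 1, 1                # length-k strings occupy indices base..base+2^k-1
    while i - base >= 2 ** k:
        base += 2 ** k
        k += 1
    return k, i - base

def naive_ctr(i):
    """Candidate length-independent counter: 0, 1, 00, 01, 10, 11, 000, ..."""
    k, off = _split_index(i)
    return format(off, f"0{k}b")

def var_ctr(r):
    """VAR: r-bit tag holding k-1, then the k-bit counter: 000, 001, 0100, ..., 10000, ..."""
    def ctr(i):
        k, off = _split_index(i)
        assert k <= 2 ** r, "counter length exceeds what the r-bit tag can record"
        return format(k - 1, f"0{r}b") + format(off, f"0{k}b")
    return ctr

def encode(ctr, msg, n):
    """CTR(M) = (X_1, ..., X_b) with X_i = ctr(i) || M_i and |X_i| = n bits."""
    bits, blocks, i = msg + "1", [], 1   # assumed 10* padding: a 1, then zeros to fill
    while bits:
        c = ctr(i)
        take = n - len(c)
        chunk, bits = bits[:take], bits[take:]
        blocks.append(c + chunk.ljust(take, "0"))
        i += 1
    return blocks

def blockwise_collision_free(blocks):
    """Security need: all X_i distinct, so the primitive never sees a repeated input."""
    return len(set(blocks)) == len(blocks)

def prefix_free(ctr, b):
    """Lemma on the slides: blockwise collision-free iff no ctr(i) is a prefix of another ctr(j)."""
    cs = [ctr(i) for i in range(1, b + 1)]
    return not any(cs[j].startswith(cs[i]) for i in range(b) for j in range(b) if i != j)

# Constructed instance of the slide's trivial collision: n = 8, M = 0abcdef ghijklm abcdef (bits assumed)
M = "0" + "101100" + "0111010" + "101100"
NAIVE = encode(naive_ctr, M, 8)   # X1 = 00101100 = X3: the naive counter collides
VAR = encode(var_ctr(2), M, 8)    # VAR with r = 2 keeps every block distinct
```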

SLIDE 31

Prefix-free and Injective CFFs

Injective: CTR is injective if ∀ M ≠ M′, CTR(M) ≠ CTR(M′) (as sets, i.e. CTR(M) = {Xi : 1 ≤ i ≤ b(ℓ)}).

Lemma: Prefix-free++ ⇒ Injective. Let CTR be a prefix-free CFF. It is injective if it satisfies the following condition: ∀ ℓ, ℓ′, b(ℓ) = b(ℓ′) ⇒ ctrℓ = ctrℓ′.

STD, STDopt, and VAR are prefix-free and injective CFFs.

SLIDE 32

Summary of Candidate CFFs

                      STD          STDopt            VAR
  Length Dependent    ✗            ✓                 ✗
  Length Independent  ✓            ✗                 ✓
  Fixed Length        ✓            ✓                 ✗
  Variable Length     ✗            ✗                 ✓
  Rate                (n − s)/n    (n − log2 ℓ)/n    (n − r + 2 − log2 ℓ)/n
  Prefix-free         ✓            ✓                 ✓
  Injective           ✓            ✓                 ✓

SLIDE 33

Counter-Based Constructions

[Figure: the counter-based constructions CtHAIFA (chaining values h0, h1, . . . , hb computed from iv over X1, X2, . . . with ⟨|M|⟩n appended), CtH (blocks X1, . . . , Xb through f1, combined by f2 into H), CtMAC2 (tag T from f2 on H(M) and an input s) and CtMAC1 (tag T from f2 on H(M)).]

SLIDE 34

Performance Comparison: CtMAC1

[Figure: cycles per byte versus message length (log base 2, 6 to 20; y-axis 1 to 2.5) for CtMAC1-VAR4,8, CtMAC1-STDopt,8, CtMAC1-STD64, CtMAC1-STD32, CtMAC1-STD16 and CtMAC1-STD8.]

SLIDE 35

Performance Comparison: CtMAC2

[Figure: cycles per byte versus message length (log base 2, 6 to 20; y-axis 1 to 2.5) for CtMAC2st-VAR4,8, CtMAC2st-STDopt,8, CtMAC2st-STD64, CtMAC2st-STD32, CtMAC2st-STD16 and CtMAC2st-STD8.]

SLIDE 36

Performance Comparison: CtHAIFA

[Figure: cycles per byte versus message length (log base 2, 6 to 20; y-axis 10 to 20) for CtHAIFA-VAR4,8, CtHAIFA-STDopt,8, CtHAIFA-STD64, CtHAIFA-STD32, CtHAIFA-STD16 and CtHAIFA-STD8.]

SLIDE 37

Summary of Security Results: CtHAIFA and CtH

Theorem: Second Preimage Security of CtHAIFA. CtHAIFA has full second preimage security. More specifically, for any second preimage adversary A that makes at most q queries, we have
    Adv^2PI_CtHAIFA(q) ≤ 3q / 2^n.

Theorem: AXU Security of CtH. CtHΠ,CTR is 1/(2^n − b)-AXU where b = b(L) (the number of blocks for the largest message).

SLIDE 38

Summary of Security Results: CtMAC1 and CtMAC2

Theorem: PRF Security of CtMAC1. Let CtMac1 := CtMac1EK1,EK2 be defined based on two independently chosen keyed blockciphers. Then,
    Adv^prf_CtMac1(t, q, ℓ) ≤ 1.5q^2 / 2^n + Adv^prp_E(t′, ℓq).

Theorem: MAC Security of CtMAC2. Let CtMac2EK1,EK2(s, M) be defined on two independently chosen keyed block ciphers. Then,
  1. Adv^forge_CtMac2st(t, qm, qv, ℓ) ≤ 0.5q^2 / 2^n + Adv^prp_E(t′, ℓ(qm + qv)) + qv / 2^n
  2. Adv^forge_CtMac2$(t, qm, qv, ℓ) ≤ q^2 / 2^n + Adv^prp_E(t′, ℓ(qm + qv)) + qv / 2^n

SLIDE 39

Conclusion

  • Two efficient alternatives for the standard counter scheme.
  • A general notion for counters and counter based encoding.
  • Counter property based security results for some schemes.
  • Software performance comparison between the three counter schemes.

SLIDE 40

Thank you.
