AEZ v2: Authenticated Encryption by Enciphering (PowerPoint presentation)

SLIDE 1

AEZ v2: Authenticated Encryption by Enciphering

Viet Tung Hoang, Ted Krovetz, Phillip Rogaway
Affiliations: UC Davis, USA; ETH Zürich, Switzerland; Sacramento State, USA; Georgetown University, USA; University of Maryland, USA

DIAC 2014, UC Santa Barbara, Aug 23, 2014. www.cs.ucdavis.edu/~rogaway/aez

  • 1. Why we created AEZ
  • 2. Enciphering-based AE
  • 3. Robust-AE
  • 4. Accelerated provable-security
  • 5. Components FF0 and EME4
  • 6. AEZ Extensions
SLIDE 2

AE Thesis

By strengthening symmetric encryption, we can provide a simpler-to-use primitive for users, and thereby minimize misuse. (Also: by focusing on the new target, we can maximize efficiency.)

  • Giving definitions that guarantee more.
  • Giving schemes that achieve them.

SLIDE 3

Symmetric Encryption

Figure: notions of symmetric encryption arranged along a "strength" axis: IND-CCA2 probabilistic encryption, IND-CPA probabilistic encryption, probabilistic AE, nonce-based AE, nonce-based AEAD, misuse-resistant AE (MRAE), online AE, robust AE.

SLIDE 4

Isn't MRAE already very strong?

Yes. Still, there are important ways in which MRAE falls short of maximizing strength/ease of correct use, in both

  • the service it provides (syntax)
  • what it guarantees (security)

Figure: nonce-based AEAD, MRAE, online AE (OAE), robust AE. [Rogaway, Shrimpton 2006]

SLIDE 5

MRAE [Rogaway, Shrimpton 2006]

Figure: the MRAE game. Adversary A queries an encryption oracle E_K(·,·,·) with (N, A, M) and receives C, and a decryption oracle D_K(·,·,·) with (N, A, C) and receives M or ⊥; in the ideal world the encryption oracle returns random bits ($) and the decryption oracle always returns ⊥.

A may not ask queries that would trivially result in a win:

  • Repeat an (N, A, M) enc query
  • Ask a dec query (N, A, C) after C is returned by an (N, A, ·) enc query

SLIDE 6

Figure: the MRAE game [Rogaway, Shrimpton 2006] again, with oracles E_K(·,·,·), D_K(·,·,·) and the ideal random-bits oracle $.

Effectively assumes |C| = |M| + 128: some reasonably large constant t, big enough that, with the "real" scheme, forgeries almost never occur.

SLIDE 7

There are settings where we don't want to grow plaintexts ~16 bytes

  • Constrained devices: sensor networks, ad hoc networks, "internet of things". Short tags save energy. Shaving off 8 octets may justify making symmetric-key crypto 10× more expensive [sl.12].
  • Crypto cost should not ignore cost of data expansion. Authentication tags may be "evil" (authenticity is not) [sl.29].

Struik also speaks of the importance of supporting very short plaintexts and enabling exploitation of already-present redundancy.

SLIDE 8

At some level, we know how to fix this: Encrypt by Enciphering [Bellare, Rogaway 2000]

SLIDE 9

Enciphering-Based AE

Figure: an enciphering-based AE scheme E takes key K, nonce N, associated data A, message M and expansion t, and outputs ciphertext C. |K|, |N|, |A|, |M|, t arbitrary.

[Bellare, Rogaway 2000] [Shrimpton, Terashima 2013]

SLIDE 10

Robust AE: the user chooses K, N, A, M, and t (all arbitrary); the scheme is expected to deliver best-security-possible for t.

Figure: the pseudorandom-injection game [R, Shrimpton 2006]. In the real world, adversary A queries E_K(·,·,·) on (N, A, M) to get C, and D_K(·,·,·) on (N, A, C) to get M. In the ideal world these are replaced by a random t-expanding injection π(·,·,·), its inverse π^{-1}(·,·,·), and, for ciphertexts outside the range of π, a simulator S(·,·,·).

Pseudorandom injection, but now understood prescriptively, for all t, not just as an alternative characterization of an MRAE scheme.

Inclusion of the simulator lets one formalize that release of unverified plaintext is not damaging (cf. [ABLMMY14]).

SLIDE 11

Figure: enciphering-based AE with a strong-PRP yields Robust AE, which gives

  • Automatic exploitation of redundancy in messages
  • Automatic exploitation of novelty in messages (randomness or sequence nos.)
  • OK to leak unverified plaintexts (wrt side-information captured by D)

SLIDE 12

Robust AE generalizes the strong-PRP and MRAE definitions.

Figure: an ABYTES axis from 0 to 16 bytes (t = 8·ABYTES bits). Enciphering is the ABYTES = 0 endpoint, MRAE is the ABYTES = 16 endpoint, and Robust AE spans the whole range.

SLIDE 13

What to use for the enciphering scheme?

Figure: a tweakable enciphering scheme E_K^T maps an arbitrary-length plaintext M ∈ BYTE* to a same-length ciphertext C under an arbitrary-length tweak T ∈ BYTE*.

SLIDE 14

Length-Dependent Dispatch

Figure: the message M, extended with zero bytes 0···0, is enciphered under the tweak ⟨N, AD⟩ to give C. Inputs of 1-31 bytes are enciphered with FF0, inputs of 32+ bytes with EME4.

FF0: FFX-like (Feistel) [NIST SP 800-38G]; AES4-based.

EME4: builds on EME [Halevi, Rogaway] and OTR [Minematsu 2014]; AES4 & AES based.

SLIDE 15

Designing FF0 and EME4: the Accelerated Provable-Security Paradigm

  • In general: assume some primitive. In our case: a tweakable blockcipher (TBC) with tweak space {0,1,2,3} × ℕ [Liskov, Rivest, Wagner 2002].
  • In general: design assuming the primitive meets some standard assumption. In our case: the TBC is good as a tweakable PRP.
  • In general: instantiate with a "standard" primitive (the scaled-up design). In our case: realize the TBC with AES / XE. Not what we submitted.
  • In general: selectively instantiate with a mix of standard and reduced-round primitives (the scaled-down design). In our case: use AES + AES4.

SLIDE 16

EME4

Figure: EME4 on a message with an even number of blocks, no fragment at the end. Input blocks M0, M1, ..., Mm pass through intermediate values X1, ..., Xm, S and Y1, ..., Ym to output blocks C0, C1, ..., Cm; the pairs such as (0,0), (1,1), (2,m) in the figure are TBC tweaks.

SLIDE 17

EME4

Figure: EME4 on a message with an odd number of blocks, the last possibly a fragment. As on the previous slide, blocks M0, M1, ..., Mm map through X1, ..., Xm, S and Y1, ..., Ym to C0, C1, ..., Cm, here with the extra fragment values X*, Y* and tweaks such as (0,3) and (1,3) for the final partial block.

SLIDE 18

AHash

Figure: AHash processes the associated-data blocks A0, A1, A2, A3, ... with TBC tweaks (3,0), (3,1), (3,2), (3,3) and (1,0), applying 10* padding to the final block.

SLIDE 19

FF0

Figure: a Feistel network over halves L and R. D is a universal-hash of A; each round function is our TBC with tweak (0,5), with the round index (0 through 7) mixed in; the X in the figure is truncation or 0* padding (depending on orientation).

  • 16-31 bytes: the network as shown.
  • 1-15 bytes: more rounds (up to 24), and correct the "even permutation" issue.

SLIDE 20

Figure: the complete AEZ enciphering picture, combining the EME4 data path (blocks M0, ..., Mm and C0, ..., Cm, the X and Y values, fragment values X*, Y*, X**, Y**, and S computed via an AMac), the FF0 Feistel path on halves L and R with round indices 0 through 7, and the AHash of A0, A1, A2, A3 with 10* padding; pairs such as (0,0), (1,1), (2,m), (3,0) are TBC tweaks.

SLIDE 21

Security property: the user chooses the ciphertext-expansion t and the scheme delivers best-possible security for t.

  • Robust AE (Robust AE > MRAE >> Online-AE)
  • Automatic novelty & redundancy exploitation
  • Unverified-plaintext-release OK

Basic approach

  • Enciphering-based AE
  • FF0 and EME4
  • Accelerated provable security (AES+AES4; AES key schedule)

Additional features

  • Blockcipher calls: 1 AES enc; 4 AES for AD and fast-reject
  • Inverse-free
  • Parameter-free (well, ABYTES)
  • Highly symmetric: encipher and decipher
  • Good key-agility
  • Arbitrary-length keys (extract 256 bits; then expand) & nonces
  • Small context size (about 144 bytes for speed-optimized)
  • AEZ Extensions (coming soon)
SLIDE 22

AEZ Efficiency

Experimental implementation: 0.75 cpb (4Kb, Haswell); 0.69 cpb (marginal cost, Haswell). (cf. CTR, OCB: 0.64 cpb)

Costs for a message of m ≥ 2 blocks, in "AES equivalents" (10 AES rounds):

  • Encipher/Decipher: computation m + 2.4, latency 3.6
  • Encrypt/Decrypt: computation m + 3.8, latency 3.6
  • Reject invalid ciphertext: computation 0.4 m + 3, latency 3.2
  • Process AD: computation 0.4 m, latency 0.4
  • Setup 128-bit key: computation 2.4, latency 0.8

SLIDE 23

AEZ Extensions

A wrapper to realize additional functionality.

Figure: inputs K, N, A, M, ABYTES and EXTNS go through a pre-process step, then AEZ Encrypt (producing C), then post-processing, yielding C*.

SLIDE 24

AEZ-Encrypt is Already an Extension of its underlying enciphering scheme

Figure: "Basic AE". Inputs K, N, A, M and ABYTES are pre-processed, AEZ Encipher is applied with key K, tweak T and message M to give C, and post-processing yields C*.

SLIDE 25

Functionality Deliverable via AEZ Extensions

  • 1. Secret Message Numbers: by encoding the SMN into the plaintext
  • 2. Plaintext length-obfuscation: by padding (eg, to 2^n blocks)
  • 3. Salting passwords: by encoding the salt in with the key
  • 4. Slow PW-processing: by iterating a permutation
  • 5. Convenient ciphertext alphabet: by, eg, base64url [RFC 4648] encoding
  • 6. Vector-valued plaintexts and AD: by argument-encoding

Arbitrary-length keys could have been delivered by an AEZ Extension, but were put into AEZ itself.
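The following is an added example and not code from the AEZ talk or the AEZ implementation. It illustrates two things the slides describe: the encode-then-encipher construction behind enciphering-based AE (slides 8-14: extend M with ABYTES zero bytes, encipher the whole string under a tweak derived from N and A, and on decryption reject unless the zeros come back), and the extension wrapper of slides 23-25 (pre-processing by 10* padding to a power-of-two length for length obfuscation, post-processing with base64url). The wide-block cipher here is a toy 4-round Feistel network with an HMAC-SHA256 round function standing in for AEZ's FF0/EME4, and it does not do AEZ's length-dependent dispatch; the tweak encoding, the choice to append the zero bytes, the function names, and the sample key, nonce, AD and message are all my assumptions. With ABYTES = 0 the scheme degenerates to pure enciphering, so the only thing a receiver can check is whatever redundancy the plaintext already carries, which is the ABYTES axis of slide 12 made concrete.

```python
# Added illustration (not AEZ's code): encode-then-encipher robust AE over a toy
# tweakable wide-block cipher, plus an "extension" wrapper in the style of slides 23-25.
import base64
import hashlib
import hmac

ROUNDS = 4  # assumption: a 4-round Feistel (Luby-Rackoff shape); AEZ's FF0/EME4 differ


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, tweak: bytes, rnd: int, data: bytes, out_len: int) -> bytes:
    """Toy round function: HMAC-SHA256 in counter mode, separated by tweak and round index."""
    out = b""
    ctr = 0
    while len(out) < out_len:
        blk = tweak + bytes([rnd]) + ctr.to_bytes(4, "big") + data
        out += hmac.new(key, blk, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]


def encipher(key: bytes, tweak: bytes, x: bytes) -> bytes:
    """Length-preserving tweakable permutation on any input of at least 2 bytes."""
    if len(x) < 2:
        raise ValueError("toy Feistel needs two non-empty halves (AEZ's FF0 covers 1-15 bytes)")
    h = len(x) // 2
    left, right = x[:h], x[h:]  # unbalanced split is fine: each round output matches len(left)
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, tweak, rnd, right, len(left)))
    return left + right


def decipher(key: bytes, tweak: bytes, y: bytes) -> bytes:
    """Inverse of encipher: undo the rounds in reverse order."""
    if len(y) < 2:
        raise ValueError("ciphertext too short")
    h = len(y) // 2
    left, right = y[:h], y[h:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, tweak, rnd, left, len(right))), left
    return left + right


def _tweak(nonce: bytes, ad: bytes, abytes: int) -> bytes:
    """Unambiguous (length-prefixed) encoding of (ABYTES, N, A) as the tweak; assumption."""
    return (abytes.to_bytes(4, "big") + len(nonce).to_bytes(4, "big") + nonce
            + len(ad).to_bytes(4, "big") + ad)


def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes, abytes: int) -> bytes:
    """Encode-then-encipher: append ABYTES zero bytes, then encipher the whole string."""
    return encipher(key, _tweak(nonce, ad, abytes), msg + bytes(abytes))


def decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, abytes: int):
    """Decipher, then check the zero redundancy; None signals an invalid ciphertext."""
    if len(ct) < abytes or len(ct) < 2:
        return None
    x = decipher(key, _tweak(nonce, ad, abytes), ct)
    if abytes and x[-abytes:] != bytes(abytes):
        return None  # with ABYTES = 0 nothing can be checked: pure enciphering
    return x[: len(x) - abytes]


def ext_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes, abytes: int) -> str:
    """Extension wrapper (slide 25, items 2 and 5): 10* pad to a power-of-two length, then base64url."""
    target = 1
    while target < len(msg) + 1:  # leave room for the 0x80 delimiter of 10* padding
        target *= 2
    padded = msg + b"\x80" + bytes(target - len(msg) - 1)
    return base64.urlsafe_b64encode(encrypt(key, nonce, ad, padded, abytes)).decode("ascii")


def ext_decrypt(key: bytes, nonce: bytes, ad: bytes, text: str, abytes: int):
    """Undo the wrapper: base64url decode, AE-decrypt, strip the 10* padding."""
    try:
        ct = base64.urlsafe_b64decode(text.encode("ascii"))
    except ValueError:  # binascii.Error and UnicodeEncodeError are both ValueErrors
        return None
    padded = decrypt(key, nonce, ad, ct, abytes)
    if padded is None:
        return None
    body = padded.rstrip(b"\x00")
    if not body.endswith(b"\x80"):
        return None
    return body[:-1]


if __name__ == "__main__":
    key, nonce, ad = b"k" * 16, b"n" * 12, b"sensor-7"  # constructed sample values
    msg = b"TEMP:21.5C"
    for abytes in (16, 4, 0):
        ct = encrypt(key, nonce, ad, msg, abytes)
        bad = ct[:-1] + bytes([ct[-1] ^ 1])  # flip one ciphertext bit
        print(abytes, len(ct), decrypt(key, nonce, ad, ct, abytes), decrypt(key, nonce, ad, bad, abytes))
    print(ext_encrypt(key, nonce, ad, msg, 16))
```

Running the demo shows the trade-off the ABYTES axis describes: with 16 or 4 bytes of expansion the flipped ciphertext is rejected, while with ABYTES = 0 the ciphertext is the same length as the message and the flipped version deciphers to an unrelated 10-byte string that the receiver can only reject by noticing it no longer looks like a "TEMP:" reading. Because the toy cipher is a permutation, changing any ciphertext bit changes the whole plaintext, which is what "automatic exploitation of redundancy" relies on.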

SLIDE 26

AEZ Conclusions

  • Getting the strongest security & versatility guarantee is not expensive: Cost(Robust AE) ≈ Cost(AES-CTR)
  • Properly done, deterministic encryption can be good:
    • Eliminates need for coins and state
    • Shortens ciphertexts
    • Main security concern (equality leakage) is often irrelevant
    • Frustrates one line of mass-surveillance [Bellare, Paterson, Rogaway 14]
SLIDE 28

Online AE

[Bellare, Boldyreva, Knudsen, Namprempre 2001] [Boldyreva, Taesombut 2004] [Rogaway, Zhang 2011] [Fleischmann, Forler, Lucks, Wenzel 2012]

  • Requires a parameter, OAE[n], to be meaningful.
  • With fixed n: makes an implementation characteristic a security goal.
  • Does not approximate best-possible security for an online scheme.
  • Far weaker than MRAE: no exploitation of novelty or redundancy.
  • Notion will not be understandable by users. Attacks likely.
  • Name: Online-MR / max-online MR

Paper on this in the coming months.