AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated - PowerPoint PPT Presentation

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz Phillip Rogaway Georgetown University, USA UC Davis, USA Sacramento State, USA University of Maryland, USA ETH Zürich, Switzerland www.cs.ucdavis.edu/~rogaway/aez DIAC 2014 UC Santa Barbara Aug 23, 2014 1/45 1/26

AE Thesis Giving definitions that guarantee more. Giving schemes that achieve them. By strengthening symmetric encryption, we can provide a simpler-to-use primitive for users, and thereby minimize misuse . (Also: by focusing on the new target, we can maximize efficiency .) 2/26

Symmetric Encryption Robust AE Strength Misuse-Resistant AE (MRAE) Online AE Nonce-based AEAD Nonce-based AE Probabilistic AE IND-CCA2 prob encryption IND-CPA prob encryption 3/26

[Rogaway, Shrimpton 2006] Robust AE Isn’t MRAE already MRAE very strong? Online AE (OAE) Nonce-based AEAD Yes. Still, there are important ways in which MRAE falls short of maximizing strength/ease of correct use, in both • the service it provides ( syntax ) • what it guarantees ( security ) 4/26

[Rogaway, Shrimpton 2006] MRAE N, A, M E ( ,, ) ( ,, ) $ K C C A M ^ ( ,, ) D ( ,, ) ^ K N, A, C A may not ask queries that would trivially result in a win - Repeat an ( N , A , M ) enc query - Ask a dec query ( N, A, C ) after C is returned by an ( N , A ,  ) enc query 5/26

[Rogaway, Shrimpton 2006] MRAE N, A, M E ( ,, ) ( ,, ) $ K C C A M ^ ( ,, ) D ( ,, ) ^ K N, A, C Effectively assumes |C| = |M|+ 128 Some reasonably large constant t . Big enough that, with the “real” scheme, forgeries almost never occur. 6/26

There are settings where we don’t want to grow plaintexts ~16 bytes Constrained devices: sensor networks, ad hoc networks, “internet of things”: short tags save energy. Shaving off 8 octets may justify making symmetric-key crypto 10× more expensive [sl.12] Crypto cost should not ignore cost of data expansion. Authentication tags may be “evil” (authenticity is not ) [sl.29] Struik also speaks of the importance of supporting very short plaintexts and enabling exploitation of already-present redundancy . 7/26

[Bellare, Rogaway 2000] At some level, we know how to fix this: Encrypt by Enciphering 8/26

[Bellare, Rogaway 2000] Enciphering-Based AE [Shrimpton, Terashima 2013] |K| , | N|, |A|, |M|, t M arbitrary K t N E A C 9/26

Robust AE : User chooses K , N , A , M , and t   Scheme is expected to deliver best-security-possible for t arbitrary arbitrary random t -expanding injection N, A, M E K ( ,, ) p (  ,  ,  ) C C A M M p -1 (  ,  ,  ) D K ( ,, ) or S (  ,  ,  ) N, A, C Pseudorandom injection Inclusion of the simulator lets one [R, Shrimpton 2006] formalize that release of unverified but now understood prescriptively , plaintext is not damaging for all t — not just an alternative (cf: [ABLMMY14]) characterization of an MRAE scheme 10/26

Enciphering-based AE with a strong-PRP Automatic exploitation of novelty in messages (randomness or sequence nos.) Robust AE OK to leak Automatic exploitation of unverified plaintexts redundancy in messages (wrt side-information captured by D ) 11/26

Robust AE Generalizes strong-PRP and MRAE definitions MRAE Enciphering 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ABYTES ( 8 t) 12/26

What to use for the enciphering scheme? Arbitrary-length plaintext M  B YTE * M Arbitrary-length T E K tweak T  B YTE * C Same-length ciphertext 13/26

Length-Dependent Dispatch  N , AD  M 0··· 0 32+ bytes 1-31 bytes Encipher Encipher FF0 EME4 C EME4 FF0 FFX-like (Feistel) Builds on EME [Halevi, Rogaway] [NIST SP 800-38G] and OTR [Minematsu 2014] AES4-Based AES4 & AES based. 14/26

Designing FF0 and EME4 Accelerated Provable-Security Paradigm In general In our case [Liskov, Rivest, Wagner 2002] A tweakable blockcipher (TBC) Assume some primitive (tweak space {0,1,2,3}  ℕ ) Design assuming the primitive The TBC is good as a tweakable PRP meets some standard assumption Instantiate with “standard” Realize the TBC with AES / XE. Not what we submitted primitive: the scaled-up design Selectively instantiate with a mix of standard and reduced-round Use AES + AES4 primitives: the scaled-down design 15/26

EME4 ’ ’ ’ M 0 M 0 M 1 M 1 M m M m X ¢ 0, 1 1, 1 1, m * 0, 0 0, 0 -1, 1 X 1 X m S S ... 2, 1 2, m S Y 1 Y m * -1, 2 0, 0 0, 0 0, 2 1, 1 1, m Y ¢ ’ ’ ’ C 0 C 0 C 1 C 1 C m C m Message with an even number of blocks, no fragment at the end 16/26

EME4 ’ ’ ’ M 0 M 0 M 1 M 1 M m M m M * X ¢ 0, 1 1, 1 1, m X * 0, 0 0, 0 0, 3 -1, 1 X 1 X m S S ... S -1, 3 2, 1 2, m S Y 1 Y m Y * -1, 2 0, 0 0, 0 0, 3 0, 2 1, 1 1, m Y ¢ ’ ’ ’ C 0 C 0 C 1 C 1 C m C m C * Message with an odd number of blocks, the last possibly a fragment 17/26

AHash A 0 A 1 A 2 A 3 3, 0 3, 1 3, 2 3, 3 ¢ A 0 A 1 A 2 A 3 10* 3, 0 3, 1 3, 2 1, 0 ¢ 18/26

FF0 L R ¢  0 D is a universal-hash of A 0, 5 ¢  1 is our TBC 0, 5 0, 5 ¢  2 is truncation or X 0* padding 0, 5 ¢  3 (depending on orientation) 0, 5 ¢  4 0, 5 ¢  5  16-31 bytes 0, 5 ¢  6 0, 5 ¢  7 0, 5 1-15 bytes: more rounds (up to 24) and correct the “even permutation” issue * * L R 19/26

’ ’ ’ M 0 M 0 M 1 M 1 M m M m M * X ¢ 0, 1 1, 1 1, m X * 0, 0 0, 0 0, 3 -1, 1 X 1 X m S S ... S -1, 3 2, 1 2, m S Y 1 Y m Y * -1, 2 0, 0 0, 0 0, 3 0, 2 1, 1 1, m Y ¢ ’ ’ ’ C 0 C 0 C 1 C 1 C m C m C * M M L R A 0 A 1 A 2 A 3 * ** ¢  0 0, 5 ¢  1 3, 0 3, 1 3, 2 3, 3 X * X ** 0, 5 ¢  2 0, 3 0, 4 0, 5 ¢ ¢  3 0, 5 ¢  4 S S A 0 A 1 A 2 A 3 10* -1, 3 -1, 4 0, 5 ¢  5 0, 5 3, 0 3, 1 3, 2 1, 0 ¢  6 Y ** Y * 0, 5 0, 3 0, 4 ¢  7 0, 5 ¢ -1, 5 ¢ AMac * * C C L R ** * 20/26

Security property The user chooses the ciphertext-expansion t   and the scheme delivers best-possible-security for t .  Robust AE (Robust AE > MRAE > > Online-AE)  Automatic novelty & redundancy exploitation  Unverified-plaintext-release OK Basic approach Enciphering-based AE  FF0 and EME4  Accelerated provable security (AES+AES4; AES key schedule)  Additional features Blockcipher calls: 1 AES enc; 4 AES for AD and fast-reject   Inverse-free  Parameter-free (well, ABYTES) Highly symmetric: encipher  decipher   Good key-agility  Arbitrary-length keys (extract 256 bits; then expand) & nonces Small context size (  144 bytes for speed-optimized)   AEZ Extensions (coming soon) 21/26

AEZ Efficiency in “AES equivalents” (10 AES rounds) Message of m  2 blocks computation  latency  Encipher/Decipher m + 2.4 3.6 Encrypt/Decrypt m + 3.8 3.6 0.4 m + 3 3.2 Reject invalid ciphertext 0.4 m 0.4 Process AD Setup 128-bit key 2.4 0.8 Experimental implementation: 0.75 cpb (4Kb, Haswell) 0.69 cpb (marginal cost, Haswell) (cf. the CTR, OCB: 0.64 cpb ) 22/26

AEZ Extensions A wrapper to realize additional functionality K N post-processing pre-process A C* AEZ C M Encrypt ABYTES EXTNS 23/26

AEZ-Encrypt is Already an Extension of its underlying enciphering scheme K post-processing K pre-process N C* AEZ T C A Encipher M M ABYTES “Basic AE” 24/26

Functionality Deliverable via AEZ Extensions 1. Secret Message Numbers By encoding the SMN into the plaintext By padding (eg, to 2 n blocks) 2. Plaintext length-obfuscation 3. Salting passwords By encoding the salt in with the key 4. Slow PW-processing By iterating a permutation 5. Convenient ciphertext alphabet By, eg, base64url [RFC 4648] encoding 6. Vector-valued plaintexts and AD By argument-encoding Arbitrary-length keys could have been delivered by an AEZ Extension, but were put into AEZ itself. 25/26

AEZ Conclusions Getting the strongest security & versatility guarantee is not expensive • Cost (Robust AE)  Cost (AES-CTR)  Properly done, deterministic encryption can be good : • Eliminates need for coins and state   Shortens ciphertexts  Main security concern – equality leakage – is often irrelevant Frustrates one line of mass-surveillance [Bellare, Paterson, Rogaway 14]  26/26

27/26

[Bellare, Boldyreva, Knudsen, Namprempre 2001] [Boldyreva, Taesombut 2004], [Rogaway, Zhang 2011] [Fleischmann, Forler, Lucks, Wenzel 2012] Online AE • Requires a parameter — OAE[ n ] — to be meaningful. • With fixed n : makes an implementation characteristic a security goal. • Does not approximate best-possible security for an online scheme. • Far weaker than MRAE — no exploitation of novelty or redundancy • Notion will not be understandable by users. Attacks likely. • Name: Online-MR max-online MR Paper on this in the coming months. 28/26

29/26

30/26

31/26