An easy attack on AEZ Xavier Bonnetain Patrick Derbez Sbastien - PowerPoint PPT Presentation

An easy attack on AEZ Xavier Bonnetain Patrick Derbez Sébastien Duval Jérémy Jean Gaëtan Leurent Brice Minaud Valentin Suder FSE 2017 Rump Session BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 1 / 9

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

Cryptograpy for the Internet of Things attack! FSE 2017 Rump Session An easy attack on AEZ BRUTUS team ! attack! 2 / 9 authenticity issues! ▶ Lightweight cryptograpy is required for the IoT ▶ Here is a concrete example: ▶ Toilet in my hotel is remote controlled! ▶ Some models use Bluetooth! ▶ Important confidentiality and ▶ Man in the ▶ Denial of ▶ Targeted attacks: ▶ Welcome to the Internet of

AEZ Viet Tung Hoang, Ted Krovetz & Phillip Rogaway Robust Authenticated-Encryption AEZ and the Problem That It Solves EUROCRYPT 2015 BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 3 / 9 ▶ Very strong security goal: robust authenticated encryption ▶ Very complex design: huge state, many subcases ▶ Third round CAESAR candidate ▶ Tor is considering using AEZ

’ ’ M 1 M 1 M m M m M u M v M x M y X 1, 1 1, m ∆ 0, 1 X u X v 0, 0 0, 0 0, 4 0, 5 -1, 1 X 1 X m S S S S -1, 4 -1, 5 2, 1 2, m ... S Y 1 Y m Y u Y v -1, 2 0, 0 0, 0 0, 4 0, 5 1, 1 1, m 0, 2 ∆ Y ’ ’ C y C 1 C 1 C m C m C u C v C x L R ∆ ⊕ 0 T 1 T m -1 T m 0, 6 ∆ ⊕ 1 0, 6 i +2, m − 1 i +2, 1 i +2, m ∆ ⊕ 2 0, 6 ∆ ⊕ 3 ... ∆ i 0, 6 ∆ ⊕ 4 0, 6 ∆ ⊕ 5 0, 6 ∆ ⊕ 6 T 1 T m -1 T m 10* 0, 6 ∆ ⊕ 7 i +2, m − 1 i +2, 1 i +2, 0 0, 6 ... ∆ i * * L R

Previous results on AEZ [Asiacrypt 2015] [FSE 2017] BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 5 / 9 ▶ AEZv3: birthday attack recovers the key ▶ Patched in AEZv4 ▶ Using Blake2 for key derivation ▶ Bigger is better? ▶ AEZv4: birthday attack recovers the key

Previous results on AEZ [Asiacrypt 2015] [FSE 2017] BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 5 / 9 ▶ AEZv3: birthday attack recovers the key ▶ Patched in AEZv4 ▶ Using Blake2 for key derivation ▶ Bigger is better? ▶ AEZv4: birthday attack recovers the key

Previous results on AEZ [Asiacrypt 2015] [FSE 2017] BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 5 / 9 ▶ AEZv3: birthday attack recovers the key ▶ Patched in AEZv4 ▶ Using Blake2 for key derivation ▶ Bigger is better? ▶ AEZv4: birthday attack recovers the key

AEZ-MAC (PMAC variant) AEZv4 FSE 2017 Rump Session An easy attack on AEZ BRUTUS team A 3 A 2 A 1 E E E E A 3 A 2 AEZv3 E E E E 6 / 9 A 1 ▶ With empty message, AEZ turns into a MAC 𝛦 1 𝛦 2 𝛦 3 𝛦 1 𝛦 2 𝛦 3 𝛦 1 𝛦 2 𝛦 3

XEX construction E FSE 2017 Rump Session An easy attack on AEZ BRUTUS team (OCB2) (OCB1, OCB3) P C 7 / 9 ▶ E ( P ⊕ 𝛦 i ) ⊕ 𝛦 i is a tweakable block cipher If i ↦ 𝛦 i is an 𝜁 -AXU function ▶ Common constructions ( L = E k ( 0 ) ) 𝛦 i ▶ 𝛦 i = i ⋅ L ▶ 𝛦 i = 2 i ⋅ L ▶ AEZv3 (subkeys J , L ) 𝛦 i ▶ 𝛦 i = 8 ⋅ J ⊕ ( i mod 8 ) ⋅ J ⊕ 2 ⌊( i − 1 )/ 8 ⌋ ⋅ L ▶ AEZv4 (subkeys J , L ) ▶ 𝛦 i = L ⊕ 􏿵 2 3 +⌊( i − 1 )/ 8 ⌋ + ( i − 1 mod 8 )􏿸 ⋅ J

A closer look AEZv4 ofgsets BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 8 / 9 𝛦 i = L ⊕ 􏿵 2 3 +⌊( i − 1 )/ 8 ⌋ + ( i − 1 mod 8 )􏿸 ⋅ J ▶ Addition between GF ( 2 128 ) elements? ▶ 𝛦 i = L ⊕ 2 3 +⌊( i − 1 )/ 8 ⌋ ⋅ J ⊕ ( i − 1 mod 8 ) ⋅ J ▶ 2 x is actually 𝛽 x , with 𝛽 a generator ( 𝛽 128 = 𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ▶ ( i − 1 mod 8 ) is one of { 0 , 1 , 𝛽, 𝛽 ⊕ 1 , 𝛽 2 , 𝛽 2 ⊕ 1 , 𝛽 2 ⊕ 𝛽, 𝛽 2 ⊕ 𝛽 ⊕ 1 } ▶ Is it injective? ▶ No! ▶ 𝛦 40 = L ⊕ 𝛽 7 ⋅ J ⊕ (𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J ▶ 𝛦 1001 = L ⊕ 𝛽 128 ⋅ J = L ⊕ (𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J

A closer look AEZv4 ofgsets BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 8 / 9 𝛦 i = L ⊕ 􏿵 2 3 +⌊( i − 1 )/ 8 ⌋ + ( i − 1 mod 8 )􏿸 ⋅ J ▶ Addition between GF ( 2 128 ) elements? ▶ 𝛦 i = L ⊕ 2 3 +⌊( i − 1 )/ 8 ⌋ ⋅ J ⊕ ( i − 1 mod 8 ) ⋅ J ▶ 2 x is actually 𝛽 x , with 𝛽 a generator ( 𝛽 128 = 𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ▶ ( i − 1 mod 8 ) is one of { 0 , 1 , 𝛽, 𝛽 ⊕ 1 , 𝛽 2 , 𝛽 2 ⊕ 1 , 𝛽 2 ⊕ 𝛽, 𝛽 2 ⊕ 𝛽 ⊕ 1 } ▶ Is it injective? ▶ No! ▶ 𝛦 40 = L ⊕ 𝛽 7 ⋅ J ⊕ (𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J ▶ 𝛦 1001 = L ⊕ 𝛽 128 ⋅ J = L ⊕ (𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J

A closer look AEZv4 ofgsets BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 8 / 9 𝛦 i = L ⊕ 􏿵 2 3 +⌊( i − 1 )/ 8 ⌋ + ( i − 1 mod 8 )􏿸 ⋅ J ▶ Addition between GF ( 2 128 ) elements? ▶ 𝛦 i = L ⊕ 2 3 +⌊( i − 1 )/ 8 ⌋ ⋅ J ⊕ ( i − 1 mod 8 ) ⋅ J ▶ 2 x is actually 𝛽 x , with 𝛽 a generator ( 𝛽 128 = 𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ▶ ( i − 1 mod 8 ) is one of { 0 , 1 , 𝛽, 𝛽 ⊕ 1 , 𝛽 2 , 𝛽 2 ⊕ 1 , 𝛽 2 ⊕ 𝛽, 𝛽 2 ⊕ 𝛽 ⊕ 1 } ▶ Is it injective? ▶ No! ▶ 𝛦 40 = L ⊕ 𝛽 7 ⋅ J ⊕ (𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J ▶ 𝛦 1001 = L ⊕ 𝛽 128 ⋅ J = L ⊕ (𝛽 7 ⊕ 𝛽 2 ⊕ 𝛽 ⊕ 1 ) ⋅ J

Conclusion Forgery attack BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 9 / 9 ▶ Swap A 40 and A 1001 � same tag ▶ Swap P 79 , 80 and P 2001 , 2002 � C 79 , 80 and C 2001 , 2002 swapped ▶ Similar to OTR attack ▶ Easy to patch: AEZv5? ▶ Even provably secure ciphers can be broken! ▶ Don’t use AEZv4 to secure your toilet!