An easy attack on AEZ (Xavier Bonnetain, Patrick Derbez, Sébastien Duval et al.): PowerPoint PPT Presentation



SLIDE 1

An easy attack on AEZ

Xavier Bonnetain Patrick Derbez Sébastien Duval Jérémy Jean Gaëtan Leurent Brice Minaud Valentin Suder FSE 2017 Rump Session

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 1 / 9

SLIDE 2

Cryptography for the Internet of Things

▶ Lightweight cryptography is required for the IoT
▶ Here is a concrete example:
  ▶ Toilet in my hotel is remote controlled!
  ▶ Some models use Bluetooth!
▶ Important confidentiality and authenticity issues!
  ▶ Man in the [image] attack!
  ▶ Denial of [image] attack!
▶ Targeted attacks:
  ▶ Welcome to the Internet of [image]!

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 2 / 9


SLIDE 11

AEZ

Viet Tung Hoang, Ted Krovetz & Phillip Rogaway Robust Authenticated-Encryption AEZ and the Problem That It Solves EUROCRYPT 2015

▶ Very strong security goal: robust authenticated encryption
▶ Very complex design: huge state, many subcases
▶ Third round CAESAR candidate
▶ Tor is considering using AEZ

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 3 / 9

SLIDE 12

[Figure: AEZ encryption diagram with message blocks M, ciphertext blocks C, intermediate values X, Y, S and tweak offsets Δ; the block labels are image residue and are not reproduced]

SLIDE 13

Previous results on AEZ

▶ AEZv3: birthday attack recovers the key [Asiacrypt 2015]
  ▶ Patched in AEZv4
    ▶ Using Blake2 for key derivation
    ▶ Bigger is better?
▶ AEZv4: birthday attack recovers the key [FSE 2017]

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 5 / 9


SLIDE 16

AEZ-MAC (PMAC variant)

▶ With empty message, AEZ turns into a MAC

[Figure: AEZ-MAC as a PMAC variant, for AEZv3 and AEZv4: blocks A1, A2, A3 masked with offsets Δ1, Δ2, Δ3 and passed through E]

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 6 / 9

SLIDE 17

XEX construction

[Figure: XEX block: P ⊕ Δ_i → E → ⊕ Δ_i → C]

▶ E(P ⊕ Δ_i) ⊕ Δ_i is a tweakable block cipher if i ↦ Δ_i is an ε-AXU function
▶ Common constructions (L = E_K(0))
  ▶ Δ_i = i ⋅ L (OCB1, OCB3)
  ▶ Δ_i = 2^i ⋅ L (OCB2)
▶ AEZv3 (subkeys J, L)
  ▶ Δ_i = 8 ⋅ J ⊕ (i mod 8) ⋅ J ⊕ 2^⌊(i−1)/8⌋ ⋅ L
▶ AEZv4 (subkeys J, L)
  ▶ Δ_i = L ⊕ (2^(3+⌊(i−1)/8⌋) + (i − 1 mod 8)) ⋅ J

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 7 / 9

SLIDE 18

A closer look

AEZv4 offsets: Δ_i = L ⊕ (2^(3+⌊(i−1)/8⌋) + (i − 1 mod 8)) ⋅ J

▶ Addition between GF(2^128) elements?
  ▶ Δ_i = L ⊕ 2^(3+⌊(i−1)/8⌋) ⋅ J ⊕ (i − 1 mod 8) ⋅ J
▶ 2^x is actually β^x, with β a generator (β^128 = β^7 ⊕ β^2 ⊕ β ⊕ 1)
▶ (i − 1 mod 8) is one of {0, 1, β, β ⊕ 1, β^2, β^2 ⊕ 1, β^2 ⊕ β, β^2 ⊕ β ⊕ 1}
▶ Is it injective?
  ▶ No!
  ▶ Δ_40 = L ⊕ β^7 ⋅ J ⊕ (β^2 ⊕ β ⊕ 1) ⋅ J
  ▶ Δ_1001 = L ⊕ β^128 ⋅ J = L ⊕ (β^7 ⊕ β^2 ⊕ β ⊕ 1) ⋅ J

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 8 / 9
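The offset collision on this slide, carried through in code as an added example (not code from the talk, the BRUTUS team, or the AEZ reference implementation): it implements multiplication in GF(2^128) with the reduction the slide quotes (β^128 = β^7 ⊕ β^2 ⊕ β ⊕ 1, β = 2), evaluates the AEZv4 offset formula, and runs the tweak-injectivity check a designer would want, generalising from the single pair Δ_40 = Δ_1001 to every collision in a range. The subkeys J and L are constructed sample values and the function names are mine.

```python
# Added example: GF(2^128) arithmetic for the AEZv4 offset schedule on this
# slide. beta = x = 2 in GF(2)[x]/(x^128 + x^7 + x^2 + x + 1); the "+" in the
# formula is field addition (XOR); J and L are constructed sample subkeys.
MASK = (1 << 128) - 1
REDUCTION = (1 << 7) | (1 << 2) | (1 << 1) | 1  # beta^128 = beta^7+beta^2+beta+1

def gf_mul(a: int, b: int) -> int:
    """Carry-less product a*b reduced into GF(2^128)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # degree hit 128: replace x^128 by the reduction
            a = (a & MASK) ^ REDUCTION
    return r

def beta_pow(e: int) -> int:
    """beta^e by square-and-multiply (beta = 2)."""
    result, base = 1, 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def aezv4_offset(i: int, j_key: int, l_key: int) -> int:
    """Delta_i = L xor (beta^(3 + (i-1)//8) xor ((i-1) mod 8)) * J, as on the slide."""
    scalar = beta_pow(3 + (i - 1) // 8) ^ ((i - 1) % 8)
    return l_key ^ gf_mul(scalar, j_key)

def offset_collisions(j_key: int, l_key: int, max_i: int) -> list:
    """Injectivity check on the tweak schedule: (i, i') with i < i', Delta_i == Delta_i'."""
    first_seen, found = {}, []
    for i in range(1, max_i + 1):
        d = aezv4_offset(i, j_key, l_key)
        if d in first_seen:
            found.append((first_seen[d], i))
        else:
            first_seen[d] = i
    return found

# Constructed sample subkeys (not from the talk); any nonzero J collides the same way.
J = 0x0123456789ABCDEF0123456789ABCDEF
L = 0xFEDCBA9876543210FEDCBA9876543210

if __name__ == "__main__":
    print(offset_collisions(J, L, 1008))  # first pair is (40, 1001)
```

Extending the range to 1008 shows the whole block Δ_1001..Δ_1008 landing on Δ_40..Δ_33, since only β^128 reduces onto a low-degree value while β^3..β^127 stay distinct single bits.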


SLIDE 21

Conclusion

Forgery attack

▶ Swap A_40 and A_1001 ⇒ same tag
▶ Swap P_{79,80} and P_{2001,2002} ⇒ C_{79,80} and C_{2001,2002} swapped
▶ Similar to OTR attack
▶ Easy to patch: AEZv5?
▶ Even provably secure ciphers can be broken!
▶ Don’t use AEZv4 to secure your toilet!

BRUTUS team An easy attack on AEZ FSE 2017 Rump Session 9 / 9