bbb secure nonce based mac using public permutation
play

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and - PowerPoint PPT Presentation

Mar 15, 2024 •1.07k likes •1.74k views

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

  1. Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020

  2. Introduction Motivation Security Result Attack Security Proof Nonce Based MAC MAC Sign. Algorithm Ver. Algorithm ( N , M , T ) N Sign k Ver k ⊤ / ⊥ M

  3. Introduction Motivation Security Result Attack Security Proof Security Model ( N , M ) T = Sign k ( N , M ) q = the number of tagging queries

  4. Introduction Motivation Security Result Attack Security Proof Security Model ( N , M , T ) ( N , M ) T = Sign k ( N , M ) ⊤ / ⊥ q = the number v = the number of of tagging queries verification queries

  5. Introduction Motivation Security Result Attack Security Proof Security Model ( N , M , T ) ( N , M ) T = Sign k ( N , M ) ⊤ / ⊥ q = the number v = the number of of tagging queries verification queries (Nonce Respecting) : Nonce is unique in MAC query; it can repeat in verification query

  6. Introduction Motivation Security Result Attack Security Proof Security Model ( N , M , T ) ( N , M ) T = Sign k ( N , M ) ⊤ / ⊥ q = the number v = the number of of tagging queries verification queries Can Eve forge a valid tag for a message that Alice never saw ?

  7. Introduction Motivation Security Result Attack Security Proof Nonce Based MAC Build on Public Permutations MAC Sign. Algorithm Ver. Algorithm ( N , M , T ) N Sign P Ver P ⊤ / ⊥ k k M

  8. Introduction Motivation Security Result Attack Security Proof Security Model of Nonce Based MAC Build on Public Permutations ( P , P − 1 ) N M N M T T p Sign P Ver P k k q v ⊤ / ⊥ T

  9. Introduction Motivation Security Result Attack Security Proof MAC Based on (Tweakable) Block Cipher MAC Birthday Beyond Birthday BC TBC BC TBC • CBC • Tbc • WC • PMAC TBC3k • PMAC • PMAC+ • ZMAC • GCBC • EWCDM • DoveMAC • LightMAC • LightMAC+

  10. Introduction Motivation Security Result Attack Security Proof MAC Based on (Tweakable) Block Cipher MAC Birthday Beyond Birthday BC TBC BC TBC • CBC • Tbc • WC • PMAC TBC3k • PMAC • PMAC+ • ZMAC • GCBC • EWCDM • DoveMAC • LightMAC • LightMAC+ Other MAC includes Cryptographic Hash-based MACs (e.g., HMAC) Compression function based MAC (e.g., NMAC, NI, NI + )

  11. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives

  12. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion

  13. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion MAC constructions do not require invertibility of the primitives

  14. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion MAC constructions do not require invertibility of the primitives Can we design a MAC based on lower-level primitives like public permutations ?

  15. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion MAC constructions do not require invertibility of the primitives Can we design a MAC based on lower-level primitives like public permutations ? Apparently yes! (Sponge construction).

  16. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion MAC constructions do not require invertibility of the primitives Can we design a MAC based on lower-level primitives like public permutations ? Apparently yes! (Sponge construction). It gives security upto c / 2-bits, c is the capacity part of sponge

  17. Introduction Motivation Security Result Attack Security Proof MAC Based on Public Permutations Block cipher or Tweakable Block cipher are high-level primitives These are designed to be efficintly evaluated in reverse direcion MAC constructions do not require invertibility of the primitives Can we design a MAC based on lower-level primitives like public permutations ? Apparently yes! (Sponge construction). It gives security upto c / 2-bits, c is the capacity part of sponge Can we do better ?

  18. Introduction Motivation Security Result Attack Security Proof Outline for the Rest of the Talk Motivation of the construction Security Result Forging Attack A Glimpse of the idea of the security proof.

  19. Introduction Motivation Security Result Attack Security Proof PRF Build from Public Permutations: Sparking Interest SoEM21, SoEM1 – Chen et al., CRYPTO’19. M M M M k 1 ⊕ ⊕ k 2 ⊕ ⊕ k k P 1 P 2 P P k 1 ⊕ ⊕ ⊕ k 2 ⊕ ⊕ ⊕ k k C C

  20. Introduction Motivation Security Result Attack Security Proof PRF Build from Public Permutations: Sparking Interest SoEM21, SoEM1 – Chen et al., CRYPTO’19. M M M M k 1 ⊕ ⊕ k 2 ⊕ ⊕ k k P 1 P 2 P P k 1 ⊕ ⊕ ⊕ k 2 ⊕ ⊕ ⊕ k k C C Birthday Bound Security

  21. Introduction Motivation Security Result Attack Security Proof BBB PRF Build from Public Permutations SoEM22 – Chen et al., CRYPTO’19. M M k 1 ⊕ ⊕ k 2 P 1 P 2 k 1 ⊕ ⊕ ⊕ k 2 C

  22. Introduction Motivation Security Result Attack Security Proof BBB PRF Build from Public Permutations SoEM22 – Chen et al., CRYPTO’19. M M k 1 ⊕ ⊕ k 2 P 1 P 2 k 1 ⊕ ⊕ ⊕ k 2 C Can we use this design to build a MAC that process arbitrary length message from Public Permutation ?

  23. Introduction Motivation Security Result Attack Security Proof Nonce Based EHtM (Dutta et al. EUROCRYPT’19) Properties of nEHtM M Nonce based MAC H k h N 2 n / 3-bit security n − 1 0 1 n − 1 ⊕ Secure under faulty nonce model E k E k Gives birthday bound ⊕ security when the number of faulty nonce T reaches to 2 n / 2

  24. Introduction Motivation Security Result Attack Security Proof Nonce Based EHtM (Dutta et al. EUROCRYPT’19) Properties of nEHtM M Nonce based MAC H k h N 2 n / 3-bit security n − 1 0 1 n − 1 ⊕ Secure under faulty nonce model E k E k Gives birthday bound ⊕ security when the number of faulty nonce T reaches to 2 n / 2 Can we use this design to make a Permutation based MAC ?

  25. Introduction Motivation Security Result Attack Security Proof A Naive Approach 2-round Iterated Even Mansour (Chen et al., CRYPTO’14) M γ 0 ( k ) γ 1 ( k ) γ 2 ( k ) ≈ 2 n / 3 E k ⊕ ⊕ ⊕ M P P C C

  26. Introduction Motivation Security Result Attack Security Proof A Naive Approach 2-round Iterated Even Mansour (Chen et al., CRYPTO’14) M γ 0 ( k ) γ 1 ( k ) γ 2 ( k ) ≈ 2 n / 3 E k ⊕ ⊕ ⊕ M P P C C Instantiate E k of nEHtM with 2-round Iterated Even Mansour.

  27. Introduction Motivation Security Result Attack Security Proof A Naive Approach 2-round Iterated Even Mansour (Chen et al., CRYPTO’14) M γ 0 ( k ) γ 1 ( k ) γ 2 ( k ) ≈ 2 n / 3 E k ⊕ ⊕ ⊕ M P P C C Instantiate E k of nEHtM with 2-round Iterated Even Mansour. Drawback Gives BBB Security but requires 4 permutation Calls.

  28. Introduction Motivation Security Result Attack Security Proof A Naive Approach 2-round Iterated Even Mansour (Chen et al., CRYPTO’14) M γ 0 ( k ) γ 1 ( k ) γ 2 ( k ) ≈ 2 n / 3 E k ⊕ ⊕ ⊕ M P P C C Instantiate E k of nEHtM with 2-round Iterated Even Mansour. Drawback Gives BBB Security but requires 4 permutation Calls. Can we improve the number of permutation calls ?

  29. Introduction Motivation Security Result Attack Security Proof nEHtM p : Public Permutation Based BBB Secure Nonce Based MAC M H k h N n − 1 0 1 n − 1 ⊕ ⊕ k P P ⊕ T

  30. Introduction Motivation Security Result Attack Security Proof nEHtM p : Public Permutation Based BBB Secure Nonce Based MAC M M H k h H k h N N n − 1 n − 1 0 1 0 1 n − 1 n − 1 ⊕ ⊕ ⊕ k E k E k P P ⊕ ⊕ T T k is an n − 1 bit random key P is an n -bit public random permutation Masking of key is neccessary, otherwise, one can easily attack the system using offline queries to the public permutation

  31. Introduction Motivation Security Result Attack Security Proof Security Result of nEHtM p q = # of signing queries, v = # of verification queries, p = # of primitive queries. # of faulty nonces ≤ 2 n / 3 H is 2 − ( n − 1) -almost-xor universal and 2 − ( n − 1) -almost regular hash function Security Advantage nEHtM p ( q , v , p ) ≤ O ( q + v + p ) 2 2 n / 3 ) + O ( pq 2 + qp 2 + vp 2 Adv MAC ) 2 2 n Interpretation : if q ≈ 2 2 n / 3 , v ≈ 2 2 n / 3 and p ≈ 2 2 n / 3 , then the scheme is secure.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

980 views • 70 slides
Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

1.08k views • 107 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio

Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio

Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio Intelligent Systems Group Department of Computer Science and Artificial Intelligence University of the Basque Country (UPV/EHU) 1 Permutation-based

1.3k views • 89 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work

Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work

Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work with Sylvie Corteel (Paris-Sud) and parts with Svante Janson (Uppsala) LIPN, February 5, 2008 Permutation tableaux Permutation tableau T : a Ferrers

1.11k views • 50 slides
Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp,

Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp,

. . . . . . Permutation Based Cryptography for IoT Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp, November 21 Joan Daemen 1 , Michal Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP

755 views • 41 slides
Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

679 views • 63 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

845 views • 67 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training School, Azores, April 17, 2018 1 Joan Daemen 1 , 2 Guido Bertoni 3 , Seth Hoffert, Michal Peeters 1 , Gilles Van Assche 1 and Ronny 1

843 views • 35 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

760 views • 47 slides
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . 1

473 views • 28 slides
Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All Together The Bitcoin System The First Primitive Data Structure Reference Reference Header Header Header Transactions Transactions

1k views • 57 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides
A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.

391 views • 36 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

Lecture 4 All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus Who are the miners? Lecture 4.1: The

1.16k views • 99 slides

More recommend