SLIDE 1

Sections: History of WCS | Outline | Known Security Analysis | Our Works

Bernstein Bound is Tight

Repairing Luykx-Preneel Optimal Forgeries

Mridul Nandi

Indian Statistical Institute, Kolkata

CRYPTO 2018

SLIDE 2

Wegman-Carter-Shoup (WCS) MAC

Figure: $T = E_K(N) \oplus H_\kappa(M)$, with nonce N, message M and hash key κ.

  • Nonce-based authenticator.
  • Initial variant (the WC authenticator) due to Wegman and Carter [WC81].
  • Use of a block cipher $E_K$ due to [Sho96].
SLIDE 4

Brief History of WC Authenticator

  • Code of Gilbert, MacWilliams and Sloane [GMS74]: a one-time authentication protocol.
  • Issue: it needs a fresh key as large as the message.
  • The WC authenticator uses a strongly universal$_2$ hash function $H_\kappa$ (based on [CW79]).
  • $R_1, R_2, \ldots$ is a sequence of secret (one-time) keys.
  • Input: a unique message number n and a message M.
  • Tag: $H_\kappa(M) \oplus R_n$.

SLIDE 5

Brief History of WC Authenticator

Figure: $T = H_\kappa(M) \oplus R_n$.

  • universal$_2$ is relaxed to the weaker AXU (almost XOR universal) property in [Kra94, Rog95]:
    for all $M \neq M'$ and all δ, $\Pr(H_\kappa(M) \oplus H_\kappa(M') = \delta)$ is small.
  • Polynomial hashing over n bits: $\mathrm{Poly}_\kappa(M) := m_d \cdot \kappa \oplus \cdots \oplus m_1 \cdot \kappa^d$ is $\frac{d}{2^n}$-AXU for d-block messages.

SLIDE 7

Getting rid of one-time masking

Figure: $T = H_\kappa(M) \oplus R_n$, where $R_n$ is computed directly from n and a secret key.

  • Use a PRBG (Brassard [Bra83]).
  • Sequential in nature.
  • Direct, efficient computation of $R_n$ (Blum-Blum-Shub PRBG).
  • Also modeled as a pseudorandom function.
SLIDE 8

Getting rid of one-time masking

Figure: $T = F_K(N) \oplus H_{K_h}(M)$.

  • Use a pseudorandom function $F_K$ of the nonce in place of the one-time mask.
SLIDE 9

Finally - We have WCS

Figure: $T = E_K(N) \oplus H_\kappa(M)$.

  • Use a pseudorandom function.
  • Block ciphers (pseudorandom permutations) are widely available. Shoup analyzed WC when the PRF is replaced by a PRP.

SLIDE 11

In this Talk

We briefly revisit the security analysis.

  • Different attacks.
  • Shoup's security guarantee.
  • Bernstein's bound and its interpretation.

Recent developments on WCS.

  • Missing difference problem [LS18].
  • Luykx-Preneel "optimal" forgeries [LP18] using the false-key set.

Identify the issues with the Luykx-Preneel forgeries.

SLIDE 14

In this Talk (contd.)

We resolve it here.

  • We prove the optimality of the Bernstein bound.
  • False-key based approach, but a different analysis:
    – messages are chosen at random;
    – messages are any fixed values.

Finally, we extend this to show the tightness of GCM security.

SLIDE 16

Polynomial Hashing based WCS: Nonce Misuse Forgery

Figure: $T = E_K(N) \oplus \mathrm{Poly}_\kappa(M)$.

  • $P_M(\kappa) := \mathrm{Poly}_\kappa(M) := m_d \cdot \kappa + \cdots + m_1 \cdot \kappa^d$.
  • Nonce misuse (Joux's forbidden attack):
  1. T and T' are the tags of (N, M) and (N, M') with the same nonce N, so $E_K(N)$ cancels:
     $P_M(\kappa) \oplus P_{M'}(\kappa) = T \oplus T'$.
  2. Solve for the hash key κ by finding the roots of this polynomial equation over $GF(2^n)$ (at most d candidates).
SLIDE 19

Polynomial Hashing based WCS: Nonce Respecting Forgery

Figure: T is a tag of (N, M). The forgery (N, M', T') is valid iff $\kappa \in \mathrm{Sol}\bigl(P_M(\kappa) \oplus P_{M'}(\kappa) = T \oplus T'\bigr)$.

  • At most d solutions per forging attempt, and the solution sets of different attempts can be made disjoint.
  • Success probability after v forging attempts: $v \cdot \epsilon = \dfrac{v \cdot d}{2^n}$.

SLIDE 23

Bernstein and Shoup's Bound on WCS

  • Classical bound: $v \cdot \epsilon$ (based on a random function or a one-time key).
  • By the PRP-PRF switching lemma:
    $v \cdot \epsilon + \dfrac{(q+v)^2}{2^{n+1}}$. (1)
  • Shoup's bound:
    $2v \cdot \epsilon$, if $\epsilon q^2 \le 1$. (2)
  • Bernstein bound, for all q and v:
    $v \cdot \epsilon \cdot \left(1 - \dfrac{q}{2^n}\right)^{-\frac{q+1}{2}} \approx v \cdot \epsilon \cdot e^{q^2/2^{n+1}}$. (3)

SLIDE 25

Interpretation of Shoup's and Bernstein Bound

Polynomial hash ($\epsilon = d \cdot 2^{-n}$) and v = 1. Compare the advantage η guaranteed by each bound:

  • Classical bound: $(v + q) \ll 2^{n/2}$ ⇒ η is small.
  • Shoup's bound: $q \le 2^{n/2}/\sqrt{d}$ ⇒ $\eta \approx 2^{-n}$.
  • Bernstein bound: $q \le 2^{n/2}$ ⇒ $\eta \approx 2^{-n}$.

Example: n = 128 and $d = 2^{20}$. The data limit is set for advantage $2^{-32}$.

  • Classical bound: $(v + q) \le 2^{48.5}$.
  • Shoup's bound: $q \le 2^{54}$.
  • Bernstein bound: $q \le 2^{64}$.
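Worked derivation of the three data limits in the example (added here, not on the original slide; it only evaluates bounds (1), (2) and (3) with $n = 128$, $d = 2^{20}$, $v = 1$, so $\epsilon = 2^{-108}$):

$$
\text{(1)}\quad 2^{-108} + \frac{(q+v)^2}{2^{129}} \le 2^{-32}
\;\Rightarrow\; (q+v)^2 \le 2^{97}
\;\Rightarrow\; q + v \le 2^{48.5}.
$$

$$
\text{(2)}\quad 2v\epsilon = 2^{-107} \le 2^{-32} \text{ holds for every } q,
\text{ but (2) is only valid while } \epsilon q^2 \le 1
\;\Rightarrow\; q \le \frac{2^{n/2}}{\sqrt{d}} = \frac{2^{64}}{2^{10}} = 2^{54}.
$$

$$
\text{(3)}\quad \text{at } q = 2^{n/2} = 2^{64}:\;
\Bigl(1 - 2^{-64}\Bigr)^{-\frac{2^{64}+1}{2}} \approx e^{1/2},
\quad\text{so}\quad \eta \approx e^{1/2} \cdot 2^{-108} \ll 2^{-32}.
$$

Up to $q = 2^{n/2}$ the Bernstein factor is a constant, so the advantage stays at $\approx \epsilon$; only beyond $2^{n/2}$ does the exponential term take over (solving (3) with equality would still allow $q \approx 2^{67}$, since $e^{q^2/2^{129}} = 2^{76}$ gives $q = 2^{64.5}\sqrt{76 \ln 2} \approx 2^{67.4}$; the slide quotes the threshold $2^{n/2}$ at which the growth starts).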
SLIDE 27

Missing Difference Problem

Let L, L' and S be three lists of n-bit strings satisfying the missing condition: there exists $s \in S$ with $s \notin L \oplus L'$, where $L \oplus L' := \{x \oplus x' : x \in L,\, x' \in L'\}$. Find s.

Complexity questions:
  1. Let $S = \{0,1\}^n$. How large should the lists be to ensure the missing condition?
  2. How efficiently (in both time and memory) can we compute s?
SLIDE 32

Missing Difference Problem

  • [LS18] constructed a $2^{2n/3}$ (ignoring log factors) time and memory algorithm for the missing difference problem when both lists have size $2^{2n/3}$.
  • Optimal list size: $2^{n/2}\sqrt{n}$. Heuristic behind this figure:
  1. Assumption: for all $x \in L$, $x' \in L'$, the values $x \oplus x'$ are uniform and independent over $\{0,1\}^n \setminus \{s\}$.
  2. Number of pairs is $2^n \cdot n$.
  3. Coupon collector problem: the expected number of tries to collect all N coupons (here $N = 2^n - 1$) is about $N \log N$.

SLIDE 34

Recovering Hash Key: Approach 1

  • For a single-block message m, the tag is $T = E_K(N) \oplus \kappa \cdot m$.
  • Hash-key recovery algorithm:
  1. Query $(N_i, 0)$ and $(N'_i, 1)$ with all nonces distinct; responses $T_i$ and $T'_i$ ($1 \le i \le q$).
  2. Note $T_i = E_K(N_i)$ and $T'_i = E_K(N'_i) \oplus \kappa$.
  3. So $\kappa \neq T_i \oplus T'_j$ for all i, j (as $N_i \neq N'_j$ and $E_K$ is a permutation).
  4. Hence κ is the missing difference of the lists L (of $T_i$ values) and L' (of $T'_i$ values).
  • The assumption of uniformity and independence of the differences is wrong here, so the [LS18] analysis does not apply as is.
SLIDE 35

Luykx-Preneel Forgery: Approach 2

  • τ denotes the transcript $((N_1, m_1, T_1), \ldots, (N_q, m_q, T_q))$.
  • Consider the false-key set
    $\mathcal{F}_\tau = \{x : H_x(M_i) \oplus T_i = H_x(M_j) \oplus T_j \text{ for some } i \neq j\}$.
  • $\kappa \notin \mathcal{F}_\tau$ (otherwise $E_K(N_i) = E_K(N_j)$ for some $i \neq j$). Hope: the false-key set almost exhausts the key space.
  • Choose an element at random from $\mathcal{F}_\tau^c$ as the guess of κ.
  • Key-recovery advantage is at least $\dfrac{1}{2^n - \mathrm{Ex}(|\mathcal{F}_\tau|)}$.

SLIDE 39

Luykx-Preneel Forgery: Approach 2 (contd.)

Theorem [LP18]
  1. $\mathrm{Ex}(|\mathcal{F}_\tau|) \ge q^2/4$ for all $q < 2^{n/2}$.
  2. KR advantage is at least $\dfrac{1}{2^n - q^2/4}$ for all $q < 2^{n/2}$.

Concluded from the above that the Bernstein bound is tight!

Wait: the maximum guaranteed KR advantage (at $q = 2^{n/2}$) is $\dfrac{1}{0.75 \times 2^n} \approx \dfrac{1}{2^n}$.

  • In the range $q \le 2^{n/2}$, a plain random guess of the key already shows this optimality.
  • For $q \ge 2^{n/2}$, [LP18] did not show anything.
SLIDE 42

Our Work: Resolving The Issue

  • Consider the true-key approach (complement of the false-key set).
  • We have shown the KR advantage is at least $\dfrac{1}{1 + 2^n e^{-q^2/2^{n+1}}}$, in both settings:
  1. messages are chosen at random, and
  2. messages are fixed.
  • KR advantage is at least 1/2 for $q = 2^{n/2}\sqrt{2n\ln 2} = \Theta(2^{n/2}\sqrt{n})$ (then $2^n e^{-q^2/2^{n+1}} = 1$).
  • We extend the analysis to GCM.
SLIDE 46

Analysis for random messages

Hash-key recovery algorithm
  1. Queries $(N_i, m_i)$ with single-block messages $m_i$ chosen at random; responses $T_i$.
  2. Define $R_{i,x} := T_i \oplus x \cdot m_i$ and the true-key set
     $\mathcal{T}_\tau := \{x : R_{i,x} \neq R_{j,x} \text{ for all } i \neq j\}$; then $\kappa \in \mathcal{T}_\tau$.
  3. Return an element chosen at random from $\mathcal{T}_\tau$.

Observations
  1. For all $x \neq \kappa$, $R_{i,x} = E_K(N_i) \oplus (\kappa \oplus x) \cdot m_i$ are uniform and independent (over the random $m_i$, since $\kappa \oplus x \neq 0$).
  2. $x \in \mathcal{T}_\tau$ if and only if the $R_{i,x}$ values are distinct.
  3. $|\mathcal{T}_\tau| = \sum_x I_x$, where $I_x$ is the indicator random variable taking value 1 if the $R_{i,x}$'s are distinct.

SLIDE 49

Analysis for random messages

  • $\Pr(I_x = 1) = \prod_{i=1}^{q-1}\left(1 - \dfrac{i}{2^n}\right) \approx e^{-q^2/2^{n+1}}$ (birthday-paradox bound).
  • $\mathrm{E}(|\mathcal{T}_\tau|) = 1 + \sum_{x \neq \kappa} \mathrm{E}(I_x) \le 1 + (H - 1)\, e^{-q^2/2^{n+1}}$, where H is the size of the hash-key space (here $2^n$).
  • KR advantage is at least $\dfrac{1}{1 + (H-1)\, e^{-q^2/2^{n+1}}}$.
  • Choose $q = 2^{n/2}\sqrt{2 \ln H}$, i.e. $q^2 = 2H \ln H$ for $H = 2^n$: then $(H-1)e^{-q^2/2^{n+1}} < 1$ and the KR advantage is at least 1/2.
SLIDE 51

Analysis for fixed messages

  • $R_{i,x} := E_K(N_i) \oplus (\kappa \oplus x) \cdot m_i$ are no longer independent and uniform: the $m_i$ are fixed, so the only randomness is in $E_K$.
  • Apply the without-replacement (WOR) distribution of $V_i = E_K(N_i)$.

Lemma
Let $V_1, \ldots, V_q$ be a uniform without-replacement sample from a set B of size N, and let $a_1, \ldots, a_q \in B$ be distinct elements, for some $q \le N/6$. Then $p_x := \Pr(V_1 + a_1, \ldots, V_q + a_q \text{ are distinct}) \le e^{-q^2/4N}$.

  • Apply this lemma with $a_i = (\kappa \oplus x) \cdot m_i$ (distinct whenever the $m_i$ are distinct and $x \neq \kappa$).
  • The rest is similar to the random-message case.
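The two key-recovery ideas above, as an added example that is not part of the talk or of any code by the author: a toy WCS MAC $T = E_K(N) \oplus \mathrm{Poly}_\kappa(M)$ over $GF(2^{12})$, attacked first with Joux's forbidden attack (slide 16: two tags under one nonce, κ is a root of $P_M \oplus P_{M'} \oplus (T \oplus T')$) and then with the true-key-set recovery on random one-block messages (slides 46 and 49: keep every x for which the $R_{i,x} = T_i \oplus x \cdot m_i$ are pairwise distinct, guess uniformly among the survivors). Assumptions made here: $E_K$ is idealised as a random permutation, the field is $GF(2^{12})$ built on the polynomial 0x1053 (assumed primitive; `FIELD_OK` verifies it), q follows the slide-49 choice with the constant that makes the bound on $\mathrm{E}|\mathcal{T}_\tau|$ equal to 2, and all names (`WCS`, `joux_forbidden`, `true_key_set`, `recover_key`, `demo`) are this example's own.

```python
"""Added example, not code from the talk: toy WCS MAC T = E_K(N) xor Poly_kappa(M)
over GF(2^12), attacked by Joux's nonce-misuse key recovery (slide 16) and by the
true-key-set recovery on random one-block messages (slides 46-49).
Assumptions: E_K is an ideal random permutation, the field is GF(2^12) with
POLY = 0x1053 (assumed primitive; FIELD_OK checks it), names are ours."""
import math
import random

N_BITS = 12
H = 1 << N_BITS                  # size of the hash-key space, 2^n
POLY = 0x1053                    # x^12 + x^6 + x^4 + x + 1

# log/antilog tables: EXP[i] = x^i and LOG[x^i] = i, so a*b = EXP[LOG[a] + LOG[b]]
EXP = [0] * (2 * H)
LOG = [0] * H
_v = 1
for _i in range(H - 1):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & H:                   # reduce modulo POLY once the degree reaches 12
        _v ^= POLY
for _i in range(H - 1, 2 * H):
    EXP[_i] = EXP[_i - (H - 1)]
FIELD_OK = len(set(EXP[:H - 1])) == H - 1   # x generates every non-zero element

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_inv(a):                   # caller guarantees a != 0
    return EXP[(H - 1) - LOG[a]]

def poly_hash(x, blocks):
    """Poly_x(m_1, ..., m_d) = m_1 x^d + ... + m_d x, evaluated by Horner's rule."""
    acc = 0
    for m in blocks:
        acc = gf_mul(acc ^ m, x)
    return acc

class WCS:
    """Tag = E_K(N) xor Poly_kappa(M), with E_K a random permutation of {0,1}^n."""
    def __init__(self, rng):
        self.perm = list(range(H))
        rng.shuffle(self.perm)
        self.kappa = rng.randrange(1, H)

    def tag(self, nonce, blocks):
        return self.perm[nonce] ^ poly_hash(self.kappa, blocks)

def joux_forbidden(mac, nonce, blocks, blocks2):
    """Nonce reused for M != M': kappa is a root of P_M(x) ^ P_M'(x) ^ (T ^ T').
    One block: the unique root (T^T')*(m^m')^-1.  d blocks: at most d roots."""
    t, t2 = mac.tag(nonce, blocks), mac.tag(nonce, blocks2)
    if len(blocks) == 1 and len(blocks2) == 1:
        return [gf_mul(t ^ t2, gf_inv(blocks[0] ^ blocks2[0]))]
    return [x for x in range(H)
            if poly_hash(x, blocks) ^ poly_hash(x, blocks2) == t ^ t2]

def true_key_set(queries):
    """Slide 46: x survives iff R_{i,x} = T_i ^ x*m_i are pairwise distinct.
    The real kappa always survives, because then R_{i,kappa} = E_K(N_i)."""
    survivors = []
    for x in range(H):
        seen = set()
        for m, t in queries:
            r = t ^ gf_mul(x, m)
            if r in seen:
                break
            seen.add(r)
        else:
            survivors.append(x)
    return survivors

def recover_key(mac, rng, q):
    """q nonce-respecting queries on random one-block messages, then a uniform
    pick from the true-key set.  Returns (true-key set, guess)."""
    queries = []
    for n in rng.sample(range(H), q):     # distinct nonces
        m = rng.randrange(H)
        queries.append((m, mac.tag(n, [m])))
    cands = true_key_set(queries)
    return cands, rng.choice(cands)

def expected_true_keys(q):
    """Slide 49 bound on E|T_tau|: 1 + (H - 1) e^{-q^2 / 2^{n+1}}."""
    return 1 + (H - 1) * math.exp(-q * q / (2 * H))

# slide 49's choice of q, with the constant that makes the bound equal 2: q^2 = 2 H ln H
Q = int(2 ** (N_BITS / 2) * math.sqrt(2 * math.log(H)))

def demo(seed=2018):
    """Run both attacks on one toy instance; returns everything worth checking."""
    rng = random.Random(seed)
    mac = WCS(rng)
    cands, guess = recover_key(mac, rng, Q)
    return {"kappa": mac.kappa,
            "joux_single": joux_forbidden(mac, 5, [3], [9]),
            "joux_multi": joux_forbidden(mac, 7, [1, 2, 3], [4, 5, 6]),
            "true_keys": cands, "guess": guess}
```

`demo()` returns the hidden κ, the Joux candidates (exactly one for single-block messages, at most d = 3 for the three-block pair) and the true-key set after Q = 261 nonce-respecting queries. With $H = 2^{12}$ and $q^2 = 2H \ln H$ the slide-49 bound gives $\mathrm{E}|\mathcal{T}_\tau| \le 2$, so the random guess is right with probability about 1/2, exactly the slide-42 claim; re-run with other seeds to see the spread. Scaling N_BITS up makes `true_key_set` cost $H \cdot q$ field multiplications, which is the point: the attack is cheap in queries ($2^{n/2}\sqrt{n}$) but pays $2^n$ in offline work.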
SLIDE 54

Overview of GCM and Its Attack

Ciphertext generation: $C_i[j] = M_i[j] \oplus E_K(N_{ij})$ (counter mode; $N_{ij}$ is the j-th counter block derived from nonce $N_i$).

Tag generation: $T_i = E_K(N_{i0}) \oplus \mathrm{Poly}_\kappa(A_i, C_i)$.

  • Encryption queries for random messages $M_i$ (with the same associated data $A_i$); let $C_i$ and $T_i$ be the responses.
  • Construct the false-key set by comparing the known keystream blocks $E_K(N_{ij}) = M_i[j] \oplus C_i[j]$ with the candidate values of $E_K(N_{i0})$ implied by $T_i$ and a guessed hash key.
  • Hash-key recovery whenever $\ell q^2$ is about $2^n \cdot n$.
SLIDE 55

More Formally

  • Let $M_i$ be ℓ-block messages and $C_i$, $T_i$ the responses.
  • True-key set $\mathcal{T}_\tau := \{x : R_{i,x} \neq M_{i'}[j] \oplus C_{i'}[j] \text{ for all } i, i', j\}$, where $R_{i,x} := T_i \oplus \mathrm{Poly}_x(A, C_i)$ is the value $E_K(N_{i0})$ would have if x were the hash key.
  • Clearly, $\kappa \in \mathcal{T}_\tau$ ($E_K$ is a permutation and all counter blocks are distinct).
  • As the $M_i$ are random, the $C_i$ are random; using the random-message analysis, the key-recovery advantage is at least $\dfrac{1}{1 + 2^n \cdot e^{-\ell q^2/2^n}}$.
  • Query complexity: $\ell q^2 = n \cdot 2^n$.
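Where the exponent $\ell q^2 / 2^n$ comes from (added reasoning step, not on the original slide): for a wrong candidate $x \neq \kappa$ the q values $R_{i,x}$ behave like independent uniform n-bit strings (the $C_i$ are random because the $M_i$ are), and x survives only if each of them misses all $\ell q$ keystream blocks $M_{i'}[j] \oplus C_{i'}[j]$:

$$
\Pr(I_x = 1) \approx \Bigl(1 - \frac{\ell q}{2^n}\Bigr)^{q} \approx e^{-\ell q^2/2^n},
\qquad
\mathrm{E}(|\mathcal{T}_\tau|) \le 1 + 2^n e^{-\ell q^2/2^n}.
$$

With $\ell q^2 = n \cdot 2^n$ this is $1 + 2^n e^{-n} = 1 + (2/e)^n$, so the true-key set is essentially $\{\kappa\}$ and the key-recovery advantage is close to 1. The total data is $\ell q = \sqrt{n \ell\, 2^n}$ blocks, so longer messages (larger ℓ) reduce the number of queries q needed for the same effect.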
SLIDE 57

Conclusion

  • The Luykx-Preneel forgeries, as stated, are no better than a random guess.
  • The idea of the false-key set, or of the missing difference problem, is useful.
  • We provide a correct analysis, at a higher (but still $2^{n/2}\sqrt{n}$) query complexity.
  • Applicable in a more general setup:
  1. arbitrary hash functions;
  2. both random and arbitrary fixed messages.
  • We extend the result to GCM.

Thank You.